Risk Management System BRI s integrated risk management system is translated into the following:

Transcription

1 428 Risk Management System s integrated risk management system is translated into the following: Pillar 1 Active Supervision from the Board of Commissioners and Board of Directors The Board of Commissioners and Board of Directors are in charge of the effectiveness of risk management implementation at. To ensure the effectiveness of management of activities and risks by the Board of Directors, the Board of Commissioners through RMOC evaluates the policy and implementation of risk management by the Board of Directors. RMC assisted the Board of Directors in determining the direction of risk management policies and strategies and its comprehensive implementation. The Board of Directors ensures that all material risks and the impact has been followed up, and the corrective measures for problems or irregularities in business activity are implemented. Culture of risk management, including risk awareness at all levels of the organization are also of the Board of Directors concern. Adequacy of Policies, Procedures, and Limit Risk management policy at is set forth in General Policy of Risk Management (KUMR ). KUMR stipulates the basics of risk management policies and is the highest provision of risk management at, serving as reference for policies, procedures, and guidelines for risk management in accordance with prevailing regulations. KUMR set forth in detail the Guidelines for the Application of Risk Management (P3MR), which includes several stages of process of risk management, among others: risk identification, risk measurement, risk monitoring and risk control. P3MR consists of Guidelines for the Application of Credit Risk Management (P3MRK), Guidelines for the Application of Operational Risk Management (P3MRO), Guidelines for the Application of Market Risk Management (P3MRP), Guidelines for the Application of Liquidity Risk Management (P3MRL) and Guidelines for the Application of Enterprise Risk Management (P3ERM). Management procedures and limits for each type of risk should be managed in all products and business activities of, according to the risk appetite, taking into account experience of managing the risk in question. Limit is reviewed periodically in order to adjust it in accordance with the changing conditions. s Board of Directors has the authority to establish risk limits, tolerance levels for each type of risk, and risk exposure, by taking into account the experience, capital ability, capability of systems and risk management tools, available resources, as well as the applicable regulations. Risk Management Process and Risk Management Information System Identification identifies risk by analyzing all types and characteristics of risks inherent in the business of the Financial Conglomerate. Risk identification is proactive, covers all business activities of the Financial Conglomerate and is carried out in order to analyze the source and possible risks and impacts. Risk identification, among others is based on the loss that occurred in the past. Identification of risk issues for Operational Risk and Other Risks are conducted by the Head Office, Regional Offices and Branch Offices throughout Indonesia by using risk management tools. In this stage, determination and updating of risk issues were brought about. Measurement Risk measurement is conducted periodically for all business activities of the Financial Conglomerate. The use of risk measurement models is tailored to the needs, size, and complexity of business activities, as well as the benefits. Risk measurement is implemented to measure risk exposure, as a reference for control. Risk assessment is conducted periodically both for product and portfolio, as well as for all business activities of. The approach and methodology of measurement may be quantitative, qualitative, or a combination of both. Risk measurement system is evaluated and refined periodically, or at any time if deemed necessary to ensure the suitability of assumptions, data sources, as well as the procedures used to measure risk. Stress testing is carried out to complement the risk measurement system by estimating any potential loss to the Financial Conglomerate under crisis, using stress scenarios specific for the Financial Conglomerate and stress scenarios of the market.

2 429 Corporate Profile Risk measurement is reflected in the Consolidated Risk Profile Quarterly Report, Monthly Risk Profile Dashboard, Risk Profile Monthly Report from Regional Offices, consolidated RCSA quarterly report stress testing analyzing quarterly report, market risk potential loss weekly report, cash ratio monitoring monthly report, and quarterly Top Risk issue Book. Monitoring has adopted monitoring systems and procedures that include the monitoring of the magnitude of risk exposure, risk tolerance, adherence to internal limit, and the results of stress testing as well as the consistent implementation of policies, procedures, and limits. Risk monitoring activities are conducted by evaluating risk exposure inherent in the Financial Conglomerate business activities, as well as the effectiveness of integrated risk management processes. One form of monitoring is conducted by regularly hold Integrated Risk Management Committee to evaluate Risk Management process and provide recommendations/proposals related to implementation of Risk Management to members of the Financial Conglomerate. The results of risk monitoring can be used to enhance existing risk management processes. The evaluation of the risk exposure is conducted by monitoring and reporting of risks that are significant or affecting the capital of the Financial Conglomerate. Control Risk control process is carried out with due regard to the internal control system prepared in accordance with the applicable regulations and aims to manage certain risks that can jeopardize the business continuity of the Financial Conglomerate. The framework for risk management process is based on results from risk exposure evaluation in the business of the Financial Conglomerate. The main priority in the risk mitigation is against the risks that have high impacting losses or high frequency of occurrence. ensures that the members of the Financial Conglomerate have applied risk control methods against risks that can jeopardize the business continuity of the Financial Conglomerate, among others, by hedging, risk mitigation methods, and additional capital to absorb potential losses. Internal Control Systems A thorough internal control has been implemented through: a) Determination of organization structure with a clear segregation of functions between operational units (business units) and operating units that manage risk control functions (risk management unit). b) Determination of risk management unit, namely an independent operating unit that creates the risk management policies, risk measurement methodologies and performs risk limit setting and data/model validation. c) Each transaction and functional activity with exposure to risk is reviewed and monitored as required by each business unit. d) Data validation is conducted by executives and independent units of the operational units. Data validation is conducted at least once a month for all risks. e) Regular audits are conducted by the Internal Auditors, to audit the implementation of risk management processes and system in any functional activity with risk exposures. f) Implementation of the segregation of duties by applying the concepts of Maker, Checker, Signer (MCS) in all of s operational activities. g) Implementation of risk management information system, to facilitate the risks identification, measuring, monitoring, and controlling process. The risk management information system includes Operational Risk Assessor (OPRA), Loan Approval System (LAS), and Treasury and Market Risk System (GUAVA). EFFECTIVENESS OF THE EVALUATION OF RISK MANAGEMENT SYSTEM The evaluation of the quality of implementation of Risk Management on the four pillars of risk management system mentioned above is conducted in an integrated manner through Self Assessment which include the following: Evaluation on Risk Governance Evaluation on Risk Governance includes: Formulation of Risk Levels The formulation of risk appetite and risk tolerance is adequate. Such formulation is aligned with the strategic objectives and the bank s business as a whole. The parameter for corporate level risk limit is documented in the internal regulation regarding Circular Letter on the Guidelines for Risk Based Bank Rating of PT Bank Rakyat Indonesia (Persero) Tbk. Management Discussion and Analysis Corporate Social Responsibility Consolidated Financial Statements 2016 OJK Regulation & ARA 2016 Criteria Cross Reference

3 430 Adequacy of Active supervision by the Board of Commissioners and Board of Directors Adequacy of active supervision by the Board of Commissioners and Board of Directors, including the implementation of the authority and responsibilities of the Board of Commissioners and Board of Directors is considered adequate. BoC has established Risk Management Monitoring Committee set out in the Risk Management Monitoring Committee Charter, among others: 1. Evaluate and analyze the adequacy of risk management policies on regular basis. 2. Evaluate and analyze the risk profile report on quarterly basis. 3. Supervise and evaluate the implementation of Risk Management Committee and Risk Management Division duties. Risk Management Monitoring Committee regularly convenes meeting and provides recommendation for improvement that were documented and the follow-up are monitored. Meeting to discuss risk profile and risk management was conducted 4 (four) times on February 16, 2016, March 29, 2016, August 9, 2016 and October 25, In addition to the implementation of RMC, in general, the implementation of duties of BoC and BoD is considered adequate with the establishment of BoD Committees, such as ALCO, Business Performance Review (BPR), and the Strategic Forum (Forstra). Evaluation on the Framework for Risk Management Evaluation on the Risk Management Framework includes: Risk Management Strategy Risk Management Strategy which was considered adequate and in line with risk appetite and risk tolerance of the business strategy is stipulated in the corporate plan, RBB, and RKAP. The strategy has included discussion on the risk management strategy formulated in line with the risk appetite. Risk Management Organization Tool a) The organization tool that supports the effective implementation of Risk Management is considered adequate with clearly defined authority and responsibility in every business activities. In managing credit risk there was a separation of loan officers, between Relationship Management and Credit Risk Management. Delegation of authority is set forth in the internal regulations on Circular of Credit Committee (KK) and Decision of Loan Authority Delegation, and evaluated regularly by the authorized official. b) In the market risk management, the function of market risk management consist of front office work units (Treasury Division), back office (Operation Center Division), and middle office (Risk Management Division) as explained further in the Market Risk management in this Annual Report. c) In the management of operational risk there is separation of duties and authority of maker, checker, signer (segregation of duty and dual control) on the implementation of all operational activities in the work unit. Delegation of authority in the operational processes at work units is running well as reflected in the review of cost fiat of employee which conducted dynamically according to the competence and experience of the employees/officials. Policies, Procedures and Limit Determination Policies, procedures and limits determination are considered adequate. has placed policies and procedures in any risk management, and the policy is regularly refined in accordance with the latest provisions from the regulator. Monitoring of latest regulations is the responsibility of Compliance Unit. EVALUATION ON RISK MANAGEMENT PROCESS, HUMAN RESOURCE ADEQUACY AND RISK MANAGEMENT PROCESS INFORMATION SYSTEM ADEQUACY Risk Management process Risk Management process is adequate in identifying, measuring, monitoring and controlling risks in accordance with results from discussion in RMC forum held on a quarterly basis throughout The description of risk control process for each type of risk are described further in the risk management efforts in this Annual Report. Human Resources The Human Resource appointed to manage risks have sufficient competence and appropriate education according to the job level. Each employee is required to attend training at least once a year. In addition, in order to have effective and efficient human resource development, fulfillment of formation is tailored to the needs and determination of formation.

4 431 Corporate Profile To develop competencies in Risk Management, it is mandatory for the Board of Commissioners, Board of Directors, as well as officials to four levels below the Board of Directors to attend certification training in Risk Management. In addition, refreshment to the Human Resources also conducted regularly. Information System Implementation of Risk Management is supported by various information systems, among others: Credit initiatives process is carried out in the LAS system that has been integrated with the Debtor Information System (SID), Credit Risk Scoring Module (CRS) and Credit Risk Rating (CRR) to take into account the risk level of the borrowers. Credit portfolio management process is supported by Data Warehouse reporting information systems and Management Information System (MIS) The support of information system for the operational process is embodied in the unification of authority delegation upon approval of transactions in the Core Banking information system. Process monitoring against the Operational Risk is supported by the Operational Risk Assessor (OPRA) information system in capturing and identifying the occurrence of new risks, Key Risk Indicators (IRU) to monitor the movement of risk parameters and Incident Management (MI) to document the risk occurrence and its impact, as well as monitoring of the follow up on the risk occurrence. Strategic Risk Monitoring is supported by MIS capable of generating reports on the development of business performance on a regular basis. Reputation Risk Monitoring is equipped with Complaint Handling System (CHS) information systems equipped with provision on the escalation of customer complaints report to the Head Office level. EVALUATION ON THE ADEQUACY OF RISK CONTROL SYSTEMS Risk control systems is adequate since it has conducted evaluation on the adequacy of Internal Control System by Risk Management Unit (SKMR), Internal Audit Unit and External Auditor. The evaluation conducted by SKMR includes the methods, assumptions and variables used to measure and set limit of risk, while the review conducted by Internal Audit Unit and External Auditor includes the reliability of Risk Management framework and implementation of Risk Management by business unit and/or supporting unit. EXPLANATION ON RISKS FACED BY THE COMPANY 10 types of risks that should be managed by the Financial Conglomerate are: Credit Risk Credit Risk is any risk arising from failure by borrowers and/ or other parties to meet their obligations to Bank. Credit risk can be sourced from a variety of business activities of the Bank. Market Risk Risks arising from movements in market variables (adverse movement) from the Bank s portfolio, which may be detrimental to the Bank. Market variables in this point are the interest rate and exchange rate. Liquidity Risk Among others, risks arising from the failure of the Bank in meeting its overdue obligations. Operational risk Among others, risks arising from the inadequacy or failure of internal processes, human error, system failure, or external problems affecting the operations of the Bank Legal Risks Risks arising from the weakness of the judicial aspect. The weakness of judicial aspect among others due to lawsuits, the absence of supporting legislation or weakness of contract, such as the failure to fulfill the requirement for a valid contract and imperfect commitment. Strategic Risk Among others, risks arising from the failure of the Bank to determine or implement the right strategy, making wrong business decision of failed to respond the external changes. Reputation Risk Risks arising from negative publicity related to the business activities of the Bank or negative perceptions towards the Bank. Compliance Risk Risks that are resulted from failure to comply with or to implement legislation and other prevailing regulations. Compliance risk management is conducted through the consistent implementation of internal control systems Management Discussion and Analysis Corporate Social Responsibility Consolidated Financial Statements 2016 OJK Regulation & ARA 2016 Criteria Cross Reference

5 432 Intra-Group Transaction Risk The risk of reliance to an entity either directly or indirectly in a financial conglomerate in order to fulfill its written or unwritten contractual obligation agreements either followed and/or not followed by transfer of funds. The risk of intra-group transactions, among others, may arise from Cross ownership between LJK in Financial conglomerate Centralized management of short-term liquidity Guarantees, loans, and commitments given to or obtained from an LJK to another in financial conglomerate Exposure to controlling shareholders, including the exposure of loans and off-balance sheet items such as guarantees and commitments Purchase or sale of asset to another LJK within Financial conglomerate Transfer of risk through reinsurance; and/or Transaction to transfer third-party risk exposure among LJK in the financial conglomerate Risk Insurance Risks due to failure of the insurance company to meet obligations to policyholders as a result of the inadequacy of underwriting (risk selection) process, setting premiums (pricing), use of reinsurance, and/or the handling of claims EFFORTS TO MANAGE RISK has conducted risk management based on four pillars as follows: Credit Risk PILLAR 1 The process of credit decision above a certain nominal limit requires approval from BoD s Credit Committee and consultation with the Board of Commissioners Follow-up/action must be monitored by the Board of Commissioners and Directors if risk limit is exceeded Implementation of quarterly RMC forum that discusses strategic issues related to enterprise risk management Reporting monthly risk profile by Risk Management Unit to Board of Directors Regulation on target markets Determination of risk limits at the corporate level (risk appetite statement) regarding the NPL and NPL Coverage Regulations on tiered credit authorization/pdwk Identification of credit risk is carried out using a system of Credit Risk Rating (CRR) and Credit Risk Scoring (CRS) since Internal Rating (Credit Risk Rating/Credit Risk Scoring) used at currently is based on empirical data/historical data of existing debtors with statistical methodology. Based on this internal ranking, periodic review of the accuracy of models and assumptions used to project is conducted to forecast failure, and adjustments of assumption should be made if there is a change of regulations, both in external (regulatory) and internal. In order to overcome weaknesses that may arise from the use of internal models of the rating, an independent working unit has been working to validate the working unit who applies the model. The validation process or review of the credit risk measurement models is carried out by back testing method. Measurement of credit risk is done by using standard method of calculating the probability of default and loss given default for each business segment based on the shifting of each segment s credit collectibility. Currently, is still developing its Internal Rating Based Approach (IRBA). In addition, a series of stress test is also performed to measure the maximum potential loss in the event of stress conditions. Stress test is done based on some hypotheses and assumptions, such as: economic growth, inflation, world oil prices and the rupiah exchange rate fluctuations. Monitoring credit risk is done through a process of monitoring loan portfolio which is the responsibility of credit administration units at the headquarters. Monitoring loan portfolio is based on credit quality, economic sector, use of credit, geographic factor of initiator unit, and so forth. Monitoring is also undertaken to limit credit risk, among others: NPL, SML, composition of the Loan at Risk, Credit Cost, NPL Coverage ratio, PH, Recovery income and Recovery Rate. Control of credit risk is through: - Credit Decision should take into account collateral analysis, which must comply with the provision of minimum loan to value or minimum coverage against the loan - Procedure of credit quality improvements through restructuring

6 433 Corporate Profile - Procedures to minimize the loss of credit risk through credit settlement and collection/billing optimization - Write-off procedures of problem loans 4 eyes principles: separate functions of credit initiators and credit decision makers Separation unit between credit initiator (business) and a working unit of credit risk analysis for Corporate segment Use of Loan Approval System (LAS) application, which includes the identification of credit risks through the calculation of CRR and CRS as well as loan decision in accordance with the provisions of tiered PDWK. Determination of CKPN is automatically based on an internal model to calculate the reserve adequacy of credit risk based on credit portfolio per segment. Integration between surpassing the limit of credit risk and performance assessment of business and individual working units, including loan composition in Collectability category 2 and NPL. Market Risk Pillar 1 Follow-up monitoring by Board of Commissioners and Directors if risk limit is surpassed Implementation of quarterly RMC forum that discusses strategic issues related to the Company s risk management Reporting of monthly risk profile by Risk Management Unit to Board of Directors Policies, procedures, and market risk limit has been compiled and stipulated in the Treasury Policy and Market Risk Management Policy (KUMR and P3MRP). Market Risk Limits listed in the policy, among other things are: open position limits for trading, dealer transaction limit, limit of cut loss and stop loss, uncommitted credit line limit, counterparty limits, as well as limit Value at Risk (VaR). Identification Calculation of Interest Rate Risk by standard methods is carried out against the position of all financial instruments which are classified in Trading Book as exposed by Interest Rate Risk and Calculation of Foreign Exchange risk by standard methods is carried out on s foreign exchange positions in the Trading Book and in the Banking Book which is exposed to Foreign Exchange Risk, Risk factors which are considered in interest rate risk in the standard method are: - Specific Risks of any securities or financial instruments, regardless of a long or a short position. Thus the process of offsetting is not possible unless those positions are identical; - General Market Risk of the overall portfolio, where a long position or a short position of different securities or instruments can offset each other. The market value of securities used in the calculation of Specific Risk and General Risk is the dirty price, i.e the market value of securities (clean price) plus the present value of the interest income to be received (accrued interest). The calculation of the present value of accrued interest can not be done if it is based on the coupon payment term where the present value does not cause material differences. Foreign Exchange Risk calculations is performed for all positions, both Trading Book and Banking Book in foreign currencies, including gold, with reference to the calculation of the Net Open Position (NOP). The position of an instrument that denominated in foreign currency, in addition to Foreign Exchange Risk exposed, can also lead to Interest Rate Risk (e.g for crosscurrency swaps instrument). In this case, the Interest Rate Risk exposures should also be taken into account. Scope of portfolio accounted for in the Capital Adequacy Ratio (CAR), among others are Position held for resale in the short term. Position held for the purpose of obtaining short-term profits from actual and/or potential price movements. Position held for the purpose of maintaining the advantages of arbitration (locking in arbitrage profit). Derivative instruments related to securities or interest rates, such as Bond Forward, Bond Options, Interest Rate Swaps, Cross Currency Swaps, Forward Foreign Exchange, Interest Rate Options and Forward Rate Agreements/Fras. All debt securities with a fixed or floating interest rates, and all financial instruments that have similar characteristics, including Negotiable Certificates of Deposits and securities sold by on condition of repurchase (Repo/Securities lending). foreign exchange position in the trading book and the banking book which is exposed to foreign exchange risk Measurement Calculation of Interest Rate Risk by standard methods is carried out against the position of all financial instruments classified in Trading Book as exposed to Interest Rate Risk and Foreign Exchange Risk Calculation by standard methods is carried out on s foreign exchange positions in the Trading Book and the Banking Book, which is exposed to Foreign Exchange Risk, Management Discussion and Analysis Corporate Social Responsibility Consolidated Financial Statements 2016 OJK Regulation & ARA 2016 Criteria Cross Reference

7 434 Measurement of market risk are conducted regularly (daily, weekly and monthly), among others by calculating market risk using standardized measurement approach and internal measurement models (VaR) through the application of GUAVA, conducting NII simulation everytime there is a change in market interest rates and managing maturity profile of securities, Valuation of trading book and banking book portfolio is done by using market prices quotes of the instruments that are actively traded (mark to market). The market prices reflect the actual and routine transactions which are reasonably conducted. The result of the valuation based on market value (mark to market) is validated periodically to ensure consistency and fairness of the market price used in the process. If market prices are not available because the instruments are not actively traded, the determination of fair value will use price simulation approach (mark-to-model). Monitoring and Control In carrying out market risk management, the Board of Directors regularly evaluates market risk through daily reports on net open position, Asset & Liability Committee (ALCO) forums, and report of market risk exposure in the market risk profile. In addition, also organizes Market Risk Management Committee forum on a quarterly basis. Separation of Front, Middle and Back office Functions s market risk management functions consist of front office work units (Treasury Division), middle office (Risk Management Division) and back office (Operations Center Division) with each division has different authority. Front office division is authorized to conduct financial instruments transaction and is responsible for monitoring the movement of the market price. Middle office sets and monitors market risk limit as well as regularly ensure market data (market price) used to mark-to-market (MTM). Back office division conducts treasury transaction settlement and sets daily market price (MTM) at the end of the day. Implementation of delegation of authority is realized through setting tiered transaction limits in accordance with the competency and experiences. Market Risk Control Systems Integrated with Front Office Functions has implemented treasury and market risk application systems (Guava), which is an integrated system that is used by the front office, middle office and back office functions. Through this application, can perform integrated market risk measurement in its daily transactions process. In addition to monitoring the risk exposure of the instruments, also monitors market risk limit and transactions limits including transactions dealer nominal limits, open position limit, uncommitted Credit Line Limit (UCL), cut loss limits and stop loss limits. Monitoring is conducted daily to accelerate the provision of current information that supports decisionmaking by line officials and management on a timely basis, especially for the instruments included in the trading classification. Integration Between Surpassing Market Risk Limits and Performance Assessment of Work Business Unit Liquidity Risk Pilar 1 Implementation of ad-hoc ALCO mini meetings and weekly Board of Directors Meeting when market of liquidity conditions is quite tight. Follow-up/action plan monitoring by the Board of Commissioners and Directors if risk limit is surpassed Implementation of quarterly RMC forum that discusses strategic issues related to the Company s risk management Reporting monthly risk profile by Risk Management Unit to Board of Directors Pilar 2 Determination of minimum Secondary Reserves limit to the minimum reserve requirement (risk appetite statement) Risk Identification, Measurement and Monitoring through dashboard of daily liquidity Risk Control through liquidity contingency plan Protocol Monitoring system of daily liquidity position Integration between surpassing liquidity risk limit and performance evaluation

8 435 Corporate Profile Operational Risk Pilar 1 Follow-up monitoring by the Board of Commissioners and Directors if risk limit is surpassed Implementation of quarterly RMC forum that discusses strategic issues related to the Company s risk management Reporting monthly risk profile by Risk Management Unit to Board of Directors Pilar 2 Tiered approval limit for a given transaction Identification of operational risk is done through the RCSA covering seven functional activity of banks, namely: Activity of credit, Treasury and Investment, Operational and services, trade financing, funding and debt instruments, information technology and management information systems, and human resource management. Measurement of operational risk is carried out using Basic Indicator Approach (BIA). Currently, is gradually preparing the calculation method using Standardized Approach (SA), which will be followed by the Advanced Measurement Approach (AMA). MONITORING of risk profile is conducted with Key Risk Indicators (IRU), based on assessment results of risk profile and operational loss data is managed through the Incident Management (MI). Controlling OF risk through: - Assessment Procedures for New Products and Activities for any new products or services, where any such product must go through a review by the Risk Management Unit and Compliance and Legal Unit (if necessary) before it is registered to a regulator - Business Continuity Management protocol for events that are catastrophic. In this case, has a Crisis Management Team (CMT), which plays an important role during disturbances or disaster and is responsible to step in including reputation risk management. TMK structure is established in all working units ie CMT Headquarters, CMT Regional Offices, Branch Office CMT. Strategic aspects that must be considered in the management of reputation risk at times of crisis is to maintain customers, shareholders, and the public confidence on good reputation. Segregation of duties among Maker-Checker-Signer in the operational activities of banking, where most of the approval process has been embedded in Core Banking, Asset Management and HR MIS systems Procedures of Complaint Handling with a specific SLA Implementation of SOP (Standard Operating Procedure) related to APU and PPT to protect from money laundering and terrorism-related crimes. As well as a system of AML (Anti Money Laundering) exists to monitor suspicious transactions (CTR and STR). Integration between the surpassing limit of operational, legal, strategic and compliance risks and performance assessment of either individual and/or business units Compliance Risk Pillar 1 Discussion on compliance risk profile and its management as well as the follow-up are discussed in the RMC, and RMOC Meetings The compliance risk management process is described in both DUJ and/or BPO of Compliance Work Unit. Establishment of Special Working Unit at both branch offices and Headquarters is to coordinate the management of compliance risk which mainly related to APU and PPT program Management of compliance risks becomes part of the duties and responsibilities of the Risk Management function, which coordinates the implementation of Risk Management for eight types of risk including compliance risk. Identification of compliance risks is done through compliance risk profile reports submitted by each work unit to Compliance Division Each transaction process as well as new products and activities that have potential compliance risks must initially be reviewed by Compliance Division. Compliance monitoring with the latest regulations is the responsibility of Compliance Work Unit. Each regulatory changes, including legislation, regulation, POJK, and PBI are reviewed by Compliance Division and had its impacts assessed for the company. Management Discussion and Analysis Corporate Social Responsibility Consolidated Financial Statements 2016 OJK Regulation & ARA 2016 Criteria Cross Reference

9 436 Compliance Risk Management Process is supported by an adequate information system to identify and monitor the claim for money laundering and terrorism-related funding. The systems includes Anti-Money Laundering system and Cash Transaction Reporting System and Suspicious Transaction Report inherent in Core Banking. Compliance Division is actively disseminating the new regulatory impact on the business and operations of the company. Reputation Risk Pillar 1 The discussion on reputation risk profile and management as well as the follow-up are discussed in RMC, and RMOC Meetings In order to control reputation risk, SKP Division has been appointed to handle any negative information. Reputation risk management process is described in DUJ and BPO of the Corporate Secretary Division. The identification of risk reputation is done regularly by the SKP Division to see the amount of negative coverage of, the number of customer complaints in both printed and electronic media, call center and company rating. Measurement of reputation risks aims at estimating the level of vulnerabilities of in facing reputational risks. After identification process, there will be measurement against risk of reputation to assess reputation risk categories by using several parameters correspond to the limit stated in the reputation risk profile report. Monitoring of risk undertaken by SKP Division is to conduct regular monitoring of the number of complaints and negative publicity in the media and to report in the reputation risk profile. Monitoring of reputation risk in the Regional Office carried out by OJL Section Service Subsection at each Regional Office is to conduct periodic monitoring of the quality of service in main branch offices, branch offices and each of Assistance Units, where quarterly report compiles report on handling of customer complaints on Headquarter Report of Commercial Banks/LKPBU for every year. reputation risk is controlled, among others, with the presence of SE policy and Management Information Services, while at the same time, SKP Division coordinates with Service Division and relevant work units to resolve negative press and complaints from customers in accordance with predefined SLA. Compliance Division is actively disseminating the new regulatory impact on the business and operations of the company. Strategic Risk Pilar 1 Discussion on strategic planning, target achievement monitoring and evaluation of strategies are deliberated in the Joint Meeting of Commissioners and Directors (Radirkom) during the discussion on RBB approval, approval of work and budget plan of the Company/CBP, and the discussion of the quarterly results. Material in strategic forum (Forstra) which is held each year to support the strategy formulation process are also discussed in the meeting of the Board of Directors. In addition, Board of Directors Committee meetings such as ALCO Committee Meeting also discusses performance achievements and financial performance. Pilar 2 The process of planning, monitoring and evaluation of the strategy set out in BPO and DUJ of Corporate Development and Strategy Division and of Accounting and Financial Management Division. Implementation of Joint Planning Session during the preparation of RBB to discuss business strategy along with the work plan of each Work Unit at the Divisions in Headquarters Organizing the Workshop on Alignment of Inter-Unit Strategic Work Program Plan in the Headquarters office in order to achieve the targets in the CBP and RBB. Implementation of Performance Management with the Balanced Scorecard approach, through the establishment of Key Performance Indicator (KPI) with the principle of vertical and horizontal synergies. Monitoring the Company s strategic initiatives by Change Management Work Unit. The Strategic Initiatives is nonroutine work programs that are very strategic and critical, which should be carried out in order to achieve targets of work unit. Establishment of Corporate Plan Team to prepare Long-Term Plan for the Period of

10 437 Corporate Profile At the level of the Regional Office, has Operations, Network, Services & Performance Management whose role is to monitor the achievement of business targets in their working area. Monitoring and review of performance targets achievements that have been set in the CBP, RBB and CPR are performed regularly at the corporate level by Corporate Development and Strategy division. Review has also made towards the achievement of work programs (Functional Work Plan/RKF) from a work unit at regional office. This review is undertaken to achieve performance targets of Budget Plan - RKA. If there is the realization of one unit s work program is still behind schedule due to linkages with other units, there will be an alignment/acceleration work program to support them. Alignment and acceleration of the work program is monitored by Corporate Development and Strategy Division. Legal Risk Pillar 1 Discussion about material legal case, legal risk management and its follow-up are examined in the RMC, RMOC Meeting and Audit Committee Meeting. Legal guidelines are drawn up by the Legal Division at Headquarters and disseminated throughout the operational working units. There is authority division to assist legal cases between Legal Division at Headquarters and Legal Officer in the Regional Office Each transaction process as well as new products and activities that may have potential legal risks must initially be reviewed by the Legal Division. Legal Risk Monitoring on all Operational Work in Indonesia is conducted by Legal Officer at the Regional Office through mechanism of legal cases reporting and documentation. Legal Officer at the Regional Office and Headquarters will provide legal assistance according their authority if there is legal cases in operational work unit Legal Division is actively disseminate crime mode of operation and its legal handling procedures to minimize legal risks in operational working units. Intra Group Transaction Risk Pilar 1 a) Compliance Director is Director in charge of the Integrated Risk Management function for Financial conglomerate. b) Board of Directors established Integrated Risk Management Committee, and has held RMC Integrated forum to discuss Intra-Group Risk and Policy in Financial conglomerate c) Board of Commissioners of the main entity is responsible for the effective implementation of the Integrated Risk Management and is responsible for: 1. Directing, approving and evaluating policies of Integrated Risk Management 2. Evaluating and providing guidance to improve the implementation of Integrated Risk Management Policy on a regular basis d) Integrated Risk Management Unit has held regular forum with Subsidiaries to discuss Intra-Group s risk profile. These policies below have been regulating Integrated Risk Management: a) Decree Nokep: DIR DIR/DMR/06/2015 dated June 30, 2016 on Integrated Risk Management Policy of PT Bank Rakyat Indonesia (Persero), Tbk And Subsidiaries b) Circular Letter No S DIR/DMR/07/2015 on Guidelines for Risk-Based Bank Rating at PT Bank Rakyat Indonesia (Persero) Tbk dated July 24, 2015 in which regulates Intra- Group Risk Profile and Integrated Corporate Governance c) Decree of the Integrated Risk Management Committee, Nokep: DIR/DMR/12/2016 dated December 30, a) Identification of Intra-Group Integrated Risk is carried out by the Integrated Risk Management Unit, both quantitative and qualitative assessment that will significantly influence financial conglomerate conditions. b) Measurement of inherent Intra-Group Risk and quality of implementation of integrated Intra-Group Risk management are conducted through integrated risk Profile Report c) Monitoring and Control Risks are done through Discussion Forum on Subsidiaries Risk Profile which is held regularly to discuss Intra-Group risk issues and action/follow up plans d) Intra-Group Risk management process is deemed adequate. In order to control the risk of intra-group transactions, Investment Service Division has been assigned as work unit to manage s subsidiaries. Management Discussion and Analysis Corporate Social Responsibility Consolidated Financial Statements 2016 OJK Regulation & ARA 2016 Criteria Cross Reference

11 438 a) Effectiveness of Intra-Group Risk Awareness Culture at Financial conglomerate b) Independent review on the quality of implementation of intra-group risk management is conducted by Internal Audit Unit regularly, at least once every year. Risk Insurance Pilar 1 a) Compliance Director is Director in charge of the Integrated Risk Management function for Financial conglomerate. b) Board of Directors established Integrated Risk Management Committee, and has held a forum to discuss Insurance Risks and policies in financial conglomerate. c) The Board of Commissioners of the main entity is responsible for the effective implementation of the Integrated Risk Management and is responsible for: 1. Directing, approving, and evaluating Integrated Risk Management policy 2. Evaluating and providing direction on improvement of implementation of Integrated Risk Management Policy periodically d) An Integrated Risk Management Unit has held a forum with subsidiaries on a regular basis to discuss the Insurance Risk Profile. These policies below have been set to regulate Integrated Risk Management: a) Decree Nokep: DIR DIR/DMR/06/2015 dated June 30, 2016 on Integrated Risk Management Policy at PT Bank Rakyat Indonesia (Persero), Tbk and Subsidiaries. b) Circular Letter S DIR/DMR/07/2015 on Guidelines for Risk Based Bank Rating at PT Bank Rakyat Indonesia (Persero) Tbk dated July 24, 2015, in which regulates integrated insurance risk and Integrated Corporate Governance. c) Decree of Integrated Risk Management Committee Nokep: DIR/DMR/12/2016 dated December 30, a) Identification of integrated insurance risk is conducted by Integrated Risk Management Unit, both quantitative and qualitative assessment that may significantly influence financial conglomerate conditions. b) Measurement of Inherent Insurance Risk and of quality of implementation of insurance risk management is conducted through Integrated Risk Profile Report c) Monitoring and Control Risks are done through regular Risk Profile Discussion forum with subsidiaries to discuss insurance risk Issues and action plans a) Effectiveness of Insurance Risk Awareness culture on Financial conglomerate b) Independent review on the quality of the Insurance Risk Management is conducted by Internal Audit Unit regularly, at least once every year. INTEGRATED IMPLEMENTATION OF RISK MANAGEMENT A complete Integrated risk management process includes stages of identification, measurement, monitoring and control in accordance with applicable regulations. Risk management process is carried out on all risk factors, both quantitative and qualitative, which significantly affect the financial condition of the financial conglomerate. In applying Integrated Risk Management, as the main entity ensures risk management through the following matters: a. Determination of Integrated Risk Limit Preparation of the limit is done by considering inputs from members of Financial conglomerate. Risk limits determination includes overall limit, limit for each kind of risks and limit for each financial conglomerate member who has risk exposure. These limits are reviewed regularly by Risk Management Division to adjust to changing conditions. s Risk Management Division periodically submit the results of the limit monitoring to Board of Directors or to Integrated RMC.

12 439 Corporate Profile b. Integrated Risk Profile Report Integrated Risk Profile Report is compiled each semester up to end of June and December position, presented comparatively with the position of the previous semester. Overall risk profile of conglomerate in December 2016 is low to moderate. c. Capital adequacy of Financial Conglomerate is maintained through risk profile monitoring and the calculation of integrated minimum capital requirement (CAR). compiles and reports the calculation of integrated minimum capital requirement of Financial Conglomerate every semester in pursuant of FSA regulation. Integrated Minimum Capital Requirement Ratio of and its Subsidiaries in December 2016 reached 236%. Integrated Capital Adequacy Ratio is above the minimum threshold of 100%. d. Liquidity management. Consolidated Liquidity Coverage Ratio (LCR) of on December 2016 achieved %. The ratio of Consolidated LCR has met the minimum requirement of 80%. e. Intra-Group Transactions Monitoring Total intra-group transactions to total assets, calculated on all balance sheet transactions (money market borrowing and placement) for both subsidiaries to and vice versa reached Rp1.3 trillion, less than 0.2% of total assets of the Bank. f. Implementation of Integrated RMC Integrated Risk Management Committee (RMC) is the highest committee in the risk management system of the Financial Conglomerate. In 2016, implemented Integrated RMC 3 times, on March 7, 2016, September 28, 2016 and December 7, Consolidated Financial Statements 2016 Management Discussion and Analysis Corporate Social Responsibility OJK Regulation & ARA 2016 Criteria Cross Reference