Kapital Bank

Founded 1874

Risk Management

Our approach is to proactively identify, evaluate,
and mitigate risks to ensure stability.

The Organizational Risk Management Policy at Kapital Bank OJSC is guided by the Law on Banks of the Republic of Azerbaijan, Corporate Governance Standards for Banks, as well as the Regulation on Operational Risk Management in Banks of the Central Bank of the Republic of Azerbaijan, relevant documents of the Basel Committee, and other international standards and principles.

This Policy ensures effective risk management within the strategic and business framework of the Bank and provides a holistic and comprehensive approach to risk management. The Policy aligns with the Bank's approved risk limits, the Risk Appetite Statement, and the Bank's business strategy. All risks within the Bank are managed according to this Policy.
The Risk Management Policy has two main objectives:
•    To create an environment that encourages the identification of risks and their effective and efficient management, while making use of opportunities for development and innovation;
•    To develop a risk culture that enables effective management of uncertainties and challenges across all of the Bank's operations.
By adopting and adhering to a forward-looking and methodical approach to risk management, the Bank protects itself from potential uncertainties and ensures its long-term operation, stability, and prosperity.

Enterprise Level Risk Identification

To identify risks at the Enterprise Level, the Bank develops a long list of risks and assesses their materiality in its operations. The material risks identified by the Bank are as follows:
Credit risk — the risk arising from the possibility of a borrower or counterparty failing to meet its contractual obligations.
In order to manage credit risks, the Bank analyzes its portfolio using specialized tools:
•    Risk-exposed portfolio;
•    Expected loss (EL) and its components;
•    Vintage analysis;
•    Stress testing models;
•    Scenario analysis / “What-if?” analysis;
•    Transition matrices;
•    Monitoring system analysis;
•    Retrospective modeling and forecasting;
•    Special provisions are created to cover potential losses on assets (based on IFRS and CBA standards).
Market risk — the risk that may arise due to changes in interest rates, exchange rates, and prices of securities and banking products in the financial market.
•    Foreign exchange risk: the risk of financial losses for the Bank related to changes in the foreign currency exchange rates.
•    Interest rate risk: the risk of financial losses for the Bank related to adverse changes in the present value of securities and derivative financial instruments due to changes in the market interest rates.
•    Market volatility risk: the risk of sharp and rapid fluctuations in the prices of financial assets over a short period of time.
•    Credit spread risk: the risk of loss of profit or economic value due to changes in the credit spreads on instruments held in non-trading “books”.
In order to manage market risks, the Bank carries out the following activities:
•    The potential changes in the economy and banking sector are studied and their possible impact on credit, asset and liability management are determined;
•    Interest rate risk, including changes in interest rates and/or breaches of assumed volatility, is assessed using:
      •    the economic value of equity approach;
      •    the net interest income approach;
•    Repricing gap analysis is performed;
•    Investment risks: changes in the value of equities and bonds, yield curves, etc. are evaluated, and the value at risk (VaR) arising from the market risk of securities is calculated;
•    The potential adverse impacts of market risks on financial institutions are assessed;
•    The impact of risks arising from changes in exchange rates and commodity prices on the Bank’s assets is assessed;
•    The stress testing is performed;
•    The scenario analysis is performed, etc.
Liquidity risk — the risk of being unable to fulfil planned and unforeseen obligations in a timely and effective manner, to attract additional liquid funds, or to realise the Bank's assets immediately with minimal losses.
The Bank manages liquidity risk in the following ways:
•    The liquidity risk management methods and models are selected and applied;
•    The risk indicators reflecting internal and external risk drivers are analysed;
•    Liquidity stress testing and shock event analysis are performed;
•    The funding concentration is determined;
•    The quick ratio, liquidity coverage ratio, net stable funding ratio, and other indicators are calculated and analysed;
•    The maturity profiles and liquidity gaps are analysed;
•    The liquidity and payments by currency are analysed, etc.
Concentration risk — the risk of losses associated with uneven distribution of exposures across major counterparties and groups of counterparties, economic sectors, or geographic regions.
Capital adequacy risk — the risk of the Bank’s inability to meet its obligations in the long term.
Operational risk — the risk of losses resulting from inadequate or failed internal processes, people, systems, or external events.
•    Risk of errors in internal control processes: the risk arising from deficiencies and violations in the internal control system, including breaches of internal rules for executing transactions and operations.
•    Operational risk of the payment system: the risk that payment infrastructure services fail to meet the applicable service requirements as a result of failures, malfunctions and accidents in information and technology systems, shortcomings in the organization and execution of technological and management processes, errors or unlawful actions of personnel, emergencies, or erroneous or unlawful actions of third parties.
•    External service provider risk: the risk arising from third parties (vendors, suppliers, intermediaries, etc.) that may affect the Bank’s ability to process transactions and/or provide services or result in legal liability for damages caused to third parties (e.g., customers and other stakeholders).
•    Fraud risk: the risk of deliberate unlawful actions by any person to obtain material or non-material benefits for personal gain, as well as the concealment of such actions.
•    Digital fraud risk: the risk of obtaining material, non-material, or other benefits through unauthorized use of payment cards via physical, contactless, electronic, or digital channels, access to card data, fraudulent transactions, or counterfeiting of cards in physical or digital form.
•    Personnel risk: the likelihood of operational disruptions, financial losses, and reputational damage due to human factors (high staff turnover, employee behavior, security errors, unethical conduct, etc.).
•    Project risk: the risk arising from deficiencies and violations in the project management processes aimed at changing banking operations and operational systems.
•    Legal risk: the risk of losses arising from breaches of contractual obligations by the Bank and/or its counterparties, legal errors in operations, deficiencies in the legal system, counterparties’ violations of regulations, and the presence of the Bank’s counterparties in the jurisdictions of different states.
•    Data risk: the risk arising from a failure to ensure accuracy, reliability, completeness, and timely availability in the processes of risk data aggregation and usage.
Information security and cyber risk — the risk of material or non-material losses for the Bank due to the realization of information security threats. Such threats arise from deficiencies in information security processes (including technological and other measures), software defects in computerized systems and programs, and the misalignment of these processes with the Bank's operations, as well as from external attacks, vulnerabilities, and data breaches targeting IT systems and data.
In order to manage information security and cyber risk, the Bank carries out the following activities:
•    Asset management;
•    Network access control;
•    Access control;
•    Establishing data handling rules and applying encryption requirements;
•    Investigation of information security incidents, etc.
Information systems risk — the risk of malfunction and/or disruption of information systems used by the Bank and/or mismatch of their functional capabilities and characteristics with the Bank’s requirements.
Artificial intelligence risk — risks that may arise from the use of artificial intelligence models. The Bank defines artificial intelligence risk as an emerging risk and assesses its materiality.
Compliance risk — the risk of application of legal, administrative, or disciplinary sanctions to the Bank, as well as the risk of significant financial losses or reputational damage due to non-compliance with local and international laws and regulatory requirements, codes of conduct, best practice standards applicable to financial activities, or instructions of the executive body, in particular directives issued by the supervisory authority.
•    AML/CFT risk: the risk of significant legal and regulatory consequences for the Bank, including fines and reputational damage, due to non-compliance with requirements of regulations on anti-money laundering and counter-terrorism financing.
•    Sanctions and embargo risk: the risk of violating laws, regulations, rules, and standards concerning sanctions and embargoes.
•    Conflict of interest risk: the risk of potential or actual conflict between an employee’s personal interests and the interests of the Bank or its clients.
•    Corruption and bribery risk: the risk of committing corruption offenses or offenses creating conditions for corruption.
•    Data privacy risk: the risk of data breaches due to lack of proper procedures ensuring information confidentiality and internal control.
•    Regulatory risk: the risk the Bank faces due to full or partial failure to comply with legislative acts and regulatory requirements governing banking and financial activities (including regulatory decisions).
•    Professional ethics risk: the risk associated with ethical behavior, practices, or values, including organizational practices, employee conduct, and cultural aspects that may cause harm to internal or external stakeholders.
•    Conduct risk: the risk of the Bank engaging in actions that harm consumers/investors or negatively affect market stability or competition.
Reputational risk — the current or potential risk to the Bank’s income, equity, or liquidity arising from damage to its reputation.
Model risk — the risk of model error arising from decisions based on incorrectly developed and/or applied models, or from incorrect use of model outputs and reporting, as well as model uncertainty related to the model itself and/or the uncertainty of the reality the model attempts to measure.
Strategic risk — the risk of losses arising from failures of strategic initiatives, including acquisitions, mergers, launching new products, entering new markets, etc.
Country risk — credit risk associated with sovereign counterparties, comprising:
•    the risk that an event affecting an entire country (e.g., a natural disaster or socio-political event) leads to default by a large group of borrowers (collective borrower risk);
•    the risk associated with cross-border lending in foreign currency, including the currency risk of significant cross-border exposures.
ESG risk — the risk the Bank may face due to non-compliance with environmental, social, and governance (ESG) requirements.

Operational Risk Identification

To identify operational risks, the Bank shall use the following methods:

  • Risk and control self-assessment (RCSA) process;
  • Incident management system;
  • Monitoring conducted by the second and third lines of defense;
  • Risk analysis of internal business processes and products;
  • Analysis during the creation of new or the modification of existing products and services;
  • Results of internal and external audits;
  • Key risk and performance indicators;
  • Scenario analysis (both past and future-oriented scenarios, stress tests);
  • Analysis of customer complaints, administrative penalties imposed on employees, etc.

All identified risks within the Bank shall be recorded in the Risk and Control Matrix.

Risk assessment in the Bank shall be conducted on an annual basis. The assessed significant risks shall be approved by the Bank's senior management and the Supervisory Board.
Organizational risk assessment in the Bank shall be conducted through the following three approaches:

  • Regulatory approach – direct assessment of risks in line with regulatory prudential standards and requirements;
  • Quantitative approach – evaluation of the significance of risks based on quantitative criteria and calculations that consider their impact and probability;
  • Expert judgment approach – final assessment by experts of non-financial risks to which quantitative assessment is not applied.

During stress testing, the Bank shall evaluate the impact of significant risks on its capital adequacy, financial and operational stability, and its ability to maintain its risk profile, operations, and development strategy. Stress tests shall be conducted at least biannually, and the results shall be submitted to Senior Management and relevant stakeholders.

After a comprehensive assessment of risks and identification of various risks that may impact the Bank, it is essential to adopt risk governance strategies to ensure the safety and sustainability of the organizational environment. When governing its risks, the Bank shall consider the approved risk limits, risk tolerance, and risk appetite. The identified and assessed risks within the Bank shall be collected and monitored in the Bank's Risk and Control Matrix (RCM).
The Bank governs risks in four ways:

  1. Risk acceptance – This is a response to a risk when the potential impact of the identified risk is within organizational risk limits. Risk acceptance involves consciously deciding to tolerate the risk's effects or likelihood without taking specific actions to actively mitigate or manage the risk.
  2. Risk reduction – This involves taking actions to minimize the overall impact of identified risks, thus reducing their potential effects.
  3. Risk transfer – It is a risk response measure taken when the Bank wants to transfer the obligation and responsibility for the risk to other organizations through contracts, insurance or outsourcing agreements.
  4. Risk avoidance – It is a measure of risk response when the established risk exceeds organizational risk limits. A risk avoidance decision is typically made when the risk poses a serious threat to the organization, and the costs associated with mitigating the risk outweigh the potential benefits of the risk management measures.

The main objective of risk monitoring is to ensure that the risks identified by the Bank and to which it is exposed remain within the Bank’s risk appetite and risk limits. When monitoring its risks, the Bank uses the Risk Appetite Statement, Key Risk Indicators (KRI), the Incident Management System, and the Risk and Control Matrix.

Risk reporting is the process of regularly collecting, analyzing, and presenting the risks faced by the Bank according to defined indicators, to management, regulatory bodies, and other relevant stakeholders.
The Bank prepares its overall risk profile on a monthly, quarterly, semi-annual, and annual basis and submits reports to the Chief Risk Officer, the Risk Management Committee, the Management Board, and the Supervisory Board. Also, the Bank submits the required risk-related reports to regulators.

The Senior Management of the Bank is responsible for the following risk management tasks (among others):
Supervisory Board:

  • Reviews and approves the organizational risk management policy, including the processes for identifying, assessing, mitigating, and monitoring risks;
  • Ensures that risk management is integrated into strategic planning and across various levels of the organization;
  • Approves the organizational structure for risk management, including the authority and responsibilities of the risk management function;
  • Reviews and approves internal policies and guidelines related to risk management, ensuring they align with the organization's objectives, regulatory requirements, and best practices;
  • Approves the risk management strategy;
  • Reviews and approves the Risk Appetite Statement and risk limits;
  • Evaluates the effectiveness of the risk management system at least annually and identifies areas for improvement;
  • Approves the Business Continuity Policy and the Emergency Response Plan;
  • Reviews the internal audit report and the action plan to address deficiencies identified during the audit.

Risk Management Committee (RMC):

  • Reviews and initially approves the risk management strategy, policies (reviews the risk management policy at least annually), and guidelines, ensuring their compliance with the organization's objectives, regulatory requirements, and best practices and then submits them to the Supervisory Board for final approval;
  • Reviews and initially approves the Risk Appetite Statement and risk limits, then submits them to the Supervisory Board for final approval;
  • Provides recommendations and suggestions to the Supervisory Board regarding adjustments to the current and future risk appetite, as well as to the thresholds and limits established in case of a breach of these limits, for both aggregate and individual risk types;
  • Reviews and initially approves the risk identification report submitted by the Management Board, along with the Bank's risk register, and then submits them to the Supervisory Board for final approval;
  • Ensures that procedures are in place to ensure the Bank's compliance with the risk management policy, as well as overseeing the implementation of the Risk Appetite Statement by the Management Board;
  • Monitors that the management of the Bank's capital and liquidity objectives, as well as all risks inherent to the organization, including credit, market, operational, reputational, and other risks, are in line with the organization's risk appetite;
  • Provides recommendations to the Supervisory Board on risk mitigation strategies to keep risk levels within the established tolerance limits;
  • Collaborates with the CRO and supervises their activities;
  • Reviews and evaluates the activities of the CRO on an annual basis;
  • Provides recommendations to the Supervisory Board on improving the efficiency of the risk management system.

Executive Board:

  • Reviews the risk management strategy, policies, and guidelines, ensuring their compliance with the organization's objectives, regulatory requirements, and best practices, and submits them to the Risk Management Committee for further review;
  • Arranges the risk management process and ensures the implementation of the risk management policy;
  • Oversees compliance with the risk management strategy and the organizational risk management policy;
  • Monitors the alignment between risk and returns within the Bank's defined risk appetite;
  • Submits reports on risks and their management to the Risk Management Committee;
  • Reviews the Risk Appetite Statement and submits it to the Risk Management Committee for further review and approval;
  • Approves the lower-level limits (sub-limits) within the risk limits established by the Supervisory Board;
  • Reviews the monthly reports on the results of risk limit monitoring and the organization's risk profile;
  • Analyzes the risks faced by the Bank and takes necessary actions to eliminate identified weaknesses;
  • Ensures the cooperation of the Bank's other structural units with the risk management unit, and takes actions to prevent interference with its activities while ensuring appropriate conditions for the effective management of the organization's risks;
  • Reviews the results of the risk culture assessment within the Bank and submits them to the Risk Management Committee for further review;
  • Reports to the Supervisory Board on its activities.

Chief Risk Officer (CRO):

  • Develops the risk management strategy, internal policies, and procedures for risk management, ensuring their compliance with international standards and regulatory requirements, and submits them to the Management Board for further review and to the Risk Management Committee for final approval;
  • Oversees the proper establishment, documentation, and implementation of risk management processes by the organization;
  • Ensures that the activities of structural units comply with the established risk management policies;
  • Ensures compliance with international standards and regulations for risk management, taking proactive measures to guarantee full compliance;
  • Coordinates the activities of the Management Board and structural units regarding risk management;
  • Participates in analyzing the strategic risks of the organization, ensuring the minimization of the negative impact of risks on the business;
  • Reviews the risk identification report submitted by the risk function and submits it to the Management Board for further review;
  • Oversees the execution of the risk assessment processes.

The three lines of defense model is used to establish a system for effective risk management and control. This model helps ensure that risks are appropriately identified, assessed, and managed while promoting transparency, accountability, and compliance with requirements.

  • First Line of Defense – This includes business units directly involved in day-to-day business activities.
  • Second Line of Defense – This involves the structural units responsible for overseeing and guiding the first line of defense in implementing effective risk management practices and performing risk management and compliance functions.
  • Third Line of Defense – This includes the independent internal audit function, which evaluates the effectiveness of the first and second lines of defense.

Risk culture is the set of norms, attitudes and behaviours related to risk identification, risk acceptance and management, and decision-making regarding risks. In line with its risk appetite, the Bank must foster a comprehensive understanding and holistic assessment of the risks it faces and of the ways in which these risks are addressed, promoting a risk culture at the organizational level.
The management of the Bank's risks shall not be limited to internal control or risk management functions. Under the management's oversight, all structural units shall be responsible for managing risks on a daily basis, considering the organization's risk appetite and risk profile, and adhering to the organization's policies, procedures, and control tools.
Therefore, the Organizational Risk Management Policy requires the creation of a sound risk culture, where all lines of defense take on only acceptable risks when making daily decisions in their operations.
The organization's risk culture, a key element of effective risk management, must be strong and sustained to ensure that the organization makes well-founded and informed decisions.
Understanding and evaluating risk culture within the Bank is crucial in identifying strengths, weaknesses, and areas for improvement. Therefore, by conducting a comprehensive assessment of the Bank's risk culture, the Bank takes steps to create a risk-aware and resilient environment, encourage making the most effective decisions in risk management, and improve overall organizational performance.
To accelerate the process of enhancing the risk culture and improving communication across defense lines, a Risk Coordinator is appointed for each structural unit. The Risk Coordinator is responsible for coordinating and overseeing risk management activities within their structural unit. Their role is to ensure the effective implementation of risk management policies, procedures, and strategies within their structural units, in line with the organization's objectives and goals.

This Policy shall come into effect upon its approval by the Supervisory Board of the Bank.
All structural units within the Bank are responsible for implementing this Policy in accordance with the provisions outlined in it. Together with the Bank's management, they are responsible for ensuring compliance with the provisions specified in this Policy, as well as for the periodic review and revision of the Policy.
The Bank regularly conducts an external independent assessment of its risk management practices. This is considered essential to ensure that the risk management processes function effectively and that significant risks are managed at acceptable levels.

Updated: 04.06.2026