The ORMF, which provides the overarching set of standards, tools and processes that apply to the management of all risk types underlying Operational Risk, is complemented by the Operational Risk type frameworks, risk management and control standards and tools set up by the respective Risk Type Controllers for the Operational Risk types they control. These include the following with respect to the following risk types:
- Compliance Risk is the risk of incurring criminal or administrative sanctions, financial loss or damage to reputation as a result of failing to comply with laws, regulations, rules, expectations of regulators, the standards of self-regulatory organizations, and codes of conduct/ethics in connection with the Bank’s regulated activities (collectively the “Rules”). Failure to appropriately manage Compliance Risk can give rise to fines, penalties, judgments, damages, sanctions, settlements and/or increased costs, limitations on businesses related to regulatory or legal actions due to non-compliance with established policies and procedures and Rules governing the activities of a business or entity, and potential reputational damage. The Compliance department, as the second line of defence control function for the Compliance-owned risk types, identifies relevant effective procedures and corresponding controls to support the Bank’s business divisions and Infrastructure functions in managing their Compliance risk. The Compliance department further provides advisory services on the above; performs monitoring activities in relation to the coverage of new or amended material rules and regulations; and assesses the control environment. The results of these assessments are regularly reported to the Management Board and Supervisory Board.
- Financial Crime risks are managed by our Anti-Financial Crime (“AFC”) function via maintenance and development of a dedicated program. The AFC program is based on regulatory and supervisory requirements. AFC has defined roles and responsibilities and established dedicated functions for the identification and management of financial crime risks resulting from money laundering, terrorism financing, non-compliance with sanctions and embargoes as well as other criminal activities including fraud, bribery and corruption and other crimes. AFC assures further update of its strategy on financial crime prevention via regular development of internal policies and procedures, institution-specific risk assessment and staff training.
- Group Legal is primarily responsible for managing the Bank’s legal risk, and carries out its mandate as infrastructure control function through, among other things, the following legal services: (i) provision of legal advice, (ii) drafting of legal content of documentation that defines rights and obligations of the Bank such as contracts, (iii) the management of all contentious matters and (iv) retaining external counsel. These activities are the key pillars of the legal control framework to mitigate the Bank´s legal risk. Legal has established a Legal Risk Management function responsible for implementing and maintaining the ORMF in respect of legal risk types which includes overseeing Legal’s participation in the Bank’s Risk and Control Assessment process and Lessons Learned reviews as well as managing the interface into the Non-Financial Risk Management function. LRM also conducts quality assurance reviews on Legal’s processes, thereby testing the robustness of the legal control framework, identifying related control enhancements and fostering legal risk management awareness via regular communication and training.
- Non-Financial Risk Management Risk Type Control (“NFRM RTC”) is Risk Type Controller for a number of operational risks. Its mandate includes controls over transaction processing activities, as well as infrastructure risks to prevent technology or process disruption, maintain the confidentiality, integrity and availability of data, records and information security, and ensure businesses have robust plans in place to recover critical business processes and functions in the event of disruption from technical or building outage, or the effects of cyber-attack or natural disaster. NFRM RTC also manages the risks arising from the Bank’s internal and external vendor engagements via the provision of a comprehensive vendor risk management framework.