The bank’s underlying premise for managing risk is to protect and grow the economic value of the Bank for our many stakeholders. Our stakeholders include our shareholders, our customers, our suppliers, our employees, our investors, the general public and the PMA. In striving to provide value to our stakeholders, we encounter many risks in our business and operating environment that can both reduce or add value to the Bank. Accordingly, the bank’s needs an integrated risk management framework to help effectively identify and manage these risks. As this framework is progressively implemented across the Bank, consistent and systematic risk management will become an integral part of the way we run our business.
Risk management does not mean risk avoidance; all organisations must accept some risk if they are to achieve a sustainable profit for their shareholders. At BOP, we accept risk-taking as part of our strategy to both create and preserve value, but we expect financial and non-financial returns commensurate with the risk.
BOP’s risk management framework enhances our capability to systematically identify and assess risks, and establish acceptable levels of risk relative to BOP’s growth and return objectives. Linking effective risk management to the achievement of our corporate goals will bring about greater alignment and certainty of outcomes, resulting in the likelihood of improved organisational performance.
BOP’s objectives and the environment in which we operate are evolving and as a result, the risks the Bank faces are continually changing. Sound management of BOP’s risks depends on a thorough and regular evaluation of the nature and extent of the risks to which the Bank is exposed. Since there are rewards for successful risk-taking in business, the purpose of risk management at BOP is to help manage risks to acceptable levels rather than to eliminate them.
Such an enterprise-wide risk management framework encompasses the risk culture, processes and structure that are established by BOP’s Board of Directors, management and other personnel. It is applied in strategy setting and decision-making across the Bank to provide reasonable assurance regarding the achievement of BOP’s objectives.
The internal environment or risk management culture of BOP sets the tone for managing risk in the Bank and provides the basis for all the other components of the Framework.
The key factors influencing the environment that BOP wishes to achieve are:
- A set of shared beliefs and attitudes throughout the organisation characterising how BOP considers risks throughout its operations. This basic risk management philosophy is to be reflected in everything BOP does – by capturing it in policy statements, oral and written communications, decision making, general behaviours and everyday actions;
- Operating consistently within the Board approved “risk appetite” – that is, on a broad level, the amount and types of risk that the Board and senior management are prepared to accept in pursuit of value. Risk appetite is assessed and documented by the Board and senior management team during the annual strategy setting process;
- The operating policies that are approved by the BoD that set guidelines for how risk shall be managed across the BOP; and
- A commitment by everyone in the organisation to embrace the risk management framework, to share a common language for risk, to work in accordance the Bank’s Code of Conduct and to seek to continuously improve the way in which we manage risk.
- An investment in the training of staff to develop skills and experience to make risk management a core competency across the Bank. This is supported by an open, honest culture that values the identification and communication of risk issues.
Accordingly, the objectives of the Bank’s risk management activities are to:
- Establish a framework that supports the business activities to maximise risk-adjusted returns within the Board’s risk appetite and other constraints such as regulatory requirements and the Bank’s internal controls
- Accurately identify and measure the sources of these risks
- Recommend appropriate levels of these risks, consistent with the Board’s tolerance or appetite for such risks
- Control the level of these risks by establishing limits and routinely monitoring the risk exposures to these limits
- Ensure that there is no breach of relevant PMA regulatory requirements and applicable laws
- Seek to enable a balance between controlling these risks and generating optimal returns within these risk constraints
- Add value to the Bank’s business units, senior management and Board by providing analysis and recommendations to support the achievement of the overall Bank’s strategic objectives.
The major risk types for the Bank have been identified and specific Risk Policies have been developed as follows:
- Asset Liability Management (ALM) Policy
- Credit Risk Policy
- Liquidity Risk Policy
- Currency Risk Policy
- Interest Rate Risk Policy
- Investment and Counterparty Risk Policy
- Operational Risk Policy
The level of the Bank’s capital is aligned to the risk appetite and risk profile. The key objectives for capital management are to:
- Satisfy PMA regulatory requirements relating to capital adequacy and to adhere to regulatory standards and guidelines
- Manage the capital resources of the Bank within its risk appetite
- Generate sufficient capital to support the growth of the Bank’s balance sheet and business strategy
- Hold an adequate buffer to ensure maintenance of capital adequacy under unexpected, stressed economic conditions
- Efficiently manage and allocate capital in order to optimise risk adjusted returns
The Risk Management Framework Policy of the Bank is under the authority of the Board of Directors.
The Board is responsible for approving the Bank’s risk appetite and strategy, and to formally review it annually or more often if required.
The Board delegates specific oversight of all risk management activities in the Bank to the Board Risk Management Committee, while the Board delegates oversight authority to the BRC, ultimate responsibility for the Bank’s effective risk management and adherence to this Policy rests with the Board. The Board will formally review the Risk Management Framework Policy and all other risk policies at least annually or as internal or external events may dictate.
• Develops the business strategy
• Approves risk management strategy for the Bank
• Articulates risk appetite
• Approves risk appetite translation into risk tolerances and limits
• Establishes the risk governance structure
• Reviews significant risk issues highlighted by different Board committees
• Reviews and approves risk policies and procedures
• Delegates relevant authority to risk functionaries
• Reports to stakeholders on risk management
• Approves public disclosures
The Board may delegate responsibility to the Board Risk Management Committee for the following:
• Ensure development and implementation of the Bank’s risk management framework
• Communicate the risk policies across the Bank
• Review risk management effectiveness and follow up of remedial actions
• Review significant risk issues highlighted by ALCO-Executive Risk Committee and CRO.
• Ongoing oversight and monitoring of the Bank’s risk exposures
• Monitor compliance with Bank policies, PMA regulations and any other external risk management requirements
• Approval of the appointment of the Chief Risk Officer
The Executive Risk Management Committee (ERMC) is a management committee that is delegated with authority from the Board to implement the Bank’s risk management framework. Responsibilities include the following:
• Develop and recommend the Bank’s risk appetite and strategy to the Board
• Oversee the identification, assessment and management of Bank-wide material risks
• Assess the risk implications of the Bank’s business strategies
• Consider the impact of changes in market, economic and competitive environments on the Bank’s risk profile
• Review exceptions, if any, from approved risk guidelines / policies
• Review adequacy of the provisioning policy
• Monitor and review the Bank’s progress towards implementation of the Risk Management Framework
• Monitor compliance with legal and regulatory requirements
• Report to the Board on all material matters arising from its review and monitoring functions
• Report monthly on the nature and magnitude of all significant risks
• Report to the Board Risk Committee on the overall effectiveness of the risk management process
• Develop risk awareness at all management and staff levels
• Initiate/oversee a formal training programme on Risk Management to entire bank staff
• Recommend to the Board Risk Committee relevant risk management policies
• Ensure sound risk management policies and practices are implemented
• Ensure adequate procedures are in place to manage identified risks
• Oversee risk and capital management plan
The Risk Management Departments, headed by Chief Risk Officer (CRO), is responsible for developing and implementing the Bank’s Risk Management framework.
Responsibilities include the following:
• Drafts risk policies and procedures
• Develop risk management standards and measurement tools
• Monitors the Bank’s overall risk profile, including risk aggregation, reporting, trends, and change in material risk positions
• Monitors compliance with risk policies and procedures (in coordination with the Compliance Department)
• Compiles risk across business units and escalates risk and control issues to senior management
• Periodically develops and presents reports on aggregate risk profile
• Supports the organization’s risk culture through the development of a common risk language and Bank wide risk training and support
• Provides interpretation of risk-related regulations, leading practices and disseminates to business units
As noted herein, the day-to-day risk management or implementation of the approved risk management strategy is the responsibility of the risk taker. Their responsibilities include the following:
• Identify, assess, measure, monitor, and report various risks within their business lines
• Manage business activities within the parameters of relevant risk policies
• Recommend business proposals that meet the risk appetite and strategy criteria
• Assess the effectiveness of controls in line with documented risk policy
• Design, operate and monitor a suitable system of control
• Manage and review risks as part of day to day business activity
• Develop daily reports for the risk management department
• Report risk issues to the risk management departments on a regular basis