ttb 56-1 One Report 2021 (EN)

2.2.4 Non-Financial Risk

Non-financial risk is defined as the risk of financial and non-financial impact (e.g. legal or regulatory sanctions, or reputational damage) resulting from inadequate or failing internal processes, people and systems, from a failure to comply with laws, regulations and standards, or from external incidents.

Non-financial risk management at the Bank is governed by a structure in which the Board of Directors holds the ultimate responsibility for bank-wide risk management. The Board has delegated several non-financial risk management authorities to the Bank Non-Financial Risk Committee (BNFRC) and the IT Non-Financial Risk Committee (IT NFRC), both chaired by the CEO. These committees are responsible for managing the non-financial risks and IT risks of the Bank and its subsidiaries by establishing the non-financial risk strategy and policies, by ensuring that they are implemented effectively at all levels with the proper degree of granularity, and by overseeing outstanding risk exposures, adequate follow-up on outstanding risk mitigation actions, and compliance with the NFR Policy and Minimum Standards.

The Bank has established Non-Financial Risk Committees (BU NFRCs) for its three business units (Retail Banking, Automotive Lending and Commercial Banking). Each BU NFRC is chaired by the Business Chief and reports to the BNFRC, enabling management at lower levels to steer operational and compliance risk management in their respective business units.

Chiefs, product owners and process owners in business units and support units form the 1st Line of Defense and are primarily responsible and accountable for their own operational risk management and controls. Business Operational Risk Management (BORM) is part of the 1st Line of Defense and reports hierarchically to the Chief of the business or support unit, and functionally to the Head of CORM.
BORM supports Chiefs, product owners and process owners in performing risk management activities, including RCSAs, incident reporting and root cause analysis of incidents. BORM teams independently test controls.

The Bank has established a dedicated Corporate Operational Risk Management (CORM) function as the 2nd Line of Defense, reporting to the CRO, to oversee specific non-financial risks. CORM develops the Non-financial Risk Management Policies (approved by the Board of Directors and the Risk Oversight Committee) and ensures that non-financial risks are properly identified, assessed, monitored, reported, analyzed and controlled in a systematic and consistent manner. The policies provide the foundation and common infrastructure for delivering, maintaining and governing non-financial risk management. CORM reviews the control framework and performs QA on the control testing carried out by BORMs.

Compliance is a 2nd Line of Defense function, reporting to the CRO, that oversees compliance with Market Conduct regulation, the PDPA, AML, CDD/KYC and other relevant laws and regulations. Compliance developed the Compliance Policy to ensure that compliance risks are properly managed.
