ttb 56-1 One Report 2021 (EN)

Legal and Financial Control are 2nd Line of Defense functions, reporting to the CRO and the CFO respectively, which oversee legal risk and financial control risk; both are also covered under the non-financial risks. Audit operates as the "3rd Line of Defense". Its mission is to provide independent assurance on the design and effectiveness of the internal controls established by the first line (BU/SUs) and the second line (CORM, Compliance, Legal, Financial Control). In carrying out this work, Audit provides specific recommendations for improving governance and the risk and control framework.

The Bank uses several tools and processes to manage operational risk, such as Risk & Control Self-Assessment (RCSA), the Risk Appetite Statement (RAS), Key Risk Indicators (KRIs), Incident Management, Action Tracking, the Product and Service Approval Process (PSAP), Third-party Risk Management, the Business Continuity Plan and Disaster Recovery Plan (BCP/DRP), and Key Control Testing (KCT). The Bank uses the GRC system as the tool for incident management and response and for PTA identification, and to track the status of actions arising from audit and non-audit findings, ensuring that they are monitored and managed efficiently by all relevant parties.

RCSA is a process that helps to identify and assess key risks and controls and to determine mitigating actions. The Bank has also established KRIs at corporate and business level as warning signals for all levels of management, enabling them to proactively manage and control their non-financial risks. Incident management is established to enable the detection, resolution and analysis of non-financial risk incidents, as well as the collection of loss data.

The RAS is determined based on strategy, objectives and historical incident data, and contains a set of quantitative and qualitative statements. The quantitative statements are measurable and are determined by the strategic priorities of the organization. The qualitative expressions of non-financial risk appetite describe the acceptable and unacceptable attitudes and behaviors of the organization as a whole. The measuring, monitoring and reporting of the RAS is done through the non-financial risk dashboard (NFRD) on a quarterly basis, which aims to promote a pro-active risk management response. If the Bank moves towards or beyond a tolerance level, the responsible units highlight the issue in the NFRD reporting to the Bank Non-Financial Risk Committee (BNFRC), the Risk Oversight Committee (ROC) and the Board of Directors (BoD), and management and staff are expected to take action to bring the risk back within its tolerance level.

To ensure that products and services are offered in a safe and responsible manner, the Product and Service Approval Process (PSAP) sets guidelines for the sign-off and approval of new products and services. This due diligence process ensures that the potential risks created by new products and services are properly identified and mitigated, and that the necessary infrastructure and controls are in place to support the new business.
