ttb 56-1 One Report 2021 (EN)

The Bank has established its Third-party Risk Management Policy to set out the principles and standards for the effective identification of the major risks created by outsourcing and the management of such risks. The Bank has established its Business Continuity Management (BCM) Policies and Standards to provide guidance and standards for all units to develop a Business Continuity Plan. The Business Continuity Management function under the Information Security Office (ISO) is set up to oversee the implementation of the BCM Policies and Standards and to monitor and lead the co-ordination of group-wide BCP initiatives in order to raise the overall BCP/DRP readiness of the Bank.

The Bank has established the Key Control Testing (KCT) minimum standard to provide guidance and standards for all Business and Support Units in the area of mandatory control testing by BORM functions. KCT is the set of methods and processes used for key control testing in order to keep the non-financial risks related to business activities actively within the Bank’s risk appetite, ensure the effectiveness of controls and build a proactive Risk Culture.

In terms of non-financial risk management at the subsidiaries, the subsidiaries have aligned with and adopted the Bank’s Non-financial Risk Management Policies where applicable.

2.2.5 Reputational Risk

Reputation can be described as a strategic asset of the Bank, which is embedded in its key stakeholders’ perceptions of the whole organization, its business practices or its employees’ behaviors, and which cannot be transferred to or deployed by other banks and competitors. Reputational risk can be described as the exposure incurred from unexpected incidents or from unanticipated responses to the institution’s initiatives, actions and day-to-day activities, particularly in cases that catch public attention and become negative news.

Unexpected incidents range from the activities of rogue employees, to questions regarding the suitability of sales practices, to the actions of disgruntled customers, to public regulatory sanctions - all of which can generate negative public reactions. Unanticipated responses range from negative public reactions (including liquidity implications) to announcements or activities of the institution, to organized public activities designed to influence institutional decision-making. Such incidents and responses may result in a negative image of the Bank or reduced confidence in the Bank or the Bank’s products or services, and may negatively impact the present and future revenue and/or capital of the Bank.

Reputation is one of the impact factors described in the Non-Financial Risk (NFR) Footprint, which provides the guideline on how the Bank assesses the reputational impact on the Bank’s brand/image arising from non-financial risk events. Reputational risk is a key area discussed as part of RCSA activities, resulting in risk statements and mitigating controls that are documented in control frameworks.
