İŞBANK Annual Report 2015 - page 83

Corporate Governance
Operational Risk Policy
Operational risk is defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external
events”. The Risk Management Division is responsible for risk management activity relating to this risk. Operational risk management
activities comprise defining, measuring, analyzing, monitoring and reporting operational risks, and following up on new techniques
for the management of operational risks, in addition to regulatory and internal reporting. The fundamental principles and procedures of risk
management are determined in the Operational Risk Policy.
The Bank Risk Catalogue makes it possible to categorize the operational risks inherent in activities and processes. It serves as the
basic document to define and classify the risks and is subject to alteration as conditions change. The Bank Risk Catalogue is modified in line with
improving risk management practices and changing regulations.
The methodology employed to identify operational risks is “self-assessment”. This methodology requires staff with roles and
responsibilities in a particular activity to get involved in the risk and control assessment process of that activity. The operational risk
management process combines both qualitative and quantitative approaches in measurement and assessment. The measurement process
uses data obtained from “impact - likelihood analysis”, the “loss database” and “key risk indicators”.
All operational risks inherent in the banking processes and information systems, the risk levels of new products and processes, and the operational
losses incurred by the Bank are monitored continuously; risk assessments are updated regularly and reported to the Risk Committee and
the Board in a timely manner.
Employees understand the Bank’s objective of attaining a working environment that aims to reduce the probability of loss,
take into account all internal rules and procedures, led by the Operational Risk Policy, and act sensitively to the inherent operational risks
and controls.
Consolidated Risk Policies
Compliance with risk management principles related to the Bank’s subsidiaries is monitored according to the Bank’s Consolidated Risk Policies.
Through the Consolidated Risk Policies, subsidiaries identify their specific risk management policies, which are approved by their boards and
form the framework of their risk management systems and processes.
Information Systems Management Policy
The purpose of the Information Systems Management Policy is to determine the principles which will constitute a basis for the management of
the information systems that the Bank uses to fulfill its activities, and the procedures to define, measure, control, monitor, report and
manage the risks derived from using information technologies. Through the Policy, information technologies, which are an important element
for sustaining the Bank’s activities, are intended to be managed effectively, with information systems management handled as a part of
corporate governance practices. The articles of this Policy apply to the management of the Bank’s information systems and all the elements
relating to those systems.
Risks derived from information technologies are basically assessed within the scope of the Bank’s operational risk management. It is essential
that those risks, which could be seen as multipliers of the other risks derived from the activities of the Bank, are measured, closely monitored
and controlled within the framework of the Bank’s integrated risk management.