

CORPORATE GOVERNANCE
İŞBANK
ANNUAL REPORT 2014
All principles and procedures related to the constitution and management of the Bank’s asset-liability structure and the Bank’s risk appetite are
established by the Board of Directors. Keeping asset and liability management risk within the levels imposed by legislation and
internal risk limits is the primary priority. Internal risk limits are determined by the Board of Directors, taking into consideration liquidity, target
income level, general expectations about changes in risk factors, and the risk appetite of the Bank.
The Board of Directors and the Audit Committee are obliged to monitor that the Bank’s capital is used optimally. For this purpose, these bodies are obligated
to keep risk limits under control and ensure that necessary actions are taken.
The Asset-Liability Management Committee is responsible for governance of asset and liability management risk in accordance with the risk
appetite and risk limits determined by the Board of Directors and within the principles and procedures expressed in this policy.
Measuring asset and liability management risk, reporting the results and monitoring compliance with the risk limits are the
responsibilities of the Risk Management Division. The course of the risk taken is reviewed under different scenarios. Measurement results are
tested in terms of reliability and integrity. Asset and liability management risk is reported to the Risk Committee, and to the Board of
Directors through the Audit Committee.
Compliance with risk limits is closely and continuously monitored by the Risk Management Division, the Asset-Liability Management Committee
and related business units. In the event of a breach in the risk limits, the breach and its reasons are instantly reported to the Board of Directors
through the Audit Committee. The course of action needed to eliminate the breach is determined by the Board.
Asset and liability management processes and compliance with the policy rules are audited by the internal audit system. The principles
regarding the audit process, audit reports and fulfillment of action plans to eliminate the errors and gaps identified by internal audit are
established by the Board of Directors.
Operational Risk Policy
Operational risk is defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external
events”. The Risk Management Division is responsible for risk management activity on this particular risk. Operational risk management
activities comprise defining, measuring, analyzing, monitoring and reporting operational risks, and following up on new techniques
for managing operational risks, in addition to regulatory and internal reporting. The fundamental principles and procedures of risk
management are determined in the Operational Risk Policy.
Categorization of the operational risks inherent in the activities and processes is made possible by the Bank Risk Catalogue. It serves as the
basic document to define and classify the risks and is subject to alteration as conditions change. The Bank Risk Catalogue is modified in line with
improving risk management practices and changing regulations.
The methodology employed to identify operational risks is “self-assessment”. This methodology requires staff with roles and
responsibilities in a particular activity to get involved in the risk and control assessment process of that activity. The operational risk
management process combines both qualitative and quantitative approaches in measurement and assessment. The measurement process
uses data obtained from “impact - likelihood analysis”, the “loss database” and “key risk indicators”.
All operational risks inherent in the banking processes and information systems, risk levels of new products and processes, and operational
losses incurred by the Bank are monitored continuously; risk assessments are updated regularly and reported to the Risk Committee and
the Board in a timely manner.
Employees understand the Bank’s objective of attaining a working environment that aims to reduce the probability of loss,
take into consideration all internal rules and procedures, led by the operational risk policy, and act sensitively to the inherent operational risks
and controls.
Consolidated Risk Policies
Compliance with risk management principles related to the Bank’s subsidiaries is monitored according to the Bank’s “Consolidated Risk
Policies”. Through the Consolidated Risk Policies, subsidiaries identify their specific risk management policies, which are approved by their
Boards and form the framework of their risk management systems and processes.
Information Systems Management Policy
The purpose of the Information Systems Management Policy is to determine the principles that form the basis for managing the
information systems the Bank uses to carry out its activities, and the procedures to define, measure, control, monitor, report and
manage the risks derived from using information technologies. With the Policy, information technologies, an important element
in sustaining the Bank’s activities, are intended to be managed effectively, with information systems management handled as a part of
corporate governance practices. The articles of this Policy apply to the management of the Bank’s information systems and all elements
relating to those systems.
Risks derived from information technologies are basically assessed within the scope of the Bank’s operational risk management. It is essential
that those risks, which could be seen as multipliers of the other risks derived from the activities of the Bank, are measured, closely monitored
and controlled within the framework of the Bank’s integrated risk management.