Basis for Management Policy on Capital Structure BCA’s capital policy is regularly adjusted with reference
III. C. Disclosure of Operational Risk Exposures and Implementation of Operational Risk
Management
Operational Risk Management Organization
The implementation of Operational Risk Management at a bank-wide level includes the following:
• Board of Commissioners and Board of Directors Ensuring adequate risk management implementation according to the characteristics, complexity, and risk profile of the Bank, as well as a good understanding of the type and level of risk inherent in the Bank’s business activities.
• Risk Management Committee
Ensuring that the risk management framework provides adequate protection against risks faced by the Bank.
• Risk Management Work Unit (SKMR)
Ensuring that the Bank mitigates risks correctly by identifying, measuring, monitoring, controlling, and reporting risks in accordance with the risk management framework and can deal with emergency scenarios that threaten the sustainability of the Bank’s business.
• Enterprise Security Work Unit (SKES)
Protecting and securing information assets of the Bank and ensuring that the Bank’s information security governance is implemented in accordance with the policy.
• Internal Audit Division (DAI)
Examining and assessing the adequacy and effectiveness of the risk management processes, internal controls, and the Bank’s corporate governance.
• Operating-Service Development and Strategy Group (GPOL)
Assisting SKMR in implementing operational risk management programs and providing support to all work units related to SKMR programs.
• Work Units (Business and Support Units as the Risk Owners)
Managing risk in daily operations and reporting operational risk problems and events to the SKMR.
Mechanism to Identify and Measure Operational Risk The Bank has owned and implemented the Risk Self- Assessment (RSA) methodology to identify and measure operational risks since 2002, which has been improved into Risk and Control Self-Assessment (RCSA). RCSA has been implemented in all work units at branches and head office that are identified as having significant operational risks.
In RCSA methodology, work units at branches and head office identify and measure operational risks inherent to their work units, determine the controls that must be implemented to mitigate risks, then design follow-up action plans should there be residual risk with significant value.
In addition to the RSCA methodology, the Bank has implemented a Loss Event Database (LED) and Key Risk Indicator (KRI). LED is designed to assist the Bank in monitoring, recording, and analyzing operational events that have occurred and could lead to losses so that the Bank can take corrective and preventive actions to minimize the possible risk of operational losses.
LED is also a means of operational risk loss data collection used by the Bank to determine the allocation of capital charge from operational losses using the Standardized Approach. Currently, LED has been implemented in all regional offices, branches, and work units at head office.
KRI is a method used to provide an early warning signal in the event of increased operational risk within a work unit. All regional offices, branches, and work units at head office are considered to have fairly significant operational risks and have implemented KRI. The KRI system has been further developed into a predictive risk management tool that can detect and respond to increased risks within work units.
The implementation of RCSA, LED and KRI methodologies is supported by the Operational Risk Management Information System (ORMIS).
Mechanism for Operational Risk Mitigation To mitigate operational risks, the Bank:
• Implements regular Risk Awareness Programs to promote risk awareness to all BCA stakeholders
• Sets and consistently updates policies, procedures, and limits in accordance with organizational development, regulations, and prevailing laws
• Has a Business Continuity Plan (BCP)
• Owns an internal control system, implemented with the four eyes principle and segregation of duty to reduce fraud potential.
To maintain security in conducting digital banking transactions, BCA has implemented cyber risk management with reference to the Bank’s strategy and direction from the regulators. BCA regularly disseminates e-learning, videos, infographics, and e-mail phishing simulations to employees and management in to raise security awareness, as well as webinars to customers.
Addressing the COVID-19 pandemic, BCA has taken efforts to minimize the risk impact of the pandemic as previously described in the Operational Risk section.
New Product and Activity Risk Management
Every development plan of new products/activities will undergo a risk management process beforehand. The Bank has a process to ensure the new products/activities have adequate control or risk mitigation to minimize risks that could arise from the products/activities ensuring it will not significantly affect the Bank’s risk profile. Risk management of new products/activities is implemented based on internal regulations in accordance with regulatory requirements.
The management of new products/activities at BCA includes several important aspects as follows:
• Every development plan for new products/activities must be approved by the Board of Directors and reported to the Board of Commissioners as part of active supervision by the Board of Directors and the Board of Commissioners
• Every development plan for new products/activities must identify risks that could appear, and the impact to all risks, in order to implement adequate risk mitigation
• Every new product/activity should pass several stages: planning, development, testing, implementation, and evaluation
• Newly implemented products/activities will be evaluated to ensure they have achieved the set targets and have adequate risk mitigation
• There is in place an accounting information system for every new product and activity
• Implementing information transparency to customers regarding newly launched products or activities.
conducted in accordance with the strategic objectives, scale, business characteristics, and liquidity risk profile of the Bank. This includes the integration of liquidity risk management with other risks that may impact the Bank’s liquidity position.
The authority and responsibility of Board of Directors are delegated to parties below:
Party Authority and Responsibility
ALCO Authority and Responsibility
Risk Management Work Unit Determines policies and strategies regarding liquidity.
Treasury Division Manages overall operational liquidity of the Bank:
- Responsible for monitoring statutory reserves (GWM) and ensuring the Bank’s compliance on Bank Indonesia regulations on GWM.
- Responsible for managing secondary reserves to maintain liquidity and provide income generating opportunities for the Bank.
Regional Offices and Branches Manages liquidity risk at the respective regional offices and branches.
Funding Strategy
Funding strategy consists of methods to tap diversified sources of funds and to secure a funding duration profile that is linked to the Bank’s characteristics and business plan. The Bank has identified and reviewed the primary factors that affect the ability of the Bank to obtain funds, including identifying and monitoring funding of alternative sources to strengthen the Bank’s capacity to sustain business operations in a crisis condition.
Liquidity Risk Mitigation
To mitigate liquidity risk, the Bank has established guidelines to measure and mitigate liquidity risk, including limits on Secondary Reserves, Interbank Overnight Borrowing limits, Liquidity Coverage Ratios, and the Net Stable Funding Ratio. The Bank has also identified and developed Early Warning Indicators and has implemented a multi-level Contingency Funding Plan to mitigate risk.
Measurement and Control of Liquidity Risk
The measurement of liquidity risk is conducted comprehensively and regularly by monitoring cash flow projections, maturity profile reports, liquidity ratios, and stress test scenarios. Stress testing is conducted based on the Bank’s specific stress scenarios and general market stress scenarios. Liquidity risk is monitored to facilitate timely mitigation and to inform adjustments to the liquidity risk management strategy as soon as any increase in liquidity risk occurs.
The following activities are included in the liquidity risk monitoring process:
• Monitoring both internal and external early warning indicators for events with the potential to increase liquidity risk
• Monitoring funds and liquidity positions that include:
- Interest rate strategy, investment alternatives for fund owners, changes in customer behavior, changes in foreign exchange and interest rates offered by a primary competitor that could impact the fund structure, fund volatility, and core funds. These changes should be monitored on a regular basis (daily, monthly, and annually).
- Daily monitoring of the liquidity position in respect to Minimum Reserves Requirement (GWM), secondary reserves, and liquidity ratio.
Stress Testing Liquidity Risk
Stress testing for liquidity risk is a test using certain scenarios of the Bank’s ability to meet liquidity needs during a crisis. Stress tests are conducted based on a bank-specific stress scenario and a general market stress scenario. Stress testing for specific stress scenarios within the Bank is carried out at least once every three months, while stress scenarios on the market are carried out at least once a year.
Stress testing is performed by considering several factors, including events that have or have the potential to cause a liquidity crisis, duration (duration of events or stress conditions), and the severity of problems caused by these events. The results of the liquidity risk stress test can then be used as input in reviewing policies and strategies for liquidity risk management, composition of assets, liabilities and/or administrative accounts, contingency funding plans, and limit setting.
Contingency Funding Plan
The Bank has designed a contingency funding plan as an action plan to deal with worsening bank liquidity conditions. The action plan is arranged in several levels, namely level one (normal), level two (temporary liquidity squeeze) and level three (name crisis).
The action plan chosen at each level is adjusted to the conditions during a crisis with the priority of speeding up obtaining liquidity and at a reasonable cost. Emergency funding plans must be in line with the results of stress tests, evaluated, updated, and tested regularly to ensure a level of reliability.