The disclosure of BCA’s risk management principles and risk exposure, including capital, refers to OJK Circular No.09/

SEOJK.03/2020 dated 30 June 2020 regarding Transparency and Publication of Reporting for Conventional Commercial Bank Reports.

I. BCA’s Application of Risk Management

Guidelines for implementing BCA risk management policies are based on POJK No.18/POJK.03/2016 dated 16 March 2016 on the Implementation of Risk Management for Commercial Banks, as follows:

I.A. Active Supervision by the Board of Commissioners and the Board of Directors

1. In carrying out its risk management function, the Board of Commissioners has defined duties and responsibilities as follows:

• Approving risk management policies including risk management strategy and frameworks, implemented in accordance with BCA’s risk appetite and risk tolerance;

• Ensuring the effective implementation and integration of the overall risk management policies and processes;

• Evaluating the following:

- Risk management policies and strategies at least once a year, or on more frequent occasion if there are significant changes in factors affecting BCA’s business activities

- The responsibility of the Board of Directors to ensure the effective management of BCA’s activities and risks and to ensure the provision of guidance by the Board of Directors on improving the implementation of risk management policies on regular basis.

- Requests from the Board of Directors related to transactions requiring the approval of Commissioners and making decisions on such requests.

2. In carrying out the risk management function, the Board of Directors has defined its duties and responsibilities as follows:

• Establishing comprehensive and fully documented risk management policy, strategy and framework, including overall or by-type risk limits, taking into account the Bank’s risk appetite and risk tolerance according to the condition of BCA and the impact of risk on capital adequacy. After obtaining approval from the Board of Commissioners, the Board of Directors sets the policy, strategy and risk management framework;

• Organizing, assigning and updating the following:

- Procedures and tools for identifying, measuring, monitoring and controlling risks;

- Transaction approval mechanisms, including those that exceed limits and authority for each level or position;

• Evaluating and/or updating the policies, strategies and risk management framework at least once a year, or more frequently if there are any significant changes in factors affecting the Bank’s business activities, risk exposure, and/or risk profile;

• Establishing an organizational structure, including clear authority and responsibility at each level or position related to the implementation of risk management;

• Implementing risk management policies, strategies and frameworks approved by the Board of Commissioners and evaluating and providing guidance based on reports,

• Ensuring the following:

- All material risks and impacts from such risks have been followed up and have been submitted regularly to the Board of Commissioners, including reports on progress and issues related to material risks and corrective actions that have been, are being and will be carried out;

- Implementation of corrective actions towards problems or irregularities in BCA’s business activities identified by the Internal Audit Division;

- Adequacy of human resource support and of resources to manage and control risk;

- Independent implementation of risk management functions, which is reflected amongst others, in the separation of functions of the risk management unit, which identifies, measures, monitors and controls risks and work units that conduct and complete the transactions, measurement, monitoring and risk control and the work units that conduct and complete transactions;

• Developing a risk management culture, including risk awareness across all levels of the organization. This includes adequate communication to all levels of the organization regarding the importance of effective internal control;

• Evaluating and deciding on transactions that require the approval of the Board of Directors;

• Conducting periodic reviews to ensure the following:

- Accuracy of the risk assessment methodology;

- Adequacy of implementation of the risk management information system;

- Accuracy of risk management policies and procedures and risk limits;

• Declaring when BCA is in an emergency condition and, if necessary, requesting the opinion of the Risk Management Committee (KMR), the Assets and Liabilities Committee (ALCO) and/or other related committees.

Under emergency conditions, control of authorities is under the direct coordination of the Board of Directors.

3. The active supervision of the Board of Commissioners and the Board of Directors (management) includes the following mechanisms:

• Supervision by the Board of Commissioners is conducted in accordance with their duties and responsibilities as stipulated in the articles of association and relevant regulations.

• The Audit Committee, the Risk Oversight Committee, the Remuneration and Nomination Committee, and the Integrated Corporate Governance Committee assist in the supervisory duties of the Board of Commissioners.

• The Board of Commissioners maintains constructive communication with the Board of Directors.

• The Board of Commissioners actively provides recommendations to the Board of Directors in determining strategic actions that they believe should be implemented.

• The supervisory duties of the Board of Directors are assisted by the Asset Liabilities (ALCO), Credit Policy, Credit, Risk Management, Information Technology Steering, Employment Case Consideration, and Integrated Risk Management Committees.

• The Board of Directors actively engages in discussion, provides input and monitors internal conditions and the development of external factors that directly or indirectly affect the Bank’s business strategy.

I.B. Adequacy of Risk Management Policies and Procedures and Determination of Risk Limits

1. BCA has an adequate organisational structure to support the implementation of sound risk management and internal control that consists of the internal audit division, including the DAI, SKMR, SKK, Risk Management and Integrated Risk Management Committees.

2. BCA’s risk management policy, as detailed in its plan and the annual budget and work plan, is in line with the Bank’s vision, mission, business strategy, capital adequacy, human resources competencies, and risk appetite. This policy is reviewed regularly and adjusted in line with both internal and external developments.

3. Policies, procedures and determination of risk management limits have been fully documented in writing and are regularly reviewed and updated.

4. In conducting its business activities, BCA has developed a bank business plan and an annual budget and work plan that addresses the Bank’s overall strategy, including business development direction. BCA’s strategy takes into account its

impact on its capital, projected capital and the minimum capital requirement (KPMM).

I.C. Adequacy of the Risk Identification, Measurement, Monitoring and Mitigation Processes and Risk Management Information System

1. BCA has identified, measured, monitored and controlled risk as part of the process of implementing risk management.

Risk exposure is monitored regularly by Risk Management Work Unit by comparing the actual risk with the set risk limits.

2. Reports on risk trends, including the BCA risk profile report, integrated risk profile, and credit portfolio reports, and business plan progress are reported to the Board of Directors regularly, accurately and in a timely manner.

I.D. Comprehensive Internal Control System

BCA internal control consists of 5 main components in line with the Internal Control Integrated Framework developed by The Committee of Sponsoring Organization of the Treadway Commission (COSO), including:

1. Management supervision and risk control culture;

2. Risk identification and assessment;

3. Control activities and segregation of duties;

4. Accounting, information and communication systems;

5. Monitoring and corrective actions against deficiencies.

BCA applies three lines of defenses in the internal control system and risk management, involving all parts of the organisation, with oversight by the Board of Commissioners and the Board of Directors.

To support the implementation of the internal control system, BCA has a fully documented risk management policy (organisational structure, segregation of duties, risk limits, and others). BCA strongly encourages a risk culture and a culture of compliance with regard to the applicable regulations that are conducted and monitored by the Risk Management Unit and Compliance Unit, which together form the second line of risk management defence.

The assessment and evaluation of the adequacy and effectiveness of the internal control system is periodically reviewed by the Internal Audit Division, which is the third line of risk management defence, to ensure that internal control has been implemented adequately. All management and employees of BCA have the role and responsibility to implement, adhere to and enhance the quality, reliability and effectiveness of the Bank’s internal control.

Risk Management and Internal Control Organizational Structure

Business Continuity & Crisis

Management Risk

Management¹ Compliance¹

Credit Risk Management Enterprise Risk

Management Market Risk

Management

Operational Risk Management

monitoring lines

Credit Recovery Credit

Analysis Legal

monitoring lines reporting lines

coordination lines Anti

Fraud

Internal Audit¹

Note:

1. Oversee internal audit/risk management/

compliance function of subsidiaries in association with integrated corporate governance and integrated risk management application.

2. Deputy President Director oversees and coordinates management of subsidiaries.

3. Compliance, Legal & Risk Management Director oversees subsidiaries risks as part of integrated risk management.

GENERAL MEETING OF