The disclosure of BCA’s risk management principles and risk exposure, including capital, refers to OJK Circular No.43/SEOJK.03/2016 dated 28 September 2016 regarding Transparency and Publication of Reporting for Conventional Commercial Bank Reports.

I. BCA’s Application of Risk Management

Guidelines for implementing BCA risk management policies are based on POJK No.18/POJK.03/2016 dated 16 March 2016 on the Implementation of Risk Management for Commercial Banks, as follows:

s /RGANIZINGASSIGNINGANDUPDATING - Procedures and tools for

identifying, measuring, monitoring and controlling risks

- Transaction approval mechanisms, including those that exceed limits and authority for each level of position

s %VALUATING ANDOR UPDATING the policies, strategies and risk management framework at least once a year, or at more frequent occasion as necessary, if there any significant changes in factors affecting BCA’s business activities, risk exposure, and/

or risk profile

s %STABLISH AN ORGANIZATIONAL STRUCTURE including clear authority and responsibility at each level of position related to the implementation of risk management

s 2ESPONSIBLEFORIMPLEMENTATIONOFRISK management policies, strategies and frameworks approved by the Board of Commissioners and evaluating and providing guidance based on reports SUBMITTED BY 2ISK -ANAGEMENT 5NIT including risk profile reports

s %NSURING

- All material risks and impacts from such risks have been followed up and have been submitted regularly to the Board of Commissioners, including reports on progresses and issues related of material risks-related with corrective actions that have been, are and will be carried out.

- Implementation of corrective actions towards problems or irregularities in BCA’s business activities identified by internal audit division.

- Adequacy of human resource support to manage and of resources to manage and control risk.

- Independent implementation of risk management functions, which is reflectedamong others,

between the risk management unit, which identifies, measures, monitors and controls risks with work units that conduct and complete the transactions, measurement, monitoring and risk control, from the work units that carry out and complete transactions

s $EVELOP A RISK MANAGEMENT CULTURE including risk awareness across all levels of the organization, including adequate communication to all levels of the organization regarding the importance of effective internal control

s %VALUATING AND DECIDING ON transactions that require the approval of the Board of Directors

s #ONDUCTINGPERIODICREVIEWSTOENSURE - Accuracy of the risk assessment

methodology

- Adequacy of implementation of risk management information system

- Accuracy s of risk management policies and procedures and risk limits

s $ECLARING WHEN "#! IS IN AN emergency condition and, if necessary, the Board of Directors can request the opinion of the risk management committee (KMR), the assets and liabilities committee (ALCO) or other related committee. underemergency conditions, control of authorities is under the direct coordination of the Board of Directors.

3. The active supervision of the Board of Commissioners and the Board of Directors (management) includes the following mechanism:

s 3UPERVISION BY THE "OARD OF Commissioners is conducted in accordance with their duties and responsibilities as stipulated in the articles of association and relevant regulations.

s 4HEAUDIT#OMMITTEETHERISKOVERSIGHT committee, the remuneration and

integrated corporate governance assist in the supervisory duties of the boar of commissioner

s 4HE"OARDOF#OMMISSIONERSMAINTAINS constructive communication with the Board of Directors.

s 4HE "OARD OF #OMMISSIONERS ACTIVELY provides recommendations to the Board of Directors in determining strategic actions that they believed should be implemented

s 4HE SUPERVISORY DUTIES OF THE "OARD of Directors are assisted by the assets liabilities (ALCO), credit policy, credit, risk management, information technology steering, employment case consideration, and integrated risk management committees.

s 4HE "OARD OF $IRECTORS ACTIVELY engages in discussion, provides input and monitors the internal conditions and the development of external factors that directly or indirectly affect BCA’s business strategy.

I.B. Adequacy of Risk Management Policies and Procedures and Determination of Risk Limits 1. BCA has an adequate organizational

structure to support the implementation of sound risk management and internal control that consists of the internal audit division, including DAI, SKMR, SKK, risk management and integrated risk management committees.

2. BCA’s risk management policy, as detailed in the BCA’s plan and the annual budget and work plan, is in line with the vision, mission, business strategy, capital adequacy, human resources competencies, and risk appetite of the bank. This policy is reviewed regularly and adjusted in line with both internal and external development

3. Policies, procedures and determination of risk management limits have been fully documented in writingand are regularly reviewed and updated.

4. In conducting its business activities, BCA has developed a bank business plan and annual budget and work plan that addresses BCA’s overall strategy its overall strategy, including the direction

of business development. BCA’s strategy takes into account its impact on its capital, projected capital and the minimum capital requirement (KPMM).

I.C. Adequacy of the Risk Identification, Measurement, Monitoring and Mitigation Processes and Risk Management Information System

1. BCA has identified, measured, monitored and controlled risk as part of the process of implementing risk management.

2. risk exposure is monitored regularly by SKMR by comparing the actual risk with the set risk limits.

3. Reports on risk trends, including BCA risk profile report, integrated risk profile, and credit portfolio reports, and business plan progress are reported to the Board of Directors regularly, accurately and in a timely manner.

I.D. Comprehensive Internal Control System

The implementation of BCA’s internal control system refers to Financial Services Authority (OJK) Circular Letter No.35/SEOJK.03/2017 dated 7 July 2017 on Guidelines for Internal Control System for Commercial Banks.

1. BCA’s internal control systems guideline consists of five components:

s -ANAGEMENT SUPERVISION AND RISK control culture

s 2ISKIDENTIlCATIONANDASSESSMENT s #ONTROL ACTIVITIES AND SEGREGATION OF

duties

s !CCOUNTING INFORMATION AND communication system

s -ONITORING AND CORRECTIVE ACTIONS against

2. BCA applies the concept of three lines of defense in the internal control system and risk management, involving all lines of the organization, with oversight by the Board of Commissioners and Board of Directors.

The application of the concept is as follows:

- The internal control are embedded in each business or operational unit and are considered the first line of defense for risk management. These units are charged with risk monitoring by their

internal control units at the branches, regional, offices and headquarters.

- To support the implementation of internal control system, BCA has fully documented risk management policy (organizational structure, segregation of duties, risk limits, and others). BCA strongly encourages a risk culture and culture of compliance with regard to the applicable regulations that are conducted and monitored by the Risk -ANAGEMENT 5NIT AND #OMPLIANCE 5NITWHICHTOGETHERFORMTHESECOND line of risk management defense

- The assessment and evaluation of the adequacy and effectiveness of the internal control system is periodically reviewed by Internal Audit Division which is the third line of risk management defense, to ensure that internal control has been implemented adequately.

3. All management and employees of BCA have the role and responsibility to implement, adhere to and enhance the quality of BCA’s internal control system to be reliable and affective

Risk Management and Internal Control Organizational Structure

Business Continuity & Crisis

Management

monitoring lines

Credit Recovery Credit

Analysis Legal Enterprise

Security Risk

Management¹ Compliance¹

Enterprise Risk Management

Credit Risk Management

Market Risk Management

Operational Risk Management

communication lines reporting lines

coordination lines Anti

Fraud

Internal Audit¹

Note:

1. Oversee internal audit/risk management/ compliance function of subsidiaries in association with integrated corporate governance and integrated risk management application.

2. Deputy President Director oversees and coordinates management of subsidiaries.

3. Compliance, Legal & Risk Management Director oversees subsidiaries risks as part of integrated risk management.