Risk Management Table

B. QUALITATIVE ASSESSMENT ON NSFR

38. Report On Asset Encumbrance - ENC - as of December 31, 2022

Bank Only Consolidated

a b c d a b c d

Encumbered Asset

Asset placed or pledged to Central Bank but yet to be used to create

liquidity

Unencumbered

asset Total Encumbered

Asset

Asset placed or pledged to Central Bank but yet to be used to create

liquidity

Unencumbered

asset Total

1 Level 1 HQLA

a. Cash and its equivalent - - 21,281,939 21,281,939 - - 21,359,439 21,359,439

b. Placement with Bank Indonesia:

- Current account - - 102,745,583 102,745,583 - - 104,110,295 104,110,295

- Fine Tune Operation - - 14,088,588 14,088,588 - - 14,131,079 14,131,079

- Deposit Facility - - 4,149,453 4,149,453 - - 4,550,752 4,550,752

c. Bank Indonesia Certificates - - - - - - - -

d. Bank Indonesia Syariah Certificates - - - - - - - -

e. Bank Indonesia Syariah Bond - - - - - - 1,450,229 1,450,229

f. Bank Indonesia Marketable Securities - - 92,801 92,801 - - 92,801 92,801

g. Reverse Repo counterparty BI - - 152,408,798 152,408,798 - - 153,934,357 153,934,357

h. Government Bonds (Rupiah) - 58,389,333 134,801,573 193,190,906 - 59,160,981 138,891,862 198,052,843

i. Government Bonds (Foreign currencies) - - 8,880,371 8,880,371 279,585 - 8,943,816 9,223,402

j. UST - Bond - - 430,747 430,747 - - 430,747 430,747

2 HQLA Level 2A - - 4,596,643 4,596,643 - - 5,523,420 5,523,420

3 HQLA Level 2B - - 6,745,505 6,745,505 - - 7,811,952 7,811,952

TOTAL HQLA - 58,389,333 450,222,000 508,611,334 279,585 59,160,981 461,230,749 520,671,315

40.a. Quantitative Disclosure of Operational Risk - Bank Only

(in million Rupiah)

No. Indicator Approach

As of December 31, 2022 Average Gross Income in the past

3 years Capital Charge RWA

(1) (2) (2) (3) (4)

1 Basic Indicator Approach 69,836,976 10,475,546 130,944,329

Total 69,836,976 10,475,546 130,944,329

40.b. Quantitative Disclosure of Operational Risk - Consolidated

(in million Rupiah)

No. Indicator Approach

As of December 31, 2022 Average Gross Income in the past

3 years Capital Charge RWA

(1) (2) (2) (3) (4)

1 Basic Indicator Approach 73,106,949 10,966,042 137,075,529

Encumbered Asset

Asset placed or pledged to Central Bank but yet to be used to create

liquidity

Unencumbered

asset Total Encumbered

Asset

Asset placed or pledged to Central Bank but yet to be used to create

liquidity

Unencumbered

asset Total

1 Level 1 HQLA

a. Cash and its equivalent - - 21,281,939 21,281,939 - - 21,359,439 21,359,439

b. Placement with Bank Indonesia:

- Current account - - 102,745,583 102,745,583 - - 104,110,295 104,110,295

- Fine Tune Operation - - 14,088,588 14,088,588 - - 14,131,079 14,131,079

- Deposit Facility - - 4,149,453 4,149,453 - - 4,550,752 4,550,752

c. Bank Indonesia Certificates - - - - - - - -

d. Bank Indonesia Syariah Certificates - - - - - - - -

e. Bank Indonesia Syariah Bond - - - - - - 1,450,229 1,450,229

f. Bank Indonesia Marketable Securities - - 92,801 92,801 - - 92,801 92,801

g. Reverse Repo counterparty BI - - 152,408,798 152,408,798 - - 153,934,357 153,934,357

h. Government Bonds (Rupiah) - 58,389,333 134,801,573 193,190,906 - 59,160,981 138,891,862 198,052,843

i. Government Bonds (Foreign currencies) - - 8,880,371 8,880,371 279,585 - 8,943,816 9,223,402

j. UST - Bond - - 430,747 430,747 - - 430,747 430,747

2 HQLA Level 2A - - 4,596,643 4,596,643 - - 5,523,420 5,523,420

3 HQLA Level 2B - - 6,745,505 6,745,505 - - 7,811,952 7,811,952

TOTAL HQLA - 58,389,333 450,222,000 508,611,334 279,585 59,160,981 461,230,749 520,671,315

40.a. Quantitative Disclosure of Operational Risk - Bank Only

(in million Rupiah)

No. Indicator Approach

As of December 31, 2021 Average Gross Income in the past

3 years Capital Charge RWA

(1) (2) (2) (3) (4)

1 Basic Indicator Approach 63,618,528 9,542,779 119,284,741

Total 63,618,528 9,542,779 119,284,741

40.b. Quantitative Disclosure of Operational Risk - Consolidated

(in million Rupiah)

No. Indicator Approach

As of December 31, 2021 Average Gross Income in the past

3 years Capital Charge RWA

(1) (2) (2) (3) (4)

1 Basic Indicator Approach 67,284,999 10,092,750 126,159,374

Total 67,284,999 10,092,750 126,159,374

With the implementation of the RWA calculation for Operational Risk using a standard approach starting on January 2023 refering to SE OJK No. 6/SEOJK.03/2020 regarding the Calculation of Risk Weighted Assets for Operational Risk by using Commercial Banks Standard Approach (SE OJK ATMR), the Bank, therefore, presents the report on risk management implementation for operational risk as well as performs calculations with the standard approach that will be implemented in 2023.

INDIVIDUAL CONVENTIONAL COMMERCIAL BANK MINIMUM CAPITAL ADEQUACY REQUIREMENT (KPMM) AND RISK WEIGHTED ASSET (RWA) REPORT - ANNUAL

Form D1:Historical Loss Data Report

No. Business Indicator (BI) and

component BI T T-1 T-2 T-3 T-4 T-5 T-6 T-7 T-8 T-9 Average

10 Years Minimum limit of an operational loss event of

IDR300,000,000.00 (three hundred million Rupiahs) or more 

1. Total net operating loss after calculating the recovery value

(without exception)  - - - -

2. Total occurrence of operational risk loss - - - -

3. Total excluded operational risk loss - - - -

4. Total occurrence of excluded operational risk loss  - - - -

5. Total net operating loss after calculating the recovery value

and excluded operational risk losses - - - -

Minimum limit of an operational loss event of IDR1,500,000,000.00 (one billion Rupiahs) or more  6. Total net operating loss after calculating the recovery value

(without exception)  1,832 0.07 96,043 13,139 88 41,767 16,486 63,374 - - 29,091

7. Total occurrence of operational risk loss 1 - 3 5 1 4 2 1 - - 2

8. Total excluded operational risk loss - - - -

9. Total occurrence of excluded operational risk loss  - - - -

10. Total net operating loss after calculating the recovery value

and excluded operational risk losses 1,832 0.07 96,043 13,139 88 41,767 16,486 63,374 - - 29,091

Details of capital calculation for operational risks 11. Are losses used in calculating the Internal Loss Multiplier

(ILM)? (Yes/No)  No - - - -

12. If line 11 answer is 'No', is the internal loss data not use because of a discrepancy of the minimum standards for loss data? (Yes/No)

Yes - - - -

13. Threshold used in calculating capital for operational risks (in

Rupiah full amount) - - - 1,500,000,000

14. Other information (if any) Optional - - - -

in 2023.

INDIVIDUAL CONVENTIONAL COMMERCIAL BANK MINIMUM CAPITAL ADEQUACY REQUIREMENT (KPMM) AND RISK WEIGHTED ASSET (RWA) REPORT - ANNUAL

Form D1:Historical Loss Data Report

No. Business Indicator (BI) and

component BI T T-1 T-2 T-3 T-4 T-5 T-6 T-7 T-8 T-9 Average

10 Years Minimum limit of an operational loss event of

IDR300,000,000.00 (three hundred million Rupiahs) or more 

1. Total net operating loss after calculating the recovery value

(without exception)  - - - -

2. Total occurrence of operational risk loss - - - -

3. Total excluded operational risk loss - - - -

4. Total occurrence of excluded operational risk loss  - - - -

5. Total net operating loss after calculating the recovery value

and excluded operational risk losses - - - -

Minimum limit of an operational loss event of IDR1,500,000,000.00 (one billion Rupiahs) or more  6. Total net operating loss after calculating the recovery value

(without exception)  1,832 0.07 96,043 13,139 88 41,767 16,486 63,374 - - 29,091

7. Total occurrence of operational risk loss 1 - 3 5 1 4 2 1 - - 2

8. Total excluded operational risk loss - - - -

9. Total occurrence of excluded operational risk loss  - - - -

10. Total net operating loss after calculating the recovery value

and excluded operational risk losses 1,832 0.07 96,043 13,139 88 41,767 16,486 63,374 - - 29,091

Details of capital calculation for operational risks 11. Are losses used in calculating the Internal Loss Multiplier

(ILM)? (Yes/No)  No - - - -

12. If line 11 answer is 'No', is the internal loss data not use because of a discrepancy of the minimum standards for loss data? (Yes/No)

Yes - - - -

13. Threshold used in calculating capital for operational risks (in

Rupiah full amount) - - - 1,500,000,000

14. Other information (if any) Optional - - - -

INDIVIDUAL CONVENTIONAL COMMERCIAL BANK MINIMUM CAPITAL ADEQUACY REQUIREMENT (KPMM) AND RISK WEIGHTED ASSET (RWA) REPORT - ANNUAL

Form D3: Business Indicator Detailed Report No. Business Indicator (BI) and

component BI T T-1 T-2

1. Interest, Rent and Dividend

Components 27,442,124 - -

1a. Interest Income 68,103,869 62,039,167 62,022,745

1b. Interest Expense 6,212,171 7,832,564 9,639,600

1c. Earning Assets 1,256,127,958 1,178,464,483 1,023,393,292

1d. Dividend Income 1,702,184 2,045,885 773,624

2. Services Components 14,930,173 - -

2a. Fees and Commission Income 16,522,759 14,568,393 13,089,977

2b. Fees and Commission Expenses 350,702 313,103 284,834

2c. Other Operating Income 111,112 50,113 21,134

2d. Other Operating Expenses 237,009 227,472 144,911

3. Financial Components 3,068,073 - -

3a. Net Profit Loss Trading Book 1,004,971 1,883,343 126,561

3b. Net Profit Loss Banking Book 1,993,617 482,277 3,713,450

4. Business Indicator (BI) 45,440,370 - -

5. Business Indicator Components (BIC) 6,366,055 - -

Business Indicator Disclosure

6a. Total BI including divested activities 45,440,370 - -

6b. BI reduction due to the exclusion of

divested activities - - -

7. Additional information Optional - -

CONSOLIDATED CONVENTIONAL COMMERCIAL BANK MINIMUM CAPITAL ADEQUACY REQUIREMENT (KPMM) AND RISK WEIGHTED ASSET (RWA) REPORT - ANNUAL

Form D5: RWA Calculation Report for Operational Risk using Standard Approach

No. Details T

1. Business Indicator Components (BIC) 6,366,055

2. Internal Loss Multiplier Factor (ILM) 0,6

3. Operational Risk Minimum Capital (ROC) 3,866,017

4. RWA for Operational Risks 48,325,210

reviewed periodically to comply with applicable regulatory provisions, the directions of the Basel Accord, prudential banking principle, and other international best practices. Here are some of the policies that the bank has in place:

• Basic Risk Management Policy.

• Operational Risk Management Policy.

• Basic Information Technology Usage Risk Management Policy.

• Information Security Policy.

• Product/Activity Publishing Policy and Provision of Supporting Information Technology Systems.

• Evaluation on Increased Risk Exposure of Bank Product Development Policy.

• Business Continuity Plan Policy.

The development of policies related to risk management, including strategy, risk management framework, and risk limits as a whole, is included under the authority and responsibility of the Board of Directors. The policy is compiled with consideration to risk appetite and risk tolerance according to the Bank's needs/conditions and taking into account the impact of risk on capital adequacy. The determination of policies, strategies, and risk management framework by the Board of Directors is done after obtaining approval from the Board of Commissioners.

These policies, provisions, and procedures/manuals are documented and complied into a digital work guide (PAKAR) that can be accessed by all employees (using their USER ID). The Bank conducts regular reviews and assessments of the adequacy of controls on policies, provisions, procedures/manual operation to ensure that operational risks have been properly mitigated.

2 Explanation of the structure and organization of management and control functions related to Operational Risk.

In managing operational risk, the Bank refers to the 3 lines of defense principle with the following organizational tools:

Organizational Tools Authority/Responsibility

Board of Commissioners and

Directors Ensuring that the application of risk management is adequate in accordance with the Bank's characteristics, complexity, and risk profile, as well as a good understanding of the type and level of risk attached to the Bank's business activities.

Risk Management Committee Ensuring that the risk management framework provides adequate protection against the risks faced by the Bank, among others by compiling policies, strategies, and guidelines for risk management.

Risk Oversight Committee Assisting the Board of Commissioners in ensuring that the risk management framework has provided adequate protection against all risks facing the Financial Conglomerate. The Risk Oversight Committee is also in charge of monitoring and evaluating the implementation of the duties of the Risk Management Committee and the Risk Management Work Unit.

Risk Management Work Unit

(SKMR) Ensuring the Bank properly mitigates risk through identification, measurement, monitoring, control, and reporting in accordance with the risk management framework and is able to face emergency situations that threaten the continuity of the Bank's business.

Enterprise Security Work Unit Protecting and securing the Bank's information assets, as well as ensuring that the Bank's information security governance is implemented according to policy.

Internal Audit Division Inspecting and evaluating the adequacy and effectiveness of the risk management process, internal control, and Bank governance.

Anti Fraud Bureau Strengthening the Bank's internal control system through anti-fraud strategies.

Operation Strategy &

Development Group Reviewing and compiling operational policies and procedures as well as services by considering business and operational needs, compliance with regulators and other related institutions, risk management and control, and communicating them to branches and work units in order that they are understood easily and implemented effectively and efficiently.

Work Unit (business unit and

supporting unit) Risk owner who is responsible for day-to-day operational risk management and reports problems and operational risk incidents to SKMR.

3 Explanation of the measurement system for Operational Risk (covering the system and data used to calculate Operational Risk in order to estimate the capital burden for Operational Risk).

Operational risk measurement aims to obtain an overview of the Bank's operational risk profile in order to prioritise mitigation actions in relation to existing risks. Operational risk is measured by gauging the magnitude of the impact and the level of risk occurrence, as well as the level of control strength applied to the Bank's business processes and operational activities. The operational risk measurement system is evaluated periodically or when necessary to ensure the appropriateness of assumptions, accuracy, reasonableness, and data integrity, as well as the procedures used to measure operational risk.

In calculating the capital burden for operational risk, as of January 2023, the Bank refers to SE OJK No. 6/SEOJK.03/2020 regarding the Calculation of Weighted Assets According to Risk for Operational Risk by Using the Standard Approach for Commercial Banks (SE OJK RWA). In order for the Bank to be able to estimate the capital burden that suits the operational loss exposure experienced by the Bank, the collection of quality operational risk incident data is crucial. Therefore, it owns procedures and processes for the identification, collection, and treatment of operational risk loss data as outlined in the provisions and manual of the Operational Risk Management Information System (ORMIS) - Loss Event Database (LED).

Risk Management Implementation Report for Operational Risk - Individual

In addition, to assist operational risk management in work units, the Bank has a supporting infrastructure in the form of ORMIS, which can support three activities, namely:

• Risk and Control Self Assessment (RCSA)

RCSA is a means for work units to perform the operational risk identification process attached to their work units, carry out risk measurement based on the impact and likelihood of occurrence, determine the controls that should be set in order to mitigate the risk, then develop an action plan to follow up when there is a residual risk of a significant value. RCSA is performed yearly.

• Loss Event Database (LED)

LED is used to record and analyze operational events that cause losses for the Bank. With the presence of LED, the Bank can take corrective and preventive actions. LED is also a tool used by the Bank as an operational loss database to calculate the simulation of capital burden from operational risk losses using the Standard Approach method. In order to obtain quality data, in the recording of operational losses on applications by a work unit, there is a dual control mechanism with the roles of data entry and approver. The Bank has internal regulations governing the input of loss data in order to meet the qualitative requirements set by SE OJK RWA.

• Key Risk Indicator (KRI)

KRI aims to provide an indicator / early warning sign of the possible occurrence of or increase in operational risk in a work unit, in the form of an e-mail notification to the authorized officer. Based on the notification, the authorities are expected to immediately carry out the necessary actions to minimize the risk that may occur.

4 Explanation of the scope of the report framework for Operational Risk for the Bank's executive officers and directors.

In terms of the Board of Commissioners and Directors active supervision on operational risk, reporting is presented as follows:

1. Routine (periodic) reports:

• Financial Conglomerate Operational Risk Exposure Report.

• Integrated Operational Risk Profile Report.

• Integrated Operational Risk Management Implementation Report.

2. Incidental reports:

Reports on the results of analysis of operational incidents and incidental policy changes, systems and procedures. This report can be in the form of an analysis report on the Bank's operational procedures and systems in relation to internal or external operational incidents of the Bank that have significant operational losses.

5 Explanation of risk mitigation and risk transfer used in the management of Operational Risk. This covers mitigation by issuing policies (such as policies for risk culture, acceptable risk, and outsourcing), by divesting high-risk businesses, and by establishing a control function. Remaining exposure can be absorbed by the Bank or risk transfered. For example, the impact of operational losses can be mitigated with insurance.

The principles of risk management, including for operational risk, cover the following 4 pillars:

1. Active Supervision of the Board of Commissioners and Directors.

2. Adequacy of the Risk Management Policies and Procedures and Risk Limits.

3. Adequacy of the Risk Identification, Measurement, Monitoring, and Handling Process, as well as Risk Management Information System.

4. Comprehensive Internal Control System

The Bank compiles policies, internal regulations, systems and procedures related to operational risk management as a foundation for implementing operational risk management, as well as in the context of mitigating risks, both expected and unexpected. In formulating policies, the Bank pays attention to risk management strategies, risk appetite and risk tolerance, existing policies and procedures, as well as risk limits. The Bank internalizes the implementation of operational risk management to all business lines and supporters to ensure the adequacy of operational procedures and controls. The Bank nurtures a culture of awareness on the importance of operational risk management on an ongoing basis, through education for each level of department as well as the Risk Awareness Program.

In general, the scope of operational risk management policies based on the emergent causes of operational risk are as follows:

Risk Cause Operational Risk Management Policy Coverage

Internal Process Complexity 1. Controls to prevent the occurrence of operational risks either for all internal processes or those directly related to customers.

2. Transaction settlement procedures from internal processes, such as to ensure the effectiveness of the transaction settlement process.

3. Accounting implementation procedures to ensure accurate accounting records, including the appropriateness of accounting methods, accounting processes, and administration of supporting documents.

4. Asset storage and custodial procedures, including documentation, handling required for the physical security of assets, and regular checks on the condition of assets.

5. Implementation procedures for the products procurement and other activities performed by the Bank.

6. Fraud prevention and resolution procedures.

Human Resources Recruitment and placement according to the organization’s needs, competitive remuneration and incentive structures, training and development, periodic rotation, career planning and succession policies, handling issues of employment termination and unions, as well as separation of work functions.

External events IInsurance coverage, data/system back-up, work safety guarantees, physical security procedures, and cooperation agreements with third parties.

Operational risk of customer and prospective customer profiles

Banks perform Customer Due Diligence (CDD) or Enhanced Due Diligence (EDD) in accordance with operational risk exposure.

The Bank has a procedure that is a derivative of the operational risk management policy of general control and specific control.

When there are changes in the Bank's operational activities, the Operation Strategy & Development Group together with SKMR and related units review and evaluate to ensure that risks arising from those activities have been properly reduced.

In order to minimize the impact of disruption and damage from natural or human disasters that can affect the Bank's business operations, especially customer service, the Bank has in place Business Continuity Management (BCM). In order for BCM to run effectively, the Bank has created a Business Continuity Plan (BCP) to facilitate the Bank in preparing for disruptions and in the recovery process, which includes a crisis management plan, crisis communication, as well as routinely socializing BCP awareness and testing the BCP, including through cyber incidents simulations.

Moreover, the Bank also has formed a Disaster Recovery Center integrated with two Data Centers that operate in a mirroring manner, a Secondary Operations Center, a Multi-Operation Site, and a Command and Crisis Center.

In the process of developing new products/activities, the Bank has created a process to ensure that new products/activities have sufficient risk control or risk reduction so that they do not affect the Bank's risk profile significantly. The management of new products/activities implemented in the Bank covers several important aspects, such as:

• Every new product/activity development plan must be approved by Directors and reported to the Board of Commissioners as a form of supervision by the Board of Directors and Board of Commissioners.

• Every new product/activity development plan needs to identify risks that may arise and their impact on all risks so that sufficient risk reduction can be implemented.

• Each product/activity publication is carried out through several levels of study, such as the level of planning, development, testing, implementation, and evaluation.

• New products/activities that have been implemented will be evaluated to ensure that the products/activities meet targets and have adequate risk mitigation.

• There is an accounting information system for each new product and activity.

• information transparency to customers related to new products or activities that have been released.

Technology development and digitalization in banking presents the Bank with increasingly diverse challenges. With digital transformation, IT is used increasingly to support operational activities and the provision of services to customers. In addition, with the increasingly dynamic development of technology, the Bank has updated many systems to adopt new technology. This of course increases the risk for the Bank's operations so that the Bank needs to increase its maturity in the maintenance of IT and be able to deal with risks that may arise from the use of IT.

To maintain security in digital banking transactions, the Bank implements cyber risk management with reference to the Bank's strategy and the regulator's instructions. Security related to digital transactions performed by the Bank includes the use of 2 Factor Authentication (2FA), the use of OTP, restrictions with transaction limits, and transaction monitoring using a fraud detection system (FDS). To mitigate cyber risks, the Bank has procedures for handling information security incidents, an Information Security Incident Response Team (ISIRT), and a Security Monitoring Center (SMC) that operates 24 hours a day. In addition, the Bank also routinely conducts security awareness socialization to employees and management in the form of e-learning, videos, infographics, and e-mail phishing simulations. Educational efforts are also carried out with customers regularly, delivered through:

• BCA’s official website and social media accounts.

• Articles on the Bank's partner online media.

• Information at the branch through banners.

• Information provided when accessing the Bank's transaction channel.

Moreover, increases in service provision that prioritize personalization cause a high demand for customers' personal data. This is related to the development of open banking in the banking world. Provisions regulating data privacy at BCA include:

• Consumer Protection Provisions, which regulate the principles and matters to be observed related to consumer protection, including design, information provision, information delivery, and agreements drafting related to products and services.

• Data Loss Prevention Manual, which regulates the protection of sensitive data/information owned by BCA from the threat of theft/leakage.

To mitigate risks in the use of outsourced workforce, the Bank has provisions for Outsourcing Management that refer to regulatory provisions. Among the jobs that can be outsourced to service providers are supporting service activities or those not directly related to the bank's main activities. While for managing risks related to third parties, BCA has Provisions for the Procurement of Goods and/or Services, and applies the multi-vendor principle.