EFFECTIVENESS OF BANK RISK MANAGEMENT SYSTEMS

III. H. Disclosure Of Compliance Risk Exposure And Implementation Of Compliance Risk Management

10. Socialization, coordination, and communication with the subsidiaries

The Integrated Risk Management Committee has the primary function of providing recommendations to the Board of Directors that consist of the followings:

• The compilation of Integrated Risk Management policies;

• The improvement of said policies based on the evaluation results of implementation of the Integrated Risk Management.

In 2017, the Integrated Risk Management Committee conducted regular meetings to discuss the following:

• Integrated Risk Management Information System;

• Risk Appetite and Risk Tolerance of FC BCA;

• Information regarding the review of new and strategic lines of business;

• Integrated Business Continuity Plan (BCP);

• Integrated stress test;

• Integrated Risk Profile Report;

• Integrated risk limits;

• Any other issues that need to be approved by the Integrated Risk Management Committee.

FC BCA manages 10 types of integrated risks as identified by the regulators. These risks include the eight types of risks that were previously managed within the Bank’s risk management process with the addition of inter-group transaction risk and insurance risk.

Inter-Group Transaction Risk

FC BCA conducts inter-group transactions in accordance with the principles of fairness and on an arms-length basis in adherence with prevailing regulations. All inter-group transactions are documented appropriately.

Inter-group transactions currently do not have a material impact on the overall financial performance of the Group.

Insurance Risk

FC BCA also manages Insurance Risk through the Bank’s subsidiaries active in the insurance industry.

The Insurance Risk of FC BCA is considered to exhibit

“low” inherent risk with “satisfactory” risk management

implementation based on current regulatory guidelines.

Based on integrated risk assessment, FC BCA’s capital is considered sufficient to anticipate potential losses that may arise or be faced by FC BCA in conducting the integrated businesses.

The Bank’s subsidiaries that are included in the implementation of the integrated risk management are: BCA Finance, BCA Finance Limited, BCA Syariah, BCA Sekuritas, BCA Insurance, Central Santosa Finance, BCA Life and Central Capital Ventura.

Summary of the implementation of risk management within each subsidiary, as follows:

PT BCA FINANCE

Active supervision by the board of Commissioners and the board of directors

Active supervision is conducted by the Board of Commissioners and the Board of Directors through the establishment of the following:

• Audit Committee at the level of the Board of Commissioners; and

• Risk Management Committee and Asset Liability Committee (ALCO) at the level of the Board of Directors, and through the Regular Meeting Management and Consumer

Meeting.

Adequacy of policies and procedures, and determination of limits

• Basic Risk Management Policy;

• Risk management policy and implementation guidelines for various risks as described in Decision Letters;

• Policies and procedures, and determination of limits are adequate and regularly reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

• Risk management processes are conducted and outlined in risk profile reports submitted every semester;

• Risk management processes are reflected in, among others, risk profile reports, monitoring reports and regular limit reviews;

• Risk management of information technology systems are used to identify and detect blacklisted customers, mitigate fraud through Know Your Customer reports for the branches and headquarters, reporting on risk events at the branches or headquarters through Operation Risk Event Management (OREM) detection of fraud parameters, risk self assessment, risk mapping through RCSA, credit scoring, behavior score (B-score) and others.

• System integration will be realized through the work plan to redevelop RMIS.

Comprehensive internal control systems

Internal Audit Division has the function of evaluating the effectiveness and efficiency of work processes and their suitability to the needs of the business. Evaluations are conducted by way of active and passive inspection throughout all work units.

BCA FINANCE LIMITED

Active supervision by the board of Commissioners and the board of directors

Active supervision by the Board of Directors is conducted through discussions on business and operational activities between the Board of Directors and management staff through regular reports.

Adequacy of policies and procedures, and determination of limits

• Basic Risk Management Policy and Guidelines;

• Risk management policy is defined in job procedures and guidelines;

• Policies and procedures, and determination of limits are adequate and regularly reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

• Risk management processes are conducted and outlined in risk profile reports on a quarterly basis;

• Risk management processes are reflected in, among others, the monitoring of limits and regular limit reviews.

Comprehensive internal control systems

Internal control is conducted by the Risk Management, Compliance and Internal Audit division.

Active supervision by the board of Commissioners and the board of directors

Active supervision by the Board of Commissioners and the Board of Directors is conducted through the establishment of the following:

• Risk Oversight Committee, Audit Committee and Remuneration and Nomination Committee at the level of the Board of Commissioners; and

• Risk Management Committee, Financing Policy Committee, Information Technology Committee, and Asset Liability Committee (ALCO) at the level of the Board of Directors.

Adequacy of policies and procedures, and determination of limits

• Basic Risk Management Policy;

• Risk management policy for various risks as defined in Job Procedures and Guidelines;

• Financing Policy related to credit risk;

• Policies and procedures, and determination of limits are adequate and regularly reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

• Risk management processes are conducted and outlined in risk profile reports on a quarterly basis;

• Risk management processes are reflected in, among others, the monitoring of limits and regular limit reviews.

Comprehensive internal control systems

The effectiveness of internal control is tested by the Internal Audit Work Unit.

PT BCA SEKURITAS

Active supervision by the board of Commissioners and the board of directors

Active supervision by the Board of Commissioners and the Board of Directors is conducted through the following activities:

• Regular meetings of the Board of Commissioners and the Board of Directors;

• Establishment of organizations with reference to Bapepam-LK/OJK regulation comprising:

− Marketing Functions;

− Risk Management Functions;

− Bookkeeping Functions;

− Custodian Functions;

− Information Technology Functions; and

− Compliance Function;

as well as Research Functions outside of the six functions listed above.

• Establishment of the Internal Audit Function in accordance with OJK Regulation 57/POJK.04/2017 of September 26, 2017 on Implementation of Corporate Governance

for Securities Firms Acting as Underwriters and Brokers;

• The Board of Commissioners gives approval regarding credit facilities accepted by BCA Sekuritas from third parties.

• The Board of Commissioners ensures matters on Money Laundering and Terrorism Financing are discussed at Board of the Directors and the Board of Commissioners meetings;

• The Board of Directors makes decisions regarding internal policy;

• The Board of Directors signs all reports in accordance with Capital Market regulations.

Adequacy of policies and procedures, and determination of limits

• Policy and Procedures that are in line with Capital Market regulations and are used as basis for developing guidelines for BCA Sekuritas’ business activities;

• Basic Risk Management Policy;

• Policies and procedures, and determination of limits are adequate and regularly reviewed;

• Policies derived from basic risk management policy.

Identification, measurement, monitoring and mitigation processes and risk management Information system

• Risk management processes are reflected in regular monitoring of the haircut effects, customer limits, and customer daily transactions, all of which are reported regularly;

• Risk management processes are conducted and recorded in risk profile reports every semester.

Comprehensive internal control

systems • Internal control of all business activities is conducted by Internal Audit Work Unit in accordance with Capital Market regulations;

PT ASURANSI UMUM BCA Active supervision by the board of Commissioners and the board of directors

Active supervision is conducted by the Board of Commissioners and the Board of Directors through the establishment of the following committees:

• Audit Committee and Risk Oversight Committee at the level of the Board of Commissioners;

and

• Investment Committee, Insurance Closure Acceptance Committee and Insurance Claim Finalization Committee at the level of the Board of Directors.

Adequacy of policies and procedures, and determination of limits

• Various policies, including the following:

- Guidelines of the implementation of risk management;

- Authority for Claim Approval, Acceptance and Insurance Policy/Cover Note Signing;

- Underwriting Guidelines;

- IT Operation Guidelines;

- Manual Disaster Recovery Plan (DRP);

- Reinsurance policy guidelines;

- Corporate Investment Policy;

- Operations Cost Approval Authority, Fixed Asset Purchasing, Office/Building Renovations;

- Implementation Guidelines for APU and PPT;

• Policies and procedures, and determination of limits are adequate and regularly reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

• Risk management processes are conducted and recorded in risk profile reports;

• Risk management processes are reflected in, among others, risk profile reports, monitoring reports and regular limit reviews.

Comprehensive internal control

systems Internal supervision is conducted by the Internal Audit Work Unit which assists management in monitoring the effectiveness of the implementation of all policies/procedures established.

PT CENTRAL SANTOSA FINANCE Active supervision by the board of Commissioners and the board of directors

Active supervision by the Board of Commissioners and the Board of Directors is conducted in the following forms:

• Routine meetings of the Board of Commissioners and the Board of Directors;

• The Board of Directors acknowledges and signs all reports for the authorities;

• The Board of Commissioners has established the Risk Oversight Committee, which is attached to the Audit Committee.

Adequacy of policies and procedures, and determination of limits

• Basic Risk Management Policy;

• Policies and procedures, and determination limits are adequate and regularly reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

• Risk management processes are conducted and outlined in annual and semester risk profile reports;

• Improvement on the Information system to ensure the readiness of accurate data within a short time as required by management.

Comprehensive internal control

systems Internal supervision is conducted by the Internal Audit Work Unit.

Active supervision by the board of Commissioners and the board of directors

Active supervision is conducted by the Board of Commissioners and the Board of Directors through the establishment of the following:

• Risk Oversight Committee and Audit Committee at the level of the Board of Commissioners;

and

• Product Development Committee, Investment Committee and Risk Management Committee at the level of the Board of Directors.

Adequacy of policies and procedures, and determination of limits

• Basic Risk Management Policy and its Implementation Guidelines for each type of risks, as defined in the job procedures and guidelines;

• Policies and procedures, and determination of limits are adequate and regularly reviewed.

Identification, measurement, monitoring and mitigation processes and risk management Information system

• Risk management processes are conducted and outlined in risk profile reports.;

• Risk management processes are reflected in, among others, risk profile reports, monitoring reports and regular limit reviews.

Comprehensive internal control

systems Internal Audit Division has been established which reviews the effectiveness and efficiency of each operational procedure independently and periodically according to the scope of each work unit

PT CENTRAL CAPITAL VENTURA Active supervision by the board of Commissioners and the board of directors

Active supervision is conducted by the Board of Commissioners and the Board of Directors through the establishment of the following:

• Regular meetings of the Board of Commissioners and the Board of Directors (minimum once in three months, based on OJK regulation No. 36/POJK.05/2015);

• Establishment of organization structure based on OJK regulation No. 34/POJK.05/2015;

• The Board of Commissioners approval on the Board of Directors’ request on the capital injection to PPU

• The Board of Directors approval on internal policies.

• Regular meeting of Board of Directors, a minimum of once a month, based on OJK Regulation No. 36/POJK.05/2015

• The Board of Directors authorization and responsibilities of all reports including risk profile reports to the regulator.

Adequacy of policies and procedures, and determination of limits

• Policies and procedures are in compliance with prevailing regulations and are outlined in BCA’s guidelines and procedures and guidelines for the sustainability business;

• Policies and procedures, and determination of limits are adequate and regularly reviewed Identification, measurement,

monitoring and mitigation processes and risk management Information system

• Risk management processes are conducted and outlined in risk profile reports each semester;

• Risk management processes are reflected in, among others, risk profile reports, monitoring reports and regular limit reviews.

Comprehensive internal control

systems • Have policies, procedures and determination of limits related to corporate investment.

• Internal control process has been carried out in the implementation of operational activities.

Table B.1.a.1. Disclosure of Net Receivables by Region - Bank Only

(in million Rupiah)

No. Portfolio Category

Period of December 31, 2017 Net Receivables by Region

Sumatera Jawa Kalimantan Eastern

Indonesia Total

(1) (2) (3) (4) (5) (6) (7)

1 Receivables on sovereigns - 163,927,574 - - 163,927,574

2 Receivables on public sector entities 6,633 24,265,866 - - 24,272,499

3 Receivables on multilateral development banks and international institutions

- - - - -

4 Receivables on banks 44,616 50,469,846 15,766 29,996 50,560,224

5 Loans secured by residential property 1,914,945 33,892,558 760,127 1,930,569 38,498,199

6 Loans secured by commercial real estate 615,414 13,665,656 178,859 694,818 15,154,747

7 Employee/retired loans - - - - -

8 Receivables on micro, small business & retail portfolio

2,824,832 59,780,953 722,599 1,473,715 64,802,099

9 Receivables on corporate 21,019,287 342,167,220 5,689,550 14,817,118 383,693,175

10 Past due receivables 160,244 1,104,972 71,692 40,458 1,377,366

11 Other assets 1,631,965 36,720,974 472,176 1,280,238 40,105,353

Total 28,217,936 725,995,619 7,910,769 20,266,912 782,391,236

(in million Rupiah)

No. Portfolio Category

Period of December 31, 2016 Net Receivables by Region

Sumatera Jawa Kalimantan Eastern

Indonesia Total

(1) (2) (3) (4) (5) (6) (7)

1 Receivables on sovereigns - 155,265,610 - - 155,265,610

2 Receivables on public sector entities - 17,881,634 - - 17,881,634

3 Receivables on multilateral development banks and international institutions

- - - - -

4 Receivables on banks 18,404 40,780,054 5,100 26,809 40,830,367

5 Loans secured by residential property 1,554,551 29,344,240 597,691 1,532,675 33,029,157

6 Loans secured by commercial real estate 522,403 12,089,258 214,454 519,590 13,345,705

7 Employee/retired loans - - - - -

8 Receivables on micro, small business & retail portfolio

2,587,186 53,649,528 619,567 1,271,279 58,127,560

9 Receivables on corporate 19,906,666 309,398,588 4,829,105 13,972,538 348,106,897

10 Past due receivables 117,722 886,220 60,096 43,805 1,107,843