General provisions

The Organizational Risk Management Policy at Kapital Bank OJSC is guided by the Law on Banks of the Republic of Azerbaijan, Corporate Governance Standards for Banks, as well as the Regulation on Operational Risk Management in Banks of the Central Bank of the Republic of Azerbaijan, relevant documents of the Basel Committee, and other international standards and principles.

Purpose of the Risk Management Policy

This policy ensures the effective risk management within the strategic and business framework of the Bank and provides a holistic and comprehensive approach to risk management. The policy aligns with the Bank's approved risk limits, the Risk Appetite Statement, and the Bank's business strategy. All risks within the Bank are managed according to this Policy.

There are two main objectives of adopting the Risk Management Policy:

  1. Create an environment that encourages the risk identification and their effective and efficient management, while utilizing potential opportunities for development and innovation.
  2. Develop a risk culture that allows for effective management of uncertainties and challenges, covering all Bank operations.

By adopting and adhering to a forward-looking and methodical approach to risk management, the Bank protects itself from potential uncertainties, ensuring its long-term operations, stability, and prosperity.

Risk Identification

The Bank shall prepare a comprehensive list to identify risks at an organizational level and assess the significance of these risks in its operations. The key risks identified within the Bank shall include:

Credit risk – Credit risk arises from the failure of a borrower to fulfill their obligations to the bank in a timely or complete manner.

To manage credit risk, the Bank shall analyze its portfolio using specialized tools, including:

  • Risk exposure portfolio;
  • Expected loss (EL) and its components;
  • Vintage analysis;
  • Stress Test models;
  • Scenario analysis / "What-if?" analysis;
  • Transition matrices;
  • Analysis of the follow-up system;
  • Retrospective patterns and forecasts;
  • Special provisions are created for potential losses on assets (based on IFRS and CBAR standards).

Market risk – Market risk arises from changes in the market, such as fluctuations in interest rates, exchange rates, securities, and commodity prices.

  • Interest rate risk: risk arising from unfavorable changes in interest rates;
  • Currency risk: risk arising from unfavorable changes in foreign exchange rates;
  • Commodity risk: risk arising from unfavorable changes in commodity prices.


In order to manage market risks, the Bank shall take the following measures:

  • Investigating potential changes in the economy and the banking sector, and determining their possible impact on lending and asset-liability management;
  • Examining interest rate risk, changes in interest rates, and/or potential volatility interruptions;
  • Applying the economic value of equity approach;
  • Applying the net interest income approach;
  • Performing repricing gap analysis;
  • Investment risks: Examining changes in the value of stocks and bonds, yield curves, etc., and calculating the Risk Exposure Value of securities from market risk;
  • Considering the potential negative impacts of market risks on financial institutions;
  • Assessing the impact of changes in foreign exchange rates and commodity prices on the bank's assets;
  • Conducting stress tests;
  • Scenario analysis, etc.

Liquidity risk – The risk of loss to the Bank due to the inability to sell assets at the desired/expected price in the market due to insufficient demand. The Bank shall manage liquidity risk through the following ways:

  • Selection and application of methods and models for liquidity risk;
  • Analysis of risk indicators reflecting both internal and external causes of risk;
  • Stress testing for liquidity and analysis of shock events;
  • Identification of concentration in funding;
  • Calculation and analysis of indicators such as Quick Liquidity, Liquidity Coverage Ratio, Net Stable Funding Ratio, etc.;
  • Analysis of payment terms and liquidity gap;
  • Analysis of liquidity and payments by currency, etc.

Concentration risk – The risk arising from a high degree of concentration in the Bank's assets, liabilities, or operations within a specific borrower, sector, geographical region, or other similar factors.

Capital adequacy risk – The risk that the Bank may not have enough capital to maintain its financial stability over the long term.

Operational risk – The risk of loss resulting from inadequate or failed internal processes, employees, systems, or external events.

  • Employee risk: The risk arising from the violation of existing legal acts and internal regulations during the execution of banking operations by the Bank's employees, either intentionally or unintentionally, leading to errors and deficiencies;
  • Legal risk: The risk of loss arising from the violation of contractual terms by the Bank and/or its counterparties, legal mistakes in operations, deficiencies in the legal system, violations of regulatory acts by counterparties, and the risk resulting from counterparties operating in different jurisdictions;
  • Internal control error risk: The risk arising from deficiencies and violations in the internal control system, including the violation of internal rules related to the execution of operations and transactions;
  • Outsourcing risk: The risk arising from third parties (vendors, suppliers, intermediaries) that may affect the continuity and uninterrupted operation of the Bank's processes and activities;
  • Behavioral risk: The risk arising from the violation of the principles of integrity, completeness, and accuracy when the Bank fails to meet its obligations towards customers, or fails to apply fair conduct principles;
  • Payment system operational risk: The risk of failure to meet service requirements in payment infrastructure due to malfunctions, errors, or accidents in information and technological systems, deficiencies in the arrangement and implementation of technological and management processes, staff errors or illegal actions, or emergencies, as well as the mistakes or illegal actions of third parties.

Information security risk – The risk arising from deficiencies in information security processes, including the implementation of technological and other measures, flaws in the software of computerized systems and programs, and the mismatch of these processes with the Bank's operations, which may result in the occurrence of information security threats. The Bank shall take the following actions to manage information security:

  • Asset management;
  • Network connection monitoring;
  • Access control;
  • Establishing data handling procedures and applying encryption requirements;
  • Investigating incidents related to information security, etc.

Information systems risk – The risk of malfunction or disruption of the information systems used by the Bank, and/or their functional capabilities and features not meeting the Bank's requirements.

Cyber risk – The risk of the Bank facing material or immaterial losses due to external attacks, vulnerabilities, or breaches in relation to its information technology systems and data.

Compliance risk – The risk of facing enforcement actions, sanctions, financial losses, or reputational damage resulting from the Bank's failure to comply with the laws and regulations governing financial markets.

Reputational risk – The risk arising from the creation of a negative perception about the Bank by customers, counterparties, shareholders, investors, debt-holders, other relevant parties, or regulators. Such negative perceptions can adversely affect the Bank's ability to maintain existing, or establish new, business relationships and continued access to sources of funding and its liquidity.

Model risk – The risk arising from decisions based on incorrectly developed or applied models, or from the misuse of model outputs and reports. It also includes the uncertainty arising from the model itself or its failure to align with the reality it is trying to measure.

Strategic risk – The risk of loss resulting from the failure of strategic initiatives, including acquisitions, mergers, new products, markets, etc.

Country risk – The risk that the economic, social, and political conditions and events in foreign countries will affect the current or projected financial condition and resilience of the bank.

Data risk – The potential negative impact on decision-making processes, legal and regulatory obligations, reputation, and financial position due to the failure to ensure the accuracy, completeness, confidentiality, and timely availability of the data used in the Bank's operations.

Operational Risk Identification

To identify operational risks, the Bank shall use the following ways:

  • Risk and control self-assessment process (RCSA);
  • Incident management system;
  • Monitoring conducted by the second and third lines of defense;
  • Risk analysis of internal business processes and products;
  • Analysis during the creation of new or modification of existing products and services;
  • Results from internal and external audits;
  • Key risk and performance indicators;
  • Scenario analysis (both past and future-oriented scenarios, stress tests);
  • Analysis of customer complaints, administrative penalties imposed on employees, etc.

All identified risks within the Bank shall be recorded in the Risk and Control Matrix.

Risk Assessment

Risk assessment in the Bank shall be conducted on an annual basis. The assessed significant risks shall be approved by the Bank's senior management, the Supervisory Board.

Organizational risk assessment in the Bank shall be conducted through the following three approaches:

  • Regulatory approach – Direct assessment of risks in line with regulatory prudential standards and requirements.
  • Quantitative approach – Evaluation of the significance of risks based on quantitative criteria and calculations considering their impact and probability.
  • Expert approach – The final assessment by experts of non-financial risks, where quantitative assessment is not applied.

During stress testing, the Bank shall evaluate the impact of significant risks on its capital adequacy, financial and operational stability, and its potential to maintain its risk profile, operations, and development strategy. Stress tests shall be conducted at least on a biannual basis, and the results shall be submitted to Senior Management and relevant stakeholders.

Risk Governance

After a comprehensive assessment of risks and identification of various risks that may impact the Bank, it is essential to adopt risk governance strategies to ensure the safety and sustainability of the organizational environment. When governing its risks, the Bank shall consider the approved risk limits, risk tolerance, and risk appetite. The identified and assessed risks within the Bank shall be collected and monitored in the Bank's Risk and Control Matrix (RCM).

The Bank governs the risks in 4 ways:

  • Risk acceptance – This is a response to a risk when the potential impact of the identified risk is within organizational risk limits. Risk acceptance involves consciously deciding to tolerate the risk's effects or likelihood without taking specific actions to actively mitigate or manage the risk.
  • Risk mitigation – This involves taking actions to minimize the overall impact of identified risks, thus reducing their potential effects.
  • Risk transfer – This is a risk response measure taken when the Bank wants to transfer the obligation and responsibility for the risk to other organizations through contracts, insurance, or outsourcing agreements.
  • Risk avoidance – This is a risk response measure taken when the established risk exceeds organizational risk limits. A risk avoidance decision is typically made when the risk poses a serious threat to the organization, and the costs associated with mitigating the risk outweigh the potential benefits of the risk management measures.

Risk Monitoring

The main objective of risk monitoring is to ensure that the risks identified by the Bank and to which it is exposed remain within the Bank’s risk appetite and risk limits. When monitoring its risks, the Bank uses the Risk Appetite Statement, Key Risk Indicators (KRI), the Incident Management System, and the Risk and Control Matrix.

Risk Reporting

Risk reporting is the process of regularly collecting, analyzing, and presenting the risks faced by the Bank according to defined indicators, to management, regulatory bodies, and other relevant stakeholders.

The Bank prepares its overall risk profile on a monthly, quarterly, semi-annual, and annual basis and submits reports to the Chief Risk Officer, the Risk Management Committee, the Management Board, and the Supervisory Board. Also, the Bank submits the required risk-related reports to regulators.

Authority and responsibility distribution of Senior Management in risk management

The Senior Management of the Bank is responsible for the following tasks related to Risk Management (but not limited to):

Supervisory Board:

  • Reviews and approves the organizational risk management policy, including the processes for identifying, assessing, mitigating, and monitoring risks;
  • Ensures that risk management is integrated into strategic planning and across various levels of the organization;
  • Approves the organizational structure for risk management, including the authority and responsibilities of the risk management function;
  • Reviews and approves internal policies and guidelines related to risk management, ensuring they align with the organization's objectives, regulatory requirements, and best practices;
  • Approves the risk management strategy;
  • Reviews and approves the Risk Appetite Statement and risk limits;
  • Evaluates the effectiveness of the risk management system at least annually and identifies areas for improvement;
  • Approves the Business Continuity Policy and the Emergency Response Plan;
  • Reviews the internal audit report and the action plan to address deficiencies identified during the audit.

Risk Management Committee (RMC):

  • Reviews and initially approves the risk management strategy, policies (reviews the risk management policy at least annually), and guidelines, ensuring their compliance with the organization's objectives, regulatory requirements, and best practices and then submits them to the Supervisory Board for final approval;
  • Reviews and initially approves the Risk Appetite Statement and risk limits, then submits them to the Supervisory Board for final approval;
  • Provides recommendations and suggestions to the Supervisory Board regarding adjustments to the current and future risk appetite, as well as to the thresholds and limits established in case of a breach of these limits, for both aggregate and individual risk types;
  • Reviews and initially approves the risk identification report submitted by the Management Board, along with the Bank's risk register, and then submits them to the Supervisory Board for final approval;
  • Ensures that procedures are in place to ensure the Bank's compliance with the risk management policy, as well as overseeing the implementation of the Risk Appetite Statement by the Management Board;
  • Monitors that the management of the Bank's capital and liquidity objectives, as well as all risks inherent to the organization, including credit, market, operational, reputational, and other risks, are in line with the organization's risk appetite;
  • Provides recommendations to the Supervisory Board on risk mitigation strategies to keep risk levels within the established tolerance limits;
  • Collaborates with the CRO and supervises their activities;
  • Reviews and evaluates the activities of the CRO on an annual basis;
  • Provides recommendations to the Supervisory Board on improving the efficiency of the risk management system.

Management Board:

  • Reviews the risk management strategy, policies, and guidelines, ensuring their compliance with the organization's objectives, regulatory requirements, and best practices, and submits them to the Risk Management Committee for further review;
  • Arranges the risk management process and ensures the implementation of the risk management policy;
  • Oversees compliance with the risk management strategy and the organizational risk management policy;
  • Monitors the alignment between risk and returns within the Bank's defined risk appetite;
  • Submits reports on risks and their management to the Risk Management Committee;
  • Reviews the Risk Appetite Statement and submits it to the Risk Management Committee for further review and approval;
  • Approves the bottom limits within the risk limits established by the Supervisory Board;
  • Reviews the monthly reports on the results of risk limit monitoring and the organization's risk profile;
  • Analyzes the risks faced by the Bank and takes necessary actions to eliminate identified weaknesses;
  • Ensures the cooperation of the Bank's other structural units with the risk management unit, and takes actions to prevent interference with its activities while ensuring appropriate conditions for the effective management of the organization's risks;
  • Reviews the results of the risk culture assessment within the Bank and submits them to the Risk Management Committee for further review;
  • Reports to the Supervisory Board on its activities.

Chief Risk Officer (CRO):

  • Develops the risk management strategy, internal policies, and procedures for risk management, ensuring their compliance with international standards and regulatory requirements, and submits them to the Management Board for further review and to the Risk Management Committee for final approval;
  • Oversees the proper establishment, documentation, and implementation of risk management processes by the organization;
  • Ensures that the activities of structural units comply with the established risk management policies;
  • Ensures compliance with international standards and regulations for risk management, taking proactive measures to guarantee full compliance;
  • Coordinates the activities of the Management Board and structural units regarding risk management;
  • Participates in analyzing the strategic risks of the organization, ensuring the minimization of the negative impact of risks on the business;
  • Reviews the risk identification report submitted by the risk function and submits it to the Management Board for further review;
  • Oversees the execution of the risk assessment processes.

Role of the three lines of defense in risk management


The three lines of defense model is used to establish a system for effective risk management and control. This model helps ensure that risks are appropriately identified, assessed, and managed while promoting transparency, accountability, and compliance with requirements.

First Line of Defense – This includes business units directly involved in day-to-day business activities.

Second Line of Defense – This involves the structural units responsible for overseeing and guiding the first line of defense in implementing effective risk management practices and performing risk management and compliance functions.

Third Line of Defense – This includes the independent internal audit function, which evaluates the effectiveness of the first and second lines of defense.

Risk Culture

Risk culture is a set of norms, attitudes and behaviours related to risk identification, risk acceptance and management, as well as decision-making regarding risks. Considering the Bank's risk appetite, it must foster a comprehensive understanding and holistic assessment of the risks it faces, as well as the ways in which these risks are addressed, promoting a risk culture at the organizational level.

The management of the Bank's risks shall not be limited to internal control or risk management functions. Under the management's oversight, all structural units shall be responsible for managing risks on a daily basis, considering the organization's risk appetite and risk profile, and adhering to the organization's policies, procedures, and control tools.

Therefore, the Organizational Risk Management Policy requires the creation of a sound risk culture, where all lines of defense take on only acceptable risks when making daily decisions in their operations.

The organization's risk culture, a key element of effective risk management, must be strong and sustained to ensure that the organization makes well-founded and informed decisions.

Understanding and evaluating risk culture within the Bank is crucial in identifying strengths, weaknesses, and areas for improvement. Therefore, by conducting a comprehensive assessment of the Bank's risk culture, the Bank takes steps to create a risk-aware and resilient environment, encourage making the most effective decisions in risk management, and improve overall organizational performance.

To accelerate the process of enhancing the risk culture and improving communication across defense lines, a Risk Coordinator is appointed for each structural unit. The Risk Coordinator is responsible for coordinating and overseeing risk management activities within their structural unit. Their role is to ensure the effective implementation of risk management policies, procedures, and strategies within their structural units, in line with the organization's objectives and goals.

Final Provisions

This Policy shall come into effect upon its approval by the Supervisory Board of the Bank.

All structural units within the Bank are responsible for implementing this Policy in accordance with the provisions outlined in it. Together with the Bank's management, they are responsible for ensuring compliance with the provisions specified in this Policy, as well as for the periodic review and revision of the Policy.

The Bank regularly conducts an external independent assessment of its risk management practices. This is considered essential to ensure that the risk management processes function effectively and that significant risks are managed at acceptable levels.

Updated: 25.04.2025