
4.

COMPLIANCE RISK MANAGEMENT

Compliance risk is the current and prospective risk to earnings or capital
arising from violations of or non-conformance with laws, rules, regulations,
prescribed practice or ethical standards issued by the regulator from time to
time. In a nutshell, legal risks arise or emerge from an inability to manage
compliance effectively and proactively.

Compliance management is, therefore, the process of identifying international and
national laws and regulations applicable to the operation of the bank and
ensuring that the bank complies with them so as to protect itself from legal
risks.

8.1. RESPONSIBLE ORGANS ON COMPLIANCE RISK MANAGEMENT

8.1.1. THE BOARD OF DIRECTORS

The Board of Directors shall:

a) Ensure the Bank's compliance with all relevant laws, rules and
standards;
b) Ensure the allocation of sufficient resources for compliance programs
covering legal and compliance issues associated with the Bank's operations;
c) Ensure the establishment of a compliance function that is sufficiently
independent from operations; and
d) Understand the nature and level of compliance risk to which the Bank is
exposed and how its risk profile fits within the overall business strategy.

8.1.2. THE BOARD'S RISK AND COMPLIANCE COMMITTEE

The Board's Risk and Compliance Committee shall:

e) Review and recommend compliance risk management strategies
and policies for BoD approval;
f) Review and assess the adequacy of compliance risk management
policies and framework in identifying, measuring, monitoring and controlling
compliance risk and the extent to which these are operating effectively;
g) Ensure that the necessary infrastructure, resources
and systems are in place for compliance risk management;
h) Ensure that all Bank staff responsible for implementing the
compliance risk management system perform those duties independently of the
Bank's risk-taking activities; and
i) Review management's periodic reports on compliance risk exposure,
composition and risk management activities.

8.1.3. THE EXECUTIVE MANAGEMENT

The Executive Management shall:

a) Implement the compliance policy approved by the Board of Directors;
b) Effectively manage the Bank's regulatory compliance risk;
c) Ensure that there is sufficient depth and skill in staff resources to
manage compliance risks;
d) Ensure that appropriate remedial actions are taken for the identified
potential compliance risk; and
e) Ensure that the Board's Risk and Compliance Committee is receiving
compliance reports.

8.1.4. THE RISK AND COMPLIANCE MANAGEMENT DEPARTMENT

The Risk and Compliance Management Department shall:

a) Propose, prepare and review compliance management policy and
procedure;
b) Review all policy and procedure of the Bank in light of compliance risks;
c) Identify and report potential compliance risk incidents for the Board's
Risk and Compliance Committee; and
d) Advise the Board of Directors and the Executive Management on
compliance issues.

8.1.5. THE LEGAL SERVICE DEPARTMENT

The Legal Services Department shall:

a) Ensure that the legal system incorporates the identified compliance
issues;
b) Assist Risk and Compliance Management Department in identifying
applicable laws and regulations; and
c) Provide legal findings to the Risk and Compliance Management
Department.

8.2. STRATEGY, POLICY AND PROCEDURE OF REGULATORY COMPLIANCE RISK
MANAGEMENT

I. The Bank's regulatory compliance risk strategy shall be:
a) Able to meet all legal obligations;
b) Capable enough to protect its customers, employees and stakeholders;
and
c) Consolidated and integrated to ensure all necessary governance
requirements are met.
II. The Bank's regulatory compliance risk framework shall encompass the
following:
a) A framework for dealing with legal matters of varying complexity;
b) Maintenance of a central inventory of key documents such as contracts,
licenses, policy statements and others;

c) Regular review and assessment of the legal risk in the Bank's
activities, including new products;
d) Adequate documentation on all significant transactions, including
security administration;
e) Record maintenance in line with relevant statutory requirements; and
f) Ensure maintenance of confidentiality provisions.

8.3. REGULATORY COMPLIANCE RISK MANAGEMENT PROCESS

In the Bank, a system should exist to ensure that deficiencies identified are
promptly managed and meaningful corrective actions are implemented; the
basic processes are the following:

8.3.1. IDENTIFICATION OF THE COMPLIANCE RISK

The compliance risk needs to be identified and considered in detail. Failure to
properly consider risks can lead to the selection of inappropriate legal and
compliance measures and ineffective regulatory outcomes.
The following factors should be examined:

a) The nature of the risk - What event or incident can happen, when and
where?
b) The source of the risk - What types of people or businesses will be
involved?
c) The cause of the risk - Why does the risk occur, direct and underlying
reasons?
d) The effect of the risk - What is the impact upon the regulatory
outcome? Who will be adversely affected? There may be a range of different
effects that need to be identified.
e) It will be necessary to use information on previous cases of non-
compliance as well as the knowledge of the staff in examining these matters.

8.3.2. MEASUREMENT OF COMPLIANCE RISK

The regulatory compliance risk should be analyzed so that the level of the risk
can be understood. This information is important because it will be used
to decide which risks the Bank should give most attention. The level of
compliance risk is determined by consideration of the negative consequences
of the non-compliance risk and the likelihood of the non-compliance risk. This
is determined using either quantitative or qualitative analysis.

8.3.2.1. QUANTITATIVE ANALYSIS

The Bank should use quantitative analysis, where possible, because it is the
most objective and accurate method of analysis. Quantitative analysis can be
used to determine the consequences and likelihood of non-compliance where
verifiable data is available for the legal risk or non-compliance.

8.3.2.2. QUALITATIVE ANALYSIS

Qualitative analysis should be used if quantitative analysis is not feasible
because inadequate data is available or where the costs of the quantitative
assessment are out of proportion with the significance of the non-compliance
risks. Qualitative analysis can also be used as a first step to identify risks
which require further detailed analysis.
Qualitative analysis involves using judgment to describe in words the
consequences and likelihood of non-compliance risks. Subjective judgments
should be based on the available facts and data. The Bank should categorize
the level of the risk based on an implicit judgment of the consequences and
likelihood of a risk and the significance of each factor.

8.3.3. CONTROLLING OF COMPLIANCE RISK

a) Ensuring that compliance activities are coordinated and appropriately
resourced;
b) It may also be useful to acquaint staff with the steps to be followed
when investigating non-compliances; and
c) Familiarize employees with the banking legal and non-compliance
grounds and how to proceed.

8.3.4. MONITORING OF COMPLIANCE RISK

Risk analysis cannot, by nature, be precise, but it should be accurate enough
to use as a basis to prioritize the compliance risks. To ensure the risk analysis
is sufficiently accurate, the Bank should bear in mind the following:

a) Carefully review semi-quantitative analysis. These results are based on
the judgments of staff and not verifiable data as with quantitative analysis
and need to be examined for anomalies and inconsistencies;
b) Clearly state assumptions. If it is necessary to make an assumption in
analyzing the non-compliance risks, it should be clearly stated and justified.
This allows the assumptions to be later reviewed if more evidence comes to
light;
c) Apply methodology consistently. The methodology used in quantitative
and qualitative analysis should be applied consistently so that risks are
analyzed on the same basis. This allows the level of each risk to be compared
with other risks; and
d) Consider sensitivity analysis. This can be used to demonstrate how
outcomes vary with changes in input assumption. If outcomes are highly
sensitive to a change in a particular input, greater certainty about that input
should be sought where possible to improve the risk analysis.

8.3.4.1. REPORTING

The monitoring process also includes reporting of potential compliance risk,
which has been identified, measured and monitored by the Risk and Compliance
Management Department, to the Board's Risk and Compliance Committee on a
quarterly basis in brief and in a summarized manner for informed business
decisions and proper management of the compliance risk of the Bank.

8.4. MANAGEMENT INFORMATION SYSTEM

An effective management information system (MIS) is essential for sound
compliance risk management decisions and the effective oversight.
Management information systems are a critical tool for communicating
information to decision makers in a form that enables them to review and act
on the information. Information should be readily available for day-to-day
operations management and risk control. Data should be appropriately
consolidated, comprehensive yet brief, focused and available in a timely
manner. Compliance risk can arise from violating the national laws,
regulations and procedures at any level while the Bank is performing its day
to day activities, and effective compliance risk management may require daily
internal reporting. Since the bank's operation is affected by different factors,
detailed information on every transaction is essential.
Enat Bank shall implement a system to monitor on an ongoing basis its
compliance risk exposure and loss events by each major department and
branch. The Bank monitors its compliance losses directly, with an analysis
of each occurrence and a description of the nature and causes of losses.

8.5. INTERNAL AUDIT

The Internal Audit Department of the Bank shall:

a) Undertake audit assessments independently in line with the legal
framework of the Bank periodically; and
b) Provide identified audit findings on legal and non-compliance risks to
the Risk and Compliance Management Department immediately for further analysis.
