
Comprehensive Risk Managements Program

1. INTRODUCTION
Risk is the chance or possibility of loss, damage, injury or failure
to achieve objectives caused by an unwanted or uncertain action
or event. Risk management implies adopting a planned and
systematic approach to the identification, evaluation and
economic control of those risks which can threaten the
assets or financial and organizational wellbeing of the Bank.
Banking, like most business ventures, is inherently risky. These
risks are of a wide variety and have an impact on the Bank's
profitability. Enat Bank is expected to be successful when the
risks it is taking are reasonable, controlled and within its
financial resources.
Banks are exposed to various risks in pursuit of their business
objectives. Failure to adequately manage these risks exposes
banks not only to losses, but may also threaten their survival.
Enat Bank S.C. is a business entity which performs its
activities within this environment; a well-defined
risk management program is therefore fundamental.

Risk Management is a discipline at the core of every financial
institution and encompasses all the activities that affect its risk
profile. It involves identification, measurement, monitoring and
controlling risks to ensure that:

a) The individuals who take or manage risks clearly understand them.
b) The Bank's risk exposure is within the limits established
by its Board of Directors.
c) Risk taking decisions are in line with the business
strategy and objectives set by the BoD.
d) The expected payoffs compensate for the risks taken.
e) Risk taking decisions are explicit and clear.
f) Sufficient capital as a buffer is available to take risks.

The acceptance and management of financial risks is inherent to
the business of banking and banks' roles as financial
intermediaries. Risk management, as commonly perceived,
does not mean minimizing risks; rather the goal of risk
management is to optimize the risk-reward trade-off.
Notwithstanding the fact that banks are in the business of
taking risks, it should be recognized that an institution
need not engage in business in a manner that unnecessarily
imposes risks upon it, nor should it absorb a risk that can be
transferred to other participants. Rather, it should accept
those risks that are uniquely part of the array of a bank's
services.
Enat Bank is therefore required to conduct its operations
within the boundaries of applicable guidelines issued
by the National Bank of Ethiopia to manage the Bank's
potential risks.

1.1 OBJECTIVE
• Ensuring that the Bank operates in a safe and sound
manner by effectively managing its risks;
• To identify and prioritize potential inherent and significant risk
events;
• Develop a common understanding of risk across multiple
functions and business units so we can manage risk
cost-effectively on a bank wide basis;
• To monitor assessment of the exposure to all types of risk
faced by the bank by assessing the quality and
appropriateness of mitigating actions, and ensuring that
adequate controls and systems are in place to identify and
address problems before they become major concerns;
• Ensure that the process of risk management is developed
and risks are managed throughout the bank in a
consistent manner;
• Promote a culture of "risk awareness" among the entire
Bank's performers;
• Combat a "risk averse" mentality;
• Guide performers involved in the risk management process
to identify, assess/measure, control, monitor and report
potential risk sources to the concerned organs; and
• Assist performers in prioritizing risks for further actions.

1.2 RISK MANAGEMENT PHILOSOPHY

The management of risk has always been a fundamental element
of the Bank's business execution although in recent times local
and international events have increased the expectations for the
management of risk in the Bank. The Bank's risk management
approach is an approved Bank wide risk management
methodology and philosophy to ensure adequate and effective
risk management. In addition, the methodology also provides
regulatory principles that, together with the risk management
approach, will continue to ensure optimum return on
shareholders' equity through the application of the following core
principles:

• Clear assignment of responsibilities and accountabilities;
• Common Bank-wide risk management framework and process;
• The identification of uncertain future events that may influence the
achievement of business plans and strategic objectives; and
• The integration of risk management activities within the
Bank and across its business lines.

Sustainable high-quality shareholder returns can only be
derived by accepting a certain measure of risk. Enat Bank
views risks as an inherent part of running a successful
business, i.e. risks are not only mitigated but are also
analyzed and investigated for potential opportunities. This
approach provides the direct correlation and linkage between
risk management and maximizing shareholder value.

The group applies a logical and systematic methodology to identify,
analyze, assess, control and monitor all known risks. The critical
success factor is the alignment of the key fundamentals of
governance, business objectives, stakeholders, ethics, policies,
standards, strategies and compliance.
The risk management process is continuous, with well-defined
and imbedded procedures that support enhanced decision
making by contributing a greater insight into risks and their
potential impact. One of the objectives of the risk
management philosophy is to ensure that mitigating [...] are
geared to deliver reliable and
timely risk management information. Enat Bank's approach to
risk accepts and holds risk management as a core competency
that allows the business to optimize risk taking through
objectivity and transparency that will ensure effective and
efficient risk valuing and optimized returns within a chosen
risk appetite.

1.3 RISK MANAGEMENT PRINCIPLES

The risk management functions shall be conducted in line with
the following overarching principles:

• The Bank shall have policies and procedures for managing
risk in all of the Bank's products, activities, processes and
systems;
• The Bank shall identify and assess risks inherent in all
products, processes, and systems;
• The Bank shall also ensure that before new products,
activities, processes and systems are introduced or
undertaken, the risks inherent in them are subject to
adequate assessment procedures;
• There shall be regular reporting of pertinent information to
the RCMD and the BoD that supports the proactive
management of risk;
• The Bank shall proactively identify and manage reputation risk;
• There shall be fair and open communication of risks;
• A strong risk management culture helps reinforce Enat Bank's
resilience; and
• Risk management shall be a continuous process and part of the daily
activities of every performer.

1.4 RISK DESCRIPTION

This Comprehensive Risk Management Program covers the seven
most common risks in banking, i.e. credit, liquidity, market,
operational, strategic, reputation and compliance risks.
A description of these risks is as follows:
Credit Risk: It is the risk of default due to the fact that the
Bank's borrowers are either unable to perform their obligation
or unwilling to perform obligations in line with the agreed terms,
resulting in economic loss to the Bank.
I. Liquidity Risk: Liquidity risk is the potential for loss to
an institution arising from either its inability to meet its
obligations as they fall due or to fund increases in assets
without incurring unacceptable cost or losses. Liquidity
risk includes inability to manage unplanned decreases or
changes in funding sources. Liquidity risk also arises
from the failure to recognize or address changes in
market conditions that affect the ability to liquidate
assets quickly and with minimal loss in value.
II. Market Risk: Market risk is the risk of losses in on and off
balance sheet positions as a result of adverse changes in
market prices i.e. interest rates, foreign exchange rates, and
equity prices.
III. Operational Risk: Operational risk is the current and
prospective risk to earnings and capital arising from
inadequate or failed internal processes, people and
systems or from external events.
IV. Strategic Risk: Strategic risk is the current and
prospective impact on earnings, capital, reputation or good
standing of the Bank arising from adverse business
decisions, improper implementation of decisions or lack of
response to industry, economic or technological changes.
This risk is a function of the compatibility of an
organization's strategic goals, the business strategies
developed to achieve these goals, the resources deployed to
meet these goals and the quality of implementation.
V. Reputation Risk: Reputational risk is the potential that
negative publicity regarding an institution's business
practices, whether true or not, will cause a decline in the
customer base, costly litigation or revenue reductions.
VI. Compliance Risk: Compliance risk is the current or
prospective risk to earnings, capital and reputation arising
from violations or non-compliance with laws, rules,
regulations, agreements, prescribed practices, or ethical
standards, as well as from incorrect interpretation of
relevant laws or regulations.

1.5 RISK MANAGEMENT PROCESS

Risk Management is a discipline at the core of every institution
and encompasses all the activities that affect its risk profile.
Risk management as commonly perceived does not mean
minimizing risk; rather the goal of risk management is to
optimize risk-reward trade-off. This can be achieved through
putting in place an effective risk management framework which
can adequately capture and manage all risks a bank is
exposed to. Risk Management entails four key processes:

I. Risk Identification

In order to manage risks, a bank must identify existing risks
or risks that may arise from both existing and new business
initiatives; for example, risks inherent in lending activity include
credit, liquidity, interest rate and operational risks. Risk
identification should be a continuing process, and should
occur at both the transaction and portfolio level.

II. Risk Measurement

Once risks have been identified, they shall be measured in
order to determine their impact on the bank's profitability and
capital. This can be done using various techniques. Accurate
and timely measurement of risk is essential to effective risk
management systems. A bank that does not have a risk
measurement system has limited ability to control or monitor
risk levels. A bank shall periodically test to make sure that the
measurement tools it uses are accurate. Good risk
measurement systems assess the risks of both individual
transactions and portfolios.

III. Risk Control

After measuring risk, a bank shall establish and communicate
risk limits through policies, standards, and procedures that
define responsibility and authority. Enat Bank also applies
various mitigating tools in minimizing exposure to various
risks.
The bank shall have a process to authorize exceptions or changes to
risk limits when

IV. Risk Monitoring

Enat Bank shall put in place an effective management
information system (MIS) to monitor risk levels and facilitate
timely review of risk positions and exceptions. Monitoring
reports should be frequent, timely, accurate, and informative
and should be distributed to appropriate individuals to ensure
action, when needed.
1.6 RISK MANAGEMENT FRAMEWORK

A risk management framework encompasses the scope of risks to
be managed, the process/systems and procedures to manage
those risks and the roles and responsibilities of individuals
involved in risk management. The framework is comprehensive
enough to capture all risks a bank is exposed to and has the
flexibility to accommodate any change in business activities. Key
elements of an effective risk management framework as per
NBE's Risk Guideline are:

• Active board and senior management oversight;
• Adequate policies, procedures and limits;
• Adequate risk measurement, monitoring and management information
systems; and
• Comprehensive internal controls.

I. Active Board and Senior Management Oversight

Boards of directors have ultimate responsibility for the level of
risk taken by the bank. Accordingly, they should approve the
overall business strategies and significant policies of the bank,
including those related to managing and taking risks, and
should also ensure that senior management is fully capable of
managing the activities that the bank conducts. All boards
of directors are responsible for understanding the nature of the
risks significant to the bank and for ensuring that
management is taking the steps necessary to identify, measure,
monitor, and control these risks.

Directors should have a clear understanding of the types of
risks to which the bank is exposed and should receive
reports that identify size and significance of the [...]ation,
directors should provide clear guidance regarding the level of
exposures acceptable to the bank and have the responsibility to
ensure that senior management implements the procedures and
controls necessary to comply with adopted policies.

Senior management is responsible for implementing strategies
in a manner that limits risks associated with each strategy and
that ensures compliance with laws and regulations on both a
long-term and day-to-day basis. Accordingly, management
should be fully involved in the activities of the bank and possess
sufficient knowledge of all major business lines to ensure that
appropriate policies, controls, and risk monitoring systems are
in place and that accountability and lines of authority are clearly
delineated. Senior management is also responsible for
establishing and communicating a strong awareness of and
need for effective internal controls and high ethical standards.
Meeting these responsibilities requires senior managers of the
bank to have a thorough understanding of banking activities and
detailed knowledge of the activities the bank conducts, including
the nature of internal controls necessary to limit the related
risks.

The risk management function provides independent oversight of
the management of risks inherent in banks. The risk manager
should be a member of the management team (but not part of
internal audit). He/she should not detract line managers from
the primary responsibilities of managing risk in their respective
business units.

In general, the risk manager shall ensure that effective processes are in
place for:
• Identifying current and emerging risks;
• Developing risk assessment and measurement systems;
• Establishing policies, practices and other control
mechanisms to manage risks;
• Developing risk tolerance limits for senior management
and board approval; monitoring positions against approved
risk tolerance limits; and
• Reporting results of risk monitoring to senior management and
board.
• Ensuring that all new business initiatives are subject to
comprehensive risk assessment before roll out;
• Organizing the aggregate risk position of the bank from
various line functions and focus on high risk areas for
corrective action by responsible risk owners; and
• Ensuring that all risks assumed by the bank are identified,
measured, transferred, avoided, and/or controlled/mitigated.

A bank's internal control structure is critical to the safe and
sound functioning of the bank, in general and to its risk
management, in particular. Establishing and maintaining an
effective system of controls, including the enforcement of official
lines of authority and the appropriate separation of duties is one
of management's more important responsibilities.

Indeed, appropriately segregating duties is a fundamental and
essential element of a sound risk management and internal
control system. Failure to implement and maintain an adequate
separation of duties can constitute an unsafe and unsound
practice and possibly lead to serious losses or otherwise
compromise the financial integrity of the bank.

II. Policies, Procedures and Limits

The bank's directors and senior management shall tailor their
risk management policies and procedures to the types of risks
that arise from the activities the bank conducts. Once the risks
are properly identified, the bank's policies and its more fully
articulated procedures provide detailed guidance for the day-to-
day implementation of broad business strategies, and generally
include limits designed to shield the bank from excessive and
imprudent risks.

III. Risk Measurement, Monitoring and Management Information Systems

Effective risk monitoring requires the bank to identify and
measure all material risk exposures. Consequently, risk
monitoring activities must be supported by information
systems that provide senior managers and BoD with timely
reports on the financial condition, operating performance, and
risk exposure of the institution, as well as with regular and
sufficiently detailed reports for line managers engaged in the
day-to-day management of the institution's activities.

IV. Internal Controls

The Bank's internal control structure is critical to its safe and
sound functioning generally and to its risk management system,
in particular. The Bank shall establish and maintain an effective
system of controls, including the enforcement of official lines of
authority and the appropriate separation of duties and
responsibilities.

Appropriately segregating duties is a fundamental and essential
element of a sound risk management and internal control
system. Failure to implement and maintain an adequate
separation of duties can constitute an unsafe and unsound
practice and possibly lead to serious losses or otherwise
compromise the financial integrity of the bank.
A properly structured system of internal controls promotes
effective operations and reliable financial and regulatory
reporting, safeguards assets, and helps to ensure compliance
with relevant laws, regulations, and the bank's policies.
1.7 ORGANIZATIONAL STRUCTURE OF RISK AND COMPLIANCE
MANAGEMENT DEPARTMENT

Board of Directors
  |
The Board's Risk and Compliance Management Committee
  |
President
  |
Risk and Compliance Management Department
  |-- Compliance Management Division
  |-- Risk Management Division

1.8. SCOPE OF THE PROGRAM

The scope of the Bank's risk management program is an
approved bank wide risk management which applies and
encompasses a logical and systematic methodology to identify,
analyze, assess, control and monitor all known risks. The critical
success factor is the alignment of the key fundamentals of
governance, business objectives,
stakeholders, ethics, policies, standards, strategies and
compliance.
In general, the scope of this risk management process is
continuous, with well defined and imbedded procedures that
support enhanced decision making by contributing a greater
insight into risks and their potential impact.
1.9. ACCESS TO THE PROGRAM

As the risk management is an inclusive task across the entire
business units, all employees of the Bank have the right to
access the Comprehensive Risk Management Program.
Employees at all levels must carry out diligently, efficiently and
to the best of their abilities the responsibilities entrusted to
them. They must act with loyalty to the Bank where the
legitimate interest of the clients and its stakeholders shall
prevail, and must act honestly, independently, impartially, with
discretion and without regard to self-interest. This Program
applies to all employees of the Bank without restriction in
conjunction with related operational policies and procedures
issued for the respective departments.

Enat Bank S.C



4. MAPPING OF INHERENT RISKS ONTO FUNCTIONAL AREAS

Activities in which the Bank engages entail a number of inherent risks
such as credit, liquidity, market, operational, strategic and
compliance risks. The level and type of risks inherent in a certain
activity depend on the nature and scope of such activity. Moreover,
one risk may cut across various functional areas and on the other
hand, one activity may have a number of inherent risks. It is also
common for one risk to trigger another risk. There is a need,
therefore, for the Bank to prepare a functional risk matrix to ensure
that all relevant risks inherent in its activities are captured.

Most common activities performed by the Bank include lending,
foreign exchange, deposit mobilization, etc. For the purpose of
preparing functional risk matrix, these activities could be derived
from the Bank's balance sheet, off-balance sheets items, and major
sources of income, organization structure and any other activities
within the institution. Below is Functional Risk Matrix:

Functional Risk Mapping Chart

Functional Areas/Activity (based on the financial statements of Enat Bank)
Inherent Risks (columns): Credit, Liquidity, Foreign Exchange, Interest Rate, Operational, Strategic, Compliance
[The X marks assigning each activity to its risk columns are not legible in this copy.]

1. Treasury and investments
- placements in the NBE
- placements with local banks
- placements with foreign banks
- investments in government
- borrowings (e.g., interbank)
2. Banking operations/Payment
- deposit due to other banks
- customers deposit
- fixed time deposit
- trust and safe custody
- inter branch float items
- payment orders/transfer
- checks and items for clearing
- cash payment system
3. Foreign banking
- Foreign exchange trading
- Banker's checks and drafts
4. Lending
- Inter-bank lending
- Loans and advances
5. Property Management
- bank premises, furniture and
- other properties and assets
6. Off-balance sheet activities
- Letters of guarantee issued
- Litigation and legal matters
- L/C commitments
- Loan commitments
7. Human Resource
8. Information systems
9. Internal controls and audit
10. Others

5. REVIEW OF THE PROGRAM

Since the working environment of the Banking industry is dynamic,
it entails the revision of this Comprehensive Risk Management
Program. Therefore, this Program is revised as follows:
• An article revision of the Program will be amended/updated
as and when the situation demands;
• The whole Program is revised every two years. The
management of the Bank is responsible for the following
proposal to revise the whole Program document; and
• One article/page amendment of this Program could be
initiated in writing by various pertinent organs of the Bank
at any time the situation demands.
The Board of Directors has the authority to approve any
amendments to this Comprehensive Risk Management Program of
the Bank, which shall be submitted to the NBE.

6. APPROVAL OF THE PROGRAM

This program shall be approved subsequently by the Bank's BOD
and NBE for Final Implementation.

7. EFFECTIVE DATE

This Program shall enter into force with effect from [...], 2018.

14. Annexes

ANNEX 1: ENAT BANK S.C.
RISK AND COMPLIANCE MANAGEMENT DEPARTMENT
Data Reporting Format on Individual Operational Risk Event

Instruction: The purpose of this data collection form is to get
up-to-date information on operational risk events that have occurred in
the business lines (Branches/Departments) of the Bank. The
information should be reported to the Risk Management and
Compliance Department immediately, as the loss was discovered or
at the end of the month, whichever is sooner. The report could be
presented in the attached form or adapted to another reporting
format (including attaching additional pages) but the response
should be completed in as much detail as possible, and supported
by relevant data where available.
NB: Regular monthly report of such a kind should be submitted to
the Risk Management and Compliance Department. The report
should be made even if no operational loss was identified during the
reporting month. In such a case, the Branch/Department can state
that 'NO OPERATIONAL LOSSES IDENTIFIED'. The form should be
delivered to the Risk Management and Compliance Department signed
by the Manager or his/her designate.


Operational Risk Reporting Form [1]
(Incident Reporting Format)

Branch/Department: ____________________
Reporting date: ____________________
Ref: ____________________

1. Type of operational loss event [2]: ____________________
2. Date of discovery: ____________________
3. Date of occurrence: ____________________
4. Gross loss amount: ____________________
5. Net loss amount: ____________________
(Explanation: if an
6. Insurance Recovery: ____________________
7. Other means of loss recovery (specify): ____________________
8. Business line/Operation: ____________________
9. Place of occurrence: ____________________
10. Event Description: ____________________
11. Subsequent actions/measures taken by the Branch/Department
immediately after the risk event: ____________________
12. Recommended measures to control such losses from
happening again in the future: ____________________

Prepared by (name and sig.): ____________________
Approved by (name and sig.): ____________________

[1] See the attached notes and explanations. For more information, contact the Risk and
Compliance Department.
[2] This format is designed for reporting single operational loss event. If more than one
operational risk event occurred during the month, please use an additional such format.

Note 1: Explanations and Remarks

S. No. / Item / Remark

1. Event type: Such as internal fraud, external fraud, transaction
processes, system failures, etc.
2. Date of Discovery: The date when the loss was recognized by the
Branch/Department.
3. Date of occurrence: The date when the loss occurred (the first day
for a series of individual losses related to the same operational
risk event).
4. Gross loss amount: Provide an approximation when the precise
number is not available.
5. Net loss amount: Net loss amount (the loss incurred by the
Bank after taking into account recoveries from customers,
insurance or other sources). Provide an approximation when the
precise number is not available.
6. Insurance recovery: Provide an approximation when the precise
number is not available.
7. Other means of loss recovery (specify): Provide an approximation
when the precise number is not available.
8. Business line/Operation: Specify the kind of banking activity (cash
management, domestic banking, credit, foreign banking, etc. with
their own breakdowns).
9. Place of occurrence: Within the branch/other bank/related to the
document in transit, etc.
10. Event Description: A detailed description of the event; including
weaknesses and flaws that enabled the loss to happen.
11. Subsequent action/measures taken by the Branch/Department
immediately after the event: A detailed description of the
actions/measures taken by the branch/department (such as reporting
to the police, alerting appropriate organs of the Bank, etc.).
12. Mitigation techniques: Recommended measures to control such
losses from happening again in the future (i.e., any
suggestions that you feel are appropriate for
preventing or reducing such a risk, including amendment of the
policy, operation procedures etc.).

Note 2: Types of Operational Risk (adopted from Basel II definitions)

The definition of operational risk incorporates the risks stemming
from people, processes, systems and external events. People risk
refers to the risk of staff and management failure, organizational
structure or other human resource failures. These risks may be
exacerbated by poor training, inadequate controls, poor staffing
resources, or other factors. The risk from processes stems from
breakdowns in established processes, failure to follow processes,
or inadequate process mapping within business lines. System risk
covers instances of both disruption and outright system failures in
both internal and outsourced operations. Finally, external events
can include natural disasters, terrorism, and vandalism.
Nevertheless, for quantification and loss data pooling purposes,
operational risk event can also be categorized into the following:
1.1 Risk from Internal Fraud: is a risk resulting from the
dishonesty of personnel within the Bank for the purpose of gaining
benefits from the Bank for oneself, such as forgery of checks and
documents, embezzlement, bribery, etc. This involves at least one
internal party.
1.2 Risk from External Fraud: is a risk resulting from the
dishonesty of individuals outside the Bank that directly causes
damage to the Bank, such as forgery of checks and financial
documents, fraudulence, etc.
1.3. Risk from Employment and Hazardous Working Conditions:
is a risk resulting from inappropriate hiring of employees, unjust
compensation, or mistreating employees, producing consequences
such as litigation, resignation, or demonstrations. Moreover, it
includes risk stemming from the enforcement of safety regulations
and the inability to control the environment in working conditions,
causing detrimental effects to employees' health such as diseases, or
accidents while working.
1.4. Risk from Property Damage: is the risk of property damage
in the Bank resulting from various accidents such as fire, natural
disasters, destruction of property, riots, political uprising,
terrorism, etc.
1.5. Risk from Interruptions and Breakdowns in the Operational
System and Computer System: is a risk resulting from anomalies
in the system or failure of the system in various aspects such as
inconsistency, disparity arising from combining
operations, defects in the computer system and network system,
and the usage of outdated and substandard technological tools.
1.6. Risk from Operational Processes: is a risk resulting from
errors in methodology, in the operational process itself, or from
employees within the Bank and employees outside the Bank, such
as submitting inaccurate information, failure to follow rules,
wrongful recruitment, lack of knowledge and comprehension of
employees in operations and usage of the computer system,
inappropriate improvements in operations, and drawing
incomprehensive contracts and legal documents that produce
loopholes, etc.
1.7. Risk from Customers, Products, and Business Practices: is
a risk resulting from the method of business practice, the product
introduction, and the accessing of customer's information that is
inappropriate or non-compliant with the prescribed laws,
regulations or rules, such as unlawful transaction, unapproved
dealings, money laundering activities, and the usage of confidential
customer's information for personal benefits, etc.
ANNEX 2: Enat Bank S.C.

Information Technology Related Risks Reporting Format
For the Period Covering ..................

1. IT Components Failure
2. Specify all the failures of IT components [3] that resulted in
IT-related risks during the quarter

Columns: No. / IT Components / If particular failure occurred,
indicate respective no. of occurrences / Particulars/details of
the adverse event / What actions have been taken to correct the
adverse event? / Remark

IT Components (rows):
• Hardware
• Software
• Network and infrastructure entities (including
telecommunication and external links failure)
• Others (specify...........)

[3] To be compiled from either Daily Incident Record Report or other relevant records



1. Has any key data or in fD 1a t io n bea==hsl due to the failure
of any of the aforementioned IT components? Yes No
2. If ye s , what actions have been taken to minimize such
possibility m the future?

2. Information Technology Security

1. Specify any damage, loss, or disruption, if any, caused by events
that exploit IT security weaknesses of the Bank during the
quarter?

No. | Particulars/details of the event | Causes | Indicate any damage or loss that resulted from security failure | What actions have been taken to correct the adverse event? | Remark
1 | | | | |
2 | | | | |
3 | | | | |

2. During the quarter, have the branch/es of the Bank complied
with maintaining a data back-up?
Yes [ ] No [ ]
(Objective: the Back-up system is located at a reasonable
distance from the main system to prevent any possible damage in
case the main system ceases functioning or the branch site is
damaged partially or completely as a result of disasters.)

If no, specify branches that did not maintain a data back-up.

3. Specify any potential risk the Bank confronts related to the Bank's
existing IT system?


4. How do you rate the excellence banking system used by the Bank over the following parameters?

No | Areas of Concern | Good | Have Problems | Remark (explanation for the problems)

1 Adequacy of controls over changes to the systems, programs, data files,
and personal-computer-based applications:
• Controls to restrict and monitor use of data-altering utilities
• Controls to prevent unauthorized changes to system and programs
security settings
• Process and authorizations to change application parameters.

2 Employees' levels of online access (blocked, read-only, update, override,
etc.) match current job responsibilities.

3 Password administration for employee and customer
passwords considering the complexity of the processing
environment and the type of the information accessed.
• Whether passwords are confidential (known only to the
employee).
• Whether the procedures to reset passwords ensure
that confidentiality is maintained.
• Security of passwords while stored
in computer files, during transmission, and
on printed activity logs and reports.
4 The effectiveness of controls to protect data
confidentiality, that is, to prevent the inadvertent
disclosure of confidential information.
• Systems used to monitor access and detect
unauthorized internal or
external attempts to access the bank's systems (i.e.,
the detection of intruders)
• Control and security for data transmitted to or from
remote locations.
• Controls over remote access (by modem or Internet
link) to ensure use/access by authorized users only.
5 The effectiveness of planning for event management
activities.
• Emergency procedures and evacuation plans.
• Response to network attack or penetration.
6 The processes and procedures to prevent destruction of
electronic files and other storage media.
• Frequency of file backup for each activity.
• Access to backup files and storage media (disks, tapes,
etc.).
• Location of off-site file storage.
• Virus protection for networks and PCs.
7 The adequacy of and compliance with IT security policy.
• Whether the policy has been approved and overseen by
the Board of Directors.
• Whether it is adjusted, as appropriate, for changes in
the bank's (or service provider's) processing
environment or systems.
• Whether it prescribes reports to the Board (or
committee) on the overall status of the IT security and
the Bank's compliance with the policy.
8 The effectiveness of MIS reports for significant IT systems
and activities to
ensure that risk identification, measurement, control,
and monitoring are commensurate with the complexity
of the bank's technology and operating environment.
• Systems capacity, including peak processing volumes.
• Up-time performance (within time) and processing
interruptions.
• Network monitoring, including penetration attempts
and the detection of intruders.
• Activity logs and security reports for
operations, program and parameter changes,
terminals use, etc.
• Volume and trends of losses from errors, fraud,
and un-reconciled items, etc.
9 Adequacy of insurance policies for the IT
hardware/software (whether they are current and
provide adequate coverage.)
10 The significance of the system or application in
supporting bank products and services.


Annex 3: Enat Bank S.C


Credit Risk Review Format (Confidential)
I. Borrower Profile
1. Borrower's Name ______________

2. Is he/she currently engaged in any type of business? Y/N ______

3. Line of business
4. Name of the major shareholders
i. ______________ ii. ______________

5. List of Sister Company(s) and affiliates (if any)

i. ______________ ii. ______________

6. Is the borrower a related party to the bank? Y/N


II. Credit Facilities
a. With Enat Bank

Credit facilities | Approved limit/Amount | Initial Date granted | Date of renewal/restructuring | Due/Expiry Date | Outstanding balance as at...... | Interest rate | Status
T/L | | | | | | |
T/L | | | | | | |
O/D | | | | | | |
Temporary Over-drawal | | | | | | |
Merchandise | | | | | | |
Guarantee | | | | | | |
L/C | | | | | | |
Total Credit exposure of Enat Bank to the Borrower | | | | | | |
Total Credit exposure of Enat Bank to its sister company | | | | | | |
Total Credit exposure | | | | | | |

1. Total credit exposure to the Bank's capital ______________

2. Does it exceed the single borrower limit? Y/N

3. If it is a related party to the bank, does it exceed the single and
group-related party exposure limit? Y/N
b. With Other Banks

1. Latest Credit Information Collection date ______________

Credit facilities | Name of Bank | Approved limit/Amount | Initial Date granted | Due/Expiry Date | Outstanding balance as at...... | Status
T/L | | | | | |
O/D | | | | | |
Temporary O/D Over-draw | | | | | |
Merchandise | | | | | |
Guarantee | | | | | |

2. Have there been any non-performing loans/facilities with other
banks before approval of the existing loans with Enat Bank? Y/N
III. Credit Risk Analysis
1. Did the borrower submit any financial statements
for new loan requests/renewal/restructuring? Y/N If yes, what
type of financial statements: audited, provisional or CCR?

Summary of Financial Statements

 | Date | Date | Date
Current Asset | | |
Inventory | | |
Receivables | | |
Other current | | |
Total Asset | | |
Current Liabilities | | |
Total Liabilities | | |
Capital | | |
Paid-up capital | | |
Other capital | | |
Total Revenue | | |
Total Expenses | | |
Net profit (loss) | | |
Accumulated loss | | |
Current ratio | | |
Quick ratio | | |
Debt ratio | | |
Debt to equity | | |
Inventory Turnover | | |

2. If audited, any qualified opinion of the auditors ______________

3. Comment on the management of the borrower (including
structure, gender and Qualifications)

4. Any legal case relating to the management: detention, legal charge, etc. ______
5. Are the loans backed by collateral? Y/N

Type of Loan | Type of Collateral | Number of collateral | Degree of collateral | Estimated value | Latest Estimation date | Insured value | Expiry date
 | Building | | | | | |
 | Vehicles (see year of manufacturing) | | | | | |
 | Machinery | | | | | |
 | Financial | | | | | |
 | Cash/Certificate of Deposit | | | | | |
 | Merchandise | | | | | |
 | Personal guarantee | | | | | |
Total Collateral value | | | | | | |
Collateral to loan ratio (compare with the bank's policy) | | | | | | |
Total collateral value to insurance value (compare with the Bank's policy) | | | | | | |

6. Has the collateral been registered with the appropriate organ? Y/N
7. Has spouse(s) of owner(s) of the collateral co-signed in the mortgage
contract? Y/N
IV. Credit Decisions and Approval
1. Has the loan been approved by the responsible credit
committee or loan-approving body? Y/N
2. Has the loan disbursement been made with the terms and conditions
stipulated in the LAF? Y/N
3. Have the loan and mortgage contracts been signed as per the credit
policy of the Bank? Y/N Date of the latest loan contract ______

4. The performance of Merchandise facilities and other credit
facilities without fixed repayment term (for the recent six
months)

V. Loan Follow Up and Monitoring Activities

1. Has the loan been utilized for the purpose(s) it was granted for
or diverted from its original purpose?
2. Is any business visit conducted? Date of visit ______
3. Material issues stated in the visit report(s)

3. Date of reminders: 1st ______ 2nd ______ 3rd ______

4. Any legal steps undertaken status of the legal steps ______

5. Describe other follow-up and monitoring activities undertaken ______
Performance of the term loan facilities (includes all loans having fixed repayment terms)

Type of loan | Arrears: Amount | Arrears: No. of repayment | Reschedules/Restructuring: No | Reschedules/Restructuring: Reasons | Current Status | Appropriate classification | Provision held | Provision required | Remark
T/L | | | | | | | | |
T/L | | | | | | | | |
T/L | | | | | | | | |

VI. Performance of the Credit Facilities

Comment (if any) on the performance of the loan


Type of loan | Approved limit | Reschedules/Restructuring: No | Reschedules/Restructuring: Reasons | Turnover for the latest six months | Current Status | Appropriate classification | Provision held | Provision required | Remark
 | | | | | | | | |

Comment (if any) on the performance of the loan

Has timely renewal of the O/D and Merchandise facilities been made?

Expiry date ______________ Renewal Date ______________

VII. Summary

Summarize the performance of the borrower in terms of Character (Track
records), Capital, Collateral, Capacity, Conditions and control.


ANNEX 4- Format for Human Resources and Support Services


1. MANPOWER STRUCTURE
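 | | Managerial | Supervisory | Clerical | Non-clerical
Age | <20 | | | |
 | 20-30 | | | |
 | 30-45 | | | |
 | 45-55 | | | |
 | 55-65 | | | |
 | >65 | | | |
Sex | Male | | | |
 | Female | | | |
Experience | <2 | | | |
 | 2 to 5 | | | |
 | 5 to 10 | | | |
 | 10 to 15 | | | |
 | >15 | | | |
Education | <12th | | | |
 | Diploma/Vocational Trainings | | | |
 | First Degree | | | |
 | Second Degree and Above | | | |
Employment Status | Permanent | | | |
 | Temporary | | | |
 | Outsourced | | | |
 | Part Time | | | |
 | Others | | | |
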
2. HUMANPOWER PLANNING

LIST OF VACANT POSTS AT THE END OF

No | Department | Position | Grade | Planned date of employment | Reason for the delay, if any* | Remark
 | | | | | |

* Reasons for not filling the vacant post.

3. RECRUITMENT, SELECTION AND PLACEMENT

 | Managerial | Supervisory | Clerical | Non-clerical
Number of newly employed staffs | | | |
Recruitment on Progress | | | |
Recruitment mode: | | | |
Permanent | | | |
Temporary | | | |
Outsourced | | | |
Part-time | | | |

4. PROMOTIONS AND TRANSFERS

 | Managerial | Supervisory | Clerical | Non-clerical
Number of Promoted staffs | | | |
Horizontal Promotion | | | |
Vertical Promotion | | | |
Others | | | |
Transfers | | | |


5. TURNOVER/SEPARATIONS

 | | Managerial | Supervisory | Clerical | Non-clerical
Reasons | Resignations | | | |
 | Dismissal | | | |
 | Suspension | | | |
 | Retirement | | | |
 | Others | | | |
Age | <20 | | | |
 | 20-30 | | | |
 | 30-45 | | | |
 | 45-55 | | | |
 | 55-65 | | | |
 | >65 | | | |
Sex | Male | | | |
 | Female | | | |
Experience | <2 | | | |
 | 2 to 5 | | | |
 | 5 to 10 | | | |
 | 10 to 15 | | | |
 | >15 | | | |
Education | <12th | | | |
 | Diploma/Vocational | | | |
 | First Degree | | | |
 | Second Degree and | | | |

6. TRAINING AND DEVELOPMENT

 | | Managerial | Supervisory | Clerical | Non-clerical
Training | Training Courses | | | |
 | No. of Participants: | | | |
 | Locally organized | | | |
 | Abroad | | | |
Managerial Devt. Trainings | Training Courses | | | |
 | No. of Participants: | | | |
 | Locally organized | | | |
 | Abroad | | | |

7. REPORTED GRIEVANCES

No | Description of Grievances* | Action Taken | Remark
 | | |

* It might include grievances on performance appraisal, on the
bank's compensation system, on the supervision of employees, on
employee safety and health, discrimination claims, etc.

8. DISCIPLINE

No | Name of Employee | Description of violation* | Action taken: Verbal Caution | Written Reprimands | Suspension | Demotion | Dismissal | Other (specify)
1 | | | | | | | |
2 | | | | | | | |
3 | | | | | | | |
4 | | | | | | | |

* includes employees' violation of the Bank's code of conduct, rules, regulations and procedures

ANNEX 6: Checklists of the procurement process


Tender Phase | Risk Description
Tender Notice/TOR | Failure of exhaustive legal and technical considerations that lead the bank to an extra cost
Bid called; Bid closed; Bid opening | Any risk emanating from dishonesty by any of the staff in keeping confidentiality of the bid, lack of transparency, risk of theft of key, seal and loss of document (improper closing of the bid), bias or prejudice.
Technical and Financial appraisal |
Respective department gives technical appraisal and advisory as needed | Bias and or lack of the technical expertise to evaluate the bidders e.g. IT related purchases
Financial appraisal would be conducted by the committee |
Negotiation by the procurement committee | Fraud, selection of low quality items and high priced items
Recommendation is forwarded to the Executive Management |
Winner is awarded |
Final Negotiation; Final purchase | Fraud
Formal purchases (budgeted) |
Purchaser collects pro forma invoices from at least three vendors and submits to the procurement committee | Sticking to same suppliers and or failing to transact with better potential suppliers
Procurement committee deliberates on the submitted invoices and recommends purchase from the with least price acceptable quality | Lack of expertise and inadequate time to deliberate well like quality check, etc.....
The committee negotiates and forwards to the top management or HR and SS for final approval | Fraud
Auditor checks and approves payment of the purchase | Costly since all activities are not audited prior to
Purchaser purchases the items | Separation of duty, that leads to inconsistency in quality and sample presented
Items are brought to store and distributed to the concerned department | Loss of items and or fraud

* Initiation of every purchase is by requisition filled by each department and sent to HR and
SS. HR and SS approves the request and forward to procurement committee and or to the
purchaser.
** Approval would be obtained from the president prior to
starting the process as per the procurement manual.

ANNEX 7: FORMAT FOR THE LEGAL DEPARTMENT OUTSTANDING LEGAL CASES

No | Status | No of Cases: Related to Credit | No of Cases: Others | Outstanding Amount: Related to Credit | Outstanding Amount: Others
1 | Cases decided in favor of the Bank and effected | | | |
2 | Cases decided in favor of the Bank, but cannot be effected for lack of attachable property | | | |
3 | Cases decided against the Bank's interest | | | |
4 | Cases under execution proceedings | | | |
5 | Cases pending before Federal Court and Regional Zonal Courts | | | |
6 | Borrowers to be sued | | | |
7 | Cases under foreclosure process (Written Notice served) | | | |
8 | Cases under foreclosure process (Under Auction Process) | | | |
9 | Cases for which legal action was suspended | | | |
10 | Cases under court or other injunction | | | |
Total | | | | |