100
İŞBANK
ANNUAL REPORT 2012
of reliability and integrity. Asset and liability management risk is reported to Risk Committee and reported to the Board of Directors through
Audit Committee.
Compliance with risk limits is closely and continuously monitored by Risk Management Division, Asset-Liability Committee and related
business units. In the event of a breach in the risk limits, the breach and its reasons are instantly reported to Board of Directors through Audit
Committee. Course of action needed to be taken in order to eliminate the breach is determined by the Board.
Asset and liability management processes and compliance with the policy rules are audited by internal audit system. The principles regarding
the audit process, audit reports and fulfillment of action plans to eliminate the errors and gaps determined by internal audit are established
by the Board of Directors.
Operational Risk Policy
Operational risk is defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external
events”. Risk Management Division is responsible for the risk management activity on this particular risk. Operational risk management
activities comprise defining, measuring, analyzing, monitoring and reporting of operational risks, following up the new techniques on
management of operational risks besides regulatory and internal reporting. The fundamental principles and procedures of risk management
are determined in Operational Risk Policy.
Categorization of inherited operational risks within the activities and processes is monitored via the Enterprise Risk Framework. It serves as
the basic document to define and classify the risks and is subject to alteration as conditions change. Enterprise Risk Framework is modified in
line with the improving risk management practices and changing regulations
The methodology employed to identify operational risks is “self-assessment”. This methodology requires staff with roles and responsibilities
in a particular activity to get involved in the risk and control assessment process of that activity. Operational risk management process
combines both qualitative and quantitative approaches in measurement and assessment. The measurement process uses data obtained
from “impact - likelihood analysis”, “loss database” and “key risk indicators”.
All operational risks inherited in the banking processes and information systems, risk levels of new products and processes, operational losses
incurred by the Bank and risk indicators are monitored continuously and reported to the Risk Committee and the Board in a timely manner.
Employees have theunderstandingof theBank’s objective toattainaworkingenvironment aiming to reduce theprobabilityof loss, considering
that the entire internal rules and procedures, led by operational risk policy, and act sensitively to the inherited operational risks and controls.
Consolidated Risk Policies
Compliance with risk management principles related to the Bank’s subsidiaries are monitored through Bank’s “Consolidated Risk Policies” by
Subsidiary Risk Unit. Subsidiaries identify their specific risk management policies that cannot divert from or conflict with consolidated risk
policies. Subsidiary boards approve company risk policies that form the framework of their risk management systems and processes.
Information Systems Management Policy
The purpose of Information Systems Management Policy is to determine the principles which will constitute a basis for the management of
information systems that the Bank uses to fullfill its activities and the procedures in order to define, measure, control, monitor, report and
manage the risks derived from using information technologies. With the Policy, the information technologies which is an important element
for sustaining Bank activities is intended to bemanaged effectively as information systemsmanagement, being handled as a part of corporate
governance practices. On the management of Bank’s information systems and all the elements relating to those systems articles of this Policy
are applied.
Risks derived from information technologies are basically assessed within the scope of Bank’s operational risk management. It is essential
that those risks which could be seen as multipliers of the other risks derived from activities of the Bank are measured, closely monitored and
controlled within the framework of Bank’s integrated risk management.
Information on Risk Management Policies Applied per Risk Types
1...,92,93,94,95,96,97,98,99,100,101 103,104,105,106,107,108,109,110,111,112,...300