Page 85 - ACCESS BANK ANNUAL REPORTS_eBook

capture, assessment, analysis and reporting of risk events. This process is used to help identify where process and control requirements are needed to reduce the recurrence of risk events. Risk events are loaded onto a central database and reported monthly to the ERMC. The Group also uses a database of external public risk events and is part of a consortium of international banks that share loss data information anonymously to assist in risk identification, assessment, modelling and benchmarking.

RISK AND CONTROL SELF-ASSESSMENTS (RCSA)

In order to pro-actively identify and actively mitigate risks, the operational risk framework utilises RCSAs. RCSA is used at a granular level to identify relevant material risks and key controls mitigating these risks. The risks and controls are assessed on a quarterly basis and relevant action plans are put in place to treat, tolerate, terminate or transfer the risks, taking into account the relevant business risk appetites. The RCSA programme is extensive and covers the entire Group. The Internal Audit further tests the effectiveness of the RCSAs within the normal course of auditing and relevant metrics are monitored and actioned where relevant.

KEY RISK INDICATORS (KRIs)

A comprehensive set of KRIs are in place across the Group, with relevant and agreed thresholds set by the business. KRIs are monitored on a Group as well as business unit level, based on significance. Threshold breaches are managed in accordance with an agreed process across the Group.

REPORTING

Business units are required to report on both regular and event-driven basis. The reports include a profile of the key risks to their business objectives, RCSA and KRI results, and operational risk events. Risk reports are presented to executive management and risk committees.

ALLOCATING CAPITAL TO BUSINESS UNITS

An allocation methodology is applied for allocating capital to business units. For each business unit, the allocation takes into consideration not only the size of the business unit, but also measures the business unit’s control environment, namely open audit findings, RCSA results, and loss experience. This translates to a risk-sensitive allocation with the opportunity afforded to business units to identify actions to positively impact on their respective allocated operational risk capital.

INSURANCE MITIGATION

Insurance policies are used as a way to mitigate operational risks. These policies are current and remain applicable in the Group operating environment. Insurance coverage is purchased at Group or cluster level to discharge statutory and regulatory duties, or to meet counterparty commitments and stakeholder expectations. The primary insurance policies managed by the Group are:
•      comprehensive crime and electronic crime;
•      directors’ and officers’ liability; and
•      professional indemnity.

In terms of the Advance Measurement Approach (AMA), the Group may adjust its operational risk exposure result by no more than 20% to reflect the impact of operational risk mitigants. Globally, the use of insurance and other risk transfer mechanisms for operational risk is in a state of rapid development and pioneering work is being done across the industry. While the Group has developed a methodology for the modelling of insurance, the Group will not apply risk mitigation in the calculation of its operational risk exposure until such time as insurance policies are compliant to regulatory minimum requirements.

INFORMATION SECURITY, DIGITAL BANKING AND CONTINUITY OF BUSINESS

In response to the increased cyber security threat to businesses globally, we have developed a Cyber Security Framework and adopted a defense in-depth approach to cover Cybersecurity practices, information security processes and infrastructure which includes: Cyber Security Governance, Operations and Infrastructure.

We have a holistic view of all the major risks facing the Bank and we remain vigilant with regard to both known and emerging global risks and ensure that we are strong enough to withstand any exogenous shocks by putting in place a 24/7 monitoring and analysis of security logs and external intelligence of the Bank’s information and technology assets.

The continuous advancement and innovations in technology and the endless need to improve services have made digital banking a direction that the Bank must tap into with adequate mitigating approach to handle the inherent risks involved in the business. In response to the digitization needs, we have developed a Digital Banking Framework that will enable the Bank to adopt an overall risk appetite of “moderate risk” while adopting digitization processes in meeting the needs of our customers.

The Bank’s Business Continuity Management (‘BCM’) practices are governed by a robust BCM framework, that clearly identifies critical assets and the vulnerabilities that those assets are subject to; It involves the analysis of the identified assets for business impact disruption; the develop-



Access Bank Plc, Annual Report & Accounts 2017, page 85