Along with the changing regulations, globalization and technological developments affect the nature of the banking sector’s risks, as in the other sectors. Therefore, adapting to the risk environment that changes faster than ever figures a vital role in long-term sustainable growth. Accordingly, we see risk management, one of the building blocks for the follow-up of banking sector activities, as an important tool to adapt to constantly changing environments.

We handle risk management, which is among our material topics, under legal regulations, international regulations, and standards. We manage risk management and internal control processes through the Board of Auditors, Internal Control, Risk Management, and Compliance and Regulation Departments, which the duties and responsibilities are determined under the regulations of the Banking Regulation and Supervision Agency (BRSA) and working in harmony, under the supervision and control of the Audit Committee.

The primary responsibility in the risk management is under the Risk Management Department, and IT Compliance Department is assigned to the field of risks from Information Technologies (IT). We also have Market Risk Management Committee, Credit Risk Management Committee, and Operational Risk Management Committee.

By improving the risk culture throughout the corporation in parallel with the changing operating environment and risk perception, we identified the risks as follows by weighing the materiality principle to contribute to the realization of the mission and vision of our Bank and to ensure its existence healthily, practicing the best risk management practices accepted nationally and internationally.

• Credit Risk
• Market Risk
• Liquidity Risk
• Operational Risk
• Counterparty Credit Risk
• Interest Rate Risk Arising From Banking Accounts
• Residual Risk, Concentration Risk, Sovereign Risk, Reputation Risk, Earthquake Risk, Climate Risk

Policies define these risks, and we carry out monitoring, measuring, and reporting activities within this framework. We make risk calculations based on financial statement projections in accordance with the methods specified for risk types.

In addition, we carry out validation and monitoring activities of credit risk parameter models used in the process of internal rating and TFRS 9 provision calculations throughout the bank.

In line with these risks, we also conduct various sensitivity analyzes, internal scenario analyzes, stress tests, and related studies to recognize the risks in more detail.

In our bank, we conduct stress tests on portfolios and activities, on a solo and consolidated basis, at the particular and universal levels. We establish specific stress test applications with sensitivity and scenario analyzes particular to a portfolio of activity and universal stress test applications in a way that enables the Bank’s risks to be seen in an integrated perspective. Relations between risks are taken into account by the correlation effect, and connections between portfolios are considered with the diversification effect. Depending on their characteristics, risks subject to stress testing are applied daily, weekly, monthly, or annually.

Risk factor shocks that can be exemplified as changes in the general level of interest rates, shifts in the probability of default, decrease in the creditworthiness of counterparties with which our Bank operates, adverse changes in liquid asset values, legislative changes that may affect operations, significant volatility in financial markets, operational loss conditions, increase in activity concentrations are applied to specific portfolios and activities by one or more of them.

Moreover, we present our determinations and suggestions to the Senior Management by conducting studies on establishing the infrastructure for managing reputational risk, ensuring the strengthening of inadequate and incomplete controls through Impact Analysis studies in which business processes are analyzed. According to the Risk Rating Scale, we determine the risk level by weighing the effects of the risks that are likely to occur under the headings of financial loss, legal liability, customer satisfaction, and reputation. We monitor the implementation of the Audit Committee’s decisions and the Board of Directors regarding the previous work results. Additionally, we consider the reputational risk in the “Support Service Risk Analysis Reports” prepared for the support services to be received and the evaluations of new products/services/projects to be implemented in our Bank.

We analyze the risks caused by climate change and continue our studies on this issue. In this context, as a result of our Bank’s lending activities, we carry out studies to determine and measure portfolio risks within the framework of both physical risks and transition risks related to climate risks and to measure the effects of physical risks such as excessive rainfall, floods, and droughts related to the places where operational activities are performed.

For the management of technology-related risks, an assessment of IT Risks for IT assets and the preparation of an IT Risk Asset Inventory are conducted and submitted to the Board of Directors every year in our Bank. Annual Emergency Tests are carried out by using the results of service criticality levels obtained in the results of IT risk assessments and Business Impact analyses. With the Emergency Tests operations, the risks that may occur in the event of an emergency situation in Very Critical and Critical services are simulated and tests are carried out.

In addition to these, we have established the Corporate Risk Management Procedure to coordinate and ensure the effectiveness of the procedures and activities set within the framework of the Quality and Environmental Management System to evaluate the internal and external risks that our Bank may encounter and to take necessary measures, as well as to identify the opportunities that may occur with the conjuncture and to provide the awareness required in the whole organization.

During this period, our Risk Management Department continued to prepare the Covid-19 Risk Bulletin and share it with senior management. The Covid-19 pandemic is expected to affect which risk categories and how it is anticipated through the relevant bulletin. Recommendations were made regarding the measures that can be implemented. Further, the scenario weights used in TFRS 9 provision calculations were revised, increasing the pessimistic scenario’s effectiveness.

Risk Management Policies Applied by Risk Type

Risk management activities continued in 2021 in line with the Bank’s risk management policies prepared as per national legislation and international practices and approved by the Board of Directors of the Bank.

Risk management practices are implemented through policies, action plans, implementation procedures, and limits determined for the quality and level of the Bank’s activities depending on the Bank’s risk-return structure. They include identifying, measuring, and reporting incurred risks on unconsolidated and consolidated bases and monitoring the total required capital and liquidity adequacy regarding risk profiles.

Policies and other documents are prepared as per the Banking Regulation and Supervision Agency (BRSA)’s “Regulation on Bank’s Internal Systems and Internal Capital Adequacy Assessment Process” and “Good Practice Manuals.” They are periodically reviewed and updated if necessary.

In 2021, efforts continued to follow up and monitor national and international regulations regarding risk management & capital adequacy, and relevant developments. In line with economic developments and expectations, daily scenario analyses on the capital adequacy ratio and monitoring and analysis activities for the standard ratio of interest rate risks arising from banking accounts and the liquidity coverage ratio were also carried out in 2021. The stress test reports issued at the end of each month covering all risk factors were regularly reported to the Bank’s top management.

An “Internal Capital Adequacy Assessment Process (ICAAP) Report” was issued and submitted to the Banking Regulation and Supervision Agency in 2021, pursuant to the Regulation on Bank’s Internal Systems and Internal Capital Adequacy Assessment Process and “Good Practice Manuals.”

In accordance with Article 66/A of the Banking Law No. 5411 and the “Regulation on Preventive Plans to be Prepared by Systemically Important Banks” published on March 16, 2021, by the BRSA, a “Preventive Plan Report” was prepared with the participation of the relevant departments in coordination with the Risk Management Department and the Strategy and Planning Department and submitted to the BRSA.

The “Risk Appetite Statement” was updated in 2021, which determines the level of risk that the Bank is ready to take based on the risk capacity the Bank is anticipated to bear at a safe level to realize the Bank’s objectives and strategies. The Bank, in addition to the capital adequacy ratios, has determined Risk Appetite Levels for the first structural block risks (Credit Risk, Market Risk, Operational Risk, Counterparty Credit Risk) and second structural block risks (Interest Rate Risk in the Banking Book, Liquidity Risk, Concentration Risk, and Other Risks) as determined by the BRSA in line with Basel regulations. The capital-based in the Risk Appetite Statement, liquidity and risk concentrations established in the statement and risk-based limits are regularly monitored.

Studies to calculate the market risk through the “Value at Risk (VaR)” model and to improve this model continued.

Within the scope of operational risk management, data on operational losses are collected, including subsidiaries and affiliates, to make a consolidated analysis. Operational Risk Analysis reports, which include breakdown and evolution of data regarding losses, continued to be prepared and shared with the Senior Management. Furthermore, impact analysis activities for banking business processes were completed in 2021.

Market Risk

The market risk from trading transactions is measured and monitored using standard methods and internal models in conformity with national and international practices. Market risk is managed in accordance with the “Market Risk Management Policy Document.”

Market risk measurement results are calculated monthly on unconsolidated and consolidated bases by using the standard method under the provisions of the “Regulation on Measurement and Assessment of Capital Adequacy of Banks” and reported to the Bank’s senior management and the Banking Regulation and Supervision Agency. The portfolio, which is used in the calculation, is determined under the Bank’s Trading Strategy, Policy and Implementation Procedures Document.

Moreover, VaR (Value at Risk) calculations are made on a daily basis and reported accordingly. “Value at Risk” is calculated through a unilateral 99% confidence interval daily using historical simulation and Monte Carlo simulation. Daily tests are made retrospectively (backtesting) to test the reliability and performance of the model results. Furthermore, scenario analysis and stress tests supportive of the standard method and internal models are performed.

Followed in line with the general limits of the Bank and the early warning signal limit, VaR-based limit implementation is monitored daily to limit the market risk.

Interest Rate Risk

Interest rate risk, which the Bank may be exposed to due to maturity mismatch on its balance sheet, is managed in accordance with the “Interest Rate Risk Management Policy Document.”

The standard ratio of interest rate risk from banking accounts is calculated monthly and reported to the Banking Regulation and Supervision Agency. Besides, calculations are also made weekly to track the ratio and take prompt actions. Gap analysis is carried out based on the time left for repricing, and reports are issued on the interest rate risk while duration measurements and sensitivity analyses are periodically performed.

The Bank established and put in practice procedures for interest rate risk appetite. Interest rate risk limits were determined in line with the interest rate risk appetite. Relevant limits are periodically reported to Bank’s Senior Management.

Liquidity Risk

The Bank’s liquidity risk is managed in accordance with the “Liquidity Risk Management Policy Document.” The Bank’s liquidity risk management approach is to monitor liquidity risk throughout the day continuously. Accordingly, work is performed to keep cash inflows and outflows in both Turkish Lira and foreign currency are always tried to keep under control, long-term cash flow tables are prepared, and scenario analysis and stress tests based on previous experiences and expectations performed to determine the Bank’s resilience against unexpected crises.

The Bank’s liquidity risk appetite was determined, and liquidity risk limits were established accordingly. Relevant limits are periodically reported to Bank’s Senior Management.

The Bank manages its liquidity risk as per the Liquidity Contingency Plan, which the Board approves of Directors. The Bank monitors and addresses liquidity requirements within the specified action plans framework and analyses existing and potential liquidity gaps.

Operational Risk

Operational risk refers to the prospect of loss resulting from inadequate or failed procedures or systems, employee errors, or external events that also cover Legal Risk. The management of operational risks is performed in accordance with the “Operational Risk Framework,” established for comprehensive determination and definition of all the significant risks faced by the Bank by categories to serve as a shared terminology containing examples of these risks, and the “Bank’s Operational Risk Management Policy Document.” The Audit Board and the Internal Audit function audit operational risks. In managing operational risks, the Bank collects operational risk loss and potential risk data, enabling the standardized approach’s implementation. The operational loss data is analyzed to identify the risk factors. The findings are presented to the Bank’s internal systems functions and Bank’s executive management.

Operational risk data is examined on a consolidated basis. Within this scope, loss data is regularly collected from the Bank’s affiliates and saved in the database.

The 2021 “Impact Analysis” performed to analyze business processes, identify inadequate controls, and take necessary measures, covering the Head Office’s business departments was completed. Symptom monitoring efforts and assessment of updated and newly established processes as part of the “Impact Analysis” are ongoing.

Risk assessments on new products are carried out within the scope of the “New Product Development Regulation.” Moreover, risk assessments regarding the procurement of support services are performed following the “Support Services Procurement Procedures and the Risk Management Program.”

Operational risk measurement results calculated annually on unconsolidated and consolidated bases using the key indicator approach are reported to the Bank’s top management and the BRSA, pursuant to the “Regulation on Measurement and Assessment of Capital Adequacy of Banks.”

Credit Risk

Credit risk arises from the partial or complete failure of a counterparty to fulfill its obligations provided for in contractual requirements and is managed within the scope of the “Credit Risk Management Policy Document.” The Bank’s definition of credit risk covers credit risk in all products and activities, based on the definition of credit in the Banking Law.

The findings obtained from analyses on the distribution and concentration of the Bank’s loan portfolio (type of credit, currency, maturity, sector, geographical region, segment, borrower, holding, group, subsidiaries), the portfolio quality (standard loans, non-performing loans, deferred loans, loans under close scrutiny, rating distribution of the portfolio), and sovereign risks, as well as data derived from scenario analyses and studies on NPL ratios, are reported to the Bank’s senior management in the form of individual and monthly reports. In 2021, to reduce the possible damages of Covid-19 pandemic cases on the national economy, the regulations made by the BRSA regarding the classification criteria of loans tables on the results of the studies concerning the Bank’s effects on Basket-2 and Basket-3 portfolios, provision figures, and NPL ratios and the distribution of commercial cash risks in close monitoring by sectors were included in the monthly Credit Risk Reports submitted to the Bank’s Top Management.

Credit risk in fair value, measured as per the provisions of the “Regulation on Measurement and Assessment of Capital Adequacy of Banks,” is reported to the Bank’s senior management and the BRSA on unconsolidated and consolidated bases monthly. The Capital Adequacy Standard Ratio is closely monitored within the Bank, calculated daily, and reported to the senior management after the scenario analysis and stress testing.

The ultimate aim of the Bank is to use credit risk internal methods in line with Basel III regulations and international best practices. Within this scope, “Internal Rating Based Approach” (IRB) activities are carried out within the Bank. As part of IRB activities, the Credit Risk Control Department and the Head Office for Assessment and Rating work to update the existing credit rating models and develop new models. Policies and procedures are updated by following a risk-based approach during IRB efforts. Furthermore, as it is crucial to use consistent credit rating models with a high-reliability level both within the scope of IDD for purpose of internal rating and TFRS 9 for purpose of expected credit losses, the Credit Risk Control Department periodically analyzes the models’ outcomes and prepared monitoring reports are submitted to the Bank’s senior management.

The Validation Department carries out to determine, by using accuracy, correctness, and consistency measurements, the extent to which the models used within the Bank represent the outcomes; to measure how sound the models and other components are and; to make qualitative and quantitative validation on the internal credit rating systems used by the Bank. Validation reports regarding the models are presented to the Bank’s Senior Management.

Sovereign Risk

Sovereign risk is described as the probability of loss that the Bank, which held the direct and/or indirect, risk of the borrowers in the said country in its portfolio, as a result of the failure of borrowers (central government, corporate or other) in a foreign country due to events or uncertainties affecting the economic, social and political conditions.

The Bank manages sovereign risk within the scope of the “Country Risk Management Policy Document” and has defined indirect sovereign risk, central management risk, contagion risk, macroeconomic risk, indirect foreign exchange risk, and transfer risk as to the main components of the sovereign risk.

Within the framework of the risk appetite, sovereign risk concentration limits have been established. The reports showing the limit compliance level and the measurement results are shared with the senior management with monthly reports and the Credit Risk Swap (CDS) premium analysis of the countries. Besides, within the scope of monthly stress tests, sensitivity analyses are carried out regarding the country’s risk. The results are shared with the senior management.

Counterparty Credit Risk

Counterparty credit risk is the risk arising from the possibility that the counterparty may default on amounts owed before the last payment for a transaction that obligates both parties. It is managed pursuant to the “Counterparty Credit Risk Management Policy Document.”

In accordance with the provisions of the “Regulation on Measurement and Assessment of Capital Adequacy of Banks,” counterparty credit risk amounts calculated using the fair value are calculated based on the portfolios in the trading and banking accounts. These amounts are monthly reported on unconsolidated and consolidated bases within the scope of capital adequacy calculations to the Bank’s senior management and the BRSA.

Concentration Risk

Concentration risk arises due to a specific concentration of the Bank’s assets, liabilities, and business lines; this risk type is managed pursuant to the “Concentration Risk Management Policy Document.”

Concentration risk limits were determined in a manner that will enable the Bank to avoid large risk concentrations, monitor its risks within the scope of its risk appetite, and carry out its activities even under stress conditions.

The Bank establishes limits in managing concentration risks which are monitored and reported to the senior management. Limits are controlled regularly and revised as necessary, parallel with economic developments, expectations, and the Bank’s objectives and strategies.

Reputation Risk

The Bank manages reputation risk, which is defined as the possibility of loss-making of the Bank due to the negative trust of the Bank, or fall into disrepute as a result of the negative opinions of the parties such as existing or potential customers, partners, competitors and supervisors about the Bank or failure to comply with the current legal regulations, in the scope of “Reputation Risk Management Policy Document.”

The “Reputation Risk Policy Document” provides guidance in determining policies regarding the identification, evaluation, control, monitoring, reporting, and management of the reputation risk that may arise from the Bank’s operations, practices, partners, and employees.

For the measurement and management of reputation risk, which is an abstract concept, the Bank has determined the reputation risk sources and manages the reputation risk through qualitative evaluations conducted within these criteria’ framework.

Climate Risk

Climate risk is defined as the potential of negative effects of adverse weather conditions on people, natural systems, and economic sectors.

Climate-related financial risks refer to a group of potential risks that, as a result of climate change, could potentially affect the security and soundness of financial institutions and have broad implications for the banking system in the context of financial stability.

The Bank defines climate risk in terms of physical risks and transition risks. From this perspective, as a result of our Bank’s lending activities, the studies to determine and measure portfolio risks within the framework of both physical risks and transition risks related to climate risks and to measure the effects of physical risks such as excessive rainfall, floods, and droughts related to the locations where activities are being carried out.

Earthquake Risk

Earthquake Risk is defined as the probability of damage caused by the damage to physical assets and human resources of the Bank due to a potential earthquake and the loss of income due to possible service interruptions after the earthquake.

The intensity and time of earthquakes cannot be determined precisely in advance since they are natural events requiring advanced scientific measurements or are based on a mechanism that is not yet determined by existing scientific possibilities. Thus, the Bank has identified the risk sources in analyzing and managing earthquake risk and manages the earthquake risk through qualitative evaluations performed within these criteria’ framework.

Other Risks

The Bank has defined Model Risk and Residual Risk as other essential risk factors depending on the current risk profile, operating environment, regulatory or economic environment.

Model Risk is the probability of losses of the Bank caused by the fact that the models used by the Bank in the measurement of risk or in the valuation of financial products cannot adequately and accurately reflect the risks to which the Bank is exposed. “Model Risk Management Policy Document” was created by the Bank to reveal the principles and approaches that will form the basis for the model risk management process and to contribute to the sustainability of the risk management activities in the Bank.

Model risk management is a process that starts with the development, implementation, and usage of a secure model and continues with the validation of the model through determined a clear framework regarding the boundaries, constraints, and assumptions of the model.

Bank’s Residual Risk is determined as “The remaining level of risk after risk management actions and control practices carried out for risk reduction.” in “Operational Risk Management Policy Document” and as “Risks arising from the fact that the credit risk reduction techniques used are not as effective as expected” in “Credit Risk Management Policy Document.”

Residual Risks are considered within the scope of “Impact Analysis” studies to ensure operational risks are taken under control by analyzing business processes at the Bank, determining ineffective, inadequate management, and taking necessary measures.