Along with the changing regulations, globalization, and technological developments affect the nature of the banking sector’s risks, as in the other sectors. Therefore, adapting to a risk environment that changes faster than ever figures a vital role in long-term sustainable growth. Accordingly, we consider risk management, one of the building blocks for the continuity of banking sector activities, as an important tool to adapt to constantly changing regulations and environments.

We focus on risk management, which is among our material topics, in accordance with legal regulations, international regulations, and standards. We manage risk management and internal control processes through the Audit Board, Internal Control, Risk Management, and Compliance and Regulation Departments, of which the duties and responsibilities are determined under the regulations of the Banking Regulation and Supervision Agency (BRSA) and which are working in harmony, under the supervision and control of the Audit Committee.

The primary responsibility in risk management lies with the Risk Management Department, and IT Compliance Department is assigned to the risks arising from Information Technologies (IT). We also have a Market Risk Management Committee, Credit Risk Management Committee, and Operational Risk Management Committee.

By improving the risk culture throughout the corporation in parallel with the changing operating environment and risk perception, we identified the risks as follows by weighing the materiality principle to contribute to the realization of the mission and vision of our Bank and to ensure its existence healthily, adopting the best risk management practices recognized nationally and internationally.

• Credit Risk
• Market Risk
• Liquidity Risk
• Operational Risk
• Counterparty Credit Risk
• Interest Rate Risk Arising From Banking Accounts
• Residual Risk, Concentration Risk, Sovereign Risk, Reputation Risk, Model Risk, Climate Risk

Policies define these risks, and we carry out monitoring, measuring, and reporting activities within this framework. We make risk calculations based on financial statement projections in accordance with the methods specified for risk types.

In addition, we carry out validation and monitoring activities of credit risk parameter models used in the process of internal rating and TFRS 9 provision calculations throughout the bank.

In line with these risks, we also conduct various sensitivity analyses, internal scenario analyses, stress tests, and related studies to understand the risks in more detail.

In our bank, we conduct stress tests on portfolios and activities, on a solo and consolidated basis, at particular and universal levels. We establish particular stress test applications with sensitivity and scenario analyses particular to a portfolio or activity and universal stress test applications in a way that enables the Bank’s risks to be seen from an integrated perspective. Relations between risks are taken into account by the correlation effect, and connections between portfolios are considered with the diversification effect. Depending on their characteristics, risks subject to stress testing are applied daily, weekly, monthly, or annually.

Sensitivity and scenario analyses are made by applying one or several of risk factor shocks that can be exemplified as changes in the general level of interest rates, shifts in the probability of default, decreases in the creditworthiness of counterparties with which our Bank operates, adverse changes in liquid asset values, legislative changes that may affect operations, significant volatility in financial markets, operational loss conditions, increase in activity concentrations, to specific portfolios and activities.

Moreover, we present our determinations and suggestions to the Senior Management by conducting studies on establishing the infrastructure for managing reputational risk, ensuring the strengthening of inadequate and incomplete controls through Impact Analysis studies in which business processes are analyzed. According to the Risk Rating Scale, we determine the risk level by weighing the effects of the risks that are likely to occur under the headings of financial loss, legal liability, customer satisfaction, and reputation. We monitor the implementation of the Audit Committee's and the Board of Directors' decisions regarding the said work results. Additionally, we consider the reputational risk in the “Support Service Risk Analysis Reports” prepared for the support services to be received and the evaluations of new products/services/projects to be implemented in our Bank.

We analyze the risks caused by climate change and continue our studies on this issue. In this context, as a result of our Bank’s lending activities, we carry out studies to determine and measure portfolio risks within the framework of both physical risks and transition risks related to climate risks and to measure the effects of physical risks such as excessive rainfall, floods, and droughts related to the places where operational activities are performed.

Technology-related risks are managed from two fronts, the Risk Management Department and Information Security Department. The Information Security Department conducts annual work on IT Risk assessment for the Bank's IT assets, and preparation of IT Risk Asset Inventory, and presents it to the Board of Directors. Annual Emergency Tests are carried out by using the results of service criticality levels obtained from the results of IT risk assessments and Business Impact analyses. With Emergency Tests, risks that may occur in the event of an emergency in Very Critical and Critical services are simulated and tests are carried out.

In addition to these, we have established the Corporate Risk Management Procedure to coordinate and ensure the effectiveness of the procedures and activities set within the framework of the Quality and Environmental Management System to evaluate the internal and external risks that our Bank may encounter and to take necessary measures, as well as to identify the opportunities that may occur due to the conjuncture and to create the awareness required within the entire organization.

Risk Management Policies Applied by Risk Type

Risk management activities continued in 2022 in line with the Bank’s risk management policies that were prepared as per national legislation and international practices and approved by the Board of Directors of the Bank.

Risk management practices are implemented through policies, action plans, implementation procedures, and limits determined for the quality and level of the Bank’s activities depending on the Bank’s risk-return structure. They include identifying, measuring, and reporting incurred risks on an unconsolidated and consolidated basis and monitoring the total capital requirement and liquidity adequacy regarding risk profiles.

Policies and other documents are prepared as per the Banking Regulation and Supervision Agency (BRSA)’s “Regulation on Bank’s Internal Systems and Internal Capital Adequacy Assessment Process” and “Good Practice Manuals.” They are periodically reviewed and updated if necessary.

In 2022, efforts continued to follow up and monitor national and international regulations regarding risk management & capital adequacy, and relevant developments. In line with economic developments and expectations, daily scenario analyses on the capital adequacy ratio and monitoring and analysis activities for the standard ratio of interest rate risks arising from banking accounts and the liquidity coverage ratio were also carried out in 2022. The stress test reports issued at the end of each month covering all risk factors were regularly reported to the Bank’s senior management.

An “Internal Capital Adequacy Assessment Process (ICAAP) Report” was issued and submitted to the Banking Regulation and Supervision Agency in 2022, pursuant to the Regulation on Bank’s Internal Systems and Internal Capital Adequacy Assessment Process and “Good Practice Manuals.”

In line with the Regulation on Prevention Plans to be Prepared by Systemically Important Banks' issued by BRSA, a 'Prevention Plan Report' was drawn up with the coordination of the Risk Management and Strategy & Planning Departments and with the participation of relevant units and submitted to BRSA.

The “Risk Appetite Statement” was updated in 2022, which determines the level of risk that the Bank is ready to take based on the risk capacity the Bank is anticipated to bear at a safe level to realize the Bank’s objectives and strategies. The Bank, in addition to the capital adequacy ratios, has determined Risk Appetite Levels for the first structural block risks (Credit Risk, Market Risk, Operational Risk, Counterparty Credit Risk) and second structural block risks (Interest Rate Risk in the Banking Book, Liquidity Risk, Concentration Risk and Other Risks) as determined by BRSA in line with Basel regulations. The capital-based in the Risk Appetite Statement, liquidity and risk concentrations established in the statement and risk-based limits are regularly monitored.

Studies to calculate the market risk through the “Value at Risk (VaR)” model and to improve this model continued.

Within the scope of operational risk management, data on operational losses are collected, including subsidiaries and affiliates, to make a consolidated analysis. Operational Risk Analysis reports, which include breakdown and evolution of data regarding losses, continued to be prepared and shared with the Senior Management. Furthermore, impact analysis activities for banking business processes were completed in 2022.

Market Risk

The market risk from trading transactions is measured and monitored using standard methods and internal models in conformity with national and international practices. Market risk is managed in accordance with the “Market Risk Management Policy Document.”

Market risk measurement results are calculated monthly on an unconsolidated and consolidated basis by using the standard method under the provisions of the “Regulation on Measuring and Assessing the Capital Adequacy of Banks” and reported to the Bank’s senior management and the Banking Regulation and Supervision Agency. The portfolio, which is used in the calculation, is determined under the Bank’s Trading Strategy, Policy and Implementation Procedures Document.

Moreover, VaR (Value at Risk) calculations are made on a daily basis and reported accordingly. “Value at Risk” is calculated daily through a unilateral 99% confidence interval by using historical simulation and Monte Carlo simulation. Daily tests are made retrospectively (backtesting) to test the reliability and performance of the model results. Furthermore, scenario analysis and stress tests supportive of the standard method and internal models are performed.

Followed in line with the general limits of the Bank and the early warning signal limit, VaR-based limit implementation is monitored daily to limit the market risk.

Interest Rate Risk

Interest rate risk, which the Bank may be exposed to due to maturity mismatch on its balance sheet, is managed in accordance with the “Interest Rate Risk Management Policy Document.”

The standard ratio of interest rate risk from banking accounts is calculated monthly and reported to the Banking Regulation and Supervision Agency. Besides, calculations are also made weekly to track the ratio and take prompt actions. Gap analysis is carried out based on the time left for repricing, and reports are issued on the interest rate risk while duration measurements and sensitivity analyses are periodically performed.

The Bank established and put into practice procedures for interest rate risk appetite. Interest rate risk limits were determined in line with the interest rate risk appetite. Relevant limits are periodically reported to Bank’s Senior Management.

Liquidity Risk

The Bank’s liquidity risk is managed in accordance with the “Liquidity Risk Management Policy Document.” The Bank’s liquidity risk management approach is to monitor liquidity risk throughout the day continuously. Accordingly, work is performed to keep cash inflows and outflows in both Turkish Lira and foreign currency always under control, long-term cash flow tables are prepared, and scenario analyses and stress tests based on previous experiences and expectations are performed to determine the Bank’s resilience against unexpected crises.

The Bank’s liquidity risk appetite was determined, and liquidity risk limits were established accordingly. Relevant limits are periodically reported to Bank’s Senior Management.

The Bank manages its liquidity risk as per the Liquidity Contingency Plan, which the Board of Directors approves. The Bank monitors and addresses possible liquidity requirements within the specified action plans framework and analyses existing and potential liquidity gaps.

Operational Risk

Operational risk refers to the prospect of loss resulting from inadequate or failed processes or systems, employee errors, or external events that also cover Legal Risk. The management of operational risks is performed in accordance with the “Operational Risk Framework,” established for comprehensive determination and definition of all the significant risks faced by the Bank by categories to serve as a shared terminology containing examples of these risks, and the Bank’s “Operational Risk Management Policy Document”. The Inspection Board and the Internal Audit function audit operational risks. In managing operational risks, the Bank collects operational risk actual and potential loss data, enabling the standardized approach’s implementation. The operational loss data is analyzed to identify the risk factors. The findings are presented to the Bank’s internal systems functions and Bank’s senior management.

Operational risk data is examined on a consolidated basis. Within this scope, loss data is regularly collected from the Bank’s affiliates and saved in the database.

Conducted to analyze business processes, identify ineffective and insufficient controls, and take necessary measures, "impact analysis" efforts for 2022, which applies to all Head Office Units, were finalized.

Risk assessments on new products are carried out within the scope of the “New Product Development Regulation.” Moreover, risk assessments regarding the procurement of support services are performed following the “Support Services Procurement Procedures and the Risk Management Program.”

"Operational value at risk" figures calculated annually on an unconsolidated and consolidated basis using the key indicator approach are reported to the Bank’s top management and BRSA, pursuant to the “Regulation on Measuring and Assessing the Capital Adequacy of Banks”.

Credit Risk

Credit risk arises from the partial or complete failure of a counterparty to fulfill its obligations provided for in contractual requirements and is managed within the scope of the “Credit Risk Management Policy Document.” The Bank’s definition of credit risk covers credit risk in all products and activities, based on the definition of credit in the Banking Law.

The findings obtained from analyses on the composition and concentration of the Bank’s loan portfolio (type of loan, currency, sector, borrower, holding, group, subsidiaries), on the portfolio quality (standard loans, non-performing loans, deferred loans, loans under scrutiny, rating distribution of the portfolio) and sovereign risks, as well as data derived from scenario analyses and studies on NPL ratios, are reported to the Bank’s senior management in the form of individual and monthly reports.

Credit value at risk, calculated as per the provisions of the “Regulation on Measuring and Assessing the Capital Adequacy of Banks,” is monthly reported to the Bank’s senior management and BRSA on an unconsolidated and consolidated basis. The Capital Adequacy Standard Ratio is closely monitored within the Bank, calculated daily, and reported to the senior management after the scenario analysis and stress testing.

The ultimate aim of the Bank is to use credit risk internal methods in line with Basel III regulations and international best practices. Within this scope, “Internal Rating Based Approach” (IRB) activities are carried out within the Bank. As part of IRB activities, the Credit Risk Control Department and the Assessment and Rating Directorate work to update the existing credit rating models and develop new models. Policies and procedures are updated by following a risk-based approach during IRB efforts. Furthermore, as it is crucial to use consistent credit rating models with a high-reliability level both within the scope of IDD for internal rating and TFRS 9 for expected credit loss calculations, the Credit Risk Control Department periodically analyses the models’ outputs and prepared monitoring reports are submitted to the Bank’s senior management.

The Validation Department carries out to determine, by using accuracy, correctness, and consistency measurements, the extent to which the models used within the Bank represent the realizations; to measure how sound the models and other components are and; to make qualitative and quantitative validation on the internal credit rating systems used by the Bank. Validation reports regarding the models are presented to the Bank’s Senior Management.

Sovereign Risk

Sovereign risk is described as the probability of loss exposed by the Bank, which bears the direct and/or indirect risk of the borrowers in the said country in its portfolio, as a result of the failure of borrowers (central government, corporate or other) in a foreign country to fulfill their obligations or avoid from fulfilling the same due to events or uncertainties affecting the economic, social and political conditions.

The Bank manages sovereign risk within the scope of the “Country Risk Management Policy Document” and has defined indirect sovereign risk, central government risk, contagion risk, macroeconomic risk, indirect foreign exchange risk, and transfer risk as the main components of the sovereign risk.

Within the framework of the risk appetite, sovereign risk concentration limits have been established. Reports showing the limit compliance level and measurement results are shared with the Senior Management via monthly reports. Within the framework of the Sovereign Risk Management Policy Document, Country Analysis Reports are issued for the countries where our Bank has taken or plans to take a risk, and shared with relevant units by using domestic and international sources. Besides, within the scope of monthly stress tests, sensitivity analyses are carried out regarding the country’s risk. The results are shared with the senior management.

Counterparty Credit Risk

Counterparty credit risk is the risk arising from the possibility that the counterparty may default on amounts owed before the last payment for a transaction that obligates both parties. It is managed pursuant to the “Counterparty Credit Risk Management Policy Document.”

In accordance with the provisions of the “Regulation on Measuring and Assessing the Capital Adequacy of Banks,” counterparty credit risk amounts calculated using the fair value are calculated based on the portfolios in the trading and banking accounts. These amounts are monthly reported on an unconsolidated and consolidated basis within the scope of capital adequacy calculations to the Bank’s senior management and BRSA.

Concentration Risk

Concentration risk arises due to a specific concentration of the Bank’s assets, liabilities, and business lines; this risk type is managed pursuant to the “Concentration Risk Management Policy Document.”

Concentration risk limits were determined in a manner that will enable the Bank to avoid large risk concentrations, monitor its risks within the scope of its risk appetite, and carry out its activities even under stress conditions.

The Bank establishes limits in managing concentration risks which are monitored and reported to senior management. Limits are controlled regularly and revised as necessary, parallel with economic developments, expectations, and the Bank’s objectives and strategies.

Reputation Risk

The Bank manages reputation risk, which is defined as the possibility of loss-making of the Bank due to the negative trust of the Bank, or falling into disrepute as a result of the negative opinions of the parties such as existing or potential customers, partners, competitors and supervisors about the Bank or failure to comply with the current legal regulations, within the scope of “Reputation Risk Management Policy Document”.

The “Reputation Risk Management Policy Document” provides guidance in determining policies regarding the identification, evaluation, control, monitoring, reporting, and management of the reputation risk that may arise from the Bank’s operations, practices, partners, and employees.

For the measurement and management of reputation risk, which is an abstract concept, the Bank has determined the reputation risk sources and manages the reputation risk through qualitative evaluations conducted within these criteria’ framework.

Climate Risk

Climate risk is defined as the potential of negative effects of adverse weather conditions on people, natural systems, and economic sectors.

"Climate Risk Management Policy" guides efforts to establish policies for the definition, assessment, control, monitoring, reporting, and management of climate risk. In 2022, a Climate Risk Policy Document was issued and communicated to all of the staff members.

Climate-related financial risks refer to a group of potential risks that, as a result of climate change, could potentially affect the security and soundness of financial institutions and have broad implications for the banking system in the context of financial stability.

The Bank defines climate risk in terms of physical risks and transition risks. This understanding is adopted while portfolio risks are being identified and measured from the perspective of physical and transition risks related to climate risks as a result of the Bank's lending activities.

The Bank has defined its "Green Asset Ratio", which demonstrates the concentration of green assets in its portfolio, as a key risk parameter for the qualitative assessment of transition risk. Efforts are now being undertaken to issue a guidebook for the preparation of Heat Map Methodologies and the generation of further Green Assets. The Bank is an active participant in the Sustainability Sub-Working Group which operates under the roof of the Banks Association of Türkiye.

Physical damage risk, as well as various scenarios involving rising temperatures and rainfall, are assessed within the scope of climate risk.

Other Risks

The Bank has defined Model Risk, Earthquake Risk, and Residual Risk as other essential risk factors depending on the current risk profile, operating environment, and regulatory or economic environment.

Model Risk is the probability of loss for the Bank caused by the fact that the models used by the Bank in the measurement of risk or the valuation of financial products cannot adequately and accurately reflect the risks to which the Bank is exposed. “Model Risk Management Policy Document” was created by the Bank to reveal the principles and approaches that will form the basis for the model risk management process and to contribute to the sustainability of the risk management activities in the Bank.

Model risk management is a process that starts with the development, implementation, and usage of a sound model and continues with the validation of the model through which a clear framework regarding the boundaries, constraints, and assumptions of the model is determined.

Bank’s Residual Risk is determined as “The remaining level of risk after risk management actions and control practices carried out for risk reduction” in the “Operational Risk Management Policy Document” and as “Risks arising from the fact that the credit risk reduction techniques used are not as effective as expected” in the “Credit Risk Management Policy Document”.

Residual Risks are considered within the scope of “Impact Analysis” studies to ensure operational risks are taken under control by analyzing business processes at the Bank, determining ineffective, and inadequate controls, and taking necessary measures.

Earthquake Risk is defined as the probability of damage caused by the damage to physical assets and human resources of the Bank due to a potential earthquake and the loss of income due to possible service interruptions after the earthquake.

The intensity and time of earthquakes cannot be determined precisely in advance since they are natural events requiring advanced scientific measurements or are based on a mechanism that is not yet determined by existing scientific possibilities. Thus, the Bank has identified the risk sources in analyzing and managing earthquake risk and manages the earthquake risk through qualitative evaluations performed within these criteria’ framework.