Risk Management Philosophy
The key elements of the Bank's risk management philosophy are the following:
- The Bank considers sound risk management to be the foundation of a long-lasting financial institution;
- The Bank continues to adopt a holistic and integrated approach to risk management and, therefore, brings all risks together under one or a limited number of oversight functions;
- Risk officers are empowered to perform their duties professionally and independently without undue interference;
- Risk management is governed by well-defined policies which are clearly communicated across the Bank;
- Risk management is a shared responsibility. Therefore, the Bank aims to build a shared perspective on risks that is grounded in consensus;
- The Bank's risk management governance structure is clearly defined;
- There is clear segregation of duties between market-facing business units and risk management functions;
- Risk-related issues are taken into consideration in all business decisions. The Bank shall continue to strive to maintain a conservative balance between risk and revenue considerations;
- Risks are reported openly and fully to the appropriate levels once they are identified;
- Risk officers work as allies and thought partners to other stakeholders within and outside the Bank and are guided in the exercise of their powers by a deep sense of responsibility, professionalism and respect for other parties;
- All subsidiaries are guided by the principles enshrined in the risk management policies of the Bank.
Risk Culture
- The Board and Management consciously promote a responsible approach to risk and ensure that the long-term survival and reputation of the Bank are not jeopardised while expanding the Bank's market share;
- The responsibility for risk management in the Bank is fully vested in the Board of Directors, which in turn delegates it to Senior Management;
- The Bank pays attention to both quantifiable and unquantifiable risks;
- The Bank's Management promotes awareness of risk and risk management across the Bank;
- The Bank avoids products, markets and businesses where it cannot objectively assess and manage the associated risks.
Risk Appetite
The Bank's risk appetite is set by the Board of Directors annually, at a level that minimises erosion of earnings or capital due to avoidable losses in the banking and trading books or from frauds and operational inefficiencies.
The Bank's appetite for risk is governed by the following:
- High quality risk assets measured by the following three key performance indicators:
  - (i) Ratio of non-performing loans to total loans;
  - (ii) Ratio of loan loss expenses to interest revenue; and
  - (iii) Ratio of loan loss provision to gross non-performing loans.

  The broad objective is to be among the top three banks with respect to (i) and (ii) above and maintain a ratio of not less than 100% on (iii).
- Diversification targets are set for the Credit Portfolio and limits are also set for aggregate large exposures.
- Losses due to frauds and operational lapses are pegged at a maximum of a specified percentage of gross earnings and in any case must be lower than the industry average.
- Financial and prudential ratio targets are pegged at a level more conservative than regulatory requirements and better than the average of benchmark banks. These include liquidity ratios, deposit concentration limits and open position limits.
- The Bank aims at minimising the following independent indicators of excessive appetite for risk:
  - Exception reporting by internal control officers, auditors, regulators and external rating agencies;
  - Adverse publicity in local and international press;
  - Frequent litigations;
  - Payment of fines and other regulatory penalties; and
  - Above average level of staff and customer attrition.
- The Bank will not compromise its reputation through unethical, illegal and unprofessional conduct. The Bank also maintains zero appetite for association with disreputable individuals and entities.
Risk Oversight
The Bank's Risk Management Directorate ("the Directorate") provides central oversight of risk management across the Bank and its subsidiaries to ensure that the full spectrum of risks facing the Bank and the Group are properly identified, measured, monitored and controlled to minimise adverse outcomes. The Directorate is, however, complemented by other departments in the management of certain important risks as illustrated below:
Risk Management Responsibilities and Functions
| Risk Management | Financial & Management Control | Strategy |
| --- | --- | --- |
| Credit Risk | Internal Control | Strategic Risk |
| Operational Risk | Financial Control | Reputational Risk |
| Information Security | Compliance | |
| Market and Liquidity Risk | | |
| Legal Risk | | |
[Figure: Risk Management Governance Framework]

The Risk Management Directorate coordinates the monitoring and reporting of all risks across the Bank. The Directorate is headed by the Chief Risk Officer, who is also an Executive Director.
The Internal Control Division performs first level and continuous independent verification/testing of control measures put in place to manage all risks across the Bank.
Without prejudice to the above, Internal Audit has the responsibility of auditing the risk management function to ensure that all units charged with risk management perform their roles effectively on a continuous basis. Internal Audit also tests the adequacy of internal controls and makes appropriate recommendations where weaknesses are identified.
Risk Management Governance Framework
FirstBank's Risk Management Governance Framework is outlined in the diagram above.
Role of the Board of Directors
General
- Approve and periodically review risk strategy and policies;
- Approve the Bank's risk appetite annually and monitor the Bank's risk profile against this appetite;
- Ensure senior management takes steps necessary to monitor and control risks;
- Ensure that management maintains an appropriate system of internal control and review its effectiveness;
- Ensure risk strategy reflects the Bank's tolerance for risk;
- Review and approve changes/amendments to the risk management framework;
- Review and approve risk management procedures and control for new products and activities; and
- Periodically receive risk reports from the Management highlighting key risk areas, control failures and remedial action steps taken by the Management. This is done at least once every quarter.
Credit Risk
- Approve the Bank's overall risk tolerance in relation to credit risk based on the recommendation of the Chief Risk Officer;
- Ensure that the Bank's overall credit risk exposure is maintained at prudent levels and consistent with the available capital through quarterly review of various types of credit exposure;
- Ensure that the Management as well as individuals responsible for credit risk management possess the requisite expertise and knowledge to accomplish the risk management function;
- Ensure that the Bank implements a sound methodology that facilitates the identification, measurement, monitoring and control of credit risk;
- Ensure that detailed policies and procedures for credit risk exposure creation, management and recovery are in place; and
- Appoint Credit Officers and delegate approval authorities to individuals and committees.
Board Committees
The above responsibilities of the Board of Directors are discharged primarily by two committees of the Board namely:
- Board Credit Committee
- Board Audit and Risk Assessment Committee
Without prejudice to the roles of these committees, the full Board retains ultimate responsibility for risk management.
Board Audit and Risk Assessment Committee
The primary role of the Committee is to report to the Board and provide appropriate recommendations on matters relevant to Risk Management and Internal Audit. The Committee is made up of two Executive and three Non-Executive Directors, with a Non-Executive Director as Chairman. The Chief Risk Officer reports to this committee and is a non-voting member.
[Figure: Risk Management Directorate Structure]
Board Credit Committee
The Board Credit Committee ensures effective management of credit risk by the Bank and its subsidiaries. It is also responsible for approving the following:
- Credit risk management strategy, policies and standards;
- Credit products, processes and approving authorities;
- Credit risk appetite and limits; and
- Credit requests above EXCO (Credit) level, including those going to the full Board as a recommendation.
This committee is made up of the Managing Director/Chief Executive, all the Executive Directors and five Non-Executive Directors. The Chairman is a Non-Executive Director.
Executive Committee (EXCO)
For all categories of risk, the Executive Committee is responsible for formulating policies, monitoring implementation and reviewing risk reports for presentation to the Board/Board committees as well as implementing Board decisions across the Bank.
The Risk Management Operating Model is depicted in the chart above.
To be more specific, the Management of the Bank is responsible for the following:
- Implementation of risk strategy approved by the Board of Directors;
- Developing policies and procedures for identifying, measuring and controlling risk;
- Providing appropriate resources to evaluate and control risk;
- Reviewing risk reports on a regular and timely basis; and
- Providing all reports required by the Board and its committees for the effective performance of risk management oversight functions.
Executive Management Committee for Credit Risk (EXCO Credit)
It is the responsibility of this Committee to:
- Establish and maintain an effective risk management environment in the Bank;
- Review proposals in respect of credit policies and standards and endorse them to the Board of Directors for approval;
- Define the Bank's risk and return preferences and target risk portfolio;
- Monitor on an ongoing basis the Bank's risk quality and performance, review periodic credit portfolio reports and assess portfolio performance;
- Define credit approval framework and assign credit approval limits in line with the Bank's policy;
- Review defined credit product programmes on recommendation of the Head, Credit Risk Management and endorse to the Board of Directors for approval;
- Review credit policy changes initiated by the Management of the Bank and endorse to the Board of Directors for approval;
- Ensure compliance with the Bank's credit policies and statutory requirements prescribed by the regulatory/supervisory authorities;
- Approve credit facility requests within limits defined by FirstBank's credit policy, and within the statutory requirements set by the regulatory/supervisory authorities;
- Review and recommend to the Board Credit Committee facilities beyond Management approval limits;
- Review monthly credit portfolio reports and assess portfolio performance;
- Request rapid portfolio reviews or sector/industry reviews from CRM where deemed appropriate; and
- Approve exceptions/write-offs, waivers and discounts on non-performing credit facilities within specified limits.
Risk Management Directorate (RMD) – Relationship with other Units
The relationships between the Risk Management Directorate and other sections of the Bank are highlighted below:
- RMD sets policies and defines limits for other units in the Bank;
- RMD performs bankwide risk monitoring and reporting;
- Other units provide relevant data to RMD for risk monitoring and reporting and identify potential risks in their line of business, while RMD provides a framework for managing such risks;
- RMD and market-facing units collaborate in designing new products;
- RMD and Internal Audit coordinate activities to provide a holistic view of risks across the Bank;
- RMD makes recommendations with respect to capital allocation, pricing and reward/sanctions based on risk reports; and
- The Information Technology support group provides relevant user support to the RMD function in respect of various risk management software, such as credit scoring, loss databases, loan origination and management systems, etc.

[Figure: Risk Management Directorate – Relationship with other Units]