
PT BANK MANDIRI (PERSERO) Tbk. AND SUBSIDIARIES
NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS
As of December 31, 2016 and for the year then ended
(Expressed in millions of Rupiah, unless otherwise stated)

61. RISK MANAGEMENT

Bank Mandiri segregates an independent risk management function in accordance with the requirements of Bank Indonesia's regulations and international best practices. Bank Mandiri adopts the Enterprise Risk Management (ERM) concept as a comprehensive and integrated risk management strategy that is in line with the Bank's business processes and operational needs. ERM implementation adds value for the Bank and its stakeholders. ERM is a risk management process embedded in the business strategies and operations and integrated into daily decision-making processes. With ERM, the Bank establishes a systematic and comprehensive risk management framework (credit risk, market risk and operational risk) by connecting capital management and business processes to risks.
In addition, ERM also applies consolidated risk management to the subsidiaries, which will be implemented gradually to maximise the effectiveness of the Bank's supervision and value creation for the Bank, based on Bank Indonesia Regulation No. 8/6/PBI/2006 dated January 30, 2006 and Financial Services Authority (FSA) Regulation No. 17/POJK.03/2014 regarding the implementation of integrated risk management for financial conglomerates, with coverage throughout the financial industry. The Bank's risk management framework is based on FSA Regulation No. 18/POJK.03/2016 regarding Risk Management Implementation for Commercial Banks. The framework is stated in the Bank Mandiri Risk Management Policy (BMRMP), which consists of several policies that serve as guidelines for business growth and as a business enabler, ensuring that the Bank applies the prudential principle by examining the performance of the risk management process (identification - measurement - monitoring - risk mitigation) at all organisation levels.
Active supervision of risk management activities by the Board of Directors and the Board of Commissioners, both direct and indirect, is implemented through the establishment of committees. At the level of the Board of Commissioners, these are the Risk Monitoring Committee, Integrated Governance Committee, Remuneration and Nomination Committee and Audit Committee. The Executive Committees under the supervision of the Board of Directors consist of the Asset Liability Committee (ALCO), Risk Management Committee (RMC), Integrated Risk Management Committee (IRC), Capital Subsidiaries Committee (CSC), Business Committee, Information Technology Committee (ITC), Human Capital Policy Committee (HCPC), Policy Procedure Committee (PPC) and Credit Committee.
Of the 9 Executive Committees, 4 are directly involved in risk management, i.e. RMC, IRC, ALCO and PPC. RMC is the committee that discusses and recommends policies and procedures, monitors the risk profile and manages all of the Bank's risks. IRC is the committee that provides recommendations on the integrated risk management policy, including the application of risk management in subsidiaries. IRC is based on the application of FSA Regulation No. 17/POJK.03/2014 regarding integrated risk management. IRC has members from the subsidiaries and discusses and recommends the policy and application of integrated risk management. ALCO is the committee that manages the Bank's asset and liability management, interest rate and liquidity, and other areas related to the asset and liability management of the Bank. PPC is the committee that discusses and recommends adjustments or improvements to the Bank's policies and procedures.
The committees under the Board of Commissioners, including the Risk Monitoring Committee, Integrated Governance Committee and Audit Committee, have the task and responsibility to review and evaluate the policy and execution of the Bank's risk management, as well as to provide input and recommendations to the Board of Commissioners in its monitoring tasks.
Operationally, the Directorates related to risk management are divided into two main parts: (1) credit approval as part of the four-eye principle, located in the Wholesale Risk Directorate and Retail Risk Directorate; and (2) Independent Risk Management, located in the Risk Management Directorate and Risk Management Compliance Directorate. Risk Management Compliance is headed by a Director who is responsible to the Board of Directors and is also a member of the Integrated Risk Management Committee and the Policy Procedure Committee. The Bank has also established a Risk Management Working Unit under Risk Management Compliance. The Risk Management Compliance Directorate is divided into 3 (three) groups: the Credit Portfolio Risk Group, which is related to credit risk and portfolio and to risk management integration through ERM, and the Market Risk Group and Operational Risk Group, which are related to market risk, liquidity risk and operational risk.