136 2013 Annual Report BNI Risk Management

3. Operational Risk

The management of operational risk becomes very important in line with the increasing diversity and complexity of banking products and activities offered to customers, the very rapid development of systems and technologies, and the increased expectation of customers regarding services provided by the bank. Governance and Organization Operational risk management governance has been implemented in all business units and support units as Risk Owner or Risk Taking Unit forming the first line of defense. The implementation is supported by a second line of defense undertaken by the Enterprise Risk Management Division and the Compliance Division as the Risk Control Unit, as well as the third line of defense constituting the Internal Audit as Risk Assurance Unit. Policies and Procedures The Enterprise Risk Management Division has a policy for Operational Risk Management to support the implementation of operational risk management at all units, namely: - Policies for operational risk management at domestic branches. - Policies for operational risk management at overseas branches. These are further elaborated into Standard Operating Procedures for prudent transactions and operations in day-to-day business activities such as: - Operational risk management procedure for domestic branches - Operational risk management procedure for overseas branches - Guidelines for implementation of operational risk self assessment RSA - Guidelines for implementation of Loss Event database LED - Guidelines for implementation of operational risk expenses BRO - Operational risk self assessment manual for overseas branches - Guidelines for implementation of Operational Risk Tool PERISKOP Process Operational risk management process at BNI consists of 5 five major continuing processes as stipulated by Bank Indonesia, namely the identification, assessment, measurement, monitoring and mitigation of risk. a. Risk Identification The mechanism for operational risk identification is done by applying Macro Process Mapping on work processes activities of each unit to capture the potential operational risks. b. Risk Assessment Performed by each risk owner unit through a method of operational risk self assessment, including an assessment of the impact, the frequency and causes of risks as well as its solutions. c. Risk Measurement In accordance with Bank Indonesia regulation, the measurement of operational risk uses the Basic Indicator Approach. Quantitative disclosure of operational risk - bank only and consolidated - is presented in Table 8.1.a and Table 8.1.b d. Risk Monitoring The Enterprise Risk Management Division conduct evaluation and feedback on risk assessment based on the results of self- assessment, such as: - Feedback reports for all divisionsunits areasbranches - Monthly report on Operational Risk Expenses to the Board of Directors - Operational Risk Profile reports e. Risk Mitigation The mechanism for operational risk mitigation is reflected in the internal control processes through the implementation of the four strategies of mitigation, namely avoid, mitigate, transfer and accept. The four mitigation strategies are carried out in Operational Risk mitigation procedures that include control procedures, settlement procedures, accounting procedures, assets and custodial storage procedures, product delivery procedures, and fraud prevention procedures. Tools and Methods To help the process of operational risk management performed by each working unit, the Bank has developed a web-based Operational Risk Management tool known as PERISKOP Operational Risk Management Tool. PERISKOP has a very important role because the 3 three main processes in operational risk management use this tool, namely Self Assessment, Loss Event Database and Key Risk Indicator. 137 2013 Annual Report BNI PERISKOP Self Assessment Module Loss Event Database Module Key Risk Indicator Module Self Assessment SA is a series of activities conducted by each unit risk owner in identifying operational risk issues inherent in the unit, locate the cause, measure the loss potential that may arise, and search for their solutions. The result of SA provides a view of potential risks faced by the unit in the next 3 three months period. Represents a database of all financial loss due to operational risk occurring in all units of the Bank. In addition to improving the management of operational risk, data of losses collected in LED also serve as basis for the calculation of capital needed to cover operational risk using the Advance Measurement Approach AMA. Key risk indicators are parameters to identify the loss potential from operational risks inherent in products and activities before the risk occurs, and to provide a signal if it crossed a pre- determined range of values. Business Continuity Management Disruption or disaster caused by natural factors, human action, and system may happen to various BNI’s critical business function, causing disruption of business activities and services by BNI. To anticipate such events, BNI has implemented a Business Continuity Management BCM system that is expected to be able to minimize operational risk in the event of an emergency or disaster situation. The development of the system is in line with Bank Indonesia regulation that requires banks to implement risk control processes to manage risks that could compromise the survival of a bank, and also in line with the requirements of the Basel II document which requires the Bank to have business continuity management and contingency management plan to ensure the Bank’s ability to keep operating and to limit losses in the event of disruption to business activities. a. Governance and Organization In a disaster situation, BNI has prepared a specific organization consisting of a Crisis Management Team CMT and an Emergency Task Force ETF comprising of Senior Executives as disaster management coordinator who has the highest level of authority and effective. The CMT is activated as soon as the Executive Management Team EMT, as the highest authority in CMT, declares a disaster condition. b. Policies Procedures In regard the implementation of BCM, BNI has established: - BCM policies for domestic operations - BCM policies for overseas branches - BCM procedures - Governance of BCM Building - Guidelines for visits to the BCM Building. c. Process Every step of the recovery strategy and restoration strategy implemented are monitored and reported to the CMT until the return of normal conditions. To ascertain the level of readiness and evaluation of BCM, BNI conduct disaster test simulation to examine the implementation of BCM in all operational units. This is conducted routinely every year to determine the level of readiness of each unit, in terms of organization and infrastructure of its BCM. The results of the routine evaluation and examination are evident in the systematic and purposeful handling of disaster situations, whether caused by human, nature or systems. Thus, operational activities at disaster-affected locations continue to a certain degree, even though some of its facilities and supporting infrastructure are disrupted.

4. Liquidity Risk