Annual Report
2013
PT Bank Mandiri Persero Tbk.
4. OPERATIONAL RISK MANAGEMENT
Operational risk can result from inadequacies or failures affecting internal processes, people and systems, or from external events affecting the operations of the Bank.
Effective operational risk management can reduce losses due to operational risk. The Operational Risk Management (ORM) framework is based on Bank Indonesia regulations, Basel II and the internal regulations of the Bank. The Bank’s risk management policies are set out in Bank Mandiri Risk Management Policies (KMRBM) and Standard Operating Procedures (SOPs). These policies and SOPs set out technical guidelines for operational risk management, covering such aspects as governance, procedures and the reporting system.
In addition, in order to support innovation so as to meet the needs of Bank customers for products and services, the Bank has compiled risk management and mitigation guidelines for new products and activities (PAB), namely the PAB Standard Operating Procedures (SPO), which are aimed at achieving standardization for the end-to-end management of risks associated with new products and activities, and to help produce new products and activities that are reliable and will boost profitability, corporate image and quality of service at the Bank. Reflecting the Bank’s commitment to the application of prudential principles and Good Corporate Governance, the PAB SOPs assess eight types of risk so as to ensure that all new products and activities of the Bank comply with the regulatory requirements.
In order to improve the effectiveness of operational risk management, the Bank has aligned operational risk and risk-based auditing methodology through risk library synchronization; provided a means of communicating with the CEO through the “Letter to the CEO” mechanism, which serves as a Whistleblower System; and adopted a suite of operational risk management tools (ORM Tools).
The said ORM Tools include the following:
A. Risk Control Self Assessment (RCSA): RCSA is used to identify and assess the risks that are inherent in an activity, and to evaluate quality control.
B. Mandiri Form Operational Risk System (M-FORs): The Bank uses M-FORs to record losses due to operational risks in each unit.
C. Key Indicators: Key indicators are quantitative indicators that are used to provide an indication of the level of risk inherent at different stages of key processes in a business unit supporting or end-to-end processes.
D. Issue Action Management (IAM): IAM is a mechanism for incorporating issues related to operational risk. The causes of these issues are analyzed and an action plan devised, whose implementation is subsequently monitored by the business unit.
In managing operational risks, the Risk Management Unit acts as a second line of defense and the Internal Audit Unit as the third line. Meanwhile, the Bank’s line units, as the risk owners, serve as the first line of defense and are responsible for operational risk management in their respective areas of authority.
risk management
As output from the operational risk management process, the risk profiles of units that generate operational risks are used as the basis for risk profiling the Bank’s overall operations. Operational risk profile reports at the corporate level (bankwide) are reviewed by the Internal Audit Unit and presented to the Board of Commissioners and reported to Bank Indonesia periodically.
For reporting operational risk capital adequacy to Bank Indonesia, the Bank uses the Base Indicator Approach, as shown in the following tables:
Table 8.1.a Disclosure of Quantitative Operational Risks – Bank Unconsolidated

31 December 2013

| No. (I) | Approach (II) | Gross Income, average of last 3 years (III) | Capital Charge (IV) | RWA (V) |
|---|---|---|---|---|
| 1 | Base Indicator Approach | 30.758.015 | 4.613.702 | 57.671.278 |
| | Total | 30.758.015 | 4.613.702 | 57.671.278 |

31 December 2012

| No. (I) | Approach (II) | Gross Income, average of last 3 years (III) | Capital Charge (IV) | RWA (V) |
|---|---|---|---|---|
| 1 | Base Indicator Approach | 25.805.133 | 3.870.770 | 48.384.624 |
| | Total | 25.805.133 | 3.870.770 | 48.384.624 |

For banks that use the Base Indicator Approach in calculating Operational Risk
Table 8.1.b. Disclosure of Quantitative Operational Risks – Bank Consolidated

31 December 2013

| No. (I) | Approach (II) | Gross Income, average of last 3 years (III) | Capital Charge (IV) | RWA (V) |
|---|---|---|---|---|
| 1 | Base Indicator Approach | 36.077.126 | 5.411.569 | 67.642.899 |
| | Total | 36.077.126 | 5.411.569 | 67.642.899 |

31 December 2012

| No. (I) | Approach (II) | Gross Income, average of last 3 years (III) | Capital Charge (IV) | RWA (V) |
|---|---|---|---|---|
| 1 | Base Indicator Approach | 29.725.743 | 4.458.861 | 55.735.768 |
| | Total | 29.725.743 | 4.458.861 | 55.735.768 |

For banks that use the Base Indicator Approach in calculating Operational Risk
Implementation of Operational Risk Management
The key strategy used as guidance in the implementation of operational risk management in relation to Risk Management, Audit Compliance is “to proceed with anti-fraud programs, including optimizing the First Defense, Second Defense and Third Defense”. The Implementation of Risk Management is focused on 4 strengthening aspects, namely:
- Risk Awareness Program, that is, a specific culture program owned by each relevant unit in relation to the identification, understanding, and mitigation of operational risk.
- Risk Profile Report, namely regular obligatory reports from the operational risk management unit to the operational risk management system mentor. Such reports must be submitted at least quarterly or at shorter intervals if necessary (ad hoc). Regular preparation of Risk Profile Reports is intended to ensure that the operational risk profile of each Operational Risk Management Unit remains updated and maintained.
- MRO Forum is a forum used to discuss any issues relating to operational risks. Such forums must convene at least once a month. The proceedings of the forum should be reported to the operational risk management system mentor in the form of minutes.
- Data Quality of ORM Tools, in the form of processing and updating of the data/information in the ORM Tools (iMORs), including RCSA, KI, IAM, and MFORs. Data inputted into the iMORs forms the basis for the preparation of Risk Profiles of line units for the purpose of the assessment of the Bank’s soundness.
An MRO Strengthening Program has been applied to all line units as a follow-on from the “No Surprise Program”. The purposes of the MRO Strengthening Program in each line unit are:
a. To gain a better understanding of the Principal Operational Risks pertaining to the products and activities of each line unit, and how to control such risks.
b. To provide a better understanding that various initiatives such as the MRO Forum mechanism, Risk Awareness Program and Letter to CEO (LTC) mechanism can support the effectiveness of Operational Risk Management.
c. To make the DCOR and RBC the second line of defense in understanding the main risks in the unit being supervised and, accordingly, more focused in conducting supervision.
Anti-Fraud Strategy, Fraud Monitoring System, and Fraud Response Plan
In accordance with SE BI No. 13/28/DPNP regarding the Implementation of Anti-Fraud Strategies in Commercial Banks, Bank Mandiri monitors and mitigates fraud risk through the application of the 4 pillars approach, namely: (1) Prevention; (2) Detection; (3) Investigation, Reporting and Sanctions; and (4) Monitoring, Evaluation and Follow-up. The application of this approach involves all lines of defense.
To support the implementation of the anti-fraud strategy, particularly the pillar of detection, an early detection system has been developed to detect anomalies in transactions, processes, and applications that have the potential for fraud. This system automatically alerts the Bank to transactions affected by fraud risks. The follow-up involves a process of alert data investigation by way of on-desk and onsite review so as to ascertain whether or not fraud has occurred, in order that the Bank can take prompt, accurate, and focused mitigation measures (fraud response plan). Considering that the fraud detection development process is a long-term one, management will focus on business areas that are characterized by significant fraud risks. In this respect, the following business segments have been prioritized:
a) Retail Payment Deposit Segment (Branches, EDC/Merchants, and E-Channels)
b) Retail Financing Segment (Micro Financing, Credit Card, Consumer Loans)
c) Wholesale Segment (Business Banking up to Rp 2 billion)
The Fraud Control Systems currently applied by the Bank are as follows:
a. Fraud Control System for Credit Cards
b. Fraud Control System for Debit Cards
c. Merchant Monitoring System
d. Internet Mobile Banking Monitoring System
e. Anti-Fraud Application System
f. Early Detection System Micro
The Fraud Control Systems being developed by the Bank are as follows:
a. Fraud Detection System for Branch
b. Fraud Control System for Business Banking
Prevention of Money Laundering and Funding of Terrorism
In order to prevent and mitigate risks arising from money laundering and the funding of terrorism, the Bank conducts due diligence and risk management on its customers with reference to the Bank Indonesia regulations on Money Laundering and the Funding of Terrorism. The due diligence and risk management process employs a risk-based approach that identifies, classifies, monitors and manages customer transaction risks on the basis of product, customer and geographical characteristics (country, cross-border).
Business Continuity Management
In order to secure Bank operations during an emergency, the Bank has a comprehensive, documented and tested plan setting out the steps that must be taken prior to, during and after the emergency. The Bank’s policies and procedures for safeguarding business operations are set out in the Business Continuity Management Plan (BCM), which consists of an Emergency Response Plan (ERP), Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP). The ERP is a manual to ensure the security and safety of employees in emergency situations, the DRP is a work plan for recovery from an emergency affecting the Bank’s IT infrastructure, and the BCP contains procedures and information designed to maintain the operations of a line unit.
5. WORST CONDITION SIMULATION STRESS TESTING