CUSTODIAL SERVICES AND TRUST OPERATIONS

PT BANK MANDIRI PERSERO Tbk. AND SUBSIDIARIES NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS As of December 31, 2016 and for the year then ended Expressed in millions of Rupiah, unless otherwise stated 217

61. RISK MANAGEMENT

Bank Mandiri segregates the independent risk management function based on the requirements of Bank Indonesia regulations and international best practices. Bank Mandiri adopts the Enterprise Risk Management (ERM) concept as a comprehensive and integrated risk management strategy in line with the Bank's business processes and operational needs. ERM implementation will give added value to the Bank and its stakeholders. ERM is a risk management process embedded in the business strategies and operations and integrated into daily decision-making processes. With ERM, the Bank establishes a systematic and comprehensive risk management framework (credit risk, market risk and operational risk) by connecting capital management and business processes to risks. In addition, ERM also applies consolidated risk management to the subsidiaries, which will be implemented gradually to maximise the effectiveness of the Bank's supervision and value creation for the Bank, based on Bank Indonesia Regulation No. 8/6/PBI/2006 dated January 30, 2006 and Financial Services Authority (FSA) Regulation No. 17/POJK.03/2014 regarding the implementation of integrated risk management for financial conglomerates, which covers the whole financial industry. The Bank's risk management framework is based on FSA Regulation No. 18/POJK.03/2016 regarding Risk Management Implementation for Commercial Banks. The Bank's risk management framework is set out in the Bank Mandiri Risk Management Policy (BMRMP), which consists of several policies that serve as guidelines for business growth and as a business enabler, ensuring that the Bank applies the prudential principle by examining the risk management process (identification - measurement - monitoring - risk mitigation) at all organisational levels.
Active supervision by the Board of Directors and the Board of Commissioners of risk management activities, directly and indirectly, is implemented through the establishment of committees at the level of the Board of Commissioners, namely the Risk Monitoring Committee, Integrated Governance Committee, Remuneration and Nomination Committee and Audit Committee. The Executive Committees under the supervision of the Board of Directors consist of the Asset & Liability Committee (ALCO), Risk Management Committee (RMC), Integrated Risk Management Committee (IRC), Capital & Subsidiaries Committee (CSC), Business Committee, Information Technology Committee (ITC), Human Capital Policy Committee (HCPC), Policy & Procedure Committee (PPC) and Credit Committee. Of the 9 Executive Committees, 4 are directly involved in risk management, i.e. RMC, IRC, ALCO and PPC. RMC is the committee that discusses and recommends policies and procedures, as well as monitoring the risk profile and managing all of the Bank's risks. IRC is the committee that provides recommendations on the integrated risk management policy, including the application of risk management in subsidiaries. IRC is based on the application of FSA Regulation No. 17/POJK.03/2014 regarding integrated risk management. IRC has members from subsidiaries and discusses as well as recommends the policy and application of integrated risk management. ALCO is the committee that manages the Bank's asset and liability management, interest rate and liquidity, and other areas related to the asset and liability management of the Bank. PPC is the committee that discusses and recommends adjustments or improvements to the Bank's policies and procedures.
The committees under the Board of Commissioners, including the Risk Monitoring Committee, Integrated Governance Committee and Audit Committee, have the task and responsibility of reviewing and evaluating the policy and execution of the Bank's risk management, as well as providing input and recommendations to the Board of Commissioners in their monitoring tasks. Operationally, the Directorates related to risk management are divided into two major parts: (1) credit approval as part of the four-eye principle, located in the Wholesale Risk Directorate and Retail Risk Directorate, and (2) independent risk management, located in the Risk Management Directorate and the Risk Management & Compliance Directorate. Risk Management & Compliance is headed by a Director who is responsible to the Board of Directors and is also a member of the Integrated Risk Management Committee and the Policy & Procedure Committee. The Bank has also established a Risk Management Working Unit under Risk Management & Compliance. The Risk Management & Compliance Directorate is divided into 3 (three) groups: the Credit Portfolio Risk Group, which is responsible for credit risk, the credit portfolio and risk management integration through ERM; and the Market Risk Group and Operational Risk Group, which are responsible for market risk, liquidity risk and operational risk.


The Risk Management Directorate and each strategic business unit are responsible for maintaining/coordinating the 10 (ten) types of risk faced by the Bank, and for discussing and proposing risk management policies and guidelines. Bank Mandiri is developing the application of ICAAP, which aims to ensure that the Bank has a comprehensive risk measurement process and that the calculation of capital is in accordance with the risk profile and able to provide the capital needed. One part of the ICAAP is the preparation of the Risk Appetite Statement (RAS); the RAS defines the type and degree of risk that can be taken or faced by the Bank within its risk capacity in order to achieve its business goals. The application of ICAAP supports the implementation of Basel II Pillar 2 as best practice. All risks are reported in the quarterly risk profile report and the semi-annual Bank's soundness report in order to describe all risks embedded in the Bank's business activities, including consolidation with the subsidiaries' risks. In relation to changes in the organisational structure of the Bank, namely the establishment of the Directorate of Distribution to optimise the role of the regions, starting June 2016 Bank Mandiri created the Regional Risk Dashboard as a means of monitoring risk management in each region. Risk management in the regions covers inherent risks, especially credit risk, for each region.

A. Credit risk

The Bank's credit risk management is mainly focused on improving the balance between prudent loan expansion and loan maintenance in order to prevent quality deterioration (downgrading to the Non-Performing Loan (NPL) category) and on optimising capital utilisation to achieve the optimum Return On Risk Weighted Assets (RORWA). To support this objective, the Bank periodically reviews and updates its credit policies and procedures in general, by business segment and by risk management tools.
These policies and procedures are intended to provide comprehensive credit risk management guidelines for the identification, measurement and mitigation of credit risk in the end-to-end loan acceptance process, from market targeting, loan analysis, approval, documentation and disbursement to the monitoring/settlement process for non-performing/restructuring loans. To improve the Bank's social role and concern for environmental risk, and as an implementation of Good Corporate Governance (GCG), the Bank has set up a Guideline for Technical Analysis of Environmental and Social in Lending, which is used as a reference in analysing environmental risk in a credit analysis. This Guideline is in line with the Bank Indonesia Regulation regarding the Quality of Asset Assessment for Commercial Banks, which stipulates that the assessment of a debtor's business should also consider the debtor's efforts to protect its environment. In principle, credit risk management is implemented at the transactional and portfolio levels. At the transactional level, the Bank has implemented the four-eye principle, whereby each loan approval involves a Business Unit and a Credit Risk Management Unit which work independently to reach an objective credit decision. The four-eye principle is executed by the Credit Committee according to its authority limit, and the loan approval process is conducted through the Credit Committee Meeting mechanism. Executive Credit Officers, as Credit Committee members, must be highly competent and have strong capacity and integrity so that the loan granting process can be conducted objectively, comprehensively and prudently. To monitor the performance of the credit authority holders in approving and maintaining loans, the Bank has developed a database for authority-holder monitoring.
Using this system, the Bank can monitor the amount and quality of the loans approved by the credit authority holders, so that the performance of the Executive Credit Officers can be monitored over time. To mitigate credit risk, the Credit Committee sets the loan structure for every debtor through appropriate covenants that are aligned with the debtor's needs and conditions. This ensures that the debtor uses the loan effectively according to its original purpose, so that the interests of both the Bank and the debtor are fulfilled. Guidelines for determining the collateral structure in order to mitigate credit risk have been regulated in detail in the SPK (Credit Standard Procedures) for each segment.