Risk Management
The Internal Controls and Risk Management policies of Banese are based on the recommendations of the Basel Accord, the Resolutions of the National Monetary Council – CMN and the Central Bank of Brazil, and on the other regulations dealing with internal controls and corporate risk management. The prudential measures recommended, so that our activities abide by the internal rules and regulations and risk mitigation, have been adopted as the basis for preparation and disclosure of specific communication vehicles for all units of the bank.
The market, credit, liquidity, operational, social, environmental and climate, contamination, cyber, capital, image and other risks inherent to the institution’s business are managed using a corporate approach by the Internal Controls and Capital and Risk Management areas, together with the areas where they arise, in accordance with specific internal policies and regulations. The systematic review of the internal controls, and the continuous monitoring of the risks using in-house methodologies or those regulated by the Central Bank of Brazil provide the information that determines the implementation of action plans and corrective measures directed at the efficiency of the mitigation controls, while also quantifying how much prudential capital must be allocated for the potential occurrence of losses.
The outcome of these analyses and the corrective actions are presented for approval by the Deliberation of the Executive Board and the Bank’s Board of Directors through periodic reports.
The main Senior Management body is the Board of Directors, which is responsible for the information disclosed on Capital and Risk Management, among other duties. The Executive Board has several responsibilities, including assisting Senior Management in decision-making. The Chief Executive Officer is responsible for guiding, monitoring, controlling and enforcing the resolutions passed and objectives established by the Board of Directors. The Finance, Controls and Investor Relations Office (FCIRO) is responsible for the information disclosed about Capital and Risk Management.
Banese’s risk management structure is linked to the Risk Management Superintendence and the Strategic Management and Finance, Controls and Investor Relations Office (FCIRO). It has a Capital and Risk Management Committee, internal and non-statutory, comprised of career technicians of the institution that helps Senior Management in decision-making.
The organizational chart below shows the Risk Management Structure.
The purpose of the Capital and Risk Management Committee is to assist the Executive Board in its duties related to the adoption of strategies, policies and measures focused on risk management. It is composed of internal members who understand, in an integrated and comprehensive manner, the risks that may impact the institution.
Among other duties, the Capital and Risk Management Committee:
a) Systematically monitors the activities carried out by the Conglomerate, in order to assess whether the credit risk, market, liquidity, social, environmental, climate and capital management objectives are being attained in all the areas, in accordance with internal limits and policies, the applicable laws and regulations, as well as ensure that any non-compliances can be promptly remedied;
b) Issues opinions on the Half-Yearly Report addressed to the Executive Board and the Board of Directors;
c) Manages the Prudential Conglomerate’s capital;
d) Ensures that treasury operations remain within the risk limits set by the Liquidity Risk Management Policy;
e) Outlines strategies to maximize available treasury funds preserving adequacy between assets and liabilities (rates and terms);
f) Analyzes changes in the Bank Reserve;
g) Validates, on a monthly basis, the Liquidity Contingency Plan approved by the Executive Board with regards to its execution potential; and
h) Helps review risk appetite levels established by the Board of Directors.
i) Among others.
The purpose of the Ethics and Compliance Committee is to help the Executive Board perform its duties related to the adoption of strategies, policies and measures focused on:
a) Internal controls and operational, legal, contamination and reputation risks;
b) Information security and business continuity;
c) Compliance with and improvement of the Code of Ethics;
d) Issue of opinions on the Half-yearly Report of Internal Controls addressed to the Executive Board and Board of Directors, prepared by the Risk Management Superintendence, together with the Internal Controls and Compliance Area, evidencing the Bank’s conformity with CMN Resolutions 4.968/2021 and 4.557/2017.
e) Among others.
The purpose of the Incident Response Committee is to assist the Executive Board in the performance of its duties related to the adoption of strategies, policies and measures focused on the review of and decision on the procedures, structure and guidelines that support the ability to respond to and manage business continuity incidents, crises and relevant situations that may compromise Banese’s image and reputation.
Banco do Estado de Sergipe S/A, in compliance with the provisions of National Monetary Council Resolutions 4.557/2017 and 4.955/2021 on the integrated management of risks and the Social, Environmental, and Climate Risk Responsibility Policy, respectively, the recommendations of Basel III and the provisions of Law 9.613/98, has a corporate risk management structure capable of identifying, assessing, monitoring, controlling and mitigating its risks, including those arising from outsourced services.
Capital and Risk Management at the Banese Conglomerate is a fundamental instrument for the efficient use of capital and for choosing the best business opportunities, in order to achieve the best risk-return ratio for its shareholders and to generate systematic information for mitigating the organization’s risks without prejudicing the bank’s search for operational efficiency.
Banese has a Contamination Risk Policy, reviewed annually, that is guided by the principles of CMN Resolution 4.557/2017 and other complementary provisions, by the best market practices, and by the guidelines adopted by the Board of Directors and Executive Board.
The contamination risk comes from the possibility of losses for the entities comprising the prudential conglomerate, including the leading financial institution, due to its relationships (contractual or not), its subsidiaries that are not part of the conglomerate (non-consolidated), its affiliate and sponsored companies, the controlling company of the leading financial institution, entities belonging to parallel structures and with non-consolidated entities that, whether they have an interest in the Company’s capital or not, may apply for future financial support, even if there is no legal or contractual obligation to do that.
The contamination risk is monitored by the Internal Controls, Compliance and Capital and Risk Management areas, which are responsible for monitoring and periodic reports to Senior Management.
Banese defines “Operational Risk” as the possibility of losses occurring from failures, deficiencies or shortcomings in internal processes, people and systems, or from external events that may negatively impact the development of the Bank’s activities.
Operational Risk includes legal and reputational risks. Operational risk events include:
- Internal and External Fraud;
- Labor claims;
- Improper practices relating to clients, products and services;
- Damages to physical assets owned or used by the institution;
- Risks leading to interruption of the institution’s activities;
- Information Technology systems’ failure;
- Failure in execution, compliance with deadlines and management of the institution’s activities;
- Deficient security of the workplace.
In order to provide an appropriate environment for identification and assessment of risks, BANESE applies an Operational Risk Management Policy that is approved and reviewed at least on a yearly basis by the Executive Board and the Board of Directors. This policy clearly defines the roles and duties of the employees and units regarding operational risk management.
In accordance with CMN Resolution No. 4.557/17 and the provisions set forth in the Basel Accord, this Policy represents a set of global guidelines that is established by the Bank’s management to define the model adopted in order to enable, in addition to the fulfillment of the legislation in force, the adoption of risk identification practices and mitigation controls that ensure that all processes, products and services offered by Banese are safe and competitive, reducing the losses relating to operational risks, and approved by the relevant signing authorities.
Finance, Controls and Investor Relations Office (FCIRO) is the unit responsible for managing the operational risk, with the support of the Executive Board and the Board of Directors. The Risk Management Superintendence, through the Internal Controls and Compliance Area (ARCIC), is responsible for promoting the policy’s culture and the implementation of methods for identification, classification, assessment and mitigation of risks, and control and corrective actions for processes and procedures.
Operational risks are reported to the Ethics and Compliance Committee (COMEC) and the Executive Board on a monthly basis. Reports containing the risks identified and the relevant mitigation plans, where applicable, are regularly submitted to the Board of Directors.
With respect to the allocation of capital resulting from the calculation of the portion of the Core Capital Required for Operational Risks, Banese adopts the Simplified Alternative Standardized Approach – APAS.
Banese Internal Controls and Compliance Policy, which is approved and reviewed at least on a yearly basis by the Executive Board and the Board of Directors, is a set of global guidelines referenced in CMN Resolution No. 4.968/2021 and the Principles of the Basel Accord, which govern all activities relating to controls for identification, prevention and monitoring of risks inherent to our business and activities. The Policy defines the responsibilities of all units involved.
Management and monitoring is incumbent on the Risk Management Superintendence through the Internal Controls and Compliance Area (ARCIC), by means of automated management tools.
In order to protect the Institution from involvement in direct or indirect financial transactions intended to transform funds from illegal sources into legal funds that are introduced in the financial market, the Bank has a published Anti-Money Laundering Policy (AMLP).
The Anti-corruption Policy, Know-Your-Customer Principles, and Know-Your-Employee Principles, which are intended to guarantee ethics and safety to our business, are also available in our intranet system.
Finance, Controls and Investor Relations Office (FCIRO) is responsible for managing the PCLD process at the Institution. It is the responsibility of the Risk Management Superintendence, through the Internal Controls and Compliance Area, to monitor the application of AML policies and procedures using automated management tools.
The Market Risk Management Policy of the Banese Conglomerate is approved and reviewed at least on a yearly basis by the Executive Board and the Board of Directors, and it consists of a set of global guidelines defined by the Senior Management to establish the internal model adopted for compliance with the legislation in force, and to control the risk of the Bank’s transactions on the financial market.
“Market Risk” arises from the possibility of losses occurring as a result of fluctuations in the market values of sale and purchase positions held by the Financial Institution. It includes the risk from operations that are subject to variation in exchange rates, interest rates, and share and commodities prices.
The management of market risks enables identification and monitoring of the institution’s market risks in transactions made in its trading and banking portfolios; determination of VaR (Value-at-Risk) limits at absolute and percentage values, which are calculated based on previously established time horizons, and classified according to exposure volumes: by risk factor and portfolio profile, relating them to the Bank’s Shareholders’ Equity, when consolidated positions are considered; performance of assessment tests in the systems used for measuring and monitoring market risks; and creation of stress scenarios based on previously established parameters, taking into account the exposures to different market risk factors and changes in positions held by the institution.
All roles and responsibilities relating to the market risk management structure are clearly defined in this Policy. Finance, Controls and Investor Relations Office is responsible for Market Risk Management activities, as provided for in CMN Resolution No. 4.557/2017. The Risk Management Superintendence, duly supported by the Capital and Risk Management Area – ARGER, is responsible for analyzing calculations, monitoring, control and compliance, as well as preparing reports. The Capital and Risk Management Committee – COGER and other Executive Offices are co-responsible for managing this Policy through their relevant areas.
Banese has a Risk Rate Policy for Interest from the Banking Portfolio – IRRBB, which defines a set of guidelines whose purpose, among others, is to establish procedures to maintain the exposure to the Interest from the Banking Portfolio in conformity with the limits and levels set in the RAS, and to support senior management in the Institution’s strategic decisions.
The Policy of Interest of Banking Portfolio establishes roles and responsibilities, being approved and reviewed at least annually by the Executive Board and Board of Directors, which represents a set of global guidelines established by the Finance, Controls and IR Executive Board, based on what is established by Resolution 4.557/2017, which provides operating rules to be observed by the units that act in the control and monitoring of Interest of IRRBB Risk.
The interest rate risk of the banking book is monitored by the Capital and Risk Management Area, which is responsible for preparing the reports that are reported monthly to Senior Management. In addition, stress tests are performed for the banking book by means of sensitivity analysis methodology.
Banese’s Liquidity Risk Management Policy is approved and reviewed at least on a yearly basis by the Executive Board and the Board of Directors. It represents a set of global guidelines that is established by the Bank’s Executive Board, based on Resolution No. 4.557/2017, which defines the norms that must be respected by the units responsible for controlling and monitoring the Liquidity Risk.
Liquidity Risk originates from discrepancies between tradable assets and liabilities due – that is, the “mismatching” between accounts payable and receivable – that may affect the Bank’s payment capacity, taking into account different currencies and terms for settlement of rights and obligations. It involves the risk that an institution’s reserves and cash and cash equivalents are not sufficient to pay its obligations when they fall due. In other words, it is the institution’s temporary lack of capacity to settle its commitments due to mismatching of cash flows, as a result of mismatching of maturities or volumes of estimated receipts and payments.
In accordance with the roles and responsibilities of the Liquidity Risk management structure, the Finance, Controls and Investor Relations Office (FCIRO) is responsible for managing the policy and reporting the decisions made by the Executive Board and the Board of Directors to the Central Bank. The Risk Management Superintendence, through the Capital and Risk Management Area – ARGER, is responsible for analyzing calculations, monitoring, control and compliance, and preparing reports. The Capital and Risk Management Committee – COGER and other Executive Offices are co-responsible for managing this Policy through their relevant areas.
In order to guarantee the efficacy of Liquidity Risk management, the process includes procedures to identify the events that may interfere in liquidity (funding, investments, administrative and investment expenses), cash flow generation, analysis of scenarios (internal and external indicators), preparation of the Contingency Plan, and liquidity reserves in extreme situations, as well as the establishment of minimum liquidity levels.
Banese’s Credit Risk Management Policy, which was approved and is reviewed at least on a yearly basis by the Executive Board and the Board of Directors, aims at improving credit risk management, guaranteeing the integrity of credit assets, establishing appropriate risk and loss levels, and improving the Bank’s quality standards and performance. Accordingly, the principles that guide this policy are in line with CMN Resolution No. 4.557/2017, the principles of the Basel III Accord, and the best market practices, aiming at correct identification, measurement, control and mitigation of credit risks associated to the products and services provided by the Bank.
Credit Risk is defined as the possibility of losses arising from failure by borrowers or counterparties to meet their financial obligations as contracted, from the impairment of loans due to downgrading of the borrower’s risk rating, from reductions in earnings and remuneration, from benefits granted in debt renegotiations, and from recovery costs.
Credit risk management is performed by the Risk Management Superintendence, through the Capital and Risk Management and Credit Risk Management areas, which is a unit independent from the business areas, while the management of this policy is under the responsibility of the Finance, Controls and Investor Relations Office (FCIRO). The Capital and Risk Management Committee – COGER, the Internal Audit and the other Executive Offices are co-responsible for managing this Policy through their relevant areas. The units participating in the credit process are responsible for strictly following these guidelines, regardless of the scope of their activities or responsibility levels.
Banese’s credit risk management structure includes policies, manuals, norms and procedures intended to reduce risks. Transactions subject to credit risk are classified in categories based on economic and financial conditions, updated registration data, and use of instruments to reduce credit risks associated to the transaction.
The Banese Conglomerate uses a statistical, probabilistic and predictive risk classification system to classify individual and corporate customers, which are grouped into homogeneous risk classes, where a risk score is indicated for each of these classes.
In order to mitigate the positions exposed to this type of risk in the credit portfolio, Banese has established credit risk assessment methodologies that consider aspects of customer risk and the operation risk, aiming at the appropriate measurement of the final risk of the operation. They also aim at profiling customer behavior, notably through personal, financial and historical information, in order to separate them into “good” and “bad”, minimizing the risk of loss for the institution. After the due processing, the scores obtained through the Institution’s credit risk models are converted into a risk score, as established in CMN Resolution 2.682/1999. According to the Bank’s procedures, the referred models are under constant monitoring, aiming at the pertinent adjustments, whenever necessary.
Regarding the rules established for the realization of the allowance for doubtful accounts, Banese is in line with the criteria expressed in the aforementioned Resolution and makes use of the option provided for in paragraph 1 of art. 4, which allows double counting of the deadlines listed in item I of the same article, in operations whose term is longer than 36 (thirty-six) months.
The processes adopted for classification, analysis, validation of systems, models and internal procedures and used for managing corporate risk are continuously monitored and periodically reviewed, aiming at improving the quality and timing of information, and resolving the problems identified.
The Capital Management Policy is approved and reviewed at least on a yearly basis by the Executive Board and the Board of Directors. It represents a set of global guidelines that is established by the Bank’s Executive Board, based on Resolution No. 4.557/2017, which defines the norms that must be respected by the units responsible for controls, monitoring, assessment, target planning and Capital requirements.
The Capital Management process aims at achieving the organization’s strategic objectives, being compatible with the nature of operations, complexity of products and services, and the dimension of the Institution’s risk exposure.
In accordance with the roles and responsibilities of the Capital and Risk management structure, the Finance, Controls and Investor Relations Office (FCIRO) is responsible for managing the policy and reporting the decisions made by the Executive Board to the Central Bank. The Risk Management Superintendence, through the Capital and Risk Management Area – ARGER, is responsible for analyzing calculations, monitoring, control and compliance, and preparing reports. The Capital and Risk Management Committee – COGER and other Executive Offices are co-responsible for managing this Policy through their relevant areas.
The Social, Environmental and Climate Risk Responsibility Policy is approved and reviewed at least on a yearly basis by the Executive Board and the Board of Directors. It represents a set of global guidelines that is established by the Bank’s Executive Board, based, as provided for in Resolutions No. 4.557/2017 and 4.945/2021, on the best market practices, aiming at the correct identification, measurement, control and mitigation of social and environmental risks.
Social, Environmental and Climate Risks are defined as:
a) Social: defined as the possibility of losses to be incurred by the institution due to events that are related to the violation of fundamental rights and guarantees, or acts that harm common interest.
b) Environmental: the possibility of causing damage that results in risk and material or immaterial harm to society, individuals and the environment due to natural, social, or technological factors.
c) Climate: defined as transition risk and physical risk, as follows:
I – Transition climate risk: the possibility of losses to be incurred by the institution due to events that are related to the process of transition to a low-carbon economy, in which greenhouse gas emissions are reduced or offset, and the natural mechanisms to capture such gases are preserved.
II – Physical climate risk: the possibility of losses to be incurred by the institution due to events that are related to frequent and severe climate events or long-term environmental changes that can be related to changes in climate patterns.
Image risk is the possibility of losses arising from damages to the institution’s image in the market and with regulatory bodies due to negative publicity caused by internal practices, risk events and external factors that may generate a negative perception of the institution by clients, counterparties, shareholders, investors, supervisors and business partners, among others, with an impact on the value of the brand and/or financial losses and a negative effect on the bank’s ability to maintain existing business relationships, start new business and/or continue to have access to funding sources.
The Banese Conglomerate’s image risk is managed by the Communication and Advertising (ARCOP) and Digital Products and User Experience (ARPEX) Areas, which monitor the Banese Group’s daily exposure in the state media. The Institution believes that news items associated with the brand help strengthen the group’s image, since, in general, they present the institution as a solid, modern company that plays an active role in the economic development of the state, in addition to making relevant investments in culture, sport and social welfare initiatives.
The Banese Conglomerate’s business continuity is managed by Banese’s Information Security and Business Continuity Area, whose goal is to protect employees, ensure the continuity of the Conglomerate’s critical activities, safeguard revenue and maintain the confidence of clients and strategic partners in the delivery of products and services.
The Business Continuity Management comprises procedures for the recovery of critical activities in case of interruption in different levels and includes the following plans:
– Disaster Recovery Plans, focused on the recovery of the primary and secondary data center, as well as communication between them, ensuring continuous processing of the critical systems within the minimum predetermined periods;
– Operational Contingency Plan, under which employees are responsible for performing critical activities and rely on alternative facilities in order to perform their activities in case of unavailability in the main building where they work on a daily basis, in addition to having alternatives for the execution of critical processes identified in the business areas; and
– Emergency Plan, with procedures designed to minimize the effects of emergencies that may cause impacts on our facilities.
Banese currently has dedicated and fully equipped positions in its contingency site focused on meeting the needs of the business units in emergencies.
In order to maintain continuity strategies in line with the business needs, the Business Continuity Management carries out a Business Impact Analysis to assess the recovery criticality of the most relevant processes from the financial, legal, image and operational points of view. This analysis defines the priorities for recovery of the business environment.
It also has the Incident Response Plan, designed to manage business interruption events, natural disasters and environmental, social, technological, operational and infrastructure impacts or impacts of any other nature that represent a risk to the image, reputation or feasibility of the processes involving employees, clients, strategic partners and regulatory bodies, with timely and integrated responses.
The management of Cyber Risk in Banese is based on the principles established by CMN Resolution 4.893/2021, which regulates the institutionalization of a cyber security policy, in addition to providing the requirements for hiring data processing and storage services and cloud computing to be observed by institutions.
Cyber Risk comes from the possibility of losses arising from cyber attacks against IT infrastructure or corporate systems, affecting their integrity, confidentiality, and availability.
The Bank operates in a technological environment that is subject to failures and cyber security incidents, such as malware, phishing, and sophisticated attack artifices, with the intent to access, alter, manipulate, corrupt or destroy IT systems, computer networks and stored or transmitted information, as well as access to confidential or private client information by persons inside or outside the Bank or the interruption of services provided.
In case of failures in the institution’s security environment, we will be exposed, among other problems, to the risk of access to the environment by unauthorized third parties, infection of systems by malicious programs, dissemination of malware in the networks and undue visibility to the customer and/or strategic information for the bank, resulting in the unavailability of critical systems, generating financial losses due to deviation of financial resources, damaging the user experience due to connection degradation, in addition to causing image damage by data leakage and generating regulatory fines, sanctions, damages or even intervention by a regulator.
The Money Laundering and Terrorist Financing Prevention Committee aims to advise the Executive Board in carrying out its duties related to the adoption of strategies, policies and measures aimed at analysis and decision-making on the topic, in accordance with regulatory instruments and legislation of the regulatory bodies that deal with the subject.
MLPC carries out actions aimed at:
a) Keep watch over the procedures for detection, analysis and communication of situations provided for in Law No. 9,613/98 and its amendments, Law 13,810/19, Bacen Circular No. 3,978/20, Bacen Circular Letter No. 4,001/20, BCB Resolution No. 44/20, CVM Normative Instruction No. 50/21 and BCB Normative Instruction No. 262/22;
b) Monitor compliance with legislation, BACEN standards and other regulatory bodies, by all Bank Units, recommending administrative measures to the Executive Board, in the case of infringement that exposes the Bank to operational, legal and reputational risks;
c) Assess the reports and communications issued by the competent Supervisory Bodies and External Audit, determining the actions and measures that may be necessary;
d) Be aware of the processes communicated to COAF – Financial Activities Control Council that require greater attention when deciding whether to continue or terminate the business relationship with the client;
e) Disseminate the culture of internal controls in relation to Money Laundering Prevention;
f) Among other aspects.