The Internal Controls and Risk Management policies of Banese are based on the recommendations of the Basel Accord, the Resolutions of the National Monetary Council – CMN and the Central Bank of Brazil, and on the other regulations dealing with internal controls and corporate risk management. The prudential measures recommended, so that our activities abide by the internal rules and regulations and risk mitigation, have been adopted as the basis for preparation and disclosure of specific communication vehicles for all units of the bank.
The market, credit, liquidity, operational, social and environmental and capital management risks inherent to the institution’s business are managed using a corporate approach by the Internal Controls and Capital and Risk Management areas, together with the areas where they arise, in accordance with specific internal policies and regulations. The systematic review of the internal controls, and the continuous monitoring of the risks using in-house methodologies or those regulated by the Central Bank of Brazil provide the information that determines the implementation of action plans and corrective measures directed at the efficiency of the mitigation controls, while also quantifying how much prudential capital must be allocated for the potential occurrence of losses.
The outcome of these analyses and the corrective actions are presented for approval by the Bank’s Board of Directors through periodic reports.
The main Senior Management body is the Board of Directors, which is responsible for the information disclosed on Capital and Risk Management, among other duties. The Executive Board has several responsibilities, including assisting Senior Management in decision-making. The Chief Executive Officer is responsible for guiding, monitoring, controlling and enforcing the resolutions passed and objectives established by the Board of Directors. The Finance, Controls and Investor Relations Office (FCIRO) is responsible for the information disclosed about Capital and Risk Management.
Banese’s risk management structure is linked to the Risk Management Superintendence and the Strategic Management and Finance, Controls and Investor Relations Office (FCIRO). It has a Capital and Risk Management Committee, internal and non-statutory, composed of career technicians of the institution, which helps Senior Management in decision-making.
Please see below the organizational chart of the control and risk management structure.
The purpose of the Capital and Risk Management Committee is to assist the Executive Board in its duties related to the adoption of strategies, policies and measures focused on risk management. It is composed of internal members who understand, in an integrated and comprehensive manner, the risks that may impact the institution.
Among other duties, the Capital and Risk Management Committee:
a) Systematically monitors the activities carried out by the Conglomerate, in order to assess whether the credit risk, market, liquidity, socio-environmental and capital management objectives are being attained in all the areas, in accordance with internal limits and policies, the applicable laws and regulations, as well as ensure that any non-compliances can be promptly remedied;
b) Issues opinions on the Half-Yearly Report addressed to the Executive Board and the Board of Directors;
c) Manages the Prudential Conglomerate’s capital;
d) Ensures that treasury operations remain within the risk limits set by the Liquidity Risk Management Policy;
e) Outlines strategies to maximize available treasury funds preserving adequacy between assets and liabilities (rates and terms);
f) Analyzes changes in the Bank Reserve;
g) Validates, on a monthly basis, the Liquidity Contingency Plan approved by the Executive Board with regards to its execution potential; and
h) Helps review risk appetite levels established by the Board of Directors.
i) Among others.
The purpose of the Ethics and Compliance Committee is to help the Executive Board perform its duties related to the adoption of strategies, policies and measures focused on:
a) Internal controls and operational, legal and reputation risks;
b) Information security and business continuity;
c) Compliance with and improvement of the Code of Ethics;
d) Issue of opinions on the Half-yearly Report of Internal Controls addressed to the Executive Board and Board of Directors, prepared by the Risk Management Superintendence, together with the Internal Controls and Compliance Area, evidencing the Bank’s conformity with CMN Resolutions 2.554/1998 and 4.557/2017.
e) Among others.
The purpose of the Incident Response Committee is to assist the Executive Board in the performance of its duties related to the adoption of strategies, policies and measures focused on the review of and decision on the procedures, structure and guidelines that support the ability to respond to and manage business continuity incidents, crises and relevant situations that may compromise Banese’s image and reputation.
Banco do Estado de Sergipe S/A, in compliance with the provisions of National Monetary Council Resolutions 4.327/2014 and 4.557/2017 dealing with social and environmental risk management and integrated risk management, respectively, the recommendations of Basel III and the provisions of Law 9.613/98, has a corporate risk management structure capable of identifying, assessing, monitoring, controlling and mitigating its risks, including those arising from outsourced services.
Capital and Risk Management at the Banese Conglomerate is a fundamental instrument for the efficient use of capital and for choosing the best business opportunities, in order to achieve the best risk-return ratio for its shareholders and to generate systematic information for mitigating the organization’s risks without prejudicing the bank’s search for operational efficiency.
Banese defines “Operational Risk” as the possibility of losses occurring from failures, deficiencies or shortcomings in internal processes, people and systems, or from external events that may negatively impact the development of the Bank’s activities.
Operational Risk includes legal and reputational risks. Operational risk events include:
- Internal and External Fraud;
- Labor claims;
- Improper practices relating to clients, products and services;
- Damages to physical assets owned or used by the institution;
- Risks leading to interruption of the institution’s activities;
- Information Technology systems’ failure;
- Failure in execution, compliance with deadlines and management of the institution’s activities;
- Deficient security of the workplace.
In order to provide an appropriate environment for identification and assessment of risks, BANESE applies an Operational Risk Management Policy that is approved and reviewed at least on a yearly basis by the Executive Board and the Board of Directors. This policy clearly defines the roles and duties of the employees and units regarding operational risk management.
In accordance with CMN Resolution No. 4.557/17 and the provisions set forth in the Basel Accord, this Policy represents a set of global guidelines that is established by the Bank’s management to define the model adopted in order to enable, in addition to the fulfillment of the legislation in force, the adoption of risk identification practices and mitigation controls that ensure that all processes, products and services offered by Banese are safe and competitive, reducing the losses relating to operational risks, and approved by the relevant signing authorities.
The Finance, Controls and Investor Relations Office (FCIRO) is the unit responsible for managing the operational risk, with the support of the Executive Board and the Board of Directors. The Risk Management Superintendence, through the Internal Controls and Compliance Area (ARCIC), is responsible for promoting the policy’s culture and the implementation of methods for identification, classification, assessment and mitigation of risks, and control and corrective actions for processes and procedures.
Operational risks are reported to the Ethics and Compliance Committee (COMEC) and the Executive Board on a monthly basis. Reports containing the risks identified and the relevant mitigation plans, where applicable, are regularly submitted to the Board of Directors.
With respect to the allocation of capital resulting from the calculation of the portion of the Core Capital Required for Operational Risks, Banese adopts the Simplified Alternative Standardized Approach – APAS.
Banese Internal Controls and Compliance Policy, which is approved and reviewed at least on a yearly basis by the Executive Board and the Board of Directors, is a set of global guidelines referenced in CMN Resolution No. 2.554/1998 and the Principles of the Basel Accord, which govern all activities relating to controls for identification, prevention and monitoring of risks inherent to our business and activities. The Policy defines the responsibilities of all units involved.
Management and monitoring is incumbent on the Risk Management Superintendence through the Internal Controls and Compliance Area (ARCIC), by means of automated management tools.
In order to protect the Institution from involvement in direct or indirect financial transactions intended to transform funds from illegal sources into legal funds that are introduced in the financial market, the Bank has a published Anti-Money Laundering Policy (AMLP).
The Anti-corruption Policy, Know-Your-Customer Principles, and Know-Your-Employee Principles, which are intended to guarantee ethics and safety to our business, are also available in our intranet system.
The Finance, Controls and Investor Relations Office (FCIRO) is responsible for managing the PCLD process at the Institution. It is the responsibility of the Risk Management Superintendence, through the Internal Controls and Compliance Area, to monitor the application of AML policies and procedures using automated management tools.
The Market Risk Management Policy of the Banese Conglomerate is approved and reviewed at least on a yearly basis by the Executive Board and the Board of Directors, and it consists of a set of global guidelines defined by the Senior Management to establish the internal model adopted for compliance with the legislation in force, and to control the risk of the Bank’s transactions on the financial market.
“Market Risk” arises from the possibility of losses occurring as a result of fluctuations in the market values of sale and purchase positions held by the Financial Institution. It includes the risk from operations that are subject to variation in exchange rates, interest rates, and share and commodities prices.
The management of market risks enables identification and monitoring of the institution’s market risks in transactions made in its trading and banking portfolios; determination of VaR (Value-at-Risk) limits at absolute and percentage values, which are calculated based on previously established time horizons, and classified according to exposure volumes: by risk factor and portfolio profile, relating them to the Bank’s Shareholders’ Equity, when consolidated positions are considered; performance of assessment tests in the systems used for measuring and monitoring market risks; and creation of stress scenarios based on previously established parameters, taking into account the exposures to different market risk factors and changes in positions held by the institution.
All roles and responsibilities relating to the market risk management structure are clearly defined in this Policy. The Finance, Controls and Investor Relations Office is responsible for Market Risk Management activities, as provided for in CMN Resolution No. 4.557/2017. The Risk Management Superintendence, duly supported by the Capital and Risk Management Area – ARGER, is responsible for analyzing calculations, monitoring, control and compliance, as well as preparing reports. The Capital and Risk Management Committee – COGER and other Executive Offices are co-responsible for managing this Policy through their relevant areas.
Banese’s Liquidity Risk Management Policy is approved and reviewed at least on a yearly basis by the Executive Board and the Board of Directors. It represents a set of global guidelines that is established by the Bank’s Executive Board, based on Resolution No. 4.557/2017, which defines the norms that must be respected by the units responsible for controlling and monitoring the Liquidity Risk.
Liquidity Risk originates from discrepancies between tradable assets and liabilities due – that is, the “mismatching” between accounts payable and receivable – that may affect the Bank’s payment capacity, taking into account different currencies and terms for settlement of rights and obligations. It involves the risk that an institution’s reserves and cash and cash equivalents are not sufficient to pay its obligations when they fall due. In other words, it is the institution’s temporary lack of capacity to settle its commitments due to mismatching of cash flows, as a result of mismatching of maturities or volumes of estimated receipts and payments.
In accordance with the roles and responsibilities of the Liquidity Risk management structure, the Finance, Controls and Investor Relations Office (FCIRO) is responsible for managing the policy and reporting the decisions made by the Executive Board and the Board of Directors to the Central Bank. The Risk Management Superintendence, through the Capital and Risk Management Area – ARGER, is responsible for analyzing calculations, monitoring, control and compliance, and preparing reports. The Capital and Risk Management Committee – COGER and other Executive Offices are co-responsible for managing this Policy through their relevant areas.
In order to guarantee the efficacy of Liquidity Risk management, the process includes procedures to identify the events that may interfere in liquidity (funding, investments, administrative and investment expenses), cash flow generation, analysis of scenarios (internal and external indicators), preparation of the Contingency Plan, and liquidity reserves in extreme situations, as well as the establishment of minimum liquidity levels.
Banese’s Credit Risk Management Policy, which was approved and is reviewed at least on a yearly basis by the Executive Board and the Board of Directors, aims at improving credit risk management, guaranteeing the integrity of credit assets, establishing appropriate risk and loss levels, and improving the Bank’s quality standards and performance. Accordingly, the principles that guide this policy are in line with CMN Resolution No. 4.557/2017, the principles of the Basel III Accord, and the best market practices, aiming at correct identification, measurement, control and mitigation of credit risks associated to the products and services provided by the Bank.
Credit Risk is defined as the possibility of losses arising from failure by borrowers or counterparties to meet their financial obligations as contracted, from the impairment of loans due to downgrading of the borrower’s risk rating, from reductions in earnings and remuneration, from benefits granted in debt renegotiations, and from recovery costs.
Credit risk management is performed by the Risk Management Superintendence, through the Capital and Risk Management Area – ARGER, which is a unit independent from the business areas, while the management of this policy is under the responsibility of the Finance, Controls and Investor Relations Office (FCIRO). The Capital and Risk Management Committee – COGER, the Internal Audit and the other Executive Offices are co-responsible for managing this Policy through their relevant areas. The units participating in the credit process are responsible for strictly following these guidelines, regardless of the scope of their activities or responsibility levels.
Banese’s credit risk management structure includes policies, manuals, norms and procedures intended to reduce risks. Transactions subject to credit risk are classified in categories based on economic and financial conditions, updated registration data, and use of instruments to reduce credit risks associated to the transaction.
The Banese Conglomerate uses a statistical, probabilistic and predictive risk classification system to rate individual clients, who are grouped into homogeneous classes of risk, each of which is assigned a risk score. For corporate clients, we use a parametric risk classification system. We adopt methodologies for the institutional management of credit risk that include credit V@R (Value at Risk), Stress test, RAROC (Risk-adjusted Return on Capital), Pricing of Operations and Credit Assets, Concentration Measurement, Credit Risk components of Risk-Weighted Assets (RWA Cpad) and the Backtest model.
The processes adopted for classification, analysis, validation of systems, models and internal procedures and used for managing corporate risk are continuously monitored and periodically reviewed, aiming at improving the quality and timing of information, and resolving the problems identified.
The Capital Management Policy is approved and reviewed at least on a yearly basis by the Executive Board and the Board of Directors. It represents a set of global guidelines that is established by the Bank’s Executive Board, based on Resolution No. 4.557/2017, which defines the norms that must be respected by the units responsible for controls, monitoring, assessment, target planning and Capital requirements.
The Capital Management process aims at achieving the organization’s strategic objectives, being compatible with the nature of operations, complexity of products and services, and the dimension of the Institution’s risk exposure.
In accordance with the roles and responsibilities of the Capital and Risk management structure, the Finance, Controls and Investor Relations Office (FCIRO) is responsible for managing the policy and reporting the decisions made by the Executive Board to the Central Bank. The Risk Management Superintendence, through the Capital and Risk Management Area – ARGER, is responsible for analyzing calculations, monitoring, control and compliance, and preparing reports. The Capital and Risk Management Committee – COGER and other Executive Offices are co-responsible for managing this Policy through their relevant areas.
The Social and Environmental Responsibility Policy is approved and reviewed at least on a yearly basis by the Executive Board and the Board of Directors. It represents a set of global guidelines that is established by the Bank’s Executive Board, based, as provided for in Resolutions No. 4.327/14 and 4.557/2017, on the best market practices, aiming at the correct identification, measurement, control and mitigation of social and environmental risks.
Social and Environmental Risk is defined as the possibility of losses occurring as a result of social and environmental damages. It is based on the principles of Relevance, Proportionality, Efficiency, Transparency, Ethics, Compliance and Fight against Corruption.
Banese Conglomerate seeks to anticipate the management of social and environmental risks by analyzing different risks that may intensify social and environmental risks, such as the credit risk, reputational risk, operational risk etc.
Image risk is the possibility of losses arising from damages to the institution’s image in the market and with regulatory bodies due to negative publicity caused by internal practices, risk events and external factors that may generate a negative perception of the institution by clients, counterparties, shareholders, investors, supervisors and business partners, among others, with an impact on the value of the brand and/or financial losses and a negative effect on the bank’s ability to maintain existing business relationships, start new business and/or continue to have access to funding sources.
The Banese Conglomerate’s image risk is managed by the Superintendence of Strategic Management, which monitors the Banese Group’s daily exposure in the state media through the Digital Channels and Marketing Area. The Institution believes that news items associated with the brand help strengthen the group’s image, since, in general, they present the institution as a solid, modern company that plays an active role in the economic development of the state, in addition to making relevant investments in culture, sport and social welfare initiatives.
The Banese Conglomerate’s business continuity is managed by Banese’s Information Security and Business Continuity Area, whose goal is to protect employees, ensure the continuity of the Conglomerate’s critical activities, safeguard revenue and maintain the confidence of clients and strategic partners in the delivery of products and services.
The Business Continuity Management comprises procedures for the recovery of critical activities in case of interruption at different levels and includes the following plans:
– Disaster Recovery Plans, focused on the recovery of the primary and secondary data center, as well as communication between them, ensuring continuous processing of the critical systems within the minimum predetermined periods;
– Operational Contingency Plan, under which employees are responsible for performing critical activities and rely on alternative facilities in order to perform their activities in case of unavailability in the main building where they work on a daily basis, in addition to having alternatives for the execution of critical processes identified in the business areas; and
– Emergency Plan, with procedures designed to minimize the effects of emergencies that may cause impacts on our facilities.
Banese currently has dedicated and fully equipped positions in its contingency site focused on meeting the needs of the business units in emergencies.
In order to maintain continuity strategies in line with the business needs, the Business Continuity Management carries out a Business Impact Analysis to assess the recovery criticality of the most relevant processes from the financial, legal, image and operational points of view. This analysis defines the priorities for recovery of the business environment.
It also has the Incident Response Plan, designed to manage business interruption events, natural disasters and environmental, social, technological, operational and infrastructure impacts or impacts of any other nature that represent a risk to the image, reputation or feasibility of the processes involving employees, clients, strategic partners and regulatory bodies, with timely and integrated responses.