Affin Bank Berhad | Annual Report 2020
STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

The risk management approach of the Group is underpinned by a sound and robust Group Risk Management Framework ("GRMF"), which is continuously enhanced to remain relevant and resilient in ensuring effective management of risk. The GRMF is supported by the following elements:

GROUP RISK MANAGEMENT FRAMEWORK

a. Governance
• A robust risk governance structure is in place to proactively manage risk within the Group through the establishment of risk appetite and risk management policy as well as the implementation of risk management policy and risk compliance.
• GRMF is governed by a strong oversight function comprising the Board and Management Committees.
• The governance of risk is further supported by the Three Lines of Defense Model, which outlines the functional segregation and key responsibilities of the independent oversight functions and business units.

b. Risk Appetite
• The Group’s risk appetite defines the amount and types of risk that the Group is able and willing to accept in pursuit of its business objectives.
• It sets out the level of risk tolerance and limits to govern, manage and control the Group’s risk-taking activities.
• The strategic objectives, business plans, desired risk profile and capital plans are aligned to the risk appetite.
• The processes for assessing, setting, controlling, monitoring and reporting risk appetite are outlined in the Risk Appetite Framework.

c. Risk Culture
• Risk culture stems from the values, beliefs, knowledge and understanding about risk shared by the employees within the Bank.
• Effective implementation of the GRMF is grounded on a robust and healthy Risk Culture, achieved through components of Tone from the Top, accountability, effective communication and financial/non-financial incentives.

d. Risk Management Policy
• Risk Management Policy is a statement of the Bank’s overall intentions and approach with respect to certain areas of risk management. Risk Management Policies should clearly state the objectives for, and commitment to, risk management.
• The GRMF is supported by several Risk Management Policies which address the respective risk areas in further detail. At a minimum, these policies would entail:
  a) The rationale for managing the risk area
  b) Links between the Bank’s objectives and the Risk Management Policy
  c) Accountabilities and responsibilities for managing risk
  d) Commitment to make the necessary resources available to assist those accountable and responsible for managing risk
  e) The way in which risk management performance will be measured and reported
  f) Commitment to review and improve the Risk Management Policy periodically and in response to an event or change in circumstances
• Adherence to Risk Management Policies is mandatory, and only exceptions allowable under the policy are exercisable, with reasonable documented justification in writing.

e. Risk Management Organisation
• While GRM is mandated to carry out the risk management function, risk management is fundamentally the responsibility of everyone within the Bank.
• Risk Management Organisation indicates that the appropriate structure is in place to support risk management and risk ownership at all levels of the Bank. In a mature Risk Management Organisation, risk is viewed, addressed and owned by each staff member.
• The effectiveness of a Risk Management Organisation stems from the positive implementation of all elements within the GRMF.