For successful risk management governance that encompasses all potential risks, responsibilities are assigned across different units of the Bank. These assignments form three distinct lines of defense.

The First Line of Defense is executed by business units where risks are taken. As part of their everyday operations, staff in these units are at the forefront of accurately identifying, assessing, managing, and reporting risk exposures. This is done in line with the Bank's risk appetite, policies, procedures, and controls.

The Second Line of Defense is delivered by the independent risk management and compliance functions. The risk management function primarily oversees the Bank's risk-taking activities, carries out risk assessments, and reports independently from the business units. Meanwhile, the compliance function ensures adherence to laws, corporate governance rules, and internal policies.

The Third Line of Defense is ensured by an independent internal audit function. Their responsibility lies in offering assurance on the effectiveness of the Bank’s risk management framework, including the risk management governance arrangements (incorporating the first and second lines of defense).

Effective risk management necessitates a reporting and review structure to ensure risks are effectively identified and assessed, and appropriate controls and responses are implemented. Regular audits of policy and standards compliance are conducted, and standards performance is reviewed to pinpoint areas for improvement.

Considering we operate in evolving environments, changes within the Bank and its operating context are recognized, and necessary adjustments are made to systems. The monitoring process guarantees that there are appropriate controls for the Bank’s activities and that the procedures are understood and adhered to.