Enterprise Risk Management Framework
A clear understanding of risks surrounding the business activities is crucial for any organization to create sustainable stakeholder value in executing its strategies. It is therefore essential to reinforce the overall strategy of an organization with a prudent risk management framework so that the opportunities are optimized while minimizing the effects of downside risks.
The approach to managing risk is outlined in PNB’s Enterprise Risk Management Framework (ERMF). This details the risk management process: the activities, tools, and organizational structure that ensure material risks are identified, measured, monitored, and managed throughout the entire organization. The Bank’s philosophy is that responsibility for risk management resides at all levels within the Bank. The ERM framework, through regular reviews and updates, has served the Bank well and has been resilient through economic cycles. We have placed strong reliance on this risk governance framework, which follows the Three Lines Model of The Institute of Internal Auditors (IIA): Governing Body, Management and Internal Audit.
- Governance and the Governing body role
Governance requires the implementation of appropriate structures and processes that enable accountability to stakeholders, action by management to manage risk, and assurance by an internal audit function. Through the Board of Directors, the governing body ensures there is an effective governance structure in place, where the Bank’s objectives and activities are aligned with the interests of its stakeholders. It also delegates responsibility to management, with the necessary resources, for achieving the Bank’s objectives while ensuring legal, regulatory and ethical requirements are met.
In all cases, there needs to be a strong communication line between management and the governing body. Aside from the Chief Executive Officer (CEO) being a member of the Board, leaders of second line roles such as the Chief Risk Officer (CRO), the Chief Information Security Officer (CISO)/Data Protection Officer (DPO) and the Chief Compliance Officer (CCO) have a direct reporting line to the Board. Both the CRO and the CISO/DPO report to the Risk Oversight Committee (ROC), and the CCO reports to the Board Audit & Compliance Committee (BACC). Finally, the governing body ensures there is an independent, objective, and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives.
- Management: First & Second line roles
Management’s responsibility to achieve organizational objectives comprises both first and second line roles. First line roles are the lines of business that are directly involved in managing risks. This entails the proactive self-identification of risks as well as the design and implementation of appropriate controls. Within the business lines, a culture of open communication is key to sustainable risk–return thinking. Discussions about new products, existing and new positions, and other issues must be broad and not limited to meeting financial targets. Data and information availability are a must to ensure that the front office and top management make relevant and timely decisions with respect to risk taking. Finally, limits and other basic controls must be respected.
The second line roles are the support units who provide expertise and insight to the first line in managing risks. For the Bank, second line roles include the Enterprise Risk Management Group (ERMG) and Global Compliance Group (GCG):
- ERMG implements the risk management framework and assists risk owners in reporting adequate risk-related information to the ROC.
- GCG ensures that a strong compliance program is in place, effectively monitored, and aligned with the risks of the Bank’s individual business processes. The second line roles may also recommend implementation of action plans, corrective actions or service recovery in managing the risk impact and prevent recurrence.
- Internal Audit: Third line roles
Internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of the Bank’s control, governance and risk management processes. It reports its findings to Management and the BACC to promote and facilitate continuous improvement. Internal audit’s independence from the responsibilities of management is critical to its objectivity, authority, and credibility. It is established through accountability to the governing body; unfettered access to the people, resources and data needed to complete its work; and freedom from bias or interference in the planning and delivery of audit services.
When working together and aligned with each other and with the prioritized interests of stakeholders, all roles collectively contribute to the creation and protection of value. Alignment of activities is achieved through communication, cooperation, and collaboration. This ensures the reliability, coherence, and transparency of the information needed for risk-based decision making.
By instituting a disciplined risk management culture and framework, PNB ensures oversight and accountability for risk at all levels of the organization and across all risk types. The Board of Directors, through the ROC and BACC, exercises oversight and provides guidance to the Bank’s experienced Senior Management Team who, through the Management Risk Committee (MRC), works closely with the business lines in managing risk. The seamless flow of a rich risk culture ensures effective implementation of the ERMF not only within the Bank, but also across its subsidiaries.