Risk Management

Enterprise Risk Management Overview

⇒ SME Bank adopts the risk management and internal control principles of the international standard set by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the principles of Enterprise Risk Management (ERM), and the guidelines of the Bank of Thailand and the Ministry of Finance as its framework for risk management, so that the operations of SME Development Bank meet the goals that have been set with stability and good governance.
⇒ SME Development Bank has set directions and strategies for risk management operations to support the Bank’s operations in achieving its objectives and goals, as follows:

1. SME Development Bank has established standardized risk management guidelines that are acceptable and suited to the mission and activities of the Bank and are integrated with the organization’s strategic plan. There is a work plan and measures to manage risks, leading to practice that is in the same direction. Risk management policies and processes are reviewed regularly, or when there is a significant event or change, to make the policy and risk management process of SME Development Bank more efficient and effective.
2. SME Development Bank arranges for the development of important risk management work systems, such as the development of operational risk management systems; the development of a loss data/incident data collection system to provide a database for calculating capital adequacy according to international standard guidelines; and the development of an Early Warning System for monitoring and sending early warning signals, developed from key risk factors linked to the organization’s goals.
3. SME Development Bank prescribes that risk management is the responsibility of all departments, starting from the Board of Directors of SME Development Bank, management, executives and all employees, who act as drivers of risk management down to the risk agency level to raise awareness and implementation until it becomes the organization’s culture of risk management and internal control (Risk Culture). SME Bank provides communication to create knowledge and understanding among the stakeholders of SME Development Bank in matters related to good corporate governance, risk management and internal control. This is disseminated through various channels such as SME Bank’s website, publications and various reports, to create awareness until good risk management and internal control become a corporate culture under the Governance, Risk Management and Compliance (GRC) Integrated Program.
4. SME Development Bank provides continuous development of personnel and risk management tools to keep up with the situation, so that personnel are professional in risk management at an acceptable level, resulting in SME Bank’s work plans achieving their goals efficiently and effectively.
5. SME Bank embeds risk management into the organization’s culture, including requiring all sectors, from the Board of Directors of SME Bank, the Risk Oversight Committee, management, executives and employees in various departments, to participate in the risk management of SME Development Bank continuously, in order to manage the risks of SME Bank in accordance with the principles of Enterprise Risk Management (ERM).

Operational Risk Management

⇒ The Bank recognizes the importance of operational risk management. The Board of Directors has approved the operational risk management policy and defined operational risk management as the responsibility of all directors, executives and employees, who implement the operational risk management system as a part of their work until it becomes an organizational culture. The essence is as follows.

1. Structure and functions of units related to operational risk management
The Bank separates duties clearly in writing and announces them throughout the organization. Roles and responsibilities are as follows:
1.1) Board of Directors
Approve policies and risk management strategies covering the various types of significant risks, including the operational risk management policy, Risk Appetite (RA) and Risk Tolerance (RT) approved by the Risk Oversight Committee, as well as supervise compliance with regulations set by supervisory authorities and with policies set by the Bank.
1.2) Risk Oversight Committee
Consider and approve the overall risk management policy and strategy, covering key types of risks, including operational risk policies. Determine the level of risk acceptable to the organization (Risk Appetite: RA) and the level of risk allowed to deviate (Risk Tolerance: RT) to present to the Board of Directors in a timely manner in order to have effective internal control, and acknowledge the internal control evaluation report according to the Ministry of Finance’s criteria, Internal Control Standards and Regulations for Government Agencies B.E. Situations follow the Risk Culture and report to the Board of Directors.
1.3) Audit Committee
Supervise and monitor actions to ensure that management’s action plan to manage key risks has been put into practice seriously, as well as give suggestions to the management to improve the risk management process.
1.4) All departments within the Bank, which are the owners of the risk
– Strictly abide by the operational risk management policy and relevant regulations, and report damage information.
– Provide appropriate risk management measures and the risk management plan set, including performing risk management duties and cultivating a risk culture by encouraging employees to realize the importance of risk management.
1.5) Risk Management Department
– Prepare an operational risk management policy, and review the policy at least once a year or when there is an important event that may affect the operation or service of the Bank at an acceptable level, and report operational losses (Operational Loss Data).
– Control, observe and test, including preparing and reviewing a Business Continuity Plan (BCP) at least once a year and reporting the results of the BCP plan.
– Communicate and create a risk culture. Make employees at all levels aware of their duties and their responsibility for risk management in relation to themselves.
– Supervise and ensure compliance with the policy on using services from business support providers (Business Facilitator Policy) and give opinions on the main risks in using the service.
– Conduct risk assessments, operational processes and control activities in accordance with the Bank’s risk management framework, as well as give opinions on operational risks in the process of launching new products (New Product Process) or when there is a change in operational processes.
1.6) Internal Audit Department
Evaluate the operational process, risk management and internal control, and compliance with laws, rules, regulations, policies, orders, manuals, operational procedures and ethics, including giving advice on improving the internal control system, and prepare a report on inspection results.

2. Operational Risk Management Process
2.1) Risk Identification
All departments within the Bank have a duty to specify and review operational risks at least once a year or every time there is a change in various risk factors that affect operational processes, such as new product launches, the issuing of official regulations, work restructuring, etc.
2.2) Risk Assessment
Risk assessment is the result of the assessor conducting a self-assessment according to the Risk Control Self-Assessment (RCSA) form. The assessment results depend on the degree of damage (Severity) and the likelihood or frequency (Likelihood) of damage occurring.
2.3) Risk control and management
The department ranks the risks in order of priority to set up an internal risk control system. The main objective of the control system is to control the risks to an acceptable level, and it must be able to clearly mitigate risks. Where a risk has a high likelihood but low impact (High Frequency / Low Severity), control measures may be considered to reduce the likelihood of such risks, such as increasing the verification process (Check and Balance), preparing operational manuals, etc. For a risk that has a low likelihood but a high severity of impact (Low Frequency / High Severity), risk control can be done by finding measures to reduce or limit potential impacts, such as setting transaction limits, insurance and the preparation of a BCP plan, etc. For risks that have a high likelihood of occurrence and a high level of impact severity (High Frequency / High Severity), the agency should avoid or cancel that operation, or consider hiring an outsider to perform it instead (Outsourcing), to reduce the risk.
2.4) Operational Risk Monitoring and Reporting
All departments, together with the Risk Management Department, set Key Risk Indicators (KRIs), with risk factors and risk profiles being reported, in order to manage operational risks appropriately and to recommend guidelines for preventing, controlling, and mitigating risks.

3. Operational Risk Management Guidelines
3.1) Information Technology Management
The Bank has established an information technology risk management policy, Information Security Policy, or Information Technology Service Outsourcing Policy to prevent information technology-related risks that may occur.
3.2) Operational Risk Management in Banking Units
Operational risk management is the duty and responsibility of department heads, who supervise and manage operational risks in their departments, including risk level setting (Risk Appetite / Risk Tolerance) and operational risk information reporting.
3.3) Personnel management and risk management personnel
The Bank has a policy to develop the Bank’s personnel to increase knowledge and expertise and to raise the standard of work so as to support future competition, including cultivating awareness of risk management. The Bank will maintain quality risk management personnel with appropriate compensation, encourage employees to be aware of their duties and responsibilities for operational risk management and corporate ethics, and implement good internal control principles such as segregation of duties, etc.

4. Use of outside service providers
The Bank has established a policy for using services from service providers to support business operations, in order to supervise the operation of the service provider and reduce the risks that may occur. The supervision covers the following: business continuity management and the provision of services to customers (Business Continuity); customer protection (Consumer Protection) by keeping customer information secure; and risk management for the use of services from business support service providers (Business Facilitator Risk Management).

5. Establishment of a business continuity plan (BCP)
The Bank has set up a BCP plan to allow relevant departments to carry out important transactions continuously without affecting the business operations, reputation, status and operating results of the Bank.

6. Promoting corporate culture and principles of good corporate governance (Risk Culture & Good Governance)
The Bank supports and places emphasis on instilling awareness of creating a control system so that it becomes a part of the Bank’s culture, and so that stakeholders at all levels realize that control activities are the responsibility of everyone within the Bank. The management of an agency is responsible for operational risks within its own agency. There is regular monitoring, control and development of risk management within the department to create a risk management culture within the department, in accordance with the principles of good corporate governance.

7. Raising awareness of risk management and a culture of risk control
The Board of Directors or the assigned committee and senior management will take the lead in communicating, guiding, and emphasizing the importance of controls, to be a good role model for employees. The executives of each unit will be the ones who instill awareness of creating an internal control system and create awareness about risk management within the organization.

