“We are strengthening our risk management foundation and building from our current capabilities to align and work more effectively with our business to embed risk management into the DNA of the organisation so that we are able to better optimise our risk-returns to create value and to serve our customers better across the Group”
Dr John Lee

The Maybank Group takes proactive measures to manage various risks posed by the rapidly changing business environment. These risks, which include credit risk, market risk, liquidity risk, reputational risk, business risk, strategic risk and operational risk, are systematically managed within the Group’s risk governance, infrastructure and tools.
During the year, some of the major risk factors impacting the Group’s business operations include:

The Group continues to plan, monitor and respond to these internal and external risk factors in an anticipative manner.
Some of the key risk achievements and measures undertaken by the Group during the year include:
As part of our risk management strategic initiatives, Maybank Group has embarked on a Risk Transformation Programme (“RTP”).
The key objective of the RTP is to redesign the current state risk architecture of the Group to align the capabilities of the Group risk function to the strategic aspirations of the Group. The RTP is aimed at enhancing our overall risk management processes globally, increasing our ability to manage risks in all markets that we operate in, improving business responsiveness, optimising our risk-return capabilities, and being a market leader and thought leader in risk management in the region.

Effective 1 July 2011, the Group Credit & Risk Management team was re-organised to provide a more robust and aligned platform with enhanced capabilities to further strengthen the risk management functions across the Group in support of the Group’s regional business aspirations.

The following chart illustrates the risk governance structures of Maybank Group.

The Risk function is independent of the origination and sales functions to ensure that the necessary balance in risk/return decisions is not in any way compromised by business pressures to generate revenues. This is particularly crucial given that revenues are recognised immediately while losses arising from risk positions only manifest themselves over time.
The Risk function is also responsible for implementing and maintaining the Group’s Risk Management Framework, ensuring that it remains relevant and appropriate to the Group’s activities. Other functions include administering risk-related governance and reporting processes.
In light of the Group’s operating structure and geographic expansion, the Group continuously enhances its integrated risk management approach towards the effective management of enterprise-wide risks in the Group. Key components of the Enterprise Risk Management (ERM) framework include:
The Group views the ERM process as a structured and disciplined approach to align strategies, policies, processes, people and technology with the specific purpose of evaluating all risks in line with enhancing shareholder value.
In line with the ERM, the Group has adopted and consistently practised the Seven Broad Principles of Risk Management to ensure integration in purpose, policy, methodology and risk culture across its regional footprint.
The Seven Broad Principles define the key principles on accountability, independence, structure and scope.
| No. | Principles |
| --- | --- |
| 1 | The risk management approach is premised on three lines of defence – risk taking units, risk control units and internal audit. |
| 2 | The risk taking units are responsible for the day-to-day management of risks inherent in their business activities while the risk control units are responsible for setting the risk management frameworks and developing tools and methodologies for the identification, measurement, monitoring, control and pricing of risk. Complementing this is internal audit which provides independent assurance of the effectiveness of the risk management approach. |
| 3 | Risk management provides risk oversight for the major risk categories including credit risk, market risk, liquidity risk, operational risk, reputational risk, business and strategic risk, model risk and other industry-specific risks. |
| 4 | Risk management ensures that the core risk policies of the Group are consistent, sets the risk tolerance level and facilitates the implementation of an integrated risk-adjusted measurement framework. |
| 5 | Risk management is functionally and organisationally independent of the business sectors and other risk taking units within the Group. |
| 6 | The Board, through the Board Risk Management Committee, maintains overall responsibility for risk oversight within the Group. |
| 7 | Risk management is responsible for the execution of various risk policies and related business decisions empowered by the Board. |

The 1st Line of Defence is primarily responsible for managing specific risks assumed by them in their day-to-day activities.
The 2nd Line of Defence provides the specialised resources for developing risk frameworks, policies, methodologies and tools for the management of material risks taken by the Group as a whole.
The 3rd Line of Defence involves internal audit, whose task is to independently review the adequacy and effectiveness of the risk management process.
With growing emphasis on managing risk at the source, the Group has reinforced the 1st Line of Defence through the formalisation of embedded risk management units within the Business sectors.
The principal risk types facing Maybank Group are addressed within the policies and processes as highlighted below:
| Risk Type | Definition of Risk Type | Risk Mitigation Strategies |
| --- | --- | --- |
| Credit Risk | Credit Risk is the risk that the Bank will suffer a financial loss in the event a customer or counterparty fails to make a contractual payment. | The Group has a strong credit culture which incorporates a clear credit policy, robust credit evaluation and approval and sound credit portfolio management. Credit risk in the portfolio is continuously evaluated and reviewed by business together with risk units. Senior management and the Board have good oversight of the credit risks and play an active role in credit risk management. |
| Market Risk | Market risk is the risk of losses in earnings and capital resulting from movements in market factors such as interest rates, forex and credit spreads. | The Group measures, manages and controls its market risk exposure by using tools such as VaR, PV01, Greek limits, Net Open Position Limit, and so forth. Where appropriate, the Group also mitigates/offsets the effect of its currency exposures through the use of various hedging instruments. |
| Operational Risk | Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. It includes legal risk, but excludes strategic and reputational risk. | The ORM Framework is aimed at managing operational risk throughout the Group. It is periodically reviewed and aligned against the Group’s business strategy and directions ensuring the business objectives and operational risk management objectives are aligned and consistent. Various tools and techniques are used to minimise operational risk to an acceptable level. |
| Liquidity & Funding Risk | Liquidity risk arises when a bank is unable to make a timely payment on any of its financial obligations to customers or counterparties in any currency. This may be due to the bank’s inability to liquidate assets or to obtain funding to meet its liquidity needs in a timely manner. | The Group uses a range of tools to monitor and control liquidity risk exposure such as liquidity gap, early warning signals, liquidity indicators and stress testing. The liquidity positions of the Bank are monitored regularly against the established policies, procedures and limits. |
| Reputational Risk | The risk that a bank’s reputation is damaged by one or more than one reputation event, as reflected from negative publicity about the bank’s business practices, conduct or financial condition. Such negative publicity, whether true or not, may impair public confidence in the bank, result in costly litigation, or lead to a decline in its customer base, business or revenue. | The Group’s reputation is preserved through managing all the risks that affect the Group’s reputation through good corporate governance, effective risk management processes and a structured management of reputation events when they occur. |
| Model Risk | Model Risk is defined as the risk that models used in calculation of regulatory capital do not meet the required standards set. | This risk is managed through ensuring there is appropriate governance and standards on model development, control over model implementation and effective model validation process and setting of model accuracy thresholds. |
| Credit Concentration Risk | Credit concentration risk refers to the concentration to any single exposure or group of exposures that has the potential to produce losses large enough to undermine the financial health of the bank. | The Group adopts a proactive, robust and controlled policy-driven approach in portfolio policy development. The Group’s guiding principle in its lending activity is to diversify its loan portfolio mix and avoid any undue concentration of credit risks in its portfolio. Independent assessment on the Group’s portfolio profile is undertaken to mitigate concentration risk. |
| Business/Strategic Risk | The risk of current or prospective impact on a bank’s earnings, capital, reputation or standing arising from changes in the operating environment, adverse strategic decisions, improper implementation of decisions or lack of responsiveness to industry, economic or technological changes. | The Group has a well-established risk governance structure and team that reviews the overall risk appetite that is approved by the Board. The Group adopts the ‘Treat’ or ‘Tolerate’ strategies to balance risk and return, taking account of changing conditions through the economic cycle, monitors economic trends in the market closely and continuously reviews the suitability of our risk policies and controls. The Group keeps a close watch on key regulatory developments in order to anticipate changes and potential impact on performance with the focus of continuously improving our risk governance structure and framework. |
| Compliance Risk | These are risks arising from non-compliance with laws, rules, regulations or other standards applicable to the bank. | The Compliance sector of the Group continually reviews, enhances and implements policies, procedures and operations to ensure that all regulatory requirements are complied with. The setting up of the Risk Assurance & Surveillance function further strengthens this mitigation process. |
A strong capital position is essential to the Group’s business strategy and competitive position. The Group’s capital strategy focuses on long-term stability, which enables it to build and invest in market leading businesses.
The Group’s objective in managing its capital resources is to maintain sufficient and adequate capital resources given current and future requirements.
Detailed discussion on Capital Management can be found in Note 48, page 396 of the financial statements.
At Maybank Group, the overall capital adequacy in relation to its risk profile is assessed through a process articulated in the ICAAP. The ICAAP Framework has been formalised and approved by the Board for consistency and has been implemented within the organisation to ensure all material risks are identified, measured and reported, and adequate capital levels consistent with the risk profiles are held.
In line with Bank Negara Malaysia’s Guideline on ICAAP, the Group’s ICAAP closely integrates the risk and capital assessment processes. The ICAAP framework is designed to ensure that adequate levels, including capital buffers, are held to support the Group’s current and projected demand for capital under existing and stressed conditions.
Detailed discussion on ICAAP can be found in Note 49, page 397 of the financial statements.
The Group’s stress testing programme is embedded in the risk and capital management process of the Group and it is a key focus area during the capital planning and business planning processes.
Detailed discussion on Regular Stress Testing can be found in Note 49 (c), page 397 of the financial statements.
For detailed disclosures on Risk Management refer to page 442 for Basel II Pillar 3 Disclosures.