
Operational Risk Management (ORM) Framework

Losses arising from operational lapses can have a devastating impact on the operations of the “Company”, and affect
its bottom line and its relationships with stakeholders. It is, therefore, vital for the “Company” to have in place an
effective and suitable operational risk management framework that helps it manage the operational risks inherent in its
business and ensure sound operations.

The ORM Framework will help:


- provide a common definition and understanding of operational risk across the “Company”;
- provide an ORM organizational structure that will clarify risk management roles and responsibilities;
- determine the “Company’s” operational risk profile in comparison to its risk appetite, and
consequently put in place risk-mitigating control measures;
- identify, assess, monitor and control/mitigate operational risks on a regular basis, at all levels of the
organization, in all activities it undertakes, including but not limited to existing and newly-developed products,
business processes or procedures, and information and communication technology systems;
- develop and maintain a risk-smart leadership, workforce and environment.

Successful implementation of this ORM Framework depends heavily on individual responsibility and collective
oversight. Successful implementation is expected to lead to reductions in operational losses, errors and incidents,
as the “Company” will be better able to identify and address potential problems, and to do so more quickly.

The “COMPANY” ORM Framework shall have five (5) Basic Elements:

Element 1: Understanding Risk: provides a common understanding of operational risk, which is essential in
ensuring coordinated efforts towards the management of risks.

Element 2: Establishing Risk Management Function and Responsibilities: provides a discussion on the
corporate structure that will support the Operational Risk Management Framework. It outlines the roles and
responsibilities of the members of the organization as far as risk management is concerned.

Element 3: Developing the Corporate Risk Profile: provides a discussion on the processes, tools and techniques
that will help the “Company” identify and respond to its risk profile and risk appetite.

Element 4: Institutionalizing the Risk Management Process: provides a discussion on the risk management
process that will help the “Company” identify, assess, monitor and mitigate/control operational risks, and on how to
integrate that process into practices at all levels of the organization, in all activities it undertakes.

Element 5: Maintaining a Risk-Smart Leadership, Structure and Culture: provides a discussion on how the
“Company” can develop a risk-smart leadership, structure and culture.

Element 1: Understanding Risk
The “Company” as an institution must identify and understand the operational risks that it faces so that it may be
able to act on them appropriately. But it must start with understanding what operational risks are all about. All the
members of the organization must use a common language in order to have a uniform and coordinated approach on
risk management.

For the purpose of this paper, risk, in general, is defined as the possibility of loss, damage, or any other undesirable
event. It is inherent to the industry, in all of the “Company’s” activities, but can be avoided, mitigated, minimized or
contained within acceptable levels, transferred, and can even lead to innovation and opportunity, provided that it is
managed properly.

Operational risk, on the other hand, is one of the three major risks faced by the “Company”, the other two being
credit and market risk. The Basel Committee on Banking Supervision defines it as the risk of loss resulting from
inadequate or failed internal processes, people and systems, or from external events. The Basel definition includes
legal risk, but excludes strategic and reputational risk.

To be more specific, the “Company” defines operational risk as the potential loss arising from:
- process execution failures or errors, due to the absence or inadequacy of, non-compliance with, or disregard
or ignorance of policies, procedures or contracts;
- internal and external fraud or rogue practices, due mainly to a breakdown in, or inadequacy of,
internal control or corporate governance;
- a major failure of computer systems that delays transactions, or affects their accuracy, completeness and/or
validity;
- natural and man-made disasters that deny people access to, or damage, the “Company’s”
assets such as buildings and computers, and affect the capability of the “Company” to resume normal
operations; and
- legal liabilities due to employment practices, workplace safety, or changes in the regulatory
environment.

Note: Potential loss may be in the form of financial loss or other non-financial damages, such as loss of
reputation and public confidence that will impact the “Company’s” credibility and ability to transact, maintain
liquidity and obtain new business.

To better explain the above definitions, and clearly exclude non-operational risks, the following boundary rules shall
be followed:

What is included in the definition of Operational Risk

Legal and Regulatory Risks

Legal and regulatory risk is the risk of loss resulting from exposure to impacts such as fines, penalties, or punitive
damages from supervisory actions, or to judgments or private settlements. Examples are as follows:
• Court litigation or arbitration costs or damages
• Costs and fees resulting from litigation even if the same is dismissed or withdrawn
• Losses or costs involved where the “Company” itself is the victim and is seeking recovery through litigation
• Losses due to retroactive implementation of laws or regulations

What is excluded from the definition of Operational Risk

Strategic & Business Risk

Strategic and business risk is the risk of loss arising from flawed strategic or discretionary processes, and is
usually associated with senior management decision making, such as decisions on the following:
• Investment in new products, processes or systems
• Merger and acquisition
• Re-Engineering / Organizational Restructuring
• Opening up of new business centers or rationalization of business center locations
• Redundancy programs

However, risk events that occur during the implementation of the above-mentioned projects (e.g., illegal
termination of employment during redundancy programs, late payment of obligations to contractors, etc.) are
considered operational risks.

Credit Risk

Credit risk is the risk of loss due to counterparty default.

However, where the principal driver of the loss is attributable to operational failures (i.e., lapses in implementing the
procedures for carrying out a credit transaction), the loss must be considered operational risk. Examples are as
follows:
• Erroneous or defective credit rating, scoring or evaluation system that resulted in the approval of transactions
with non-creditworthy clients
• Failure to insure a collateral, or failure to monitor adequacy of collateral or appraise or update the value of the
collateral and make a collateral call
• Failure to seek approval for a credit transaction, or wrong approval authority that led to inadequate review of
the transaction and eventually resulted in a loss
• Processing errors that prevented discovery of defaulting loan obligations
• Booking errors that reduced the value of obligation of borrowing client
• Legally defective or unenforceable or missing or incomplete loan documents, due to improper review and
safekeeping of such documents.

Market Risk

Market risk is defined as the risk of loss due to changes in market prices on outstanding positions taken through
discretionary market judgements.

However, where the principal driver of the loss is attributable to operational failures (i.e., lapses in implementing the
procedures for carrying out a trading transaction), the loss must be considered operational risk. Examples are as
follows:
• Processing errors, such as when a different currency is used or entered in the computer system, diminishing
the value of the transaction
• Accounting errors that led to erroneous marking-to-market of transactions
• Failure to properly execute a stop loss
• Failure to observe transaction limits
• Erroneous market valuation models that led to wrong investment decisions
• Failure to secure proper approval for transactions in excess of limits
• Incomplete documentation
• Unauthorized trading

Reputational Risk

Reputational risk is the risk of loss resulting from damage to the company’s reputation. Although operational risks
may sometimes lead to damage to the company's reputation, the losses attributable to such reputational damage shall
not be considered operational in nature. Nevertheless, proper management of operational risk also serves to
protect the “Company’s” reputation.

And while operational risk is regarded as a discipline distinct from credit and market risk, its management should
be seen as supporting the building of a robust credit risk and market risk infrastructure. Having the proper controls,
processes and systems, which is partly what operational risk management is about, creates an environment that
supports credit and market risk-taking activities.

Element 2: Establishing Risk Management Function and Responsibilities
Risk management can be defined as the culture, processes, and structures that are directed towards the effective
management of risks. However, risk management can only be achieved at all levels of the “Company”, and in all
activities it undertakes if there is an organizational structure that will support the full implementation of established
risk management policies and procedures.

In the case of the “COMPANY”, management of risk is the responsibility of everyone. That responsibility rests with
all members of the organization, at all levels and in all offices of the “Company”. Each individual, regardless of rank,
position and nature of work, is a risk manager, and shall be held accountable for managing risks in his or her area of
responsibility.

The basic foundation of the “COMPANY” Operational Risk Management framework is the clear definition of the
roles and responsibilities of all the members of the organization with regard to risk management. In this regard, a
robust risk management structure shall be in place in the “Company” to ensure adequate oversight and
implementation of the ORM Framework. The principal responsible offices are as follows:
- Board of Directors
- Senior Management Committee
- Operational Risk Unit of the Risk Management Group
- Line Management
- Internal Audit Division

To wit, the organizational structure shall work as follows: the ORM Framework and the risk management policies and
structures, including basic control policies, shall be:
1. formulated or designed, and continuously improved, by the Risk Management Group;
2. approved and mandated for implementation by the Board;
3. strictly monitored in their implementation by Senior Management;
4. implemented by Line Management; and
5. regularly reviewed for adequacy and effectiveness by the Internal Audit Division.

Board of Directors and Senior Management

The Board of Directors and the Senior Management of the “Company” shall be actively involved in the oversight of
the operational risk management framework.

Board of Directors

The Board of Directors shall be responsible for the following:


• Review and approval of the ORM Framework, including revisions thereto;
• Annual review of the effectiveness of the framework;
• Review and approval of the risk profile appropriate to the “Company’s” growth strategy;
• Require management to set up an appropriate system of internal control to effectively identify, assess,
monitor and control/mitigate operational risk, and monitor its maintenance;
• Regularly receive, review and take appropriate actions and decisions on operational risk reports submitted by
the Senior Management;
• Assess the ability and effectiveness of the Senior Management in managing operational risks;
• Ensure the regular audit of the “Company’s” operational risk management system;
• Put in place an appropriate employee training and reward-punishment system to promote operational risk
management and develop a risk-smart workforce and environment.

The Board may delegate risk-related responsibilities to the Risk Management Committee and the Audit Committee.
In such a case, these committees must advise the Board about the risk reports they receive from management.

There shall be at least one (1) non-executive director in the Board with expertise in the area of risk management
(including operational risk) to provide independent insight.

Senior Management

Senior Management, on the other hand, shall be responsible for the following:
• Implement the Operational Risk Management Framework and be ultimately responsible to the Board for the
management of operational risks;
• Set up an appropriate internal control system that will ensure the effective management of operational risk;
• Review the risk exposure and the monitoring mechanisms on a regular basis;
• Regularly submit to the Board reports on overall operational risk management;
• Ensure that, for every organizational change, each business unit's responsibilities in operational risk
management are clearly defined;
• Equip operational risk management with appropriate resources, including but not limited to financial and human
resources;
• Adjust operational risk management strategies in response to internal and external events.

Risk Management Group and its Operations Risk Unit

There shall be a risk management office, named the Risk Management Group, which must be independent from other
business units in the organization in order to ensure the consistency and effectiveness of risk management. The Risk
Management Group, specifically its Operational Risk Unit, shall be responsible for defining the Operational
Risk Management Framework and related policies, and for ensuring their enterprise-wide and consistent
implementation.

It shall be responsible for the following:


• Formulation, and coordination of the implementation, of risk policies and procedures, for approval by the Board,
including but not limited to policies and procedures that identify, assess, mitigate and monitor operational
risks and report the results of operational risk assessments;
• Development, implementation, review and reporting of the results of bottom-up “self-assessments”, resulting
in a specific operational risk profile for each business line that highlights the areas with high risk potential, and
monitoring of the implementation of corrective actions;
• Loss event database development, maintenance, analysis and reporting;
• Capture, monitoring and analysis of Key Risk Indicators and Key Performance Indicators, and reporting of the
results of that analysis;
• Development of plans, tools and techniques preparatory to the adoption of more advanced risk management
methodologies;
• Assisting, and consequently equipping, other business units with the knowledge and skills to identify, assess,
monitor and control/mitigate operational risk.

Line Management

Primary responsibility for identifying, assessing and day-to-day mitigating or managing operational risks rests with
Line Management. By "Line Management", this Framework refers to heads of business units who administer the
activities of the “Company”.

To perform this role, Line Management must:


• effectively align the corporate and the business level strategies with the risk appetite and tolerance of the
“Company”;
• be responsible for the training, competence and continuous professional development of its people. Though it
may appoint a staff member within the department to take charge of operational risk management, it shall make all
members of the department aware of their risk-related responsibilities, including knowledge of risk management
policies and procedures;
• implement on an on-going basis risk management approaches that will help identify and assess the operational
risks in the departments;
• manage the risk profile of its own department, and coordinate and establish with other offices a cross-functional
approach in managing common risks that impact their respective activities.

Internal Audit Division

The Internal Audit Division shall not be directly involved in other departments’ operational risk management. It shall
independently audit the adequacy and effectiveness of the “Company’s” ORM Framework and internal controls.
Specifically, it shall:
• check compliance by all members of the organization with internal controls;
• report its findings and propose corrective actions to the Audit Committee, which shall, in turn, advise the Board
of Directors of the same, for appropriate action;
• check the “Company’s” capability to handle operational risk events in a timely and effective manner;
• check the adequacy of the “Company’s” capital provisions for operational risks.

Element 3: Developing the Corporate Risk Profile
The “Company’s” strategies and resources must be adjusted to the risks it actually faces and is willing to tolerate. To
do so, it must know its corporate risk profile. Developing a corporate risk profile involves taking stock of the
organization's operating environment, identifying key risks, and reviewing the organization's capacity to deal with
these risks. The corporate risk profile is endorsed by senior management, submitted to the Board of Directors for
review and approval, and updated annually.

Considering all these risks, the “Company” shall then define its risk appetite and tolerance.

Risk appetite is the amount of risk the “Company” is willing to accept in the normal course of business as it
pursues its strategic and financial objectives. Risk taken within appetite may give rise to expected losses,
but these should be sufficiently exceeded by expected earnings.

Risk tolerance is an assessment of the maximum risk the “Company” is willing to sustain for short periods of
time. It emphasizes the downside of the risk distribution, and the “Company’s” capacity to absorb unexpected
losses. The capacity for unexpected losses depends on having sufficient capital and liquidity
available to avoid insolvency. Risk tolerance typically provides an upper boundary for the “Company’s” risk
appetite.

Developing a corporate risk profile involves the following activities:


• Planning and preparation;
• Conducting an environmental scan;
• Understanding the organization's risk tolerance;
• Assessing current risk management capacity;
• Developing risk response; and
• Stating or finalizing the corporate risk profile.

Planning and Preparation

There must be a process methodology, approved by senior management, that provides a structured and
disciplined approach to collecting the data necessary for developing the corporate risk profile. These methodologies
will identify the organization's threats or risks and provide the process by which the “Company” may decide how
to deal with such risks. As of the date of this paper, these methodologies shall include, but not be limited to, the following:
• Risk and Control Self-Assessment (RCSA), a bottom-up self-assessment exercise to be
conducted at department level, enterprise-wide. The results will be the specific operational risk profile of each
business unit and, when collated, the Corporate Risk Profile. The RCSA exercise will highlight the functions
and processes with high-risk potential.
• Loss Events Database, a methodology for the capture and use of all operational risk loss data.
• Key Risk Indicator (KRI) identification and assessment methodology.

These and other future approaches must be able to assess the risk profile at the department or business line level,
so that appropriate risk management measures may be adopted for each department or line of business.

In implementing these methodologies, briefings or workshops shall be conducted jointly by the Operational Risk
Unit of the Risk Management Group and the Training Department of the Human Resources Group for the
members of the organization who are handpicked to support the endeavor. These briefings or workshops
are meant to gain support for, and an understanding of, the corporate risk profile development program. The briefing or
workshop would cover the following:
• Risk management concept;
• Corporate risk profile concept and objectives;
• Roles of and expectations from participating business units or individuals; and

• What information needs to be collected to develop the corporate risk profile, how this will be done, and
what will be done with the information collected.

Conducting an Internal and External Environmental Scan

Internal and external risk factors that could significantly and adversely influence or affect overall management
priorities, performance, and achievement of corporate objectives must be identified through environmental scan or
risk identification process. The scan includes the following:
• the identification and description of internal and external risks that significantly influence the achievement
of the organization's objectives (key risk areas);
• an overview of the department's capacity to manage risk in terms of existing competencies and systematic
processes;
• an identification of target risk units (activities, operating groups, systems, and programs that require
specific attention because they entail significant potential risks); and
• systematic methods of managing risk for the priority target risk units.

Risk data collection may be done through:


• techniques like brainstorming;
• official sources of risk information like audit reports, performance reports, and other management
information systems; and
• surveys or interviews.

All risk areas or information identified during the process must be classified by the function with which the risk is
identified, the type and/or source of risk, and a ranking scale. The data will then be organized by program, business
line, discipline or functional area, geographic location, type of risk, source of risk, or a combination of these and
other relevant categories.

Understanding the Organization's Risk Tolerance

An organization's tolerance for risk varies with evolving and prevailing conditions in its internal and external
environments. It is necessary to understand the organization's risk tolerance so that the appropriate measures in
handling the risks may be applied.

In understanding the organization's risk tolerance level, the following must be considered:
• the organization's operating control policies;
• the organization's performance expectations and actual performance;
• previous reactions of the organization on past risk events and issues;
• shareholder expectations;
• regulatory constraints; and
• economic environment.

Assess Current Risk Management Capacity

The following must be identified to fully understand the organization's capacity in managing risks:
• resources of the “Company” which can be used to manage risks, and adequacy thereof;
• skills of human resources.

Developing the Initial Risk Response

All collected information must be used to come up with assumptions, which need to be validated and analyzed.
Analysis should cover:

• assessment of all the risks facing the organization in terms of likelihood and impact on the achievement of
corporate objectives;
• identification of which risks need to be managed first, and at what level of the organization;
• linking of the risks to corporate objectives; and
• ways or options to manage such risks.

The “Company” shall have the following options for dealing with its risk exposures:
• Avoid the risk by not engaging in the activity.
• Transfer or reduce the risk exposure by buying insurance.
• Accept the risk. When the “Company” does so, it may use any of the following strategies:
    Pricing: obtaining a return commensurate with the risk posed by an activity.
    Capital: maintaining a strong capital position in order to absorb possible losses from taking on more risk.
    Controls: having in place the necessary systems, processes and procedures (collectively referred to here as
    a risk management system) to identify, assess and control risks by keeping them at acceptable levels.

Stating the Corporate Risk Profile

The final step is to produce a document depicting the corporate risk profile. This document will then be presented to
the Board of Directors for review and approval.

Element 4: Institutionalizing the Risk Management Process
Management of risk must be sustained throughout the organization by making it an indispensable part of the
“Company’s” everyday life. All members of the organization must be committed to sustaining it, applying it to all kinds
and levels of activities, and making it part of the decision-making process.

The day-to-day management of operational risk exposures shall be through the maintenance of the following:
• standard process of identifying, assessing, mitigating/controlling and reporting risks when introducing new or
revising existing products, processes or systems;
• system of basic internal controls to ensure the safety and soundness of “Company” operations;
• risk reporting system to ensure prompt and accurate escalation of risk issues to appropriate bodies; and
• risk mitigation programs including but not limited to Business Continuity Management and the Operational
Risk Insurance.

The Standard Risk Management Process

A rigorous risk review and sign-off process (the risk management process) shall be applied when introducing a new,
or revising an existing, product, process or system. For the purpose of this paper, product, process and system are
defined as follows:

"Product" refers to all products and services offered, or to be offered, by the “Company”, such as
Peso Savings Account, deposit pick-up, Super Payroll.

A business "Process" is a set of coordinated tasks and activities that will lead to accomplishing a specific
organizational goal. Examples of which are cash deposit, Manager's Check processing, loan release, sale of
acquired assets, purchase of office supplies, credit review, sale of foreign exchange, GOVERNMENT
reports generation.

"System" refers to technology-related solutions, or a computer system, or a network of related computer
software, hardware, and data transmission devices, such as Platform “Company”ing, Easymatics, OPICS,
Financial Management System.

Thus, no new product, process or system, and no revision or improvement to an existing one, shall be
implemented without first going through the standard risk management process.

Primarily responsible for ensuring and documenting compliance shall be the product champion, or process or system
owner. The same format used for the “Company’s” Risk and Control Self-Assessment shall be used for conducting a
risk assessment of new or revisions to existing products, processes and systems. All members of the organization
who are involved in the conceptualization, review, testing and/or implementation of such initiatives shall review and
sign off the risk assessment before the initiatives are implemented.

The risk assessment or the Standard Risk Management Process shall involve the following steps:

1. Risk Identification: This involves defining or identifying the problems or threats to the organization as a whole,
or for each activity or function or procedure involved in implementing the product, process or system;

2. Risk Assessment: This involves (a) analyzing key risk areas, the types or categories of risks, and the degree of
exposure to such risks (expressed as likelihood and impact); (b) ranking risks as to severity and prioritization of
management;

3. Risk Mitigation / Control: This involves (a) defining risk management objectives and expected outcomes for
each of the identified and ranked risks; (b) identifying and analyzing mitigation options on how to minimize threats
and maximize opportunities; and (c) choosing the appropriate option based on the perceived risk tolerance of the
organization;

4. Risk Reporting: This involves identifying ways to monitor and report identified risks when the product, process
or system is already in place.

Risk Reporting

The “Company” shall have a system for monitoring and reporting operational risk status and material losses. Material
losses, critical risk issues and operational risk events should be reported to the Board of Directors, through the Risk
Management Committee. Such reports must be supported with proposed measures to mitigate or control the risks.

At the very least, the Board of Directors must be apprised of the following reports:
- Results of KRI (Key Risk Indicators) monitoring system
- Analysis of Loss Events Database information
- Internal Audit reports
- Insurance Report

Core Operational Control Standards

The “Company” shall have a system of basic internal controls, called the Core Operational Control Standards, for
the effective management of operational risk. The “Company’s” Core Operational Control Standards are the
policies, procedures and practices established to help ensure that the “Company” personnel carry out board and
management directives at every business level throughout the “Company”. These activities help ensure that the
board and management act to control risks that could prevent the “Company” from attaining its objectives.

The Core Operational Control Standards shall include, but not be limited to, the following:
• Proper accounting records;
• Documented, updated and disseminated policies and procedures for all products, processes and systems;
• Establishing approvals and authorization for transactions and activities;
• Reconciliation;
• Review of operating performance and exception reports;
• Establishing safeguards or physical controls for the use of assets and records;
• Segregation of duties to reduce a person’s opportunity to commit and conceal fraud or errors;
• Requirement for mandatory leave;
• Rotation of duties;
• Number control;
• Knowledge of outside activities of employees;
• Sound recruitment policies; and
• Independence of the Internal Audit Division.

Proper Accounting Records

The “Company” must maintain at all times accurate, updated and complete accounting records of all its transactions.
These records should contain sufficient details to meet management and supervisory needs, and to allow future audit
investigations to trace completed transactions to their point of origin. The “Company’s” Chart of Accounts should
conform to Government regulations. All accounting entries, including corrections or adjustments thereof, should
have proper approval. Members of the organization with bookkeeping function should not have cash-handling duties
and should never be in a position to originate or dominate accounting entries.

Adequate and Documented Policies and Procedures

The “Company” shall establish and document policies and procedures to cover all business activities. These policies
must be presented to and approved by the Board prior to implementation, and disseminated to all concerned
individuals and business units.

Policies and procedures must, at least on an annual basis or whenever necessary, be reviewed and updated to ensure
they reflect the “Company’s” changing environment (i.e., internal requirements and changes, new regulatory
requirements) and the Board of Directors' current tolerance for risk.

Policies and procedures governing the review and approval of significant policy and procedural exceptions must
also be provided. The documented exception policies and procedures should set out the mechanics for securing
exception approval and identify the persons responsible for approving it.

All documented policies and procedures must contain the following basic elements to ensure that the message the
“Company” wishes to convey is clearly understood by the intended users thereof:
• Purpose statement — A statement describing the activities covered by the policy and the risks controlled
through the policy.
• Objectives — A description of the objectives to be achieved through the effective implementation of the policy.
• General Policy — A statement describing the policy’s relationship to the “Company’s” general strategies. The
policy should be consistent with stated “Company”-wide objectives and strategies.
• Authority — A description of the management structure (committees and individuals) authorized to engage in
the activities covered by the policy.
• Responsibility — A description of the management structure (committee and individuals) responsible for
implementing the policy.
• Policy exceptions — A description of the process and procedures for approving exceptions to policy
parameters.

Policies and/or procedures authored by the business unit that intends to use them must be reviewed and signed off by
an independent office prior to implementation, to check for the following:
• Consistencies with established practices and controls in the “Company”;
• Compliance with regulations and internal policies; and
• Impact on other offices.

Transaction Approvals, Authorizations and Verifications

All “Company” transactions or activities must have prior approval by an authorized officer who is in the best
position to approve or execute decisions or transactions up to limits established by the “Company”. Approval may
be signified by the approval authority's full signature or initials manually affixed on the original copy of the
transaction document, or by the electronic equivalent of a signature.

Approval Authority is the authority to approve or execute decisions or transactions up to limits established by the
“Company”, and where the approver is ultimately responsible for the appropriateness, correctness and accuracy of
the decision or transaction which he/she is approving, or the details on the documents he/she is signing on.

In defining authorities, the “Company” shall adhere to the requirements of government institutions and to the
prevailing internal requirements and organizational structure of the “Company”. Only the Board of Directors, the
Executive Committee, the Chief Executive Officer, the Chief Operating Officer and the Senior Management
Committee may define signing authorities or approve the creation of committees, task forces, new offices or
Responsibility Centers with approval authorities.

Transaction Verification/Validation

Verification and validation of transaction details and activities are important control activities. The term
“verification/validation” shall mean that prior to the processing of or effecting a “Company” transaction, the identity
of the client/s has been established and the source of fund and the purpose of the transaction have been properly
determined.

The following control measures shall be observed in verifying/validating the authenticity of the transaction:

Design and Use of Documents and Records to Help Ensure that Transactions and Events are Recorded:
Documentary requirements play a vital role in any transaction of the “Company”. Thus, to effectively
ensure the authenticity and enforceability of any transaction between the “Company” and the clients,
standard forms must be used and accomplished by clients.

Signature Verification: The signature of the client in the transaction documents/ forms shall be verified
against the IDs presented by client and/or signature cards on file with the “Company”. The “Company”
shall perform signature verification as one of the control measures in validating the authenticity of the
transaction.

Confirmation of Client’s Identity: The submission by client of the acceptable identification requirements
(IDs) must be observed to further establish the identity of the client. Verification shall be done by the
“Company” by requiring the client to present acceptable ID to determine if the client is in fact the person
he/she claims to be, and ensuring that the ID submitted by the client matches the name of the client on the
transaction document and the person’s likeness matches the photo shown in the ID presented.

“Dual Control” Function

“Dual control” shall be defined as the verification of the work of one person by a second person to determine (1) that
proper authority has been given to handle the transaction, (2) that the transaction is properly recorded, and (3) that
the proper settlement of the transaction is made. Such control may be physical (e.g., one person witnesses another
person's execution of his job) or logical (e.g., a higher-level authorization password is required before a transaction
previously initiated by another person may proceed).

Dual control is based upon the premise that, for a breach to be committed, both parties would need to be in
collusion; because the pairs of people should always be alternated, a much greater level of corruption would be
required to breach dual control procedures.

When there is a control issue, or the transaction is vulnerable to losses, the routine of the transaction should be so
designed that at least two individuals are involved in its completion. In such cases, there should be a “maker” and a
“checker”, where the “checker” should always be a higher-level employee from the business unit handling the
transaction.

Processes or computer systems should be designed in such a way that a transaction will not be processed unless the
required “maker” and “checker” initials appear on the records of the transaction.

The “maker” and “checker” should not be related to each other within the third degree of consanguinity or affinity.

Both “maker” and “checker” shall be held responsible for the correctness of the transaction.
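As an added illustration (not part of the framework itself), the maker/checker rules above, together with the later rule that no employee processes a transaction affecting his/her own account, can be enforced as a gate in front of the posting step. The employees, their levels, the business units and the relationship register below are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Employee:
    emp_id: str            # used here as the initials affixed to the record
    level: int             # assumed scale: higher number = higher level of responsibility
    unit: str              # business unit the employee belongs to
    own_accounts: frozenset = frozenset()  # accounts the employee holds personally

@dataclass
class Transaction:
    txn_id: str
    unit: str              # business unit handling the transaction
    account: str           # account affected by the transaction
    amount: float
    maker: str = ""        # initials of the person who prepared it
    checker: str = ""      # initials of the person who verified it

# Constructed staff register (hypothetical employees, not from the framework).
STAFF = {e.emp_id: e for e in (
    Employee("E1", 1, "Cash", frozenset({"ACC-100"})),
    Employee("E2", 2, "Cash"),
    Employee("E3", 2, "Loans"),
    Employee("E4", 3, "Cash"),
)}

# Constructed register of declared relationships within the third degree of
# consanguinity or affinity; a real system would source this from HR records.
RELATED_PAIRS = {frozenset({"E1", "E4"})}

def are_related(a: str, b: str) -> bool:
    return frozenset({a, b}) in RELATED_PAIRS

def dual_control_violations(txn: Transaction, staff=STAFF) -> list:
    """Return the dual-control rules the transaction breaks; an empty list means it may proceed."""
    problems = []
    # Rule: both maker and checker initials must appear on the record.
    if not txn.maker or not txn.checker:
        return ["maker and checker initials must both appear on the record"]
    maker, checker = staff.get(txn.maker), staff.get(txn.checker)
    if maker is None or checker is None:
        return ["maker or checker is not a known employee"]
    # Rule: the work of one person is verified by a second person.
    if maker.emp_id == checker.emp_id:
        problems.append("maker and checker must be different persons")
    # Rule: the checker is a higher-level employee from the unit handling the transaction.
    if checker.level <= maker.level:
        problems.append("checker must hold a higher level than the maker")
    if checker.unit != txn.unit:
        problems.append("checker must belong to the unit handling the transaction")
    # Rule: maker and checker must not be related within the third degree.
    if are_related(maker.emp_id, checker.emp_id):
        problems.append("maker and checker must not be related within the third degree")
    # Segregation rule: nobody processes a transaction affecting their own account.
    for role, emp in (("maker", maker), ("checker", checker)):
        if txn.account in emp.own_accounts:
            problems.append(f"{role} may not process a transaction affecting their own account")
    return problems

def post(txn: Transaction, ledger: list, staff=STAFF) -> bool:
    """Post the transaction only when dual control is satisfied; both initials go on the record."""
    if dual_control_violations(txn, staff):
        return False
    ledger.append((txn.txn_id, txn.maker, txn.checker, txn.amount))
    return True

if __name__ == "__main__":
    ledger = []
    ok = Transaction("T1", "Cash", "ACC-200", 500.0, maker="E1", checker="E2")
    print(post(ok, ledger), ledger)
    bad = Transaction("T2", "Cash", "ACC-200", 500.0, maker="E1", checker="E1")
    print(post(bad, ledger), dual_control_violations(bad))
```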

Reconciliation

Documentary requirements play a vital role in any transaction of the “Company”. Therefore, in no case shall
“Company” transactions be processed without the required validated documents.
Proper and adequate accounting records must be maintained by the “Company”. These records should be kept up-to-
date and shall contain sufficient details so that an audit trail is established. The “Company” must ensure that all
“Company” transactions are recorded and booked to their appropriate general ledgers and subsidiary ledgers. All
transaction media shall bear official approval by the authorized officer/s, should be initiated by the authorized
associate from the originating unit, and should be checked by another person. Reconciliation/callback of transactions
posted shall be performed by a person other than the one who processed/posted the transactions.

Independent Checks on Whether Jobs are Getting Done and Recorded Amounts are Accurate

Direct Verification: Direct verification is another internal safeguard to protect the “Company” against
losses. As used in the profession, direct verification means the confirmation of accounts or records by
means of direct correspondence with the “Company’s” clients. These accounts or records include deposits,
loans, safekeeping and all other items which can be corroborated by the clients.

Independent Balancing: Independent balancing shall mean that transactions posted are reviewed by a
person other than the one who processed the transactions.

Safekeeping of Records: The “Company” shall retain all official records which have legal, administrative,
accounting and reference value to the “Company” or court or any other government institution. These
records or documents shall be retained for a period of at least five (5) years or permanently or in
accordance with the requirements of existing laws and regulations in the Philippines. Safekeeping of these
documents means both hardcopies and softcopies (whenever applicable) of the documents must be retained
free from tampering or corruption within the assigned retention period. The “Company” must at all stages
in a transaction be able to produce accurate records and retrieve relevant information, to the extent that is
available, without undue delay.

Review of Operating Performance and Exception Reports

Top level reviews shall be conducted by the Board of Directors and senior management through presentations and
performance reports of various units of the “Company”. Top level reviews shall focus on the following:
• Actual performance versus budget
• Comparisons to prior periods
• Performance versus competitor’s performance

A review of the reports showing actual financial results to date versus the budget will enable the senior management
to assess accomplishments against the committed goals, and determine whether there are gaps between actual and
desired performance. Likewise, questions raised by the senior management as a result of this review and the
response of lower levels of management represent a control activity which may detect problems such as control
weaknesses, errors in financial reporting or fraudulent activities.

Functional reviews are usually more detailed and occur more frequently than top-level reviews, and these are being
done to monitor functional areas or departmental activities. In functional reviews, the department or division heads
review standard performance and exception reports on a daily, weekly or monthly basis. Questions that are
generated as a result of reviewing the reports and the responses to those questions represent the control activity.

Physical Controls or Security of Assets

Physical Controls: Physical controls generally focus on restricting access to tangible assets, including cash and
securities. Control activities include physical limitations, dual custody and periodic inventories. The safeguard and
housing of assets, including the vault and the building quarters, demand adequate physical protection. Physical
control shall include the vault, grill door gate, keys that either make equipment inoperative, alarms and other
physical devices to protect the premises of the “Company”. It is extremely important that the “Company” pays close
attention to the security of its facility and all equipment, materials, records and files contained therein.

“Joint Custody” Function: “Joint custody” shall refer to the processing of a transaction in the presence of and under
the direct observation of a second person. Both persons shall be equally accountable for the physical protection of
the items and records involved.

Treatment of Assets: Employees of the “Company” must protect its assets and use the same for authorized business
purposes only. For purposes of this policy, the assets of the “Company” shall be divided into the following four (4)
major categories:

Proprietary Information: Proprietary information shall refer to any information or knowledge, the unauthorized
disclosure of which could disadvantage the “Company” competitively or financially, or subject the “Company” to
legal sanctions. Confidential information relating to the business and operations of the “Company” should not be
disclosed unless authorized by the “Company” and the law.

Funds and Property: Employees of the “Company” shall be responsible for safeguarding and making proper and
efficient use of its funds and property by following existing policies and procedures to prevent their loss, theft,
destruction or unauthorized use. At a minimum, controls must include a system of supervisory checks and balances
at all levels of the organization for all expenditures. Generally, all expenses must be accompanied by an official
receipt or supporting documents and must be duly approved by the authorized officers of the “Company”.

Records: The “Company” must safeguard and preserve the authenticity of all official records since transactions,
payments or events can only be verified/validated through said records.

Goodwill and Reputation: “Company” associates should act in a way that will not endanger or detrimentally affect
the goodwill and reputation of the “Company”. The actions and behavior of the employees and the conduct of
personal business even outside the “Company” may affect the public’s and the client’s perception of the
“Company”.

System-Related Matters: New systems to be installed in the “Company”, if required, should be reviewed by the
authorized regulatory office/s prior to implementation. For new products and services introduced by the
“Company”, a system must be in place to support the development of said products and services. Likewise, setting
up of a new system and enhancements of the existing systems must be cleared with the “Company’s” Information
Technology Group.

Segregation of Duties

The duties of all the officers and employees of the “Company” must be segregated, clearly defined, understood and
documented. This is to reduce a person’s opportunity to commit and conceal fraud or errors. In this regard, officers
and employees of the “Company” must have clearly defined, documented and updated job descriptions and the
activities being performed by each employee shall be subject to audit. The updated job descriptions must be made
known to and accepted in writing by the employee before he/she assumes the job responsibilities.

No one person should be allowed to complete a transaction from beginning to end. For effective control measures,
different people should be responsible for :
• authorizing the transaction;
• recording the transaction;
• handling the related assets; and
• monitoring the transactions.

An appropriate internal control system requires that there is appropriate segregation of duties and that personnel are
not assigned conflicting responsibilities. Areas of potential conflicts of interest should be identified, minimized and
subject to careful independent monitoring. There should also be periodic reviews of the responsibilities and
functions of key individuals to ensure that they are not in a position to conceal inappropriate actions.

No employee shall be permitted to process transactions affecting his/her own account.

If an associate is asked to relieve someone, the immediate supervisor of the reliever must ensure that there is no
conflict or control issue.

Requirement on Mandatory Leaves

Employees who handle sensitive positions shall be required to take an uninterrupted vacation within a consecutive
period prescribed by the “Company”.

Employees on vacation should stay away from “Company” premises.

A mandatory vacation schedule should be prepared for all the officers and employees of the “Company”. An
uninterrupted vacation from the “Company” within the prescribed period provides a simple yet effective internal
control. An enforced absence from daily work will also make an officer or employee physically and mentally
refreshed.

If possible, the mandatory vacation schedule should be unannounced to prevent the concerned employee from
manipulating “Company” records prior to his/her vacation leave. However, the supervising officer must ensure that
there is always a reliever or alternate who can take the place of the employee who will go on mandatory vacation
leave. During the employee’s absence, any errors or inconsistencies may be detected, and exceptions can be
investigated.

Rotation of Duties

Rotation of duty assignments is one of the control procedures that is closely related to mandatory vacations as both
result in a forced absence from regular duties. Mandatory vacations, however, are planned while rotations are
enforced without previous notice. The rotation should be of sufficient duration to be effective. Rotation of
assignments should be irregular and unannounced, and should last long enough to permit disclosure of any
irregularities or manipulations.

Rotation of duties is not only a basic internal safeguard but also a valuable aid in the training and development of
employees. It will develop among employees the necessary skills and experience which they would need when they
substitute for associates who are absent due to illness or vacation. It will also prepare them for positions of greater
responsibility.

Number Control

Sequence number controls, usually incorporated in the accounting system, shall be used in registering notes, in
issuing official checks and in other similar operations. Numbers on transactions shall be required to control
processing and to identify individual transactions.

Number controls should be monitored by a person who is detached from the particular operations involved. For
example, accounting for the consecutive numbers on money orders should be done by a person who does not prepare
the checks.

Sequentially pre-numbered instruments or forms make the operation of number controls more efficient. Unissued
pre-numbered instruments that can be used to obtain funds should be safeguarded through joint custody by the
designated custodians.
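As an added example (not part of the framework), the following Python reconciliation implements the number control described above for a block of pre-numbered instruments: it flags duplicate serials, serials outside the allocated block, voided forms that were nevertheless issued, and numbers that are neither issued, voided nor still in joint custody, and it checks that the person reconciling did not prepare any of the instruments. The register, the allocated range and the employee IDs are constructed sample data.

```python
from collections import Counter

# Constructed sample data for one block of pre-numbered official checks.
ALLOCATED_RANGE = (1001, 1010)     # block of serial numbers released to the unit
VOIDED = {1003}                    # spoiled forms returned to the custodian
ON_HAND = {1008, 1009, 1010}       # unissued forms still under joint custody
REGISTER = [                       # (serial number, prepared by, payee)
    (1001, "E1", "Vendor A"),
    (1002, "E1", "Vendor B"),
    (1002, "E1", "Vendor C"),      # same serial used twice
    (1004, "E1", "Vendor D"),
    (1005, "E2", "Vendor E"),
    (1007, "E1", "Vendor F"),
    (1011, "E1", "Vendor G"),      # serial outside the allocated block
]

def sequence_control_report(allocated, register, voided, on_hand, reconciled_by):
    """Reconcile a pre-numbered block; every number must be issued once, voided or on hand."""
    first, last = allocated
    expected = set(range(first, last + 1))
    counts = Counter(serial for serial, _, _ in register)
    issued = set(counts)
    preparers = {preparer for _, preparer, _ in register}
    report = {
        # a serial that appears on more than one instrument
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        # a serial the unit was never allocated
        "out_of_range": sorted(n for n in issued if n not in expected),
        # a form reported as spoiled but still used to issue an instrument
        "voided_but_issued": sorted(n for n in voided if n in issued),
        # a number that is neither issued, voided nor in custody: a missing form
        "unaccounted": sorted(expected - issued - voided - on_hand),
        # the person accounting for the numbers must be detached from preparation
        "independent_check": reconciled_by not in preparers,
    }
    report["clean"] = (
        not report["duplicates"]
        and not report["out_of_range"]
        and not report["voided_but_issued"]
        and not report["unaccounted"]
        and report["independent_check"]
    )
    return report

if __name__ == "__main__":
    for key, value in sequence_control_report(
            ALLOCATED_RANGE, REGISTER, VOIDED, ON_HAND, reconciled_by="E3").items():
        print(f"{key}: {value}")
```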

Knowledge of Outside Activities of Employees

Non-working activities of the members of the organization must be checked, including any immediate or sudden
change in their appearance or habits, which may be indicative of misconduct or spending habits that go beyond the
limits of their income.

In this regard, all members of the organization shall be required to submit on an annual basis a statement of their
assets and liabilities, certified by them as true and complete, which may be independently checked or verified by
the “Company”.

High-risk employees (due to financial difficulties as may be further defined by the Human Resources Group) shall
not be assigned to positions handling financial transactions or records.

Outside employment of the members of the organization must be disclosed and must have prior approval from the
Human Resources Group.

Sound Personnel Policies

(a) Recruitment – There must be a written formal procedure for employing new people to ensure that only men and
women of competence and integrity, who are qualified to handle responsibilities, staff the “Company”. All
relevant information, including previous employment, credit references and psychological state, should be
secured and made the basis for the decision whether or not to employ the person.

(b) Fair and Just Salary and Benefits Scale – To attract and keep honest staff members, the “Company” should pay
a fair salary consistent with earnings and growth of the financial institution and with the ability of the individual
to work according to the requirements of his position. Paying employees with fair and just salaries can reduce
the temptation to steal and minimize its rate of personnel turnover.

(c) Open Communication Channels Between Employees and Management – Employees should be free to discuss
with the Human Resources Group, their supervising officers or other designated offices their personal problems,
or any work-related problem or perceived violations to established policies and procedures, without fear of
criticism or censure.

(d) Code of Conduct or Discipline or Ethics – The “Company” shall have a code of discipline or ethics or conduct
that will serve as a guide for the conduct expected of the officers and employees in their day-to-day pursuit of
company objectives. This code of discipline should also spell out what constitutes violations and their
corresponding penalties. All members of the organization must be made aware of, and certify having read and
understood, the Code. Any changes to the Code should be communicated to all members of the organization.

Independence of the Internal Auditor

There shall be an Internal Audit office which should be independent of “Company” management, and must be
objective in its review of “Company” transactions. The Internal Auditor should not develop and install procedures,
prepare records nor engage in any activity which he normally would be expected to review or appraise.

Risk Mitigation Programs

Business Continuity

To ensure business continuity, and minimize losses resulting from disruption of business operations, the “Company”
shall have a Business Continuity Management Program that will cover at least the following:

1. Disaster Risk Reduction Program, or a program that will ensure that in all of the “Company’s” activities, the
risks are identified and measures are provided to reduce or mitigate them;
2. Crisis Management Program, or the Emergency Preparedness Plan, which will provide guidelines on how to
respond to all types of man-made and natural calamities or threats that may hit the organization, such as but not
limited to fire, flood, earthquake, employee strike, and bomb threats. The primary purpose of this program is to
ensure safety of personnel and protection of resources;
3. Business Continuity Plan, which will guide the “Company” in resuming business operations within an
acceptable timeframe after a disaster; and
4. Disaster Recovery Plan, which is a clearly defined and documented plan for recovering IT and
telecommunications capabilities when a disaster occurs.

Outsourcing

The “Company” shall have risk management policies with regard to outsourcing of functions to ensure that
outsourcing is subject to rigorous contracts and service agreements which clearly specify the obligations,
accountabilities and rights of the “Company” and the service providers. The outsourcing guidelines must comply
with the basic requirements of regulatory bodies as regards the outsourcing of functions.

Insurance

Whenever necessary, the “Company” shall purchase insurance to mitigate operational risks.

Capital Provisions

The “Company” shall make adequate capital provisions for the operational risk it undertakes, in compliance with the
requirements of regulatory bodies.

Element 5: Maintaining a Risk-Smart Leadership, Structure and Culture
Operational risk management is a continuing process. To ensure this, it is essential to embed risk management in the
organization. Developing a risk culture can be done by:
• Having an organizational structure that implements the ORM Framework, as discussed under Element No. 2;
• Regularly communicating the risk management program to all members of the organization;
• Selling the program as a team or collaborative effort; involving everyone in the implementation thereof; and
making each member of the organization an important part of the team;
• Having in place a training and education program for all members of the organization, which must be
comprehensive, visible, and ongoing;
• Setting in place all the necessary, adequate and appropriate information technology and communication tools
that everyone may use in identifying, assessing, mitigating / controlling and reporting operational risks;
• Developing human resource practices that encourage involvement in risk management, like the use of
recognition and reward initiatives;
• Conducting regular surveys of all the members of the organization to determine their attitudes to risk
management; and
• Making risk management an essential part of the organization's and its people's Annual Performance Appraisal.

Department-Level Risk Managers

As discussed under Element No. 2 of this paper, line management shall be primarily responsible for implementing
risk management processes. However, to reinforce accountability and ownership of risk and control, a "Risk
Manager" must be appointed in each department or business unit from among its incumbent members, who will
assist line managers in driving the risk management program in the department or business unit. The Line
Managers and the Risk Managers, in coordination with and/or with the assistance of the Operational Risk Unit of
RISK MANAGEMENT GROUP, shall implement the ORM Framework and form the “Company’s” core team of
risk-smart individuals. These individuals shall be trained to become the “Company’s” positive change agents.

Communicating Risk Management Programs

Risk management programs, policies, directives and the like must be promptly communicated to all members of the
organization by the Operational Risk Unit of RISK MANAGEMENT GROUP and all other offices which may,
from time to time, be involved in the implementation of the ORM Framework. Except when confidentiality must be
protected, everyone must have access to documents pertaining to said risk management programs, policies and
directives. Any activity that will be launched in support of the risk management program must be clearly articulated
so that its successful implementation will be ensured. As provided for in the Human Resources Manual of the
“Company”, supervising officers must ensure that all communications from management are shared and
discussed with their respective subordinates.

Training and Education Program

By developing a comprehensive training and education program, the organization will have a workforce that will:
• embrace the risk management culture and consider itself as a vital member of the organization;
• have full understanding of the risk management process;
• ensure consistent and correct implementation of the risk management process; and
• adhere to the need for continuous growth and improvement in its role as a risk manager.

The emphasis of the program is that everyone has a role to play in the process and that risk management is essential
in preventing loss.

The Operational Risk Unit of RISK MANAGEMENT GROUP shall coordinate with the Training Department of the
Human Resources Group in designing, implementing and continuously improving the training and education
program. But at the helm of this activity shall be the Board of Directors and the Senior Management, both of which
shall be recognized as the owner and driver of the program. The Training Department shall ensure enterprise-wide
coverage of the program.

The risk management training and education program should include:

• Risk management concepts and principles;
• Risk management terminologies;
• Expected benefits by the organization as a whole and by the members of the organization;
• Risk management organizational structure, and the roles and responsibilities of each member thereof;
• Risk management processes and tools.

Information Technology Solutions

The “Company” shall establish and maintain a quality, corporate-wide IT infrastructure that will incorporate the
components and requirements of the ORM Framework. The computer systems shall help in:
• providing mitigating controls in an end-to-end transaction cycle for each “Company” transaction or
process;
• the timely, accurate and complete identification of risks per “Company” transaction or process;
• the subsequent reporting thereof to the line managers and risk managers of the department or business unit
and the Operational Risk Unit of RISK MANAGEMENT GROUP;
• consolidating all related risk management data for easier analysis by the Operational Risk Unit of CRIMS.

Encourage Involvement

The “Company’s” work environment must be supportive of any initiative that will lead to successful implementation
of the risk management program. Support is demonstrated by:
• motivating and providing venues for continuous learning;
• valuing, encouraging and embracing new ideas and innovations; and
• rewarding those that have contributed positively to the attainment of the goals of risk management.

Annual Survey

The Operational Risk Unit of RISK MANAGEMENT GROUP shall undertake an annual risk management survey
of randomly selected members of the organization. This is to gauge the effectiveness of risk management-related
programs and to provide an opportunity to solicit suggestions on how to improve the program. Any issue raised by
staff must be reported to management and acted upon accordingly.

Annual Performance Appraisal

Each business unit and each member of the organization must take ownership of particular risks and associated
controls relating to the job and/or transactions they are handling. The successful implementation of the risk
management program or the failure thereof must be considered in the performance appraisal for the individual and
the business unit.
