We believe that a strong risk culture is vital to the long-term sustainability of the Bank’s business franchise. It ensures that our decisions and actions are considered and focused on our customers, and that we are not side-tracked by perceived short-term gains. Specifically, risk culture refers to the norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks*. At UOB, our risk culture is based on our values.
UOB's Risk Culture Statement
Managing risk is integral to how UOB creates long-term value for our customers and stakeholders. Our risk culture is built on four principles: enforcing robust risk governance; balancing growth with stability; ensuring accountability for all our risk-based decisions and actions; and encouraging awareness, engagement and consistent behaviour in every employee. Each of these principles is based on UOB’s distinctive set of values that guides every action we take. In entrenching our risk culture further across our franchise, we uphold our commitment to financial safety and soundness; fair outcomes and appropriate support for our customers; sustainable and prudent business approach and performance based on integrity, ethics and discipline.
*Guidelines, Corporate Governance Principles for Banks, Basel Committee on Banking Supervision, July 2015.
UOB’s risk management structure, as shown in the following diagram, underpins the Group’s risk culture. Under the structure, the various risk and control oversight functions work with the business and support units to identify their risks and to facilitate their risk and control self-assessments.
Our risk management strategy is targeted at embedding our risk culture so as to facilitate ongoing effective discovery, management and mitigation of risks arising from external factors and our business activities and to set aside adequate capital efficiently to address these risks. Risks are managed within levels established by the senior management committees and approved by the Board and its committees. We have put in place a framework of policies, methodologies, tools and processes that will help us identify, measure, monitor and manage material risks faced by the Group. This enables us to concentrate our efforts on the fundamentals of banking and to create long-term value for all our stakeholders.
The Group’s risk governance frameworks, policies and appetite provide the principles and guidance for the Group’s risk management activities. They help to shape our key decisions for capital management, strategic planning and budgeting, and performance management to ensure that the risk dimension is appropriately and sufficiently considered. In particular, the Group’s Internal Capital Adequacy Assessment Process (ICAAP), which incorporates stress-testing, takes into consideration the Group’s risk appetite to ensure that the Group’s capital, risk and return are within acceptable levels under various stress scenarios. We also take into consideration the Group Risk Appetite in the development of risk-related key performance indicators (KPIs) for performance measurement. This serves to embed a risk culture and risk management mindset throughout the organisation.
Our risk identification, assessment, monitoring and reporting processes are governed by applicable risk management frameworks, policies and appetites. Risk reports are regularly submitted to Management and the Board to keep them apprised of the Group’s risk profile.
UOB’s responsibility for risk management starts with the Board overseeing a governance structure that is designed to ensure that the Group’s business activities are:
In this regard, the Board is primarily assisted by the Board Risk Management Committee (BRMC). The BRMC reviews the overall risk appetite and level of risk capital to be maintained for the Group.
The CEO has established senior management committees to assist him in making business decisions with due consideration to risks and returns. The main senior management committees involved in this are the Management Executive Committee, Risk and Capital Committee, Asset and Liability Committee, Credit Committee and Operational Risk Management Committee. These committees also assist the Board Committees in specific risk areas.
The Management and the senior management committees are authorised to delegate risk appetite limits by location, business units and/or broad product lines.
Risk management is the responsibility of every employee in the Group. Risk awareness and accountability are embedded in our culture through an established framework that ensures appropriate oversight and accountability for the effective management of risk throughout the Group and across risk types. This is executed through an organisational control structure that provides three "Lines of Defence" as follows:
First Line of Defence - The Risk Owner:
The business and support functions have primary responsibility for implementing and executing effective controls to manage the risks arising from their business activities. This includes establishing adequate managerial and supervisory controls to ensure compliance with risk policies, appetite, limits and controls and to highlight control breakdowns, inadequacy of processes and unexpected risk events.
Second Line of Defence - Risk Oversight:
The risk and control oversight functions (Group Credit and Risk Management, and Group Compliance) and the Chief Risk Officer provide the Second Line of Defence.
The risk and control oversight functions support the Group’s strategy of balancing growth with stability by establishing risk frameworks, policies, appetite and limits within which the business functions must operate. The risk and control oversight functions are also responsible for the independent review and monitoring of the Group’s risk profile and for highlighting any significant vulnerabilities and risk issues to the respective management committees.
The independence of risk and control oversight functions from business functions ensures the necessary checks and balances are in place.
Third Line of Defence - Independent Audit:
The Group’s internal and external auditors conduct risk-based audits covering all aspects of the First and Second Lines of Defence to provide independent assurance to the CEO, Audit Committee and the Board, on the effectiveness of the risk management and control structure, policies, frameworks, systems and processes.
The Group’s governance framework also provides oversight for our overseas banking subsidiaries through a matrix reporting structure. Our subsidiaries, in consultation with Group Risk Management, adapt the governance structure, frameworks and policies accordingly to comply with local regulatory requirements. This ensures the approach across the Group is consistent and sufficiently flexible to suit local operating environments.
UOB has established a risk appetite framework to define the amount of risk we are able and willing to take in pursuit of our business objectives. The purpose of establishing a risk appetite framework is not to limit risk-taking but to ensure that the Group’s risk profile remains within well-defined and tolerable boundaries. The framework was formulated based on the following key criteria:
The risk appetite defines suitable thresholds and limits across key areas including but not limited to credit risk, country risk, market risk, liquidity risk, operational risk and reputation risk. Our risk-taking approach is focused on businesses which we understand and are well-equipped to manage the risks involved. Through this approach, we aim to minimise earnings volatility and concentration risk and to ensure that our high credit rating, strong capital and funding base remain intact. This enables us to be a steadfast partner of our customers through changing economic conditions and cycles.
UOB’s risk appetite framework and risk appetite are reviewed and approved annually by the Board. The Management monitors and reports the risk profiles and compliance with the risk appetite to the Board.
UOB’s business strategies, products, customer profiles and operating environment expose us to a number of financial and non-financial risks. Identifying and monitoring key risks are integral to the Group’s approach to risk management. It enables us to make proper assessments and to mitigate these risks proactively across the Group. The following table lists the key risks which could impact the success of achieving the Group’s strategic objectives:
| Material Risk | Definition | How risk is managed |
|---|---|---|
| Credit Risk | The risk of loss arising from any failure by a borrower or counterparty to meet its financial obligations when such obligations are due. | Through the Group’s credit risk management framework, policies, probability of default/loss given default/exposure at default/portfolio models and limits. |
| Market Risk | The risk of loss to the Group from movements in the market rates or prices (such as changes in interest rates, foreign exchange rates, equity prices, commodity prices and credit spreads) of the underlying asset. It includes interest rate risk in the banking book which is the potential loss of capital or reduction in earnings due to changes in interest rates environment. | Through the Group’s market risk management framework, policies, Value-at-Risk models and limits. Interest rate risk in the banking book is managed through the Group’s balance sheet risk management framework, and interest rate risk in the banking book management policies and limits. |
| Liquidity Risk | The risk that arises from the Group’s inability to meet its obligations or fund increases in assets as they fall due. | Through the Group’s balance sheet risk management framework, liquidity risk management policies, ratios and limits. |
| Operational Risk | The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Potential loss may be in the form of financial loss or other damage, for example, loss of reputation and public confidence that will impact the Bank’s creditability and ability to transact, to maintain liquidity and to obtain new business. This includes banking operations risk, fraud risk, legal risk, outsourcing risk, regulatory risk, reputational risk and technology risk. | Through the respective risk management frameworks, policies, key risk and control self-assessments, Key Operational Risk Indicators, and Incident Management. |
| Strategic Risk | The current or prospective negative impact on earnings, capital or reputation arising from adverse strategic decisions, improper implementation of decisions or a lack of responsiveness to industry, economic or technological changes. | Through the Group's strategic and business risk management policy. |
| Business Risk | The adverse impact on earnings or capital arising from changes in business parameters such as volumes, margins and costs. | Through the Group's strategic and business risk management policy. |
| | This is the risk arising from: | Through the model risk governance framework and managed under the respective material risk types for which there is a quantitative model. |
| Environmental, Social and Governance Risk | The risk of credit loss or non-financial risks, such as reputational damage, arising from environmental, social and governance issues, including climate change. While a key component of ESG risk arises indirectly from the financial services we provide to our customers, it can also result directly from our own operations. | The different aspects of ESG risk are managed through the relevant frameworks, policies and guidelines in place, including the Group’s Responsible Financing Policy. |