UOB’s responsibility for risk management starts with the Board overseeing a governance structure that is designed to ensure that the Group’s business activities are:
- conducted in a safe and sound manner and in line with the highest standards of professionalism;
- consistent with the Group’s overall business strategy and risk appetite; and
- subjected to adequate risk management and internal controls.
In this regard, the Board is primarily assisted by the Board Risk Management Committee (BRMC). The BRMC reviews the overall risk appetite and level of risk capital to be maintained for the Group.
The CEO has established senior management committees to assist him in making business decisions with due consideration to risks and returns. The main senior management committees involved in this are the Management Executive Committee, Risk and Capital Committee, Asset and Liability Committee, Credit Committee and Operational Risk Management Committee. These committees also assist the Board Committees in specific risk areas.
The Management and the senior management committees are authorised to delegate risk appetite limits by location, business units and/or broad product lines.
Risk management is the responsibility of every employee in the Group. Risk awareness and accountability are embedded in our culture through an established framework that ensures appropriate oversight and accountability for the effective management of risk throughout the Group and across risk types. This is executed through an organisational control structure that provides three "Lines of Defence" as follows:
First Line of Defence – The Risk Owner:
The business and support functions have primary responsibility for implementing and executing effective controls to manage the risks arising from their business activities. This includes establishing adequate managerial and supervisory controls to ensure compliance with risk policies, appetite, limits and controls and to highlight control breakdowns, inadequacy of processes and unexpected risk events.
Second Line of Defence – Risk Oversight:
The risk and control oversight functions (Group Credit and Risk Management, and Group Compliance) and the Chief Risk Officer provide the Second Line of Defence.
The risk and control oversight functions support the Group’s strategy of balancing growth with stability by establishing risk frameworks, policies, appetite and limits within which the business functions must operate. The risk and control oversight functions are also responsible for the independent review and monitoring of the Group’s risk profile and for highlighting any significant vulnerabilities and risk issues to the respective management committees.
The independence of risk and control oversight functions from business functions ensures the necessary checks and balances are in place.
Third Line of Defence – Independent Audit:
The Group’s internal and external auditors conduct risk-based audits covering all aspects of the First and Second Lines of Defence to provide independent assurance to the CEO, Audit Committee and the Board on the effectiveness of the risk management and control structure, policies, frameworks, systems and processes.
The Group’s governance framework also provides oversight for our overseas banking subsidiaries through a matrix reporting structure. Our subsidiaries, in consultation with Group Risk Management, adapt the governance structure, frameworks and policies accordingly to comply with local regulatory requirements. This ensures the approach across the Group is consistent and sufficiently flexible to suit local operating environments.