"We continue to strengthen our risk
management across the Group by embedding
a stronger risk culture amongst our people,
articulating clearer and more specifically our
risk appetite, and institutionalising our risk
management knowledge and awareness."
Dr John Lee Hin Hock
Group Chief Risk Officer
During FY2012, Maybank Group made significant strides in managing its risk in a more robust and holistic manner across the Group. Amidst the challenging business landscape and tighter regulatory regime, Risk Management has managed to enhance and embed risk management into the business to drive value creation for the Group.
The risk factors faced by the Group can be categorised as follows:
Economic — Covers a range of macroeconomic risk concerns including economic environment, financial systems, infrastructure, volatility and regulation.
Geopolitical — Covers risks in areas of politics, diplomacy, conflict, crime and governance.
Macro–prudential, Regulatory and Legal — Covers risks pertaining to changes in legislations and the regulatory landscape.
Environmental — Covers a range of environmental risk events such as natural disasters, irremediable pollution, and species over–exploitation.
Risk in Business Operations, Governance and Internal Control Systems — Covers risks arising in the course of day–to–day business operations including breakdowns of governance and internal controls in our business processes.
- Market fluctuations may reduce the value or income generation of our portfolios.
- Liquidity, or ready access to funds, is essential to the Group's activities.
- Reduction in the Group's credit rating, any subsidiaries or any of our debt securities could increase the cost or availability of funding and adversely affect our liquidity position and interest margins.
Technological — Covers risks in the area of current and emerging technologies as well as external technologically– related threats such as cyber attacks, data theft, fraud, etc.
Taking cognizance of these risks, the Group continues to plan, monitor and respond to these internal and external risk factors in an anticipative manner. This is further accomplished through the continuing implementation of the Risk Transformation Programme (RTP).
The key objective of the RTP is to redesign the current state of risk architecture, aligning the capabilities of the Group's risk function with its strategic aspirations. The RTP is aimed at enhancing our global risk management processes, increasing our ability to manage risks in all markets in which we operate, improving business responsiveness, optimising our risk-return capabilities, and acting as a market and thought leader in risk management region-wide.
Highlights of key risk achievements and measures undertaken by the Group for the financial year include the following:
Strategy And Governance
Risk Appetite Statement
The Group's risk appetite statements have been reviewed and approved by the Board to better link our business strategies with our risk-taking capacities and to optimise our risk-return trade-offs. From Maybank's perspective, risk appetite links the risk strategy of the Group to the business strategy through desired target ratings (solvency), earnings volatility and risk limits, among others.
We have successfully implemented the Group Risk Appetite Framework across the Bank and our major overseas subsidiaries and key branches. We continue to align and embed risk appetite into our key risk management and business planning processes to ensure that our risk, return and capital are managed on an integrated basis.
For this purpose we have established a team, focused on managing the risk appetite process, to act as an interface between the Board, senior management and all the business stakeholders in the Group. We view the Risk Appetite Framework as an effective communication tool, which fosters risk-return trade-off discussions between the Board, business and risk management.
The Risk Appetite Framework communicates clearly and effectively the boundaries of risk as defined by the Board and senior management to our various businesses across the Group, and it ensures that all the Group's principal risks are considered in the business, risk management and capital planning processes.
Risk Culture is defined by the Institute of International Finance (IIF) as "the norms and traditions of behaviour of individuals and of groups within an organisation which determine the way in which they identify, understand, discuss and act on the risks the organisation confronts and assumes." In line with our Board's desire to "create and embed the right risk culture", we have designed a Risk Culture Index aimed at measuring the current state of our Risk Culture across the Group.
We view Risk Culture as the foundation upon which a strong, enterprise-wide risk management framework is built. Creating and embedding a strong Risk Culture is the cornerstone of effective risk management for the Group and our clients. Therefore, through the Index, we aim to measure and target specific areas where we can focus our risk management capability-building, thus ensuring that our risk culture is institutionalised.
The Index was successfully launched in 2012, and the results will be incorporated into the performance management process across the Group. Specific action plans will also be developed to ensure that we are able to sustain our growth in a responsible and risk-aware manner.
Embedded Risk Units (ERU) Governance
During the year, the Group continued to enhance the effectiveness of the Embedded Risk Units within business sectors, overseas units and Group subsidiaries to meet the following objectives:
Effective Capital Management Strategies
The Group's approach to capital management is driven by its strategic objectives and takes into account all the relevant regulatory, economic and commercial environments in which the Group operates. The Group regards having a strong capital position as essential to its business strategy and competitive position. As such, implications of the Group's capital position are taken into account by the Board and senior management before implementing major business decisions in order to preserve the Group's overall capital strength.
The Group's capital management policies are to diversify its sources of capital; to allocate and deploy capital efficiently, guided by the need to maintain a prudent relationship between available capital and the risks of its underlying businesses; and to meet the expectations of key stakeholders, including investors, regulators and rating agencies.
A set of strong governance and process guidelines is embedded in the Group Capital Management Framework. Appropriate policies are in place governing the transfer of capital within the Group. The purpose is to ensure that capital is remitted as appropriate, that it complies with local regulatory requirements, and that overall capital resources are optimised at Group and entity levels. Ultimate responsibility for the effective management of capital rests with the Board, whilst the Group EXCO is responsible for ensuring the effectiveness of the capital management policies on an ongoing basis and for updating the Group Capital Management Framework to reflect revisions and new developments.
Basel II Implementation
The implementation of Basel III in Malaysia commenced with effect from 1 January 2013 under the new Basel III rules released on 28 November 2012 by Bank Negara Malaysia. Bank Negara Malaysia's Basel III rules are broadly in line with the proposals promulgated by the Basel Committee of Banking Supervision (BCBS) in December 2010 (updated June 2011), with the exception of a few major areas, which are more stringent than those of BCBS. Despite the more stringent Basel III requirements under the local regime, the Group expects its capital position to continue to remain healthy at levels above the minimum regulatory requirements, even without the transitional arrangements.
Please refer to pages 465 to 471 in the Financial Statements book of the Annual Report 2012 for a more detailed write-up on Capital Management and the ICAAP process.
Risk Talent Management Blueprint
The Group developed and implemented a comprehensive risk talent management blueprint to clearly articulate core risk competencies required by Maybank's risk professionals. In addition, we defined the training curriculum to build the required risk capabilities as well as support the management of career progression pathways and succession planning.
In our continued effort to up-skill risk management resources, our subsidiary Bank Internasional Indonesia (BII) hosted the annual Risk Masterclass, where risk subject matter experts from across the Group were engaged to share their knowledge of various risk management topics and current risk trends.
Quality of Credit Underwriting
The Group has endorsed an Internal Assessment of Core Credit Personnel (IACCP) programme. This is an on-the-job assessment process to evaluate the competency of core credit personnel, as well as the quality of the credit proposals they produce. The IACCP will help to identify individuals' areas of weakness with the aim of recommending specific credit training programmes to develop their skills and continuously improve the quality of credit underwriting.
Risk Weighted Assets (RWAs) Optimisation
The RWAs Optimisation Programme was designed as a collaborative effort between Risk Management and business as part of our continuous capital management process. To this end, we implemented a range of initiatives, such as developing new rating models, reviewing existing models, managing stale ratings, ensuring appropriate classification of assets and enhancing collateral management information.
Credit Decision Enhancement
Credit processes were re-engineered end-to-end for different business segments, from initial marketing to loan disbursement, with an emphasis on making our credit decisions faster without increasing our risks. We deployed a Business Process Management (BPM) tool to enhance our Loan Origination System (LOS), streamlining the credit processes for better turnaround time at every touch-point.
Market Risk Management
We achieved risk diversification effect in global Value-at-Risk (VaR) computation via the upgraded Kondor Global Risk engine at all Global Market Centres.
Operational Risk Management (ORM)
In support of the Group's intention to obtain The Standardised Approach (TSA) certification for ORM, we launched various initiatives to ensure that ORM was institutionalised Groupwide. These efforts included enhancing our ORM training effectiveness, engaging and sharing knowledge with our branch network, and attesting our personnel.
Various initiatives and programmes ranging from e-Learning Solutions, Integrity Week and Group Compliance Up-skilling Programmes were put in place to institutionalise compliance culture within the Group.
Group Risk Reporting
Recognising the importance of timely and aggregated risk information, we enhanced our risk reporting processes across the Group by means of:
Risk IT Architecture (RITA)
As part of the Risk Transformation Programme, we have developed Risk IT Enterprise Architecture which defines the target state applications, data and technology infrastructure necessary to support our risk management.
RITA was initiated to enhance the risk infrastructure to (i) promote business process efficiency, (ii) align with enterprisewide infrastructure architecture, and (iii) achieve a single source of risk information, thus optimising IT infrastructure cost.
The Group has invested extensively in a range of specific technologies to further enhance its risk management capabilities. These systems include the following:
Risk Management Approach
In accordance to the Group's structure and regional aspirations, the Group continuously enhances its integrated risk management approach towards the effective management of enterprise-wide risks. The Group views the overall risk management process with a structured and disciplined approach to align strategies, policies, processes, people and technology with the specific purpose of evaluating all risk types in line with enhancing shareholder value.
Risk Governance Structures
Board Level Committees
Executive Level Committees
|Executive Risk Committee (ERC)||Group Operational Risk Mgt. Committee (GORMC)||Asset & Liability Mgt. Committee (ALCO)||Group Management Credit Committee (GMCC)|
|The ERC, GORMC, ALCO and GMCC are Executive Level Committees responsible for the management of all material risks within the Bank. The scope of ERC encompasses all risk types, whilst the GORMC caters specifically to operational risk matters. The ALCO is primarily responsible for the development and implementation of broad strategies and policies for managing the consolidated balance sheet and associated risks. The GMCC is empowered as the centralised loan approval committee for the Group.|
Key components of the Enterprise Risk Management framework include:
In line with its enterprise risk management approach, the Group has adopted and consistently practises Seven Broad Principles of Risk Management to ensure the integration of purpose, policy, methodology and systems across its regional footprint.
Maybank Group's Seven Broad Principles of Risk Management
The Seven Broad Principles define the key principles on accountability, independence, structure and scope.
Moving forward, the Group will embark on the next stage of the Risk Transformation Programme, which is to focus on enhancing and integrating risk management into the business to drive value creation for the Group as follows:
Please refer to "Basel II Pillar 3 Disclosures" for detailed disclosures and write-ups on Risk Management.