Risk Management

"We continue to strengthen our risk management across the Group by embedding a stronger risk culture amongst our people, articulating clearer and more specifically our risk appetite, and institutionalising our risk management knowledge and awareness."

Dr John Lee Hin Hock
Group Chief Risk Officer

Key Highlights

  1. Continued to strengthen our risk strategy and governance to embed and enhance our risk culture and management across the Group in support of our regional growth plans.
  2. Established a Risk Talent Management blueprint to up-skill resources and set the platform to bridge competency gaps.
  3. Improved our risk management processes by optimising capital and resources, improving turnaround time for credit decisions, enhancing enterprise-wide risk reporting for more effective risk oversight, and streamlining risk practices for more effectiveness and consistency across the Group.
  4. Implemented and initiated various risk systems enhancements such as the Risk IT Architecture roadmap, the Treasury Risk Management System and the Operational Risk Management system to ensure robust risk capabilities through technology.


During FY2012, Maybank Group made significant strides in managing its risk in a more robust and holistic manner across the Group. Amidst the challenging business landscape and tighter regulatory regime, Risk Management has managed to enhance and embed risk management into the business to drive value creation for the Group.

The risk factors faced by the Group can be categorised as follows:

Economic — Covers a range of macroeconomic risk concerns including economic environment, financial systems, infrastructure, volatility and regulation.

Geopolitical — Covers risks in areas of politics, diplomacy, conflict, crime and governance.

Macro-prudential, Regulatory and Legal — Covers risks pertaining to changes in legislation and the regulatory landscape.

Environmental — Covers a range of environmental risk events such as natural disasters, irremediable pollution, and species over-exploitation.

Risk in Business Operations, Governance and Internal Control Systems — Covers risks arising in the course of day-to-day business operations including breakdowns of governance and internal controls in our business processes.

Technological — Covers risks in the area of current and emerging technologies as well as external technology-related threats such as cyber attacks, data theft, fraud, etc.

Taking cognizance of these risks, the Group continues to plan, monitor and respond to these internal and external risk factors in an anticipative manner. This is further accomplished through the continuing implementation of the Risk Transformation Programme (RTP).

The key objective of the RTP is to redesign the current state of risk architecture, aligning the capabilities of the Group's risk function with its strategic aspirations. The RTP is aimed at enhancing our global risk management processes, increasing our ability to manage risks in all markets in which we operate, improving business responsiveness, optimising our risk-return capabilities, and acting as a market and thought leader in risk management region-wide.

Highlights of key risk achievements and measures undertaken by the Group for the financial year include the following:

Strategy And Governance

Risk Appetite Statement

The Group's risk appetite statements have been reviewed and approved by the Board to better link our business strategies with our risk-taking capacities and to optimise our risk-return trade-offs. From Maybank's perspective, risk appetite links the risk strategy of the Group to the business strategy through desired target ratings (solvency), earnings volatility and risk limits, among others.

We have successfully implemented the Group Risk Appetite Framework across the Bank and our major overseas subsidiaries and key branches. We continue to align and embed risk appetite into our key risk management and business planning processes to ensure that our risk, return and capital are managed on an integrated basis.

For this purpose we have established a team, focused on managing the risk appetite process, to act as an interface between the Board, senior management and all the business stakeholders in the Group. We view the Risk Appetite Framework as an effective communication tool, which fosters risk-return trade-off discussions between the Board, business and risk management.

The Risk Appetite Framework communicates clearly and effectively the boundaries of risk as defined by the Board and senior management to our various businesses across the Group, and it ensures that all the Group's principal risks are considered in the business, risk management and capital planning processes.

Risk Culture

Risk Culture is defined by the Institute of International Finance (IIF) as "the norms and traditions of behaviour of individuals and of groups within an organisation which determine the way in which they identify, understand, discuss and act on the risks the organisation confronts and assumes." In line with our Board's desire to "create and embed the right risk culture", we have designed a Risk Culture Index aimed at measuring the current state of our Risk Culture across the Group.

We view Risk Culture as the foundation upon which a strong, enterprise-wide risk management framework is built. Creating and embedding a strong Risk Culture is the cornerstone of effective risk management for the Group and our clients. Therefore, through the Index, we aim to measure and target specific areas where we can focus our risk management capability-building, thus ensuring that our risk culture is institutionalised.

The Index was successfully launched in 2012, and the results will be incorporated into the performance management process across the Group. Specific action plans will also be developed to ensure that we are able to sustain our growth in a responsible and risk-aware manner.

Embedded Risk Units (ERU) Governance

During the year, the Group continued to enhance the effectiveness of the Embedded Risk Units within business sectors, overseas units and Group subsidiaries to meet the following objectives:

Effective Capital Management Strategies

The Group's approach to capital management is driven by its strategic objectives and takes into account all the relevant regulatory, economic and commercial environments in which the Group operates. The Group regards having a strong capital position as essential to its business strategy and competitive position. As such, implications of the Group's capital position are taken into account by the Board and senior management before implementing major business decisions in order to preserve the Group's overall capital strength.

The Group's capital management policies are to diversify its sources of capital; to allocate and deploy capital efficiently, guided by the need to maintain a prudent relationship between available capital and the risks of its underlying businesses; and to meet the expectations of key stakeholders, including investors, regulators and rating agencies.

A set of strong governance and process guidelines is embedded in the Group Capital Management Framework. Appropriate policies are in place governing the transfer of capital within the Group. The purpose is to ensure that capital is remitted as appropriate, that it complies with local regulatory requirements, and that overall capital resources are optimised at Group and entity levels. Ultimate responsibility for the effective management of capital rests with the Board, whilst the Group EXCO is responsible for ensuring the effectiveness of the capital management policies on an ongoing basis and for updating the Group Capital Management Framework to reflect revisions and new developments.

Basel II Implementation

The implementation of Basel III in Malaysia commenced with effect from 1 January 2013 under the new Basel III rules released on 28 November 2012 by Bank Negara Malaysia. Bank Negara Malaysia's Basel III rules are broadly in line with the proposals promulgated by the Basel Committee on Banking Supervision (BCBS) in December 2010 (updated June 2011), with the exception of a few major areas, which are more stringent than those of BCBS. Despite the more stringent Basel III requirements under the local regime, the Group expects its capital position to remain healthy at levels above the minimum regulatory requirements, even without the transitional arrangements.

Please refer to pages 465 to 471 in the Financial Statements book of the Annual Report 2012 for a more detailed write-up on Capital Management and the ICAAP process.


Risk Talent Management Blueprint

The Group developed and implemented a comprehensive risk talent management blueprint to clearly articulate core risk competencies required by Maybank's risk professionals. In addition, we defined the training curriculum to build the required risk capabilities as well as support the management of career progression pathways and succession planning.

Risk Masterclass

In our continued effort to up-skill risk management resources, our subsidiary Bank Internasional Indonesia (BII) hosted the annual Risk Masterclass, where risk subject matter experts from across the Group were engaged to share their knowledge of various risk management topics and current risk trends.

Quality of Credit Underwriting

The Group has endorsed an Internal Assessment of Core Credit Personnel (IACCP) programme. This is an on-the-job assessment process to evaluate the competency of core credit personnel, as well as the quality of the credit proposals they produce. The IACCP will help to identify individuals' areas of weakness with the aim of recommending specific credit training programmes to develop their skills and continuously improve the quality of credit underwriting.


Risk Weighted Assets (RWAs) Optimisation

The RWAs Optimisation Programme was designed as a collaborative effort between Risk Management and business as part of our continuous capital management process. To this end, we implemented a range of initiatives, such as developing new rating models, reviewing existing models, managing stale ratings, ensuring appropriate classification of assets and enhancing collateral management information.

Credit Decision Enhancement

Credit processes were re-engineered end-to-end for different business segments, from initial marketing to loan disbursement, with an emphasis on making our credit decisions faster without increasing our risks. We deployed a Business Process Management (BPM) tool to enhance our Loan Origination System (LOS), streamlining the credit processes for better turnaround time at every touch-point.

Market Risk Management

We achieved a risk diversification effect in global Value-at-Risk (VaR) computation via the upgraded Kondor Global Risk engine at all Global Market Centres.

Operational Risk Management (ORM)

In support of the Group's intention to obtain The Standardised Approach (TSA) certification for ORM, we launched various initiatives to ensure that ORM was institutionalised Group-wide. These efforts included enhancing our ORM training effectiveness, engaging and sharing knowledge with our branch network, and attesting our personnel.

Compliance Culture

Various initiatives and programmes, ranging from e-Learning Solutions and Integrity Week to Group Compliance Up-skilling Programmes, were put in place to institutionalise compliance culture within the Group.

Group Risk Reporting

Recognising the importance of timely and aggregated risk information, we enhanced our risk reporting processes across the Group by means of:


Risk IT Architecture (RITA)

As part of the Risk Transformation Programme, we have developed a Risk IT Enterprise Architecture, which defines the target state applications, data and technology infrastructure necessary to support our risk management.

RITA was initiated to enhance the risk infrastructure to (i) promote business process efficiency, (ii) align with enterprise-wide infrastructure architecture, and (iii) achieve a single source of risk information, thus optimising IT infrastructure cost.

The Group has invested extensively in a range of specific technologies to further enhance its risk management capabilities. These systems include the following:

  • Treasury Risk Management System (TRMS) to ensure more robust oversight capabilities over our market risk.
  • Risk Data Management Solution (RDMS), a Basel II-compliant risk weighted assets (RWA) calculation tool that measures RWAs on an aggregated basis of the various asset classes in the Group.
  • Group Exposure Management System to manage the exposure limits at Group level and provide a platform to manage concentration of exposure to single borrowers.
  • Maybank Operational Risk Management (ORM) system which manages the operational risks of the Group.
  • Group Collateral Management System, a centralised collateral management system that provides the solution for more efficient management of collateral information and meets specific operational and monitoring requirements under Basel II for the use of credit risk mitigation techniques, single source of collateral data for regulatory reporting and compliance, and automatic system revaluation of specific eligible collaterals.
  • Credit Risk Rating Systems allow the Group to assess and measure borrowers' credit risk based on internal rating models.
  • Credit Risk Data-mart (CRDM) which is a repository of credit risk data to facilitate credit risk analytics, trending, modelling, reporting, validation and stress testing requirements in an efficient and timely manner.

Risk Management Approach

In accordance with the Group's structure and regional aspirations, the Group continuously enhances its integrated risk management approach towards the effective management of enterprise-wide risks. The Group approaches the overall risk management process in a structured and disciplined manner, aligning strategies, policies, processes, people and technology with the specific purpose of evaluating all risk types in line with enhancing shareholder value.

Risk Governance Structures

Board of Directors
The Board of Directors is the Group's ultimate governing body, which has overall risk oversight responsibility. It approves the risk management framework, risk appetite, plans and performance targets for the Group and its principal operating subsidiaries, the appointment of senior officers, the delegation of authorities for credit and other risks, and the establishment of effective control procedures.

Board Level Committees

Risk Management Committee (RMC)
The RMC is a dedicated Board Committee responsible for the risk oversight function within the Group. It is principally responsible for reviewing and approving key risk frameworks and policies for the various risks.

Credit Review Committee (CRC)
The CRC is tasked by the Board to review fresh or additional loan applications subject to pre-determined authority limits and credit risk ratings as may be recommended by the Group Management Credit Committee.

Executive Level Committees

Executive Risk Committee (ERC), Group Operational Risk Mgt. Committee (GORMC), Asset & Liability Mgt. Committee (ALCO), Group Management Credit Committee (GMCC)
The ERC, GORMC, ALCO and GMCC are Executive Level Committees responsible for the management of all material risks within the Bank. The scope of ERC encompasses all risk types, whilst the GORMC caters specifically to operational risk matters. The ALCO is primarily responsible for the development and implementation of broad strategies and policies for managing the consolidated balance sheet and associated risks. The GMCC is empowered as the centralised loan approval committee for the Group.

Key components of the Enterprise Risk Management framework include:

In line with its enterprise risk management approach, the Group has adopted and consistently practises Seven Broad Principles of Risk Management to ensure the integration of purpose, policy, methodology and systems across its regional footprint.

Maybank Group's Seven Broad Principles of Risk Management

The Seven Broad Principles define the key principles on accountability, independence, structure and scope.


Moving forward, the Group will embark on the next stage of the Risk Transformation Programme, which is to focus on enhancing and integrating risk management into the business to drive value creation for the Group as follows:

Please refer to "Basel II Pillar 3 Disclosures" for detailed disclosures and write-ups on Risk Management.