Risk Management Process


Lending/financing activities are subject to constant risk. The Bank realizes that the key to success lies in how risk is managed, by putting in place a clear risk management process that describes the steps taken to mitigate risk as it occurs, to meet the Bank’s objective.

The management of risk at the Bank is undertaken by the respective operational functions within the Bank and monitored by the Group Risk Management. The risk management process is as follows:



Risk Context


Each Head must first establish a clear and well-defined risk context by taking into consideration the following factors:

  • External Context – Define the relationship between their own functions and BPMB’s business and operational environment, by identifying or determining the crucial elements that may support or impair their ability to manage their own risks, such as regulatory and market conditions;

  • Internal Context – Understand their functions and their capacities and capabilities (i.e. the strengths/weaknesses/threats/opportunities of their staff, processes and systems), as well as their own business objectives, risk strategies and risk culture;

  • Risk Management Context – Establish their risk management approach; i.e. define their own scope of risk assessment and evaluation criteria, define or set their own respective risk appetite and risk tolerance limits, including their risk acceptability, risk avoidance and risk mitigation.



Risk Identification


Each Head must put in place demonstrable processes and procedures to ensure that risks are timeously identified, and must also incorporate Key Risk Indicators (KRIs) to flag possible future risks (i.e. emerging risk) and/or to anticipate unpredictable risks, so that no significant risks are overlooked.



Risk Analysis or Assessment


Each Head is to provide data to assist in the evaluation and treatment of their risks. This involves the consideration of the sources of risk, the consequences (or impact) and the likelihood that these consequences occur. Each Head is also to document the qualitative and/or quantitative measures of their likelihood and/or expected impact. Risk is analyzed by combining estimates of consequences (impact) and likelihood of occurrence in the context of existing control measures in place.



Risk Evaluation or Measurement

  • The level of risk found during the analysis process needs to be compared with previously established risk criteria of the department or unit. This will result in a prioritized list of risks for further action by each Head;

  • Identified risks should be monitored and regularly reviewed to ensure they remain adequately controlled or mitigated; and

  • It is also advisable for each Head to document (or embed) their own business continuity management plan(s) to ensure any severe disruptions in their operating infrastructure can be properly managed and addressed.



Risk Treatment or Mitigation


Each Head is to identify the appropriate options for treating or mitigating their risks and document these options within their own risk procedure. Each option is to be assessed and properly documented. Each Head must ensure any residual risks are within their acceptable threshold.



Risk Communication and Consultation


Each Head is to clearly and continuously communicate their risk management process to all who have roles and responsibilities within it to ensure staff understand why certain actions are required. This communication process must be clearly documented.



Risk Monitoring and Review


Each Head is to document the required proactive monitoring process of their risk treatment or action plans to ensure they remain relevant. Any resultant losses (actual or expected/near-miss or potential) are to be computed and documented accordingly. Each Head is also to ensure that their risk management process is reviewed on a regular basis (at least annually) to determine its effectiveness, including identification of new risks and/or opportunity risks as they emerge.