Page 37 - 86395_CCB - 2024 Annual Report (web)
Financial Models
Description: The risk that the Bank incurs financial loss because of decisions that are principally based on the output of (internal) models, due to errors in the development, implementation, or use of such models.
Governance: Board Audit Committee; Board Risk & Compliance Committee; Executive Committee; Impairment & Provisions Committee; Asset Liability Committee; Credit Committee; Risk Management Committee; Model Risk Governance Committee; Model Risk Governance Framework & Policy; End User Computing Framework.
Risk Appetite Statement: The Bank maintains a low appetite for Model Risk and aims to maintain compliance with regulatory requirements and standards, minimising incidents and losses arising from model risk issues by maintaining and operating within an appropriate governance framework, supported by a governance policy. There is a clear definition of a model, and an inventory of all models is maintained within the Bank. The Bank adopts a proportionate risk‑based approach according to the materiality of each model, with specific requirements regarding model development, independent validation, approval, implementation, monitoring, and recommended enhancement.
The Bank requires that independent oversight is provided by the Second Line of defence and the monthly Model Risk Governance Committee.
Key Mitigants: Materiality assessment for models at inception, and annually thereafter. Regular independent model validation for high/medium rated models. Regular model self‑validation for low rated models. Ongoing model monitoring for key models. End User Computing (EUCs) framework enhancements – requiring minimum standards for databases. The Bank has recently enhanced its expected credit losses and impairment modelling capabilities. Part of annual Audit plan.
Comments: The Bank’s Model Risk Governance Policy articulates the principles and standards for model use at each stage of its life cycle, with control and assurance requirements commensurate with the model’s materiality and level of risk.
Operational Resilience
Description: The risk that events arising from inadequately identified or managed Important Business Services cause regulatory censure, reputational damage, financial loss, service disruption and/or customer detriment. Operational resilience metrics are included within Operational Risk reporting.
Governance: Maintaining Operational Resilience is a key regulatory and operational requirement to ensure the Bank can prevent, respond to, recover, and learn from operational disruptions. As several key IT services are outsourced, including the Bank’s core platform, satisfactory performance of its service providers is an ongoing part of ensuring continued Operational Resilience.
Risk Appetite Statement: Operational resilience and supplier risk management arrangements were significantly enhanced during 2022, including Board approval of Important Business Services (IBSs) and Impact tolerances along with workshops held to assess continuity of business services for the critical scenarios. Continual developments have been made during 2024 and are subject to Board and Executive level oversight.
Key Mitigants: The Bank completes annual testing of its Important Business Services and continues to complete the required review cycle, all of which is Board approved. Testing includes the mapping, identification of vulnerabilities and stress testing. Resiliency is also tested via IT disaster recovery, crisis management planning (both desktop & simulated scenario) and business continuity. Our third party’s resiliency forms part of the Bank’s internal testing.
Comments: The Bank’s resiliency remains strong with continued review of supplier relationship management and Line 1 and 2 oversight of critical suppliers. All actions from test activity are logged and reviewed.

