Risk Library

DESCRIPTION

Reference for different types of risks

Summary and Broad Risk Categories Business View

RISK LIBRARY

I- Major Risk Category:

1) Environment Risk

2) Process Risk

3) Information for Decision Making Risk

II- Type of Risk

1) Environment Risk

1.1) Competitor

1.2) Technology Innovation

1.3) Sensitivity

1.4) Sovereign/Political

1.5) Legal

1.6) Regulatory

1.7) Industry

1.8) Financial Markets

1.9) Catastrophic Loss

2) Process Risk

2.1) Operations Risk

2.2) Empowerment Risk

2.3) Information Processing/Technology Risk

2.4) Integrity Risk

2.5) Financial Risk

2.6) Product Pricing Risk

2.7) Contract Commitment Risk

2.8) Performance Measurement Risk

2.9) Alignment Risk

3) Information for Decision Making Risk

3.1) PROCESS/OPERATIONAL DECISION MAKING RISK

3.1.1) Product Pricing Risk

3.1.2) Contract Commitment Risk

3.1.3) Performance Measurement Risk

3.1.4) Alignment Risk

3.2) FINANCIAL AND BUSINESS DECISION MAKING RISK

3.2.1) Budget and Planning Risk

3.2.2) Accounting Information Risk

3.2.3) Financial Reporting Evaluation Risk

3.2.4) Taxation Risk

3.2.5) Compensation and Benefit Risk

3.2.6) Investment Evaluation Risk

3.2.7) Regulatory Reporting Risk

3.3.1) Environmental Scan Risk

3.3.2) Business Portfolio Risk

3.3.3) Valuation Risk

3.3.4) Business Portfolio Risk

3.3.5) Performance Measurement Risk

3.3.6) Organization Structure Risk

3.3.7) Resource Allocation Risk

3.3.8) Planning Risk

3.3.9) Product Life Cycle Risk

III- Risk Definitions

Environment Risk

Environment risk arises when there are external forces that could significantly change the fundamentals that drive Group's overall objectives and strategies and, in the extreme, put any segment of the Group out of business.

Type of Risk | Definition/s

Environment risk arises from failure to understand customer wants, failure to anticipate or react to actions of competitors, over-dependence on vulnerable sources of income or funds etc. Management's assumptions about the business environment provide a critical starting point for formulating and evaluating business strategies. If key managers do not have a common understanding of the key environment risks, the Group's strategic objectives will not be focused. Because of the high stakes of strategic error, management must have assurance that the key environmental assumptions on which its strategy is based are consistent with reality.

Competitor Risk

Actions of competitors or new entrants (conventional and otherwise), including newly merged entities (e.g. banks, securities firms, insurance companies, asset management companies etc.), to the market threaten Group's competitive advantage or even its ability to dominate the market. These actions include introducing new products to the market, improving product quality, increasing productivity and reducing costs, and reconfiguring the value chain in the eyes of the customers.

Technological Innovation Risk

The Group is not leveraging advancements in technology in its business model to achieve or sustain competitive advantage, or is exposed to the actions of competitors or substitutes that leverage technology to attain superior quality, cost and/or time performance in their products, services and processes.

Sensitivity Risk

Over-commitment of resources and expected future cash flows threatens Group's capacity to withstand changes in environmental forces beyond its control (e.g., interest rates, market demand, changes in regulations, etc.).

For example:

Unfavorable changes in competitor capabilities, interest rates, currency rates, inflation, capital markets, international trade and other economic conditions that are closely tied to the business cycle can adversely affect and threaten competitive advantage of the Group.

The Group's strategy to grow rapidly, expand geographically and invest in significant high risk lines of business can increase its sensitivity exposure to unexpected economic, regulatory and market developments.

Systemic risk for financial institutions is a form of sensitivity risk. It is the risk that financial difficulties in one financial institution or a major market disruption will cause uncontrollable financial harm to other institutions or prevent the effective operation of the financial system generally.

Sensitivity risk also results when the Group is too inflexible to change in response to changes in the environment. If the Group's business processes cannot be aligned to satisfy customer wants and meet the challenges of changing technological advances, unexpected competitor actions or other external environmental changes, its ability to compete will be significantly affected.

Sovereign/Political Risk

Adverse political actions in a country in which the Group has invested significantly or has entered into a significant agreement with a counterparty subject to the laws of that country threaten the Group's resources and future cash flows.

For example, possible nationalization, expropriation of assets without compensation, currency blockage or other restrictions could result in significant losses to the Group.

Sovereign risk is a reflection of a country's financial standing in the world community and, to some degree, a function of the country's political stability and historical performance in meeting its international financial obligations. The greater the probability a government may impose foreign exchange controls, thus making it impossible for a counterparty or foreign subsidiary to honor its commitments, the greater is the sovereign risk. For example:

An institution may be barred from doing business in a country;

An issuer/obligor may be barred by its government from making interest and principal payments on its debt;

Counterparty to a derivative contract (i.e., a swap) is barred by its government.

Legal Risk

Changing laws (local and foreign, in countries in which the Group has operations) threaten the Group's capacity to consummate important transactions, enforce contractual agreements or implement specific strategies and activities.

Changes in laws and litigation claims and assessments can also result in increased competitive pressures and significantly affect the Group's ability to efficiently conduct business. For example, uncontrolled litigation, and punitive damages (i.e. lender liability) can cause tremendous uncertainty in decision making and create potentially unacceptable liabilities for businesses.

Regulatory Risk

Changing regulations (local and foreign countries in which the Group has operations) threaten the Group's competitive position and its capacity to efficiently conduct business. This can result in increased competitive pressures and significantly affect the Group's ability to efficiently conduct business. For example, regulators can significantly change the rules of the marketplace and thrust entire industries into a vastly different competitive environment (e.g., the ability of universal brokers to offer a full range of specified financial services).

Industry Risk

Changes in opportunities and threats, capabilities of competitors, and other conditions affecting the financial services industry threaten the attractiveness of the entire industry.

There are also other risks that can be broadly categorized under "industry risk" because they tend to affect different industries in different ways:

Demographic Risk - The risks that demographic trends will affect the industry's customer base and work force.

Social/Cultural Risk - The way people live, work and behave as consumers can affect the industry's products and services. For example, society's acclimatization to the internet will impact the delivery of competitive products and services, etc.

Natural Disaster Risk - Severe weather, flooding, earthquakes and other natural disasters affect most industries, some more directly than others. For example, weather affects market demand for gas and electricity. Inclement weather that is out-of-season also adversely affects the citrus industry. This could significantly impact the ability of the borrowers to pay their obligations.

Finally, there is the risk that an entire industry's public image will be tarnished or damaged due to negative publicity. Factors that can affect the image include industry consolidation, failures, large derivative losses, etc.

Financial Markets Risk

Exposure to changes in the earnings capacity or economic value as a result of changes in financial market variables which affect income, expense or balance sheet values. For example:

The market price of financial instruments (e.g., investment securities, foreign currency debt instruments, or commodities)

Market rates which influence income and expenses (e.g., interest rates, currency rates)

An index (e.g., a stock market index) which can affect either the price of a financial instrument or the value of a commercial transaction such as export sales

Financial market exposures can result in substantial losses if the exposures are unhedged or imperfectly hedged. Financial markets risk can be incurred in a number of different ways. For example:

Yield Risk - Exposure to changes in earnings as a result of fluctuations of market factors (e.g., interest rate changes, currency fluctuations, etc.) which affect income from unhedged assets or the cost of unhedged liabilities (including executory contracts and other contingent exposures).

Price Risk - Exposure to changes in earnings or net worth as a result of price level changes.

Credit Risk - The exposure to actual loss or opportunity losses as a result of deterioration in the ability of a counterparty to honor its obligations and/or deterioration in the collateral value.

Liquidity Risk - Exposure to loss resulting from the inability to convert assets (e.g., investment securities, receivables, inventories) to an equivalent cash value, or to raise unsecured funding, in a timely and cost-effective manner.

Systemic Risk - Exposure to loss as a result of a major market disruption which adversely affects all participants in that market (e.g., the inability to repatriate funds held in a foreign country due to the failure of its financial markets and/or banking system).

Complexity Risk - Exposure to loss resulting from entering into complex transactions, the structure and pricing of which are not completely understood.

Catastrophic Loss Risk

A major disaster threatens the Group's or business unit's ability to sustain operations, provide essential products and services or recover operating costs.

The inability to recover from such events in a world class manner could damage the Group's reputation, ability to obtain capital, and investor relationships. There are two sources of catastrophic losses:

Uncontrollable - Disasters from war, terrorism, fire, earthquake, severe weather and flooding and other similar events are completely beyond the control of the Group. However, their effects on the Group's assets and operations can be managed.

Controllable - Environmental disasters, pervasive health and safety violations, incredibly high litigation costs, huge losses from derivatives, massive business fraud, and significant losses in market share because of failure to abandon strategies that no longer work can be as catastrophic in their effects on a business as an uncontrollable disaster; however, the business activities that contribute to these losses are within the control of the Group.

Breakdowns in any of these areas can threaten the very survival of the business. The risk of catastrophic losses occurring overlaps with other business risks that relate more specifically to the potential for adverse events, i.e., Product/Service Delivery, Environmental, Health and Safety, and Derivative Risks.

PROCESS RISK

Process risk is the risk that business processes:

Are not clearly defined;

Are poorly aligned with business strategies;

Do not perform effectively and efficiently in satisfying customer needs; and

Expose significant financial, physical and intellectual assets to unacceptable losses, risk taking, misappropriation or misuse.

The interdependencies of processes within a business/function/entity and with customers and suppliers are a contributing factor to process risk. Deficient outputs from one business process are deficient inputs to another. Process risk includes:

Type of Risks | Definition

OPERATIONS RISK

Operations risk is the risk that operations are inefficient and ineffective in satisfying customers and achieving Group's quality, cost and time objectives.

Customer Satisfaction Risk

A lack of focus on customers threatens the capacity to meet or exceed customer expectations. The consequences of dissatisfied customers are severe: permanent loss of repeat business, declining revenues, and loss of market share. Without a constant drive towards customer satisfaction and continuous improvement, the Group will neither understand nor accept the product characteristics or service elements necessary to remain competitive and will fail to improve its products and processes. If the Group does not focus on the root causes of customer dissatisfaction, long-term growth may be impossible and survival doubtful.

Human Resources Risk

The personnel responsible for managing and controlling a business process/function/entity/business unit do not possess the requisite knowledge, skill and experience needed to ensure that critical business objectives are achieved and significant business risks are reduced to an acceptable level.

Product Development Risk

Inadequate product development threatens the Group's ability to (1) meet or exceed customers' needs and wants consistently over the long-term; and/or (2) the product profitability does not meet the minimum requirement of the management or the product is not profitable. The Group's product development process creates products that:

Customers don't want or need.

Are priced at a level customers are not willing to pay

Meet a need but are late in reaching the market that a competitor reached first.

Are not profitable or do not meet the minimum required by the management to meet shareholders' expectations.

The productivity of the product development process is significantly less than that of the more innovative competitors who are able to achieve higher productivity through a stronger customer focus, focused marketing, faster cycle time and longer product life.

Capacity Risk

Insufficient capacity threatens the Group's ability to meet customer demands, or excess capacity threatens the Group's ability to generate competitive profit margins.

Capacity risk has several dimensions:

The effective productive capacity of the delivery channel is not fully utilized, resulting in fixed costs spreading over fewer units and creating higher unit costs and lower unit margins.

The effective productive capacity of the delivery channel is not adequate to fulfill customer needs and demands, resulting in lost business.

Unnecessary activities also threaten the Group's capacity to produce and deliver goods or services on a timely basis.

Compliance Risk

Non-compliance with customer requirements, prescribed internal Group policies and procedures may result in lower quality, higher production costs, lost revenues, unnecessary delays, penalties, fines, embarrassment, etc.

As a result of a flaw in design or operation or due to human error, oversight or indifference, the Group's processes do not meet customer requirements the first time or do not comply with prescribed procedures and policies, or contractual obligations. Compliance risk, sometimes referred to as non-conformance risk, results in lower quality, higher costs, lost revenues, unnecessary delays and potentially lack of contract enforceability and losing customer confidence.

The risk of non-conformance also gives rise to product/service delivery risk because if it is not detected and corrected before a product or service is delivered to the customer, a product or performance failure results.

Compliance risk can lead to a diminished reputation, reduced business opportunities and lessened expansion potential. It can also increase exposure to integrity risk (see "Integrity Risk") or occur as a result of empowerment risk (see "Empowerment Risk").

Pre-approve retail credit facilities for retail customers with access within 24 hour notification;

The use of technology to deliver products and services. For example, the use of electronic home banking providing customer access to all accounts;

Providing no hassle, new transaction account set up. The ability to eliminate barriers to establishing new relationships will provide institutions with a competitive advantage.

Regulatory Compliance Risk

Regulatory compliance risk arises from non-conformance with laws and regulations at the international, country, state and local levels that apply to Group or any of its business units and its business processes.

This risk also arises in situations where the laws or regulations governing certain products or activities of the Group's clients may be ambiguous or untested. Regulatory compliance risk exposes the Group to sanctions, fines and penalties and can lead to a diminished reputation, reduced brand name value, limited business opportunities and lessened expansion potential.

Business Interruption Risk

Business interruptions stemming from the unavailability of sufficient funding, liquidity, information technologies, skilled labor or other resources threaten the Group's or any of its business unit's capacity to continue operations.

The Group's capability to continue critical operations and processes may be highly dependent on availability of certain information technologies, skilled human (different from the Human Resources risk that impedes the capability to perform, the human related Business Interruption Risk here is more detrimental, to the extent of interrupting the business) and other resources. If facilities, people with the requisite experience and skills and other critical resources were not available or if critical information systems went down, the Group would experience difficulty in continuing operations in the desired manner. Advanced disaster recovery planning and testing is essential.

Business interruption can arise from accidents, weather, work stoppages, sabotage and crisis, and results in dissatisfied customers and loss of revenue, profits and competitive position. Business interruption attributable to a loss of critical information systems is described as "Availability Risk" under "Information Processing/Technology Risk".

Product/Service Delivery Risk

Faulty or non-performing products or services expose the Group to customer complaints, liability claims, litigation, and loss of revenues, market share and business reputation. The Group's operations create risk of customers receiving inaccurate or untimely services. These failures usually occur as customer complaints are not addressed on a timely basis. They can significantly affect Group's reputation, future expansion, fraud prevention controls and market share.

Health and Safety Risk

Failure to provide a safe working environment for its personnel exposes the Group to compensation liabilities, loss of business reputation and other costs.

Personnel health and safety risks are significant if not controlled because they expose the Group to potentially significant workers' compensation liabilities. Workers' compensation laws, which vary from country to country, can result in severe financial losses if respective operations do not strictly comply with them.

Costs associated with on-site operating facility accidents have risen dramatically since the 1970s and have a far reaching impact on the employee, his or her family and friends, and fellow employees. The negative publicity from highly visible human and other costs associated with health and safety issues also can create reputation loss for the bank Group. The Group and their respective managers could find themselves criminally liable for failure to monitor and provide a safe working environment for their employees.

Brand Name Erosion Gap Risk

Erosion of the brand name over time threatens the demand for the Group's products or services. It is a risk that the brand name will lose its value over time to a business in building and retaining demand for its products and services.

A brand name is a word, symbol or device - or any combination of these - that identifies a product or service and distinguishes that product or service from the products or services of other financial services institutions. The risk can arise because of the occurrence of other risks, e.g. Product/Services Delivery Risk, or the social appearance of the Group compared to other competitors in the eyes of the community, or a combination of them.

Partnering Risk

Inefficient or ineffective alliance, joint ventures, affiliate and other external relationships affect the Group's capacity to compete; these uncertainties arise due to choosing the wrong partner, poor execution, taking more than is given (resulting in loss of a partner) and failing to capitalize on partnering opportunities.

Many companies today are focusing on core competencies and core businesses. They are realizing that it is very hard to be "all things to all people", particularly when fast reaction and speed to market and opportunity are becoming increasingly important.

Partnering with other organizations to achieve the Group's objectives is emerging as a strategic enabler and risk mitigation strategy. While partnering can take many forms legally and structurally (literal partnerships, strategic alliances, cost-sharing arrangements, co-branding arrangements, etc.) the essence is establishing a relationship with another organization that is perceived to benefit both. Partnering can be used to achieve any broad objective: share risks, reduce cost, access new markets, enhance brand image, accelerate R&D and learning, etc. Inefficient or ineffective alliance, joint venture, affiliate and other external relationships affect the Group's capability to compete. Partnering risk has several dimensions:

Choosing the wrong partner, potentially causing reputation risk and failure to achieve objectives.

Executing poorly with a viable partner, due to cultural differences, communications failures, etc.

Taking more than what is given, and losing a valuable partner relationship because mutuality of interest is lost.

Failing to take advantage of an obvious opportunity to partner.

Empowerment risk is the risk that managers and employees:

Are not properly led,

Do not know what to do (or how to do it) when they need to do it,

Exceed the boundaries of their defined authorities,

Do not have the resources, training and tools necessary to make effective decisions, or

Are given incentives to do the wrong thing.

Leadership Risk

The Group's or any of its business unit's people are not being effectively led to do the right things, which may result in a lack of direction, customer focus, motivation to perform, management credibility and trust throughout the organization.

Consequences of poor leadership include:

Lack of customer focus, resulting in business processes that are unresponsive to rapidly changing customer requirements and ineffective in satisfying customer needs;

No clear sense of direction or future pull that motivates key people to stretch themselves and take the risks to:

Learn and keep up with the pace of change

Develop new skills and competencies

Acquire new knowledge

Seek and find opportunities for new markets and products

Add new and different value to existing products and services and

Continuously improve business processes

Lack of management credibility and trust within the organization

Employees feel unappreciated, lack inspiration and enthusiasm, don't feel empowered to act, do not really know what is expected of them and are too willing to accept "business as usual"

People within the organization are ineffective in making cross-functional teams work

The organization is not sufficiently innovative to meet the competition.

Leadership is absolutely essential to successful business risk management, change management, business process reengineering and continuous business process improvement.

Authority/Limit Risk

Ineffective lines of authority may cause managers or employees to do things they should not do or fail to do things they should.

Failure to establish limits on personnel actions may cause managers or employees to commit unauthorized or unethical acts, or to assume unauthorized or unacceptable business risks.

For example, senior management and the Board either (1) does not approve a transaction or decision or (2) does not specify the process and criteria by which the transaction or decision is to be approved:

In defining the responsibilities and authorities of key employees, management does not clarify the terms or boundaries of those responsibilities and authorities, e.g., what they can not or should not do. Clear boundaries and limits, defined in accordance with a business risk management strategy or prudent business policy, are important because they create focus, restrict or preclude non-controllable business activities, place caps on unacceptable risk taking and losses in high risk areas, clarify management's authorization criteria, and define parameters for corporate conduct.

With respect to areas in which significant risks are taken or significant assets are entrusted to a few specialists (e.g., derivatives and eBusiness), management does not understand who is doing what, how often and why, and the extent and magnitude of the risks the experts assume on the Group's behalf.

Managers and employees are given responsibilities that are inconsistent with the Group's objectives, strategy and prudent business risk management practice.

Managers and employees do not believe they are empowered to act, so they do not act when action is clearly warranted. In these circumstances, fear and distrust may even be widespread in the organization.

Outsourcing Risk

Outsourcing activities to third parties may result in the third parties not acting within the intended limits of their authority or not performing in a manner consistent with the organization's strategies, objectives and desired results. There are two elements of outsourcing risk. First, there is the risk that outside parties do not act within their defined limits of authority and do not perform in a manner consistent with the values, strategies and objectives of the Group. Second, there is the risk that strategic business processes outsourced ultimately create competition for the outsourcing business units. For example:

TPAs may settle or negotiate claims, provide information technology services or other services outside the limits established by the Group. There may be a risk that transactions outside of the TPA's authority are consummated but not documented or that limits on the service provider's authority have not been properly defined in the first place.

The motivation and activities of a TPA may not be consistent with the strategic goals of the Group. Emphasis or lack of emphasis on particular products, services or qualities of the Group may limit the effectiveness of the TPA or minimize the Group's success.

If the Group contracts with the TPA without focusing upon the ultimate customer's value chain, the risk of the TPA competing for business increases significantly. For example, outsourcing the mortgage origination and servicing function could allow the third party processor to compete on similar products and service offerings.

The TPA and its staff are not held to the same conduct and behavioral standards as are the employees of the Group. Employees of the TPA do not understand or are not committed to same values, mission and strategies of the Group.

Performance Incentives Risk

Unrealistic, misunderstood, subjective or non-actionable performance measures may cause managers and employees to act in a manner inconsistent with the Group's objectives, strategies and ethical standards, and with prudent business practices.

Managers and employees are monitored with performance measures that create incentives to act in a manner that is inconsistent with the Group's business objectives, strategies, ethical standards, and prudent business practice. Managers and employees do not believe in the performance measures used by the Group because they are not realistic, understandable, objectively determinable, or actionable.

The Group's compensation system is not integrated with the performance measurement system. As a result, employees are (or perceive that they are) compensated in a fashion that is inconsistent with the Group's objectives, strategies, vision and values.

Change Readiness Risk

The people within the Group are unable to implement process and product/service improvements quickly enough to keep pace with changes in the marketplace. This may be due to lack of skill sets, knowledge or a dynamic corporate culture.

Communications Risk

Ineffective communication channels may result in messages that are inconsistent with authorized responsibilities or established performance measures. Communications vertically (top-down and bottom-up) or horizontally (cross-functional) within the Group are ineffective and result in messages that are inconsistent with authorized responsibilities or established measures. As a result, managers and employees:

Are confused as to what the Group or business unit's mission, objectives and strategies are.

Do not communicate upwards what senior managers need to know to stay in touch with what is really happening in the business.

Do not receive timely direction/update or counsel from senior management so that they feel they are unsupported and isolated.

Do not have or will not use an employee response program, such as a Hotline, Helpline or Advice Line, to obtain advice and guidance from a responsible company official before they act.

Do not work together cross-functionally to continuously improve processes and satisfy customers' needs.

INFORMATION PROCESSING/TECHNOLOGY RISK

Information processing/technology risk is the risk that the information technologies used in the business are not efficiently and effectively supporting the current and future needs of the business, are not operating as intended, are compromising the integrity and reliability of data and information, are exposing significant assets to potential loss or misuse, or threaten the Group or business unit's ability to sustain the operation of critical business processes.

Relevance Risk

Irrelevant information created or summarized by an application system may adversely affect decisions of the users.

Relevance risk is the risk that information is not relevant to the purposes for which it is collected, maintained or distributed. This risk relates to the usability and timeliness of information that is either created or summarized by an application system. Relevance risk ties directly to "Information For Decision Making Risk" as it is the risk associated with not getting "the right data/information to the right person/process/system at the right time to allow the right action to be taken". This risk arises frequently from a failure to fully understand information needs and a lack of attention to timeliness issues.

Integrity Risk

Loss of integrity in the management of the information system infrastructure may result in unauthorized access to data, irrelevant data or untimely delivery of data, or loss of integrity in the application systems that support the Group business processes may result in unauthorized, incomplete or inaccurate processing of transactions. This risk encompasses all of the risks associated with the authorization, completeness, and accuracy of transactions as they are entered into, processed by, summarized by and reported on by the various application systems deployed by the Group or business unit. These risks pervasively apply to each and every aspect of an application system used to support a business process, and are present in multiple places and at multiple times throughout the application systems; however, they principally manifest themselves in the following components of an application system:

User Interface - Risks in this area generally relate to whether there are adequate restrictions over which individuals are authorized to perform business/system functions based on their job requirement and the need to enforce a reasonable segregation of duties. Other risks in this area relate to the adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.

Processing - Risks in this area generally relate to whether there are adequate preventive or detective balancing and reconciliation controls to ensure that data processing has been complete and timely. This risk also encompasses risks associated with the accuracy and integrity of reports (whether or not they are printed) used to summarize results and/or make business decisions.

Error Processing - Risks in this area generally relate to whether there are adequate processes and other system methods to ensure that any data entry/processing exceptions that are captured are adequately corrected and reprocessed accurately, completely and on a timely basis.

Interface - Risks in this area generally relate to whether there are adequate preventive or detective controls to ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system to which it feeds data/information.

Change Management - Risks in this area may be generally considered part of Infrastructure Risk, but they significantly impact application systems. These risks are associated with inadequate change management processes, including user involvement and training as well as the process by which changes to any aspect of an application system are both communicated and implemented.

Data - Risks in this area may also be generally rooted in and considered part of Infrastructure and/or Access Risks, but they significantly impact application systems. These risks are associated with inadequate data management controls, including both the security/integrity of processed data and the effective management of databases and data structures.

Integrity can be lost because of programming errors (e.g., good data is processed by incorrect programs), processing errors (e.g., transactions are incorrectly processed more than once against the same master file), or management/process errors (e.g., poor management of the system maintenance process).

Access Risk

Failure to adequately restrict access to information (data or programs, in physical form or otherwise) may result in unauthorized knowledge and use of confidential information, or overly restricting access to information may preclude personnel from performing their assigned responsibilities effectively and efficiently. Inappropriate people may be able to access confidential information. Appropriate personnel may be denied access. Access risk is pervasive, i.e., it includes access to information for any purpose (e.g., read, copy, etc.).

Access risk focuses on the risks associated with inappropriate access to systems, data or information. It encompasses the risks of improper segregation of duties, risks associated with the integrity of data and databases, and risks associated with information confidentiality, etc. Access risk can occur at any, or all, of the following five levels:

Network - The mechanism used to connect users within a processing environment. The access risk in this area is driven by the risk of inappropriate access to the network itself.

Processing Environment - The host computer system where application systems and related data are stored and processed. The access risk in this area is driven by the risk of inappropriate access to a processing environment and the programs or data that are stored in that environment.

Application System - The programs that are used by users to process information that is relevant to their business processes. The access risk in this area is associated with inappropriate segregation of duties that might occur if access to systems was granted to persons with no clear business need. For example, few people in a business unit should require access to a wire transfer authorization system.

Functional Access (within an application).

Field Level Access (within a function).

Existence of Access Risk relating to "failure to adequately restrict access" would mean the existence of Integrity Risk, but this is not true of the Access Risk relating to "overly restricting access". If the Access Risk is rooted in the system infrastructure (i.e., logical security and security administration), its existence would mean the existence of Infrastructure Risk. Because of its pervasive and specific nature, and given its wider scope of definition, it warrants a separate risk category in the risk dictionary.

Availability Risk

Unavailability of important information when needed threatens the continuity of the Group's critical operations and processes.

Includes risks such as loss of communications (e.g., cut cables, telephone system outage, satellite loss), loss of basic processing capability (e.g., fire, flood, electrical outage) and operational difficulties (e.g., disk drive breakdown, operator errors).

Availability risk focuses on three different levels of risk:

Risks that can be avoided by monitoring performance and proactively addressing systems issues before a problem occurs.

Risks associated with short-term disruptions to systems where restore/recovery techniques can be used to minimize the extent of a disruption.

Risks associated with disasters that cause longer term disruptions in information processing and which focus on controls such as backups and contingency planning.

The Group's capability to continue critical operations and processes may be highly dependent on availability of certain information systems. If critical or important systems went down for an unacceptable period, the Group would experience difficulty in continuing operations. Critical and important information systems that are not available to sustain operations can result in: loss of revenue, cash flow and profits; loss of competitive advantage; dissatisfied customers and loss of market share; increased costs; loss of employee morale; and even fines and sanctions.

Infrastructure Risk

The risk that the Group does not have an effective information technology infrastructure (e.g., hardware, networks, software, people and processes) to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion.

These risks are associated with the series of Information Technology (IT) processes used to define, develop, maintain and operate an information processing environment (e.g., computer hardware, networks, etc.) and the associated application systems (e.g., loans, deposits, etc.). The risks are generally considered within the context of the following core IT processes:

Organizational planning - The risk that:

Information technology plans are not integrated with current and future business plans resulting in inadequate decision making and planning.

IT personnel are inadequately organized to meet the needs of the business.

IT personnel are inadequately trained in current or future technologies.

Application system definition and deployment - The risk that:

Efforts to define user needs for new systems solutions are ineffective, resulting in an inaccurate or incomplete definition or design.

Conceptual designs are not adequate resulting in "build versus buy" decisions that are based on an incomplete understanding of the facts.

Development efforts are not planned or managed resulting in wasted efforts, significant cost overruns or possible abandonment.

Purchased or developed systems do not have the appropriate internal controls to meet business user needs.

Development efforts do not follow a consistent approach for confirming user satisfaction and system functionality resulting in system solutions that do not work or do not meet business needs.

Untested or otherwise inappropriate changes are made to the production environment resulting in a loss of system integrity and/or control.

Implementation efforts do not adequately consider user training and other change management efforts resulting in an ineffective implementation.

Logical security and security administration - The risk that inappropriate access is gained to critical systems, data or transactions (either by company personnel or outsiders), resulting in either the loss of data/information integrity or disclosure and/or misuse of confidential information.

Computer and network operations - The risk that computers and/or networks are not effectively managed, resulting in performance or capacity issues for business users. The risk that critical processes performed by computer and/or network operations personnel are not performed in accordance with described procedures and time frames, resulting in incomplete or inaccurate information processing.

Data and database management - The risk that data and/or databases lack the integrity needed to support business decisions or that end users do not understand data sufficiently to support their reporting and decision making needs.

Business/data centre recovery - The risk that systems, processes and data/information cannot be restored following a disruption in a timely fashion to support the operating needs of the business.

Lack of effective and well-controlled business processes in each of these areas is usually the root cause of Access, Relevance, and Availability risks (see other information processing/technology risks) and application systems process integrity risks (see Integrity Risk).

ORGANISATIONAL INTEGRITY RISK

Organizational Integrity risk is the risk of management fraud, employee fraud, and illegal and unauthorized acts, any or all of which could lead to reputation degradation in the marketplace or even financial loss. Its root cause is different from the Integrity Risk under the Information Processing/Technology Risk as it is originated from human or organizational behavior.

Management Fraud Risk

Management fraud (e.g., intentional misstatement of financial statements) may adversely affect external stakeholders' decisions. Management issues misleading financial statements with intent to deceive the senior management, holding company, investing public and the external auditors, or engages in bribes, kickbacks, influence payments and other schemes for their own benefits or for the benefits of the business unit or the Group.

Employee Fraud Risk

Employees, individually or in collusion with customers or suppliers, perpetrate fraud against the Group or business unit for personal gain (e.g., misappropriation of physical, financial or information assets), exposing the Group to financial loss. There is also potential for legal exposure, negative publicity (embarrassment) and an adverse impact on operations (loss of confidence by customers, suppliers or providers of finance).

Illegal Acts Risk

Illegal acts committed by managers or employees, individually or in collusion, place the Group, its directors and officers at risk of the consequences of their actions, e.g., imprisonment, fines, sanctions, suspension of business (in a country, with a particular agency, with a specified class of customer or for a specified group of products), lost profits, loss of customers and damage to reputation.

This risk will exist together with Compliance Risk if the illegal act in question is explicitly prohibited by the internal policies/guidelines or external regulations/law provisions.

Unauthorized Use Risk

Unauthorized use of the Group's physical, financial or information assets by employees or others exposes the organization to unnecessary waste of resources and financial loss, i.e.:

Physical and financial assets are used for unauthorized or unethical purposes by employees or others.

Information and proprietary assets (e.g., designs, processes, customer lists, information and knowledge, formulas, pricing strategies and other trade secrets, etc.) are compromised by industrial espionage, resulting in loss of competitive advantage.

The existence of this risk may be rooted from the existence of Access Risk.

Reputation Risk

Damage to the Group's reputation exposes it to loss of customers, profits, employees and the ability to compete, due to perceptions that it does not:

Deal fairly with customers, suppliers and stakeholders.

Know how to manage its business.

Loss of customers means the loss of future revenue streams. Loss of employees means the loss of the talent, skills and expertise needed to run the business. Loss of ability to compete may mean ultimately going out of business.

The existence of this risk may be due to the existence of other risks, e.g., Customer Satisfaction Risk, Business Interruption Risk and Integrity Risk.

FINANCIAL RISK

Process risk in a financial context arises when operating policies and procedures do not adequately control exposure to the financial markets. Process risk may result in outright losses or in opportunity costs because financial operations do not support the objectives of the business in a cost-effective way.

Financial risks which must be managed fall into three broad

Market Risk

Liquidity Risk

Credit Risk

MARKET RISK

Market risk is the exposure of earnings or net worth to changes in market factors (e.g. interest rates, currency rates, indices) which affect income, expense or balance sheet values.

Market risk is normally managed by the treasury function, although this may vary from organization to organization. For example, the banking business has the treasury department to manage dealing and investment securities, the insurance business has a specialized investment department to manage asset price risk. While monitoring and dealing with the existing securities, the treasury function may manage market risk as part of its acquisition/trading operations of both existing and future securities in the portfolio.

Exposure to market risk is typically evaluated in terms of:

Volatility - A measure of the probability and magnitude of fluctuations in prices or values from one time period to another. Volatility measures are tools for assessing the impact of market risks on business performance (e.g. the sensitivity of interest expense to changes in KLIBOR, LIBOR and the Prime Rate).

In general, risk increases as volatility increases. For example, short term interest rates are typically more volatile than long term rates, while some currencies are substantially more volatile than others.

Duration - The weighted average maturity of a set of cash flows (principal and all interest payments), and an estimate of the sensitivity of those cash flows to changes in market prices. Duration is typically used as a tool for assessing the risk associated with the different economic lives of assets (revenues) and liabilities (expenses). For example, duration can be used to estimate the potential impact on net worth of funding long term assets with short or intermediate term debt.

In general, financial risk increases with duration, i.e., the further in the future a bond is paid out, the more volatile is its value.

Market risk management needs to be sensitive to:

Derivative Risk

The risk that a derivative instrument does not achieve management's business objectives. On the one hand, a derivative instrument intended to be a hedge may be inappropriately structured and create a speculative exposure. Alternatively, in the current environment, there is a significant risk that derivatives are not used when their use would improve yields and/or protect cash flows.

Modeling Risk

Exposure to loss as a result of mis-measurement of price risk, particularly for commercial or financial exposures which require complete simulation models or for which readily observable prices are not available. Financial models are only as reliable as their underlying assumptions.

Interest Rate Risk

Significant movements in interest rates away from forecasts expose the Group to higher borrowing costs and lower investment yields.

Interest rate risk includes:

The income risk that a future spot interest rate will deviate from an expected value, resulting in:

lower-than-expected investment yields, or

higher-than-expected borrowing or deposit costs.

The valuation risk associated with holding a fixed-yield financial instrument (e.g., hire purchase loans, zero coupon bonds) when market yields change.

Interest rate risk can result in reduced earnings in absolute terms, or in a deterioration of the Group's competitive position in the industry. There are different forms of interest rate risk (e.g., basis risk, yield curve risk, spread risk, etc.) which are categorized and discussed below under "Financial Instrument Risk". Because of the nature of its business, changes in interest rates can adversely affect the cash flow.

Currency Risk

Volatility in foreign exchange rates exposes the Group to economic and accounting losses.

Currency risk is the exposure to fluctuations in exchange rates, and may arise as a result of:

Business activities or operations in foreign markets.

Investment in securities issued by overseas entities.

Investment in securities which are denominated in a foreign currency.

Exposure to currency risk means that the Group or business unit is in a position to experience an economic or accounting benefit if exchange rates move in one direction or suffer an economic or accounting loss if exchange rates move in the other.

Foreign currency risks are generally classified as economic, transaction and translation risks:

Economic Risk - Currency exposure associated with future cash flows, including:

Strategic or Competitive Risk - The extent to which the Group's currency profile places it at a competitive advantage or disadvantage in the event of significant changes in exchange rates. Strategic exposures may substantially exceed known transaction volumes, and may relate to currencies in which the Group has no direct cash flow exposure. To evaluate strategic risk, it is necessary to examine a broad range of competitive practices, including the number of customers in the industry, the functional currency of industry competitors, and market demand.

Net Monetary Risk - Exposure to exchange gains or losses on monetary assets or liabilities of foreign operations which are denominated in a currency other than the functional currency of that operation (e.g., U.S. debt held by Hong Kong operations). Net monetary exposures may have tax consequences in the foreign country, as well as cash flow consequences if assets or liabilities are converted into the local currency.

Transaction Risks - Exposure to movements in exchange rates on specific cash flows. The longer an exposure is outstanding, the greater the risk of unfavorable currency movements. Transaction risks include:

Firm Commitment Risk (including dividends) - Exposure between contractual commitment in a foreign currency and the date of settlement. For example, a contractual commitment may require settlement of the transaction in a foreign currency at a specified or unspecified future date. Transaction exposures are the effects of currency movements on the Group's outstanding firm commitments. This risk also includes anticipated cash transfers over the foreseeable future (generally within the next 12-18 months) from a subsidiary, branch or business unit operating in a foreign country, which creates currency exposure for both the remitting entity and the parent.

Budget Risk - Exposure to income loss as a result of currency rates which differ from the assumptions included in the corporate business plan.

Cash Flow Risk - Exposure to cash flow changes as a result of foreign taxes on income in a foreign currency which is not reflected in earnings in the Group's home or reporting currency.

Translation Risk - Exposure to adverse effects on the financial statements as a result of currency fluctuations. The method of translating foreign currency financial statements into the reporting currency may significantly affect net margins, net asset and liability positions, and net equity positions.

Equity Risk

Equity risk is the exposure to fluctuations in the income stream from and/or value of equity ownership in an incorporated entity as a result of investment in shares of publicly traded entities, private placements, etc. It may arise as a result of:

Investment in shares of publicly traded entities, including holdings in a portfolio of equity securities.

Investment in private placements.

Investment holdings of debt convertible into equity.

Foreclosure of collateral.

Repayment of debts via issuance of equity shares by the obligors in debt restructuring.

Commodity Risk

Commodity risk is considered either a financial markets risk or operational risk depending on the industry.

As an operational risk, commodity risk is the exposure to fluctuations in prices of commodity-based materials or products. Because commodities are, at the margin, a substitute for money, commodity price risk is often considered a financial markets risk.

Examples of commodity price risk from the perspective of a financial institution:

When the Group chooses to invest in gold futures or options to implement a diversification strategy for managing investment risk.

The lending exposure of secured agricultural loans to falling commodity prices.

The exposure of derivatives/trading portfolios to changing prices of underlying commodities (commodity futures contracts, commodity swaps, etc.)

Financial Instrument Risk

Financial market risk can vary depending on the particular segment of the market to which the holder of a financial instrument is exposed, or the way in which the exposure is structured. These risks include:

Anticipated Exposure Risk

Financial exposure associated with future events which are highly probable but not contractual, e.g. the impact of exchange rate fluctuations on cash flows which are highly certain, but for which no contractual commitments are in place (e.g., profits from a business unit operating in a foreign country). Typical exposures arise in conjunction with interest rates associated with future borrowings or investments.

Yield Curve Risk/Yield Shape Risk

The yield curve describes the relationship between the yields and the term to maturity of a financial instrument. Yield Curve/Yield Shape Risk is the risk that the slope of the curve will change significantly from the Group's/business unit's expectations at the time it planned its financial strategies. Examples of yield curve risk include a steep increase in the cost of forward currency hedges because of increases in one year interest rates.

Basis or Spread Risk

Exposure to changes in the price/yield differential between two financial markets or instruments (e.g., a change in the risk premium on corporate bonds relative to treasuries of the same maturity, or between two floating rate indexes).

In a corporate environment, basis risk often refers to the residual financial risk that remains after a financial hedge has been put in place. For example, in the case of interest rate swaps, the basis is the difference between two floating rate indexes. Basis risk is the risk that the fluctuation in the two indexes is less than perfectly correlated. Thus, the Group may convert floating rate debt to fixed; basis risk exists if the swap pays LIBOR, while the business unit's funding strategy is based on U.S. CP rates.

Option Risk (also referred to as Contingent or At-Bid Risk)

Exposure to discontinuous changes in cash flows or income as a result of option-type contracts which may be embedded in other financial instruments, or acquired on a stand-alone basis.

Time Lag Risk

Exposure to price changes from the time the decision to invest/borrow/buy/sell occurs and the execution of the transaction.

Reinvestment/Refinancing Risk

Exposure to changes in the general level of interest rates as a result of a mismatch in the timing at which assets and liabilities are funded, i.e., changes in the general level of prices and yield between the initial investment and the date at which the cash flows from an investment are due to be reinvested.

Rollover Risk

Rollover risk describes exposure to an adverse change in the yields/prices available in a given market at a given moment in time. Rollover risk typically arises when a borrower or investor must reprice a significant cash flow on a single date or within a very short period of time.

A hedging strategy in which all swaps are repriced on the same day each quarter leaves the Group vulnerable to rate swings due to market or financial news, or to dealer "greed".

Rollover risk increases significantly if the repricing position has a material impact on income or expense. Implementing the hedging strategies by locking into massive positions that roll over at predictable times to maintain hedging coverage may expose the Group to traders who learn of this strategy and use that knowledge to profit at the Group's expense.

Derivative Risk

The risk that a derivative instrument does not achieve management's business objectives because:

It is intended to be a hedge, but is inappropriately structured and creates a speculative exposure.

It is not used when its use would improve yields and/or protect cash flows. This situation arises when a currency, interest rate, commodity or equity exposure should be hedged but is left exposed, resulting in significant losses to the Group.

Liquidity

Liquidity risk is the exposure to loss as a result of the inability to meet cash flow obligations in a timely and cost-effective manner.

Liquidity risk often arises as a result of an investment portfolio with a cash flow and/or maturity profile which differs from the underlying cash flows dictated by the Group's or the business unit's operating requirements and other obligations. Operating requirements, debt service, capital expenditures and other cash outflows can require premature liquidation of assets, which can lead to reduced yields and/or unplanned realized gains or losses.

Cash Flow Risk

The inability of the Group or business unit to fund its operational or finance obligations which, in extreme cases, may lead to default or loss of business. For example:

The bank or the finance company or the merchant bank is unable to meet its net funding requirements.

Changes in interest rates and economic conditions can adversely affect a business that is highly leveraged, increasing liquidity risk.

Opportunity Cost Risk

The use of funds in a manner that leads to the loss of economic value, including time value losses, transaction costs and other causes of loss of value, including:

Time value losses due to delays in investment of funds, etc. The consequences of these delays could result in some subsidiaries borrowing while others are investing.

Transaction costs due to inappropriate or inefficient management of cash flows (e.g., the need to borrow high cost funds or sell securities at a loss because of the failure to match the maturities of short-term investments to settlement dates on operational or financial obligations).

Other causes of loss of value, including indifference to yield-enhancement strategies and ineffective yield-curve management. Earnings exposure when funds are invested in a manner that does not generate sufficient returns to cover costs, profits and risk. Investment losses result from the failure to obtain an adequate return given the degree of risk which is incurred.

Concentration Risk

The risk of loss resulting from the inability to liquidate financial market exposures in a "thin" market. For example:

Use of financial products in which the Group or business unit has a dominant position (e.g., an excessive share of the open interest in financial futures or commodity contracts in a given month), so that exposure cannot be liquidated without moving the market.

Use of financial products in which there are unusual market conditions (e.g. wide bid-ask spreads which create uncertainty as to the true value).

Use of "proprietary" financial products which can only be closed out by offsetting contracts with the selling dealer, i.e., it may be difficult to find a counterparty willing to enter into a transaction in a timely manner.

Excessive reliance on a small number of funding sources which may leave the Group or business unit vulnerable to predatory pricing or inability to obtain funds when needed.

Credit Risk

Credit risk describes the exposure to actual loss or opportunity cost as a result of the default (or other failure to perform) by an economic or legal entity (the debtor or obligor) with which the Group does business.

Credit risk is the risk of loss arising because counterparties fail to perform according to their contractual obligations. This is accentuated by position concentration with a group of counterparties and increases in importance with the sophistication and diversity of market players.

Credit risk management is typically driven by requirements for control over the quality of the customer base. The Group's credit management and collection policy should appropriately balance the trade-off between (a) maximizing service/loan volume and (b) minimizing loss from uncollectible accounts. If this process for evaluating credit risk does not work effectively, it can constrain business growth or create unacceptable credit risks, including excessive write-offs and collection costs.

Default Risk

Default of a counterparty or obligor on a contract exposes the Group or business unit to financial loss. Default Risk can be further analyzed into the following:

Delivery Risk - An entity which has taken credit facilities or delivery of services defaults on the payment and/or goes into bankruptcy.

Issuer Risk - An entity which has issued debt securities held in an operating surplus account or pension fund portfolio defaults on the payment of maturing debt and/or goes into bankruptcy.

Counterparty or Market Risk - A trading partner is unable to fulfill its obligation on a contract (e.g. a swap or a forward commodity contract) on which there is a positive mark-to-market value for the defaulting party.

For example, counterparties agree to make periodic payments to an intermediary institution pursuant to a swap agreement. The agreement specifies the currencies to be exchanged (which may or may not be the same), the rate of interest applicable to each (which may be fixed or floating), the timetable by which payments are to be made, and other provisions defining the relationship between the parties. Swap intermediaries are independently obligated to all their counterparties, e.g., even though a dealer may be viewed as an intermediary between end users, its obligation to each end user counterparty is independent of its obligations to the others.

Some industrial company customers use derivatives to hedge some business risk they do not want (such as the risk of an increase in interest rates or a fall in the value of a currency). The risk is passed on to a dealer, who, in turn, may hedge it with a separate contract with another dealer, an end user or a speculator who accepts the risk. These counterparties typically include other commercial banks and merchant banks, other industrial companies, insurers and other financial services firms, etc. If a counterparty to a contract fails to perform its obligations as defined under that contract, the dealer must seek a replacement swap with terms identical to those of the defaulted swap. If the dealer is unable to find a replacement, it incurs a financial loss from the default.

Because of the size of most dealers (e.g., the big commercial banks and the major securities firms), most end-users consider the risk of dealer default negligible. However, a crisis at a major dealer could trigger a market disruption which would adversely affect all participants in the market. See also Systematic Risk under Financial Market Risk.

Concentration Risk

The risk of excessive loss due to inappropriate emphasis of sales volume or revenues on a single customer, industry, country or other economic segment.

Settlement Risk

Different settlement times between the capital markets of the group and its counterparties expose the group to a short term risk of counterparty default on obligations.

In a financial context, settlement risk - also called "delivery risk" - arises when financial counterparties effect their payments to each other at different times or in different locations. The first paying party is exposed to the risk that the later paying party will fail to perform, due to delay, system failure or default. In essence, one party performs its obligations under the contract, but has not yet received value from its counterparty.

Settlement risk is typically short-term (less than 24 hours). For example, Hong Kong capital markets close for the day before the U.S. markets open, resulting in delivery risk to the U.S. counterparty on a swap at the time of the principal exchange. Settlement risk becomes default risk if a counterparty defaults during the settlement cycle.

COLLATERAL RISK

This is the risk that the value of an asset provided as collateral for a loan, lease or commitment may be partially or totally lost. For example:

Significant declines in real estate or equipment values and economic activity in areas where the Group or business unit has concentrated its loan portfolio can pose significant risks.

Collateral provided for a loan declines in value or is lost because of unauthorized divestiture or use.

Collateral held by a third party declines in value or is lost because the party goes out of business.

Collateral provided by a counterparty on the net amount by which a swap with another party is out of the money.

Change in the legal status of borrowers (e.g. bankruptcy).

INFORMATION FOR DECISION-MAKING RISK

Information for decision making risk is the risk that information used to support strategic, operational and financial decisions is not relevant, timely or reliable.

Much decision making is acting on performance measures or the results of industry business process or financial analysis. If measures have not been aligned with business strategies or are not realistic, understandable and actionable, they will not focus people on the right things and will provide incentives for decisions that are inconsistent with the strategies. If the measures and other business information used in decision making are not reliable or relevant, they either will be ignored or will drive the wrong behavior.

Type of Risk - Definition

PROCESS/OPERATIONAL DECISION MAKING RISK

Operational information for decision making risk is the risk that information used to support operational decisions is not relevant or reliable.

Product Pricing Risk

Lack of relevant and/or reliable information supporting pricing decisions may result in prices or rates that customers are unwilling to pay, do not cover development and other costs or do not cover risk exposures assumed by the Group or business unit.

There are many forms of pricing risk:

The Group's or business unit's price is more than customers are willing to pay because the Group's or business unit's pricing strategies are not based on market research or other systematically obtained customer-driven information.

Products are priced in relation to market forces but are not profitable due to competitive funding differences.

The Group's or business unit's pricing for certain products does not cover their production and distribution costs because of inadequate product and distribution cost information.

The Group or business unit takes on foreign customers, maintains price lists or signs long-term contracts and is exposed to currency risks because sales managers do not understand such risks when making pricing decisions.

Contract Commitment Risk

Lack of relevant and/or reliable information concerning contractual commitments outstanding as of a point in time may result in subsequent incremental contractual commitment decisions that are not in the best interest of the Group.

The Group or business unit does not have relevant and/or reliable information that effectively tracks contractual commitments outstanding at a point in time, so that the financial implications of decisions to enter into incremental commitments can be appropriately considered by decision makers.

Commitments embedded in contractual agreements include currency risk sharing arrangements. Swaps, options, futures and other derivatives also create contractual commitment risk. If the risks associated with these commitments are not understood and managed on an aggregate basis, decision makers will be making operating decisions in isolation that may not be in the best interest of the Group as a whole (i.e. they may accept risks they should reject or reject risks they should accept).

Actionable (e.g., they are not controllable; there is nothing a decision maker can do to change the process to influence the behavior of the measures).

Initiators of change (e.g., they do not stimulate continuous process improvement).

Alignment Risk

The objectives and performance measures of the Group's business processes are not aligned with its overall business objectives and strategies. The objectives and measures do not focus people on the right things and lead to conflicting, uncoordinated activities.

FINANCIAL AND BUSINESS DECISION MAKING RISK

Business reporting information for decision making risk is the risk that information used to support business decisions is not relevant or reliable.

Budget and Planning Risk

Non-existent, unrealistic, irrelevant or unreliable budget and planning information may cause inappropriate financial and business conclusions and decisions. Budgets and business plans are not:

Realistic.

Based on appropriate assumptions.

Based on cost drivers and performance measures.

Accepted by key managers.

Useful or used as a monitoring tool.

Aligned with longer term strategic objectives.

Accounting Information Risk

Over-emphasis on financial accounting and/or actuarial information to manage the business may result in the manipulation of outcomes to achieve financial targets at the expense of not meeting customer satisfaction, quality and efficiency objectives.

Financial accounting information is used to manage business processes and is not properly integrated with non-financial information focused on customer satisfaction, measuring quality, customer/product profitability and increasing efficiency. The result is a myopic, short-term fixation on manipulating the outputs of business processes to achieve financial targets, rather than fulfilling customer expectations by controlling and improving processes and products.

Financial Reporting Evaluation Risk

Failure to accumulate relevant and reliable external and internal information to assess whether adjustments to disclosure in financial statements are required may result in the issuance of misleading financial reports to external stakeholders.

Financial reports issued to existing and prospective investors and lenders include material misstatements or omit material facts, making them misleading. Financial reporting evaluation risk usually results from failure to obtain relevant business information from external and internal sources and assess whether adjustments to or disclosures in the financial statements are required to fairly present financial position, results of operations and sources and uses of cash.

Taxation Risk

Failure to accumulate and consider relevant tax information may result in non-compliance with tax regulations or adverse tax consequences that could have been avoided had transactions been structured differently.

Taxation risk has two key elements:

Compliance with all tax regulations, payment and filing requirements.

Significant transactions of the entities in the Group have adverse tax consequences that could have been avoided had they been structured differently.

Taxation risk has the element of Compliance Risk under Process-Operations Risk. However, due to the peculiar nature of taxation-related risks, they are classified under Taxation Risk, which can include:

Risk in relation to deficiency or insufficiency within the Group's internal processes in collating relevant information for taxation purposes.

Failure to consider/use the information for tax compliance and tax benefit maximization purposes.

Compensation and Benefit Risk

Allocation of assets to fund compensation and benefit obligations (i.e. pension plans, deferred compensation plans, retiree medical plans) is insufficient to satisfy the obligations. The consequences of compensation and benefits risk include reputation risk, loss of morale, work stoppages, litigation, and additional funding required of the Group.

Investment Evaluation Risk

Lack of relevant and/or reliable information supporting investment decisions and linking the financial risks accepted to the capital at risk may result in poor short or long-term investments.

Management does not have sufficient financial information to make informed short and long-term investment decisions and link the risks accepted to the capital at risk and the liquidity needs of the Group or business unit.

Regulatory Reporting Risk

Incomplete, inaccurate and/or untimely reporting of required financial information to regulatory agencies may expose the Group to fines, penalties and sanctions.

Environment/strategic information for decision making risk is the risk that information used to support strategic decisions is not relevant, timely or reliable.

Environmental Scan Risk

Failure to monitor the external environment or formulation of unrealistic or erroneous assumptions about environment risks may cause the Group to retain business strategies long after they have become obsolete. Environmental scan risk arises when:

The Group does not have an effective process to obtain relevant information about the external environment.

Key assumptions about the external environment are inconsistent with reality or are not being monitored by the Group.

Failure to monitor and stay in touch with a rapidly changing environment will result in obsolete business strategies.

Business Portfolio Risk

Lack of relevant and reliable information that enables management to effectively prioritize its products or balance its businesses in a strategic context may preclude a diversified organization from maximizing its overall performance.

For the diversified Group having multiple products and/or business units, there is an added dimension to strategic information for decision making risk. Business portfolio risk is the risk that the Group will not maximize business performance by effectively prioritizing its products or balancing its businesses in a strategic context.

This risk applies to evaluating both owned businesses (e.g., to decide whether to invest/grow, maintain/harvest, or divest/liquidate) and prospective businesses (e.g., acquire, joint venture, or strategically align). Current trends in meeting customer residential lending needs are a good example.

Valuation Risk

Lack of relevant and reliable valuation information may preclude owners or prospective owners from making informed assessments of the value of the Group or any of its significant segments in a strategic context.

Management and key decision makers are unable to reliably measure the value of specific business or any of its significant segments in a strategic context. This risk affects the evaluation of both owned businesses (e.g., to decide whether to invest/grow, maintain/harvest, or divest/liquidate) and prospective businesses (e.g. acquire, joint venture, or strategically align).

Performance Measurement Risk

Non-existent, irrelevant or unreliable performance measures that are inconsistent with established business strategies threaten the Group's ability to achieve its long-term strategies.

Organization Structure Risk

Management lacks the information needed to assess the effectiveness of the Group's or business unit's organizational structure, which threatens its capacity to change or achieve its long-term strategies.

The Group's or business unit's organizational structure does not support change or the Group's or business unit's primary business strategies. The Group's values and culture, its infrastructure and how it defines responsibility, authorities and boundaries and limits have a significant effect on its ability to govern and achieve its objectives. These risks are strategic because they affect the Group's:

Allocation, deployment and development of resources.

Tax efficiency

Business process reengineering and business process/technology improvement efforts.

Identification, sourcing, measurement and control of business risks.

Measurement and monitoring of performance

Knowledge of customer needs and expectations.

Resource Allocation Risk

The Group's resource allocation process does not establish and sustain competitive advantage or maximize returns for shareholders.

Planning Risk

An unimaginative and cumbersome strategic planning process may result in irrelevant information that threatens the Group's capacity to formulate viable business strategies. The Group's business strategies are not:

Driven by creative and intuitive input, e.g., it is primarily a result of a formal, time-consuming process weighed down by hard data, extrapolation of past results, "number crunching" and lengthy reports.

Based on current assumptions about the external environment, resulting in strategies that are out-of-date and unfocused. Unrealistic assumptions about the industry and the Group's own relative position can lead to strategic error. For example:

Overestimating industry potential can lead to overbuilding capacity.

Overrating the company's core capabilities can trigger a costly battle to gain share against superior performing competitors.

Effectively programmed in the form of written plans, schedules, budgets, etc.

Communicated consistently and often throughout the Group.

Responsive to environmental change and organizational learning.

Product Life Cycle Risk

Lack of relevant and reliable information that enables management to manage the movement of its product lines and the evolution of its industry along the life cycle threatens the Group's capacity to remain competitive. The Group's approach to managing the movement of its product lines and evolution of its industry along the life cycle (e.g., start-up, growth, maturity and decline) has a significant effect on the ultimate success or failure of its business strategies. For example, management can adopt:

Either an inward or external focus to managing product life cycle costs.

A different strategic focus and operating style as the industry structure evolves from one point within the cycle to another (e.g., from the growth stage to the maturity stage).

A different approach to leading and managing as operations expand significantly to avoid straining existing processes and systems to the point where control breaks down.
