Enterprise Risk Management Framework
A clear understanding of risks surrounding the business activities is crucial for any organization to create sustainable stakeholder value in executing its strategies. It is therefore essential to reinforce the overall strategy of an organization with a prudent risk management framework so that the opportunities are optimized while minimizing the effects of downside risks.
The approach to managing risk is outlined in PNB’s Enterprise Risk Management Framework (ERMF). This details the risk management process: the activities, tools, and organizational structure that ensure material risks are identified, measured, monitored, and managed throughout the entire organization. The Bank also relies strongly on the Three Lines of Defense model as an effective method of enhancing communication about risk and control across the Bank’s units, with clear roles and responsibilities:
The first line of defense is made up of the Bank’s lines of business and legal entities. The business units are ultimately responsible for managing the Bank’s risks through proactive risk identification as well as the design and implementation of risk mitigants and control mechanisms.
The second line of defense comes from the Risk Management, Compliance, and Information Security/Cyber Security functions of the Bank, all of which are independent of business operations. The Risk Management Group, headed by the Chief Risk Officer (CRO), implements the risk management framework, provides independent oversight, and reports regularly to the Risk Oversight Committee (ROC). The Enterprise Information Security Group (EISG) manages the Bank’s Information Security/Cyber Security Risk and is headed by the Chief Information Security Officer (CISO), who also reports to the ROC on matters concerning information security and cyber security. The Global Compliance Group (GCG) is responsible for the effective implementation of the Bank’s compliance program, aimed at the timely identification and mitigation of legal and regulatory risks that may erode the franchise value of PNB. GCG, which is headed by the Chief Compliance Officer (CCO), reports directly to the Board Audit and Compliance Committee (BACC).
The third line of defense is performed by the Internal Audit Group (IAG), headed by the Chief Audit Executive (CAE). IAG provides an independent assessment of the adequacy and effectiveness of the Bank’s risk management, risk control, compliance, and governance functions. IAG reports directly to the BACC.
By instituting a disciplined risk management culture and framework, PNB ensures oversight and accountability for risk at all levels of the organization and across all risk types. The Board of Directors, through the ROC and BACC, exercises oversight and provides guidance to the Bank’s experienced Senior Management Team, which, through the Management Risk Committee (MRC), works closely with the business lines in managing risk. A strong risk culture that runs through every level of the organization ensures effective implementation of the ERMF not only within the Bank, but also across its subsidiaries and affiliates.