CWBFG Annual Report 2023

OPERATIONAL RISK

Operational Risk is defined as the risk of loss resulting from people, inadequate or failed internal processes and systems or from external events. This includes legal risk but excludes strategic and reputational risk.

Risk Overview

Operational risk is inherent in all of our business activities, including our full-service business and personal banking, specialized financing, wealth management offerings, and trust services. We are exposed to operational risk from internal business activities, external threats and business activities performed or enhanced by third party service providers. Effective management of operational risk improves our operational resilience while limiting potential losses that may result from process and control failures, theft and fraud, unauthorized transactions by employees, regulatory non-compliance, business disruption, information security breaches, cybersecurity threats, exposure to risks related to third-party relationships, and damage to physical assets. Its impact can be financial loss, loss of reputation, loss of competitive position, regulatory scrutiny, or failure in the management of other risks. While operational risk cannot be eliminated completely, proactive operational risk management is a key strategy to mitigate this risk.

Risk Governance

The Non-Financial Risk Committee is responsible for providing risk governance oversight for operational risk management. We have an Operational Risk Management policy and related standards to ensure that all employees understand their responsibilities with respect to operational risk management. The Operational Risk Management policy encompasses a common language of risk coupled with programs and methodologies for identification, measurement, control and management of operational risk.

Our management of operational risk follows the three lines of defence governance model. Business and support areas are the first line of defense and are fully accountable to manage and mitigate the operational risks associated with their activities. The Non-Financial Risk Committee oversees the implementation and adoption of the Operational Risk Management policy and facilitates the involvement of relevant stakeholders in the first and second lines of defense across CWB. Group Risk Management, as the second line, is responsible for the continual enhancement of the Operational Risk Management framework and supporting standards. The Board Risk Committee has ultimate oversight and approves the Operational Risk Management policy.

Risk Management

We apply various risk management frameworks and standards to manage and mitigate operational risks. Management remains close to operations, which helps to facilitate effective internal communication and operational control. Our operational risk management processes are focused to continue to strengthen our risk culture by promoting greater awareness and understanding of operational risk across all three lines of defence and providing ongoing training and communication. We maintain a continued focus to enhance operational risk management processes as risks evolve.

Our Operational Risk Management standard describes how the principles of the Operational Risk Management policy are put into practice and defines accountabilities and required participation from various teams across the three lines of defence. The framework sets out the processes to identify, assess, monitor, measure, report and communicate on operational risks. Key elements of the framework include:

• Common definitions - We incorporate standard risk terms and key operational risk definitions in our Operational Risk Management standard and supporting policies. We have adopted a Risk Taxonomy that is the basis for all operational risk management reporting, with loss events and identified risks categorized consistently.
• Risk control assessments - We utilize Risk Control Assessments (RCA) to develop a forward-looking view of operational risk exposure based on proactive identification of key sources of operational risk exposures. The results of RCAs are aggregated across CWB to evaluate the key sources of operational risks and compare relative exposures from different business activities;
• Risk reporting - Loss data monitoring is important to maintain awareness of identified operational risks and to assist management to take constructive action to reduce exposure to future losses;
• Root cause analysis - For significant operational risk events we employ a standardized methodology to identify the underlying cause of the operational risk event and document the corrective actions taken to avoid similar events in the future, and opportunities for training and education;
• New initiative risk assessments - Integrated with our change management process, the assessment requires initiative owners to proactively identify key risks and conduct detailed RCAs for high-risk new initiatives;
• Key risk indicators - We utilize key risk indicators to monitor the main drivers of exposure associated with key operational risks, which can also provide insight into control weaknesses and help to determine residual risk. Risk and performance indicators are used to identify risk trends and prompt actions and mitigation plans to be undertaken; and,
• Scenario analysis - We utilize scenario analysis to identify potential operational risk events and assess their potential impact on CWB. Scenario analysis is an effective tool to consider potential sources of operational risk and the need for enhanced risk management controls or mitigation solutions.

In addition to the second line Operational Risk Management standard, we maintain several additional standards aligned with our Operational Risk Management policy to manage and mitigate specific types of differentiated operational risks.

The regulatory framework requires certain amounts of capital to be allocated to support operational risk. We use the Simplified Standardized approach to measure the notional risk-weighted asset that we hold against operational risk.
