62

BUSINESS REVIEW | STRATEGY AND PERFORMANCE

First Bank of Nigeria Plc Annual Report & Accounts 2010

KEY RISK SUMMARY

COMPLIANCE
Type of risk Regulatory risk Impact on business Could result in significant financial loss, impairment of shareholders funds and/or outright closure of business occasioned by sanction/fine on the bank, or loss/suspension of banking licence. Mitigation measures Proactive implementation of the Banks robust compliance programme that ensures compliance by all stakeholders to relevant laws and regulations. This includes continuous updates of the Banks rule books as well as training of all stakeholders to understand regulatory obligations and the consequence of non-compliance. Responsibility The primary responsibility for complying with regulatory requirements lies with all members of staff conducting particular transactions or activity to which regulation applies. However, the Board of Directors is ultimately accountable for compliance performance through the Chief Compliance Officer. Type of risk Reputational risk Impact on business Could result in loss of correspondent banking relationships, loss of investor community confidence and significant financial loss; occasioned by damage to the Banks image as a result of negative publicity and eventual loss of business. Mitigation measures The Bank has put in place adequate measures to know our customers and implement processes for combating money laundering and terrorist financing. In this regard, FirstBank continuously reviews its Anti Money Laundering (AML)/Countering the Financing of Terrorism (CFT) Manual, incorporating any new regulatory guidelines for Know Your Customer (KYC)/Know Your Customers Business (KYB). Responsibility The primary responsibility for complying with regulatory requirements lies with all members of staff conducting particular transactions, or activity to which regulation applies. However, the Board of Directors is ultimately accountable for compliance through the Chief Compliance Officer.

CREDIT RISK CREDIT

Type of risk Default/counterparty risk, performance risk, payment risk, diversion risk, governance risk, financial risk, socio-political risk and environmental risk Impact on business Poor asset quality arising from high level of non-performing loans and ultimately low yield on risk assets. Financial loss due to increased loan loss provisions and charges on impaired assets. Possible impairment of shareholders funds. Mitigation measures Strong credit analysis to identify the risk and proffer mitigants. Clear loan covenants and transaction dynamics. Effective credit control and monitoring processes. Prompt identification of early signs of deterioration. Adequacy and realisability of collateral.  Adoption of risk-based pricing for risk assets. S  trengthened risk management systems and processes to optimise portfolio quality and to ensure appropriate pricing of risk assets. Responsibility Strategic Business Units Risk Management Chief Risk Officer

PORTFOLIO
Type of risk Concentration risk Impact on business Breaches of portfolio limits and regulatory provisions could lead to sanctions and increased financial loss. Mitigation measures Adherence to portfolio limits and regulatory requirements. Responsibility Strategic Business Units Risk Management Chief Risk Officer

www.firstbanknigeria.com/annualreport/2010/

First Bank of Nigeria Plc Annual Report & Accounts 2010

63

MARKET RISK AND LIQUIDITY RISK

INTRODUCTION Type of risk Interest rate risk Impact on business Could result in significant financial loss, impairment of interest rate related instruments including all fixed-rate and floating-rate debt securities and instruments that behave like them, including non-convertible preference shares. Mitigation measures  Experienced Market Risk Policy Committee that meets regularly.  Daily reporting of valuation results to executive management. S  trict adherence to the Banks internal policies such as the use of limits and management action triggers. T  he use of hedge contracts to mitigate interest rate risk exposures. Type of risk Liquidity risk Impact on business Could lead to insolvency and eventual reputational risk. Type of risk Foreign exchange risk Impact on business Could lead to diminution in the value of foreign currency position. Mitigation measures  Daily monitoring of FX trading position against risk limits.  Daily reporting of all FX exposures to executive management.  Hedging policy in place. R  egular review of the Banks currency exposures by the Market Risk Policy Committee.  Limiting transactions to approved counterparties. Responsibility for market risk and liquidity risk Please note that the primary responsibility for mitigating the above risks lies with the risk-taking units of the Bank, which include the strategic business units, e.g., Treasury unit, Product group or trading desk. However the risk identification, measurement, monitoring, control and reporting lies with the Head, Market and Liquidity Risk department who reports to the Chief Risk Officer. FINANCIAL STATEMENTS Mitigation measures E  fficient Asset and Liability Committee that oversees liquidity management.  Diversified sources of funding.  Contingent funding plan.  Effective cash flow planning. RISK MANAGEMENT AND GOVERNANCE Type of risk Counterparty credit risk (pre-settlement and settlement risk) Impact on business Could lead to financial losses due to the default of a trading counterparty. Mitigation measures BUSINESS REVIEW  Approved counterparties with pre-settlement risk lines. M  easurement and reporting of pre-settlement risk exposures to executive management.

Type of risk Investment risk

COMPANY INFORMATION

Impact on business Could lead to diminution in the value of investments. Mitigation measures S  ignificant investments are approved by the Board and all others by the Management Committee. C  ounterparties for investments are approved by executive management and the Board.

SHAREHOLDER INFORMATION

H  ighly experienced professionals in the Strategy Unit who advise on strategic investments. S  trong supervision by the parent company board on subsidiaries.  Portfolio selection and diversification strategies.

64

BUSINESS REVIEW | STRATEGY AND PERFORMANCE

First Bank of Nigeria Plc Annual Report & Accounts 2010

KEY RISK SUMMARY

OPERATIONAL RISK
Type of risk People risk Impact on business The risk of loss financial, reputational or otherwise, arising from a failure to properly manage the Banks human capital. This could manifest in the form of staff fraud, high staff attrition, knowledge gaps and a demotivated and disgruntled workforce. This would impact the Bank by way of negative service experiences for our customers and the attendant loss in market share, financial loss, and reputational damage, and the cumulative effect of being unable to deliver strong business performance that meets or exceeds stakeholders expectations. Mitigation measures T  he Bank has put in place robust Human Capital Management and Development practices to achieve a strong and efficient workplace. E  ffective background checks and thorough confirmation process on new hires. C  ompetitive remuneration package and other hygiene factors to attract and retain the best talent. Enforcement of strong supervisory control. Zero tolerance to staff integrity issues and fraud. A  fully fledged learning and development unit and infrastructures to cater for the training and development needs of staff. Strict enforcement of the requirements of the staff handbook. A  disciplinary committee that meets regularly to deal with and resolve employee issues. A comprehensive Fidelity insurance policy. Encouragement of a worklife balance culture. Mitigation measures A  comprehensive Control Administrative and Accounting Procedure (CAAP) Manual has been put in place to guide operational activities and processes of the Bank. E  stablishment of a central processing centre specialising in various operations areas, and the migration of some activities, which were hitherto handled at the branches. T  he introduction of a functional reporting structure to the operations job families to allow for effective supervisory control of the operations of the Bank. I ntroduction of a self-assessment programme to allow process owners to identify control weaknesses with a view to taking proactive remedial actions. Automation and re-engineering of our processes. P  utting in place robust business continuity planning and disaster recovery programmes.  Stepping up operational risk awareness training and programmes. M  onitor and manage Key Risk Indicators (KRIs) in processes/ products/activities.

Type of risk System or technology risk Impact on business The risk of failing to develop, implement or operate the Banks technology platforms and solutions to meet stakeholder requirements. This could manifest in the form of: system downtime resulting in irate customers and a tarnished reputation; software failures; systems change process management failures; seizure of technical support; hardware failures; obsolete hardware; and no support from the manufacturers. Mitigation measures

Type of risk Operations risk Impact on business The risk for the Bank to incur financial loss as a result of inadequacies or failures in Operations processes, systems or staff. Operations risk additionally incorporates the risk arising from disruption of Operations activities caused by external events. Examples are: transaction capture, execution and maintenance errors or failures; failures in the customer intake and documentation process; failed mandatory reporting obligations; limit breach due to inadequate internal processes; inadequate reconciliation processes; and manual intensive processes. Impact on business ranges from negative customer impact and the attendant loss in market share, financial loss and reputational damage, and the cumulative effect of being unable to deliver strong business performance that meets or exceeds stakeholders expectations.

The Bank has a Disaster Recovery Centre (DRC). A  comprehensive Service Level Agreement (SLA) with IT service providers. Regular IT audit and control. H  ardware policies covering hardware purchase, use, replacement and disposal. S  oftware policies covering purchase or design, enhancement, patching, replacement and disposal. use,

B  uilding resilience into the Banks network platform through the installation of a back-up link to over 90% of our branches. A  n articulated medium-term transformation plan to optimise the Banks investment in technology.

www.firstbanknigeria.com/annualreport/2010/

First Bank of Nigeria Plc Annual Report & Accounts 2010

65

INTRODUCTION

Type of risk External events and third-party risk Impact on business External events could lead to disruption in business and financial loss to the Bank. Third-party failure could lead to poor service, reputational damage and financial loss to the Bank. Technology failure due to activities of hackers, and inadequate financial capacity to fulfil obligations could impact negatively on the Banks service delivery. Mitigation measures  Hedging against external events with adequate insurance cover. A  robust business continuity arrangement is being put in place to improve the Banks resilience. R  egular monitoring and review of all outsourcing arrangements in the Bank.  Strict adherence to the Banks outsourcing policy.  Enforcement of SLA, sanctions for breach of contracts.  Real-time reporting of high-risk incidents or exposure. T  he Bank has also put in place a Physical Security and Personal and Business Protection Policy to mitigate internal and external threats.

Mitigation measures T  he Bank has put in place a fully fledged Compliance team to drive and implement the Banks compliance framework. E  ffective monitoring of the Banks compliance with laws and regulations, its code of conduct, and corporate governance practices. T  he Bank has a process for ensuring new and changed legal and regulatory requirements are identified, monitored and reflected in the Banks process and rule book. E  nsuring that regulatory requirements are incorporated in the operational procedures manual where appropriate.  Prompt submission of regulatory reports. S  ound corporate governance practices and the setting of the right tone from the top with respect to regulatory issues.

BUSINESS REVIEW

Type of risk Legal risk Impact on business Could lead to financial loss from defective transaction or contracts, non-compliance to a change in the law and jurisdictional risk. Mitigation measures T  he Bank has a process for ensuring new and changed legal and regulatory requirements are identified, monitored and reflected in the Bank process. E  nsuring that regulatory requirements are incorporated in the operational procedures manual where appropriate.  Adequate defence for claims and counterclaims. V  etting of all contractual documents and agreements by the Legal Services Department before execution. RISK MANAGEMENT AND GOVERNANCE

Type of risk Regulatory and compliance risk Impact on business Could lead to financial and reputational losses to the Bank as a result of failure to comply with the laws, regulations or codes applicable to the financial services industry. The impact of this risk category on the Bank ranges from financial loss arising from fines and penalties, loss of revenue due to temporary suspension or ban from certain market activities. Possible loss in share price and negative investor perception occasioned by disclosure of regulatory infractions in our Annual Report and withdrawal of licence.

FINANCIAL STATEMENTS

Responsibility for operational risk Please note that the primary responsibility for mitigating the operational risks lies with the risk-taking units of the Bank, which include all the Business units and Support functions, e.g., Branches, Operations group, E-Business and HCMD. However, the operational risk management function serves as thought partner in risk management and mitigation, develops operational risk toolsets, and coordinates and aggregates the operational risk management activities of the business units and support functions. COMPANY INFORMATION SHAREHOLDER INFORMATION

66

BUSINESS REVIEW | STRATEGY AND PERFORMANCE

First Bank of Nigeria Plc Annual Report & Accounts 2010

KEY RISK SUMMARY

INFORMATION SECURITY RISK

Type of risk Information assets, confidentiality, integrity and availability Impact on business Information assets are critical to the operation of FirstBank and the integrity, availability and confidentiality of these assets should be protected at all times. Disruption or interruptions to these assets would have dire consequences on FirstBank operations, e.g., a virus outbreak could cause disruption in FirstBank operation by rendering the systems unavailable within the period of infection and would require a clean-up, which is both expensive and time consuming. The aim of information security through awareness programmes and proactive controls is prevention, to help reduce such infections. Other incidents include fire outbreaks, system failures and information theft. Mitigation measures D  evelopment of a risk assessment methodology that enables the Bank to carry out risk assessment of its information assets that is both reproducible and measurable and has been used to implement appropriate controls. B  uilding of information security controls into processes and procedures. C  lassifying all information assets with appropriate priorities and assigning custodians for those assets. E  ngaging the services of an independent company to carry out Bank-wide security risk assessment, to determine the security posture of the Bank and allocate appropriate safeguards to the asset. D  eveloping a Bank-wide awareness programme and making information security the responsibility of all FirstBank staff. Responsibility The Board has the final responsibility for information security.

LEGAL RISK Litigation risk

Type of risk Institution of frivolous adverse claim(s) against the Bank. Impact on business Increased litigation portfolio and its attendant cost and distraction. Mitigation measures Engage very competent and outstanding firms of solicitors to defend the Bank resulting in the courts dismissal of the frivolous claims, sometimes with damages in favour of the Bank. Responsibility Head, Legal Services

CORPORATE/Contract risk
Type of risk Failure of vendors to deliver on contracts entered into with the Bank. Impact on business This could lead to financial loss, inability to deliver its desired services and reputational risk. Mitigation measures This risk is being mitigated by ensuring proper scrutiny of vendors through due diligence and referencing obtaining indemnity from vendors, proper scrutiny of contract document to guarantee enforceability. This has ensured minimal difficult rate by vendors. Responsibility Head, Legal Services, Head, General Services, and Head, Learning and Development

Asset security risk

Type of risk Incidences of submission of cloned or fake title documents by borrowing customers for banking facilities. Impact on business This can be a major threat to the Banks security over the properties in question. Mitigation measures The Bank has engaged in vigorous scrutiny of title documents including conducting verification exercise at various registries before such documents are accepted as security. The number of fake documents discovered have since reduced to the barest level. Responsibility Head, Legal Services Type of risk Acceptance of collateral that is disproportionate to the loan advanced or unenforceable. Impact on business Failure to recover the facility upon default by customer. Mitigation measures This is mitigated through thorough credit reviews, obtaining independent assets valuation and monitoring. Legal services also participates in induction training for new hires as well as refresher courses for other relevant personnel. Responsibility Head, Credit Analysis & Processing, Relationship Managers, and Head, Legal Services