Internal Control and Risk Management

Internal Controls

Effective internal controls are the foundation of safe and sound banking. Our robust internal control system enables us to safeguard the Bank’s resources, produce timely and accurate financial reports, comply with laws and regulations, reduce the possibility of significant errors and irregularities, and implement management policies to attain corporate goals.

The Board is responsible for the establishment and review of China Bank’s system of internal controls, while the day-to-day responsibility for internal control rests with Management.  All of our employees are involved to a certain degree in our internal control process. 

Compliance is firmly embedded in China Bank’s culture. We are committed to comply with all applicable laws and regulations to strengthen our business and maintain the trust and confidence of our stakeholders. Our compliance system, built upon a solid foundation of ethical values, fosters a strong compliance culture that starts from the Board and permeates across the organization.

At the forefront of our compliance system is the Compliance Division, which is independent of China Bank’s business activities. The Compliance Division plays an important role in driving the effective management of compliance risks and in promoting compliance awareness and understanding of compliance issues and the impact of non-compliance. It is headed by the Chief Compliance Officer and Governance (CCGO), Atty. Aileen Paulette S. De Jesus, who also takes on the role of Group Compliance Officer for the China Bank Group. The CCGO is independent from management and reports functionally to the Compliance and the Corporate Governance committees, and administratively to the President.

The Compliance function is supported by the collaborative efforts of Regulatory Compliance, Corporate Governance, IT Compliance, Subsidiaries Compliance, Anti-Money Laundering and SEC Compliance departments. Compliance Coordinators are also designated in each Bank unit to ensure that all risks associated to the operations and business of the individual units are identified, monitored, and mitigated.

Internal Audit performs a significant role in corporate governance by providing assurance services and relevant recommendations for the improvement of processes and structures that enhance China Bank’s business integrity. Its assurance function involves the assessment and reporting on the adequacy, efficiency, and effectiveness of governance, risk management, and control processes designed to help us achieve our goals and objectives. Internal Audit provides meaningful advice on the shifting risk and control landscape and insight on emerging risks with the aim of producing appropriate mitigants and positive changes within the Bank.

Our Audit Division is headed by the Chief Audit Executive (CAE), Mr. Ronald R. Marcaida. It is independent from undue influence as evidenced by the functional and administrative reporting to the Audit Committee and the President, respectively. The Division has a Board-approved Internal Audit Charter, which defines its purpose, authority, and responsibility, among others. Its sphere of authority cuts across all functions, units, processes, records, and personnel in relation to the conduct of the Division’s mandate. The auditors are competent, objective, and avoid conflicts of interest in the performance of their responsibilities. These attributes put the group to be in the best position to render assurance services on governance, risk management, and internal control processes.

To ensure excellent and value adding audit services, our Audit Division continuously improves its tools, practices and methodologies. Our internal auditors regularly attend trainings/seminars to enhance their skills and competencies and remain informed of developments in the internal audit profession and banking industry.

China Bank’s resilience is anchored on prudent risk-taking. We safeguard stakeholders’ interest and the Group’s assets with a balanced approach to risk management, undertaking only well considered risks for commensurate returns. Our Risk Management Group (RMG), headed by Chief Risk Officer Ananias S. Cornelio III, executes the risk management function which is generally responsible for identifying, assessing, monitoring, and mitigating our key risks. RMG reports to the Board through the Risk Oversight Committee which has approval and oversight responsibility for our risk management framework and risk appetite. Risk identification and assessment are embedded in our control processes, employees at all levels are responsible for the management and reporting of risks, and risk management is reinforced as a discipline group-wide through trainings and communication.

Market and Liquidity Risk

The objective of our market risk policies is to obtain the best balance of risk and return while meeting our stakeholders’ requirements. On the other hand, our liquidity risk policies center on maintaining adequate liquidity at all times to be in a position to meet all obligations as they fall due. Market risk, interest rate risk, and liquidity risk exposures are managed through a risk management framework comprising of limits, triggers, monitoring, and reporting process that are in accordance with the risk appetite of the Board.

Market risk exposures are measured and monitored through reports from our Market Risk Management System. We use Historical Simulation Value-at-Risk (VaR) approach for all treasury traded instruments, including fixed income bonds, foreign exchange swaps and forwards, interest rate swaps, and equity securities. Meanwhile, liquidity and interest rate risk exposures are measured and monitored through the Maximum Cumulative Outflow (MCO) and Earnings-at-Risk (EaR) reports from our Asset and Liability Management (ALM) system.

To evaluate the Bank’s overall vulnerabilities on specific events or crisis and gauge our ability to withstand stress events, we have an Integrated Stress Testing framework (IST) in addition to the silo stress tests. The IST complements the Internal Models Approach which is the basis for Internal Capital Adequacy Assessment Process (ICAAP) capital charge under normal condition.

Credit Risk

Our policies for managing credit risk are determined at the business level with specific procedures for different risk environments and business goals. Risk limits and thresholds have been established to monitor and manage credit risk from individual and counterparties and/or group of counterparties, and industry sectors. Periodic assessments are also conducted to review the creditworthiness of our counterparties.

The Bank has several risk rating models in place to measure credit risk in a consistent manner. For corporate borrowers with total assets, total facilities, or total exposures of at least P15 million, the rating model used is the Internal Credit Risk Rating System (ICRRS). Retail and small and medium entities and individual loan accounts, on the other hand, are subject to the Borrower Credit Score (BCS) while consumer loans (auto loans, housing loans, credit card), are covered by application scorecards.

Operational, Business Continuity Management (BCM) and Information Technology (IT) Risk

Our Operational Risk Management Framework outlines the policies, processes, and procedures, as well as the tools—including Risk Control Self-Assessment and Key Risk Indicators—for managing our group-wide operational risks.

To mitigate the impact of business-disrupting events, we have a Business Continuity Management (BCM) program covering our resiliency strategies, recovery procedures and facilities, business continuity, and crisis management plans. The program includes tests and simulation exercises which are regularly performed in varying degrees.

In managing our IT risk, we have an IT risk assessment process for identifying vulnerabilities and determining the effectiveness of IT controls. We aligned our IT risk management practices with the standards and operating principles of the Guidelines on IT Risk Management (BSP Circular No. 808) and Enhanced Guidelines on Information Security Management (BSP Circular No. 982).

With the evolving cyber-threat landscape, we developed a Cyber Resilience Framework as a supplement to our Information Security Management System and BCM program. The framework provides the details related to the preparations and measures for protecting the Bank’s disaster recovery infrastructure against cyber-attacks.

Trust Risk

We manage our trust risk in accordance with the Guidelines in Strengthening Corporate Governance and Risk Management Practices on Trust, Other Fiduciary Business, and Investment Management Activities (BSP Circular No. 766). Our Trust Risk Management Guidelines cover all the risks specific to our Trust business, including legal, strategic, and reputational risks.