Operational Risk Disclosure

Managing Risk – An Overview

For Citi Bahrain, effective risk management is of primary importance to its overall operations. Accordingly, Citi’s risk management process has been designed to monitor, evaluate and manage the principal risks it assumes in conducting its activities. Specifically, the activities that Citi engages in, and the risks those activities generate, must be consistent with Citi’s mission and value proposition, the key principles that guide it, and Citi’s risk appetite.

Under Citi’s mission and value proposition, which was developed by Citi’s senior leadership and distributed throughout the Company, Citi strives to serve its clients as a trusted partner by responsibly providing financial services that enable growth and economic progress while earning and maintaining the public’s trust by constantly adhering to the highest ethical standards. As such, Citi asks all employees to ensure that their decisions pass three tests: (1) they are in our clients’ interests, (2) they create economic value and (3) they are always systemically responsible. Additionally, Citi evaluates employees’ performance against behavioral expectations set out in Citi’s leadership standards, which were designed in part to effectuate Citi’s mission and value proposition. Other culture-related efforts in connection with conduct risk, ethics and leadership, escalation and treating customers fairly help Citi to execute its mission and value proposition.

Citi’s risk governance framework consists of the policies, standards, procedures and processes through which Citi identifies, assesses, measures, manages, monitors, reports and controls risks across the Company.

It also emphasizes Citi’s risk culture and lays out standards, procedures and programs that are designed and undertaken to enhance the Company’s risk culture, embed this culture deeply within the organization, and give employees tools to make sound and ethical risk decisions and to escalate issues appropriately.

Citi manages its risks through each of its three lines of defense: (i) business management, (ii) independent control functions and (iii) internal audit. The three lines of defense collaborate with each other in structured forums and processes to bring various perspectives together and to lead the organization toward outcomes that are in clients’ interests, create economic value and are systemically responsible.

Managing Operational Risk – An Overview

Operational risk for Citi Branch is managed in line with the Operational Risk Management Policy (issued at a group level), which defines an overall framework designed to balance strong corporate oversight with well-defined independent risk management. Citi Bahrain has also adopted the ‘Three Lines of Defense’ Governance Structure for effective management of Operational Risk, as well as the “Manager’s Control Assessment (MCA)” Standards and Procedure to assist / support business managers to self-assess significant operational risks and key controls and to identify and address weaknesses in the design and / or operating effectiveness of internal controls that mitigate significant operational risks.

Citi Bahrain also has a clear process for identifying, accounting and reporting events related to operational risk. Each loss (or gain) posted on the books of the Bank is recorded in a database (Loss Capture system) in line with the thresholds as defined by Citi’s Operational Risk Management Data Quality Standards. An analysis of the significant losses reported is done in order to take the necessary corrective actions and implement mitigating controls.

Additionally, the in-country Operational Risk Management works proactively with the businesses and other independent control functions to embed a strong operational risk management culture and framework across Citi. Operational Risk Management engages with the businesses to ensure effective implementation of the Operational Risk Management framework by focusing on (i) identification, analysis and assessment of operational risks, (ii) effective challenge of key control issues and operational risks and (iii) anticipation and mitigation of operational risk events.

At a country level there exists a Business Risk, Compliance and Controls Committee (BRCC) which is the principal committee for escalation and reporting of operational risk events, internal control, legal, compliance, regulatory and risk issues. The key objectives of the BRCC are:

The Citi Country Officer (CCO) of Citi Bahrain serves as the Committee chair, and the committee comprises key representatives from the First, Second and Third Lines of Defense.

Operational Risk Appetite Statement

Objectives

Citi Bahrain’s goal is to keep operational risk at appropriate levels relative to the characteristics of its businesses, the markets in which it operates, its capital and liquidity, and the competitive, economic and regulatory environment. The entity recognizes that operational risk is inherent in its global business activities and related support processes. To anticipate, mitigate and control operational risk, the entity follows Citi-wide policies, and the institutional framework for assessing, monitoring and communicating operational risks and the overall operating effectiveness of the internal control environment across Citi.

Risk Appetite

Citi Bahrain also recognizes that operational risk can occur broadly and has impact beyond financial losses. Local Management has implemented a Manager’s Control Assessment (MCA) program that relies on key indicators across various operational risk categories and established methodologies and tools to facilitate monitoring where appropriate so that any exceptions and / or negative trends are captured in operational risk management reporting. Citi Bahrain: