Exhibit 99.1
Itaú Unibanco Holding S.A.
REFERENCE FORM
Base date: 12.31.2015
(in compliance with Attachment 24 of CVM Instruction No. 480 of December 7, 2009, or “CVM Instruction 480” and following its updates)
|Identification
|Itaú Unibanco Holding S.A. a corporation enrolled with the Legal Entity Taxpayer’s Registry under CNPJ/MF No. 60.872.504/0001-23, with its incorporation documents duly filed with the Board of Trade of the State of São Paulo under NIRE No. 35.3.0001023-0, registered as a listed company before the Brazilian Securities Commission (“CVM”) under No. 19348 (“Bank” or “Issuer”).
|Head office
|The Issuer’s head office is located at Praça Alfredo Egydio de Souza Aranha, 100 - Torre Olavo Setubal, in the City of São Paulo, State of São Paulo, CEP 04344-902.
|Investor Relations Office
|The Bank’s Investor Relations area is located at Praça Alfredo Egydio de Souza Aranha, 100 - Torre Conceição – 9th floor, in the City of São Paulo, State of São Paulo. The Investor Relations Officer is Mr. Marcelo Kopel. The phone number of the Investor Relations Department is (0xx11) 2794 3547 , fax is (0xx11) 5019 8717 and email is investor.relations@itau-unibanco.com.br.
|Independent Auditors of the Company
|PricewaterhouseCoopers Auditores Independentes for the years ended 12/31/2015, 12/31/2014 and 12/31/2013.
|Underwriter
|Itaú Corretora de Valores S.A.
|Shareholders Service
|The Issuer’s Shareholders’ Service is provided at the branches of Itaú Unibanco S.A., of which the head office is located at Praça Alfredo Egydio de Souza Aranha, 100 - Torre Olavo Setubal, in the City of São Paulo, State of São Paulo, CEP 04344-902.
|Newspapers in which the Company divulges its information
|Oficial do Estado de São Paulo (Official Gazette of the State of São Paulo) and Valor Econômico.
|Website
|https://www.itau.com.br/investor-relations Information included in the Company’s website is not an integral part of this Reference Form.
|Date of last review of this Reference Form
|09/02/2016 (originally presented on 05/31/2016)
Historical resubmission
|Version
|Reasons for resubmission
|Date of update
|V2
|Update in items 12.1, 12.5/12.6, 12.7/12.8, 12.13, 15.8, 17.5 and 19.2
|06/14/2016
|V3
|Update in item 12.13
|06/16/2016
|V4
|Update in items 11.1, 11.2 and 17.5
|08/02/2016
|V5
|Update in item 12.2
|08/12/2016
|V6
|Update in items 12.5, 12.6, 12.7, 12.8 and 12.13
|08/23/2016
|V7
|Update in item 5.1
|09/02/2016
5.1. In relation to the risks indicated in item 4.1, inform:
a) whether the issuer has a formal risk management policy, informing, if so, the approving body and the approval date, and, if not, the reasons why the issuer has not adopted such a policy
Credit Risk
In line with the principles of CMN Resolution No. 3,721, we have a credit risk management structure and institutional policy (HF 31 – CREDIT RISK MANAGEMENT AND CONTROL), approved by our Board of Directors, applicable to all companies and subsidiaries in Brazil and abroad. This policy is disclosed on the corporate portal and a summary may be viewed on “Public Access Report – Credit Risk”, on website www.itau.com.br/investor-relations, under Corporate Governance, Rules and Policies.” HF 31 was updated and published on November 18, 2015, after being approved by the Board of Directors.
Operational Risk
Itaú Unibanco has a risk management policy disclosed on the corporate portal, (HF 06 – RISK AND CAPITAL MANAGEMENT), aimed at establishing the risk management governance controlled by the Finance and Risk Management and Control Area of Itaú Unibanco Holding S.A. This policy was updated and published on June 1, 2015 after being approved by the Board of Directors, through the CGRC (Risk and Capital Management Committee) (approved on August 27, 2015). Additionally, we have an operational risk management policy (HF-19 – INTEGRATED MANAGEMENT OF OPERATIONAL RISK, INTERNAL CONTROLS AND COMPLIANCE), aimed at establishing the guidelines associated with the management framework of the Operational Risk, Internal Controls and Compliance, updated and published on October 5, 2015 by the Board of Directors (aproved on May 31, 2015).
Liquidity Risk
Itaú Unibanco has a risk management policy disclosed on the corporate portal, (HF 25 – LIQUIDITY RISK MANAGEMENT AND CONTROL POLICY), aimed at establishing the liquidity risk management governance controlled by the Finance and Risk Management and Control Area of Itaú Unibanco Holding S.A.
This policy was updated and published on February 23, 2016, after being approved by the Board of Directors on January 28, 2016.
Risk and Capital Management
We understand the risk and capital management as essential to optimize the use of resources and to select the best business opportunities, seeking to maximize value creation for stockholders.
Our risk management process:
· identifies and measures existing and potential risks to our positions;
· approves risk management and control institutional policies, procedures and methodologies consistent with the directives from, and approved by, the Board of Directors;
· seeks the best risk-return ratios for Itaú Unibanco’s portfolio management.
The risk identification process purpose is to map internal and external risk threats that may affect the business’ and supporting units’ strategies, potentially impacting Itaú Unibanco’s results, capital, liquidity and reputation.
The risk management processes permeate the entire institution and are aligned with the Board of Directors and the Senior Management directives, which, through the Committees and Superior Commissions, described below, define the overall objectives by setting targets and limits for business units. The capital management and control units, in turn, support our management through monitoring and analyzing risk and capital processes.
Our risk management organizational structure complies with Brazilian and international regulations in place and is aligned with the best practices of the market. Control of credit, market, liquidity, operational, and underwriting risks is performed in a centralized manner by an independent unit, in order to ensure that such risks are managed pursuant to our risk appetite and our existing policies and procedures. This independent unit is also responsible for centralizing our capital management. Centralized control is intended to provide the Board of Directors and senior management with a global view of our exposures to risks, as well as with a prospective view of our capital adequacy, so as to optimize and expedite corporate decisions.
We manage proprietary information technology (IT) systems to comply with capital reserve requirements, as well as for risk measurement purposes, following regulations and regulatory models. We also coordinate actions among different units to verify compliance with qualitative and quantitative requirements established by relevant authorities to maintain the minimum required capital and monitor risks.
Please refer to item 10.6.a for more details on adherence to criteria defined by COSO – Committee of Sponsoring Organization of the Treadway Commission in Internal Control.
Risk Management
Credit Risk
Credit risk is the possibility of losses due to the failure by the borrower, issuer or counterparty to perform their respective financial obligations under agreed upon terms, the devaluation of a credit agreement arising from a deterioration of the risk rating of the borrower, issuer or counterparty, the reduction of earnings or remuneration, and the benefits granted upon renegotiation or the recovery costs.
Our credit risk management and control structure establishes limits and risk mitigation mechanisms, in addition to processes and instruments to measure, monitor and control the credit risk inherent in all products, portfolio concentrations and the impacts of potential changes in the economic environment. The Bank’s portfolio, policies and strategies are continuously monitored so as to ensure compliance with the rules and laws in effect in each country.
Our credit risk management is the primary responsibility of all Business Areas and is aimed at maintaining the quality of the credit portfolio at levels consistent with the institution’s risk appetite, for each market segment in which it operates. The Business Units are mainly responsible for:
· following up and closely monitoring the portfolios under their responsibility;
· granting credit in accordance to the authority levels, market conditions, macroeconomic prospects, changes in markets and products and the effects of sector and geographic concentrations; and
· managing credit risk adopting actions that provide sustainability to their business.
Our credit policy is developed based on internal factors, such as borrower rating criteria, performance and evolution of portfolio, default levels, return rates, and allocated economic capital, and on external factors related to the economic environment, interest rates, market default indicators, inflation and changes in consumption levels.
We have a structured process to maintain a diversified portfolio, which is considered appropriate by the institution. Concentration levels are monitored continuously for economic sectors and largest debtors, allowing preventive measures to be taken to avoid the breach of established limits.
Our credit risk management governance is conducted through corporate bodies, which act primarily by assessing competitive market conditions, setting credit limits for the institution, reviewing control practices and policies, and approving these actions at the respective authority levels. The risk communication and reporting process, including disclosure of institutional policies on credit risk management, is also responsibility of this structure.
The centralized control of credit risk is carried out by an independent executive area segregated from the business units and responsible for risk control, as required by the current regulation. For the credit risk control process, the main responsibilities of the risk management centralized control area are:
· monitoring and controlling the performance of the loan portfolios in accordance with the limits approved by senior management;
· conducting a centralized control of the credit risk area, segregated from the other business units;
· managing the process of preparation, review and approval of institutional policies applied to credit risk, as provided for regulatory guidelines;
· assessing the credit risk of operations at the authority levels appointed by the credit commissions.
The policies and products’ evaluation process enables Itaú Unibanco to identify potential risks in order to ensure that credit decisions make sense from an economic and risk perspective.
The centralized process for approving credit policies and validating models ensures the synchronization of credit actions.
The credit rating for wholesale transactions is based on information such as the economic and financial condition of a potential borrower, its cash-generating capabilities, its relevant affiliated parent and companies and the current and prospective situation of the economic sector in which it operates. Credit proposals are analyzed on a case-by-case basis by adopting a mechanism based on authority levels. The economic groups involved in high-profile anticorruptions investigations that are our clients may have their economic and financial condition impacted, with adverse effects on their ability to honor obligations, thus impacting their credit ratings and, consequently, the accrual level and potential losses related to these groups.
With respect to retail transactions (individuals, small and middle-market companies), ratings are assigned based on statistical application (in the early stages of Itaú Unibanco’s relationship with a customer) and behavior score (used for customers with whom Itaú Unibanco already has a relationship) models. Decisions are made based on these models, which are continuously monitored by an independent structure. Extraordinarily, an individual analysis of specific cases may be performed, in which case credit approval follows the applicable authority levels.
Additionally, the risk assessment of both the retail and the wholesale segments incorporate client’s debts both to Itaú and the market.
Itaú Unibanco rates government securities and other debt instruments according to their credit quality with the purpose of managing exposures.
We seek to strictly control the credit exposure to clients and counterparties, taking actions to remediate occasional situations in which the actual exposure exceeds targeted levels. Accordingly, we may seek the enforcement of contractual provisions, such as the right to demand early payment or require additional collateral.
We count on a specific structure and processes aimed at ensuring that the country risk is managed and controlled, including: (i) country risk governance; (ii) country ratings; (iii) credit limits for specific countries; (iv) limits monitoring; and (v) actions for limit breaches.
In line with the principles of CMN Resolution No. 3,721, we have a credit risk management structure and institutional policy, approved by the Board of Directors, applicable to all companies and subsidiaries in Brazil and abroad.
The document “Public Access Report – Credit Risk”, detailing the guidelines set forth by the institutional market risk management policy can be found on the website www.itau.com.br/investor-relations under Corporate Governance, Rules and Policies.
Operational Risk
Operational risk is defined as the possibility of losses arising from failure, deficiency or inadequacy of internal processes, people or systems, or from external events that affect the achievement of strategic, tactical or operational objectives. It includes the legal risk associated with inadequacy or deficiency in contracts signed by us, as well as penalties due to noncompliance with laws and punitive damages to third parties arising from the activities undertaken by us.
Internally, we classify the following as operational risks:
· Internal fraud;
· External fraud;
· Labor demands and deficient security in the workplace;
· Inadequate practices related to clients, products and services;
· Damages to physical assets or assets in use by Itaú Unibanco;
· Interruption of our activities;
· Failures in information technology systems; and
· Failures in the performance, compliance with deadlines and management of our activities.
In line with the principles of CMN Resolution No. 3,380 and BACEN Circular No. 3,647, we have an operational risk management structure and institutional policy, approved by our Board of Directors, applicable to all companies and subsidiaries in Brazil and abroad.
The operational risk management structure is composed of activities of operational risk control and management, the purpose of which is to support the institution in the decision-making process, seeking the proper identification and assessment of risks, value creation for stockholders, and the protection of our assets and our image.
We have a governance process structured based on discussion forums and corporate bodies, which, in turn, report to the Board of Directors, and on well-defined roles and responsibilities to reinforce the segregation among the business, management and control activities. This structure is intended to ensure independence between units and, consequently, informed decisions with respect to risks. This independence is reflected in the risk management carried out on a decentralized basis under the responsibility of the business units, and in the centralized control carried out by the operational risk and internal control and compliance units by means of methodologies, training and certification of the control environment on an independent basis.
The management structure seeks to identify, prioritize, and respond to any operational risks, monitor and report management activities, in order to ensure the quality of the control environment in conformity with internal guidelines and applicable regulations. The managers of our executive units use corporate methodologies built and made available by the internal control, compliance and operational risk departments. Among the methodologies and tools used are the self-evaluation and the map of the organization’s prioritized risks, the approval of processes, products, and systemic developmetn projects, the monitoring of key risk indicators and the database of operational losses, ensuring a single framework for the management of processes, systems, projects and new products and services.
The operational risk management includes the conduct risk, and related mitigating actions comprise the assessment of product design (suitability) and incentive models. Fraud preventionrelated actions are carried out by the inspectorship area, irrespective of origin, and specific cases may be addressed by the risk, integrity and ethics committees.
Within the management process governance, consolidated reports on risk monitoring, controls, action plans and operational losses are regularly presented to our business unit executives.
Noteworthy is the dissemination of the risk and control culture to employees through training, which is an important pillar aimed at providing a better understanding of the matter and plays a relevant role in risk mitigation.
The document “Public Access Report – Operational Risk”, a summarized version of the institutional operational risk management policy, can be found on the website www.itau.com.br/investor-relations under Corporate Governance, Rules and Policies.
Crisis Management and Business Continuity
The purpose of Itaú Unibanco’s Business Continuity Program is to protect its employees, ensure the continuity of the critical functions of its business lines, safeguard revenue and sustain both a stable financial market in which it operates and the trust of its clients and strategic partners in the provision of products and services.
It is composed of procedures for relocating and/or recovering operations in response to a variety of interruption levels and can be divided into two key elements:
· Crisis Management: centralized communication and response processes to manage business interruption events and any other types of threats to our image and reputation with respect to our employees, clients, strategic partners and regulators. Our crisis management structure has a command center that constantly monitors daily transactions, as well as media channels in which we are mentioned. Crisis management is successfully handled by our focal agents, who are representatives appointed by our business units and that work in the monitoring of potential problems, resolution of crises, business continuity, improvement of processes and search for preventive actions;
· Business Continuity Plans (BCP): procedures and information developed, consolidated and maintained so they are available for use in possible incidents, allowing the resumption of critical activities in acceptable terms and conditions. For the fast and safe resumption of operations, Itaú Unibanco has defined in its BCP corporate-wide customized actions for its lines of business, including by means of:
- Disaster Recovery Plan: focused on the recovery of our primary data center, ensuring the continuity of the processing of critical systems within minimum pre-established periods;
- Workplace Contingency Plan: employees responsible for carrying out critical business functions have alternative facilities from which to perform their activities in the event the buildings in which they usually work become unavailable. There are approximately 2,000 contingency dedicated seats that are fully equipped to meet the needs of critical business units in emergency situations.
- Emergency Plan: procedures aimed at minimizing the effects of emergency situations that may impact our facilities, with a preventive focus; and
- Process
Contingency Plan: alternatives for carrying out the critical processes identified in each of our business units.
In order to keep continuity solutions aligned with the business requirements (processes, minimum resources, legal requirements, etc) the Program applies the following tools to understand the organization:
· Business Impact Analysis (BIA): evaluates the criticality and resumption requirement of the processes that support the delivery of products and services. The business environment resumption priorities are defined through this analysis.
· Threats and Vulnerabilities Analysis (TVA): identification of threats to the locations where the buildings used by Itaú Unibanco are located. The efficiency of controls is evaluated against potential threats to identify vulnerabilities, strengthening of solutions and establishment of new controls.
Liquidity Risk
Liquidity risk is defined as the likelihood that an institution will not be able to effectively honor its expected and unexpected current and future obligations, including those from guarantee commitments, without affecting its daily operations and not incurring significant losses.
The liquidity control risk is carried out by an independent group of the business units and is responsible for determining the composition of the reserve, proposing assumptions for the performance of cash flows, identifying, assessing, monitoring, controlling, and reporting on a daily basis the exposure to liquidity risk in different timeframes, proposing and monitoring liquidity risk limits in accordance with the institution’s risk appetite, communicating any mismatches, considering the liquidity risk on an individual basis in the countries where Itaú Unibanco operates, simulating the behavior of cash flows in stress conditions, assessing and reporting in advance the risks inherent to new products and operations, as well as reporting on the information required by the regulatory bodies. All activities are subject to assessment by the independent validation, internal controls and audit departments.
The liquidity risk measurement comprises all financial operations of our companies, as well as possible contingent or unexpected exposures, such as those derived from settlement services, provision of sureties and guarantees, and credit lines contracted but not used.
The policies of liquidity management and associated limits are established based on prospective scenarios, reviewed from time to time, and on definitions from senior management.
The document “Public Access Report – Liquidity Risk”, detailing the guidelines set forth by the institutional liquidity risk management policy can be found on the website www.itau.com.br/investor-relations under Corporate Governance, Rules and Policies.
We manage and control the liquidity risk on a daily basis, through governance approved at corporate bodies, which, among other things, provides for minimum liquidity limits to be adopted, sufficient to absorb possible cash losses under situations of stress, measured by both in-house and regulatory calculation methodologies.
As from October 1, 2015, a minimum Liquidity Coverage Ratio (LCR) has been required of banks with total assets exceeding R$100 billion, which is calculated on an individual or consolidated basis for institutions that are part of a Prudential Conglomerate. This indicator is calculated as required by the Central Bank of Brazil, in line with international guidelines.
As required by BACEN Circular Letter No. 3,724, Itaú Unibanco has, since October 2015, monthly sent to BACEN a disclosure requirement for the LCR. As from the second quarter of 2016, this information will be publicly disclosed, in accordance with BACEN Circular No. 3,749.
The table below shows the schedule for introduction of LCR, with a minimum requirement of 60% as from October 2015, rising gradually to 100% in January 2019.
|Timetable for limits to be observed
|From January 1st
|2015
|2016
|2017
|2018
|2019
|Liquidity Coverage Ratio (LCR)
|60
|%(1)
|70
|%
|80
|%
|90
|%
|100
|%
(1)From October 1st 2015
Additionally, and pursuant to the requirements of CMN Resolutions No. 4,090 and BACEN Circular No. 3,749, Itaú Unibanco makes monthly delivery of its Liquidity Risk Statements to BACEN and the following items are regularly prepared and submitted to the senior management for monitoring and decision support:
· Different scenarios for liquidity projections;
· Contingency plans for crisis situations;
· Reports and charts to enable monitoring risk positions;
· Assessment of funding costs and alternatives;
· Tracking the sort of funding sources through an ongoing control of funding sources considering counterparty type, maturity and other aspects.
Social and Environmental Risk
In business management, we continuously take into consideration the potential of the risk of losses due to exposure to social and environmental events arising from the performance of our activities. These events arise from our direct operation, which, on its own, has an impact on the environment or human health.
The document “Public Access Report – Policy for Sustainability and Social and Environmental Responsibility”, detailing the guidelines set forth by the institutional social and environmental risk management policy can be found on the website www.itau.com.br/investor-relations under Corporate Governance, Rules and Policies.
In the governance of social and environmental issues, we have the Social and Environmental Risk Committee, whose purpose is to establish the governance for social and environmental risk issues for the entire institution. We have developed many internal processes aimed at the management, control and mitigation of events that may lead to the occurrence of social and environmental risk, and incorporated this variable into different existing processes.
We consistently seek to evolve in the management of the social and environmental risk, always paying attention to the challenges so as to monitor the changes in and demands of society. Therefore, among other actions, we have assumed and incorporated into our internal processes a number of national and international voluntary commitments and pacts aimed at integrating social, environmental and governance aspects into business. Noteworthy are the Principles for Responsible Investment (PRI), the Charter for Human Rights – Ethos, the Equator Principles (EP), the Global Compact, the Carbon Disclosure Project (CDP), the Brazilian GHG Protocol Program, and the Pacto Nacional para Erradicação do Trabalho Escravo (National pact for eliminating compulsory labor), among others. Our efforts to increase the knowledge of the assessment of the social and environmental criteria have been recognized as benchmark in Brazil and abroad, as shown by our recurring presence in the major sustainability indexes abroad, such as the Dow Jones Sustainability Index, and in Brazil, such as the Corporate Sustainability Index, in addition to the many awards we have received.
Reputational Risk
We define reputational risk as the risk arising from internal practices, risk events and external factors that may generate a negative perception of the institution among clients, counterparties, stockholders, investors, supervisors, commercial partners, among others, resulting in impacts on the value of the brand and financial losses, in addition to adversely affecting our capability to maintain existing commercial relations, start new business and continue to have access to financing sources.
Since the reputational risk directly or indirectly permeates all operations and processes of the institution, our governance is structured in a way to ensure that potential reputational risks are identified, analyzed and managed still in the initial phases of operations and the analysis of new products.
We believe that our reputation is extremely important for achieving long-term goals and this is why the institution tries to align its speech with ethical and transparent practice and work, which is essential to raise the confidence of our stakeholders.
Accordingly, to gain a formidable reputation and avoid negative impacts on the perception of our image by the many stakeholders, the treatment given to the reputational risk is structured by many processes and internal initiatives, which, in turn, are supported by internal policies, and their main purpose is to provide mechanisms for the monitoring, management, control and mitigation of the main reputational risks to which the institution is, or might be, exposed. Among them are:
|·
|Risk appetite framework;
|·
|Process for the prevention and fight against the use of Itaú Unibanco in unlawful acts;
|·
|Crisis management and business continuity process;
|·
|Processes and guidelines for governmental and institutional relations;
|·
|Corporate communication process;
|·
|Brand management process;
|·
|Ombudsman office’s initiatives and commitment to client satisfaction;
|·
|Ethics guidelines and corruption prevention.
Regulatory Risk
Regulatory risk is considered at Itaú Unibanco as the risk arising from losses due to fines, sanctions and other penalties applied by regulatory agencies resulting from noncompliance with regulatory requirements. The regulatory risk is managed through a structured process aimed at identifying changes in the regulatory environment, analyzing their impacts on the departments of the institution and monitoring the implementation of actions directed at adherence to regulatory requirements.
We have a structured and consistent flow for addressing rules, covering the stages of recognition, distribution, monitoring and compliance, and all of these processes are established in internal policies. The structure and flow for addressing the regulatory risk are composed of: (i) monitoring of legislative bills, notices and public consultation; (ii) recognition of new rules and definition of action plans for compliance with rules; (iii) relationship with regulators; (iv) monitoring of action plans; (v) prioritization of risks; and (vi) control of compliance with legal decisions on class actions and Conduct Adjustment Instruments (TAC).
Model Risk
Our risk management has proprietary models for risk management that are continuously monitored, and reviewed whenever necessary, aiming at ensuring effectiveness in strategic and business decisions.
Model risk is defined as the risk that arises from the models used by Itaú Unibanco not reflecting, on a consistent basis, the relationships of variables of interest, creating results that systematically differ from those observed. This risk may materialize mainly as a result of methodological inadequacies during its development or the use in different situations from those modeled.
We use the best market practices to manage the model risk to which we are exposed during the entire lifecycle of a model and the stages of which may be classified into four main ones: development, implementation, validation and use. The best practices that mark the model risk control at the institution include: (i) quality certification of database used, (ii) application of a list of essential steps during the development of the model, (iii) conservative approach in our decision making, as applied to our models, (iv) use of external benchmarks, (v) approval of results generated in the model´s implementation, (vi) independent validation unit, (vii) validation, (viii) assessment of a model´s impact once in use and (ix) monitoring of performance, and (x0 monitoring of distribution of explanatory variables and final score.
Country Risk
Country risk is defined as the risk of losses arising from noncompliance with the financial obligations in the terms agreed upon by borrowers, issuers, counterparties or guarantors as a result of actions taken by the government of the country where the borrower, issuer, counterparty or guarantor is located or of political, economic and social events related to that country.
In order to properly address country risk, we have a specific process structure aimed at ensuring that the risk is managed and controlled. These processes include: (i) country risk governance; (ii) establishment of country ratings; (iii) determination of limits for countries; and (iv) monitoring of limits and treatment of noncompliance.
Business and Strategy Risk
We define the business and strategy risk as the risk of a negative impact on our financial results or capital as a consequence of the lack of strategic planning, the making of adverse strategic decisions, our inability to implement the proper strategic plans and/or changes in its business environment.
Since business and strategic risk can directly affect the creation of value and the feasibility of our bank, we have implemented various mechanisms to ensure that both the business and the strategic decision making processes follow proper governance standards, have the active participation of officers and the Board of Directors, are based on market, macroeconomic and risk information and are aimed at optimizing the risk-return ratio.
Insurance, Pension Plan and Capitalization Risk
Products that comprise the portfolios of insurance companies of Itau Unibanco are related to life and casualty insurance lines, as well as pension plans and capitalization products. Accordingly, we understand that the main risks inherent in these products are:
|·
|Underwriting risk is the possibility of losses arising from insurance, pension plans and capitalization opeations that go against the organization’s expectations, directly or indirectly associated with technical and actuarial bases used for calculating premiums, contributions and technical provisions;
|·
|Market risk is the possibility of losses resulting from fluctuations in the market values of assets and liabilities that comprise the technical actuarial reserves;
|·
|Credit risk is the possibility of noncompliance, by a given debtor, with obligations related to the settlement of operations that involve the trading of financial or reinsurance assets;
|·
|Operational risk is the possibility of the occurrence of losses arising from the failure, deficiency or inadequacy of internal processes, people and systems, or from external events that affect the achievement of the strategic, tactical or operational objectives of the insurance, pension and capitalization operations;
|·
|Liquidity risk in insurance operations is the possibility of the institution not being able to timely honor its obligations to policyholders and beneficiaries due to lack of liquidity of the assets comprising the actuarial technical reserves.
In line with good national and international practices and to ensure that risks arising from insurance, pension plan and capitalization products are properly identified, measured, evaluated, reported and approved in relevant forums, we have a risk management framework, whose guidelines are established in institutional policies, approved by the Board of Directors, applicable to companies and subsidiaries exposed to the insurance, pension plan and capitalization risk in Brazil and abroad.
The insurance, pension plan and capitalization risk management process is based on defined responsibilities between the control and business areas, ensuring that they are independent from each other and focusing on the special nature of each risk, according to the guidelines established by Itaú Unibanco.
As part of the risk management process, there is a governance structure where decisions may be made by corporate bodies, thus ensuring compliance with a number of regulatory and internal requirements, as well as balanced decisions in connection with risks.
Our aim is to ensure that assets serving as collateral for long-term products, with guaranteed minimum returns, are managed according to the characteristics of the liabilities, so that they are actuarially balanced and solvent in the long term.
Liabilities for long-term products, which result in projected future benefits flows, are mapped in detail by using actuarial premises every year. This mapping enables Asset Liability Management models are used to define the best makeup of the asset portfolio so as to neutralize the risk of this type of product, taking into account their economic and financial viability in the long term. Portfolios of collateral assets are rebalanced periodically according to changes in market prices, the company’s liquidity requirements and changes in the characteristics of liabilities.
Capital Management
The Board of Directors is our highest authority with respect to capital management, responsible for monitoring capital adequacy, approving the Internal Capital Adequacy Assessment Process (ICAAP) report, and analyzing the results of the independent validation of ICAAP’s models and processes, performed by our internal controls and model validation teams, as well as for approving our institutional capital management policy and the guidelines about the conglomerate’s capitalization level. Additionally, the conclusions of and points of attention raised by auditors on capital management processes are submitted to the Board of Directors.
ICAAP is a process aimed at evaluating our capital adequacy level by identifying material risks, defining additional capital requirements for material risks and internal methodologies to quantify capital, preparing a capital plan, both under normal and stress situations, and structuring a capital contingency plan. In order to independently validate the effectiveness of ICAAP’s processes and models, our internal controls team is responsible for evaluating our governance framework, processes, policies and monitoring and reporting activities. Our team responsible for the technical validation of models analyzes the documentation, data, methodology, performance and the use of the models involved.
The risk assessment and capital calculation methodologies, as well as capital-related documents and topics, are evaluated by senior management committees before its submission to the Board of Directors.
In the capital management context, we prepare a capital plan consistent with our strategic planning and designed to maintain an adequate and sustainable capital level, taking into account analyses of the economic, competitive and political environment, in addition to other external factors. The capital plan is also approved by the Board of Directors and comprises:
|·
|Our short- and long-term capital goals and projections, under normal and stress scenarios, according to the Board of Directors’ guidelines;
|·
|Description of main sources of capital; and
|·
|Our contingency capital plan, including actions to be taken in the event of a potential capital deficiency.
As part of our capital planning, extreme market conditions are simulated, emulating serious events, in order to identify potential capital restrictions. Stress scenarios are approved by the Board of Directors, and their impacts on capital are included when devising our businesses and capital strategy and positioning.
Complementing the calculation of capital to cover the risks of Pillar 1 (credit, market, and operational risks), we have developed mechanisms to identify and analyze the materiality of other risks assumed by us, in addition to methodologies for assessing and quantifying additional capital requirements to cover such risks.
In order to provide the necessary information for our officers and Board of Directors to make decisions, managerial reports are prepared and presented at committee meetings, where committee members are informed about our capital adequacy and projections of future capital levels in normal and stress situations.
Minimum requirements
Our capital minimum requirements are expressed as ratios of the capital available stated by the Referential Equity (PR), or Total Capital, and risk-weighted assets, or RWA. These are consistent with a set of resolutions and circulars disclosed by the CMN and the Central Bank of Brazil since 2013, implementing in Brazil the global capital requirement standards known as Basel III.
The PR consists of the sum of Tier 1 and Tier 2 Capital, as defined by CMN resolutions. The total RWA is determined as the sum of the risk-weighted asset amounts for credit, market, and operational risks based on standardized approaches.
The required minimum Total Capital ratio is 11% between October 1, 2013 and December 31, 2015, reducing gradually to 8% on January 1, 2019. To counteract this, the BACEN rules call for Additional Common Equity Tier I Capital (ACP), corresponding to the sum of the components ACPConservation, ACPCountercyclical and ACPSystemic, which, together with the requirements mentioned in the preceding paragraph, increase capital requirements over time and define new requirements to qualify instruments eligible for Tier 1 or Tier 2 Capital. Additionally, these rules introduce a gradual reduction of the eligibility of the instruments issued pursuant to the previous related regulation, which is still in force.
Composition of Capital
Pursuant to current regulations, our Referential Equity (PR), used to monitor compliance with the capital requirements imposed by the Central Bank, is the sum of Tier 1 Capital and Tier 2 Capital, according to which:
|·
|Common Equity Tier 1 Capital: consists of capital stock, certain reserves and retained earnings, net of deductions and regulatory adjustments;
|·
|Additional Tier 1 Capital: consists of instruments of a perpetual nature, which meet eligibility requirements; and
|·
|Tier 2: consists of subordinated debt instruments with defined maturity dates that meet eligibility requirements.
In accordance with applicable Brazilian regulations, we must maintain our Total Capital (PR), Tier 1 Capital and Common Equity Tier 1 Capital ratios above the minimum regulatory requirements. The RWA used for assessing these minimum regulatory requirements can be determined by adding the portions, as follows:
|·
|RWACPAD = portion related to exposures to credit risk;
|·
|RWACAM = portion related to the exposures in gold, foreign currencies, and assets subject to foreign exchange rate variations;
|·
|RWAJUR = portion related to exposures subject to variations of interest rates, interest coupons and coupon rates and classified in the trading portfolio;
|·
|RWACOM = portion related to exposures subject to variations in commodity prices;
|·
|RWAACS = portion related to exposures subject to variations in equities prices and classified in the trading portfolio; and
|·
|RWAOPAD = portion relating to the calculation of operational risk capital requirements.
Capital Adequacy
Itaú Unibanco, through ICAAP, aims at ensuring sufficiency of capital to cover credit, market and operational risks, which are represented by the minimum capital required and coverage of other risks we consider material.
In order to ensure capital strength and availability to support business growth, we maintain PR levels above the minimum levels to minimize the exposure to risks, according to the Basel ratio (as described below), and Common Equity Tier I, Additional Tier I Capital and Tier II ratios (calculated, respectively, by dividing Common Equity Tier 1, Additional Tier 1 Capital and Tier 2 Capital by total RWA).
At December 31, 2015, our Total Capital (PR) at the Prudential Conglomerate level reached R$128,465 million, a decrease of R$1,325 million compared to December 31, 2014, at the Financial Conglomerate level, mainly driven by the decrease in our Tier II Capital.
|(In millions of R$)
|(%)
|Prudential
Conglomerate
|As of December 31,
Financial Conglomerate
|Variation
|Capital Composition
|2015
|2014
|2013
|2015-2014
|2014-2013
|Tier 1 Capita1(1)
|101,001
|96,232
|87,409
|5.0
|10.1
|Common Equity Tier 1 Capital(2)
|100,955
|96,212
|87,409
|4.9
|10.1
|Additional Tier 1 Capital(3)
|46
|20
|-
|129.9
|-
|Tier 2 Capital(4)
|27,464
|33,559
|37,734
|(18.2
|)
|(11.1
|)
|Regulatory Capital
|128,465
|129,790
|125,144
|(1.0
|)
|3.7
|Minimum Required Regulatory Capital
|79,471
|84,488
|83,099
|(5.9
|)
|1.7
|Excess Capital in relation to Minimum Required Regulatory Capital
|48,994
|45,302
|42,045
|8.1
|7.7
|Risk weighted assets (RWA)
|722,468
|768,075
|755,441
|(5.9
|)
|1.7
(1)Comprised of the Common Equity Tier 1 Capital, as well as the Additional Tier 1 Capital.
(2)Sum of share capital, reserves and retained earnings, net from deductions and regulatory adjustments (ajustes prudenciais).
(3)Comprised of of instruments of a perpetual nature, which meet eligibility requirements.
(4)Comprised of debt instruments with defined maturity dates, primarily subordinated debt, which meet eligibility requirements.
Our BIS ratio (calculated as the ratio between our Regulatory Capital and the total amount of RWA) at the prudential conglomerate level reached 17.8%, on December 31, 2015, an increase compared to December 31, 2014, at the financial conglomerate, mainly explained due to a decrease in RWA. Our BIS ratio on December 31, 2015 consisted of 14.0% of Common Equity Tier 1 Capital and 3.8% of Tier 2 Capital.
|(%)
|As of December 31,
|Prudential
|Financial Conglomerate
|Capital Ratios
|2015
|2014
|2013
|BIS ratio
|17.8
|16.9
|16.6
|Tier 1 Capital
|14.0
|12.5
|11.6
|Common Equity Tier 1 Capital
|14.0
|12.5
|11.6
|Additional Tier 1 Capital
|-
|-
|-
|Tier 2 Capital
|3.8
|4.4
|5.0
Our Regulatory Capital, Tier 1 Capital and Common Equity Tier 1 Capital ratios were calculated on a consolidated basis, applied to the financial institutions included in our Financial Conglomerate, up to December 31, 2014. From January 1, 2015, instead of calculating ratios for our Financial Conglomerate we calculated at the Prudential Conglomerate level, which is comprised of not only financial institutions but also collective financing plans (“consórcios”), payment entities, factoring companies or companies that directly or indirectly assume credit risk, and investment funds in which our Itau Unibanco Group retains substantially all risks and rewards.
b) the objectives and strategies of the risk management policy, if any, including:
i. risks that are intended to be hedged
Credit Risk
We have a framework to control the credit risk through the compliance with applicable regulations, best market practices and a decision-making process by business units. The document “Public Access Report – Credit Risk”, detailing the guidelines set forth by the institutional credit risk management policy can be found on the website www.itau.com.br/investor-relations under Corporate Governance, Rules and Policies.
The credit risk management aims at maintaining the quality of the loan portfolio consistent with risk appetite levels for each market segment in which we operate. We strictly control the credit exposure to clients and counterparties, taking actions to remediate occasional situations in which the actual exposure exceeds targeted levels. We also have a specific process structure aimed at ensuring that the country risk is managed and controlled, as follows. (i) country risk governance; (ii) country ratings; (iii) credit limits for specific countries; (iv) limits monitoring; and (v) actions for limit breaches.
The credit policy is developed based on (i) internal factors, such as borrower ratings criteria, performance and evolution of portfolio, default levels, return rates, and allocated economic capital, and (ii) external factors related to the economic environment, interest rates, market default indicators, inflation and changes in consumption levels.
For information on risk management please refer to “Risk and Capital Management - Pillar 3” on website www.itau.com.br/investor-relations, under Corporate Governance, Rules and Policies.
Operational Risk
We understand operational risk as the possibility of losses arising from failure, deficiency or inadequacy of internal processes, people or systems or from external events. This definition includes the legal risk associated with inadequacy or deficiency in contracts signed by us, as well as penalties due to noncompliance with laws and punitive damages to third parties arising from the activities undertaken by us.
Liquidity Risk
We seek to hedge against the likelihood that we will not be able to effectively honor our expected or unexpected current and future obligations, including those from guarantee commitments, without affecting our daily operations and not incurring significant losses.
ii. instruments used for hedging purposes
Credit Risk
We use guarantees aiming at increasing resiliencies in operations with credit risk. These guarantees can be personal or secured guarantees, legal structures with mitigating power and netting arrangements. When used for managerial purposes, to be considered as credit risk mitigation instruments, these guarantees need to comply with requirements and determinations of the regulations that govern them, whether internal or external and they need to be legally valid (effective), enforceable and regularly evaluated. Credit limits are continuously monitored and changed according to client behavior. Therefore, any potential losses represent a fraction of the amount available.
Operational Risk
We have a governance process structured based on discussion forums and corporate bodies, which, in turn, report to the Board of Directors, and on well-defined roles and responsibilities to reinforce the segregation among the business, management and control activities, thus ensuring the independence between units and, consequently, informed decisions with respect to risks. This is reflected in the risk management carried out on a decentralized basis under the responsibility of the business units, and in the centralized control carried out by the Operational Risk and Internal Control and Compliance units by means of methodologies, training, certification and monitoring of the control environment on an independent basis.
Among the methodologies and tools used are the self-evaluation and the map of the organization’s prioritized risks, the approval of processes, products, and system development products and projects, the monitoring of key risk indicators that and the database of operational losses. Our operational risk framework ensures a conceptual exclusive basis for the management of processes, systems, projects and new products and services.
Liquidity risk
We ensure full capacity to honor payments with respect to financial commitments assumed and we manage our liquidity reserves through estimates of funds that will be available for investments, taking into account the continuity of business in normal conditions.
Our liquidity control risk is carried out by an independent group of the business units and is responsible for determining the composition of the reserve, proposing assumptions for the performance of cash flows in different timeframes, proposing and monitoring liquidity risk limits in accordance with the institution’s risk appetite, communicating any mismatches, considering the liquidity risk on an individual basis in the countries where we operate, simulating the behavior of cash flows in stress conditions, assessing and reporting in advance the risks inherent to new products and operations, as well as reporting on the information required by the regulatory bodies.
All activities are subject to assessment by the independent validation, internal controls and audit departments.
iii. organizational structure for risk management
Risk Governance and Capital
We established committees that are responsible for risk and capital management and report directly to the Board of Directors. Committee members are elected by the Board of Directors, the main authority with respect to risk and capital management decisions. For further information on the composition of committees please refer to website www.itau.com.br/investor-relations, under Corporate Governance, Board.
At the executive level, risks are managed by corporate committees, which are chaired by our CEO and count on the participation of our CRO. The following committees are part of our risk and capital management governance structure:
Risk and Capital Management Committee (CGRC): Supports the Board of Directors in the performance of its duties related to our risk and capital management by meeting, at least, quarterly and submitting reports and recommendations to assist the Board of Directors in its decision-making with respect to:
|·
|Decisions regarding our appetite for risk in terms of capital, liquidity, results and franchise (our brand), ensuring these aspects are in alignment with our strategy and including: acceptable levels of capital and liquidity, types of risk to which we could be exposed as well as aggregate limits for each type of risk, tolerance with respect to volatility of results and risk concentrations, general guidelines on tolerance regarding risks that may have an impact on our franchise (or the value of our brand, i.e., image risk);
|·
|Supervision of our risk management and control activities to ensure our adequacy to the risk levels assumed and the complexity of transactions in which we engage, as well as compliance with
|·
|regulatory requirements;
|·
|Review and approval of capital management institutional policies and strategies that establish mechanisms and procedures intended to maintain capital compatible with the risks incurred by us;
|·
|Determination of our minimum expected return on capital for our entire business, as well as performance monitoring;
|·
|Supervision of our incentive structures, including compensation, seeking to ensure their alignment with risk control and value creation objectives; and
|·
|Promotion and improvement of our risk culture.
Audit Committee: set up in April 2004 by the General Stockholders’ Meeting, we have a single Audit Committee overseeing all entities within the Itau Unibanco Group that are either authorized to operate by the Central Bank or that are supervised by SUSEP. The committee is responsible for overseeing the quality and integrity of our financial statements, the compliance with legal and regulatory requirements, the performance, independence and quality of the services provided by our independent auditors and of work performed by our internal auditors, and the quality and effectiveness of the internal control and risk management systems.
Additionally, the Committee will, individually or jointly with the Conglomerate’s respective independent audit companies, formally communicate with the Central Bank or SUSEP, as the case may be: (i) noncompliance with the legal and regulatory provisions and internal norms that place the continuity of our companies at risk; (ii) fraud of any value perpetrated by sênior management (members of the Board of Directors and Executive Board) of our companies; (iii) significant fraud perpetrated by our employees or by third parties; and (iv) errors resulting in significant inaccuracies in our financial statements of our companies. Audit Committee meets at least four times a year convened by its President.
The Audit Committee is composed of at least three (3) and at the most seven (7) members, annually elected by the Board of Directors among its members or professionals of proven technical knowledge, consistent with the responsibilities of the committee, and at least one of the members of this Committee will be designated a Financial Expert. In the election, the independence criteria established in the Internal Charter of the Audit Committee and the applicable regulations are taken into consideration.
Superior Market Risk and Liquidity Committee (CSRML): meets on a monthly basis to set guidelines and governance for investments and market and liquidity risks regarding our consolidated positions and business lines.
The CSRML is responsible for the strategic management and control of risks, and for setting limits for market and liquidity risks, according to the authority delegated by the Risk and Capital Management Committee (CGRC).
The CSRML is also responsible for analyzing the levels of our current and future liquidity and taking steps to promote the safe and efficient evolution of our financial flows. The CSRML is responsible for discussing and establishing (i) additional liquidity and Market risks; (ii) guidelines to delegate operations and decision powers to the Market Risk and Liquidity Management Committee (CGRML); (iii) the funding policy and the policy on investments in the domestic and international financial markets; (iv) the criteria and rules on transfer pricing among companies of the conglomerate. The Audit Committee meets at least four times a year on convening by its Chairman; (v) the strategies for financing group portfolios; (vi) the guidelines and governance for market risk and liquidity in managing funds from Technical Reserves and from Insurance, Pension and Savings Bonds; and (vii) the guidelines for monitoring the balance between assets and liabilities of Closed Private Pension Entities (Foundations) associated with the conglomerate.
Superior Operational Risk Management Committee (CSRO): meets at least on a quarterly basis. Its chief responsibilities are: understanding the risks of our processes and business, defining guidelines for managing operating risks and assessing the results achieved by our Internal Controls and Compliance System.
Superior Products Committee (CSP): meets on a weekly basis and is the highest authority to approve our products, operations, services and related processes that do not fall under the responsibility of other committees subordinated to it. In addition, evaluates products, operations, services and processes that envolve risk to our image.
Superior Retail Credit and Collection Committee (CSCCV): meets on a monthly basis and is responsible for approving credit policies and assessing the performance of Retail Credit and Collection portfolios and strategies.
Superior Wholesale Credit and Collection Committee (CSCCA): meets on a monthly basis and is responsible for approving credit policies and assessing the performance of Wholesale Credit and Collection portfolios and strategies.
Superior Credit Committee (CSC): meets on a weekly basis. It is responsible for:
|·
|Analyzing and deciding on credit proposals that are beyond the authority of the Credit Committees that report to it; and
|·
|Reviewing decisions which were not made due to a lack of consensus at the committee immediately subordinate to it or that were submitted to it for review due to the relevance of the topic or other features.
Risk and Financial Policies Committee (CNRF): meets at least five times a year, to:
|·
|Review and approve, by consensus, the circulars and attachments prepared by the Risk and Finance Control and Management Area (ACGRF);
|·
|Recommend, for final approval by the Board of Directors, the institutional policies prepared by ACGRF; and
|·
|Ratify attachments approved at the appropriate authority levels.
Model Assessment Technical Committee (CTAM):
The CTAM is the highest decision-making authority for the discussion of credit and market risk models. It is composed of:
|·
|CTAM – Market: meets every two months or upon request for the approval and assessment of market and pricing risk models based on the opinion of the independent model validation group, suggests and monitors action plans for the validated models and monitors the performance of the market risk model our time goes by, determining new developments, if necessary
|·
|CTAM – Credit: meets monthly or when required. Its purpose is to approve the use of credit risk models from a technical viewpoint. Its responsibilities are: to give technical approval for the use of credit risk models; to issue the technical opinions of the Broad Validation Unit on credit risk models and on other models used in the management and/or quantification of specific risks, according to our needs and priorities; to resolve important management changes to the models in use; and to decide on conditions for the use of models, recommendations for action plans to eliminate/ minimize risks and suggestions for future models submitted by the Broad Validation Unit.
Internal Audit
At the administrative level, the Internal Audit reports to the Chairman of the Board of Directors of Itaú Unibanco Holding S.A. Its activities are overseen by the Audit Committee of the Itaú Unibanco Holding S.A., and monitored by the Superior Operational Risk Committee (CSRO).
The Internal Audit representation offices located in Foreign Units report at a technical level to the Audit Executive Board of Itaú Unibanco S.A., and its activities are overseen by both the Audit Committee of Itaú Unibanco Holding S.A. and local audit committees.
The Internal Audit confirms annually its professional independence to the Board of Directors’ Chairman.
Any actual or apparent impediments to independence or objectivity are reported to the Board of Directors’ Chairman and the Audit Committee.
The internal audit activities carried out and the use of the name “internal audit” in the Conglomerate are exclusive to the Audit Executive Board of Itaú Unibanco.
The Internal Audit area’s purpose is to evaluate the activities carried out by the Conglomerate, thus enabling Management to assess the adequacy of controls, effectiveness of risk management, reliability of financial statements and compliance with rules and regulations.
To reach its purposes, the Internal Audit’s responsibilities are to carry out audit technical activities and supplementary activities.
Frequency of meetings: Once a month with the Board of Directors’ Chairman, and semiannually with the Board of Directors.
Internal Controls
The management of Itaú Unibanco Holding S.A. is responsible for establishing and maintaining internal controls related to the company’s consolidated financial statements.
The internal control related to the financial statements is a process developed to provide reasonable assurance regarding the reliability of accounting information and the preparation of the financial statements disclosed in accordance with generally accepted accounting principles. The internal controls related to the financial statements include policies and procedures that (i) are related to the maintenance of records that, in reasonable detail, reflect accurately and properly the transactions and write-offs of the company’s assets; (ii) provide reasonable assurance that the transactions are recorded as necessary to enable the preparation of the financial statements in accordance with the accounting practices adopted in Brazil (BRGAAP), and that the company’s receipts and payments are only being made in accordance with the authorization of the company’s management and officers; and (iii) provide reasonable assurance regarding the timely prevention or detection of any unauthorized acquisition, use or allocation of the company’s assets, which could have a significant effect on the financial statements.
Due to their inherent limits, the internal controls related to the financial statements may not be able to avoid or detect errors. Therefore, even these controls, which had been designed to be effective, may be proven unable to prevent or detect errors. Likewise, projections of any evaluation on their effectiveness for future periods may be subject to the risk that controls may become inadequate due to changes in conditions, or deterioration may occur in the level of conformity with practices or procedures.
Management assessed the effectiveness of our internal controls related to the financial statements at December 31, 2015, and adopted the criteria defined by the Committee of Sponsoring Organization of the Treadway Commission in Internal Control (“COSO”) – Integrated Framework (2013). Based on this evaluation and criteria, Management concluded that the internal controls related to the financial statements are effective with respect to December 31, 2015.
c) the adequacy of operating structure and internal controls to verify the effectiveness of the policy adopted
The integrated management of operational risk, internal controls and compliance is in conformity with the internal policy approved by the Board of Directors, and is structured in three lines of defense:
|·
|1st line: represented by the business and risk control areas, it is responsible for identifying, measuring, assessing, and managing operational risk events, as well as keeping an effective control environment (including the compliance with internal and external rules).
|·
|2nd line: represented by the independent internal controls/ validation area, it is responsible, among others, for disclosing and ensuring the application of decisions, policies and strategies with respect to operational risk management, as well as validating policies and processes on an independent basis.
|·
|3rd line: represented by the Internal Audit Area, it is responsible, among others, for verifying, on an independent and periodic basis, the adequacy of processes and procedures for risk identification and management.
The activities of the 2nd line of defense is carried out by the Internal Controls, Compliance and Operational Risk Executive Board (DCIC), which, as it is segregated from the business and risk control areas, ensures its independence.
The 2nd line of defense carries out the validation of processes focused on identifying, measuring, assessing, monitoring and responding to the organization’s operational risks, thus ensuring that any losses and risks are kept within the limits established by the institution.
Credit Risk
The DCIC’s validation of the credit risk is supported by risk and control assessments carried out by internal control officials, as well as by the credit model validation, which are conducted by the Technical Model Validation area. Assessments are conducted over the year through risk mapping and compliance testing of the main processes with exposure to credit risk. Any weaknesses identified are recorded and forwarded to the areas in charge of the action plan for due correction.
The findings of the assessments show that the control environment for credit risk is adequate since there are credit risk management processes in place, credit strategies and policies adhere to risk appetite guidelines, defined authority levels are observed, and the timely monitoring of the quality of the loan portfolios are carried out.
Operational risk
The Integrated Management Model of Internal Controls, Compliance and Operational Risk aims at identifying, prioritizing and managing any possible operational risks, monitoring and reporting management activities with the purpose of ensuring the quality of the control environment for operational risk.
The monitoring of the operational risk management is carried out through:
|·
|control environment assessments conducted by the Internal Controls, Compliance and Operational Risk area;
|·
|the dissemination of the risk management culture;
|·
|the attendance and evaluation of forums for management of risks of each executive area;
|·
|the monitoring of operational risk indicators and the adherence to regulations.
The findings of these analyses corroborate our conclusion that we have an adequate operational risk control environment.
Liquidity Risk
The independent validation of the processes and controls used along the Liquidity Risk chain is carried out annually by the DCIC, 2nd line of defense, through the process mapping and testing of any existing key controls, which allow for an independent challenge. The findings of these analyses corroborate our conclusion that we have an adequate liquidity risk control environment.