Creating a culture of integrity and accountability

We identify, evaluate, manage and monitor the risks that we face through an integrated control framework supported by formal policies and procedures, clearly delegated authority levels and comprehensive reporting. The Board confirms that our framework has been in place throughout the year under review and to the date of approval of this Annual Report and that it is integrated into both our business planning and viability assessment processes.

Overview

Our Board, supported by its Audit and Risk Committees and the Management Board, is ultimately responsible for the Group’s risk management and internal controls. We believe that in order to have an effective risk management framework there needs to be a strong risk management culture within the Group. In this section we demonstrate how we ensure that managing risk is ingrained in our everyday business activities. We seek to create an environment where there is openness and transparency in how we make decisions and manage risks and where business managers are accountable for the risk management and internal control processes associated with their activities. Our culture also seeks to ensure that risk management is responsive, forward-looking and consistent.

Our framework

The Board’s mandate includes determining the Group’s risk appetite and risk tolerance as well as monitoring risk exposures to ensure that the nature and extent of the main risks we face are consistent with our overall goals and strategic objectives. The Board is accountable for reviewing the effectiveness of the systems and processes of risk management and internal control, with the Audit and Risk Committees assisting in the discharge of this responsibility. At the Board, Committee and Management Board levels, we develop formal policies and procedures which explain the way in which risks need to be systematically identified, assessed, quantified, managed and monitored.

Each business participates in the risk management process by identifying the key risks applicable to its business. The principal risks and uncertainties faced by the Group are identified through this bottom-up process.

On a day-to-day basis, the Management Board is responsible for the implementation of the Group’s risk management and other internal control policies and procedures. Based on our risk culture, managers “own” the risks relevant to their respective function. For each risk identified at any level of the business, the risk is measured, mitigated (if possible) in accordance with our policies and procedures and monitored. Managers are required to report on identified risks and responses to such risks on a consistent and frequent basis. The Management Board regularly reviews the output from the bottom-up process by providing independent challenge and assessing the implementation of the risk management and internal control policies and procedures. Our reporting process enables key risks to be escalated to the appropriate level of authority and provides assurance to the Committees and the Board. Key developments affecting our principal risks and associated mitigating actions are reviewed quarterly (or more often if necessary on an ad hoc basis, outside of the regular reporting process) by the Audit and Risk Committees, as appropriate, and the Board.

The principal risks and uncertainties faced by the Group are identified through the above processes. A description of these principal risks and uncertainties, including recent trends and outlook, as well as mitigation efforts, can be found on pages 60 to 67 of the Strategic Report.

Internal control

Our Board is responsible for reviewing and approving the Group’s system of internal control and its adequacy and effectiveness. Controls are reviewed to ensure effective management of risks we face. Certain matters – such as the approval of major capital expenditure, significant acquisitions or disposals and major contracts – are reserved exclusively for the Board. The full schedule of matters specifically reserved for the Board can be found on our website, at https://bankofgeorgiagroup.com/governance/documents. For other matters, the Board is often assisted by both the Audit and Risk Committees.

With respect to internal control over financial reporting, including over the Group’s consolidation process, our financial procedures include a range of system, transactional and management oversight controls. The Group prepares detailed monthly management reports that include analyses of results along with comparisons, relevant strategic plans, budgets, forecasts and prior results. These are presented to and reviewed by the Management Board.

Each quarter, the Bank’s CFO and other members of the finance team discuss financial reporting and associated internal controls with the Audit Committee, which reports significant findings to the Board. The Audit Committee also reviews the quarterly, half-year and full year financial statements and corresponding results announcements and advises the Board. The external and internal auditors attend each Audit Committee meeting and the Audit Committee meets them regularly both with and without the Management Board present.

Our Audit and Risk Committees monitor internal control over operating and compliance risk through discussions with the Bank’s Deputy CEO, Chief Risk Officer, the Bank’s Head of AML and Compliance, Head of Internal Audit and other Management Board members on a quarterly basis. Any key issues identified are escalated to the Board. The Board also receives regular presentations directly from the head of each risk unit of the Bank. Principal risk and internal control issues are addressed in such presentations.

The Bank’s Internal Audit function reviews a number of areas of risk pursuant to an annual programme approved by the Audit Committee. Any significant issues or risks

Annual Report 2018 Bank of Georgia Group PLC 49