Sustainability Report 2021

55 Introduction Customers Social Governance Appendix Environment Sustainability Report 2021 Our rigorous and comprehensive risk governance and risk management policies are well established. The Bank’s approach to risk management governance, which is implemented across the organization, is independent of business operations, operating in accordance with the three lines of defense model that enhances our risk controls and ensures proper checks and balances. In 2021, ttb reviewed and restructured our risk policy governance and delegation of authority. The Bank is obligated to establish a solid risk governance framework that serves as a foundation for consistent and effective risk management. The risk governance framework predominantlyconsistsof riskappetites, riskmanagement policies and strategies, risk culture, and risk management processes and systems, which together enable the Bank to effectively address and manage the organization’s significant and overall risks. The new structured risk policy governance was approved by the Board of Directors in 2021. In addition, ttb has clearly defined the risk appetite of non-financial risk (NFR) in 2021 which covers the four NFR areas including fraud, compliance, legal, and other operational risks. Each area would comprise of a risk appetite statement (RAS), measurements, and predefined thresholds of risk appetite. This would allow the Bank to better manage the NFR. Three Lines of Defense 1st Line Employees in Business Units Consider the impacts of risk, report if necessary, and apply appropriate risk mitigation strategies. Investments include training, tooling, processes and policies. 2nd Line Risk Management Units under the Chief Risk Officer Formulate risk strategy and appetite, policies, guidelines, standards, and appropriate risk structures. Provide oversight and monitoring of the 1st line of defense as well as actively challenging the risk - return trade-off in Business Units. 3rd Line Internal Audit Provides independent and objective assurance on the effectiveness of controls and recommends improvements to the governance, risk & control framework. 100% of employees completed online risk awareness training courses covering topics such as cybersecurity risk awareness and non-financial risk management 100% of the Board of Directors participated in risk related training on topics such as Security Awareness Training: Cybersecurity and Cyber Resilience