Corporate Governance
Risk Management, Internal Audit, Internal Control and Compliance
The Audit Committee’s Assessment of the Functioning of the Internal Systems Units in 2024
Internal systems activities at Ziraat Bank are carried out by the Board of Internal Auditors, Internal Control Department, Risk Management Department, Compliance Department and Information Security Department under the coordination of the Internal Systems Group Presidency, with separated duties and responsibilities.
This organization is structured so as to embrace all Bank units and branches as well as Bank-owned subsidiaries subject to the Bank’s oversight. Its purpose is to minimize any risks that might adversely affect the thoroughgoing and secure conduct of banking operations, the fulfillment of long-term profit targets, the reliability of financial and administrative reporting, and/or the Bank’s reputation and financial stability.
Risk Management System
Ziraat Bank risk management activities are conducted subject to the requirements of the Regulation on Banks’ Internal Systems and Internal Capital Adequacy Assessment Process and other relevant regulations and BRSA Best Practice Guides.
In these activities, the Bank aims to embed the risk culture throughout its business processes and to bring the risk management function closer to good practices by constantly improving the system and human resources.
The activities carried out within the framework of the risk management system include credit risk, market risk, operational risk, balance sheet risks (interest rate risk arising from banking book and liquidity risk), internal rating-based modeling and validation.
Risk management activities are carried out in accordance with the regulations approved by the Board of Directors, and care is taken to ensure that the units involved in the line of business to which each type of risk is related contribute to the process.
In addition, the Bank carries out activities to ensure that its overseas branches and subsidiaries comply with local regulations regarding risk management, and closely monitors their risk management ratios.
Within the framework of the “Regulation on Banks’ Internal Systems and Internal Capital Adequacy Assessment Process,” the Internal Capital Adequacy Assessment Process was set up to determine the capital required to meet the risks which the Bank is exposed to or may be exposed to, and to establish and maintain a system that will evaluate the capital requirements and levels in line with its strategies. The models designed in this context and the model outputs together with the validation studies of these models are used in TFRS-9 calculations, allocation and pricing processes. Analyses conducted in line with BRSA regulations are also supported by risk-based stress tests/scenario analyses. Year-end Stress Test and Internal Capital Adequacy Assessment Process (ICAAP) reports are prepared and are sent to BRSA with the approval of the Board of Directors.
The results of the analysis carried out within the scope of risk management activities and risk indicators are submitted to the Audit Committee and the Board of Directors at six-month intervals, to the Audit Committee on a monthly basis and to the senior management on a monthly, weekly or daily basis.
Ziraat Bank will continue to carry out its activities for all types of risks based on internationally accepted advanced risk management techniques and to turn these activities into an integral part of the strategic decision-making processes in the coming periods.
Information About Risk Management Policies and Activities According to Type of Risk
Credit Risk
Credit risk is an expression of the likelihood of the Bank’s suffering a loss because a debtor fails to fulfill, in a timely manner, some or all of his obligations under an agreement that he has entered into.
Within the framework of credit risk management activities, Ziraat Bank carries out work on the definition, measurement, monitoring and reporting of credit risk using methods compatible with the Basel-3 criteria.
The Bank follows the credit risk limits approved by the Board of Directors and conducts scenario analysis and stress tests by applying internal and external shocks to credit risk factors. Credit risk measurement is carried out using the Standard Approach method within the framework of the “Regulation on Measurement and Evaluation of Capital Adequacy Ratios of Banks.” Counterparty Credit Risk is measured by using the Standard Approach (SA-CCR) method.
Ziraat Bank monitors and reports the credit risk and counterparty credit risk signal and limit values it has determined on a monthly basis. These signal and limit values are included in the Risk Appetite Statement Regulation approved by the Board of Directors. They cap the risk weighted assets that the Bank can carry on a segment and portfolio type basis.
Market Risk
Market risk is an expression of the possibility of loss that the Bank may be exposed to on account of its on- or off-balance sheet exchange rate, commodity, interest rate and stock position risk, which are subject to the Bank’s trading activities and followed up under the Bank’s accounts and positions valued at fair value, and which arise from the movements in market prices.
Within the scope of market risk management activities, Ziraat Bank carries out risk identification, measurement, analysis, monitoring and reporting activities, which are supported by stress testing. The results of these activities are taken into account in the Bank’s strategic decision-making process.
In order to manage market risk, market movements that affect the present value of the portfolios which expose the Bank to market risk in line with its trading strategies are kept track of on a daily basis and the impact that both upward/downward and ordinary/extraordinary movements may have on these portfolios is analyzed.
In the conduct of its day-to-day operations, trigger values are monitored as part of the early-warning process that is carried out to protect the Bank’s financial strength from being seriously affected by increases in market volatility. Risk exposure levels are kept within prescribed limits.
The Standardized Approach methodology is used to calculate the Bank’s exposure to market risk, the amount of which is included in its mandatory capital adequacy ratio. Market risk is also calculated on a daily basis using a VaR-based internal model. The effectiveness of the models being used is also analyzed regularly by means of back testing.
Operational Risk
Operational risk is an expression of the likelihood of the Bank’s suffering a loss because of changes in value caused by the fact that the actual losses which are incurred on account of inadequate or failed internal processes, people, or systems or on account of external events (including legal risk) differ from expected losses.
Within the scope of operational risk management activities, Ziraat Bank carries out work to define, classify, measure and analyze operational risks, and monitors the operational risk signal and limit values approved by the Board of Directors on a periodic basis. The amount subject to operational risk in the Bank is calculated using the Basic Indicator Method in accordance with the “Regulation on Measurement and Evaluation of Capital Adequacy Ratio of Banks.”
The Bank’s operational risk loss database, which is integrated with the Bank and is compatible with the accounting system, was established in line with a classification covering the loss event type and activity lines of the Basel Banking Supervision and Audit Committee, and includes data obtained from overseas and domestic branches and subsidiaries. Effective methods are applied to monitor the company’s operational risk outlook.
In addition, a self-assessment study is conducted to evaluate the potential threats arising from the Bank’s operational processes and activities and the Bank’s weaknesses against these threats.
Ziraat Bank employees perform their duties taking into account the operational risk-related principles and procedures set forth in the Bank’s internal regulations and in a manner that is both sensitive to the operational risks that may be incurred and mindful of Bank policies intended to create an operational environment that will reduce the likelihood of losses.
Risks and actions taken within the scope of IT are monitored and reported to the senior management regarding operational risk.
In order to ensure the continuity of outsourced support services, the risks that might arise from their procurement are assessed in light of BRSA Regulation on the outsourcing of support services by banks.
As part of the Business Continuity Plan, “business impact analyses” are carried out in order both to identify the risks that might arise if the Bank’s operations are interrupted and to determine their potential consequences. Analyses are also conducted into the portfolio custody service database. Reputation risk management activities are included in operational risk activities. Within the scope of reputation risk studies, various factors are monitored in terms of the Bank’s reputation and reputation risk analyses are reported regularly.
Balance Sheet Risks
Ziraat Bank aims to effectively manage the risks arising from assets, liabilities and off-balance sheet accounts within the scope of balance sheet risks.
In this regard, the Bank carries out definition, measurement, analysis, monitoring and reporting activities regarding liquidity risk and interest rate risk arising from banking book. The Bank also supports these studies, the results of which are taken into account in strategic decision-making, with stress tests and scenario analyses.
There are two components of liquidity risk: funding liquidity risk and market liquidity risk. Funding liquidity risk refers to the possibility of loss as a result of the Bank’s inability to meet all foreseeable or unforeseeable cash flow requirements without affecting the daily operations or financial structure.
Market-related liquidity risk pertains to the potential for the Bank to incur financial losses as it is unable to close out or balance its positions at prevailing market prices due to insufficient market depth or excessive volatility.
Interest rate risk consists of the possibility of sustaining losses on risk-sensitive assets, liabilities, and off-balance sheet items owing to changes taking place in interest rates.
Ziraat Bank calculates the consolidated and unconsolidated Liquidity Coverage Ratio and Net Stable Funding Ratio for liquidity and interest rate risks arising from banking book and the unconsolidated Interest Rate Risk Ratio Arising from Banking Book within the framework of the BRSA regulations, reports them to the BRSA, and regularly monitors them internally.
In addition, within the scope of liquidity risk, the Bank closely monitors maturity mismatches between sources and uses, and the level of liquidity buffer that will allow the Bank to continue its normal daily activities or that may be needed in unexpected situations.
In addition to the aforementioned issues, studies are carried out to assess the Bank’s liquidity needs in the worst possible case through stress testing, scenario and sensitivity analysis.
For the management of the interest rate risk arising on banking business accounts, attention is given to monitoring and analyzing such issues as rate and maturity mismatches between fixed- and variable-interest fundings and lendings, assets’ and liabilities’ behavioral as well as contractual maturities, both upward/downward and ordinary/extraordinary movements in interest rates, and the impact of interest rate income on the current value of assets and liabilities.
The Bank periodically monitors interest rate risk signal and limit values arising from liquidity and banking book through the early warning process application. Risk limits are determined by considering the risk appetite and become effective upon the approval of the Board of Directors.
In addition to the stress test analyses that are subject to periodic internal reports, stress test and ICAAP reports are prepared for submission to the BRSA at the end of each year, and internal capital and liquidity adequacy levels are analyzed.
Validation
Ziraat Bank evaluates the accuracy, consistency and adequacy of the internally used rating models and other measurement methodologies in order to accurately measure and manage the risks the Bank is exposed to. It also evaluates the stability of risk models and the performance of their outputs (risk estimates, rating grades), and reports the results of these activities to the senior management at regular intervals.
In this context, the Bank aimed to carry out validation studies of IDA models, especially the integration between IDA models and TFRS-9 standards, administrative models, internal models used in the Bank’s decision-making processes such as ICAAP, operational risk and market risk models and to take necessary actions in view of the findings.
Validation activities are carried out under two main headings; initial and periodic validation. Models and methodologies are evaluated qualitatively and quantitatively in both validation types. Models and methodologies, especially data quality controls, performance analyses, evaluation of basic working logic, compliance with legal and internal regulations, documentation and implementation are comprehensively addressed in the validation process. In addition, the preparation of the final validation reports, the evaluation and follow-up of the findings and actions are also included in the validation processes.
Internal Audit System
The Internal Audit Board takes a risk-focused approach in the fulfillment of its responsibilities to ensure that the activities and operations of the Bank’s headquarters units, domestic and international branches, and subsidiaries comply with the requirements of laws and regulations and are compatible with the Bank’s own strategies, policies, principles, and objectives. The board conducts its activities in such a way as both to keep the Bank’s senior management informed and to contribute to their decision-making processes.
The board conducts its activities in line with internationally-accepted internal auditing standards. Besides checking the Bank’s operations for their compliance with statutorily mandated procedures, in 2024 the board also reviewed and assessed the effectiveness and efficiency of the transaction procedures involved in both primary and secondary processes. In addition, processes governed by the BRSA regulations pertaining to information systems and banking processes were also audited in line with the Bank’s own practices.
Activities of the Internal Audit Board in 2024 are presented below:
The Central Audit Team continued its intensive operations in 2024 by performing scenario analyses which are influential in preventing irregularities from being committed. Reviewing the effectiveness of existing scenarios against possible abuses, the team continued its systemic developments to minimize the manual processes used during the audit. Work to integrate Artificial Intelligence (AI) technology into the Central Audit processes continues. Accordingly, the transaction types sent to the branches will be included in machine learning, and the probability of fraud will be calculated with more cases that may be subject to abuse being detected more quickly and more effectively.
The R&D Team completed work on updating the audit model with a dynamic approach, ensuring the follow-up of international standards and practices in auditing. Under the new audit structure, scenario-based dynamic audits started to be carried out, in addition to on-site branch audits, in order to centralize the audit process and include new situations arising within the scope of audit without wasting time. These activities were geared towards detecting risk before the risk grew, enabling more branches to be reached compared to those currently contacted. The team closely monitored legislation, BRSA decisions and changes foreseen by the Bank’s senior management and Head Office units and undertook necessary changes at the audit points.
Inquiry rules used in branch audits were revised, and new rule sets were created in which customers’ CTR data was included in the analysis. Accordingly, a sample reflecting risk more accurately was determined where inquiry rules were designed in a dynamic structure and instant actions were taken according to the conjuncture and the Bank’s risk appetite.
The effectiveness, adequacy, and compliance of the controls established over the information systems and business processes of the Bank, its domestic and international subsidiaries subject to consolidation, overseas branches, and service providers/external service providers are periodically assessed each year from a risk-based perspective by the Information Systems Team. These assessments are conducted in consideration of relevant internal and external regulations, international standards, and best practices. The activities continued in 2024 as well.
The Data Security Team, which is tasked with protecting the confidential information of customers and the Bank, continued its activities in 2024.
The Data Science Team was established to make auditing more efficient in parallel with the technological transformation brought about by digitalization. It identifies deficiencies in the Bank’s processes, generates scenarios to measure the risk spread across the Bank, improve processes and increase efficiency, and presents these scenarios to the relevant business unit to ensure fast and effective solutions for the Bank in general. The team accelerated its work in 2024, and the outputs of many studies were shared with the relevant Head Office units. The team also aims to create a profile of the transactions subject to findings, inefficiencies, ineffectiveness or irregularities through scenario studies based on previously conducted audits/investigations, and to detect findings, inefficiencies, ineffectiveness and irregularities more quickly and effectively in the coming years through machine learning of the profile. In cases where historical profiling or prediction is not possible, similar items in the targeted dataset are clustered or anomaly detection is performed.
In 2024, the Inspection Scenario Unit continued its activities by identifying systemic deficiencies/malpractices encountered throughout the Bank and developing solutions for their elimination, filtering data from the Bank’s data pool that is considered to contain risk and preparing Spot Inspection Reports. The reports prepared by the Unit are shared with the relevant business units of the Bank, contributing to the development/modification of business processes and increasing the efficiency of the Bank’s products.
To enable the Internal Audit Board to use analytical tools more effectively and efficiently, members of the Inspection Board were provided with training in this area. In this context, Inspectors were provided with training on Oracle SQL and Python applications.
In 2024, 20 Assistant Inspectors who were successful in the Assistant Inspector Entrance Examination held in December 2023 and 31 Assistant Inspectors who were successful in the Assistant Inspector Entrance Examination held in August 2024 started to work in 2024.
In 2024, the function of providing qualified human resources to the Bank was maintained by ensuring the transition of 26 inspectors to administrative duties.
In keeping with its strong sense of responsibility and awareness of its duties, the Internal Audit Board will continue to execute the internal auditing plan in line with goals and policies set forth by Ziraat Bank’s senior management, to report its findings to the Board of Directors through the Audit Committee, and to observe what action is taken on the basis of its reports.
Internal Control System
Internal control activities at Ziraat Bank are designed so as to embrace the operations of all headquarters units, all domestic and international branches and subsidiaries subject to consolidation as required by Article 9 Paragraph 3 of “Regulation on bank internal system and intrinsic capital adequacy assessment processes” which states “Internal control system is structured to include the bank’s domestic and overseas branches, business processes and information systems, subsidiaries subject to consolidation and all of their operations.”
Such activities are conducted so as to be compatible with the Bank’s primary objectives and strategies from the standpoint of their scope and methodology.
This more proactive structure helps ensure that Ziraat Bank’s operations exceed sectoral norms and that they are conducted in a manner that is compatible with both internal and external regulations as well as with the demands of competition.
Domestic branch controls are carried out locally and centrally within the framework of control programs prepared according to the conjunctural risk situation with a dynamic structure for each quarterly activity period. Control functions, which for the most part are structured so as to be technology-intensive and centralized, are intended to ensure that commonly-occurring mistakes are quickly corrected at the appropriate business-unit level.
With the Instant Control system, operational transactions, accounting records and lending operations are checked in real time. Transactions within the determined risk scenarios are audited during the day and erroneous transactions are corrected. Real-time transaction checking allows increased efficiency through preventive actions and embeds the internal control system within the Bank’s day-to-day operations instead of retrospective transaction controls.
For this purpose, EVAM scenarios developed by internal controllers are used to detect anomalies by using instant event and action management tools, and various criteria of credit appraisal reports issued for customers are checked by integrating artificial intelligence/machine learning solutions into control processes. Accordingly, it is adopted as a basic principle to avoid possible errors and omissions in recording assets and liabilities and capturing them in financial reports. These control practices prevent the use of additional costs and manpower and contribute to the development of control activities with a focus on sustainability.
As of 2024, the integration of the control of accounting/operational transactions carried out by the branches into robotic processes and the reporting in this regard by the robot have started to be implemented. As a result of the studies carried out in this context and the improvements planned to be realized in the future, the need for processes such as physical reporting and documentation maintained with real persons will be reduced, and thus branch control activities will continue to be structured on the route of economic sustainability. As robotic processes reduce the need for human resources, they will also reduce human-induced environmental impact factors, which will also be beneficial in terms of reducing the potential carbon footprint.
Within the scope of the project carried out for robotic control activities, 9 different scenarios were created. At the decision-making stage of the project, it was calculated that all branches of the Bank could be controlled in 21 days in line with the determined scenarios. During the pilot implementation of the project, 21 branches were checked in one day and 444 findings were identified as a result of the checks. In the same period, branches that were controlled with the traditional method saved 21 man/day in terms of the number of controls and the cost of reaching a finding.
Preliminary examination activities are carried out in relation to records in the nature of complaints/notifications, damaging transactions, and issues deemed risky or suspicious according to customary practices, which are identified by internal controllers or communicated to the Internal Control Department through any channel.
Analytical Control activities are carried out by internal controllers to centrally identify Bank-wide errors or systemic deficiencies. In the controls and analyses performed, scenarios are developed using database programs and various analytical tools. Some of the activities carried out in this context have also been awarded by global organizations.
Business unit control programs are prepared taking into account the units’ functions, potential risks, terms of reference, and impact on the Bank’s balance sheet. These programs are revised as needs may require. Business units are controlled by a sufficient number of internal controllers in line with these programs.
The internal control activities of the Bank’s overseas branches are carried out and monitored in accordance with the control plans prepared annually. After the reports issued for overseas branches are reviewed by the relevant internal controllers, the findings in the reports are forwarded to the relevant Head Office units according to the subject matter.
The findings of all these activities and the details of the controls performed are periodically shared with the Bank’s relevant business units and senior management.
Besides performing their internal control functions, internal control personnel also share their suggestions of ways to improve existing processes at the Bank and to mitigate the risks inherent in them. The aim of this practice is to preclude risks by spotting them in advance, to make the Bank more competitive by improving its business processes, and to increase customer satisfaction while also taking measures to cut costs.
Within the framework of Article 18 of the Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks, regulatory compliance controls are also carried out within internal control. In the course of these reviews, all operations conducted or planned by the Bank as well as new transactions and products are checked to be sure that they comply with laws and regulations, with the Bank’s own policies and rules, and with generally-accepted banking practices. During such compliance reviews, existing Bank-internal rules and proposed changes in them are also examined and views concerning them are circulated among appropriate units.
In 2024, on-site branch control activities decreased with the development of projects such as real-time (instant) control of retail and corporate loans from the center, commissioning of robotic controls, and diversification of scenario-based analytical control studies. This resulted in a reduction in greenhouse gas emissions due to the elimination of the need for flights, road vehicle use and hotel stays for business trips.
Another important project was the integration of physical reports containing the issues examined and findings identified within the scope of internal control activities at the TRNC Country Management into the internal control modules in the main banking application. As a result, consumption of paper was reduced, saving resources as well as reducing emissions. On the other hand, as a result of the project, internal controllers’ reporting and finding follow-up process has become more efficient, and the transition to identification/finding correction and process improvement activities of the controlled units has become easier.
Compliance System
Operations of the Bank to prevent the laundering of proceeds of crime, the financing of terrorism, and the proliferation of weapons of mass destruction are conducted in strict compliance with national and international regulations.
In accordance with the “Regulation on the Compliance Program on the Prevention of Laundering Proceeds of Crime,” updated in line with changes in Law No. 5549 on the Prevention of Laundering Proceeds of Crime, as the main financial institution within the Ziraat Finance Group, the Bank follows the compliance program and the Ziraat Finance Group Compliance Policy on a financial group basis together with the financial institutions operating within the country. In this regard, the Bank’s Principles of Practice and Procedures for Prevention of Laundering Proceeds of Crime and Proliferation of Terrorism and Weapons of Mass Destruction was fully updated in order to ensure that the responsibilities imposed by the relevant laws and regulations may be effectively fulfilled. Care is taken to allocate personnel and resources with due regard to the structural characteristics of the group.
With the rapid digitalization brought about by technological developments in banking processes, criminal organizations have also increased the use of technology and started to turn to more complex tools in order to use banks to finance their illegal activities. Along with its investments in innovations and new products in financial services, the Bank has developed preventive control mechanisms to ensure that the products and services it offers are not used as an instrument for illegal activities, and are structured in such a way that situations which cannot be prevented through preventive controls are detected in a timely manner, with the Bank able to take quick action in the fight against the proceeds from crime with proactive measures.
In addition to the knowledge and analytical skills of specialized personnel to better identify potential risks in the field of laundering proceeds of crime, financing terrorism and the proliferation of weapons of mass destruction, and to effectively manage and control risks, the Bank is focusing on projects to create a system that can effectively respond to the requirements of combating laundering proceeds of crime and terrorist financing, with an emphasis on the use of digital solutions based on artificial intelligence and machine learning.
In this context, the Bank will continue to focus on developing technology-based and innovative processes in the upcoming period, as well as investing in this area in order to ensure that the measures and obligations in place to combat money laundering and the financing of terrorism are more effective and faster.
Systematic improvements continue to be made in order to adapt the Bank’s customer acquisition process to the current conjuncture and to minimize the compliance risks that this process may pose.
In order to effectively combat the laundering of proceeds of crime and the financing of terrorism and the proliferation of weapons of mass destruction, all domestic and foreign financial institutions operating within Ziraat Finance Group follow an effective risk-based approach, identify and classify the risks subject to combat, and establish effective and proportionate controls based on the identified risks. New typologies developed by crime and terror groups in all countries and areas of operation are closely monitored, trend analyses are made, and resource planning is made in accordance with the risk-based approach model. In this context, projects aimed at the more efficient use of technological opportunities are rapidly implemented besides the increase in human resources. In this field, studies are carried out to provide efficiency and speed with machine learning structures.
In this context, necessary measures in the form of written policies and procedures, which are created by the Group and updated with the changes in the regulations and in these matters, are taken in order to prevent the use of the products and services provided by the Bank and the Ziraat Finance Group for the purpose of money laundering, terrorism and the proliferation of weapons of mass destruction, and controls are carried out in such a way that the Bank is not exposed to any operational risk, reputational risk or sanctions in these matters.
Checks have been put in place to eliminate the risk of sanctions by preventing the bank from entering into business relations with individuals and organizations which are included in the programs of sanctions followed by the Bank, while also ensuring that the bank does not provide any services for sanctioned activities and halting any banking service which violates the sanctions.
Within the scope of the compliance program regulation, thanks to the system developed to ensure information sharing within Ziraat Finance Group and supported by the Bank’s technology infrastructure, information continues to be shared securely within the Group within the framework of Ziraat Finance Group’s information sharing policy.
Within the framework of the coordinated strategy carried out for compliance activities, there are regular contacts not only with the domestic subsidiaries of the Bank within Ziraat Finance Group but also with overseas branches and subsidiaries. Joint studies are carried out in terms of compliance with national and international legislation and practices, especially SGA/TFO, and remote or on-site support and training are provided to the relevant branches or subsidiaries when necessary. The support provided by the Bank will continue to increase in the coming period. Ziraat Pay and Ziraat Dinamik, the subsidiaries established by the Bank, are leading the adaptation of the systematic structures required for compliance controls at the Bank, and the systematic adaptation work required for the compliance controls of the Algeria Branch is ongoing. In the process of opening the Dubai Representative Office, support was provided in the preparation of harmonization legislation.
In-house training continues to be provided in order to develop common standards on “Prevention of Laundering Proceeds of Crime and Financing of Terrorism and Weapons of Mass Destruction,” to create common processes, and to exchange information in line with the common policy goal.
In addition, training continues to be organized to raise the awareness of all personnel on the prevention of laundering proceeds of crime and financing of terrorism.
The Bank will continue to strengthen its checks by taking into account existing laws and regulations regarding the timely detection, minimization and prevention of compliance risks within the Group.
With their expert staff and analytical infrastructure, the compliance units of Ziraat Bank, as the main financial institution, and of the financial institutions operating within the Ziraat Finance Group continued to closely follow new trends and best practices in the field of SGA/TFP, as in past years. They will continue their activities with a risk-based approach aimed at maximizing efficiency and effectiveness by achieving the maximum use of technological opportunities.
Risk Management System
Ziraat Bank’s risk management activities are conducted in accordance with the “Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks” and other pertinent regulations, as well as BRSA Good Practice Guidelines, with the aim of cultivating a risk culture throughout the Bank and bringing the risk management function closer to best practices by continuously improving the system and human resources. The activities carried out within the framework of the risk management system include credit risk, market risk, operational risk, balance sheet risks (interest rate risk arising from banking book and liquidity risk), internal rating-based modeling and validation. In addition, the Bank’s overseas branches and subsidiaries comply with local regulations on risk management and monitor their risk management ratios. Care is taken to ensure that the work on each risk type is carried out in coordination with, and with the contributions of, the units in the line of activity to which it is related.
Within the framework of credit risk management activities, work is carried out to define, measure, monitor and report credit risk using methods in line with Basel III. Credit risk limits approved by the Board of Directors are monitored, and scenario analysis and stress tests are performed by applying various shocks to credit risk factors. Counterparty Credit Risk measurements are performed for counterparty risk.
In addition, the models created with the Internal Ratings Based (IRB) approach and the validation studies and model outputs of these models are used in TFRS-9 calculations, allocation and pricing processes.
Within the scope of market risk management activities, risk identification, measurement, analysis, monitoring and reporting activities are carried out and the analysis is supported by stress testing. Risk measurements are performed through internally reported value-at-risk measurement methods as well as legal calculations to be included in the capital adequacy ratio. Value-at-risk results are monitored through back test analysis. The amounts subject to market risk are periodically monitored against limits approved by the Board of Directors, and the internal limits are shared with the Bank’s Senior Management.
Within the scope of operational risk management activities, operational risks are defined, classified, measured and analyzed, and operational risk signal and limit values approved by the Board of Directors are periodically monitored. The amount subject to operational risk is calculated using the Basic Indicator Method in accordance with the Regulation on Measurement and Assessment of Banks’ Capital Adequacy. The Bank’s operational risk loss database, which is integrated with the Bank and is compatible with the accounting system, was established in line with a classification covering the loss event type and activity lines of the Basel Banking Supervision and Audit Committee, and includes data obtained from overseas and domestic branches and subsidiaries. Effective methods are applied to monitor the company’s operational risk outlook. In addition, a self-assessment study covering the Bank’s organization is conducted, risks arising from information technologies and the actions taken are monitored in coordination with the relevant units, and risk assessments are made for the organizations from which support services are received. Reputation risk studies are also carried out within the scope of operational risk, and the resulting analyses are reported.
Within the scope of balance sheet risks, the Bank carries out definition, measurement, analysis, monitoring and reporting activities regarding liquidity risk and interest rate risk arising from banking book. The consolidated and unconsolidated Liquidity Coverage Ratio and Net Stable Funding Ratio and Interest Rate Risk Ratio Arising from Unconsolidated Banking Book are reported periodically to the BRSA. In addition, the interest rate risk signal and limit values approved by the Board of Directors for liquidity and interest rate risk arising from banking book are monitored periodically.
In addition to the stress test analyses that are subject to periodic internal reports, Stress Test and ICAAP Reports are prepared for submission to the BRSA as of the end of each year, and the Bank’s internal capital and liquidity adequacy level is analyzed.
Activities are carried out by the validation unit in order to evaluate the accuracy, consistency and adequacy of the rating models and other measurement methodologies used internally in order to accurately measure and manage the risks to which the Bank is exposed, the stability of the risk models and the output (risk estimates, ratings) performances and to report the results to the Senior Management at regular intervals. In this way, it is aimed to carry out validation studies of the internal models used in decision-making processes so that necessary actions can be taken as a result of the findings and to ensure full compliance with legal requirements.
The results of the analysis carried out within the scope of risk management activities and risk indicators are submitted to the Audit Committee and the Board of Directors at six-month intervals, to the Audit Committee on a monthly basis and to the Senior Management on a monthly, weekly or daily basis.
In the new operating period, the Bank will continue to carry out activities for all risk types based on internationally recognized advanced risk management techniques and to carry out these activities as an integral part of the Bank’s strategic decision-making processes.
Internal Audit Board
In line with our Bank’s Sustainability Policy, our activities that create added value with the principle of banking that respects people and the environment are listed below.
Within the scope of the Sustainable Banking Process Audit, which was included in the audit plan in 2024 by the Internal Audit Board in order to evaluate the work carried out by our Bank within the framework of the concept of sustainability, which has been one of the main agenda items of both governments and institutions in recent years, the following were examined: sustainability performance criteria (Key Performance Indicators, KPIs) in line with syndicated loan requirements; our Bank’s environmental loan products within the scope of sustainability; the Draft Communiqué on Green Asset Ratios published by the BRSA on 01.10.2023; the Draft Communiqué on Green Asset Ratios published by the BRSA on 01.01.2023; the legislation published by the Public Oversight Authority on sustainability in the financial sector; and the Bank’s overall level of compliance with the strategies and policies of national and international authorities in the field of sustainable banking. In addition, within the scope of the audit, the integrated annual reports published since 2019, which include the Bank’s sustainability policies on an annual basis, and the general strategies and policies of national and international authorities in the field of sustainable banking were also examined.
Within the scope of the supervision model implemented by the Board, all branch reports were issued through the system, thus eliminating the need to send physical documents/reports. In addition to branch audits, audit reports for all Head Office Units were prepared and monitored through the system.
In addition, with the e-signature and virtual archive application in use, all audit and inspection/investigation reports are digitally archived on the main banking software without the need for a physical document archive.
The transfer of audit and investigation reports to the system and the virtual archive application resulted in a saving of 32,000 sheets of A4.
Operation of Information Security Management
Ziraat Finance Group operates an information security management system in compliance with information security policies established in line with national regulations, international standards and sectoral best practices. This policy effectively guides information security processes by providing a framework in line with the Bank’s strategic goals. Ensuring information security throughout the Bank is realized by working in harmony with business units. Our information security objectives are integrated with our business objectives. Information security management ensures that the Bank’s operations continue uninterruptedly by exhibiting a dynamic structure that includes continuous monitoring, evaluation and improvement processes.
Awareness programs are conducted for the Bank’s employees in order to minimize risks. At the same time, the necessary procedures for the protection and use of information are prepared, and it is ensured that all our employees act in accordance with these rules.
Information Security Management at our Bank includes a comprehensive set of policies, processes and technologies to protect information assets. Our Bank classifies its information assets according to confidentiality, integrity and accessibility criteria and determines appropriate protection methods for each asset. Threats and vulnerabilities against the Bank’s information assets are analyzed, and control mechanisms are developed to minimize risks as a result of these analyses. Information security requirements are analyzed in critical projects and system changes. In this process, we work in cooperation with all teams involved in projects to identify and mitigate information security risks.
Regular penetration tests are conducted by independent third-party companies, and action plans are prepared based on the findings of these tests. These action plans are reported to the Banking Regulation and Supervision Agency (BRSA) on time, and information security processes are continuously reviewed and improved. Improvement actions are taken to reduce the impact of the risks identified for our Bank’s information assets, and the success of these actions is then evaluated. At the end of the improvement process, an analysis is carried out again to reduce the risks to acceptable levels. Comprehensive controls are implemented to limit the impact of threats and vulnerabilities to the Bank’s information assets or to reduce the probability of their occurrence. These controls reduce the risks to information assets in line with the principles of confidentiality, integrity and accessibility, while ensuring that activities are carried out in accordance with legislation and standards.
Necessary measures are taken to minimize the impact of information security incidents, and processes are regularly monitored and improved. Monitoring and reporting information security breaches is among our priorities, and there is a continuous monitoring mechanism on information systems to prevent possible breaches. In case of cyber-attacks or data breaches, our incident management processes aim to provide rapid response and effective solutions. The Cyber Security Center, which is active 24/7 in our Bank, keeps the security of our Bank at the highest level by constantly monitoring and analyzing our information systems against possible cyber threats. Thanks to real-time threat detection and response, data breaches are prevented and operational interruptions are avoided.
Effective authentication and access management policies are implemented in our Bank’s information systems in accordance with the principles of separation of duties and minimum authorization. Access to critical systems and data is restricted to authorized persons, and unauthorized access risks are mitigated through methods such as multi-factor authentication and role-based access management. Unauthorized access risks are minimized by ensuring that our employees only have access authorizations appropriate to their business needs.
All necessary measures are taken to protect the integrity of transactions, records and data realized in banking services and information systems. Advanced technologies such as firewalls and intrusion detection systems are used effectively against threats from both the Bank’s network and external networks, and data loss is prevented and data integrity is ensured through regular backup processes. In order to ensure information security at our Bank, the SIEM (Security Information and Event Management) system is used to collect detailed trace records from all our information systems, and these records are analyzed with advanced analysis techniques. This enables early detection of potential security threats and anomalous activities and allows our Bank to respond quickly and effectively to cyber security incidents.