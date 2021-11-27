
Table of Contents

PART I - PRELIMINARY
  Title
  Application
  Interpretation
PART II - OBJECTIVES AND RELEVANT REQUIREMENTS
  Objectives and Key Requirements
PART III - SOUND RISK MANAGEMENT STANDARDS
  The Role of the Board
  Risk Management Framework
  Risk Management Strategy
  Risk Appetite
  Strategic Plan
  Policies and Procedures
  Risk Culture and Organisational Accountability for Risk
  Risk Management Oversight Function
  Review of the Risk Management Framework
  Risk Management Declaration
  Notification Requirements
  Exemptions
  Additional Directives
Annexure A - RISK MANAGEMENT DECLARATION REQUIREMENTS

PART I - PRELIMINARY

Title

1. This Directive may be cited as the Risk Management Directive, 2021.

Application

2. This Directive is issued pursuant to Section 92(1) of the Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930) and shall apply to Banks, Savings and Loans Companies, Finance Houses and Financial Holding Companies (FHC) licensed or registered under Act 930. Where a Regulated Financial Institution (RFI) is the 'Parent of a Group', it shall comply with this Directive: in its capacity as an RFI; on a group basis by ensuring that the directive is applied to each entity in the group (including those entities within the group which are not regulated by the BoG).

Interpretation

3. In this Directive, unless the context otherwise requires,

"Act 930" means the Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930).

"BoG" means the Bank of Ghana.

"Board" means the Board of Directors of a Regulated Financial Institution.

"Host Supervisor" means a supervisory authority in a country in which a subsidiary of a foreign parent bank licensee is incorporated.

"Material Risks" means risks that could have a material impact, both financial and non-financial, on the institution and its subsidiaries or on the interests of depositors and other stakeholders.

"Regulated Financial Institution (RFI)" means a bank, savings and loans company, finance house and financial holding company regulated under Act 930.

"Risk Appetite" means the aggregate level and types of risk an RFI is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and plan.

"Risk Appetite Framework (RAF)" means the overall approach, including policies, processes, controls and systems, through which the approved risk appetite is established, communicated and monitored. It includes a risk appetite statement, risk limits and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the RFI as well as to its reputation vis-à-vis depositors and other stakeholders. The RAF aligns with the RFI's strategy.

"Risk Appetite Statement (RAS)" means the written articulation of the aggregate level and types of risk that an RFI will accept, or avoid, in order to achieve its strategic objectives. It includes quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It shall also include qualitative statements to address reputation and conduct risks as well as money laundering and unethical practices.

"Risk Capacity" means the maximum amount of risk an RFI is able to assume given its capital base, risk management and control capabilities as well as its regulatory constraints.

"Risk Culture" means an RFI's norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks. Risk culture influences the decisions of management and employees during the day-to-day activities and has an impact on the risks they assume.

"Risk Governance Framework" means the framework through which the Board and senior management establish and make decisions about the RFI's strategy and risk approach; articulate and monitor adherence to risk appetite and risk limits vis-à-vis the RFI's strategy; and identify, measure, manage and control risks.

"Risk Limits" means specific quantitative measures or limits based on, for example, forward-looking assumptions that allocate the RFI's aggregate risk to business lines, legal entities as relevant, specific risk categories, concentrations and, as appropriate, other measures.

"Risk Management" means the processes established to ensure that all material risks and associated risk concentrations are identified, measured, evaluated, controlled, mitigated and reported on a timely and comprehensive basis.

"Risk Management Framework" means the totality of systems, structures, policies, processes and people within an institution that identify, measure, evaluate, control or mitigate, monitor and report all internal and external sources of material risk.

"Risk Management Oversight Function" means a key component of the bank's second line of defence in the three lines of defence model. This function is responsible for overseeing risk-taking activities across the RFI and should have authority within the organisation to do so.

"Risk Management Strategy" means the strategy for managing risk and the basis on which the Board will evaluate the success of its RMF and its approach.

"Risk Profile" means a point-in-time assessment of an RFI's gross risk exposures (i.e. before the application of any mitigants) or, as appropriate, net risk exposures (i.e. after taking into account mitigants) aggregated within and across each relevant risk category based on current or forward-looking assumptions.

"Risk Tolerance" means the maximum level of risk that the institution is willing to operate within, which is expressed as a risk limit based on its risk appetite, risk profile and capital strength.

"Risk Universe" means the set of material risks or risk categories the Board of an RFI has identified in its business activities, which must be managed efficiently to generate sustainable profitable returns.

"Senior Management" means members of the Executive Management Committee (EXCO) of an RFI and any other Key Management Personnel as may be determined by the Regulated Financial Institution.

"Three Lines of Defence Model" means an organisational model of risk management in which the business lines that take risk form the first line of defence; the risk management and compliance oversight functions are the second line of defence; and independent internal audit and assurance form the third line of defence.

