RISK MANAGEMENT DEPARTMENT
KKB Anadolu Data Center has received the ISO 14001 Environmental Management System certificate.
The Risk Management Department assesses risks and opportunities that should be managed taking the mission and strategic objectives of KKB into account.
Shaping its activities according to superior quality standards, KKB manages strategic, operational, financial, and reputational risks in light of international corporate risk management standards (e.g. COSO ERM, ISO 31000 Risk Management). The Risk Management Department operates directly under the General Manager and reports to the Audit Committee.
The Unit works to assess risks and opportunities that should be managed in line with KKB’s founding mission and strategic objectives, while supporting the provision of products and services in the most efficient, effective, and controlled manner possible. Alongside strategic planning/target-setting and risk management activities, risk assessment is performed in accordance with the Information Security Management System (ISO 27001), Business Continuity Management System (ISO 22301), and Service Management System (ISO 20000) standards. These assessments were conducted separately for processes, services, and assets, so that KKB’s critical services, as well as the processes and assets enabling the provision of those services, were subjected to risk assessments based on different methods and perspectives in order to identify all possible risks. In 2020, the Risk Management Department also performed risk assessments prior to contract execution with critical third parties providing services to, or entering into a business partnership with, the organization. The potential impacts on KKB of activities already underway were also evaluated; the relevant third parties were visited and on-site activities were conducted. These efforts helped mitigate all external risks, including the risk arising from support services.
Holding ISO 27001, ISO 22301, and ISO 20000 certificates, KKB targeted the best practices in risk management and improved its maturity in 2020, passing all inspections successfully and renewing these certifications. Additionally, KKB established and commissioned the Environmental Management System in the Anadolu Data Center and was entitled to the ISO 14001 Environmental Management System certificate after the audits. Furthermore, the practice initiated in 2018 was repeated. After the independent audit at KKB Anadolu Data Center, the Service Assurance Report drafted in accordance with the ISAE3402 reporting standard was shared with customers. The report assured customers while helping mitigate audit efforts.
The department also made significant progress in the technological and structural development of crisis management, risk management, information security, strategic planning, and process management. In October, the business continuity and disaster recovery tests were performed successfully, in a more comprehensive manner than in previous years. As for crisis management, crisis simulations were developed with the participation of senior management for better preparedness against current threats. KKB’s crisis preparedness was assessed and potential improvement areas were identified. The benefit of the crisis simulations was especially evident during the COVID-19 pandemic in 2020. The crisis was managed by the Risk Management Department with the aim of minimizing the pandemic’s impact on the institution.
The IT and business processes related to all KKB activities are established and carried out under the COBIT framework, the ISO 27001, ISO 22301, and ISO 20000 standards, and the “Communiqué on the Principles Applicable to the Management of Information Systems of Information Exchange, Clearing and Settlement Entities and on the Audit of Business Processes and Information Systems,” issued by BRSA in 2013. As part of Corporate Process Management, all corporate processes have been aligned with current operations; the impact of changes in processes has been analyzed, and these changes have been disseminated more effectively. Standards were defined for processes, and efforts were initiated in August 2019 to identify and improve efficiencies in processes. As a result, Key Performance Indicators (KPIs) were determined and made available to process owners. Process automation opportunities were also evaluated; consequently, studies for Robotic Process Automation (RPA), one of the initial steps towards full automation, have been initiated and an implementation plan has been prepared for the coming period.
In order to bring its information security infrastructure and processes up to the level of the best-performing companies in this field, KKB continued to invest in information security and improve its cybersecurity detection capabilities in 2020. The transition to the new security incident management tool was completed in 2020. In addition, the big data analytics platform has enabled more effective detection and analysis of information security incidents. In line with its human-focused information security approach, KKB continued information security awareness efforts related to current events and global threats at full speed in 2020, and the five employees with the highest information security awareness index were awarded gift cheques. KKB also continued to host security managers in 2020 to enhance cooperation in information security across the banking sector.
Risk Management also assumes responsibility for operating the Business Continuity Management System to provide the continuity of services KKB offers to its customers. In 2020, it continued working to reduce the risks of potential crises and maintain KKB’s crisis readiness with business impact analyses and emergency drills.
KKB’s risk management policy includes the following activities:
- Defining KKB’s primary business goals,
- Identifying threats that may hinder KKB from achieving its goals,
- Identifying risks that may give rise to such threats and ascertaining the potential impact and likelihood of such risks,
- Implementing risk management and controls as necessary to reduce risks to levels determined by senior management,
- Establishing the coordination and communication network necessary for risk management within KKB,
- Proactively assessing new risks that may emerge in credit recording and information technology systems, and developing recommendations on the mitigation of potential risks,
- Providing KKB executives with training programs on risk management on a regular basis and raising employee awareness,
- Determining and regularly reviewing key risk indicators to measure and monitor existing risks.
This policy is supported with written procedures and job definitions; the first-level controls of risks identified by business units in the course of daily activities; and the periodic evaluation of the operating results of risk management by senior management.