Internal Control System

Risk Function

Bison Bank’s Risk Control System seeks to identify, measure, monitor, evaluate and manage all risks of the Bank. Bison Bank recognises that risk management forms a key pillar in ensuring the Bank’s stability and sustainability, and the Board of Directors (BoD) takes a conservative approach to risk management.

In this context, it is highlighted the importance of adequate monitoring and control of the risks intrinsic to the activity of the Bank either financial or non-financial, including risks in the areas of credit, real estate, market, liquidity, interest rate, concentration, and also operational, business and strategy, reputational, etc.

Risk management is conducted in accordance with strategies and policies defined by the BoD and by the Board Member responsible for risk management.

The Bank’s organisational culture favours an approach in which all staff is responsible for managing risks, pertaining to the specific scope of their functions as well as their regulatory, ethical and professional duties. Thus, the risk control system is fully embedded in the Institution’s’ organisational culture.

Bison Bank’s has in place an Internal Control System (ICS) that enables the Bank to adequately manage the risks arising from its business, considering the risk profile, risk appetite and risk tolerance. The high-level principles for risk management are implemented through policies, limits, operational guidelines as well as methodologies and tools for risk identification and monitoring. All together these forms the Bank’s risk management framework.

Bison Bank’s internal control system features comprehensive and integrated policies and procedures, which are both quantitative and qualitative in nature. They are designed broadly to ensure measurement/control of risks, independent reporting with responsible behaviour, as well as the respect for the adherence to regulatory, legal and prudential guidelines.

The Bank ensures its management with sound and strong risk control. To this end, the Bank established regular review (periodic reviews of its risk management policies and procedures, in order to reflect changes in regulations, markets, products and best practices) and monitoring procedures for its activities as well as prudent risk exposure.

The BoD is responsible for the definition of such policies with the support of the risk department in carrying out risk monitoring. The department monitors the most significant risks and, whenever necessary, proposes new policies and/or corrective measures to ensure that risks are prevented and mitigated.

Compliance Function

The Bank has a Compliance Function, which is characterized by being an independent, permanent and consultative function whose mission is to promote compliance with legal, regulatory, operational, ethical and conduct obligations and duties that, at each moment, are applicable to credit institutions, as well as their corporate bodies, directors and employees, within the framework of the institutional control and supervision environment defined by the competent regulatory entities and the legal regulations to which it is subject.

This function is performed by the Compliance Department (COD), which is an autonomous organic unit, which reports hierarchically to the Executive Committee through its Executive Director.

In addition, it maintains a permanent communication line with the Supervisory Board and the Risk and Compliance Committee, namely through bimonthly meetings with the objective of ensuring an adequate dissemination of information and discussion of relevant topics in the exercise of the Compliance Function activity.

The Head of COD is responsible for the Compliance control function, coordinating the following internal procedures:

• Prevention, detection and reporting of financial crimes;
• Coordination of the Bank’s internal control system;
• Conflict of Interest and Related Parties Management;
• Compliance with the Code of Conduct;
• Analysis of new legislation and regulations, assessment of its impacts and promotion of compliance;
• Analysis of situations and signs of violation or risk of non-compliance with legal obligations;
• Complaints management and handling;
• Compliance with the general data protection regulation;
• Responsible for the compliance of the norms.

In order to achieve its objectives, COD operates independently from the Board of Directors and the other Organic Units, and it cannot be prohibited from accessing information relevant to the proper performance of its duties.

The Compliance Function is a governance function responsible to:

• Promote an ethics-based culture: the role of Compliance is to assist management to promote a corporate culture based on ethics;
• Deliver compliance solutions: Compliance is accountable to bring expertise to the management and maintenance of policies, practical guidance, training, controls and processes relating to compliance risks;
• Provide assurance: the role of Compliance, as part of the second line of defense, encompasses the impact assessment of the legal developments as well as the assurance that compliance risks within the scope of the function are appropriately identified, evaluated and managed.

The ecosystem based on Compliance Risk Universe sets a clear vision of the scope of the Compliance function and increase the robustness of the internal control system.

Internal Audit

The Internal Audit functions are one of the three Control Functions with the mission to support the Board of Directors in the attainment of its objectives, by independently assessing and overseeing systems, controls and internal governance, using a systematic and disciplined approach, contributing to add value and improve the management of the Bank. The developed jobs is based on the Annual Audit Plan approved by the Board of Directors, where general guidelines for the development of the function’s work are established. Anytime, the Internal Audit Department has the autonomy to develop any type of job considered necessary.

The audit jobs carried out results in Audit Reports sent to the Board of Directors and the Supervisory Board for information purposes and knowledge. The Internal Points of Control identified in these Audit Reports are connected with mitigation measures that, when implemented, strengthen the general internal control environment and reducing the Institution’s risk profile.

The Internal Audit Department works in a coordinated way with the Risk Department and the Compliance Department in strengthening the Institution’s Internal Control environment with compliance with observance of the regulatory framework.

The main duties of the function are the following:

• Carry out, in a systematic manner and in accordance with the approved plan, audit actions in order to assess the design and effectiveness of risk management processes, namely, if: (i) the organizational objectives support and are aligned with the Institution’s mission; (ii) the most relevant and significant risks are properly identified and correctly assessed; (iii) appropriate responses to the identified risks are selected and implemented, which align (or seek to align) the Institution’s risk profile with the respective risk appetite, defined by the Top Management; and (iv) the relevant risk information is properly captured and compiled and is communicated in a reliable and timely manner through the organization, in order to allow an adequate and timely response by the Top Management;
• Avaliar o grau de confiança, integridade e fiabilidade da informação financeira, operacional, de risco e sistemas de informação;
• Assess the degree of confidence, integrity and reliability of financial, operational, information systems and risk information;
• Assess the degree of compliance with the rules in force, namely those that have the greatest impact on the organization.