CFSL Integrated Report 2025
RISK MANAGEMENT
Operational Risks
Failures and resulting losses from inadequate internal processes, systems, or external events.
Risk Response/Mitigation Measures
Three Lines Model: Clear accountability and risk ownership are embedded through the adoption of the three lines model.
Risk Control Self-Assessment (RCSA): Regular updates of risks and controls are conducted using the RCSA methodology to ensure relevance and effectiveness.
Control Optimisation: Continuous enhancement of controls and mitigation strategies aligned with the Group’s risk appetite and defined thresholds.
Business Process Resilience: Implementation of resilient processes to ensure operational continuity during disruptions.
Business Continuity Culture: Promotion of a resilience-focused culture through staff awareness and engagement in Business Continuity Management (BCM) practices.
Crisis Preparedness: Regular crisis management and tabletop simulation exercises are conducted to test readiness and derive actionable improvements.
Policy and Procedure Reviews: Periodic reviews of non-financial risk policies and procedures to align with evolving business needs and external conditions.
Incident Management and Oversight: Timely incident reporting and independent monitoring by the Risk Management team.
Governance and Reporting: Regular reporting to the Operational Risk Forum (ORF) and the Risk Management Committee (RMC).
Compliance Risk
The risk of legal or regulatory sanctions, financial loss, or reputational damage the Group may face due to its failure to comply with applicable laws, regulations, rules, internal policies, and standards of good practice.
Risk Response/Mitigation Measures
Independent Compliance Function: A dedicated team ensures adherence to regulatory requirements and internal policies.
Regulatory Change Management: Ongoing tracking and assessment of regulatory developments to ensure timely compliance.
Policy Governance: Periodic reviews and updates of internal policies and procedures to reflect evolving legal and regulatory standards.
Training & Awareness: Regular training programmes to promote a strong compliance culture and ensure staff are well-informed of their obligations.
AML/CFT Risk Assessments: Comprehensive anti-money laundering and counter-financing of terrorism assessments to identify and mitigate exposure.
Data Privacy & Third-Party Risk Controls: Safeguards in place to manage data protection obligations and monitor third-party compliance.