SBERBANK OF RUSSIA. Risk and Capital Strategy of Sberbank Group

Transcription

1 SBERBANK OF RUSSIA APPROVED BY Resolution of the Supervisory Board of Sberbank Minutes No. 41 dated September 16, 2015 Risk and Capital Strategy of Sberbank Group Moscow 2015

2 Content 1. General Provisions 4 2. Goals and Objectives 4 3. Classification of Objects of Risk and Capital Adequacy Management 5 4. General Principles 6 5. Powers and Responsibility of Management Bodies and Units in Charge of Risk and Capital Adequacy Management 8 6. Organization of the Risk and Capital Adequacy Management Process 12 ANNEX 1. Terms and Definitions 16 ANNEX 2. Abbreviations 18 ANNEX 3. References 19 ANNEX 4. Composition of Risk Reports for the Supervisory Board 20 ANNEX 5. Basic Requirements for Stress Testing Scenarios 21 2

3 IRD Specification 1 Name of the document Risk and Capital Strategy Sberbank Group 2 Member of the Group to which the document is applicable Sberbank Group 3 IRD group First 4 Type of risks All risks 5 Risk cluster All risk clusters 6 Risk management process steps regulated by the IRD 7 Upper-level IRDs All steps None 8 IRDs setting subordinate processes and methods Integrated Risk Management Regulation of Group OJSC Sberbank of Russia No dated

4 1. General Provisions 1.1. The Risk and Capital Strategy of Sberbank Group (hereinafter the Strategy ) stipulates the basic principles according to which Sberbank and the members of the Group 1,2 form the risk and capital adequacy management system The Strategy was developed in compliance with the requirements of the Bank of Russia and regulations of the Russian Federation /1, 2, 3, 4/, with account of the recommendations of the Basel Committee on Banking Supervision (BCBS) /5, 6/ and the European Community /7, 8/ The risk and capital adequacy management system is part of the general management system of the Group and aims to ensure stable development of the Bank and the members of the Group within the implementation of the development strategy approved by the Bank's Supervisory Board This Strategy is applicable to the Group as a whole, the Bank, and the members of the Group which are under the Bank's direct or indirect control 3, can be significantly influenced by the Bank 4, and which are subject to the requirements 5 for risk and capital adequacy management. A deviation from the requirements set herein is allowable for the members of the Group outside the jurisdiction of the Russian Federation if they contravene the requirements of the local legislation The provisions hereof are the basis for the arrangement of work aimed to manage risks and capital adequacy in the Group, the Bank, and the members of the Group, including development other internal regulations of the Bank and the members of the Group. 2. Goals and Objectives 2.1. The goal of risk and capital adequacy management is to Ensure/maintain the acceptable risk exposure within the risk appetite 6 ; Ensure capital adequacy to cover material risks; Comply with the requirements of the state bodies of the Russian Federation regulating the activity of the Group as a whole and of particular members of the Group, and the requirements of the state bodies of the countries of presence of members of the Group The objectives of the risk and capital adequacy management system are to: Identify, assess, aggregate material 7 risks of the Group and control their level; 1 This Strategy defines the members of the Group as all organizations within the Group, other than the Bank. 2 The term Group is used in this Strategy for the purpose of managing risks and capital of Sberbank Group and may differ from the definition of Group used for any other purposes, including for forming a list of organizations whose reporting is included into the consolidated financial and/or accounting statements of the Bank. 3 The criteria of whether the Bank exercises direct or indirect control over other organizations are stipulated by the International Financial Reporting Standard (IFRS) 10 Consolidated Financial Statements. 4 The criteria of whether the Bank can significantly influence other organizations are stipulated by International Financial Reporting Standard (IAS) 28 Investments in Associate and Joint Ventures. 5 The risk and capital management requirements may be regulatory or internal, established by the Bank for a member of the Group. 6 The term risk appetite coincides with risk tolerance in Bank of Russia Regulation No U dd On Requirements for the Risk and Capital Management System of a Credit Institution and Banking Group. 7 The term material risk coincides with the term significant risk in Bank of Russia Regulation No U dd On Requirements for the Risk and Capital Management System of a Credit Institution and Banking Group, as well as takes into account the need to recognize non-capitalized risks as material (liquidity risks and other risks assessed through expert review). 4

5 Ensure efficient resource distribution in order to optimize the risk/return ratio of the Group; Assess capital adequacy to cover material risks; Plan capital based on the results of the comprehensive assessment of material risks, tests of the Group stability against internal and external risk factors, business development strategy targets, requirements of the Bank of Russia for capital adequacy; Ensure uniform understanding of risks at the level of the Group and strategic planning with regard to the level of accepted risk. 3. Classification of Objects of Risk and Capital Adequacy Management 3.1. Risk is defined as an inherent in the business of the Bank / Group possibility (probability) to bear losses and/or deterioration of liquidity and/or other adverse effect due to internal factors (complexity of the organizational structure, employees skills level, organizational changes, employee turnover, etc.) and/or external factors (changes in economic conditions of the Group activity, applied technologies, etc.) Material risks risks whose materialization entail material impact on the consolidated financial result of the Group, and/or available capital of the Group, and/or liquidity of the Group, and/or reputation of the Group, or the capability to comply with the requirements of the regulators in the Russian Federation and in the countries of presence of the members of the Group. It is necessary to form a risk management systems for the risks recognized as material Risk appetite is a system of metrics characterizing the maximum risk exposure that the Group as a whole, the Bank, and the members of the Group are ready to accept in the process of value creation, achievement of the established goals, including the target return, implementation of strategic initiatives, and fulfillment of their mission Risk management comprises measures taken by the Bank and the members of the Group that are aimed to change the risk (change risk factors, risk exposure, consequences of risk factors) incurred by the Group, the Bank, and/or particular members of the Group. Risk management may not always cause expected results of risk change The internal capital adequacy assessment procedures (hereinafter the ICAAP ) are procedures of assessment by the Group, the Bank, and/or a member of the Group of the adequacy of available capital, i.e. capital to cover accepted and potential risks. ICAAP also comprise the procedures for capital planning based on the approved development strategy, business growth targets and results of the comprehensive current risk assessment, stress testing of the stability against internal and external risk factors Available financial resources are capital at the disposal of the Group, the Bank, and/or a member of the Group, available to cover accepted and potential risks, that is assessed with the internal models of the Group / the Bank / a member of the Group Economic capital is the amount of capital of the Group / the Bank / a member of the Group required to cover all types of capitalized risks accepted by the Group / the Bank / a member of the Group in the course of their activity that are assessed with the internal models of the Group / the Bank / a member of the Group Regulatory capital is the amount of capital of the Group / the Bank / a member of the Group required to cover risks accepted in the course of the activity that shall be assessed according to the method established by the regulator. 5

6 3.9. Capital adequacy means adequacy of available capital to cover the overall amount of accepted and potential risks. Capital adequacy ratio is calculated as a ratio of available capital to the overall amount of accepted and potential risks. 4. General Principles 4.1. Risk Awareness A decision to conduct any transaction shall be made only upon a comprehensive analysis of risks arising as a result of such transaction. All transactions shall be carried out in compliance with the internal regulations and/or organizational and administrative documents. No new transactions exposed to material risks are allowed if there are no internal regulations, organizational and administrative documents, or relevant decisions of collegial bodies regulating the respective procedure Risk adjusted performance management The Group evaluates the adequacy of available capital to cover accepted and potential risks by implementing the internal capital adequacy assessment procedures (ICAAP). When making decisions on business development (forming the development strategy), the Group relies on the ICAAP results as a basis for evaluation of the capital amount needed to cover material and potential risks. The Group selects top-priority areas of development and capital allocation using the analysis of risk-adjusted performance of particular units and business areas Involvement of Top Management The Supervisory Board, the President, the Chairman of the Management Board, the Management Board, and other executive bodies of the Bank, as well as supervisory boards and executive bodies of the members of the Group receive information about the level of risks accepted and facts of violation of the established risk management procedures, limits and restrictions on a regular basis Risk Limits The Group applies the system of limits and restrictions in order to ensure the acceptable risk exposure risk appetite of the Group. The system of limits of the Group has a multi-level structure: general limits for the Group established based on risk appetite defined according to this Strategy; limits on all types of risks material for the Group; limits for the Bank and the members of the Group, structural units of the Bank and the members of the Group responsible for accepting risks material for the Group; limits on the volume of transactions with one counterparty, group of connected counterparties, on the volume of transactions with financial instruments, etc.; as well as other risk limits necessary to efficiently restrict material risks Division of Functions, Powers and Responsibility The organizational structure is formed considering the requirements for absence of conflict of interests and ensures the division of functions and powers of collective bodies, units and responsible employees in risk taking and risk management. 6

7 The risk management in the Group is organized in compliance with the 3 lines of defense principle: Risk taking (1 st line of defense). Units taking risks shall strive to achieve the optimum return and risk ratio, follow the established targets for development and for return and risk ratio, monitor decisions on risk taking, take account of clients' risk profiles and recommendations of the risk management units when conducting transactions / deals, implement efficient business processes, participate in the risk identification and materiality assessment processes, comply with the requirements of the internal regulations, including in a part of risk management. Risk management (2 nd line of defense). Units responsible for risk management shall develop risk management standards, organize the risk management process, stipulate principles, limits and restrictions, monitor risk exposure and prepare reporting, check the conformance of risk exposure to the established limits, including to risk appetite, consult on risk management issues, develop risk evaluation models, perform risk identification and materiality assessment, calculate the aggregate risk exposure. Audit of the risk management system (3 rd line of defense). The internal audit unit evaluates the efficiency of the risk management system and notifies the Supervisory Board, executive management bodies of defects detected in the operation of the risk management system and of the measures taken to eliminate them Centralized and Decentralized Approaches The Group applies the combination of centralized and decentralized approaches to risk and capital adequacy management in order to enhance the efficiency. The Bank's competent bodies manage risks and capital adequacy of the Bank and the Group as a whole, as well as set the requirements for the organization of the risk and capital adequacy management system at the level of a particular member of the Group (including the structure of limits and restrictions, methods applied, and other aspects). The members of the Group manage risks and capital adequacy at the local level within the established limits and powers and develop internal regulations within the standards of the Group, considering local specifics. Decentralization of functions enables to promptly respond to changes in the level of particular types of risks and risk exposure in the members of the Group Use of Information Technologies Risk and capital adequacy management is based on using advanced information technologies enabling to enhance the quality and promptness of decision-making Improvement of Methods Risk and capital adequacy management methods continuously progress; procedures, technologies and information systems evolve with account of strategic tasks assigned, changes in the external environment, innovations in the international practice Risk Culture To ensure the stable and efficient functioning of the entire risk management system, the Group takes actions to develop risk culture whose main tasks are: acquisition of knowledge and skills by employees of the Bank and the members of the Group in the sphere of risk management through regular trainings; correct use of risk management tools by executives and employees in the day-today activity; 7

8 development of employees' skills to correctly and timely use risk management tools; open and active communication within the Group regarding the risk culture values and principles Remuneration System The remuneration system of the Group ensures the conformance of employees' remuneration to the type and scale of performed operations, results of work, level and combination of risks taken Information Disclosure All risk and capital adequacy management information needed according to the regulators' requirements shall be disclosed. Content of such information and frequency of its disclosure are subject to the regulators' requirements. 5. Powers and Responsibility of Management Bodies and Units in Charge of Risk and Capital Adequacy Management 5.1. Risk Management Service of the Bank The Risk Management Service of the Bank is a complex of the Bank's units in charge of risk management, namely these are units of the Risks Block responsible for risk management on a consolidated basis, and specialized units ensuring management of risk clusters according to the distribution of risk management responsibilities set out in Paragraph 5.2. In its work, the Bank's Risk Management Service is governed by the effective legislation of the Russian Federation, regulations of the Bank of Russia, the Bank's Charter, this Strategy, resolutions of the Bank's management bodies, and other internal regulations and organizational and administrative documents of the Bank. The Bank s Risk Management Service takes into consideration the regulatory requirements of members of the Group counties of presence for the purposes of Group wide integrated risk management. The Bank's Risk Management Service performs its functions specified in Paragraphs and on a continuous basis. The Bank's Risk Management Service is managed by the Head of the Block Risks who reports to the Deputy Chairman of the Bank's Management Board supervising the Block Risks. The Head of the Risk Management Service shall comply with the qualification and business reputation requirements established by the legislation and regulations of the Bank of Russia 8. The head and employees of the Risk Management Service shall be on the staff of the Bank. The Risk Management Service reports to the Supervisory Board, the President, the Chairman of the Bank's Management Board, and to the Management Board. 8 The qualification requirements are stipulated by Bank of Russia Regulation No U dated On Requirements for Heads of the Risk Management Service, Internal Control Service, Internal Audit Service of a Credit Institution. The business reputation requirements are stipulated by Clause 1, Part 1, Article 16 of Federal Law On Banks and Banking Activity. 8

9 5.2. Powers and Responsibility of Main Participants in the Risk and Capital Adequacy Management Process General Meeting of Shareholders of the Bank Makes decisions on increase/decrease of the authorized capital, splitting/consolidation of shares, issue/conversion of bonds and other issue-grade securities convertible into ordinary shares, in cases provided for by /12/; Makes decisions on dividend payments; Approves interested-party transactions in cases and according to the procedure stipulated in в /12/ Supervisory Board of the Bank Approves risk and capital strategy of the Group; Approves risk appetite and target risk exposure 9 of the Group and the Bank; Makes decisions on changing capital within the powers established by the Bank's Charter; Controls the compliance with the risk appetite limits and achievement of target risk exposure of the Group and the Bank; Considers results of stress testing for the Group and the Bank; Approves interested-party transactions in cases and according to the procedure stipulated in /12/; Assesses the efficiency of the risk and capital adequacy management system of the Group Management Board of the Bank Ensures conditions for efficient implementation of the risk and capital adequacy strategy of the Group, arranges risk and capital adequacy management processes in the Group; Ensures compliance with the ICAAP and maintenance of capital adequacy; Makes decisions on changing capital within the powers established in /12/; Forms collegiate working bodies, including committees of the Bank, approves regulations thereon, and stipulates their powers Group Risk Committee of the Bank Manages the overall risk of the Group within the powers, requirements and restrictions approved by resolutions of the Bank's Management Board; Defines the composition of risk clusters, appoints committees for managing risk clusters, and units ensuring management of risk clusters; Cascades risk appetite limits of the Group by risk types and per members of the Group Asset and Liability Committee of the Bank Approves standards of the Group for capital adequacy management processes and approaches, requirements for regulations of the members of the Group describing internal capital adequacy management methods and procedures; 9 Within business plans and strategic plans of the Group and the Bank. 9

10 Sets the capital requirements for the members of the Group; Establishes and cascades capital adequacy limits Bank's Committees for Managing Risk clusters 10 Manage risks of the Group included into risk clusters, within the powers, requirements and restrictions approved by resolutions of the Bank's Management Board; Establish and control the compliance with the limits set within the risk appetite limits for risk clusters; Control achievement of target risk exposure as related to risks the management of which is within their powers Block Risks Develops, implements, supports and improves the risk management system of the Bank and the Group on a consolidated basis, ensures its compliance with the requirements of the Bank's development strategy, requirements and recommendations of the Bank of Russia, the recommendations of the Basel Committee on Banking Supervision (BCBS), and best world practices, which includes: - organization of the process of risk identification and materiality assessment in the Group; - preparation of ICAAP reports of the Bank and the Group; - compilation of aggregate reporting on the material risks level for the Bank's management, the Bank's management bodies, and other collegiate bodies responsible for management of the Bank's risks, to the extent required for decision making, including reporting to the Supervisory Board according to the requirements of Annex 4; Forms proposals on values of risk appetite limits and target risk levels of the Group, the Bank, and on their cascading upon approval with the units ensuring management of risk clusters; Performs centralized stress testing; Validates risk evaluation and risk management models 11 ; Consolidates information on risks for disclosure purposes Head of the Block Risks Controls work of the units within the Block Risks ; Is member of the Bank's committees for managing risk clusters Block Finance Prepares reporting on the value of equity (capital), compliance with the mandatory rates, provisions for potential losses on loans, loan and similar debt of the Bank and the Group; Consolidates financial statements of the Group for the purposes of regulatory and management statements; 10 Including the Group Risk Committee and the Asset and Liability Committee. 11 An independent unit responsible for validating models has been established in the Block Risks. 10

11 Performs business-planning of the Bank and the Group in compliance with the limits and restrictions set by risk appetite and target risk exposure of the Bank and the Group Bank's Units Ensuring Risk Clusters Management 12 Develop, implement, support and improve the system for managing risks included into risk clusters according to this Strategy, which includes development and update of the internal documents setting the uniform standards and requirements for the organizational structure, distribution of powers, process and procedures for management of risk clusters; Form the requirements for methods and processes of management of risks included into risk clusters for the members of the Group; Organize management of risks included into the relevant risk cluster in the Bank and in the Group as a whole; Manage the Bank's risks within the powers stipulated by the appropriate risk management policies, as well as coordinate the management of material risks of the Group included into risk clusters; Cooperate with the Block Risks within the integrated risk management processes; Provide information within their competence for the disclosure purposes Internal Audit Service Assesses the efficiency of the risk and capital adequacy management system, which includes audit of the risk evaluation methods and risk management procedures established by the internal documents (methods, programs, rules, procedures, etc.) and of the completeness of the internal documents application; Audits the operation of the units ensuring risk cluster management, which includes audit of the operation of the units of the Bank's Block Risks ; Informs the Supervisory Board and executive management bodies of defects detected in the operation of the risk and capital adequacy management system and of actions taken to eliminate them; Form the requirements for the arrangement of internal audit in the members of the Group in a part of audit of the risk and capital adequacy management system, which includes development and update of IRDs setting the uniform standards and requirements for the organizational structure, distribution of powers, internal audit processes and procedures Members of the Group Organize the risk and capital adequacy management process according to the principles set by this Strategy and the standards of the Group; Distribute risk limits and targets for their respective units within the established risk limits and targets; Provide information required for integrated risk management. 12 Including units ensuring risk cluster management of the Block Risks. 11

12 6. Organization of the Risk and Capital Adequacy Management Process 6.1. Internal Capital Adequacy Assessment Procedures (ICAAP) The ICAAP involve the following: evaluation of all material risks of the Group; calculation of the planned (target) capital, current demand for capital at the level of the Group, the Bank and the members of the Group; establishment of the methods and procedures for material risk management, capital adequacy evaluation and capital allocation by types of material risks at the level of the Group, the Bank and members of the Group; establishment of the system of control over material risks, capital adequacy and compliance with the risk limits; setting of reporting at the level of the Group, the Bank and the members of the Group; setting of the procedures for internal control of the compliance with the ICAAP at the level of the Group, the Bank and the members of the Group. The economic capital for the Group, the Bank and the members of the Group shall be calculated at least quarterly within the risk appetite limits control process. The full cycle of the ICAAP with the compilation of the final report shall be performed once a year and comprises: calculation of economic capital on a consolidated basis for the Group; verification of risk management mechanisms; assessment of involvement of the Bank's Management Board and the Supervisory Board into the processes of managing risks of the Group; evaluation of sufficiency and efficiency of the system of internal control of the compliance with the ICAAP. The Bank's Management Board and Supervisory Board rely on results of the ICAAP to assess the compliance of accepted risk with the set risk appetite limits, as well as to perform strategic planning. Results of the ICAAP are a major source for quantitative evaluation of risks when the Bank's committees for managing risk clusters and (sole and collegiate) management bodies of the members of the Group make management decisions. The Bank's units ensuring risk cluster management use results of the ICAAP to prepare proposals on control over the level of risks included into the composition of respective risk cluster. Results of the ICAAP are used to make decisions on changing the capital structure and/or amount Risk Management Risk Identification and Materiality Assessment Risk identification and materiality assessment shall be performed once a year and completed before the start of the annual business planning cycle. In case of significant changes in the external environment and/or within the Group that may affect the risk profile of the Group, unscheduled risk identification and materiality assessment can be carried out. The Bank and all members of the Group subject to this Strategy (Paragraph 1.4) shall take part in the process of risk identification and materiality assessment. The Bank assesses materiality of risks at the level of the Bank and the Group as a whole, while the members of the Group assess materiality of risks at the local level. Risk may be recognized as material for a member of the Group, but immaterial for the Group as a whole. Members of the Group follow the Group standards for materiality assessment taking into account local regulatory requirements. 12

13 Types of risks which are limited by the Bank of Russia for credit institutions / banking groups and/or which are taken into account in calculation of adequate regulatory capital of credit institutions / banking groups are always recognized as material for the Group. Materiality of other types of risks is evaluated based on the comparison of maximum risk losses with economic and regulatory capital of the Group, the Bank, a member of the Group. Risk that cannot be evaluated by a quantitative method can be recognized as material based on an expert's opinion with account of the scale of risk impact on the reputation of Group, the Bank, and/or a member of the Group Formation of Risk Cluster Management Systems Types of risks defined as material, having similar risk factors, similar risk management methods, similar subjects of risks (counterparties, clients, transactions, etc.) are combined into risk clusters, for which a single management system is formed consisting of: the Bank's committees for managing risk clusters; the Bank's units ensuring risk clusters management; units or responsible employees of the members of the Group ensuring risk management at the level of the members of the Group. The management system for risk recognized as material for the Group involves all members of the Group where this risk is recognized as material. If a type of risk is recognized as material only at the level of a member of the Group, a local system for management of this risk shall be created. In this case, a member of the Group shall independently determine risk management approaches, establish and control risk limits and targets, and control the efficiency of management of this risk Risk Exposure Planning The Group plans risk exposure by establishing risk targets a set of risk metrics conforming to the goals of the Group, the Bank, and the members of the Group. To plan its activity, the Group uses risk metrics reflecting (or taking into account) the level of losses in non-stress conditions, and risk metrics reflecting (or taking into account) the level of losses in stress conditions. Risk exposure of the Group is planned within the annual business planning process of the Group Setting Risk Appetite Risk appetite is set with regard to the requirements of the Bank of Russia and the regulators in the countries of presence of the Group. Risk appetite is determined as a set of quantitative and qualitative metrics implemented through the system of hierarchical limits by business areas, types of material risks, units, and by other profiles. Metrics of risk appetite of the Group, the Bank, and the members of the Group may include: mandatory capital adequacy rate, liquidity rate, and other limits established by the Bank of Russia for credit institutions and banking groups related to risk and capital adequacy management; 13

14 for the members of the Group outside the jurisdiction of the Russian Federation mandatory capital adequacy rate, liquidity rate, and other limits established by local regulators for credit institutions and banking groups related to risk and capital adequacy management; ratio of economic capital required to cover all material types of risks and available capital; concentration limits for material risks; risk levels recommended by the BCBS for credit institutions and banking groups. Risk appetite is established for the strategic planning horizon, and the Bank's Supervisory Board shall consider if risk appetite review is necessary at least annually. Particular limits of risk appetite may be updated during a financial year in case of changes in the economic situation and/or alteration by the Bank of Russia of the requirements for credit institutions and/or banking groups (alteration of the existing rates and/or introduction of new rates) Aggregate Risk Management Aggregate risk management of the Group comprises: calculation of factors characterizing a consolidated level of overall risk of the Group based on evaluations of risks included into risk clusters, with account of risks correlations; evaluation of deviation of risk exposure of the Group from levels established by the consolidated business plan of the Group; evaluation of the compliance of risk exposure of the Group with the approved risk appetite of the Group; making decisions on establishing/changing limits, or any other decisions aimed to optimize the risk level of the Group. The aggregate risk exposure of the Group shall be evaluated at least quarterly Capital Adequacy Management The process of capital structure and adequacy management of the Bank and the Group is centralized. The Bank's Treasury is the unit responsible for the organization of capital adequacy management in the Bank and the Group as a whole. To implement an efficient process of capital structure and adequacy management, the Bank's Treasury develops necessary procedures, regulations for cooperation between units, methods and group standards, as well as controls the organization of the process in the members of the Group. Capital adequacy management is in place in each member of the Group subject to the mandatory capital adequacy requirements set by the regulator, or the risk appetite capital adequacy related requirements approved by the Bank's competent collegiate body, as well as in other members of the Group stipulated by a separate decision of the Asset and Liability Committee. The following main tools are used for capital adequacy management: business planning and capital adequacy management plan; planning of dividends and capitalization of subsidiaries; system of capital adequacy limits; capital adequacy management plan in case of a crisis situation. 14

15 6.4. Stress Testing Stress testing is evaluation of risk factors and parameters of assets and liabilities in the conditions of hardly probable, but possible pessimistic scenarios, particularly for assessing the adequacy of available capital sources to cover potential losses. Stress testing is performed both by particular risks, and in an aggregated way. In terms of organization, stress testing can be top-down and bottom-up : top-down is an evaluation of scenario impact on financial and economic results of the activity of the Group through the sensitivity analysis of aggregate characteristics of asset and liability portfolios to changes in macroeconomic indicators; bottom-up is an evaluation of scenario impact on basic characteristics of risk exposure at a detailed level by specific risk groups, and evaluation of economic capital of the Group and stress risk indicators based on obtained results and models of potential losses of the Group. Annex 5 contains the basic requirements for stress testing scenarios according to which the Bank and the members of the Group should develop stress testing scenarios. The stress testing procedures of the members of the Group shall be agreed upon with the Bank Risk Reporting Reporting of the Group shall be prepared in compliance with the requirements of the Bank of Russia with account of the recommendations of the Basel Committee on Banking Supervision (BCBS). The Group has in place the process of collection, check and consolidation of data provided by the members of the Group in order to calculate requirements for capital, liquidity rates and other risk factors. Composition and frequency of risk reporting shall comply with the requirements for reporting set by the Bank of Russia, the requirements for management reporting, and the requirements for disclosure of information on risks for all parties concerned. Sole and collegiate executive bodies of the members of the Group are responsible for the correctness of information on risks provided to the Bank. The requirements for composition and frequency of risk reporting for the Supervisory Board are stipulated in Annex 4. Composition and frequency of risk reporting provided to the Chairman of the Management Board, the Management Board, the Group Risk Committee of the Bank, the Bank's committees for managing risk clusters, and heads of the units involved in risk management shall be established by the Bank's internal regulations according to the requirements of Bank of Russia Regulation No U dd On Requirements for the Risk and Capital Management System of a Credit Institution and Banking Group /4/. 15

16 ANNEX 1. Terms and Definitions Available financial resources are capital at the disposal of the Group, the Bank, and/or a member of the Group, available to cover accepted and potential risks, that is assessed with the internal models of the Group / the Bank / a member of the Group. Bank Sberbank of Russia. Capital adequacy means adequacy of available capital to cover the overall amount of accepted and potential risks. Economic capital is the value of capital of the Group / the Bank / a member of the Group required to cover all types of capitalized risks accepted by the Group / the Bank / a member of the Group in the course of their activity that are evaluated based on the internal models of the Group / the Bank / a member of the Group. Internal audit service is a complex of the Bank's structural units (the Internal audit unit of the Bank's central office and relevant units of the Internal audit service in the branches) carrying out their activity in compliance with the Regulation on the Internal audit service of OJSC Sberbank of Russia /13/. Limit an approved numerical limit for the indicators characterizing (whether each in particular or collectively) risk exposure. The limit may be either an absolute or a relative value. Material risks risks whose materialization entail significant impact on the consolidated financial result of the Group, and/or disposable capital of the Group, and/or liquidity of the Group, and/or reputation of the Group, or the capability to comply with the requirements of the regulators in the Russian Federation and in the countries of presence of the members of the Group. Regulator a competent state body exercising the functions of regulation, control and supervision over the activity of credit institutions and banking groups. Regulatory capital is the value of capital of the Group / the Bank / a member of the Group required to cover risks accepted in the course of the activity that shall be evaluated according to the method established by the regulator. Risk is an inherent in the business of the Bank / Group possibility (probability) to bear losses and/or deterioration of liquidity and/or other adverse effect due to internal factors (complexity of the organizational structure, employees skills level, organizational changes, employee turnover, etc.) and/or external factors (changes in economic conditions of the Group activity, applied technologies, etc.). Risk appetite is a system of indices characterizing the maximum risk exposure that the Group in general, the Bank, and the members of the Group are ready to accept during the process of value creation, achievement of the established goals, including the target level of return, implementation of strategic initiatives, and fulfillment of their mission. Risk assessment assessment of the probability of risk materialization and the amount of potential losses in case of materialization of a particular risk type and/or overall risk accepted by the Group or by the organizations-members of the Group. Risk clusters are formed based on the expediency of separate management of risks. Risk clusters are formed only for risks that are material at the level of the Group. The process of categorizing 16

17 risks into risk clusters is primarily based on opinions on the expediency of grouping given by the Bank's structural units responsible for managing certain types of risks. Risk identification is the process of detection and classification of risks. Sberbank Group (the Group) is a banking group defined according to /1/ where Sberbank is the parent credit institution. Stress testing is an assessment of potential impact on the financial standing of the Group / the Bank / a member of the Group of changes in a range of stress factors that are extraordinary, but possible events. 17

18 ANNEX 2. Abbreviations Bank of Russia the Central Bank of the Russian Federation. BCBS the Basel Committee on Banking Supervision is a committee of banking supervisory authorities which was established by the central bank governors of the G-10 countries in Block Finance the Finance Block of Sberbank. Block Risks the Risks Block of Sberbank. IRD an internal regulatory document. ICAAP internal capital adequacy assessment procedures. Group Risk Committee the Group Risk Committee of Sberbank. ALMC the Asset and Liability Committee of Sberbank. 18

19 ANNEX 3. References 1. Federal Law No dated On Banks and Banking Activity. 2. Letter of the Bank of Russia No /2463 dated On the Corporate Governance Code. 3. Letter of the Bank of Russia No. 14-T dated On the Recommendations of the Basel Committee on Banking Supervision Principles for Enhancing Corporate Governance. 4. Bank of Russia Regulation No U dd On Requirements for the Risk and Capital Management System of a Credit Institution and Banking Group. 5. Principles for enhancing corporate governance, October 2010, Basel Committee on Banking Supervision, ISBN Corporate governance principles for banks, July 2015, Basel Committee on Banking Supervision, ISBN (print), ISBN (online). 7. DIRECTIVE 2013/36/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (CRD IV). 8. REGULATION (EU) No 575/2013 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012" (CRR). 9. Basel Committee on Banking Supervision, Principles for effective risk data aggregation and risk reporting, January 2013, ISBN Letter of the Bank of Russia No. 96-T dated On the Recommendations of the Basel Committee on Banking Supervision Principles of Risk Aggregation and Submission of Risk Reports, Annex Principles of Risk Aggregation and Submission of Risk Reports. 11. Bank of Russia Provision No. 242-P dated On Organization of Internal Control in Credit Institutions and Banking Groups. 12. Charter of Public Joint-Stock Company Sberbank of Russia. 13. Regulation on the Internal Audit Service of OJSC Sberbank of Russia No dated

20 ANNEX 4. Composition of Risk Reports for the Supervisory Board Information on aggregate amount of risks accepted by the Group, the Bank, and the members of the Group on accepted amounts of each material type of risks on risk levels accepted by the structural units of the Bank and the members of the Group on the value of capital and use by the Bank's units and the members of the Group of the limits assigned to them on facts of breaches by the Bank's units and the members of the Group of the established limits, as well as of measures being taken to eliminate the detected breaches on stress testing results on results of assessment of capital adequacy of the Group, the Bank, and the members of the Group on results of implementation of the ICAAP, including on the compliance with the planned (target) capital value and capital adequacy, planned capital structure, planned (target) risk exposure, and target risk structure Frequency quarterly quarterly quarterly quarterly quarterly annually quarterly annually The above information shall be provided to the Bank's Supervisory Board by the Bank's Management Board. The need in internal or external audit of the above information shall be determined by separate decisions of the Bank's Supervisory Board. 20

21 ANNEX 5. Basic Requirements for Stress Testing Scenarios Stress implies a change in macroeconomic factors negatively affecting the situation in the Bank, a member of the Group, and/or the Group in general. Stress testing shall be performed for detailed assessment of the stability of the Bank's current standing against probable stress situations and for support of management decisions aimed to fulfill the following goals and objectives: Goal Maintenance of financial stability of the Group in case of stress Optimal business management with account of potential occurrence of stresses Objectives Test of the capability to maintain the required capital adequacy in stress conditions Test of the capability to maintain adequate liquidity under stress Assessment of business profitability in stress conditions Detection of most stress-sensitive risk types Several scenarios of stress events are to be developed and should take into account various forms of crisis development: by the scope of crisis affect only in the economy of the Russian Federation, Europe, global crisis; by the scope of affect on economic sectors where the assets are primarily concentrated; by markets crisis on stock markets; by crisis type fall/growth of prices for commodities oil; by crisis duration: short-term (max. one year), mid-term (max. three years). Stress testing is performed based on the Bank's scenarios with account of internal scenarios of the members of the Group, as well as scenarios of the regulators in the countries of presence of the Group (primarily based on scenarios of the Bank of Russia). Stress testing is based on historical and hypothetical scenarios. Historical scenario is a significant event that happened in the past and caused materialization of one or several risks of the Bank at scales considerably exceeding the estimates of the standard probability models 13. Hypothetical scenario is a simulation / modeling of a significant event that did not happen in the past, but may cause materialization of one or several risks of the Bank at scales considerably exceeding the estimates of the standard probability models 14. It is recommended to develop stress testing scenarios so that scenarios had the following features: Likelihood: there shall be a considerable probability of occurrence of a scenario on a time horizon of up to one year; 15 Significance: losses caused by scenario occurrence shall be material for the Bank, a member of the Group, or the Group in general. The minimum permissible loss 0.1% of the Bank's Tier I capital; 16 Simplicity: 17 a scenario shall consist of one easily formalized event Examples: Ruble Devaluation, Black Monday, Asian Crisis, Russian Crisis of 1998, etc. 14 Example: Dramatic drop in business activity of an economic sector. 15 E.g. a 1% probability of scenario occurrence means that stress scenarios of such type on average occur at least once in 100 years. 16 The value from the latest available IFRS statements shall be used. 21

22 Stress testing may be based either on the assumption of dynamic balance, or on the assumption of static balance. Development of new scenarios and/or update of current scenarios shall be carried out when there are considerable changes in the economy or in the business of the Bank, a member of the Group and/or the Group in general, as a result of which the use of current scenarios ceases to ensure the appropriate risk control. 17 There is an exception from this rule for scenarios proposed by the Bank's Center for Macroeconomic Research. The Center for Macroeconomic Research may propose scenarios of any complexity. 18 Examples: Hard recession, 5% GDP drop a simple scenario; Stagflation coupled with capital outflow is a complex scenario. 22