MILLIRE 2021 ANNUAL REPORT
Operational Risk

This risk expresses the probable losses arising from inappropriate or inoperative business processes, human errors, technological or infrastructural interruptions, changes in management or processes, inaccurate internal/external reporting or external factors occurring while the Company conducts its vital functions necessary for the continuation of business, and inability to secure low cost and high efficiency as a result of business interruption due to disasters.

Qualitative and quantitative methods are used together in measuring the operational risk. The Factor Based Standard Approach is applied as a quantitative method. In this method, the required capital for operational risks is calculated by multiplying gross technical provisions and gross earned premiums by the factors in respect of the relevant lines of business. The “Self-Assessment Methodology”, which allows determination of the risks related to activities conducted with the involvement of staff performing such activities, is applied as a qualitative method for operational risk. The level of the operational risk that the Company is exposed to is subsequently classified as “High”, “Acceptable” or “Low” depending on the result of the assessments.

Reputation Risk

This risk can be defined as the probable loss due to loss of confidence in the Company or damage to the “Company Reputation” resulting from failures in operations or noncompliance with current regulations. Qualitative methods are used to measure the level of the risk. On the basis of the “Self-Assessment Methodology”, “Questionnaire” and/or “Interview” methods are used to determine the impact and probability levels of the risk as “High”, “Acceptable” or “Low”.
Information Technologies Risk

This risk expresses the probable losses arising in Information Technology (IT) processes, assets and resources that constitute the entire hardware, applications and communication channels used in operations, due to internal and external problems occurring in operations and processes such as strategy management, cost management, human resources management, risk management, incident and problem management, information security, backup process, procurement process, supplier selection and assessment, user identification and access management, critical resources management, data security, integrity and availability, acquisition and modification of software and hardware, test and version management, service quality and continuity, business continuity, disaster and configuration management, environmental and physical factors management.

Risks related to the Company’s information technologies are measured and assessed in accordance with the provisions stated in the Information Technology Risk Management Application Principles, based on internationally accepted practices. In addition, the Disaster Management process, defined with the purpose of governing and monitoring sub-risks in relation to Business Continuity and IT Continuity, is carried out in accordance with the provisions of related legislation.

Internal training is organized and a test study is performed annually within the context of Disaster Management. In this regard, for the Company’s business processes and information systems, this year’s exercise was carried out by providing remote access to applications and systems in the Disaster Server Centre located outside of İstanbul via a secure network connection. According to the results of this study, which was performed by displaying and entering the data, it was confirmed that IT resources related to critical processes and data stored in these resources were accessible in conformity with recovery point objectives.
All findings obtained as a result of measurement of the above-mentioned risks, and the analyses and assessments in respect of these findings, are regularly reported by the Internal Control and Risk Management Department to the General Manager, the Risk Committee and the Board of Directors, as well as to the Subsidiaries Division of İşbank. If the impact and probability levels of the risks are found to be “High”, the Board of Directors determines an action plan regarding the necessary actions.