MILLI_RE_ANNUAL REPORT 2022

activities, is applied as a qualitative method for operational risk. The level of the operational risk that the Company is exposed to is subsequently classified as “High”, “Acceptable” or “Low” depending on the result of the assessments.

Reputation Risk

This risk can be defined as the probable loss due to loss of confidence of the Company or damage to the “Company Reputation” resulting from failures in operations or noncompliance with current regulations. Qualitative methods are used to measure the level of the risk. On the basis of “Self-Assessment Methodology”, “Questionnaire” and/or “Interview” methods are used to determine the impact and probability levels of the risk as “High”, “Acceptable” or “Low”.

Information Technologies Risk

This risk expresses the probable losses arising in Information Technology (IT) processes, assets and resources that constitute the entire hardware, applications and communication channels used in operations, due to internal and external problems occurring in operations and processes such as strategy management, cost management, human resources management, risk management, incident and problem management, information security, back up process, procurement process, supplier selection and assessment, user identification and access management, critical resources management, data security, integrity and availability, acquisition and modification of software and hardware, test and version management, service quality and continuity, business continuity, disaster and configuration management, environmental and physical factors management.

Risks related to Company’s information technologies are measured and assessed in accordance with the provisions stated in Information Technology Risk Management Application Principles, based on internationally accepted practices.
On the other hand, Disaster Management process, defined with the purpose of governing and monitoring sub-risks in relation to Business Continuity and IT Continuity, is carried out in accordance with the provisions of related legislation. An internal training is organized, and a test study is performed annually within the context of Disaster Management. In this regard, for Company’s business processes and information systems, including the Singapore Branch of the Company, this year’s exercise was carried out by providing remote access to applications and systems in Disaster Server Centre located outside of Istanbul via a secure network connection. In addition, Suadiye Miltaş Sports Facilities, which is the disaster recovery location of the Company, was visited and the equipment there was tested. According to the results of this study, all applications and systems specified in the Disaster Recovery Plan, data and documents required by business units for critical business processes were accessible in conformity with recovery point objectives, and data entries were completed successfully. In addition, the data restore test has also been carried out successfully.

All findings obtained as a result of measurement of the above-mentioned risks, analyses and assessments in respect of these findings are regularly reported by Risk Management Department to the Board of Directors, as well as to Subsidiaries Division of İşbank. If the impact and probability levels of the risks are found “High”, the Board of Directors determines an action plan regarding the necessary actions.
