MILLIRE ENG2024
Reputation Risk

This risk can be defined as the probable loss due to loss of confidence in the Company or damage to its reputation resulting from failures in operations or non-compliance with current regulations. Qualitative methods are used to measure the level of the risk. On the basis of “Self-Assessment Methodology”, “Questionnaire” and/or “Interview” methods are used to determine the level of the risk as “High”, “Acceptable” or “Low”.

Information Technologies Risk

This risk expresses the probable losses arising in Information Technology (IT) processes, assets and resources that constitute the entire hardware, applications and communication channels used in operations, due to internal and external problems occurring in operations and processes such as strategy management, cost management, human resources management, risk management, incident and problem management, information security, back up process, procurement process, supplier selection and assessment, user identification and access management, critical resources management, data security, integrity and availability, acquisition and modification of software and hardware, test and version management, service quality and continuity, business continuity, disaster and configuration management, environmental and physical factors management.

Risks related to the Company’s information technologies are measured and assessed in accordance with the provisions stated in Information Technology Risk Management Application Principles, based on internationally accepted practices.

On the other hand, the Disaster Management process, defined with the purpose of governing and monitoring sub-risks in relation to Business Continuity and IT Continuity, is carried out in accordance with the provisions of related legislation. Staff are trained, and a test study is performed at least once a year within the context of Disaster Management.
In this regard, for the Company’s business processes and information systems, including the Singapore Branch of the Company, this year’s exercise was carried out by providing remote access to applications and systems in the Disaster Server Centre located outside of Istanbul via a secure network connection. In addition, Suadiye Miltaş Sports Facilities, which is the disaster recovery location of the Company, was visited and the equipment there was tested. According to the results of this study, all applications and systems specified in the Disaster Recovery Plan, as well as the data and documents required by business units for critical business processes, were accessible in conformity with recovery point objectives, and data entries were completed successfully. In addition, the data restore test was also carried out successfully.

All findings obtained as a result of measurement of the above-mentioned financial and non-financial risks, and the analyses and assessments in respect of these findings, are regularly reported by the Risk Management Department to the Board of Directors through the Audit Committee, as well as to the Subsidiaries Division of İşbank. If the levels of the risks are found to be “High”, the Board of Directors determines an action plan regarding the necessary actions.

Risk Management Practices