Milli Re 2025 Annual Report

Risk Management Practices Model Risk This risk expresses the probability of loss that may occur if the models that the Company uses within risk measurement processes are inappropriately designed or not properly implemented. In measurement and assessment process of model risk, “Questionnaire” and/or “Interview” methods are used on the basis of “Self-Assessment Methodology”, to determine the level of the risk as “High”, “Acceptable” or “Low”. Operational Risk This risk expresses the probable losses arising from inappropriate or inoperative business processes, human errors, technological or infrastructural interruptions, changes in management or processes, inaccurate internal/external reporting or external factors occurring while Company conducts its vital functions necessary for the continuation of business, and inability to secure low cost and high efficiency as a result of business interruption due to disasters. Qualitative and quantitative methods are used together in measuring the operational risk. Factor Based Standard Approach is applied as a quantitative method. In this method, the required capital for operational risks is calculated by multiplying gross technical provisions and gross earned premiums by the factors in respect of the relevant lines of business. “Self-Assessment Methodology”, which allows determination of the risks related to activities conducted with the involvement of staff performing such activities, is applied as a qualitative method for operational risk. The level of the operational risk that the Company is exposed to is subsequently classified as “High”, “Acceptable” or “Low” depending on the result of the assessments. Reputation Risk This risk can be defined as the probable loss due to loss of confidence in the Company or damage to its reputation resulting from failures in operations or non- compliance with current regulations. Qualitative methods are used to measure the level of the risk. On the basis of “Self-Assessment Methodology”, “Questionnaire” and/ or “Interview” methods are used to determine the level of the risk as “High”, “Acceptable” or “Low”. Information Technologies Risk This risk expresses the probable losses arising in Information Technology (IT) processes, assets and resources that constitute the entire hardware, applications and communication channels used in operations, due to internal and external problems occurring in operations and processes such as strategy management, cost management, human resources management, risk management, incident and problem management, information security, back up process, procurement process, supplier selection and assessment, user identification and access management, critical resources management, data security, integrity and availability, acquisition and modification of software and hardware, test and version management, service quality and continuity, business continuity, disaster and configuration management, environmental and physical factors management. Risks related to the Company’s information technologies are measured and assessed in accordance with the provisions stated in Information Technology Risk Management Application Principles, based on internationally accepted practices. All findings obtained as a result of measurement of the above- mentioned financial and non-financial risks, analyses and assessments in respect of these findings are regularly reported by Risk Management Department to the Board of Directors through the Audit Committee, as well as to Subsidiaries Division of İşbank. If the levels of the risks are found “High”, the Board of Directors determines an action plan regarding the necessary actions. 98 MİLLİ RE 2025 Annual Report