Internal Control System
The internal control system is defined as a collection of strategies, systems, processes, policies and procedures, defined by the board of directors, in addition to the actions taken by the board and other CGD employees, for the purpose of ensuring:
The efficient, profitable performance of activity, over the medium and long term (performance objectives);
The existence of full, pertinent, reliable, prompt, financial and management information (information objectives);
Compliance with applicable legal and regulatory dispositions (compliance objectives).
CGD Group’s internal control system management is based on “good practice” guidelines and methodologies, particularly the general internal control methodology proposed by COSO (Committee of Sponsoring Organizations of the Treadway Commission) and, as regards information systems, the CobiT Framework (Control Objectives for Information and Related Technology).
Risk management has its own chapter in the Annual Report for 2011, in addition to a note included in each of the Notes to the Separate and Consolidated Financial Statements referred to as “Disclosures on Financial Instruments”, describing the financial risk management policies pertaining to CGD/CGD Group’s activities and quantifying CGD/CGD Group’s exposure to each type of risk.
Under this framework and to effectively achieve the defined objectives, CGD Group endeavours to guarantee an adequate control environment, a solid risk management system, an efficient information and communication system, adequate control activities and an effective monitoring process, with the objective of guaranteeing the system’s quality and efficacy over time.
Specific, transversal responsibilities have been defined for certain structural bodies which, in conjunction and articulation with the Group’s other structures and entities, perform activities to ensure the existence of an adequate internal control system.
The Executive Committee is responsible for periodically reviewing and approving risk and internal control management strategy and policies and establishing and guaranteeing the implementation thereof within CGD, in addition to the progressive alignment of Group entities therewith.
Operational Risk and Internal Control Management Committee (CGRC)
This body is responsible for verifying conformity with operational risk and internal control management strategy and policies, monitoring the management thereof within the Group and submitting proposals for action plans to the Executive Committee.
Consultancy and Organisation Division
The Operational Risk and Internal Control Management Area is part of the Consultancy and Organisation Division and has the following main responsibilities:
To promote and assist the development and continuous evolution of the internal control management process, in addition to monitoring and assessing its conformity with the defined strategy, policies and methodologies and reporting its respective conclusions to CGRC;
To assist the Executive Committee in its preparation of the regulatory internal control report, both separate and Group, periodically reviewing the status of any flaws, undertaking a critical analysis and actively promoting action plans. These activities are strictly articulated with the Compliance Support Office, Risk Management Division, Internal Audit Division and the Group’s subsidiaries and also consider any comments and remarks made by the Audit Committee, Statutory Auditor and External Auditor;
To develop and implement operational risk management strategy and policies and to ensure the adequate management thereof and, in the case of subsidiaries, to assist the development and continuous evolution of the management process for the said risk, as well as monitoring compliance with the defined strategy, policies and methodologies.
This Division is also responsible for the management and documentation of CGD processes, including the identification of potential operational risks and control procedures, articulating this activity with Process Owners and other structural bodies. It is also responsible for keeping documents relating to processes in branches and subsidiaries up-to-date, in articulation with the local structures responsible for their management.
Risk Management Division
The Risk Management Division is responsible for:
The coherent identification, comprehension and disclosure of information, within CGD Group, on the existence of risks and opportunities in business transactions;
Management and control of CGD Group’s credit risks in accordance with the strategy defined by the Expanded Credit Board;
Management and control of market and liquidity risks within CGD Group, subject to the limits defined by the Assets and Liabilities Committee (ALCO);
Management and control of model risk within CGD Group.
Under the scope of the internal control management process, this Division is also responsible for the periodic production of reports on risk management for the Executive Committee, with a summary of the main flaws identified and indication of the recommendations followed.
Compliance Support Office
The Compliance Support Office ensures the management coordination of compliance risk within CGD and its respective branches and subsidiaries, in addition to Economic Interest Groupings (EIGs), domiciled in Portugal or abroad, when supervised by central banks or securities commissions, in addition to pension fund management companies but not including CGD Group’s insurance area.
This Office is responsible for the periodic production of internal control reports on the compliance risk area for the Executive Committee, identifying any non-compliances and respective remedial measures. It is also responsible for coordinating and safeguarding the good execution of anti-money laundering and countering the financing of terrorism activities, in addition to preventing market abuse.
Internal Audit Division
Internal audit is a permanent, independent, objective activity designed to assist the Executive Committee in monitoring CGD’s and the Group’s implementation of its internal control systems (except for the insurance area) based on a separate systematic assessment and supervision on a consolidated basis, in order to promptly identify areas of greater risk, assessing the management efficacy thereof and the adequacy of the most relevant control procedures and promoting effective governance practices on internal control systems.
It is also responsible for producing and submitting reports on audit issues, including a summary of the main flaws detected, recommendations made and respective level of implementation to the Executive Committee.
Accounting, Consolidation and Financial Information Division
This body reports directly to the Executive Committee. Its main objective is to develop functions in the accounting, account consolidation and financial information areas, specifically including financial reporting information, prudential information and monetary and financial statistics.
To fully comply with its functions, DCI works with CGD’s other structural bodies, Group companies and external entities involved in the sphere of its attributions.
The circuits and controls involved in the process of the preparation and disclosure of separate and consolidated financial information are permanently monitored and validated by the Statutory Auditors, who are responsible for issuing an Opinion on the adequacy and efficacy of the internal control system underlying the process for the preparation and disclosure of separate and consolidated financial information (financial report), sent annually to the Bank of Portugal.
Internal Control and Compliance integrated within the structure of Sogrupo – Sistemas de Informação, ACE (SSI)
This body has specific responsibilities for processes within the sphere of the company, including the assessments in accordance with the CobiT Framework and the identification and reporting of non-conformities and improvement opportunities.
Control system on the Protection of the Company’s Investments and its Assets
To comply with the dispositions of the Bank of Portugal’s (BdP) Official Notice 5/2008 and Instructions 30/2010 and 73/96 and complementarily, as indicated in the BdP’s Circular Letter 23/11 of 2011/12/15, in the “EBA Guidelines on Internal Governance (GL 44)” document issued by the European Banking Authority – EBA, CGD has defined guidelines and internal standards which are used as the main auxiliary instruments for a control system on CGD’s investments and assets. These guidelines and standards are also support tools for the management and control of the financial risks assumed by CGD as they indicate, with a sufficient degree of precision, the maximum levels on certain types of financial risks which may be incurred by asset portfolios. The risk measures used vary in accordance with the type of risk being assessed.
The Executive Committee has defined and approved guidelines on the management and control of market risk, to be complied with by the Financial Markets Division (DMF) and other CGD Group entities responsible for the management of portfolios containing financial assets subject to market risk. The key measure used for the management of market risk is Value at Risk (VaR) which is complemented by other sensitivity measures, more adjusted to the specific type of market risk to be measured; e.g. (i) V01 for interest rate risk and (ii) Greeks for optionality risks.
The Assets and Liabilities Committee (ALCO) has approved guidelines defining the roles and responsibilities of the various parties, indicators to be monitored, limits on such indicators and control system on such limits for the management and control of liquidity and interest rate risk in the balance sheet. Periodic reports are produced on the monitoring process.
There are also internal standards governing the management and control of credit risk which, based on ratings, define limits on exposures to be used in the decision-making process on credit. The credit risk acceptance process is always accompanied by a commercial proposal and a mandatory risk opinion on economic groups with an exposure of more than a certain amount to CGD.
The credit portfolios are regularly examined and reports produced on their evolution in terms of defaults. Also related with defaults and the valuation of credit assets, CGD Group has implemented a process for assessing impairment provisions, which must be validated by the external auditors. A report is produced on the validation and is sent to BdP.
CGD periodically carries out stress tests with the objective of not only complying with the dispositions of the BdP’s Instructions 32/2009 and 4/2011 but also gaining a better perception of the risks to which it is exposed and providing its assets with the best protection.
In the second half of 2011, CGD Group was one of the financial groups taking part in the Special on-site Inspection Program (SIP), in which BdP, assisted by independent auditors, assessed CGD as regards:
the quality of its assets;
its credit risk management procedures;
the quality of its periodic prudential reporting.
As publicly announced, the assessment concluded that the global amount of impairment recognised in the Group’s consolidated accounts was adequate. It also concluded that the aggregate impact of the SIP’s results on the assessment of CGD Group’s solvency at 30 June 2011 would translate into an increase in the Tier 1 ratio from 8.5% to 8.6%, which remains higher than the 8% minimum requirement at the said date. It has been estimated that the aforementioned regulatory changes will have an additional positive impact of 0.2 percentage points on the ratio.
The stress tests were designed to provide an analytical appraisal of CGD Group’s position in terms of solvency when subject to extreme scenarios in terms of market, liquidity and interest rate risk in its balance sheet. In 2011 and in addition to the stress tests used for internal management purposes, CGD was also subject to the tests required by the BdP under Instructions 32/2009 and 4/2011. CGD was also a party to the transversal EU-wide stress test exercise, coordinated by the EBA in collaboration with the European Central Bank and European Commission, and to those required to complement the Capital Funding Plan, under the scope of the Memorandum of Understanding (MoU).