Risk Management and Compliance

Risk Management

Sabancı Group has adopted corporate risk management principles in the interests of maximizing stakeholder value, ensuring the Group’s sustainability, identifying and measuring risks and monitoring risk continuously and effectively.

Sabancı Group has adopted corporate risk management principles to maximize stakeholder value by eliminating or minimizing the risks which may threaten the existence, development and continuity of the Group and which may be encountered during the course of achieving the strategic goals set out by the Board of Directors of Sabancı Holding, and ensuring the Group’s sustainability.

The Group manages risk in line with its risk appetite through a combination of both quantitative and qualitative metrics. In line with the strategic and financial targets, prioritized risks are handled in accordance with the following risk management strategies: risk avoidance, risk transfer, risk reduction and risk acceptance. The corporate risk management framework includes subheadings such as determination and monitoring of risk mitigation activities. Group Risk operation results are evaluated periodically by the Risk Coordination Committee at the Holding’s senior management level and through the Early Detection of Risk Committee (EDRC) at Board of Directors level.

Managing risk in line with risk appetite through a combination of both quantitative and qualitative measurement metrics

At Akbank, risk management is conducted in compliance with Banking Regulation and Supervision Agency regulations under the responsibility and supervision of the Bank’s Board of Directors. The Board of Directors and senior management are responsible for building up a risk appetite framework and developing risk management policies and strategies. The Board of Directors approves Akbank’s general principles of risk control and risk management, its limits for all relevant risks and the procedures which Akbank applies in controlling and managing its risks. Board members periodically attend five committees: the Audit Committee, the Credit Committee, the Executive Risk Committee, the Conduct Risk Management Committee and the Information Security Committee. In addition to these Board level committees, the Risk Management Office and the Information Risk Management Office (IRMO), as well as the Internal Control, Compliance and Internal Audit departments, report directly to the Board. Internal methods and risk models are continuously improved upon and developed to ensure effective risk management.

At Sabancı Group’s non‑bank companies, corporate risks are managed by designated risk management officers and company senior management responsible for risk management processes and activities. These efforts come under the supervision of the Board of Directors and related Risk Committees which report to the Board. Group companies report potential risks and prioritized risks to the EDRC and the Board of Directors via periodic reports. The financial, strategic, operational and compliance risks of the subsidiaries are also overseen and supervised by Legal, Risk and Compliance Group, Risk Coordination Committee and the relevant Group Presidents as well as Finance Group at the Holding.

The Risk Management unit is responsible for managing the financial, strategic, operational and compliance risks of Sabancı Holding and providing guidance to Group companies.

Sabancı Group categorizes monitored risks under these criteria:

Compliance Risks

Compliance risks include legal penalties, reputation loss or material damage that may arise from the failure to comply with or the violation of applicable laws, rules or regulations, sanctions, codes of ethics or internal policies and directives. To support Group subsidiaries in efficiently managing compliance risks within the determined framework, instructional activities are carried out by the Holding’s Legal, Risk and Compliance Group.

Financial Risks

This category includes risks that may arise as a result of a company’s financial position and preferences. Financial risks include those caused by movements in exchange rates, interest rates, loans (credit), liquidity/cash management and access to capital and equity capital markets, which pertain to the risk of deviations in the enterprise value or shareholders’ returns driven by capital market conditions. At a Group level, capital market risks are closely monitored and managed through the Holding’s Finance team. Exposure to risk is managed through strong financial results and investments with the goal of sustainable growth, investor relations activities and share buy‑back programs.

Strategic Risks

Strategic risks include structural risks which may prevent a company from reaching its short, medium or long‑term goals. Strategic business line management risk is assessed within the scope of strategic risks such as economic, political and industrial risks, regulatory changes and changes in regulatory practices (both local and global), governance, reputation, sustainability (transition, physical and compliance aspects) and intellectual property risks.

At the Holding level, strategic risks are efficiently managed with a long‑term dynamic business lines management approach. Sabancı Holding’s strategic business line management approach is designed to focus on highly profitable and sustainable businesses to create a competitive advantage.

Operational Risks

Operational risks may result when companies’ business activities are affected by factors such as disruption to business continuity, faults or negligence due to failures in a company’s control systems, including their IT systems. The Audit Department conducts regular checks of company processes and systems to determine and eliminate these risks.

At the Holding level, strategic risks are efficiently managed under an approach which focuses on long‑term dynamic strategic business line management.

Damage to information systems, cyberattacks, deterioration of data security, data leaks and failure to ensure business continuity within the Group are critical factors in operational risks. As part of the cyber risk management efforts which take place within the Sabancı Group, risk is mitigated via cyber risk insurance.

The purpose of the EDRC is: (i) to evaluate the early identification, the determination of necessary measures and the management processes regarding strategic, operational, financial and compliance risks which can jeopardize Sabancı Holding’s existence, development and continuity; and (ii) to inform the Board of Directors of these issues so decisions can be taken accordingly. The Committee convened on six occasions in 2021 and presented its evaluations to inform the Board of Directors. Detailed information regarding EDRC members can be found in the Sabancı Holding Management section of this report.

Steps are taken to ensure that Group companies are well prepared to tackle ESG risks. Group companies receive guidance to introduce measures in their business models to tackle the possible impact of these risks.

Sustainability Risks

Under Sabancı Holding’s Enterprise Risk Management System, sustainability risks (which are evaluated as part of the Holding’s strategic risks and which have a transversal impact across other risk groups) are defined as ‘the risk of failure to comply with sustainability requirements’ and subcategorized into the following three main topics:

Transition Risks

Transition risks refer to changes in strategies, policies or investments to address mitigation and adaptation requirements related to a lower‑carbon economy. Transition risks may have diverse effects depending on the nature, speed, and focus of the changes.

1. Technology Risk

2. Market Risk

Compliance Risk

Compliance risks refer to incidences of not complying with or violating applicable laws, rules or regulations, codes of ethics or a company’s internal policies and directives.

1. Emerging Regulation Risk

2. Legal Risk

3. Reputational Risk

Physical Risks

Physical risks are diverse and predominantly global. These include acute risks such as wildfires, hailstorms, hurricanes and floods, as well as chronic risks such as extreme heat, epidemics, pandemics, drought and access to water.

1. Acute & Chronic Physical Risk

2. Water Risk

3. Biodiversity Risk

Compliance

As one of Turkey’s leading conglomerates, Sabancı Holding closely monitors increasingly stringent regulatory expectations, global trends, new approaches and developments in compliance.

In 2021, Sabancı Holding launched a comprehensive transformation program to achieve the highest standards of compliance. Under this program, alongside continuous adaptation to fast‑evolving needs and a risk‑based approach, a set of rules and regulations is also translated into specific operational requirements. In this regard, the policies of competition compliance, sanctions, export controls and third‑party due diligence were rolled out.

As part of the Legal, Risk and Compliance Group, a Compliance Manager was appointed who is responsible for the development and implementation of the compliance program and who oversees and supports the compliance activities in Sabancı Group companies.

Competition law

The Competition Compliance Policy and Dawn‑Raid Procedures were launched in 2021. Competition risks have been addressed through a comprehensive compliance program which ensures effective training, on‑the‑spot inspection and the preparation of an evaluation report on an annual basis. This involved a shift from a siloed approach to a centralized and sustainable process.

Sanctions and export controls

Sabancı Group companies operate in regions throughout Europe, the Middle East, Asia, North Africa, North America and South America. This requires dedicated attention to complex trade sanctions and export control laws and regulations, which basically prohibit the import, export or re‑export of certain products to or from certain countries or parties.

The Sanctions and Export Control Policy and its supporting procedures provide instructions on how to deal with complex cross‑border commercial transactions without impeding the continuity of business and operations in a foreign country.

Third party due diligence

Sabancı Group companies are market leaders in most of their respective sectors and engage with a broad category of third parties including suppliers, distributors, intermediaries, agents and business consultants. This increases the likelihood of Sabancı Group companies being accountable for the non‑compliant activities and behaviors of business partners.

The Third‑Party Due Diligence Policy has been introduced in order to identify and manage third‑party risks. In this regard, Sabancı Group companies are required to perform a due diligence process for new third parties as well as for the third parties with whom we have an ongoing business relationship.

The due diligence process includes the critical steps of implementing an effective third‑party screening program, performing enhanced due diligence and taking measures and safeguards to mitigate the risks.

Data privacy

Compliance with data privacy laws and regulations is an essential part of Sabancı Holding’s business operations. In this regard, the Data Protection Committee continues to follow the best practices observed in the industry to keep up with the new developments, offer company‑wide guidance and implement security measures in collaboration with the cyber security team. The Data Protection Committee also successfully completed the Data Controllers’ Registry Information System (VERBIS) registration in accordance with the local regulation and procured digital solutions to effectively monitor and update the data inventories.