e. inadequacy or ineffectiveness of the internal audit program and other monitoring activities;

Transcription

1 TABLE OF CONTENTS Page I. BACKGROUND 1 II. SCOPE OF THE BANK INTERNAL CONTROL SYSTEM 2 1. Definition and Objectives 2 2. Stakeholders in the Bank Internal Control System 3 3. Factors to Consider in the Design of the Bank Internal Control System 4 4. Control Environment 4 III. KEY ELEMENTS IN THE BANK INTERNAL CONTROL SYSTEM 5 1. Management Oversight and Control Culture 5 2. Risk Recognition and Assessment 8 3. Control Activities and Segregation of Duties 9 4. Accountancy, Information, and Communications Monitoring Activities and Correcting Deficiencies 16 IV. MISCELLANEOUS PROVISIONS 18 i

2 I. BACKGROUND 1. An effective Internal Control System is a vital component of Bank management and provides the basis for sound and secure Bank operations. Effective Internal Control Systems help Bank managers to safeguard the assets of the Bank, ensure credible financial and managerial reporting, strengthen legal and regulatory compliance, and mitigate risks of losses, irregularities, and violations of prudential banking principles. 2. The operation of a reliable and effective Internal Control System is the responsibility of the managers and officers of the Bank. In addition, Bank managers are also required to improve the effectiveness of the risk culture in the Bank organization and ensure that the culture is in place at every level of the organization. 3. The Internal Control System must be an important Bank focus, given that the causes of the difficulties in Bank operations include various weaknesses in the operation of Bank Internal Control Systems. These weaknesses include: a. lack of a supervision mechanism, lack of clear accountability for Bank managers, and failure to develop an internal control culture at all levels of the organization; b. deficiencies in the work of recognition and assessment of risks in the operations of the Bank; c. absence of or failure in one of the key controls of Bank operations, such as segregation of functions, authorizations, verifications, and review of risk exposures and Bank performance; d. lack of communication and information between the different levels in the Bank organization, in particular information at decision making levels on deterioration in quality of risk exposures and application of corrective actions; e. inadequacy or ineffectiveness of the internal audit program and other monitoring activities; f. poor commitment by Bank management to implement internal control processes and impose firm sanctions on violations of regulatory provisions and the policies and procedures established by the Bank. 1

3 II. SCOPE OF THE BANK INTERNAL CONTROL SYSTEM 1. Definition and Objectives a. Definition Internal control is a mechanism for supervision instituted by the Bank management on an ongoing basis in order to: 1) safeguard and secure the property and assets of the Bank; 2) ensure greater accuracy in reporting; 3) strengthen legal and regulatory compliance; 4) minimize financial impact/losses, irregularities including fraud, and violations of prudential regulations; 5) strengthen the effectiveness of the organization and improve cost efficiency. b. Objectives 1) Legal and regulatory compliance (Compliance Objective) The Compliance Objective is to ensure that all business activities of the Bank are conducted in accordance with applicable laws and regulations, including regulations issued by the government and the Bank supervision authority, and the internal policies, regulations, and procedures established by the Bank. 2) Truthful and complete financial and managerial information shall be made available on a timely basis (Information Objective) The Information Objective is to ensure that truthful, complete, and relevant reports are made available on a timely basis as needed for sound decision making supported by adequate justification. 3) Efficiency and effectiveness of business operations (Operational Objective) The Operational Objective is intended to strengthen effectiveness and efficiency in the use of assets and other resources in order to protect the Bank from risk of losses. 2

4 4) Strengthen the effectiveness of risk culture throughout the organization (Risk Culture Objective) The Risk Culture Objective is intended for early recognition of weaknesses and assessment of deficiencies and ongoing review of the propriety of the policies and procedures in place at the Bank. 2. Stakeholders in the Bank Internal Control System The operation of a reliable and effective Internal Control System shall be the responsibility of all parties involved in the Bank organization, including but not limited to: a. Board of Commissioners The Board of Commissioners of the Bank shall be responsible for oversight of the general operation of internal control, including policies adopted by the Board of Directors that establish the internal control. b. Board of Directors The Board of Directors of the Bank shall be responsible for the creation and maintenance of an effective Internal Control System and ensuring that the system operates securely and properly according to the internal control objectives established by the Bank. The Compliance Director is required to play an active role in prevention of deficiencies in management policymaking in regard to prudential banking principles. c. Internal Audit Unit The Internal Audit Unit must be capable of evaluating and playing an active and ongoing role in building the effectiveness of the Internal Control System in regard to the conduct of Bank operations that may potentially impact the ability of the Bank to achieve the targets established by Bank management. In addition, the Bank must also devote attention to the operation of independent audits through adequate reporting lines and the expertise of internal auditors in the area of risk management practices and their application. 3

5 d. Bank officers and employees Each officer and employee of the Bank is required to understand and put into practice the Internal Control System instituted by the Bank management. Effective internal control will strengthen the responsibility of Bank officers and employees, promote an adequate risk culture, and expedite processes for identification of improper banking practices within the organization by means of an efficient early detection system. e. External parties External stakeholders include the Bank supervision authority, the external auditor, and Bank customers, all of whom have an interest in the operation of a reliable and effective Internal Control System. 3. Factors to Consider in the Design of the Bank Internal Control System The Bank must have an Internal Control System that can be applied on an effective basis, taking into account the following factors: a. total assets; b. products and services offered, including new products and services; c. complexity of operations, including office network; d. risk profile for each business line; e. methods used for data processing and information technology and methodology applied in measurement, monitoring, and establishment of risk limits; and f. legal and regulatory provisions. 4. Control Environment The control environment reflects the entirety of commitments, behavior, concern, and actions of the Board of Commissioners and Board of Directors of the Bank in conducting activities for control of Bank operations. 4

6 The factors that make up the control environment include: a. adequate organizational structure; b. leadership style and management philosophy of the Bank; c. integrity, ethical values, and competence of all employees; d. human resources policy and procedures of the Bank; e. attention and direction pursued by the Bank management and other committees, such as the Risk Management Committee; and f. external factors affecting Bank operations and the application of risk management. III. KEY ELEMENTS IN THE BANK INTERNAL CONTROL SYSTEM The Internal Control of a Bank consists of five key interrelated elements: Management Oversight and Control Culture, Risk Recognition and Assessment, Control Activities and Segregation of Duties, Accountancy, Information, and Communication, and Monitoring Activities and Correcting Deficiencies. Internal Control shall consist of at least these five key elements as follows: 1. Management Oversight and Control Culture a. Board of Commissioners The Board of Commissioners shall have the following responsibilities: 1) approval and regular review of the overall policies and business strategy of the Bank; 2) understanding the main risks faced by the Bank, establishment of risk tolerance, and ensuring that the Board of Directors has taken the necessary measures to identify, assess, monitor, and control these risks; 3) approval of the organizational structure; 4) ensuring that the Board of Directors monitors the effectiveness of the Internal Control System. 5

7 In order to fulfill these responsibilities, the Board of Commissioners must: 1) maintain objectiveness and possess knowledge, capacity, and keen interest in understanding the business lines and risks of the Bank; 2) play an active role in ensuring corrective actions to Bank deficiencies that may undermine the effectiveness of the Internal Control System, such as impediments to flow of information from subordinates to management and weaknesses in the operation of the financial, legal, and internal audit functions; 3) hold regular meetings with the Board of Directors and executive officers of the Bank to discuss the effectiveness of the Internal Control System; 4) review findings from evaluation of the internal control system, prepared by the Board of Directors, Internal Audit Unit, and external auditor; 5) take regular measures to ensure that the Board of Directors appropriately follows up the findings and recommendations presented by the Bank supervision authority, internal auditors, and external auditor; 6) conduct a regular review of the validity of the Bank s strategy. b. Board of Directors The Board of Directors shall have the following responsibilities: 1) implement the policy and strategy approved by the Board of Commissioners; 2) develop procedures to identify, assess, monitor, and control risks faced by the Bank; 3) maintain an organizational structure that reflects clearlydelineated powers, responsibilities, and reporting lines; 4) ensure that delegations of authority operate effectively, supported by accountability applied on a consistent basis; 6

8 5) establish internal control policy, strategy, and procedures; and 6) monitor the adequacy and effectiveness of the internal control system. To carry out these responsibilities, the Board of Directors must pursue various measures including the following: 1) assign managers/officers and staff responsible for specific activities to formulate the policy and procedures for internal control of operations and adequacy of the organization; 2) institute effective control to ensure that these policies and procedures have been developed by the managers/officers and employees and, once adopted, put into practice; 3) document an organizational structure that clearly depicts lines of authority and reporting responsibilities and the operation of an effective communication system at all levels of the Bank organization, and familiarize personnel with this organizational structure; 4) take appropriate measures to ensure that internal control activities are conducted by managers/officers and employees possessing adequate experience and capacity; 5) effectively implement corrective actions or recommendations issued by the internal auditor and/or external auditor, including but not limited to delegation of responsibility to employees for putting these actions and recommendations into effect. c. Control Culture The Board of Commissioners and Board of Directors shall be responsible for upholding a high standard of working ethics and integrity and creating an organizational culture that emphasizes to all Bank employees the importance of the internal control established within the Bank. Specific actions that call for the attention and action of the Bank in creating this control culture include the following: 7

9 1) The Board of Commissioners and Board of Directors must be a role model for all employees, having strong personal commitments to the development of a sound Bank; 2) the Board of Commissioners and Board of Directors must be capable of human resources management that includes processes for employee placement according to skills, knowledge, and conduct; 3) improve the awareness of all Bank employees on the importance of effectiveness in carrying out their individual duties and responsibilities and of employees subsequently communicating any problems that may arise in the course of Bank operations to the appropriate management. To support this control culture, all policies, standards, and operating procedures must be documented in writing and made available to all concerned employees. To strengthen ethical values, the Bank must steer clear of polices and practices that may encourage or provide opportunity for irregularities or violations, such as emphasis on the achievement of short-term targets while neglecting the impact of long-term risks, compensation systems disproportionately based on short-term performance, ineffective segregation of duties, and imposition of overly lenient or excessive sanctions for misconduct. 2. Risk Recognition and Assessment a. Risk assessment constitutes a series of actions by the Board of Directors to identify, analyze, and assess the risks faced by the Bank in the pursuit of its business targets. b. Risks may arise or undergo change in keeping with conditions at the Bank, including but not limited to: 1) changes in the operations of the Bank; 2) changes in organization of personnel; 3) changes in the information system; 4) rapid growth in specific business lines; 5) advancements in technology; 8

10 6) development of new services, products, or activities; 7) merger, consolidation, acquisition, and Bank restructuring; 8) changes in the accounting system; 9) business expansion; 10) changes in laws and regulations; and 11) changes in customer behavior and expectations. c. An effective Internal Control System requires that the Bank continuously recognize and assess risks that may impact the achievement of targets. Assessment of risks must also be conducted by internal auditors, and thus the scope of audit must be broader and more comprehensive. d. This assessment must be capable of identifying the risks faced by the bank and determining risk limits and the techniques for control of the risks. The risk assessment methodology must be used as a yardstick in preparing the risk profile in the form of documented data that can be updated on a periodic basis. Risk assessment must also encompass assessment of quantitative risks and qualitative risks in addition to controllable risks and uncontrollable risks, taking account of costs and benefits. The Bank must then decide whether to take on these risks or avoid risks by cutting back certain business activities. e. The assessment must cover all risks faced by the Bank, whether individual or aggregate risk, encompassing credit risk, market risk, liquidity risk, operational risk, legal risk, reputation risk, strategic risk, and compliance risk. f. Internal control must be appropriately reviewed in the event of discovery of any uncontrolled risks, whether comprising existing or newly emerging risks. The review must be conducted, among others, by means of ongoing evaluation of the influence of each change in environment and conditions and the impact of achievement of targets or effectiveness of internal control on the operations and organization of the Bank. 3. Control Activities and Segregation of Duties Control activities must involve all employees of the Bank, including the Board of Directors. Accordingly, control activities will operate 9

11 effectively if planned and applied for the control of identified risks. Control activities also extend to the establishment of control policies and procedures and an earlier verification process to ensure consistent compliance with these policies and procedures, and represent an integral part of all functions or day-to-day activities of the Bank. a. Control Activities Control activities shall encompass the policies, procedures, and practices that provide assurance to Bank officers and employees that the directions of the Board of Commissioners and Board of Directors of the Bank are effectively implemented. These control activities will assist Board members, including the Board of Commissioners of the Bank, in managing and controlling risks that may affect performance or incur losses for the Bank. Control activities shall be applied at all functional levels according to the organizational structure of the Bank, encompassing at least the following: 1) Top Level Reviews The Board of Directors shall regularly request information and operational performance reports from officers and staff, thus enabling a review of progress against target, for example, the financial statement in comparison with budget. On the basis on this review, the Board of Directors will immediately detect problems such as weaknesses in control, errors in the financial statement, or fraud. 2) Functional Review This review shall be conducted by the Internal Audit Unit on a more frequent basis, and may comprise a daily, weekly, or monthly review. a) review of the risk assessment (risk profile report) produced by the risk management unit; b) analysis of operational data, including data pertaining to risks as well as financial data, by verification of transaction detail and activities against the outputs (reports) generated by the risk management unit; and 10

12 c) review of progress in implementation of the business plan and budget in order to: (1) identify causes of significant variations; (2) determine the requirements for corrective actions. 3) Control of the Information System a) The Bank shall verify the accuracy and completeness of transactions and operate authorization procedures in accordance with internal rules. b) Information control activities may be classified by two criteria: general control and application control. (1) General control includes control of the data center operations, the software procurement and maintenance system, security of access, and development and maintenance of existing applications. General control is applied for mainframes, servers, and user workstations, as well as for internal and external networks. (2) Application control is applied for programs used by the Bank in processing transactions to ensure that all transactions are true, accurate, and duly authorized. In addition, application control must be capable of ensuring that an effective audit process is in place and of checking the integrity of that audit process. 4) Physical Controls a) Control of physical assets shall be carried out to ensure the physical security of Bank assets. b) This activity encompasses the securing of assets, records, and restricted access to computer programs and data files, and compares the value of the Bank s assets and liabilities with the value stated in the controller s records, specifically by means of periodic checks on asset value. 5) Documentation 11

13 a) The Bank shall at least formalize and adequately document its accounting policies, procedures, systems, and standards and the audit process. b) The documents must be updated regularly to depict the actual operations of the bank, and officers and employees must be informed accordingly. c) Documents must always be available on demand for internal auditors, the public accountant, and the Bank Indonesia supervision authority. d) The accuracy and availability of the documents must be assessed by the internal auditor when conducting routine and non-routine audits. b. Segregation of Duties 1) Segregation of duties is intended so that no individual in any position has the opportunity to commit and conceal errors or deficiencies in the course of performing their tasks and duties at all levels of the organization and in all stages of operations. The Bank must comply with this principle of segregation of functions, known as the Four Eyes Principle. 2) If necessary, due to changes in the characteristics of business lines, transactions, and organization of the Bank, the Board of Directors shall be required to establish procedures (powers), including the establishment of a list of officers who may access a high risk transaction or business line. 3) An effective Internal Control System requires segregation of duties and steering clear of assigning powers and responsibilities that could give rise to various forms of conflict of interest. All aspects that may give rise to conflict of interest must be carefully identified, minimized, and monitored by an independent party, such as a Public Accountant. 4) In implementing the segregation of duties, Banks must take measures that include the following: a) designation of certain functions or tasks at the bank that must be segregated or allocated to a number of persons 12

14 in order to reduce risk of manipulation of financial data or misuse of Bank assets; b) this segregation of duties is not restricted to front and back office activities, but is also for control of: (1) approvals for release of funds and realized expenditures; (2) customer accounts and accounts of the Bank owners; (3) transactions in the bookkeeping of the Bank; (4) provision of information to Bank customers; (5) assessment of the adequacy of credit documentation and monitoring of debtors after loan disbursement; (6) other business activities that may give rise to significant conflict of interest; (7) independence of the risk management function at the Bank. 4. Accountancy, Information, and Communications The purpose of adequate accounting, information, and communications systems is to identify problems that may arise and to support exchange of information for performance of tasks in line with individual responsibilities. a. Accountancy 1) Accountancy covers the methods and records for identifying, grouping, analyzing, classification, recording/bookkeeping entry, and reporting of Bank transactions. 2) To ensure that accounting data is accurate and consistent with available data based on the output of system processes, accounting data must be reconciled with the management information system on a regular basis or at least every month. Any variations that arise must be immediately investigated and the problem resolved. The 13

15 reconciliation process must also be documented as part of the requirements for the overall audit trail. b. Information 1) The information system must be capable of generating reports on business operations, financial condition, application of risk management, and legal compliance that support the Board of Commissioners and Board of Directors in the performance of their duties. 2) An effective internal control system shall at the minimum provide adequate and comprehensive internal data/information on financial condition, legal and regulatory compliance of the Bank, market information (external conditions), and any events and conditions necessary for sound decision making supported by proper justification. 3) The Internal Control System shall at the minimum provide credible information on all business lines of the Bank, and in particular significant business lines and business lines with potential for high risk. The information system, including the systems for electronic data storage and use, must be guaranteed security, monitored by an independent party (internal auditor), and supported by an adequate contingency recovery plan. 4) The Bank shall at least organize a contingency recovery plan and a backup system to prevent business failure and the attendant high risks. The procedures, process, and the backup system must be documented and reviewed for effectiveness on a regular basis. To ensure that the entire contingency recovery plan and processes operate effectively, the operation of the process and system must be documented and regularly tested. The Bank must document the regular testing and the Board of Directors of the Bank shall give full attention to weaknesses discovered in the system on the basis of the testing and thereafter take the necessary corrective actions. 5) The Bank at the minimum shall have and maintain an information management system operated in both electronic and non-electronic form. In view of the risks posed by an electronic information system and the use of information technology, the Bank must institute effective 14

16 control of these risks to avoid disruption to business and possible major losses to the Bank. 6) In regard to internal control of the operation of the information system and information technology, the Bank must take account of the following: a) the availability of adequate evidence and documents to support the audit trail. The audit trail process must operate effectively and be documented to ensure the effective and accurate operation of automated processes. The Internal Audit Unit shall be required to assess the effectiveness and accuracy of the audit trail when evaluating the operation of the Bank internal control; b) operation of control for the computer system and its security (general controls) and control of software applications and other manual procedures (application controls); c) anticipation of risk of breakdown or losses caused by factors outside the scope of routine control by the Bank, for which the Bank must have in place a recovery system, contingency plans, and regular checks for the possibility of unforeseeable events (disaster and recovery plan). d) the information system must provide relevant, accurate, and timely data and information that is accessible to stakeholders and presented in a consistent format. e) as part of the recording or bookkeeping process, the information system must be supported by a proper accounting system, including procedures and schedules for retention of transaction records. c. Communications 1) The communications system must be capable of providing information to all internal parties and external parties, such as the Bank supervision authority, external auditor, shareholders, and Bank customers. 2) The Internal Control System of the Bank must ensure that effective communication lines are in place to enable all 15

17 officers/employees to fully understand and comply with the applicable policies and procedures when performing their duties and responsibilities. 3) The Board of Directors must operate effective lines of communication so that needed information is accessible to stakeholders. This requirement shall apply to all information, including established policies and procedures, risk exposures, actual transactions, and the operational performance of the Bank. 4) The organizational structure of the Bank must enable adequate information flows, i.e., bottom-up, top-down, and cross-unit information: a) bottom-up information to ensure that the Board of Commissioners, Board of Directors, and executive officers of the Bank are informed of the risks and performance of Bank operations. These lines of communication must be capable of delivering responses for implementing corrective actions and keeping line management informed accordingly. b) top-down information to ensure that the objectives, strategy, and expectations of the Bank and its policies and procedures are communicated to lower level managers and personnel. c) cross-unit information to ensure that information known to one unit can be conveyed to all other relevant units, in particular for prevention of conflict of interest in decision making and to build adequate coordination. 5. Monitoring Activities and Correcting Deficiencies a. Monitoring Activities 1) The Bank must constantly monitor the overall effectiveness of internal control operations. Priority must be given to monitoring the major risks of the Bank and this monitoring must be incorporated into day-to-day Bank activities, including regular evaluation by both operational units and the Internal Audit Unit. 2) The Bank must constantly monitor and evaluate the adequacy of the Internal Control System in regard to 16

18 changes in internal and external conditions and must improve the capacity of the internal control system in order to raise effectiveness. 3) The measures that must be pursued by the Bank for effective organization of monitoring are at least the following: a) ensure that the monitoring function is clearly established and properly structured within the Bank organization; b) designate a unit/employee assigned to monitor the effectiveness of internal control; c) determine the proper frequency for monitoring activities on the basis of the inherent risks in the Bank and the nature/frequency of changes in operations; d) integrate the Internal Control System into operations and provide regular reports such as the bookkeeping journal, management review, and reports on justification for irregularities for subsequent review; e) review documentation and results of evaluation conducted by units/employees assigned to monitoring duties; f) adopt a suitable format and frequency for information and feedback. b. Functions of the Internal Audit Unit 1) The Bank must conduct an effective and comprehensive internal audit of the internal control system. The internal audit work conducted by the Internal Audit Unit must be supported by an adequate number of independent, competent auditors. 2) As part of the Internal Control System, the Internal Audit Unit must report its findings directly to the Board of Commissioners or Audit Committee (if any), the President Director, and the Compliance Director. 3) The Internal Audit Unit must conduct an independent evaluation of the adequacy of established polices and 17

19 procedures and the Bank s compliance with these policies and procedures. 4) In determining the position, powers, responsibilities, professionalism, organization, and scope of the Internal Audit Unit, the Bank must also follow the guidelines in the applicable Bank Indonesia regulations concerning the Compliance Director and the Standard Practices for the Internal Audit Function (SPFAIB). c. Correction of Weaknesses and Corrective Actions 1) Any weaknesses in internal control, whether identified by a risk taking unit, the Internal Audit Unit, or any other party, must be immediately reported to and receive the attention of the competent officer or member of the Board of Directors. Any material weaknesses in internal control must also be reported to the Board of Commissioners. 2) Improvements that must be made by the Bank to correct weaknesses in internal control include but are not limited to the following: a) each report of weaknesses in internal control or lack of effectiveness in the risk management of the Bank must be immediately followed up by the Board of Commissioners, Board of Directors, and the relevant executive officers; b) the Internal Audit Unit must review or otherwise conduct adequate monitoring of weaknesses that come to light and immediately inform the Board of Commissioners, Audit Committee (if any), and the President Director in the event of any failure to remedy weaknesses or follow up corrective actions; c) to ensure prompt follow up of all weaknesses, the Board of Directors must create a system capable of tracking weaknesses in internal control and taking correcting actions; d) the Board of Commissioners and Board of Directors must receive regular reports in the form of summarized findings of all problems identified in internal control. 18

20 IV. MISCELLANEOUS PROVISIONS In their application of internal control, Banks are required to take into account various aspects of internal control stipulated in other Bank Indonesia regulations, including those set forth in: 1. Decree of the Management of Bank Indonesia Number 27/162/ KEP/DIR and Circular Letter of Bank Indonesia Number 27/7/UPPB, both dated March 31, 1995, concerning the Requirement for Formulation and Implementation of Credit Policy for Commercial Banks; 2. Decree of the Management of Bank Indonesia Number 27/164/ KEP/DIR and Circular Letter of Bank Indonesia Number 27/9/UPPB, both dated March 31, 1995, concerning Use of Information System Technology by Banks; 3. Decree of the Management of Bank Indonesia Number 28/119/ KEP/DIR and Circular Letter of Bank Indonesia Number 28/13/UPPB, both dated December 29, 1995, concerning Derivative Transactions; 4. Decree of the Management of Bank Indonesia Number 31/150/ KEP/DIR and Circular Letter of Bank Indonesia Number 31/12/UPPB, both dated November 12, 1998, concerning Debt Restructuring, as amended by Bank Indonesia Regulation Number 2/15/PBI/2000 dated June 12, 2000; 5. Bank Indonesia Regulation Number 1/6/PBI/1999 dated September 20, 1999, concerning Designation of Compliance Director and Standard Practices for the Bank Internal Audit Function (SPFAIB); 6. Bank Indonesia Regulation Number 3/10/PBI/2001 dated June 18, 2001, concerning Application of Know Your Customer Principles as amended by Bank Indonesia Regulation Number 3/23/PBI/2001 dated December 13, 2001; 7. Circular Letter of Bank Indonesia Number 3/29/DPNP dated December 13, 2001, concerning Standard Guidelines for Application of Know Your Customer Principles; 8. Bank Indonesia Regulation Number 3/22/PBI/2001 dated December 13, 2001, concerning Transparency of Financial Condition of Banks; 19

21 9. Bank Indonesia Regulation Number 5/10/PBI/2001 dated December 13, 2001, concerning Prudential Principles in Equity Participation; 10. Circular Letter of Bank Indonesia Number 5/21/DPNP dated September 29, 2003, concerning Application of Risk Management for Commercial Banks. 20