Internal Control Framework

The Bank has developed a comprehensive Internal Control System (ICS), assigning the responsibilities provided by the law and the supervisory authorities -according to the applicable, until today, Act 2577/2006 of the Governor of the Bank of Greece - to independent units and to the BoD Committees.

The ICS is based on sufficiently documented and detailed mechanisms and procedures.

It incorporates the best corporate governance principles and covers, on a continuous basis, every activity and transaction of the Bank, contributing to its effective and safe operation, with a view to:

  • The consistent implementation of the business strategy;
  • The identification and management of the assumed risks;
  • Ensuring the completeness and reliability of information on its financial status;
  • The Bank’s operation compliance with applicable laws and regulatory provisions;
  • Safeguarding its assets, by safeguarding the interests of all stakeholders;
  • Ongoing control of outsourced work and activities (outsourcing).

The Board of Directors has established the Audit Committee, the Risk Management Committee and the Remuneration Committee, as provided for by the institutional and supervisory regulatory framework, in order to support its work and its efficacy.

The Internal Audit, Risk Management and Compliance Units are staffed with people with special qualifications, and operate in accordance with the applicable supervisory framework at each time, supporting the committees and the BoD in its work;

Planned and extraordinary audits of the compliance with the provisions of the supervisory and regulatory framework and the compliance of the Bank’s departments therewith, as well as of the compliance with the Bank’s procedures and operations, are performed by the Internal Audit Unit (IAU).

The IAU reports to the Audit Committee, and through it to the BoD.

The prevention and effective identification of the non-compliance risk of the Bank with the respective legislative and regulatory framework, is the object of the Compliance Unit (CU).

The head of the CU has been also been assigned the special institutional responsibilities of the Anti Money Laundering and Terrorist Financing function.

The Bank places particular emphasis on assessing and monitoring the risks to which it is exposed, as recognized in the Risk Management Strategy, which includes the risk appetite, and is based on a complete understanding and a holistic view of the risks to which [it is exposed].

The Bank regularly reviews its risk management policies and models, in order to integrate market and product changes and to develop more effective strategies.

The most important risks are

  • credit risk;
  • liquidity risk;
  • changes in the value of assets;
  • and the adequacy of supervisory and internal capital at acceptable levels, in order to support its activities.

The following organizational units/committees are significantly involved in the process of planning, monitoring and managing risks, as well as assessing the adequacy of equity in relation to the amount and nature of the assumed risks:

  • The Risk Management Committee and, ultimately, the BoD, are responsible for the development and supervision of the risk management framework. The formulation of a risk-taking and capital management strategy, in relation to the bank’s business targets, and the evaluation of the effectiveness of the risk management policy, as well as the adequacy of equity, in relation to the amount and nature of the assumed risks are assessed by the BoD.
  • The Assets and Liabilities Management Committee (ALCo), which is responsible for the implementation of the approved Risk Management Policies, in line with the respective qualitative and quantitative data and the developments in the business and economic environment, aiming at ensuring a high level of competitiveness and efficacy for the Bank, maintaining the established acceptable risk limits.
  • The Risk Management Unit (RMU) of the Bank, which is responsible for the implementation of the risk management framework. In addition to the assessment of capital requirements for credit risk, it monitors and assesses all risks to which the Bank is exposed and calculates the respective minimum capital requirements. In the parallel, great significance is ascribed to the assessment of the effectiveness of the management of non-performing loans, the reduction of which is a key priority for the Bank.
  • The Finance Division, which manages daily the credit risk, the market risk and the interest rates risk through participation with its recommendations in the approval procedure. One of its significant responsibilities is the preparation and maintenance of the Credit Policy, which, during the approval procedure, is a core tool for the implementation of the Bank's risk appetite.
  • The Lending-Arrears Committees/Boards, the senior bodies in the approval procedure, which make the final decision on the credit risk-taking, by evaluating the relevant recommendations of the competent Lending Division.
  • The Arrears Management Body (AMB), which has been established in compliance with the Executive Committee Acts 42/2014 and 47/2015 of the Bank of Greece for monitoring the Bank’s portfolio in arrears and enjoys the appropriate degree of independence in relation to its other operating structures and, in particular, with the lending and performing loan portfolio management functions.

IT at the Cooperative Bank of Epirus:

The operation of the Bank’s IT systems aims at the secure transmission, processing and storage of the Bank’s critical business information and data. For this reason, special emphasis is placed on the formulation and periodic assessment and update of its IT Strategy, as well as on the formulation and continuous development of a framework of principles for the safe, efficient and smooth operation of its systems and its electronic banking systems, particularly with regard to the organization, development, support and continuous monitoring thereof. A key role in this direction is played by the IT Division, which is a pillar of support of the approved Information Systems Development & Procurement Policy. The IT Steering Committee (IT-SC) is responsible for the overall supervision, the development of the strategy and the separate policies, as well as for the proper IT governance in general.

The Bank recognizes the need for an emergency plan and a recovery plan from a potential disaster and has established a Business Continuity Plan for its IT systems, in order to ensure the continuity of its most critical operations.

In addition, the Bank has an effective Disaster Recovery Plan, which is implemented in cases of catastrophic events that may cause prolonged downtime of a critical system, or even the entire computer center of the Bank.

The Information Systems Security Unit guarantees the security of business information and is responsible for a comprehensive picture of the level of security of the Bank’s systems and the risks arising from their development, integration and operation. It ensures the implementation of the approved Information System Security Policy and for the protection of data from unauthorized access and use.

The Bank manages its other, non-independent operations by means of decisions taken on matters within their competence, through its executive Management (Chief Executive Officer and Executive Director), as well as, in a subsidiary manner, by means of decisions of the Executive Committee (Ex.Co.), through discussions aiming to deepen the specialized knowledge of its members.

The Recovery Plan Steering Committee (RP-SC), through its specialized function assists the work of senior Management as a key tool of the mechanism for the drafting, preparation, monitoring, review and revision of the Recovery Plan.

The Bank, despite its size and the complexity of its activities, seeks to manage all its operations internally. It has developed, regularly reviews and updates its Outsourcing Policy for its business activities, taking seriously into account the impact of outsourcing and the risks involved (operating, including the legal, Information Technology, reputation and concentration risks), while remaining fully responsible for all outsourced services, as well as for the activities and decisions of the Management arising thereunder.