Risk Management

Risk Management

Sabancı Group has adopted corporate risk management principles to maximize stakeholder value by eliminating or minimizing the risks which may threaten the existence, development and continuity of the Group and its sustainability while achieving the strategic goals set out by the Board of Directors of Sabancı Holding.

The Group manages risk in line with its risk appetite through a combination of quantitative and qualitative metrics. In line with the Group’s strategic and financial targets, prioritized risks are handled in accordance with the following risk management strategies: risk avoidance, risk transfer, risk reduction and risk acceptance. The corporate risk management framework includes categories such as identifying, analyzing & measuring, prioritizing, and monitoring of risks. Group Risk operation results are evaluated periodically by the Risk Coordination Committee at the Holding’s senior management level and through the Early Detection of Risk Committee (EDRC) at the Board of Directors level.

Early Detection of Risk Committee and its responsibilities

The Early Detection of Risk Committee (EDRC) is responsible for initially evaluating, identifying, and determining the necessary risk measures and management processes for strategic, operational, financial and compliance risks that can jeopardize Sabancı Holding’s existence, development, and continuity; and informing the Board of Directors of these issues so decisions can be made accordingly. The Committee reviews risk management systems at least once a year. The tolerance and critical levels of each prioritized risk are also reviewed and updated on a yearly basis. Review process includes both quantitative and qualitative approaches such as statistical analysis by historical data, Monte Carlo simulations and incorporating the company’s strategic direction and financial performance targets. In 2022, the Committee convened on six occasions and presented its evaluations to the Board of Directors. Guest participants may be invited to EDRC meetings according to the items on the agenda. Detailed information regarding EDRC members can be found in the Sabancı Holding Management section of this report.

Risk management in Group companies

Risks are managed in line with risk appetite through a combination of quantitative and qualitative measurement metrics. Steps are taken to ensure that Group companies are well prepared to tackle ESG risks. Group companies receive guidance on introducing measures in their business models to eliminate the possible impact of these risks.

At Akbank, Sabancı Group’s banking institution, risk management is conducted in compliance with Banking Regulation and Supervision Agency regulations under the responsibility and supervision of the bank’s Board of Directors. The Board of Directors and senior management are responsible for building up a risk appetite framework and developing risk management policies and strategies. The Board of Directors approves Akbank’s general principles of risk control and risk management, and its limits for all relevant risks and the procedures that Akbank applies in controlling and managing its risks. Board members periodically attend five risk management related committees: Audit Committee, Credit Committee, Executive Risk Committee, Conduct Risk Management Committee, and Information Security Committee.

In addition to these board level committees, the Risk Management Office and the Information Risk Management Office (IRMO), as well as the Internal Control, Compliance and Internal Audit departments report directly to the Board of Directors. Internal methods and risk models are continuously improved upon and developed to ensure effective risk management.

At Sabancı Group’s non‑bank companies, corporate risks are managed by designated risk management officers and company senior management responsible for risk management processes and activities. These efforts come under the supervision of the Board of Directors and related Risk Committees that report to the Board. Group companies report potential risks and prioritized risks to the EDRC and the Board of Directors via periodic reports. The financial, strategic, operational and compliance risks of the subsidiaries are also overseen and supervised by the Risk Directorate, Risk Coordination Committee, and the relevant Group Presidents in the Holding.

Risk Categories

The Risk Management unit is responsible for managing the financial, strategic, operational and compliance risks of Sabancı Holding and providing guidance to Group companies.

Financial Risks

Financial risks include risks that may arise because of a company’s financial position and preferences. This category includes those risks caused by movements in exchange rates, interest rates, equity and commodity prices, as well as management of the investment portfolio, liquidity/cash position, and credit positions. The Sabancı Holding Treasury Management Policy, defining the rules and principals of the company’s investment policy and covering interest, exchange rate and liquidity risks, was prepared and approved in 2022.

The Holding’s Finance and Risk Management teams closely monitor and manage financial risks through various financial indicators on both a company basis and a consolidated basis. These teams ensure that financial risks remain within the set limits.

Strategic Risks

Strategic risks include structural risks that may prevent a company from reaching its short-, medium- or long‑term goals. This category is assessed within the scope of corporate risk, industrial risks, economic risks, regulatory changes (both local and global), reputational risk, and sustainability risk.

At the Holding level, strategic risks are efficiently managed with a long‑term dynamic business lines management approach. Sabancı Holding’s strategic business line management approach is designed to focus on highly profitable and sustainable businesses to create a competitive advantage.

Under Sabancı Holding’s Enterprise Risk Management System, sustainability risks (evaluated as part of the Holding’s strategic risks and having a transversal impact across other risk groups) are defined as the risk of non-compliance with sustainability policies, regulations and international sustainability standards, transition risk arising from investments to align with requirements of a lower‑carbon economy, and physical risks such as financial losses caused by extreme weather events. These risks and the concomitant opportunities arising from them are addressed by the Holding’s Sustainability Roadmap. Sustainability opportunities are integrated into Sabancı Holding’s strategic direction.

Operational Risks

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events such as natural disasters. The Audit Department conducts regular checks of company processes and systems to determine and eliminate these risks. The Information Technology Department manages technology risks – damage to information systems, cyber­attacks, deterioration of data security, data leaks and failure to ensure business continuity – through preventive actions, regular tests and back up plans. Cyber risk insurance is also used by Sabancı Group to ensure an effective level of cyber security and mitigate technology risks.

The Human Resources Department monitors and manages occupational health and safety risks. In 2022, Sabancı Group launched a large-scale crisis management and business continuity initiative in order for the Group to assess the readiness of its internal processes and improve them if necessary.

Compliance Risks

Legal regulations can directly and significantly affect a company’s field of activity, ways of doing business, business model, business portfolio, strategic goals and operating results. Compliance risk occurs when a company faces substantial fines, operational restrictions or disruptions of business operations. Ensuring compliance with all applicable laws, rules and regulations is one of the primary responsibilities of Sabancı Holding. Within the Holding, the Legal and Compliance team is responsible for conducting effective compliance risk analyzes in relation to competition law, sanctions and export controls, third party due diligence and data privacy. Risk Management team monitors the compliance risks in a broader sense. Please read our Compliance page for further explanations.