Risk Management & Compliance

Risk Management

Sabancı Group has adopted corporate risk management principles to maximize stakeholder value by eliminating or minimizing risks which may threaten the Group’s existence, development and continuity and its sustainability while achieving the strategic goals set out by the Sabancı Holding Board of Directors.

The Group manages risk in line with its risk appetite using a mix of quantitative and qualitative metrics. Prioritized risks are handled under the strategies of risk avoidance, risk transfer, risk reduction and risk acceptance. The Group’s corporate risk management framework includes specific categories, such as the identification, analysis and measurement, prioritization, and monitoring of risks. Group risk operation results are evaluated periodically by the Risk Coordination Committee and the Early Detection of Risk Committee.

Early Detection of Risk Committee

The Early Detection of Risk Committee (EDRC) initially evaluates, identifies, and determines any necessary risk measures and management processes for strategic, operational, financial and compliance risks. The EDRC also informs the Board of Directors about these issues. The Committee reviews risk management systems at least once a year. Tolerance and critical levels of prioritized risks are updated annually. The review process includes quantitative and qualitative approaches – statistical analysis of historical data, Monte Carlo simulations – incorporating the company’s strategic direction and financial performance targets. In 2023, the EDRC convened on six occasions and presented its evaluations to the Board of Directors. Guest participants may be invited to EDRC meetings if relevant to the agenda.

Risk Management in Group companies

Akbank, Sabancı Group’s banking institution, conducts risk management in compliance with Banking Regulation and Supervision Agency regulations under the responsibility and supervision of the bank’s Board of Directors. The Board of Directors and senior management formulate a risk appetite framework and develop risk management policies. The Board of Directors approves Akbank’s general principles of risk control and risk management in addition to limits for all relevant risks and risk management procedures. Board members periodically attend five risk management related committees: Audit Committee, Credit Committee, Executive Risk Committee, Conduct Risk Management Committee, and Information Security Committee.

The Risk Management Office, the Information Risk Management Office (IRMO) and the Internal Control, Compliance and Internal Audit departments also report directly to the Board of Directors. Internal methods and risk models are continuously improved to ensure effective risk management.

At Sabancı Group’s non‑bank companies, corporate risks are managed by risk management officers and senior management responsible for risk management processes. Group companies issue periodic reports on potential and prioritized risks to the EDRC and the Board of Directors. Financial, strategic, operational and compliance risks of subsidiaries are supervised by the Risk Directorate, Risk Coordination Committee, and relevant Group Presidents in the Holding.

Risk Categories

Financial Risks

The Sabancı Holding Treasury Management Policy defines the rules and principles of the company’s investment policy encompassing interest, exchange rate and liquidity risks.

The Holding’s Finance and Risk Management teams closely monitor and manage financial risks through various indicators on both a company and consolidated basis to ensure that financial risks remain within prescribed limits.

Strategic Risks

Strategic risks are assessed within the scope of corporate risk, industrial risks, economic risks, regulatory changes, reputational risk, and sustainability risk.

The Holding manages strategic risks with a long‑term dynamic business lines management approach. This approach focuses on highly profitable and sustainable businesses to create a competitive advantage.

Sabancı Holding categorizes sustainability risks within the framework of strategic risks. Sustainability risks include the potential for non-compliance with sustainability policies, regulations, and international standards in addition to transition risks stemming from investments aimed at aligning with a lower-carbon economy. This risk type also encompasses physical risks, such as financial implications resulting from extreme weather events. These risks and associated opportunities are managed systematically by the Holding to align with its overall strategic direction.

Operational Risks

The Audit Department conducts regular checks of company processes and systems to determine and eliminate operational risks. The Information Technology Department manages technology risks – damage to information systems, cyberattacks, and the like – via preventive actions, regular tests and backup plans. Sabancı Group utilizes cyber risk insurance to ensure an effective level of cyber security and mitigate technology risks.

The Human Resources Department manages occupational health and safety risks. Sabancı Group’s crisis management and business continuity initiative was widened with disaster management studies in 2023.

Compliance Risks

Compliance with applicable laws, rules and regulations is a key responsibility of Sabancı Holding. The Holding’s Legal and Compliance team conducts effective compliance risk analyses in relation to competition law, sanctions/export controls, third-party due diligence and data privacy.

Our standards apply to all Group companies and require acting lawfully, ethically, and in the best interests of Sabancı Group wherever our business operates.

In 2023, Sabancı Group completed its policies and procedures on compliance including third parties and data privacy by consolidating efforts among all strategic business units to facilitate working together and sharing knowledge.

Compliance

Competition and anti-trust

As a Group, we ensure that our companies compete fairly and ethically, in line with competition laws.

Where Group companies are involved in mergers and acquisitions, Sabancı Group conducts a competition risk assessment and ensures mandatory filings are made before the transaction is closed.

Sanctions and export controls

Sabancı Group companies operate in regions throughout the world. This expansive geographic footprint requires dedicated attention to complex trade sanctions and export control laws and regulations that prohibit the import, export or re‑export of certain products and services to or from certain countries or parties.

Policies and procedures are in place to ensure that our business is conducted in compliance with all applicable sanctions and export control regimes.

Third parties

Sabancı Group companies are market leaders in most of their respective sectors and engage with a wide range of third parties, including suppliers, distributors, intermediaries, agents and business consultants. This broad scope of commercial relationships increases the likelihood of Sabancı Group companies being held accountable for non‑compliant activities and behaviors of business partners.

Policies and procedures are in place to assess third-party risks, perform enhanced due diligence where appropriate and take measures and safeguards to mitigate risks.

Data privacy

It is essential for Sabancı Group to protect personal data, confidential information, and IT systems from unauthorized access, use or disclosure. The Data Protection Committee adopts and implements industry best practices to keep pace with emerging developments, providing company‑wide guidance and implementing security measures in collaboration with the cyber security team. Procedures were introduced to govern data loss prevention, information security, cloud computing systems and personal data security breaches. The Group regularly provides privacy training to its employees.