The general principles of the Group’s risk management system

The underlying principles according to which Sberbank and Group members The risk management system is formed at the level of Sberbank and Group members in which Sberbank is the sole participant, shareholder, founder (100% of direct and/or indirect participation), or has a prevailing interest (>50% of direct and/or indirect participation). form the risk and capital management system are defined in the Risk and Capital Management Strategy of Sberbank Group, approved by the Supervisory Board of Sberbank on September 15, 2015.

Risk awareness: The decision to perform any transaction is made only after comprehensive analysis of risks arising in the course of such transaction.

Risk adjusted performance management: The Group evaluates the adequacy of available capital by way of implementing internal capital adequacy assessment procedures (ICAAP). The ICAAP results are used for decision making on business development (formation of the Development Strategy). Priority lines of development and allocation of capital shall be determined using analysis of the risk-adjusted performance figures of individual indicators and lines of business:

Involvement of senior management: The Supervisory Board, the CEO, Chairman of the Executive Board, the Executive Board, other collegial bodies of Sberbank, as well as supervisory boards and executive boards of Group members shall review reports on the level of assumed risks and violations of established risk management procedures, limits, and limitations on a regular basis.

Risk limits: The Group has an effective multilevel system of limits and restrictions, ensuring maintenance of an acceptable risk level, or Group risk appetite.

Allocation of functions, powers, and responsibility: For effective risk management and with due regard to the need to minimize the conflict of interest between risk assumption and limitation and control of risk levels, the organizational structure of Sberbank and Group members is formed proceeding from the allocation of functions and responsibility between Sberbank units and Group members’ units in accordance with the “three lines of defense” principle.

Centralized and decentralized approaches: The Group combines centralized and decentralized approaches toward risk management and capital adequacy to ensure maximum effectiveness.

Use of information technologies: Management of risks and capital adequacy is based on advanced information technologies that improve the quality and promptness of decision making.

Improvement of methods: Risk and capital adequacy management methods are continuously being improved, and procedures, technologies, and information systems are being refined in light of existing strategic objectives, environment changes, and innovations in international practice.

Risk culture: The Group is implementing a project to develop the risk culture to ensure the sustainable and effective operation of the risk management system. This project is aimed at encouraging employees to openly discuss and respond to any existing and potential risks and also at generating an internal mental intolerance toward ignoring or hushing up risks and the risky behavior of other people. Risk culture supplements the formal existing mechanisms and makes up an integral part of the integrated risk management system. Special attention is paid to the behavior of employees as a practical manifestation of risk culture.

Risk-based incentive system: The Group’s labor remuneration system ensures that the amount of employees’ remuneration is in line with the nature and scope of their operations and performance and the level and combination of accepted risks.

Information disclosure: All information required in compliance with regulators’ requirements related to risk and capital adequacy management is subject to disclosure. The scope and frequency of risk information disclosure conform to the requirements of Bank of Russia, requirements for managerial reporting, and requirements for risk information disclosure for all stakeholders.