Introduction and Scope

The Operating Risk Management Policy of Sofisa establishes the guidelines for the nature of the unit responsible for it, and for the respective procedures, attributions and responsibilities.


Operating Risk is the possibility of losses resulting from the failure, deficiency or inadequacy of internal processes, people and systems, or from external events, such as the following:

a) internal and external frauds;
b) labor claims and insufficient safety in the workplace;
c) inadequate practices related to clients, products and services;
d) damage to the institution's own physical assets or to physical assets in use by the institution;
e) events that cause the interruption of the institution's activities;
f) failures in information technology systems;
g) failures in the execution of, compliance with deadlines for, and management of the institution's activities.


Sofisa's Operating Risk Management structure is integrated with Internal Control Management, is subordinate to the Bank's Corporate Governance and Risks office, and includes the Compliance Agents in the various units.

The Internal Control Unit was created mainly to identify, assess, monitor, control and mitigate risks whose occurrence may generate operating losses resulting from failures, deficiencies or inadequacy of internal processes and systems, or from external events.

Roles and Responsibilities

The activities carried out by the Internal Control Unit for operating risk management require the other units to be involved according to their roles and responsibilities:

Picture 2: Roles and Responsibilities of the Internal Control Unit in Operating Risk Management.
  • Board of Directors: evaluates and decides annually on the adjustment or maintenance of policies and strategies, technological options, the operating risk monitoring and management reports and, where applicable, control suggestions.
  • Board of Executive Officers: supervises operating risk management by receiving periodic reports, indicators and action plans; approves the pertinent Policy and corrects, whenever necessary, the methods and mechanisms used in the management.
  • Internal Control unit: supports the Organization by means of mechanisms for monitoring, identifying and assessing operating risks; recommends control improvements; documents and reports to the Board of Directors the results achieved through risk monitoring; promotes the operating risk management culture in order to reduce risk exposure and improve the efficiency of capital allocation; and submits for approval and publishes the regulations related to operating risk.
  • Compliance Agents: review the risk matrices jointly with the Internal Control unit, and under its supervision, so as to embed the concepts of risk monitoring and risk mitigation into the daily routine by means of controls.
  • Auditing: verifies the effectiveness of, and adherence to the rules by, the procedures executed by the units in relation to operating risk mitigation.

Operating Risk Attributions

The Internal Control unit is responsible for the following activities:

a) coordinating and controlling the drafting and maintenance of operating risk matrices, under the responsibility of the managers of each process, with the participation of the Compliance Agents;
b) managing, testing, updating and constantly evaluating the Business Continuity Plan (PCN), with the help of the Technology unit, in order to resolve certain IT aspects (hardware, software, structure, environment, etc.);
c) preparing, maintaining, updating and improving the operating risk loss base, comparing it with the impact and probability of the losses registered in the risk matrices and with the allocation of operating risk capital;
d) drafting the regulatory and management reports inherent to operating risk;
e) drafting and disclosing the operating risk management structure on the intranet and internet;
f) calculating capital allocation in accordance with the prevailing regulations and informing the Controllership Department;
g) updating, disclosing and publishing the Operating Risk Management Policy.

Processes and Procedures

For this purpose, the unit responsible for operating risk management makes use of monitoring mechanisms such as: the Risk Matrix, the loss base, capital allocation, operating risk monitoring (client complaints, as well as notifications and external frauds), Operating Risk Management and the Business Continuity Plan.

Identification, Assessment, Monitoring, Control and Mitigation Mechanisms

Through the matrix review procedure, the Internal Control unit permanently assesses the validity, relevance, adequacy and scope of the existing controls against the risk factors, proposing changes, inclusions or exclusions whenever necessary, in accordance with the analysis performed with the Compliance Agents.

These assessments generate suggestions for improving processes through the Proposed Operating Procedures (POP) mechanism.

In addition, Sofisa has been revising and implementing the Business Continuity Plan, to be adopted in the event that business is interrupted by any kind of threat.

Operating Risk Communication

The annual report prepared by the Internal Control unit is intended to comprise, in addition to a summary of the operating risk management structure, the documentation related to risk management and control deficiencies, which makes it possible to identify the appropriate corrective measures.

Capital Allocation

Sofisa uses the "Abordagem Padronizada Alternativa (ASA)" (Alternative Standardized Approach) and seeks to consolidate its operating risk mechanisms by investing in management and control tools, training, integration of units, analysis of processes and preparation of reports.