Globalization, technological developments, and evolving regulations are constantly transforming the nature of risks faced by the banking sector. Adapting to this rapidly changing risk environment is critically important for ensuring long-term sustainable growth, strength financial performance, and the effective management of climate and environmental risks. In this context, VakıfBank regards risk management not only as a compliance tool, but also as a cornerstone that supports strategic decision-making processes under changing market and regulatory conditions, while also covering climate and sustainability risks.

Our risk management activities are carried out in accordance with legal regulations and international best practices, in line with the regulations of the Banking Regulation and Supervision Agency (BRSA). The Internal Audit Department, the Internal Control Department, the Risk Management Department, and the Compliance and Legislation Department — whose duties and responsibilities are clearly defined — work under the supervision of the Audit Committee in a coordinated manner to ensure holistic risk management.

Primary responsibility for risk management lies with the Risk Management Department. In the field of risks stemming from Information Technologies (IT), the Information Security Department is responsible. Within our Bank, a Risk Management Committee is also in place.

Three Lines of Defense

In order to effectively manage not only the first- and second-structural block risks but also sustainability and climate risks, our Bank applies the Three Lines of Defense approach:

First Line: Business units are directly responsible for managing risks in their own operations and in the delivery of products/services to customers.

Second Line: Ensures the identification, monitoring, and reporting of risks. It oversees the development, implementation, and continuous improvement of risk management practices across processes, systems, and the institution. It is responsible for setting control standards to achieve risk management objectives such as compliance with laws, regulations, and acceptable ethical conduct, as well as internal control, information and technology security, sustainability, and quality assurance.

Third Line: The Internal Audit Department, which evaluates and audits the effectiveness of internal systems, provides independent and objective assurance to senior management and the Board of Directors on whether banking activities are conducted in compliance with the Banking Law and other related legislation, as well as the Bank’s internal strategies, policies, principles, and objectives. It also ensures that governance, internal control, and risk management systems are effective and adequate, and reports its findings to the Board of Directors and the Audit Committee.

Risk Culture and Policy Framework

Risk management practices are carried out through policies, action plans, implementation procedures, and limits determined in line with VakıfBank’s risk–return profile and the nature and scope of its activities. These practices cover the identification, measurement, and reporting of risks on both a solo and consolidated basis, as well as the monitoring of total capital requirements and liquidity adequacy associated with risk profiles.

VakıfBank conducts awareness activities to strengthen its corporate risk culture and encourages participation at all levels for the proactive identification and management of risks. Risk management policies and procedures are prepared taking into account national regulations and international standards and are approved by the Board of Directors. In addition, in order to assess the internal and external risks the Bank may face, take necessary measures, and identify opportunities arising from the economic context while ensuring the necessary awareness throughout the organization, various sensitivity analyses, internal scenario analyses, stress tests, and similar studies are also conducted, and the results of these studies are reported regularly.