1. In order to fulfil its responsibilities, the Board of the Bank as a Controlling Shareholder must ensure:

1. a. There is a corporate governance framework at Group level with clearly defined roles and responsibilities taking into account the complexity and significance of the individual entities;
2. b. There is an appropriate Group management structure and internal control framework which takes into account the material risks to which the Group and its individual entities are exposed;
3. c. The Group’s corporate governance framework includes adequate policies, processes and controls and addresses risk management across the entities;
4. d. The Group’s corporate governance framework includes appropriate processes and controls to identify and address potential intragroup conflict of interest, such as those arising from intragroup transactions;
5. e. There are Board-approved policies and clear strategies for establishing new structures and legal entities, which ensure that they are consistent with the policies and interests of the Group;
6. f. There are effective systems in place to facilitate the exchange of information among the various entities, to manage the risks of the individual entities as well as of the Group as a whole, and to ensure effective control of the Group;
7. g. There are sufficient resources to monitor the compliance of all entities with all applicable legal, regulatory and governance requirements; and
8. h. There is an effective internal audit function, and in the case of a Bank offering Islamic financial services an effective internal Shari`ah audit function, which ensures audits are being performed on all Group entities and the Group itself.

2. While the Board of the Bank as a Controlling Shareholder must conduct strategic, group-wide risk management and prescribe corporate risk profiles, the individual entities’ management and boards must have appropriate input to their local or regional application and the assessment of local risks. It is the responsibility of the individual entities’ boards, or equivalent in the case of foreign branches, to assess the compatibility of the Group policy with local legal and regulatory requirements.

3. The Board and Senior Management must take into account the financial, legal, reputational and other risks to the Bank from operating through complex or non-transparent structures. Measures to avoid or mitigate these risks include, but are not limited to:

1. a. Avoiding setting up complicated structures that lack economic substance or business purposes;
2. b. Continually maintaining and reviewing appropriate policies, procedures and processes governing the approval and maintenance of those structures or activities, including fully vetting the purpose, the associated risks and the Bank’s ability to manage those risks prior to setting up new structures and initiating associated activities;
3. c. Having a centralized process for approving the creation of new legal entities and dissolution of dormant entities based on established criteria, including the ability to monitor and fulfil each entity’s regulatory, tax, financial reporting, governance and other requirements;
4. d. Establishing adequate procedures and processes to identify and manage all material risks arising from these structures, including lack of management transparency, operational risks introduced by interconnected and complex funding structures, intragroup exposures, trapped collateral and counterparty risk, ensuring that structures are only approved if the material risks can be properly identified, assessed and managed; and
5. e. Ensuring that the activities and structure are subject to regular internal and external audit reviews and Shari`ah audit review in case of providing Islamic banking services.