OVERVIEW OF THE RISK MANAGEMENT SYSTEM
 
In 2018, the Company's risk management policies and procedures continued to be completed and updated, in line with business practices as well as risks arising from new business operations such as derivative securities. In addition, in order to improve the effectiveness of risk management activities, training activities on risk awareness and risk prevention have been widely provided to all employees. 
 
Risk management activities are carried out seamlessly from top to bottom, initiated by the BOD through the development of business strategy and risk tolerance limits for each type of risk and each specific Business Unit, as follows:
 
To develop a culture of risk management and align it to every employee, whereby each individual engages in and contributes to risk management activities;
 
To develop a strong and transparent corporate governance structure in order to determine accountability of each individual and department in the organizational structure;
 
To develop a mechanism of control and oversight to keep risk within the limits allowed; 
 
To issue documents under the policy framework and methods to identify, measure, control and mitigate key risks.
 
The Risk Management is organized by types of risk in order to ensure a high level of specialization:
 
 
Risk management activities are conducted specifically according to the 5-step process as follows:
 
1. Risk identification
 
Risks are determined based on indicators or areas with exposure to potential risk in the Company's business operations. Input data to determine risks includes:
 
A database of risks that have occurred in business operations and have been identified, reported and detected through Internal Control, Internal Audit, and Independent Audit activities. Based on this data, the Company can assess and predict the risks likely to occur in the future;
 
Analysis of historical data on the risks that have occurred and the likelihood of future risks, to identify areas with high risk exposure. This method contributes to improving risk management by building on experience and lessons from the past;
 
Changes in business strategy and operating procedures, as well as the development of new products, new business activities or the execution of business restructuring;
 
Recommendations and feedback from Government Agencies, Independent Audit, Internal Audit, and Internal Control;
 
Changes in the business environment, policies and laws.
 
2. Risk measurement and assessment
 
SSI uses qualitative and/or quantitative methods of assessment to appropriately measure each specific type of risk. 
 
Quantitative models are prioritized to quantify risks. These models can calculate and estimate exposure values of market risk, settlement risk, operational risk, liquidity risk, as well as others. These risk exposure values are quantified to a specific figure or a specific percentage. A number of typical models used by SSI to measure risk include:
 
Standard models, as stipulated in Circular no. 226/2010/TT-BTC dated December 31, 2010 and Circular no. 165/2012/TT-BTC dated October 9, 2012 issued by the Ministry of Finance;
 
The quantitative VaR (Value-at-Risk) model, used to calculate the maximum level of volatility for a stock or index to be used in derivative transactions, with a predefined confidence level and time period;
 
A stress testing model, used to assess the maximum loss that may occur according to a predetermined scenario, so that the Company can take loss-limiting measures when necessary;
 
Quantitative scoring model and quantitative stock model based on historical data of price and volume volatility;
 
Banks' appraisal and rating models.
 
3. Risk limit identification
 
To ensure that risk is limited to the lowest level of tolerance, as well as to improve the effectiveness of risk oversight, the Company has established a set of risk indicators and limits for key risk exposure.
 
Risk limits are determined by both qualitative and quantitative methods. In particular, the latter has priority over the former. 
 
Limits for each type of risk are determined based on:
 
Data and historical events related to the risks being monitored;
 
Risk appetite and targets of the BOD;
 
Actual operating activities of trading and related business units, based on the views of the unit heads.
 
The Risk Management Director proposes limits for each type of risk, with references to the characteristics of each business department for approval by the CEO. 
 
The CEO proposes the total risk limit as well as specific risk limits for each business unit for approval by the BOD.  
 
4. Risk monitoring
 
Risk monitoring activities are carried out on a daily basis, mainly through risk indicators and limits of the indicators. A number of risk parameters are set and limited automatically on the system, and others based on daily risk management reports in accordance with predetermined forms, or both. 
 
Risk monitoring activities are carried out first by the business departments where the risk-incurring transactions take place, followed by supervision by independent departments including Risk Management, Internal Control and ultimately Internal Audit.
 
When risk positions approach warning levels, Risk Management will issue a warning and request specific measures from the risk-generating business departments, and at the same time coordinate with them to develop an action plan to bring the risk positions back to the safety threshold.
 
5. Risk handling 
 
Risk handling activities are based upon review and assessment of factors such as the severity of the risk to be handled, the frequency of risk occurrences, costs of risk mitigation, risk characteristics, etc. The Company implements a number of basic risk handling measures as follows:
 
Risk tolerance: When the cost of risk handling is significantly higher than that of the losses incurred due to risk exposure, no handling measure is necessary;
 
Risk avoidance: Any activity that could lead to a risk exposure for which the BOD has zero or very low risk tolerance, or that exerts a potentially serious impact on the image and activities of the Company, shall not be carried out;
 
 Risk mitigation: Applying measures to mitigate potential impact on the Company or to minimize the probability of risk occurrences, or both;
 
 Risk sharing: Transferring all or part of the identified risks to another party, such as purchasing insurance (if comparable services are applicable) for operating activities;
 
 Developing a monitoring and risk warning system for timely detection of potential risks and marginal risks for prompt risk handling. 
 
General risk handling process: 
 
 Identifying causes of increased risk positions, and causes of risk generating events;
 
Selecting and developing a handling plan, including specifications of responsible units for implementation, implementation schedule, expected results, resource assessment and planning, and required procedures;
 
Performing risk handling in accordance with the selected plan;
 
Reviewing and updating relevant policies and procedures to avoid similar incidents;
 
Adjusting relevant limits if necessary to align with reality.