Privately held companies
The TCC introduced the concept of ‘early risk detection’ as a measure to be taken by an early risk detection committee to foresee and mitigate risks. Privately held companies exceeding certain thresholds and, therefore, subject to independent audit requirements, may be required to immediately form a committee upon written request from an independent auditor if considered necessary. This committee is obliged to issue its first risk determination report within one month of formation.
Privately held companies are also free to adopt risk and compliance management processes inspired by those available at listed or regulated companies (detailed below).
For listed companies, compliance with corporate governance principles stands out as an important requirement of the CMB. As per the comply-or-explain principle, listed companies are required to prepare annual corporate governance compliance reports, annexed to the annual activity reports, and to disclose to what extent they comply with the CMB’s corporate governance principles. These principles deal with a large range of topics including risk management.
Under the TCC, companies listed on the stock exchange are obliged to establish a specialised committee for the early detection of risks or threats jeopardising the existence, development and continuation of the company. These committees must also implement any measures necessary to manage these risks.
Under the Corporate Governance Principles Communique, listed companies, excluding banks, are obliged to establish early risk detection committees. Formation of these committees is not obligatory for banks since internal control mechanisms (explained below) cover this function. Early risk detection committees report to the board of directors once every two months and alert the directors to any potential risks or threats that the company may face in order to allow directors to take any necessary precautions. Under the Corporate Governance Communique, corporate governance and early risk detection committees are the entities that are expected to oversee a listed company’s compliance and risk management practices, and are each composed of a minimum of two members. The board of directors and early risk detection committees must review the effectiveness of the risk management and internal control systems annually.
The risk and compliance management process for banks is regulated in a stricter manner. Accordingly, the board of directors of a bank is obliged to establish efficient and effective internal systems for risk tracking, covering all activities of domestic and foreign branches and consolidated subsidiaries of banks operating in Turkey. Internal systems consist of internal audit, internal control and risk management systems run by the relevant units under the board of directors’ supervision. The duties and responsibilities related to overseeing internal systems may be delegated to a non-executive board member, a committee consisting of non-executive members, or to the audit committee. All of these systems target compliance and risk management issues of the bank.
Internal control units inform the audit committee of information provided by internal control personnel and personnel carrying out operations at intervals no longer than three months.
The internal audit unit focuses on the sufficiency and effectiveness of internal control and risk management systems. Internal audit unit activities will be reported to the audit committee by the relevant manager at three-month intervals. The report is reviewed by the manager and audit committee, and the audit committee then presents the report to the board of directors within 10 days.
The risk management unit deals with the establishment of a risk management system, the design, selection and implementation of risk measurement models and compliance monitoring concerning risk management policies specifically tailored for different types of risks (such as interest rate risk, treasury risk, credit risk, indirect country risk, etc) by the board of directors. These risk types are specified and detailed under the banking regulations.
Insurance company regulations create an obligation of sufficient and active internal systems within the corporate organisation. Accordingly, insurance companies are required to establish internal audit, internal control and risk management systems. Risk management activities are directly reported to the general manager.
In terms of corporate social responsibility, listed companies are encouraged to adopt universal standards in terms of human rights and moral standards regarding the environment, consumer rights and public health, and to combat bribery. They must disclose in their annual report any social responsibility activities that have an environmental or social aspect. The importance of maintaining customer satisfaction as well as product and service quality is specifically emphasised for listed companies under the Corporate Governance Communique.