In addition to internal control activity as the core of the overall internal control system, Risk Management is the system’s cornerstone. Its main functions are identifying, controlling and mitigating risks, developing the risk management-related policies and internal regulations, measuring and monitoring risks, and offering recommendations as to risk management.

At VPBank, the risk management system is operated to achieve the following objectives: (i) to manage material risks, (ii) to fully identify, accurately measure and regularly monitor material risks in order to prevent and mitigate those risks in a timely manner, (iii) to control risk status with a view to ensuring compliance with applicable risk limits, (iv) to make sure that risk-involved decisions are transparent, clear and consistent with risk management policies and limits, (v) to manage risks at VPBank’s subsidiaries through the Bank’s representatives.


At VPBank, the risk management policies and internal regulations are issued by the Board of Directors (“BOD”). The risk management policies and internal regulations are premised on the following principles:

  • They must be in line with the Bank’s business strategy, control culture, human resources, IT sophistication and management information system;
  • Risk status and risk-involved violations must be reported in a timely manner and there must exist necessary mechanisms for dealing with such violations;
  • Material activities and risks must be capable of being determined and identified; material risks must be managed on the basis of identified risk management strategies and limits, and methods of identification, measurement and control.

VPBank's risk management policies and internal regulations contain the following components:

  • Risk management policies, which include the risk management framework policy and the risk management policy on major risks;
  • Limits for each material risk;
  • Risk identification, measurement, monitoring and control for each material risk;
  • Stress tests;
  • Internal reporting mechanism on risk management;
  • Risk management for new products and operations in new markets.



Risk management is implemented on 3 lines at VPBank, namely:

  • At the First Protection Line ("Layer 1") are Business Units and Operational and Support Units: These are the units that bear risks firsthand and are the first in line to be responsible for managing all operational risks by identifying, controlling and mitigating risks and providing full reports to Layer 2.
  • At the Second Protection Line ("Layer 2") are the Risk Management Division and the Legal and Compliance Division: These units are responsible for developing internal risk management policies and regulations, independently monitoring and controlling the Layer 1 units to ensure that the latter comply with the law, and requiring Layer 1 to take additional measures to prevent and mitigate operational risks.
  • At the Third Protection Line ("Layer 3"): The Internal Audit Division assists the Supervisory Board in assessing risk management work, conducts independent inspections and makes independent assessments of the performance of risk management tasks by Layer 1 and Layer 2, and makes recommendations as to risk management.

The Risk Management Division is the specialized unit responsible for risk management at VPBank, with the following functions:

  • To assist the Risk Council in: (i) making proposals and giving advice on the development and implementation of the risk management policy; implementing and evaluating the risk management policy; formulating, implementing and allocating risk limits; organizing the handling of risk management problems and conducting inspection and assessment of risk management; (ii) monitoring the risk status against applicable risk limits in order to give necessary warnings and identify risks and potential violations of risk limits early;
  • To coordinate with business units and support units (at Layer 1) to fully identify and monitor risks that have arisen;
  • To develop and employ risk assessment methods and models;
  • To control and prevent risks and propose measures for risk mitigation;
  • To comment on risk-related contents in the risk-making process;
  • To construct stress test scenarios.


VPBank’s risk limits are promulgated by the CEO and always ensure that:

  • Regulatory restrictions are complied with for operational safety;
  • Risk limits for material risks are available;
  • They comply with the risk appetite, risk management strategy and total risk-weighted assets allocated to that risk;
  • They are adequate and specific enough to control risks;
  • They are periodically/unexpectedly reviewed and re-evaluated;
  • They are disseminated to related individuals and units.


  • Identification: VPBank is always committed to identifying material risks and interactions between risks, potential risks and causes that would lead to risks.
  • Measurement: Risks are measured at VPBank by determining their short-term and long-term impacts on earnings, capital adequacy ratios and business objectives using certain methods and models. Measurement must always be performed in a timely and accurate manner so that risks can be monitored and controlled.
  • Monitoring: VPBank monitors risk status so that timely assessments can be made, early warnings of potential violations of risk limits can be sent, and timely reports can be made to relevant individuals and units.
  • Control: VPBank controls risk status, transactions and operations within applicable risk limits and takes necessary measures to prevent, mitigate and deal with risks in a timely manner.