What management systems are in place to deal with operational risks?

Operational risk is defined as any risk arising, directly or indirectly, from the inadequacy or non-conforming performance of internal processes, people, activities or systems, or from external events. Operational risk includes the following risks: control and management risk; legal risk; regulatory risk; human resources risk; information technology risk; procedure risk; model risk; liquidity risk; market risk; and business risk. Bondora’s operational risk management function is overseen by its Chief Financial Officer.

To guard against operational risk, Bondora has developed and implemented guidelines that require (i) appropriate segregation of duties, including the independent authorization of business transactions; (ii) reconciliation and monitoring of transactions; (iii) effective documentation of controls and procedures; (iv) compliance with regulatory and other legal requirements; and (v) periodic assessments of operational risks and the adequacy of controls and procedures in place to address such risks.

Bondora’s internal policy details key risks and includes carefully thought out hedging measures. There is also a separate internal risk-mapping register, reviewed quarterly, that includes a wide range of risks. Risks are evaluated with regard to their potential financial impact as well as their impact on Bondora’s image in the marketplace. Each mapped risk is mitigated through a documented hedging measure.

Mapping operational risks is an integral part of the processes of (i) introducing new products or new versions of existing products; (ii) implementing new IT systems or new versions of existing IT systems; (iii) commissioning new hardware; (iv) commissioning a new physical location; (v) implementing new or altered processes; (vi) altering the organizational structure; (vii) introducing new cooperation partners and agreements; and (viii) outsourcing services to external service providers. Bondora seeks to mitigate the effects of loss events associated with operational risks by developing and updating business continuity plans; through the application of suitable and sufficient crisis management methods; and by executing applicable insurance agreements, if deemed suitable and necessary.

Employees

Employee theft, fraud, misdemeanors and other illicit activities, including mishandling of confidential information; employee negligence in concluding transactions; organized activities by employees; absence or loss of key personnel; and inadequate compliance with occupational health requirements.

Bondora has created a system of authorization and validation to ensure that all activities are performed at the appropriate management level. The hiring of sufficiently qualified and experienced personnel and employee training are critical elements of managing the operational risks associated with the human factor.

Processes

Payment-related errors; omissions in documentation and agreements; service pricing errors; omissions in internal and external reports; nonconformity with statutory requirements; and inappropriate sales and marketing activities.

Bondora has internal rules governing payment-related activities that are designed to minimize the risk of errors in making and receiving payments. All documentation and valid contracts are reviewed at least once a year to minimize the risk of omissions in said documents and contracts; in the event of omissions, the relevant documents or contracts are updated to conform with the statutory requirements and/or actual situations. Bondora constantly monitors the legislative process and, if there are changes in legislation, makes whatever internal adjustments are necessary to ensure its operations conform with the statutory requirements.

Systems

Insufficient technology investment; insufficient systems development and implementation; insufficient system capacity; system disturbances and interruptions, including those of external systems that are integrated with Bondora’s systems; and deficient security and information security (e.g., with regard to the exchange of data between Bondora and external service providers).

Ensuring that agreed procedures are followed helps to mitigate information technology risks. Ensuring that agreed procedures are followed helps to mitigate document and database security risks and those associated with the mishandling of confidential information.

External factors

Criminal activity; external service provider issues (e.g., insufficiently qualified or negligent service provider personnel, potential expiration of service provider agreements); lawsuits and prosecutions (including the potential damage to Bondora Group's reputation stemming from such activities); natural disasters; infrastructure disturbances, including communications network disturbances, power disturbances that affect communications networks and vandalism; political risk; inappropriate or unwarranted supervision by authorities; legislative changes; damage to Bondora's reputation; and damage to the reputation of marketplace lending.

Any criminal activity targeted at Bondora, or the suspicion thereof, will be reported to the police. Ensuring that agreed procedures are followed helps to mitigate operational risks associated with external service providers. Bondora avoids transactions, activities and situations that might damage its reputation. It has an active public relations program designed to explain Bondora Group's activities to the public, including prospective investors and borrowers.