ANZ - 2021 Annual Review

NON-FINANCIAL RISK We are improving how we manage our obligations and operational risks by strengthening our non-financial risk, control, governance and compliance focus in line with our Risk Management Framework. This year, to further enhance non-financial risk management, we have adopted a new taxonomy into our Operational and Compliance Risk Framework. Our Compliance and Operational Risk Strategy provides a comprehensive, proactive and well-planned approach to improving our management of non-financial risk by driving transformation across our processes, policies, systems and people, guided by our purpose and contributing to the bank’s strategic priority to improve the financial wellbeing of our customers. Last year we reviewed our Risk Appetite Statement (RAS) metrics to ensure appropriate coverage of our non-financial risks. The review concluded earlier this year, with the Board Risk Committee approving a collection of over 36 metrics and indicators. This is an increase from 12 prior to the review, and demonstrates the growing importance of non-financial factors in helping inform decisions within our Risk function. We have developed and launched a new tool that streamlines how we capture and report against the RAS metrics, reducing the time it takes from weeks to days. In addition, we developed a purpose-built dashboard to support the proactive management of our risk appetite using trend analysis technology. These changes have provided our Board Risk Committee and management with greater visibility and control over our non- financial risk appetite. FINANCIAL CRIME We continue to improve our financial crime risk management program. We have invested significantly in enhancing data analytics capability for the bank, creating a central Financial Crime Data Hub and Intelligence ecosystem that uses a range of analytical tools, including: • Network and link analysis capability – using these tools we can better detect syndicated crimes and demonstrate a ‘big picture’ view of criminal activity • Dynamic algorithms – using agile monitoring and detection solutions, we can detect changes in customer behaviours, which can assist AUSTRAC and police investigations. Further information on financial crime is available in our 2021 ESG Supplement at EMERGING RISKS Two risks that continue to evolve and that we are paying particular attention to are: Cyber security risk: We take the security of our bank, our customers and our customers’ information very seriously. Cyber security threats continue to be significant and our approach to mitigating cyber security risk involves a range of controls relying on people, technology and process. We are continually testing our defences internally and through independent third parties. We have a very sophisticated cyber security protection capability and have invested heavily in a range of recognised industry practices and technologies, processes and defences. In addition, we are cooperating with our counterparts, governments and associated 1. PACT: P ause before sharing your personal information; A ctivate two layers of security; C all out suspicious messages; T urn on automatic software updates. entities around the world to protect against cyber security threats, which have increased since COVID-19 and the consequent shift to digital banking and remote working. We are now blocking around 16 million malicious emails a month – compared to about four million pre-COVID-19 in October 2019. There has been a significant increase in ‘business email compromise’ (BEC), with cyber scammers targeting transactions and payment systems by intercepting business correspondence. Many of these compromised emails appear to represent existing suppliers, customers and professional advisors such as accountants or lawyers, and request changes to account or payment details. A publication released by the Australian Cyber Security Centre (ACSC) shows total losses for the 2020–21 financial year were approximately $81million, an increase of nearly 15% from the previous financial year. Average loss per successful BEC transaction also increased by 54%. To assist our customers to protect their businesses against these types of scams, we encourage them to take a number of steps including making an organisational PACT1 to protect their virtual valuables. In addition, we are educating our customers on data protection and privacy through focused campaigns, threat intelligence newsletters and cyber security business guide books. CYBER SCAMMERS ON THE RISE Climate change risk: The financial risks associated with climate change remain a key focus. We have set a public ESG target to develop an enhanced risk management framework that anticipates potential climate-related impacts, and associated regulatory requirements, by the end of 2022. To help deliver on this target, a number of work streams have been established, including regulatory monitoring and carbon metrics. A new Climate Advisory and Coordination Forum, which is Chaired by the Group Executive, Institutional and includes the Group Chief Risk Officer, has also overseen the development of an updated climate change statement that will be released prior to our Annual General Meeting. We are continuing to work with our customers to better understand how they are transitioning to a low carbon future. We have now engaged with 100 of our largest emitting business customers to encourage and support them to develop their low carbon transition plans. The majority of the 100 customers recognise climate change risk and have started their transition plan ‘journey’. Some customers have advanced plans towards net zero by 2050. We are using what we learn from this customer engagement to inform how we manage the risks in higher emitting customer portfolios. We are participating in APRA’s Climate Vulnerability Assessment (CVA), which examines the material exposures and financial risks that banks, the financial system and economy may face due to climate risks. APRA’s CVA comprises two stress tests, counterparty assessment and data assessment. APRA intends to disclose the outcomes of the CVA in 2022, which may also be used to inform future supervisory guidance. OVERVIEW HOW WE CREATE VALUE PERFORMANCE OVERVIEW REMUNERATION OVERVIEW SHAREHOLDER INFORMATION 52