Information on Risk Management Policies Applied by Risk Type and Related Risk Management Disclosures

Risk management activities at Ziraat Katilim Bank are carried out under the fundamental approach of aligning the risk management function with best practices through the establishment of a strong risk culture and the continuous improvement of systems and human resources.

Risk management activities cover the main categories of credit risk, market risk, operational risk, balance sheet risks and validation. Policies and implementation procedures related to the management of these risks are carried out in accordance with regulations approved by the Board of Directors for each risk type. Due care is taken to ensure that the activities performed are conducted in coordination with the contributions of all units involved in the business lines associated with each type of risk.

Within the scope of the Regulation on Internal Systems and the Internal Capital Adequacy Assessment Process of Banks, the Internal Capital Adequacy Assessment Process (ICAAP) has been established. The objective of this process is to establish and maintain a system that enables the determination of the capital required to cover existing and potential risks, and to assess the level of capital requirement in line with the Bank's strategic objectives. Analyses carried out in accordance with the implementation principles of the BRSA are supported by stress tests and scenario analyses based on various risk categories. In this context, Stress Test and ICAAP Reports prepared with the contribution of relevant units as of each year-end are submitted to the BRSA following approval by the Board of Directors.

Credit Risk

Credit risk refers to the possibility of loss that the Bank may incur due to the counterparty's failure to partially or fully fulfil its obligations arising from an agreement with the Bank in a timely manner.

Credit risk management includes activities related to identifying the credit risks to which the Bank is exposed, as well as defining, measuring, monitoring, controlling and reporting such risks.

Within the framework of the Regulation on Measurement and Evaluation of Banks' Capital Adequacy, the Bank calculates its regulatory credit risk-weighted assets under Pillar 1 using the Standardised Approach. In this context, the amount subject to credit risk is reported monthly to the BRSA on both a solo and consolidated basis. Under Pillar 2, the Bank performs an annual enterprise-wide stress test in line with its plans and scenarios and prepares the annual Internal Capital Adequacy Assessment Process (ICAAP) Report in coordination with Bank management and relevant departments.

Counterparty credit risk refers to the risk that the counterparty to a transaction that imposes obligations on both parties may default prior to the final payment in the cash flow of the transaction. Counterparty credit risk, considered within the scope of credit risk, is calculated and reported monthly using the Standardised Approach for Counterparty Credit Risk (SA-CCR) in accordance with the provisions set out in the Regulation on Measurement and Evaluation of Banks' Capital Adequacy and its annexes. Counterparty credit risk calculations are performed for repo and derivative transactions. In addition, a capital requirement is calculated for Credit Valuation Adjustment (CVA) risk related to all derivative transactions.

Loan loss provisions are modelled in accordance with TFRS 9 and calculated based on the relevant regulatory requirements.

The Leverage Ratio is reported to the BRSA and the Central Bank of the Republic of Türkiye (CBRT) on a quarterly basis.

In order to assess the creditworthiness of customers included in Ziraat Katilim Bank's commercial portfolio, the Company Rating System is used. Credit risk limits and signal values are determined based on customer sector and risk group classifications approved by the Board of Directors, as well as limits and signal values related to the non-performing loan ratio, and these indicators are monitored on a weekly basis.

Market Risk

Market risk is defined as the possibility of loss arising from changes in profit share rates, foreign exchange rates, commodity prices and securities prices related to the positions held by the Bank in its on-balance sheet and off-balance sheet accounts.

In order to identify potential market risks, risk measurement and monitoring activities are carried out, and the results are taken into consideration in the strategic decision-making processes of Ziraat Katilim Bank. The factors giving rise to market risk and the potential effects of such risks are measured and regularly reported to the BRSA.

The amount subject to market risk is calculated and reported using the Standardised Method in order to be included in the regulatory capital adequacy ratio. In addition, within the scope of market risk, Value at Risk (VaR) calculations related to foreign exchange risk are performed daily using an internal model. Back-testing analyses are conducted to measure the effectiveness of the model used.

While conducting its daily activities, Ziraat Katilim Bank monitors signal values within the scope of an early warning process and limits risk levels in order to prevent its financial strength from being significantly affected by increased volatility in financial markets.

Operational Risk

Operational risk refers to the possibility of loss arising from inadequate or failed internal processes, people and systems, or from external events, and includes legal risk. The amount subject to operational risk is calculated using the Basic Indicator Approach.

All employees of the Bank perform their duties with a sense of responsibility, taking into consideration that the principles and practices set out in the Bank's internal regulations, particularly the operational risk policy, aim to establish a working environment that is sensitive to the existence of operational risks and incorporates control mechanisms designed to reduce the likelihood of losses arising from such risks.

Signal values and limits related to operational risks, approved by the Board of Directors, have been established within the framework of internal regulations and are monitored periodically.

Risks arising within the scope of Information Technologies and the actions taken in response are also monitored and included in the reports submitted to executive management regarding operational risk.

Within the framework of the Business Continuity Plan, the Bank has completed Business Impact Analysis studies in which potential risks arising from possible disruptions to operations and their potential impacts are assessed.

In order to ensure the continuity of services received from outsourced service providers, risks arising from such services are evaluated in accordance with the Regulation on Outsourcing by Banks issued by the BRSA.

Balance Sheet Risks

Within the scope of balance sheet risks, the Bank aims to effectively manage risks arising from its assets, liabilities and off-balance sheet items.

As part of balance sheet risk management, risk measurement and monitoring activities are carried out in order to identify liquidity risk, net stable funding ratio risk and profit share rate risk arising from banking book positions that the Bank may face, and the results are taken into consideration in Ziraat Katilim Bank's strategic decision-making processes.

Liquidity risk consists of funding liquidity risk and market liquidity risk.

Funding liquidity risk refers to the possibility of loss arising from the Bank's inability to adequately meet its cash flow requirements, whether anticipated or unanticipated, or to sustain its daily operations without adversely affecting its financial structure.

Market liquidity risk refers to the possibility of loss arising from the Bank's inability to close or offset a position at market prices due to insufficient market depth or excessive market volatility.

Profit share rate risk is defined as the potential decline in value of assets and liabilities sensitive to profit share rate changes, as well as off-balance sheet transactions, resulting from fluctuations in profit share rates.

Except for items monitored in trading accounts and capital-like borrowings considered in the calculation of shareholders' equity under the BRSA's Regulation on Banks' Shareholders' Equity, all on-balance sheet and off-balance sheet items sensitive to profit share rates are monitored within the banking book. The standard ratio for profit share rate risk arising from banking book positions is calculated for the Bank's on-balance sheet and off-balance sheet positions in accordance with the BRSA's Regulation on the Measurement and Evaluation of Interest Rate Risk Arising from Banking Book Positions Using the Standard Shock Method.

Regulatory ratios related to liquidity risk and profit share rate risk arising from banking book positions are regularly monitored. In liquidity risk control, maturity mismatches between sources and uses of funds, the remaining repricing maturities of assets and liabilities in addition to their contractual maturities, the level of primary liquid reserves consisting of cash and cash equivalents sufficient to sustain the Bank's normal daily activities, and the Central Bank liquidity capacity that may be used to address unexpected liquidity needs are monitored. In addition, scenario and sensitivity analyses related to liquidity risk are conducted.

While carrying out daily activities, signal values are monitored within the scope of an early warning process and risk levels are limited through predefined risk limits in order to prevent the Bank's financial strength from being significantly affected by increased market volatility and potential mismatches in cash inflows and outflows. Risk limits are determined by considering the Bank's liquidity position, targeted return levels and risk appetite, and are put into effect upon approval by the Board of Directors.

Modelling and Validation

Within the Bank, TFRS 9 Expected Credit Loss (ECL) calculations are carried out by the Risk Management Department. The models used to calculate the parameters of Probability of Default (PD), Loss Given Default (LGD) and Exposure at Default (EAD) applied in these calculations are reviewed on a regular basis. In 2025, the Rating Model, Probability of Default Model, PD Macroeconomic Model and Loss Given Default Model were redesigned. Following the modelling studies, initial validation processes were performed. In addition, validation studies were conducted for the Company Rating System used in the loan allocation process and the Income Estimation Model used in the credit card limit allocation system. Furthermore, studies were carried out on the creation of a heat map for climate risk and on the Expected Credit Loss impact analysis for certain sectors.