ECCB 2025-2026 Annual Report

EASTERN CARIBBEAN CENTRAL BANK ANNUAL REPORT 2025 - 2026

Organisational Effectiveness and Development

Enterprise Risk Management and Governance The Bank’s risk strategy is based on a combination of the Organisation for Standards Organisation's (ISO) 31000 Risk Management Standard and COSO Framework, which is consistent with our ERM Policy Framework. The Bank’s risk appetite describes the extent to which we are accepting risks in realising our strategic objectives. Considering the public impact of our services, we follow a prudent approach with a low to moderate risk appetite. The Board has overall responsibility to ensure that appropriate risk management and internal control systems, designed to identify, manage and mitigate risks, which may affect the achievement of the Bank’s objectives, are in place. The Board also ensures an appropriate risk appetite is approved and consider how the Bank’s longer-term viability may be threatened by the realisation of one or more of these risks. The Board Audit and Risk Committee (BARC) provides structured and systematic oversight of the Bank’s risk management and internal control systems. The BARC reviews and monitor the effectiveness of the Bank’s risk management and internal control systems throughout the year. Risk Management Governance Framework Although the Bank has a generally conservative (Low) risk appetite, it is prepared to make certain financial and operational decisions in pursuit of growth objectives, accepting the risk that the anticipated benefits from these decisions may not always be fully realised. The Bank's acceptance of risk is subject to ensuring that potential benefits and risks are fully understood and appropriate measures to mitigate those risks are established. Each of the Bank’s principal risks is assigned a management owner who is responsible for ensuring adequate mitigating actions are in place

to reduce risks within the agreed appetite.

The Three Lines of Defense model embedded in our risk management practices ensures that these mitigations and internal controls are operating effectively throughout the organisation: ; The first line establishes and maintains appropriate processes for the management of operations and risk and internal control. It ensures compliance with legal, regulatory and ethical expectations. ; Operating from an independent position, the second line provides complementary expertise, support, monitoring and challenge related to the management of risk. ; The third line provides independent and objective assurance and advice to (senior) management on the adequacy and effectiveness of governance and risk management (including internal controls). The third line of defense is provided by the Internal Audit function. The ECCB's enterprise risk management process is embedded across the Bank to support the delivery of its strategic objectives and its annual risk assessment is an integral part of this process. This risk assessment incorporates a Bank-wide evaluation to determine the likelihood of occurrence and potential impact of risks on the Bank at a residual level. A standard risk scoring methodology is utilised to ensure consistency in reporting and evaluation of risks. The output from this process is consolidated to determine the principal risks and uncertainties for the Bank. The Management Risk Committee (MRC) review and validate these risks, providing further input where necessary before submission to the BARC for final consideration and approval.

48