3 Risk management

Risk policy

As a financial institution, LUKB is confronted with various bank-specific risks: these include default, market, liquidity, operational, compliance, strategic and reputational risks. Sustainability risks (ESG) as well as climate risks and other nature-related financial risks are not a separate risk category, but rather drivers of the risk categories listed above.

Dealing with risks is one of LUKB's core activities. The appropriate management of risk is of great importance. The risk policy adopted by the Board of Directors defines the framework concept for bank-wide risk management in accordance with FINMA Circular 2017/01 ‘Corporate governance – banks’.

In line with its corporate strategy, LUKB endeavours to handle risks prudently. To this end, LUKB defines sustainable risk policy requirements, even if that means it does not follow all the trends. Accordingly, LUKB only engages in transactions for which it can be ensured that the bank has the basis for controlling the associated risks. In doing so, LUKB aims not only to protect its financial strength, but also to preserve its reputation. LUKB continuously develops its staff through regular training sessions so that all employees attach great importance to risk management.

The following information takes into account the qualitative information required by the FINMA Ordinance on Disclosure Obligations of Banks and Securities Firms (DisO-FINMA). Explanations of the credit, market and operational risk approaches applied to the calculation of capital adequacy, as well as quantitative information, can be found in the separate Disclosure Report 2025.

The Board of Directors is the highest governing body in the risk management organisation. It determines the risk policy and defines the risk strategy, risk identification, risk measurement, risk assessment, risk management and risk monitoring as well as the principles of the risk management organisation with regard to the independent Compliance and independent Risk Control functions. It also determines risk tolerance and approves strategic limits for the individual risks within the various risk categories, based on LUKB's risk-bearing capacity. When setting the strategic risk limits, care is taken to ensure that the legally required capital is maintained even if various negative events occur. Risk monitoring and compliance with the risk policy by the highest governing body are ensured by means of periodic and standardised reporting at the appropriate level and by providing immediate information in exceptional cases (for further information, please refer to the explanations in the section on corporate governance ‘Internal organisation’). The Board of Directors reviews the risk policy periodically – at least once a year – and adjusts it if necessary.

The Risk and Strategy Committee of the Board of Directors prepares the basis for decisions to be made on risk policy (principles and structure of the internal control system as well as determining the risk profile, risk-bearing capacity and risk appetite). It also assesses LUKB's overall risk situation and monitors the appropriateness of the risk policy and its implementation. The Risk and Strategy Committee of the Board of Directors defines the risk policy requirements in further detail in corresponding risk sub-policies. These are reviewed periodically – at least every two years – by the Risk and Strategy Committee of the Board of Directors and adjusted if necessary.

The Audit and Finance Committee of the Board of Directors forms an independent opinion on the internal audit, the external auditors, the internal control system (ICS) and the annual financial statements. It monitors compliance with legal and regulatory requirements.

The Group Executive Board is responsible for implementing the risk policy and risk sub-policies and thus for developing adequate systems and suitable processes for identifying, measuring, assessing, managing and monitoring the risks assumed by the Group. This also includes allocating the risk limits approved by the Board of Directors to the individual business areas, delegating the corresponding competencies and specifying the activities of the Risk Control and Compliance functions. The Group Executive Board regularly reviews the appropriateness of the internal control system and thus also the effectiveness of risk management.

Risk Control function

LUKB has a centrally managed risk function that is independent of income-oriented business activities and also performs the Risk Control function. It is responsible for all risks in the Group and has the following duties:

  • Concept: Design of the risk system, the ICS measures in the processes in terms of methodology, principles and requirements as well as the risk-bearing capacity, risk tolerance and risk limits
  • Independent risk control: Control of limits in accordance with risk policy and associated rules. Approval of management instruments and risk models as well as risk assessment of bank changes for the attention of the decision-making body
  • Risk reporting: Reporting on the risk situation and compliance with limits in accordance with the risk policy and associated rules.

Risk Control reports directly to the CEO. It reports quarterly by means of a risk report covering all risk categories to the Group Executive Board, the Risk and Strategy Committee of the Board of Directors as well as to the Board of Directors. A risk assessment and a comparison of the current situation with the corresponding limits are carried out for each risk category. In the event of extraordinary events or limits being exceeded, an extraordinary report (exception report) is sent immediately to the responsible decision makers.

Compliance function

LUKB has a centrally managed Compliance function for the Group that is independent of income-oriented business activities. This supports the Group Executive Board and employees in enforcing and monitoring compliance. The Compliance function identifies and assesses compliance risk and reports on changes in compliance risk as well as on serious compliance breaches. The Compliance function reports directly to the CEO. It reports annually to the Group Executive Board, the Audit and Finance Committee of the Board of Directors as well as the Board of Directors on its activities in the previous reporting period and on the assessment of compliance risk. In the event of extraordinary events, an exception report is sent immediately to the responsible competence levels.

Internal audit

The internal auditors report to the Board of Directors. The Board of Directors approves the risk-oriented annual budget and the annual activity report of Internal Audit. The Audit and Finance Committee of the Board of Directors is responsible for managing Internal Audit. Internal Audit regularly audits the ICS. The audit reports of Internal Audit are considered by the Audit and Finance Committee of the Board of Directors, which, if necessary, initiates further measures in addition to those provided for in the reports.

Internal control system (ICS)

LUKB's ICS, which is defined in its risk policy, encompasses all tasks and processes that ensure the achievement of business policy objectives and proper operations.

The LUKB ICS consists of three levels:

  • First and foremost, the ICS ensures appropriate risk management in all banking processes by systematically identifying, measuring, evaluating, managing and controlling risks.
  • Secondly, the Risk Control and Compliance functions, which are independent of the income-oriented business activities, control the business processes.
  • Thirdly, Internal Audit performs the audit of the entire bank.

Outside the bank's actual risk organisation, an audit firm audits the institution.

Managing risks

Default risks

Default risk (credit risk) refers to the risk of financial loss if a counterparty is unable or unwilling to meet its contractually agreed obligations temporarily or permanently. Default risks can be caused by counterparty-specific factors, disruptions to the settlement process (settlement risk, e.g. settlement risk in foreign exchange transactions) or economic and political difficulties in a country (country risk).

Default risks exist both in the actual lending business (loans, fixed loan commitments and contingent liabilities) and in the interbank and trading business (derivatives such as forward transactions, options and swaps, financial assets and repo transactions).

Methodology and instruments

The lending business is based on the risk sub-policies for non-banks, banks and countries adopted by the Risk and Strategy Committee of the Board of Directors and reviewed if necessary (at least every two years), as well as the accompanying detailed directives. This sets out the target client segments, the main products and their principles, the credit approval and monitoring process, standards and restrictions as well as limits for positions entered into and the ratings applied (for commercial clients, banks and countries).

Default risks in relation to loans to customers

The approval authority for all transactions is determined by the definition of areas of responsibility for the lending business. Depending on the structure of the business, certain loans can be approved directly within the market area (e.g. by client advisors). These transactions are subsequently audited by Central Credit Risk Management on the basis of random checks in order to assess compliance with risk and authority (second opinion). All other lending transactions are only approved after review by Central Credit Risk Management, or Credit Risk Management prepares the lending transactions for approval by the authority level (e.g. for the Credit Committee consisting of the heads of department).

Central Credit Production, which is independent of the client advisors and Credit Risk Management, is responsible for correctly recording data, checking collateral and contracts, suspending limits, the final checking of limit availability and disbursement. In doing so, it ensures that the loan processing also complies with the loan approval requirements.

Companies subject to the obligation to keep accounts are also subject to a rating process by the CreditMaster system (RSN Risk Solution Network AG). In the case of large companies, the key financial figures are supplemented with qualitative assessments of strategy and management. Five rating systems are available, for large companies (production and trading/services), for small companies (production and trading/services), and one for real estate companies. For the purposes of risk assessment and early detection, commercial client credit ratings are periodically updated and assessed on the basis of the annual financial statements to be submitted.

Overdue, impaired or non-performing loans/receivables are (co-)managed by specialists from Special Financing. The aim is to minimise the risk of default. Lending transactions outside the usual standard (exception to policy transactions) require increased attention and a special definition of areas of responsibility as part of the approval process. The Group Executive Board and the Risk and Strategy Committee of the Board of Directors receive a corresponding quarterly report on new business. Exception to policy (EtP) includes loans that do not comply with one or more of the following requirements upon their granting:

  • Loan-to-value ratio outside defined limits (e.g. residential investment properties >75 %, building land >60 %)
  • Affordability outside of defined thresholds (e.g. home financing: imputed costs exceed 34 % to 40 % of net income [depending on the level of net income])
  • Amortisation is below the defined target in accordance with the risk sub-policy for non-banks. The individual property is considered in each case, even if no amortisation would be necessary in a portfolio analysis.

Default risks in interbank business

In interbank business, a multi-level, system-supported limit system is used to manage counterparty risks. This system differentiates between del credere and settlement risks. The amount of the limit depends on the rating of the counterparty and its capital adequacy. The limit system is structured in such a way that adequate diversification of counterparties is taken into account. Depending on the risk situation of the counterparty and the market situation, interbank transactions are settled selectively against collateral (repo). In addition, collateral agreements (Credit Support Annex – CSA) are concluded with the counterparties as part of the ISDA agreements. Compliance with the limits is checked daily.

Country risks

Foreign exposures comprise all assets with a foreign risk domicile at their carrying amount or, in the case of derivatives, at their replacement value plus add-ons. Based on country ratings, management is carried out using a multi-stage limit system that takes account of adequate diversification. Compliance with limits is checked on a monthly basis.

Market risks

‘Market risk’ refers to the loss potential resulting from unfavourable changes in interest rates, share prices, foreign exchange and cryptocurrency rates and real estate prices as well as other relevant market parameters such as volatilities. Market risks are present in both the banking and trading books.

Methodology and instruments

Market risks are managed via the modified duration of the present value of equity (banking book), value-at-risk limits (banking and trading books) and other limits. These are supplemented by periodic scenario analyses and stress tests.

Market risk management is essentially based on the risk sub-policies on asset & liability management (ALM) and trading adopted by the Risk and Strategy Committee of the Board of Directors and reviewed if necessary (but at least every two years), as well as the associated detailed directives.

Market risks in the banking book

Due to LUKB's strong positioning in the interest margin business, interest-rate risk represents a significant risk. Interest-rate risks may arise due to temporal mismatches in the fixed-interest period or the interest rate restatement of assets, liabilities and off-balance-sheet items (interest rate restatement risk) or from changes in the balance sheet structure as well as changes in the interest rates for instruments that have a similar tenor but are valued on the basis of different interest rates (basis risk). Interest-rate risk is managed by the Asset & Liability Committee (ALCO), consisting of the heads of department, at the request of the ALCO preparatory committee. As part of the monitoring activities performed by the Finance department, the interest-rate risk metrics and the draw-down of the defined limits are determined monthly and reviewed by the independent Risk Control function. Callable positions or positions that are due on demand are taken into account in the individual parameters using a replication model that is to be reviewed annually. In addition, a dynamic analysis of the income effect is carried out quarterly based on various scenarios. The results of regular stress tests round off the decision-making basis for managing interest-rate risk. Derivative financial instruments are also used as part of asset & liability management (ALM) to manage and hedge interest-rate risks. For further information on the management of interest-rate risks, please refer to the ‘Interest-rate risks in the banking book’ section of the 2025 Disclosure Report.

In addition to interest-rate risk, other market risks must be managed in the banking book. The foreign currency risk of balance sheet items in the banking book is part of the trading book and is limited by the value-at-risk limits of the trading book (see the following Section ‘Market risks in the trading book’). The risks arising from financial investments and real estate are managed using a limit system (position and loss limits as well as risk spread limits). Financial investments mainly comprise good-quality listed securities traded on recognised markets. The vast majority are interest-bearing securities (see Section 8.5 ‘Financial investments’).

Market risks in the trading book

LUKB maintains a trading book with holdings of securities, foreign currencies, cryptocurrencies, interest-bearing securities and the respective derivatives that are subject to price fluctuations or their volatility. The derivative components and the corresponding hedges of the structured products issued by LUKB also form an integral part of the trading book. In addition, the foreign currency risk of balance sheet items in the banking book is managed via the trading book.

Market risks in the trading book are managed in the Trading & Treasury Services and Structured Products Trading organisational units, while limits are monitored by the independent Risk Control function. The limits are checked daily to ensure they are being adhered to. In addition to volume and sensitivity limits, value-at-risk limits are applied at the level of total trading and at the level of individual trading desks (securities and money trading, foreign exchange trading and structured products) at a confidence level of 99 % with a holding period of one day. The forecasting quality of the value-at-risk model is checked with a daily backtest.

Liquidity risks

Liquidity risk refers to the risk that the bank will be unable to refinance its assets (and increases thereof) or meet its obligations on prevailing market terms. Liquidity risks may arise for the bank as a result of unexpected events. Examples include the unscheduled use of credit limits by clients, outflows of client funds and the cancellation of refinancing limits by counterparties.

Methodology and instruments

Liquidity risks are managed as part of asset & liability management (ALM). Liquidity risk management is essentially based on the ALM risk sub-policy and internal directives adopted by the Risk and Strategy Committee of the Board of Directors and reviewed if necessary (but at least every two years). While the short-term management of liquidity on the money market is the responsibility of Trading, long-term refinancing is carried out in Treasury.

The Finance department periodically determines the utilisation of the limits and targets set by the Board of Directors for liquidity management with regard to the liquidity coverage ratio and net stable funding ratio as well as other liquidity risk parameters and reports these to the ALCO preparatory committee, ALCO, Trading and the independent Risk Control function. The independent Risk Control function reviews the information and reports it to the Group Executive Board, the Risk and Strategy Committee of the Board of Directors as well as the Board of Directors as part of the quarterly risk report. In addition, Risk Control regularly conducts liquidity stress tests together with the Finance department. A contingency plan is in place for unexpected liquidity events.

Short-term and structural liquidity

Through prudent liquidity management, LUKB aims to maintain a solid liquidity position to ensure that it is always able to meet its payment obligations on time. With regard to the development of the liquidity coverage ratio (LCR) and net stable funding ratio (NSFR), we refer to the 2025 Disclosure Report (see Section ‘LIQ1: Information on the liquidity coverage ratio (LCR)’ and ‘LIQ2: Information on the net stable funding ratio (NSFR)’).

In addition to the aforementioned minimum regulatory requirements, the liquidity risk is managed via internal limits and target values.

Operational risks

An operational risk is the risk of financial losses incurred as a result of the inadequacy or failure of internal processes or systems, improper actions or errors made by employees, or as a result of external events.

Methodology and instruments

The operational risks sub-policy, which is reviewed by the Risk and Strategy Committee of the Board of Directors as required (but at least every two years), and the associated guidelines essentially form the basis for managing operational risks.

Operational risks are identified and quantified by means of a structured self-diagnosis carried out by Risk Control with the process owners. They are classified according to loss event categories in accordance with the framework of the Basel Committee on Banking Supervision or FINMA. In order to measure the risks, the potential extent of damage must be determined both under normal circumstances (95 % of the possible risks that can occur in the normal course of business) and in the event of the occurrence of extreme cases (risks with a very high potential for damage and a low probability of an event occurring). Risk Control also maintains a claims database of losses that have occurred.

In order to manage the risk, the possible loss events are divided into four different risk zones. Based on this risk assessment, appropriate measures are then defined to mitigate the identified potential losses.

In accordance with the Operational Risks sub-policy, authority for approving operational risks and their management measures is derived from the risk assessment and, depending on the risk zone, lies with the process owners, the Group Executive Board or the Board of Directors.

Operational risks are managed and the risks and ICS are documented in a specialised GRC tool for which Risk Control is responsible. The persons responsible for performing the controls also send control reports from the inventoried downstream controls directly to Risk Control via the GRC tool.

As part of the risk report, Risk Control reports quarterly on operational risks to the Group Executive Board, the Risk and Strategy Committee of the Board of Directors and the Board of Directors. In addition to the development of operational risks, this includes, in particular, claims and incidents that occur, summary reporting on downstream control activities and key controls as well as other specific aspects of operational risk management such as the measures taken in BCM, operational resilience, cyber risks and model risk management.

Every year, Risk Control also submits all of the risks identified as part of the structured self-diagnosis in a report on operational risks to the relevant competence levels for approval.

Procedures, processes and people

LUKB makes great efforts to implement risk-reducing measures in the areas of process and quality management, information security and internal controls. To this end, a high level of risk awareness, among other things, is promoted at all levels and LUKB employees receive targeted training and development. In addition, all risk-relevant aspects are checked before new products and services are introduced, the development of an efficient early warning system is promoted and the smooth operation of the business is ensured, including in the event of infrastructure failures and disasters. In addition, specialists in independent Risk Control deal with ICT security as well as building and personal security (physical security).

Business continuity management (BCM)

BCM refers to the institution-wide approach for restoring the operation of critical processes in the event of a significant disruption or interruption beyond incident management. It defines the response to significant faults or interruptions.

An annual business impact analysis is used to identify the criticality of the business processes and their underlying critical resources (facilities, personnel, ICT, information and external parties). Based on this, appropriate business continuity plans (BCPs) are drawn up for critical processes. The BCPs define the necessary procedures, recovery options and replacement resources for ensuring continuity and restoring critical processes. The BCPs are documented in a crisis and BCP manual.

The functionality of the BCM is tested annually and improved if deficiencies are identified.

Operational resilience

Operational resilience refers to the bank's ability to restore its critical functions in the event of interruptions within the interruption tolerance. This means LUKB's ability to identify, protect against and react to internal or external risks and possible outages, to restore normal business operations in the event of disruptions and to learn from them in order to minimise the impact of disruptions on the provision of critical functions.

The independent Risk Control function maintains an inventory of the bank's critical functions and their interruption tolerances as well as the connections and dependencies between the critical processes required and their resources to perform the critical functions. Compliance with the defined interruption tolerances is regularly tested using scenario-based tests and exercises. Any weaknesses identified must be assessed and, if possible, remedied by means of additional improvement measures.

The Board of Directors approves the identified critical functions and their interruption tolerances on an annual basis. It also approves and monitors the procedure for ensuring operational resilience by means of an annual report on operational resilience by the independent Risk Control function.

Compliance risks

Compliance risk is defined as the risk of breaches of legal, regulatory and internal regulations, market standards and codes of conduct, as well as the risk of corresponding legal and regulatory sanctions and financial damage. Implementing compliance is one of the management tasks of all line managers. The central Compliance function supports the Group Executive Board and employees in this task.

As part of its risk policy, the Board of Directors determines the Group-wide compliance organisation and compliance risk policy. The Audit and Finance Committee of the Board of Directors assesses and monitors the functionality and appropriateness of the compliance organisation and compliance risk management.

LUKB is involved in individual legal disputes and legal proceedings as part of its ordinary business activities. Adequate provisions are made for these cases. All legal cases are handled in-house by the central Legal department.

Strategy risks

The strategic objectives and orientations are set by the Board of Directors. A strategy risk is defined as the risk of

  • not addressing the strategy process or addressing it in an unstructured manner,
  • pursuing the wrong strategy, or
  • being unable to implement the defined strategy.

Strategy risks are monitored by means of a periodic review of the strategy as part of rolling corporate planning and the corresponding key performance indicators (KPIs) defined in the strategy. The independent Risk Control function reports on strategy risks as part of its quarterly risk report to the Group Executive Board, the Risk and Strategy Committee of the Board of Directors and the Board of Directors.

Reputational risks

Reputational risk refers to the risk that the perceived behaviour of LUKB does not meet the expectations of its stakeholders, resulting in a loss. Reputational risk is identified and assessed on a quarterly basis. If necessary, risk-reducing measures are defined and their implementation monitored. The risk management and control mechanisms mentioned above serve to protect against reputational losses. Key elements include, in particular:

  • the consistent implementation of the mission statement,
  • business conduct that does not result in damage to the good reputation, and
  • open internal and external communication.

The independent Risk Control function reports on reputational risks as part of its quarterly risk report to the Group Executive Board, the Risk and Strategy Committee of the Board of Directors and the Board of Directors.

Stress testing

In addition to the methods and instruments for dealing with risks described above, LUKB periodically conducts overall bank stress tests under the direction of the independent Risk Control function. Scenario analyses are used to determine the impact of changes in various macroeconomic factors. This involves simulating the development of the balance sheet and income statement as well as the main financial indicators over a period of five to ten years. The results of the overall bank stress tests are taken into account in capital planning, among other things.

Based on the overall bank stress tests, a liquidity stress test is also carried out over a period of eight quarters. Intraday stress analyses are also carried out.

The independent Risk Control function reports the results of the stress testing annually to the Group Executive Board, the Risk and Strategy Committee of the Board of Directors and the Board of Directors.