Overview
Effective risk management is integral to the Bank’s business success. Financial industry players assume appropriately priced risks, and prudently manage them within a well-articulated risk management framework. Our risk management strategy is targeted at ensuring ongoing effective risk discovery and achieving effective capital management. Risks are managed within various levels established by the management and approved by the Board of Directors and its Subcommittees. A comprehensive framework of measurement, monitoring and control policies and procedures is established to enhance the Bank's discovery and management of such risks. This framework and its antecedent processes are reviewed by the Integrated Risk Management Committee (IRMC).
Our risk management philosophy is proactive and forward looking and is clearly communicated throughout the Bank, which is necessary for the creation and evolution of an appropriate risk culture that balances growth and risk. The risk philosophy of the Bank is aligned with its vision, mission, policies and goals in order to ensure efficient resource allocation within an appropriate strategic management framework. Our internal processes ensure that the risk return trade-off is managed within the defined risk appetite.
Risk Governance
The complexity of our business model and the competitive business environment require us to identify, assess, measure, monitor and manage our risks and to optimise capital allocation. A clear risk management framework, policies and organisational structure enable effective management of risk and capital.
Prime responsibility for risk management rests with the Board which has been delegated to Board subcommittees and senior management with responsibility for execution and oversight.
The Chief Risk Officer (CRO), under the supervision of the IRMC, which is a Board Subcommittee, heads the Independent Integrated Risk Management Division (IIRMD) of the Bank. IIRMD functions as a separate division, independent from revenue generating Strategic Business Units (SBUs). New standards for financial institutions introduced by the Basel Committee and the Central Bank of Sri Lanka (CBSL) are integrated into the risk management strategy and framework of the Bank through IIRMD.
Bank’s Risk Profile
Bank of Ceylon (BoC) has a risk profile that is dominated by credit risk. Market risk is negligible in terms of capital allocation, while capital usage for operational risk is in double digits because it is measured with the basic indicator approach of the Basel II guidelines. BoC’s risk profile for the past three years is given below.
LKR million | 2016 | 2015 | 2014 |
Available capital | 109,607 | 92,245 | 79,929 |
Credit risk | 73,608 | 59,816 | 48,955 |
Market risk | 1,987 | 2,529 | 2,689 |
Operational risk | 9,522 | 8,242 | 7,336 |
Regulatory buffer* | 5,320 | – | – |
Total capital usage | 90,437 | 70,588 | 58,980 |
Additional regulatory buffer** | 9,576 | – | – |
Free capital available for expansion | 9,594 | 21,657 | 20,949 |
Credit risk/Total RWA (%) | 87 | 85 | 83 |
Market risk/Total RWA (%) | 2 | 3 | 5 |
Operational risk/Total RWA (%) | 11 | 12 | 12 |
RWA/Total assets (%) | 51 | 45 | 44 |
* Regulatory buffer required by Basel III guidelines as at 31 December 2016 (difference between 10% and 10.625%)
** Regulatory buffer required by Basel III guidelines as at 1 July 2017 (difference between 10.625% and 11.75%)
The Bank continues to pursue the objective of optimising risk and return and therefore, total risk weighted assets as a percentage of total assets continues to increase, reaching the 50% level in 2016. This has greatly helped the Bank to increase profitability. On the other hand, this has taken a toll on capital, while pressure is also building up from the regulatory front in the form of Basel III additional buffers. The Government of Sri Lanka, BoC’s sole shareholder, did subscribe to the capital issue proposed by the Bank during the year under review and has pledged required assistance for future growth plans.
Risk Culture
We seek to foster a strong risk culture throughout the Bank. This helps reinforce the Bank’s resilience by encouraging a holistic approach to the management of the risk return trade-off as well as the effective management of our risk, capital and reputational profile. The Bank considers risks in connection with its business. As such, our risk culture is based on the following principles:
- Risk is taken within a defined risk appetite
- Every risk taken is approved within the risk management framework
- Risk taken is adequately compensated
- Risk is continuously monitored and managed
Participation of all employees is expected in the process of management and escalation of risks. Employees are expected to exhibit behaviours that support a strong risk culture. To strengthen our risk culture, we conduct a number of bank-wide activities. The Board and senior management emphasise the importance of maintaining a strong risk culture. In addition, to enhance knowledge of risk culture, IIRMD undertakes awareness programmes at various intervals.
Three Lines of Defence
Our risk management model comprises Three Lines of Defence (3 LoD) approach. All the business divisions and support units which are the ‘Originators’ of the risks are considered as the First Line of Defence (1st LoD). They ensure that all business activities are conducted in defined control environments.
Developing and reviewing policies, frameworks, tools and processes, establishing the risk appetite and stress testing are carried out by the IIRMD being the Second Line of Defence (2nd LoD) of the Bank.
The Third Line of Defence (3rd LoD) is Bank’s internal audit and compliance which are independent and assure oversight of the robustness of the risk management function.
The 3 LoD model covers the comprehensive integrated risk management approach of the Bank. The lines are independent of one another and are accountable for maintaining structures that ensure adherence to the designed principles at all levels.
The risk profile established by the Bank includes requirements to highlight the established policies/limits, the process for identification, measurement, mitigation, controlling, monitoring and reporting of limits and a list of internal controls for each of the identified material risks for the Bank.
Risk strategy is approved by the Board on an annual basis and is defined based on the strategic business plan, risk appetite and capital plan in order to align risk, capital and performance targets.
Cross-risk analysis and risk reviews are conducted to validate that sound risk management practices and a holistic awareness of risk exist.
All material risk types are managed via risk management processes, including credit risk, market risk, operational risk, liquidity risk, business risk, reputational risk, model risk, strategic risk and compliance risk. Quantifying and allocation of capital for material risks are carried out through various models and measurement tools developed by IIRMD.
Conducting periodic stress testing and escalating the results to senior management, respective committees and the Board is an integral part of the Bank’s risk management process.
Integrated Risk Management Software (IRMS) procured in the year 2015 completed its successful implementation during the current year showcasing a leapfrog enhancement in all risk management functions.
IIRMD ensures that the Bank has a well articulated Disaster Recovery Plan and Business Continuity Plan to provide the escalation path for crisis management.
Strategic planning encompasses the Bank’s philosophy towards risk management and describes broad measures employed to balance risk and performance. This is achieved through formulating a comprehensive risk appetite for all risk types.
Risk Appetite
The Bank’s risk appetite is defined by the Risk Appetite Statement approved by the Board, which is governed by the Risk Appetite Framework. The framework also serves to reinforce our risk culture through the vision of the Board and senior management which is an articulation of risk that we are willing to accept. This is critically important as the Board approves the Risk Appetite Statement and ensures its consistency with the Bank’s risk and strategic goals.
The Bank’s risk appetite considers the various risk types and is operationalised through limits and thresholds, policies, processes and controls. Threshold and limit structure provides a framework in driving risk appetite into our businesses.
The Bank’s Risk Appetite Statement comprises qualitative and quantitative thresholds which are further divided into strategic and business levels. Portfolio risk limits for the quantifiable risk types are cascaded through a top down approach and operationalised through formal frameworks. Other significant risk aspects are guided by qualitative expression of principles.
Critical aspects such as regulatory breaches, damage to the Bank’s reputation, major business disruptions and concerns over due diligence events relating to the Bank’s existence are considered as having zero risk appetite.
In order to ensure that the thresholds emanating from risk appetite are fully risk sensitive to individual risk drivers as well as portfolio effects, we have adopted capital as our primary metric. Capital is also deployed as a core component in our Internal Capital Adequacy Assessment Process (ICAAP). In addition to capital measures various operational level risk limits are in place to fully operationalise the Bank’s risk appetite.
Key Risks | Aspect | Risk Limiting Thresholds |
Credit Risk | Default Risk | Gross Non-Performing Assets |
Credit Risk | Default Risk | Provision Cover |
Credit Risk | Concentration Risk | Single Borrower Limits for Groups and Individuals |
Credit Risk | Concentration Risk | Industry/Sector |
Market Risk | Foreign Exchange Risk | Exposure limits |
Market Risk | Foreign Exchange Risk | VaR limits |
Market Risk | Interest Rate Risk | Gap limits |
Market Risk | Interest Rate Risk | PVBP limits |
Market Risk | Equity Price Risk | Portfolio limits |
Market Risk | Equity Price Risk | VaR limits |
Liquidity Risk | | Liquid Assets Ratio |
Liquidity Risk | | Maturity Gap limits |
Liquidity Risk | | Advances to Deposits Ratio |
Liquidity Risk | | Liquidity Coverage Ratio |
Operational Risk | | Loss limits – Bank-wide, Business unit wise |
ICAAP
The Internal Capital Adequacy Assessment Process is to identify and accurately assess the significance of all the material risks faced by the Bank. ICAAP is an integral part of the management and decision-making culture of the Bank. The risks identified must be quantified by translating these into capital requirement. It is important that the ICAAP, as an activity, remains the responsibility of the senior management and the Board.
ICAAP is a forward-looking and risk based process which includes:
- Assessment and review of the capital needs based on the business plans
- A strategic planning process which aligns risk strategy and appetite with business objectives
- An optimum capital and stress testing framework which also includes specific stress tests to underpin business strategies
- Headroom assessment in terms of the overall capital available and detailed contingency plans
The Bank has identified Credit, Market, Operational, Liquidity and Interest Rate Risk in Banking Book, Reputational, Compliance, Credit Concentration, Strategic Risk and Group Risk as part of its ICAAP.
ICAAP Steering Committee which is headed by the General Manager initiates the ICAAP and Board takes remedial action in case of capital falling short of the targeted levels.
In addition, the Bank has established a stress testing programme to assess the capital requirements and shortfall in stressed scenarios.
Stress Testing
Stress testing describes a range of techniques, qualitative and quantitative, used to assess the vulnerability of the Bank to major changes in the macroeconomic environment or to exceptional but plausible events. The objective of stress testing is to make risks more transparent by estimating the potential losses for the Bank in severe but plausible scenario and assess the capacity of its earnings and capital to absorb potentially significant losses. The Board is primarily responsible for ensuring effective management of the stress testing in the Bank.
Stress testing drives increased risk awareness throughout the Bank and safeguards business continuity by means of proactive management. It assists the Bank in risk identification and control, complementing other risk management tools, improving capital and liquidity planning and facilitating business decision-making.
Stress Testing Process
The Bank would use stress tests in order to understand the risk profile of the Bank under extreme negative market conditions and communicate same to the Board, IRMC, senior management and the stakeholders to facilitate setting up of suitable risk limits, allocating capital for various risks, managing risk exposures and formulating appropriate contingency plans for meeting situations that may arise under adverse circumstances. IIRMD plays a critical role for implementing the stress testing programme in the Bank.
Implementation of stress testing programme:
Activity | Description |
Risk Assessment | The ICAAP Steering Committee is responsible for the identification of material risks for the Bank. |
Stress Testing Plan | Stress tests are conducted on regular as well as ad hoc basis. The regular stress testing is carried out according to the Board approved stress testing policy and ad hoc stress testing is done as and when the situation demands. |
Design Sensitivity Tests, Scenario Framework and Macroeconomic Factors | ICAAP Steering Committee in consultation with the research, finance and business departments develop sensitivity tests for the individual risks, integrated scenarios and macroeconomic scenarios for conducting stress testing. |
Identification of Risk Drivers | Based on the identified material risks, drivers are identified which would lead to the eventual impact. |
Measuring Results | The impact of risk drivers are identified on:
|
Implementation of Stress Testing Programme | On completion of the above activities, the scenarios/sensitivity tests are deployed by ICAAP Steering Committee to get the relevant output for the various material risks identified. |
Aggregation of Results | The results of the stress testing programme would be aggregated across risk categories based on selected scenarios/sensitivity tests for aggregation. |
Review and Reporting of Results | The results of stress testing are presented to the IRMC for review and approval based on which the management action plans would be finalised. |
Application in Management Decision-Making | The stress testing results would be used for the following management level decision points:
|
Credit Risk Management
Credit risk is defined as the potential that a bank borrower or counterparty will fail to meet its obligations in accordance with the agreed terms. Credit risk arising from lending and investment activities accounts for more than 80% of the total risk weighted assets of the Bank. The Bank manages the credit risk inherent in the entire portfolio as well as the risk in individual credits and transactions covering the diversified customer base. The Bank caters to a customer base which spans the country and overseas locations, encompassing individuals, micro, SMEs, large corporates and the state, which have different appetites for credit. The Bank wishes to maximise the risk adjusted rate of return by maintaining credit risk exposures within acceptable parameters. Granting loans and advances being the core business of the Bank, the successful management of credit risk is a critical factor for the Bank’s dominant market position.
Credit Risk Governance
The credit risk governance establishes the responsibility and approach through which the Board of Directors and senior management govern its business and the related credit risk management issues. An effective governance framework ensures the independence of the credit risk management function from the personnel managing the credit origination and administration. Through an effective, Board approved risk governance framework, the Bank seeks to ensure adequate risk oversight, monitoring and reporting of credit risk.
The Credit Committee which is headed by the General Manager of the Bank is the main management level Committee responsible for credit risk management.
The Credit Committee:
- Formulates, reviews and implements credit risk appetite and ensures compliance with the Board approved risk parameters and monitors risk concentrations
- Ensures the Bank’s policies and guidelines in regard to credit risk, incorporates regulatory compliance
- Approves sanctioning of credit up to its delegated authority limit or makes appropriate recommendations to the Board
- Reviews the credit limits from time to time with a view to monitor and ensure maintenance of credit quality
Credit risk management policy lays down the conditions and guidelines for granting, maintenance, monitoring and management of credit at both the transaction and portfolio levels. This policy is consistent with prudent practices, regulatory requirements and nature and complexity of the Bank’s activities.
Credit risk management function is independent from our business divisions and credit decision standards, processes and principles are consistently applied in corporate segment and retail segment.
Business divisions, being the 1st LoD, select customers after carrying out client credit due diligence, which is a key principle of credit risk management.
In order to avoid concentration risk and tail risks, a diversified credit portfolio is maintained by assessing and managing borrower and industry specific concentrations against our risk appetite.
Identification, Assessment and Monitoring
New credit facilities, extensions and any material changes to existing credit facilities are subject to the approval of appropriate delegated authority level.
Credit risk is measured by credit rating which is an essential part of the Bank’s credit process and builds the basis for our risk appetite on an individual and portfolio level. While the corporate borrowers are rated using an array of rating models covering different industries the customers are in, scorecards are used for retail exposures. Procedures are in place to review the large credit exposures by the CRO.
Credit risk is managed by thoroughly understanding our customers, the business they are in, and economies in which they operate. Procedures are also in place to identify the credit exposures for which there may be an increased risk of loss at an early stage.
In order to reduce potential credit losses and to increase the recovery of obligations, credit risk mitigants are applied.
Post sanctioning review of large credit exposures is carried out periodically by the Credit Quality Assurance Unit at IIRMD.
IIRMD measures and tracks the status of the credit portfolio, undertakes impact studies and identifies early warning signals pointing to a deterioration of the financial health of the borrowers. Credit risk management reports are presented to the Credit Committee and the IRMC on a regular basis to ascertain performance and portfolio concentration.
Collateral Management
Collateral is a security in the form of an asset or third-party obligation that serves to mitigate the inherent risk of credit loss, by either substituting the borrower default risk or improving recoveries in the event of a default. While collateral can be an alternative source of repayment, it generally does not replace the necessity of high quality lending standards and a thorough assessment of the debt service ability of the borrower.
The Bank seeks to ensure that the collateral accepted for risk mitigation purposes is of high quality. Documentation for collateral has to be legally effective and enforceable. As the secondary source of repayment, collateral is measured and revalued to minimise losses in an eventuality.
Concentration Risk
Concentration of exposures under various categories including industry, products, geography, sectors, underlying collateral nature and single/group borrower exposures create credit concentration risk.
The Bank monitors credit risk on a portfolio basis to manage concentration risk. Limits have been stipulated on single borrower, borrower group and industry. The Bank’s loan portfolio is diversified across different industries and geographic regions. The Bank has established appropriate limits to maintain concentration risk at an acceptable level and significant concentrations are reported to the Credit Committee, IRMC and the Board for review. Analytical tools are used to quantify the concentration risk of the Bank.
Credit Risk Management Framework
Credit Risk Indicators
Risk Factor | Risk Indicators | Remarks |
Default Risk – Potential loss due to borrower/counterparty unable or unwilling to meet its obligation | [figure] | The Bank’s continuous reviewing and strong follow-up mechanism for speedy recovery of its NPA yielded very good results. |
Default Risk | [figure] | 62% of the credit exposure is collateralised mitigating the default risk. |
Concentration Risk – Credit exposure being concentrated on one or few lending sectors, groups, insufficient diversification | [figure] | Sector exposures are within the risk appetite limits (in absolute terms). |
Concentration Risk | [figure] | Significant concentration on Western Province is mainly due to financing infrastructure projects from which the country and economy would benefit as a whole. |
Market Risk Management
Market risk is defined as the potential for change in the market value of our trading positions. Market risk can arise from changes in interest rates, foreign exchange rates, equity prices and commodity prices. The main objective of market risk management is to optimise the risk reward relationship without exposing the Bank to unacceptable losses.
Market Risk Governance
The Bank has a comprehensive framework for managing the market risk as laid down in the Market Risk Management Policy, along with other policies covering Asset and Liability Management, Foreign Exchange Risk, Liquidity Risk, Limit Management Framework, Stress Testing and Middle Office Operational Manual. These form the basis for structure, processes and controls in line with Basel II Standardised Measurement Method prescribed by the CBSL. These policies provide guidance on:
- Establishing and maintaining an appropriate structure for managing market risk
- Ensuring treasury operations are efficiently and effectively managed
- Establishing appropriate risk limiting thresholds for all areas of treasury activities including trading and investments
- Monitoring and managing impacts arising from the operating environment on relevant parameters, including results of stress testing
The Bank’s market risk consists of the following:
- Trading market risk arises from trading activities of Government Securities denominated in local and foreign currency, equity and foreign exchange as well as in equivalent derivatives
- Traded default risk arising from defaults by counterparties
- Non-trading market risk arises from market movements in our banking book and from off-balance sheet items.
The Asset and Liability Management Committee (ALCO) is the key management committee that is entrusted with responsibility for managing market risk. ALCO comprises key corporate management members and is chaired by the General Manager. The Committee manages these risks through constant monitoring and implementing corrective actions through various mechanisms such as the management of advances, deposits and investment portfolios. Key functions of the Committee include decisions on product pricing, determining the optimum mix of assets and liabilities and stipulating the liquidity gap position and interest rate risk limits, formulating views on interest rates, setting benchmark lending rates and determining the asset and liability management strategy in light of the current and expected operating environment.
The Middle Office function plays a key role in monitoring market risk and is guided by a comprehensive framework of limits stated in the Limit Management Framework and Middle Office Operational Manual approved by the Board.
Identification, Assessment and Monitoring
We gauge all types of market risks by a comprehensive set of risk measures reflecting internal and regulatory requirements. In order to comply with internal and regulatory requirements, risks are measured by several internally developed risk metrics.
Our methodology to manage market risk is the application of risk appetite of which the limit framework is a key component. Value at risk (VaR), Price Value for Basis Point (PVBP), Duration, Stress Testing and Sensitivity Analysis are used for managing all types of market risk at an overall portfolio level.
VaR is a quantitative measure of the potential loss of fair value positions due to market changes that will not be exceeded in a defined period of time and with a 99% confidence level. Currently the Bank uses historical method for VaR calculation. Each portfolio has a separate VaR calculation according to risk types.
Business units are responsible for adhering to the limits against which exposures are monitored and reported. The market risk limits set by Market Risk Management unit and approved by the Board are monitored on a daily, weekly and monthly basis. Limit threshold exceptions are escalated to ALCO, IRMC and the Board.
Market Risk Indicators
Risk Factor | Risk Indicators | Remarks |
Foreign Exchange Risk – Risk arising from foreign exchange position | [figure] | Forex open position of the Bank was well within the Risk Appetite Limit throughout the year |
Interest Rate Risk – Risk arising from bond portfolio | [figure] | The duration of the bond portfolio is monitored regularly to assess sensitivity of bond prices to interest rate changes |
Equity Price Risk – Risk arising from equity price | [figure] | Equity VaR position of the Bank was well within the Risk Appetite Limit throughout the year |
Liquidity Risk Management
Liquidity risk is the risk arising from potential inability to meet payment obligations when they are due or only being able to do so at excessive costs. The objective of the Bank’s Liquidity Risk Management Framework is to ensure that the Bank can fulfil its payment obligations at all times and manage funding risks within the risk appetite.
The Bank’s overall approach towards liquidity risk management is set out in the Liquidity Risk Management and Assets and Liability Management (ALM) Policies which describe the range of strategies to manage liquidity. These include maintenance of sufficient liquid assets, the capacity to borrow from the money markets as well as forms of managerial interventions that improve liquidity. The ALCO which is headed by the General Manager is responsible for the management of liquidity risk.
The Board approves the liquidity and funding strategy of the Bank as well as the risk appetite, based on recommendations made by the ALCO.
Identification, Assessment and Monitoring
The primary method of identification to manage liquidity within the tolerance limits defined by the Bank is the Maturity Gap of Asset and Liability Statement. This analysis is carried out on a regular basis under normal and adverse scenarios.
The Bank strives to develop a diversified funding base with access to funding sources across retail and wholesale via local and overseas channels. The deposit base is diversified across retail, corporate and institutional customer segments.
In the event of a potential or actual crisis such as excessive credit growth, unexpected rollovers or defaults of large exposures and unpredicted deposit outflows the Bank has in place a liquidity contingency and recovery plan to ensure that decisive actions are taken to arrest the situation.
We use stress testing and scenario analysis to evaluate the impact of sudden and severe stress events on our liquidity position.
Liquidity Risk Indicators
Risk Factor | Risk Indicators | Remarks |
Liquidity Risk – Inability to meet obligations as and when they fall due | [figure] | Unencumbered securities available for funding have improved in 2016 indicating a comfortable liquidity position. |
Liquidity Risk | [figure] | Cumulative positive gap is maintained up to nine months by the Bank. Bank maintains positive gaps for all maturity buckets except 9-12 months. |
Operational Risk Management
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. It includes legal risk but excludes business and reputational risk.
It originates from both business and support units of the Bank and is distinct and controlled within the criteria set out in the risk appetite through an effective and efficient system of internal controls.
Bank has strengthened its Operational Risk Management (ORM) capabilities, in line with the 3 LoD model and this is important as we manage day-to-day operational risks and strategic level operational risks.
As 1st LoD, risk owners have full accountability to manage their operational risks within the risk appetite. IIRMD that takes initiative in establishing the Operational Risk Management Framework and bank-wide risk appetite, is also responsible for laying down an appropriate independent controls structure as 2nd LoD. Bank’s Internal Audit and Compliance functions play a pivotal role as 3rd LoD in providing key inputs to further strengthen our operational risk culture.
Bank further enhanced its capabilities in ORM, with the implementation of IRMS. It enables the IIRMD to connect with its widely diversified branch network.
Operational Risk Governance
The operational risk governance establishes the responsibility and approach through which the Board of Directors and Senior Management govern its operational risk management. The Board approved Operational Risk Management Policy, Fraud Risk Management Policy, IT Risk Management Policy and Electronic Banking and Electronic Money Activities Risk Management Policy and procedures define the entire operational risk management governance of the Bank. IIRMD is responsible for identification, measurement, monitoring and reporting of operational risk and also for review of policy frameworks and procedures related to operational risk. It is supported by the Operational Risk Management Executive Committee (ORMEC) and the Fraud Risk Management Committee headed by the CRO. These committees review reports and recommend corrective actions on a regular basis and make amendments to policies and procedures if required. Additionally, IIRMD has oversight responsibility for the Business Continuity Plan and reports to the IRMC on a regular basis on its functioning. The CRO is also a member of the Corporate Information Security Committee chaired by the General Manager, which directs the information security initiatives of the Bank. IIRMD is represented in all new product initiative committees and appropriate sign off is provided prior to implementing new or improved products and processes. Similarly, all system developments, new system acquisitions and upgrades are reviewed by the IIRMD.
Identification, Assessment and Monitoring
IIRMD uses several techniques to identify, assess and monitor operational risks which include Key Risk Indicators (KRI), Risk and Control Self Assessments (RCSA), Internal Loss Data Collection and Analysis, Root Cause Analysis and Lessons Learned Exercises. It also reviews and analyses external events to identify areas of risk and appropriate mitigating activities.
KRIs are a forward-looking operational risk management tool which provides early warning signals. KRIs are used to monitor the operational risk profile and alert the senior management to impending problems in a timely manner. Analyses of KRIs enable the Bank to monitor its control culture and business environment and enforce risk mitigating actions.
RCSA is a methodology that involves review and assessment of the operational risks across the Bank and the internal controls designed to manage those risks. IIRMD conducts RCSA in critical business and support units periodically to assess risk.
Loss Data Collection and Analysis, which has been strengthened during the year with the implementation of IRMS, captures operational risk loss events on a continuous basis, enabling timely updates from our geographically scattered branch network. Loss data reports are evaluated, reviewed and aggregated by IIRMD and escalated to ORMEC for recommendation to IRMC and the Board to take appropriate actions on a regular basis.
A Lessons Learned Process is activated for events including near misses and threats from the FINTECH environment, as a preventive and remedial action taken to mitigate these critical risks. IIRMD will act promptly to send alerts to the branch network if threats are found to be from the external environment.
Control and Mitigation
The Bank has in place a policy and procedure framework for managing operational risks. These include segregation of duties, clear management reporting lines, robust internal controls and business continuity management together with more targeted actions such as insurance, information security and outsourcing. Insurance instruments are used as a risk transfer strategy to mitigate high severity risk from non-controllable sources.
In accordance with the Business Continuity Management Policy all critical business and support units have developed their own Unit Business Continuity Plans. Three test runs were successfully completed during the year under review and detailed results were reported to relevant authorities. A fully-equipped disaster recovery centre is in place outside Colombo city limits with alternate arrangements to facilitate continuing key operations in the event of various predefined disaster scenarios.
Legal risk is assessed by ORMEC with the assistance of the Chief Legal Officer for legal implications arising from the Bank’s operational risk issues.
Risk Factor | Risk Indicators | Remarks |
Loss data management | | |
Strategic Risk Management
Strategic risk arises from the Bank’s inability to implement appropriate business plans, strategies, decision-making and resource allocation, and to adapt to changes in the business environment. The Bank operates in a highly competitive, dynamic and regulated environment. Inability to respond to frequent changes and demand for business will adversely affect the profitability and liquidity. The Bank’s strategic direction is well articulated in the Corporate Plan and the Corporate Budget. The Bank has in place a robust mechanism to ensure the congruence of the actual performance with the strategic direction. As part of the Bank’s ICAAP, strategic risk is assessed using a scorecard-based model.
Strategic Risk Index 2016
Risk Indicator | Weighted Score |
Industry/System | 7.50 |
Competition | 17.19 |
Strategic Plans | 12.19 |
Access to Capital Markets | 5.63 |
Management | 8.44 |
Total | 50.95 |
According to the strategic risk scorecard parameters, strategic risk is low for the Bank.
Reputation Risk Management
In a volatile global marketplace, where media coverage is almost simultaneous across the world and where reputation is seen as a key source of competitive advantage, trust and confidence are understood to be the key business drivers. For a bank which deals with public money, reputation is a source of strength. Reputation risk management can be a matter of corporate trust and also serves as a tool in crisis prevention. The Bank is therefore dedicated to managing reputation risk by promoting strong corporate governance and risk management practices at all levels.
The Bank has not faced any material adverse publicity, deposit runs or regulatory penalties and has created a strong brand recall in the minds of all stakeholders. The Bank uses a scorecard approach to assess the reputation risk.
Reputation Risk Index 2016
Risk Indicator | Weighted Score |
Operational loss events | 14.58 |
Business loss events | 5.00 |
Market perception | 23.33 |
Management | 12.50 |
Total | 55.41 |
The results of the scorecard show lower risk for reputation risk. The consistent positioning of BoC as the leading brand in the country provides a high degree of comfort on the Bank’s ability to manage this risk.
Readiness for Basel III Implementation
Consistency in the adoption and implementation of Basel standards is critical to improve the flexibility of the banking industry, promote public confidence and encourage a predictable, comparable and transparent regulatory environment for banks.
CBSL has issued the directions on capital requirement under Basel III which shall be applicable to every Licensed Commercial Bank (LCB) and Licensed Specialised Bank (LSB) incorporated in Sri Lanka, from 1 July 2017.
Accordingly, the Bank has developed and implemented a strong and sound ICAAP in accordance with the requirements specified in the Regulatory Framework. The Bank’s capital augmentation plan supports maintaining adequate capital to cover its exposures to all risks and preserving additional buffers considering the three-year plan of regulatory requirements. The Quantitative Impact Studies (QIS) carried out by IIRMD assist the ongoing analytical and monitoring process of capital requirement.
The initially implemented IRMS plays a comprehensive role in facilitating implementation of new regulatory requirements. This complements the development of a method of computing capital and also contributes to MIS requirements in adopting regulatory standards.
Compliance Risk
Compliance risk is the threat posed to the Bank’s financial, organisational, or reputational standing resulting from violations of laws, regulations, rules, codes of conduct or self-regulated organisational standards of practice applicable to the banking activities.
Compliance laws, rules and standards generally cover matters such as observing proper standards of market conduct, managing conflicts of interest, treating customers fairly, and ensuring the suitability of customer advice. They typically include specific areas such as the prevention of money laundering and terrorist financing.
In this connection, to strengthen the Compliance Risk Management Programme, the Bank has implemented a robust framework which clearly identifies and assesses risks, implements and monitors controls, and mitigates and eliminates the gaps/deviations across all levels of operations. Further, the Bank has Board-approved comprehensive Compliance and Anti Money Laundering/Combating Financing Terrorism policies embedded into the Bank’s strategic plan which is communicated to each member across the Bank.
We at Bank of Ceylon strongly believe that managing compliance risk effectively maximises the Bank’s opportunities in the market and enhances our competitive advantage through building trust. It helps us to protect our hard-built reputation, lower the cost of capital, reduce costs and mitigate the risk of investigations, prosecutions and penalties because we do the right things the right way.
Compliance Function
The Compliance Function has been set up in the Bank with the appropriate level of standing, authority and independence. It has been endowed with substantial resources to manage the compliance risk effectively amidst the proliferation of global regulations.
The prime responsibility of the Compliance Function is to assist the Board and the senior management to effectively manage the compliance risk faced by the Bank through advising them on the compliance laws, rules, regulations and the new developments, educating the staff and acting as a central contact point in handling compliance related queries from the staff.
The Compliance Function, on a proactive basis, identifies, documents and assesses the compliance risks associated with the Bank’s business activities, including the development of new products and business practices, new types of business or customer relationships, or material changes in the nature of such relationships.
To achieve this, the Compliance Function has a Board-approved risk-based compliance programme subject to oversight by the Head of Compliance which ensures the adherence across the business.
Automation of AML/CTF Activities
The Bank has implemented an automated Financial Crime Detection System – AMLOCK by 3i-infotech since the end of year 2014 which facilitates the Know Your Customer (KYC), Sanction Screening, Transaction Monitoring, Customer Risk Profiling and Regulatory Reporting requirements. In addition to the above, the Bank has procured the inbuilt solution from SWIFT to screen the outward remittances in real time. However, to further strengthen the AML/CTF activities of the Bank in parallel to the Risk Based Approach (RBA) by the Financial Intelligence Unit (FIU) of the Central Bank of Sri Lanka (CBSL) and to be on par with the global standards, the Management has approved the procurement of a new comprehensive real time AML/CTF system and plans to complete the implementation within the year 2017.
FATCA Compliance
The Bank has become a Participating Foreign Financial Institution (PFFI) under the Foreign Account Tax Compliance Act (FATCA) with effect from 30 June 2014 under the Global Intermediary Identification Number (GIIN) WH2Q9Y.00000.LE.144.
The GIINs of the other overseas branches are as follows.
Branch | Country | GIIN |
Chennai | India | WH2Q9Y.00000.BR.356 |
Male | Maldives | WH2Q9Y.00000.BR.462 |
Seychelles | Seychelles | WH2Q9Y.00000.BR.690 |
Organisation Structure
A senior executive management staff member has been designated as the Head of Compliance who spearheads the Compliance Function, an independent, dedicated unit which ensures the proper adherence of the compliance framework across the Bank. The Compliance Division comprises two separate units namely – Regulatory Compliance Unit and the Anti-Money Laundering/Combating Financing Terrorism Unit.
The Head of Compliance reports directly to the Board Integrated Risk Management Committee on a monthly and quarterly basis, including any changes in the compliance risk profile based on relevant measurements such as performance indicators, summarises any identified breaches and/or deficiencies and the corrective measures recommended to address them, and reports on corrective measures already taken.
In terms of the duties and responsibilities assigned to it, the Compliance Function has the right to carry out work on its own initiative across the business where compliance risk may exist, conduct investigations on possible breaches of compliance framework and to communicate with any staff member and obtain unfettered and direct access to any records or files necessary to continue with the investigations.