Bankers to the Nation

Risk Management

Download Center

Key Risk Indicators

Risk is inherent in a bank given the nature of banking operations. Prudent management of risk is therefore, imperative to manage the security and stability. To be effective, this needs to be done within a defined framework with clearly defined systems and procedures. The risk management framework of BoC is proactively focused to identify and manage such risk backed by prudent allocation of capital. A rigorous risk governance structure and risk appetites are laid down by the Management and approved by the Board of Directors; it is implemented through a system involving management committees and Board subcommittees.

The vision, mission, strategies and goals of the Bank are the bedrock which decides the risk philosophy of the Bank. The risk appetite, which is the degree of risk the Bank is willing to take has been defined. A rigid quantitative framework with monitoring and control policies is in place to proactively identify and manage risks. Our risk management policies and procedures are clearly communicated throughout the Bank, which is necessary to ensure that they are successfully implemented. All internal stakeholders have been made aware of the need to balance risk and return. This risk return trade-off has to be managed within defined risk limits.

Governance Structure

Organisational arrangements have been made to strengthen the risk management function of the Bank. The Chief Risk Officer heads the Independent Integrated Risk Management Division (IIRMD) under the supervision of the Integrated Risk Management Committee (IRMC) which is a Board Subcommittee. Thus, the IIRMD is independent of the revenue generating Strategic Business Units (SBUs) which guarantees that it is organisationally well-placed to perform its functions.

Bank’s Risk Profile

Since lending is the major component of the balance sheet, the highest capital charge has been allocated to credit risk. In terms of capital allocation, market risk is comparatively low compared with credit risk and operational risk. BoC’s risk profile for the past three years is given below:

	2017 LKR million	2016 LKR million	2015 LKR million
Available capital	125,460	104,858	92,245
Credit risk	89,818	73,482	59,816
Market risk	922	1,987	2,529
Operational risk	10,270	9,504	8,242
Total capital usage	101,010	90,437	70,588
Additional regulatory buffer*	9,671	9,559	–
Free capital available for expansion	14,778	5,015	21,657
Credit risk/Total RWA	89%	86%	85%
Market risk/Total RWA	1%	2%	4%
Operational risk/Total RWA	10%	11%	12%
RWA/Total assets	44%	51%	45%

*Regulatory buffer required by Basel III guidelines as at 1 July 2017 (In 2016, difference between 10.625% and 11.75% and in 2017, difference between 11.75% and 12.875%).

Risk Culture

Having a comprehensive risk culture throughout the Bank has become a necessity in the banking landscape today. The Board and the senior management’s guidance are paramount in inculcating the risk culture among our staff. This includes awareness of the risk return trade-off as well as the management of all aspects of risk and capital. Risks are assumed within a defined risk appetite and approved within a defined risk management framework, which takes return into account. Risks have to be continually monitored and managed as their complexion could change rapidly for example due to changes in market or industry conditions.

In order to inculcate a deeply rooted risk culture in the Bank IIRMD has taken steps to educate the new recruits and also continuously update the knowledge of the existing staff in the area of evolving risk management. We strive to solicit the participation of all employees in the management of risk, and they are encouraged to escalate risk concerns when appropriate.

Three Lines of Defence

The Bank has a well-structured risk management model which is based on three lines of defence which are independent of each other. Each line of defence is executed by different organisational units. The first line of defence consists of the business divisions and support units from whose activities the risks arise. IIRMD being the second line of defence develops frameworks, policies, procedures and establishes risk appetite. Periodical stress testing and continuous monitoring are also an integral part of the second line of defence. The third is the Audit and Compliance functions which offer an independent oversight.

Risk Management Process

The probability of occurrence of negative events and the potential cost of such negative events demands a well-established risk management process in place. Our risk management process consists of identifying, measuring, monitoring, mitigating and reporting of risks. A set of internal controls have been developed to manage the material risks of the business.

Risk strategy is defined based on the strategic business plan and the Board-approved risk appetite and capital plan align risk, capital and performance targets of the Bank annually. It will need to strike a balance between risk, profitability and availability of capital. The risk management process has to address diverse types of risk such as credit risk, market risk, operational risk, reputational risk and strategic risk individually and holistically. Quantifying risks and the resulting capital requirements are carried out through quantitative models and tools developed by the IIRMD. The Bank conducts periodic stress tests to evaluate the Bank’s resilience under unfavourable scenarios which are bank and macro specific. The stress tests focus on all material risks such as credit, market, operational and liquidity. The results of such tests are escalated to the management and the Board for their vigilance of possible threats.

The degrees of risk that the Bank is willing to take are spelt out in detail in the risk appetite statement, which is approved by the Board. This in turn is governed by the risk appetite framework, which is a broad articulation of the Bank’s risk culture, also approved by the Board and the senior management which is aligned with the goals and strategies of the Bank. Thresholds and limits, which maybe qualitative or quantitative, for various types of risks act as a control mechanism. Policies, procedures and controls operationalise the risk management process. The thresholds and limits are further divided into strategic (organisation-wide) level and business (by division or product) level. Higher level risk limits are cascaded down to a more granular level and are operationalised through organisational structure frameworks.

Critical aspects such as regulatory breaches, damage to the Bank’s reputation, major business disruptions and concerns over due diligence events relating to the Bank’s existence are considered as having zero risk appetite.

To ensure that the thresholds emanating from risk appetite are fully risk sensitive to individual risk drivers as well as portfolio effects, we have adopted capital as our primary metric.

Internal Capital Adequacy Assessment Process (ICAAP)

The purpose of the ICAAP is to identify and assess the risks the Bank is exposed to ascertain how the Bank is mitigating these risks and how much capital is necessary for the smooth implementation of its strategic business plans. The ICAAP is an integral part of the management and decision-making culture of the Bank. The risks identified must be quantified by translating these into capital requirements. The Bank has identified: credit, market, operational, liquidity, interest rate risk on banking book, reputational, compliance, credit concentration and strategic risk on both the Bank and the Group basis for the purpose of ICAAP.

ICAAP is a strategically forward looking process which includes the following:

Assess and forecast capital needs based on business plans and statutory requirements. In this year the implications of Basel III made a major impact especially by way of increased capital and liquidity requirements.
A strategic planning process which aligns risk strategy and appetite with business objectives. A balanced capital and stress testing framework which includes specific stress tests to underpin business strategies.
Headroom assessment in terms of available capital and contingency plans.

Stress Testing

Stress testing is a process of simulating financial consequences under unfavourable macroeconomic circumstances or other exceptional, but plausible events. Through this we can gauge the ability of the Bank to withstand such situations. Stress testing promotes awareness of risk among all who are involved in its management and control. In addition, it promotes capital and liquidity planning and facilitates business decision-making.

Stress Testing Process

The Board is primarily responsible for effective stress testing within the Bank. The results of stress tests are also conveyed to senior management, IRMC and the Board. It facilitates setting of risk limits, allocation of capital for different risks, managing of risk exposures and formulation of contingency plans for adverse situations. The Bank’s Stress Test is conducted according to the Board approved Stress Testing policy. Testing has been made more stringent in view of the increasing volatility of the macroeconomic environment and group-wide stress testing too has been included. Highly vulnerable portfolios are being stressed on a daily basis and results are escalated to the senior management.

Implementation of Stress Testing Programme:

Activity		Description
Risk assessment		The ICAAP Steering Committee is responsible for the identification of material risks for the Bank.
Stress testing plan		Stress tests are conducted on regular as well as ad hoc basis. The regular stress testing is carried out according to the Board-approved stress testing policy and ad hoc stress testing is done as and when the situation demands.
Design sensitivity tests, scenario framework and macroeconomic factors		ICAAP Steering Committee in consultation with the research, finance and business departments develop sensitivity tests for the individual risks, integrated scenarios and macroeconomic scenarios for conducting stress testing.
Identification of risk drivers		Based on the identified material risks, drivers are identified which would lead to the eventual impact.
Measuring results		The impact of risk drivers are identified on: Capital Liquidity Profitability
Implementation of stress testing programme		On completion of the above activities, the scenarios/sensitivity tests are deployed by ICAAP Steering Committee to get the relevant outputs for the various material risks identified.
Aggregation of results		The results of the stress testing programme would be aggregated across risk categories.
Review and reporting of results		The results of stress testing are presented to the IRMC for review and approval, based on which the management action plans would be finalised.
Application in management decision-making		The stress testing results would be used for the following management level decision points: Risk Appetite Planning Capital Planning Liquidity Management

Credit Risk Management

Credit risk is the possibility that the counterparty to a credit transaction will fail to meet his obligations in accordance with the agreed terms. This may take the form of delay in payment or complete default. The credit risk arising from the Bank’s lending and investment activities accounts for approximately 80% of total risk weighted assets of the Bank. Credit risk is managed at transaction level and portfolio level covering the default risk and the concentration risk of the counterparties, business sectors or geographical region.

The Bank has an extremely large and diverse customer base encompassing individuals, microenterprises, SMEs, large corporates and the state covering Sri Lanka as well as overseas locations. The Bank has to manage the credit risk within acceptable limits within each customer group. Initiatives are ongoing to bring risk sensitivity to lending decisions by deciding the return based on the perceived risk.

Credit Risk Governance

The credit risk governance establishes the responsibility and approach through which the Board of Directors and senior management govern its business and the related credit risk management issues. An effective governance framework ensures the independence of the credit risk management function from the personnel managing the credit origination and administration. Through an effective Board-approved risk governance framework the Bank seeks to ensure adequate risk oversight, monitoring and reporting of credit risk.

The main management level committee responsible for credit risk management is the Credit Committee which is headed by the General Manager of the Bank.

The responsibilities of the Committee are as follows:

Formulating, reviewing and implementing credit risk appetite and ensuring actual risks taken are within the risk appetite; also monitors risk concentrations.
Ensuring regulatory compliance in the Bank’s risk policies and guidelines.
Approves credit up to the authorised limit for the Committee and makes appropriate recommendations to the Board when Board approval is needed.
Periodic monitoring of credit limits.

Credit risk management policies provides the guidelines for management of credit both at the level of the individual borrower and at the portfolio level. This is essential to ensure adherence to the regulatory requirement and prudent practices given the complexity of the Bank’s operations and the diversity of its portfolio and clientele.

Polices relating to the management i.e., Risk Rating Policy, Portfolio Management Policy were reviewed in the context of changing environment.

Credit risk management function is structured to ensure its independence from the business units.

Credit appraisal standards, processes and principles are consistently applied in corporate segment and retail segment.

Identification, Assessment and Monitoring

Loan origination process comprises initial screening and credit appraisal which focuses on the borrower’s ability to meet its obligations in a timely manner.

The Bank has established clear guidelines for loan approvals which requires every new credit, extension and any material change to the existing credit facilities to be subject to the approval of the appropriate delegated authority level.

Procedures are in place to review the credit facilities beyond a minimum threshold independently by the CRO.

An effective credit rating can measure risk accurately and can be used in decision-making process. Rating models are a key input how the credit risk in portfolios is managed, measured and monitored.

The Bank uses a range of credit risk rating models across the corporate and mid corporate portfolio covering the different industries the customers are in. Retail exposures are managed through retail score cards.

Mechanisms are also in place to reduce credit losses and increase recoveries. Post-sanctioning review of large exposures is carried out at intervals by the Credit Quality Assurance Unit at IIRMD. IIMRD tracks the health of the credit portfolio on an ongoing basis and issues early warning signals in case of possibility of a borrower defaulting. Credit Risk Management Reports are produced and presented to the Credit Committee and the IRMC periodically, to ascertain performance and safeguard against portfolio concentration.

Collateral Management

Collateral is a security provided on behalf of a borrower as a safeguard against a possible default. It may take the form of an asset or a third party obligation such as a guarantee. While collateral can mitigate risks it does not eliminate the need to maintain high quality lending standards.

Bank seeks to have in place legally effective and enforceable documentation for realisable and measurable collateral assets which are evaluated regularly.

Concentration Risk

Concentration of borrowers by any criterion always poses increased risks whether it is by industry, product, geography, sector, and collateral nature. The Bank measures credit risk on a portfolio basis to reduce the concentration risk and limits are laid down at different levels – individual, borrower group and industry. The Bank’s extremely wide-spread of customers helps it to minimise concentration while ensuring that the Bank generates adequate income from its loan portfolio. Bank uses analytical tools to quantify the concentration risk and significant concentrations are reported to the Credit Committee, IRMC and the Board for review.

Credit Risk Indicators

Risk Factor	Risk Indicator	Remarks
Default Risk Risk that a borrower or counterparty is unable to meet its commitments		Bank was able to keep the NPA ratio same as previous year despite the challenges encountered.
Concentration Risk Concentration risk in credit portfolios arises due to an uneven distribution of loans to individuals, industry sector or geographical regions.		Sector exposures are within the risk appetite limits.
		Bank’s loan portfolio is well diversified among the products.
		62% of the credit exposure is secured with collaterals.

Market Risk

Market risk is defined as changes in the market value of our trading positions or obligations. The causes can be fluctuations in interest rates, exchange rates, commodity prices or equity prices. The main objective of market risk management is to optimise the risk reward relationship without exposing the Bank to unacceptable losses.

Market Risk Governance

The core of the market risk governance is laid down in the updated Market Risk Management Policy which is in line with Basel accords and CBSL regulations and also; should be read along with regularly updated other policies covering asset and liability management, foreign exchange risk, liquidity risk, limit management framework and middle office operations manual.

These policies provide guidance on:

Establishing and maintaining a robust structure for managing market risk.
Efficiently and effectively monitoring treasury operations.
Establishing appropriate risk limiting thresholds for treasury operations.
Foreseeing and managing potential impacts from changes in the operating environment.

There are a variety of market risks that can arise, both of a trading and non-trading nature.

Trading risks can arise due to price fluctuations in items such as foreign currencies and securities.
Trading default risks arise from counterparties defaulting on their commitments.
Non-trading market risks arise from items such as market movement in the banking books and off-balance sheet items.

The Asset and Liability Management Committee (ALCO) plays a key role in managing market risk and is chaired by the General Manager and comprises key corporate management members. The Committee manages market risks by monitoring advances, deposits and investment portfolios and recommending corrective actions. The important functions of the Committee are managing interest rates, liquidity position and balancing assets and liability mismatches.

The middle office function plays a key role in monitoring market risk and is guided by a comprehensive framework of limits stated in the limit management framework and middle office operation manual approved by the Board.

Identification, Assessment and Monitoring

Several metrics have been developed for measuring market risks in adherence with both internal and regulatory requirements. Value at Risk (VaR), Price Value for Basis Point (PVBP), Duration, Stress Testing, Gap Analysis and Sensitivity Analysis are the mostly used instruments for managing market risk at the level of the overall portfolio. VaR is a quantitative measure of possibility of market fluctuations calculated within a 99% confidence level. Currently the Bank uses a historical method for VaR calculation, with the calculation being done separately for each portfolio. PVBP measures the fluctuation of the price of a security for one basis point change in yield. Stress testing for market risk is carried out on a daily basis.

Market risk unit monitors Board-approved limits on daily basis and limit exceptions are escalated to ALCO, IRMC and the Board periodically.

Market Risk Indicators

Factor	Description	Remarks
Foreign Exchange Risk		Forex open position of the Bank was well within the Risk Appetite limit throughout the year.
Interest Rate Risk		The duration of the portfolios is monitored regularly to assess sensitivity of prices to interest rate changes.
Equity Price Risk		Equity VaR position of the Bank was well within the Risk Appetite throughout the year.

Liquidity Risk Management

Liquidity risk is the risk arising from potential inability to meet payment obligations when they are due or only being able to do so at excessive costs. Liquidity risk often arises from the fact that receivables and payables have different time frames. The Bank has a Liquidity Risk Management Framework in place to ensure that the Bank can meet its payment obligations in a timely manner and do so within the defined risk appetite. ALCO, is tasked with managing liquidity position of the Bank. The Board approves the liquidity strategy of the Bank and the risk appetite based on the recommendations made by the IIRMD, ALCO and IRMC.

The Bank’s liquidity management strategies are articulated in its Liquidity Management policy and Asset and Liability Management Policy. These policies describe a range of possible strategies to manage liquidity. These include maintaining a substantial percentage of assets in a liquid form, the capacity to borrow from money markets as well as certain other strategies to improve liquidity.

Identification, Assessment and Monitoring

The primary tool to identify liquidity risk is the Maturity Gap of Assets and Liabilities Statement. This analyses the temporal gap between receivables and payables under both normal and adverse scenarios.

The Bank strives to minimise liquidity risk by building a diversified funding base across different market segments and both local and overseas. Similarly the deposit base is diversified across individuals, SMEs, corporates, and Governments. The Bank should be able to cope with crisis situations such as excessive credit growth, unexpected rollovers, defaults of large credit exposures and unexpected withdrawals of deposits. Contingency plans are in place to handle such situations. Stress testing is used to gauge the severity of impact of such events and develop mitigating strategies.

Liquidity Risk Indicators

Risk Factor	Risk Indicators	Remarks
Liquidity Risk		Unencumbered securities available for funding have improved in 2017 indicating a comfortable liquidity position.
		Cumulative positive gap is maintained up to three months by the Bank.
		Liquid Assets Ratio of the Bank was well within the risk appetite throughout the year.
		Liquidity Coverage Ratio of the Bank was well within the risk appetite throughout the year.

Operational Risk

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Operational risk includes legal risk but excludes strategic and reputational risk. Operational risk that originates from both business and support units of the Bank are managed within the set risk appetite through a well-defined internal control system. The Bank has aligned its operational risk management with the three lines of defence model. At the second line, IIRMD is responsible for laying down the Operational Risk Management Framework and overall risk appetite and is also responsible for crafting a macro level control structure. All the business and support units are expected to adhere to such control structure as risk is encountered and primarily managed by the first liners. Audit and compliance as the third line of defence play their role by validating effectiveness of structures and controls in place.

Operational Risk Governance

The overall responsibility for the governance of operational risk lies with the Board of Directors and the Senior Management. The Board-approved Operational Risk Management Policy, Fraud Risk Management Policy and IT Risk Management Policy define the entire operational risk management governance of the Bank. Operational Risk Management Executive Committee (ORMEC) and Fraud Risk Management Committee supported by IIRMD which are headed by the Chief Risk Officer, are responsible for identifying operational risk, formulating operational risk management policies, evaluating results and recommending changes when appropriate. IIRMD oversees the implementation of the Business Continuity Plan where Chief Risk Officer is the Co-chairman of the Business Continuity Coordinating Committee. Responsibility of the Bank’s overall information security lies with the Corporate Information Security Committee in which Chief Risk Officer is a member. All new product initiatives are also evaluated from a risk perspective. This is done through IIRMD being represented in all new product initiative committees.

Identification, Assessment and Monitoring

Well-tested techniques are used to identify, assess and monitor operational risks. These include Key Risk Indicators (KRIs), Risk and Control Self-Assessments (RCSA), internal loss data collection and analysis, root cause analysis and lessons learnt exercises. The possible impacts of major external events are carefully analysed to ascertain what risks they may pose to the Bank and what mitigating action may be needed. KRIs are proactive tools that identify risks in advance for key decision-makers to take corrective action. RCSA is the process of identifying, recording and assessing potential risks and related controls. IIRMD conducts RCSA in critical business and support units periodically to assess risks.

Loss data collection and analysis collects data regarding actual losses on an ongoing basis with inputs from all business and support units. The reports produced by this process are then reviewed and evaluated; any lacunae identified are reported by IIRMD to ORMEC, the IRMC and the Board which then take decisions on any actions needed.

Through an active lessons learnt process, IIRMD has taken the initiative to promptly alert the relevant business and support units including the branch network of any near misses, threats from external environment in order to strengthen internal controls.

Control and Mitigation

A robust internal control framework which spells out segregation of duties, streamlined reporting channels, clearly defined business continuity management are some salient features of operational risk management framework. Insurance instruments are used as a risk transfer strategy to mitigate high severity non controllable risks. The Bank annually reviews and updates it’s insurance to cover such identified risks adequately.

The Business Continuity Management Policy stipulates that all critical business and supporting units have developed their own business continuity plans. During the year two test runs were successfully completed and results were reported to the appropriate authorities. To make the Bank resilient to any possible disasters a fully-equipped Disaster Recovery Centre has been established outside Colombo city limit to facilitate continuity of operations.

Today’s banking landscape encounters significant legal risks due to increased customer demands and complex business model. To address this risk component IIRMD assesses legal risk in consultation with the Legal Division, which is integrated to the Bank’s annual ICAAP.

Strategic Risk

Strategic risk may arise from flaws in the Bank’s strategy formulation and decision-making process. In a rapidly changing environment speedy decisions need to be made regarding products, services, resource allocation and communication channels among a host of other subjects. Inability to swiftly respond to such needs has the potential to pose threats to profitability and liquidity. The Bank’s strategic direction is laid down in the corporate plan and there is a process in place to verify alignment of actual performance with the plan. Bank uses a scorecard based approach in its ICAAP to assess strategic risk.

Reputation Risk

In BoC’s 78-year history, reputation has remained unscarred, prompting high regard and confidence among all stakeholders. BoC has maintained top of mind recall in the minds of all stakeholders due to its pioneering stance, financial stability and insistent compliance. Unprecedented awards the Bank receives year on year vouch for the continued and solid reputation it has built over years. However, in both local and global ever challenging and volatile scenario it is understood that reputation can at any given time be subject to risk.

Hence we recognise that identifying risk factors that could damage our reputation and being vigilant to these, maintaining and continually enhancing our risk management capabilities are critical to ensure that the Bank’s financial and strategic objectives are achieved within approved levels of risk appetite. Managing reputation risk is an organisation wide effort. BoC therefore, is highly committed to promote a good corporate governance culture and best practices in risk management throughout the Bank.

Compliance Risk

Compliance risk is the consequences that may follow from non-compliance with laws, regulations, guidelines, or rules of conduct of regulatory authorities. This could also extend to self-regulated standards of practice of the banking industry.

Compliance laws and regulations cover matters such as market conduct, conflicts of interest, equitable treatment of customers and customer relations. They also include safeguards against malpractices such as money laundering and terrorist financing.

The Bank has a governance structure, systems and procedures in place to address compliance requirements. This compliance framework identifies, assesses and mitigates against risk, identifies and implements controls and takes timely corrective action to prevent instances of non-compliance when there are any signs of deviation. Comprehensive policies are in place for compliance and anti-money laundering/terrorist financing. Compliance requirements are addressed in formulating strategic plans. The fact that we have not been found lacking in adhering to compliance requirements enhances our reputation and builds stakeholder confidence.

The Compliance Function in the Bank has been endowed with sufficient authority, independence and resources to fulfil its functions effectively. Changing global regulations such as Basel III have increased the demands on the compliance function but it has shown itself capable of handling the additional responsibilities.

One role of the compliance function is to advise the Board and the senior management on the laws, rules and regulations relating to the Bank, the impact of any changes, how such changes should be implemented through internal systems and procedures and the monitoring required to ensure compliance. The Compliance Unit also plays the role of educating the staff on compliance requirements and handling any queries regarding the subject.

The functions of the compliance function includes assessing any proposed new products and services, new business practices, new business or customer relationships from the standpoint of compliance.

An automated Anti-Financial Crime Detection system – AMLOCK facilitates Knowing Your Customer (KYC) and identifying suspicious transactions. Furthermore, an inbuilt system from SWIFT has been installed to screen the outward remittances in real time. A need was also felt to align the AML/CTF activities of the Bank with the Risk-Based Approach (RBA) of the Financial Intelligence Unit of the Central Bank. To address this need a new comprehensive real-time ALF/CTF system was procured and implemented in the year under review.

The Bank is also a Participating Foreign Financial Institution (PFFI) under the Foreign Account Tax Compliance Act (FATCA) under the Global Intermediary Identification Number (GIIN).

Compliance – Organisation Structure

The Compliance Function is handled by the Compliance Division which consists of two separate divisions – Regulatory Compliance Unit and Anti-Money Laundering/Combating Terrorism Financing Unit. The Division is headed by a Senior Management Executive, who is designated as the Head of Compliance. The Head of Compliance reports directly to the Board IRMC on changes in the compliance requirements, performance indicators, any possible breaches or warning signals of same, deficiencies in systems and procedures and any necessary corrective action.

Basel III

The Basel III requirements for capital adequacy came into effect on 1 July 2017. New directions for capital requirements were issued by the Central Bank, and the Bank was proactively preparing for the new requirements from 2016. The Bank has refined the ICAAP to be aligned with the new requirements. The regulatory requirements are phased over three years and the Bank has developed a capital augmentation plan to support capital requirements and adequately cover all risks while promoting buffers. Qualitative impact studies and stress tests are carried out by IIRMD, to strengthen the process of monitoring capital adequacy.

The change also demonstrated the flexibility and resilience of the original Internal Risk Management System to adapt to a major change.