Amidst continued geopolitical upheaval in the international arena and multiple crises at national level, Sri Lanka faced severely challenging economic conditions in 2022. In response to heightened fiscal, external sector, and financial sector imbalances, supporting Sri Lanka’s financial system was the priority of the Bank, honouring its unique role as a state bank and its influential position as the largest bank in the country’s financial sector.

A deteriorating operating environment posed significant uncertainty for Sri Lanka’s economic outlook and resulted in realisation of several risks for the Bank. While some impacts of COVID-19 continued in 2022, major challenges came from new areas. Primary amongst these was the steady increase in interest rates, which had sweeping impacts on the sector. Floating of the exchange rate in the first quarter of 2022 resulted in significant knock-on effects and challenges during the year, including significant issues with regard to liquidity and foreign exchange availability. The regulator continued to aggressively monitor and supervise related developments.

In this environment, Bank of Ceylon’s role in supporting and stabilising the country’s economic fundamentals and financial system was of paramount importance. The Bank was successful in managing this difficult period without either breach of regulatory ratios or drawdown of buffers that were allowed by the regulator. The year closed on an upward trajectory, with additional limits incorporated, capital adequacy ratios in line with benchmarks, and previously delayed or deferred payments settled.

The following sections discuss the pivotal role played by Bank of Ceylon’s Risk Management function in responding to the challenging operating environment, upholding the Bank’s national responsibility, and exercising best practices in Risk Management to ensure resilience and stability.

Risk Landscape in 2022


Key Performance Highlights



Enterprise Risk Management (ERM) Framework

The Board-approved risk management framework consists of clearly defined governance structures, policy frameworks and a culture of risk awareness, which together ensure judicious empowerment and the consistent management of risks across the Bank.

The framework provides comprehensive guidelines to identify, measure, mitigate, and report risks in a consistent manner and is regularly reviewed and revised to ensure that it remains relevant given the increasingly dynamic operating environment.

In response to significant changes to the operating environment and newly introduced internal processes, the Bank reviewed and updated all policies in 2022. Considering the complexity of the stressed operating environment, the Bank has widened the scope of monitored risks to increase focus on liquidity, interest rate, and environmental and social risks.


Risk Governance

The Board of Directors of the Bank has the overall responsibility for the establishment and oversight of the Risk Management Framework.


Integrated Risk Management Committee (IRMC)

IRMC comprises four members of which three are independent non-executive directors.

  • Assist the Board in discharging its oversight responsibilities for risk management.
  • Ensure that appropriate policies and procedures are in place for detection, oversight and analysis of existing and future risks.
  • Ensure the Bank’s risk management activities are aligned with the Bank’s risk appetite.
  • Assess all risks to the Bank on a periodic basis through appropriate risk indicators and management information.
  • Provide strategic guidance on various initiatives undertaken by the Bank towards management and mitigation of credit, market, operational and information security risks of the Bank.
  • Review the Bank’s capital position and future requirements in line with the Internal Capital Adequacy Assessment Process (ICAAP) while identifying and mitigating potential pain points highlighted in stress testing.
  • Review the Bank’s Business Continuity Plan.
  • Re-enforce the culture and awareness of risk management throughout the organisation.

Independent Integrated Risk Management Division (IIRMD)

Headed by the Chief Risk Officer (CRO), the Division operates independently. Some structural changes were made to the Division in 2022, including a new Executive Management position to strengthen the Division’s focus on operational and market risk management, as depicted in the risk management framework. The Division ensures that the risk management process is carried out effectively.

Risk Management Process

Risk Profile

Risk category Key risk indicator Regulatory
policy parameter
Actual position
31.12.2022 31.12.2021
Credit risk
Asset quality
Net Stage 3 loans ratio (%)
Impairment Coverage (Stage 3) loans ratio (%)

5.27 59.73 5.08
Concentration and exposure Sector-wise concentration (HHI)
Geographical concentration


Market risk

Net interest income (NII) (LKR billion)
Net interest margin (NIM) (%)
Price Value per Basis Point (PVBP) of Treasury Bonds (LKR ’000)

Liquidity risk Liquid asset ratio (LCY) (%)
Liquid asset ratio (FCY) (%)
Liquidity coverage ratio (LCR) (%)
Net stable funding ratio (NSFR) (%)
Credit-Deposit (CD) ratio (%)

Strategic risk

Tier 1 capital ratio (%)
Total capital ratio (%)
Common equity Tier 1 ratio (%)
RoE (%)
Operational risk Operational loss as a percentage of risk appetite (%) 82 63

The Bank’s Approach to Risk Management

Bank of Ceylon’s risk management function centres around an Enterprise Risk Management (ERM) framework that ensures risks are managed within a framework aligned to the Bank’s strategic priorities, organisational culture and corporate governance practices.

From clearly delineated roles and responsibilities, to well-defined policies, procedures, and processes; the Bank’s ERM framework supports consistent identification and management of risks across business units, functions, and operations.

In 2022, the Bank brought forward new systems, processes, and protocols in response to the changing and challenging operating environment. Focus was placed on Information Security Risk Management in light of continued digitalisation and adoption of new systems instituted in response to the COVID-19 pandemic such as remote work and work from home initiatives.

The Bank instituted a number of changes to its risk management function in 2022, primarily in response to the state of the Sri Lankan economy and the financial sector:

Looking to the future, Bank of Ceylon expects to strengthen baseline security alongside stringent Information Security Risk Management to manage continued technology enhancement and updates to banking systems and processes.

Further, plans are underway to continue progressing the Bank’s Environmental and Social Management System ensuring it is in line with international best practices, related legal provisions of the country, and the Central Bank of Sri Lanka (CBSL) Sustainable Finance Initiative. Major milestones in this regard involve introduction of counterparty Environmental and Social (E&S) risk assessments and rollout of awareness and training of staff related to the Bank’s ESMS.

The Bank retains the focus on strengthening risk management processes for Information Security and Information Technology (IT) Risk, and is in the process of obtaining ISO 27001 for Information Technology Service Management.

The Bank’s risk management function will be further strengthened to ensure alignment with the direction of Sri Lanka’s economy and the financial sector.

Risk Culture

Bank of Ceylon fosters an enterprise-wide risk culture with the primary goal of supporting the Bank’s business units and functions, which serve as a First Line of Defence, to better identify, discuss, escalate, and mitigate emerging risks.

Strong emphasis on organisational and market intelligence goes hand-in-hand with internal controls, the Bank Code of Ethics and a comprehensive policy framework. Continuous training programmes in subject areas including strong credit culture, E&S risk management, information security, and market and operational risk management are conducted in order to strengthen the bank-wide risk management culture. These serve to reinforce the Bank’s “Three Lines of Defence” model, which in turn contributes to sustainability of the Bank and creation of value for stakeholders in the short, medium, and long-term.

Risk Appetite

The Bank’s risk appetite is defined as the level of risk the Bank is prepared to assume within its risk capacity to achieve its strategic objectives. It is articulated quantitatively as risk measures and qualitatively in terms of policies and controls. In addition to defined limits on risk exposures, the risk appetite statement includes risk appetite triggers and defines specific corrective action to be taken in the event that such limits are exceeded/triggered. It is reviewed annually, considering the volatilities in the following factors:

  • Capital base
  • Macroeconomic changes (New technology and environmental changes, GDP, economic sectors, regulatory/policy changes)
  • Country and counterparty risk
  • Expected business growth
  • Corporate plan

In response to shifts in the above-mentioned factors during 2022, the Bank introduced revised limits for certain sectors.

Stress Testing

Routine stress testing evaluates potential risk effects on the Bank’s business and assesses sensitivity of the Bank’s current and potential risk profile relative to risk appetite. The Bank’s stress testing framework utilises a combination of techniques including macroeconomic and business model stress testing along with sensitivity and scenario analysis.

Stress testing also contributes to increased risk awareness across the Bank’s functions and works to safeguard business continuity by means of proactive management. It assists the Bank in setting up risk appetite and tolerance limits, in risk identification and control, and in the development of contingency plans; it complements other risk management tools, improves capital and liquidity planning, and facilitates strategic business decision-making.

The stress testing policy framework covers all the material risks such as credit, market, operational, concentration, liquidity, foreign exchange and interest rate under three different stress levels; Mild, Moderate and Severe. Resulting impact on the profitability, liquidity and capital is evaluated and reported to the top management and IRMC on a quarterly basis and more frequently as and when required for effective decision making. The stress testing also provides a broader view to supervisors and regulators on the resilience of the Bank in plausible stress scenarios.

Considering the current operating environment and prevailing market conditions in 2022, the Bank improved stress testing by increasing the frequency of analysis and including a range of differing scenarios, giving special emphasis to liquidity and interest rate risks. The Bank proactively and comprehensively evaluated the impact of possible debt restructuring (haircut on investment securities, both domestic and foreign), the impact of an interest rate hike on the Bank's NIM, and the possibility of restrictions on the CBSL repo window (which later became a reality) amongst the full range of stress testing scenarios. The results of such analysis gave comfort to the Bank's decision-making process, providing the foresight which enabled revisiting and revising of the pricing mechanism, adequate impairment provisioning for potential risk, and the search for alternative funding avenues.

Capital Management and Internal Capital Adequacy Assessment Process (ICAAP)

As a state bank, BoC is limited in its ability to access the equity market for capital and must rely primarily on internal profit generation and government infusions in enhancing capital.

The Bank managed its available capital optimally amidst the restraints in fresh capital infusion by the Government due to economic exertion in 2022 and was able to strengthen the capital position by raising LKR 6.49 billion via Basel III compliant, subordinated, Tier II debentures.

The Bank’s capital position during the year improved by LKR 22 billion to LKR 264 billion as a result of these initiatives.

Capital adequacy December
Tier I 12.41 14.25
Total 15.38 17.77

Aligned with the Pillar II requirements, ICAAP enables robust management of the Bank’s capital structure, through aligning capital requirements to its risk profile, thereby ensuring that adequate capital is maintained to deliver its strategic agenda. In addition to the credit, market and operational risks the Bank’s ICAAP takes into consideration concentration, liquidity, interest rate risk in the banking book, reputational, compliance, strategic and information security risks. The Internal Capital Adequacy Assessment Process and Recovery Plan (ICAAP and RCP) Steering Committee which is headed by the General Manager is responsible for assessing and managing these material risks.

Stress testing is an important element of Pillar II (Supervisory Review) and showcases the sensitivity of the Bank’s risk profile to a range of variables. The Board of Directors is responsible for ensuring that stress testing is conducted regularly and effectively in line with the Board-approved Stress Testing Policy supported by reviews of the ICAAP Steering Committee.

Recovery Plan (RCP)

The Recovery Plan sets out the framework for the Bank’s governance, the identification of credible options to survive a range of severe but plausible stress scenarios, and the relevant triggers, and sets out the plan for liquidity and capital management arrangements while improving the risk profile and ensuring business continuity.

The Bank’s RCP is integrated with the Bank’s

  • Strategic, Risk management and business decision making processes
  • Capital and funding planning, stress testing approaches and business continuity planning
  • Capital and Liquidity assessments
  • Risk data aggregation and risk reporting

Under the RCP, triggers and early warning indicators are set based on capital, liquidity, profitability, asset quality, and market and macroeconomic indicators. A range of recovery options is predetermined to deal with shocks to capital, liquidity and all other aspects that could arise from institution-specific stresses, market-wide stresses or a combination of both. The Bank submitted its first Recovery Plan, prepared according to the regulator’s directions with a full range of credible recovery options, in 2022.

Continuous monitoring of the predetermined set of alerts and early warning indicators specifies the requirement for reporting to higher management for precautionary actions before an event is triggered. In the event of a trigger, the ICAAP and RCP Steering Committee of the Bank, headed by the General Manager, shall immediately activate the recovery options. Activation of predetermined recovery options will restore the financial position and market confidence in the Bank's resilience following an adverse shock, which will ensure that the interests of all stakeholders are safeguarded.

Risk Reporting

All risk exposures are reported to the relevant management level committees and escalated to the Board subcommittees as appropriate. A comprehensive risk report, comprising risk dashboards and performance against risk appetite indicators is provided to the IRMC on a monthly basis, and as and when required. Given the continued challenging operating environment in 2022, risk reporting to the Board was strengthened, with special focus on the credit, liquidity, interest rate risk and information security related risks.

In addition to the above, tightened scrutiny from the regulator in 2022 required more frequent reporting in a dynamic and rapidly changing risk landscape.

Risk Performance 2022

Credit Risk

The Bank's credit risk management framework is governed in line with the “Three Lines of Defence Model”, with credit originating mainly from the client-facing primary business lines. A robust framework enables the Bank to identify, manage, mitigate and report credit risks in a consistent manner across the organisation and in line with the Bank’s risk appetite.


Credit Risk

Focus Areas and Developments in 2022


Continuous credit support to the customers

Support provided for SMEs and corporate customers to continue their businesses by granting moratoria, restructure and rescheduling of credit facilities, and extending additional credit facilities where appropriate.


Business revival and rehabilitation

Expanded the Bank’s Business Revival and Rehabilitation Units across the island, to support survival of businesses that were highly affected by the protracted economic crisis. The Bank took this decision and stance to focus on revival of businesses over standard recovery initiatives; as a measure that would benefit the nation and economy in the long-run.


Providing moratoria

Debt moratoria extended above and beyond the regulator’s recommendation; providing relief for businesses and individuals who were affected by import restrictions, economic crisis, and political instability up to the end of 2022.


Timely review of policies

Comprehensive review of policies carried out in order to incorporate new developments in the business and regulatory environment.


Maintaining credit quality under new normal

Analysis carried out for highly affected/vulnerable sectors (risk elevated industries) in order to maintain credit quality during the crisis and adapt to the new-normal situation.


ESMS implementation

Initiatives undertaken to operationalise assessment of environmental and social risk in lending activities.


Strengthening credit quality assurance

Post sanctioning reviews carried out through the Credit Quality Assurance Unit by expanding the scope.

A brief overview of the governance structures, policy framework, and methodologies used in driving credit risk management is set out below:


Credit Risk Performance in 2022

Environmental and Social Management System (ESMS)

The failure to identify and manage E&S risks arising from its customers’ operations can represent a serious threat to the Bank’s reputation and its business and can lead to costly litigation or loss of revenue. The Bank issued comprehensive Environmental and Social Management System guidelines in compliance with its Integrated Environmental and Social Management System Policy, which explains the procedures for identifying, assessing and managing environmental and social risks of financial transactions. The Bank recognises that its customers’ financial and operational sustainability can be challenged by adverse impacts of their operations on the environment, their employees and surrounding communities. While supporting proliferation of products to promote sustainable green financing and financial inclusion, the Bank’s ESMS, entwined with ESG considerations, ensures that the Bank’s lending activities and operations are environmentally and socially responsible and compatible with the applicable regulatory environmental and social standards, country regulations as well as internationally recognised best practices. The Bank has strengthened its human resource by conducting island-wide training programmes on ESG.

The Bank supports the implementation of the road map for Sustainable Finance in Sri Lanka by identifying and evaluating the associated climate-related risks and green financing activities in the lending portfolio of the Bank. The focus is on promoting sustainable and environmentally friendly infrastructure to our customers by identifying opportunities through Environmental and Social Due Diligence (ESDD) procedures that contribute to a greener and more sustainable economy in Sri Lanka.

Market Risk

Market risk is the adverse variation around expectation and arises due to negative movement in variables such as interest rates, exchange rates, share prices and commodity prices. Market risk arises through the Banking Book and the Trading Book and comprises the following:

  • Interest Rate Risk (IRR) – arising from the Bank’s trading and non-trading books
  • Foreign exchange risk – stemming from foreign currency denominated transactions
  • Equity risk – losses from volatilities in equity prices

IRR is significant, given the Bank’s material exposure to interest rate sensitive assets and liabilities.

BoC manages IRR through a clearly defined set of tools and indicators.

Maturity mismatches, interest rate gaps and Price Value per Basis Point (PVBP) are monitored on a consistent basis, while implications of changes in macroeconomic conditions are assessed through regular stress testing.

Forex transactions are governed by stringent internal policies, including approval mechanisms, external regulatory guidelines and limits set by the Bank and the regulator.

Internally, a comprehensive limit structure, comprising Value at Risk (VaR) limits and volume limits for open positions of both individual and aggregate currency exposures, is used to manage vulnerabilities.

The Bank also conducts stress testing on plausible Forex risk scenarios.

A dedicated Investment Committee is in place to ensure that the Bank’s investment decisions are in line with the Board’s expectations on risk-return dynamics.

The Market Risk Division ensures the limit structure is in place for proper management of the equity portfolio.

The equity risk management function is complemented by a comprehensive stress testing analysis.

Market Risk

Focus Areas and Developments in 2022


Limits review

Revision of limits assigned to counterparties to manage current local and foreign risk environments.


Improved reporting

Improved information provided to management more frequently regarding current and future risk factors arising due to systemic and idiosyncratic risk factors.


Assessment of potential risks

Carried out stress testing on plausible assessment of potential risk scenarios (e.g. Haircut of ISBs) to evaluate the impact on capital adequacy.


Review of policies

Review of policies in line with recent developments and market conditions.


Market Risk Management Framework


Market Risk Performance in 2022

Liquidity Risk

Liquidity risk involves potential losses to earnings and/or capital due to inability to meet the Bank’s financial obligations as and when they are due.

The Bank’s liquidity risk management framework is based on strategy, governance, processes, systems and data, methodology and reporting. It ensures the Bank's resilience in facing unexpected liquidity crisis situations.

The ALCO holds responsibility for managing liquidity risks and consistently monitors the Bank’s liquidity position to ensure compliance with regulatory requirements and internal targets.

Liquidity Risk

Focus Areas and Developments in 2022


New liquidity risk management committee

Establishing an Internal Management Committee to monitor the Bank’s daily liquidity position and a new FCY outflow committee.


Robust reporting mechanism

Reporting up-to-date liquidity position continuously on a frequent basis to requisite committees


Initiatives to manage liquidity

Recommendation of new money market product for Repo, deposit mobilisation target, and strengthening the contingency funding plan of the Bank

Key Liquidity Indicators in 2022

2021 – 111.45%

2021 – 24.97%

2021 – 124.31%

CD Ratio
2021 – 89.88%

Operational Risk

Focus Areas and Developments in 2022


Strengthening internal controls

Focusing on arresting possible internal frauds, the Bank carried out awareness programmes for all levels of staff, especially Managers and Internal Control Officers.


Risk Control Self-Assessment (RCSA)

Selected critical units were subject to the RCSA process, which enabled improvement of process controls and mitigated the inherent risks that would otherwise remain embedded in the processes without the attention of the process owner.


Reviewing policies

To incorporate new regulations and changes in operations.


Providing risk perspective

All new products/processes are routed through the Risk Management Division, which provides feedback on risk aspects as well as on their appropriateness and sustainability. This has enabled the Bank to take sound decisions on its new developments.


Revamping bank-wide circulars

As a Bank with over eight decades of history, it was identified that our operating procedures need to be cleansed. A special task was undertaken by the BPRP unit with the feedback and analysis from risk and other stakeholders.

Key Operational Risk Indicators in 2022

Information Security and Technology Risk

Information Security and Technology Risk involves risk of loss or theft of information, data and money, or potential service disruption stemming from adoption of IT within the Bank.

Information Security and Technology Risk

Focus Areas and Developments in 2022


Alignment of technology risk posture

Commencing alignment of technology risk posture of the Bank in compliance with the regulatory framework on technology risk and resilience.


IT Governance and Cybersecurity initiatives

Initiating the process to implement the COBIT IT Governance framework.

Initiating the process to obtain insurance cover for cybersecurity.

Introducing leading industry-accepted information security guidelines for in-house developments.


Awareness building

Conducting information security awareness sessions, including practical sessions on social engineering attacks.

Highlighting emerging and current information on IT risks to the management to facilitate informed decision-making



Ensuring 24x7 operation of the Security Operation Centre (SOC) and establishing a Network Operation Centre (NOC) to provide on-time response to alerts generated by the SOC.


Risk assessment

Completing comprehensive SWIFT scenario-based risk assessment in order to better understand risks faced by the Bank with regard to SWIFT operations.


Technology risk mitigation

Scrutinising new system requirements, new developments, and changes to existing systems in order to mitigate technology risk (included piloting of measures for data privacy and classification, loss-prevention, etc.)

Human Resource Risk

People-related risk aspects remained a factor in 2022 as pandemic-induced challenges were exacerbated by sociopolitical upheaval during the year. Risks with regard to physical and mental well-being, risk of employee isolation, and challenges in supporting work-life balance of employees continued to be considered by the Bank’s people management strategy during the year.

Challenging economic and sociopolitical conditions during 2022 led to emergence of new risks including employee turnover for the Bank. Increased employee turnover coupled with natural attrition and constraints on hiring adversely impacted the Bank’s talent pool.

The Bank’s people management strategy involves the following:

  • Ensuring comprehensive safety measures for all employees.
  • Ongoing virtual engagement and development initiatives.
  • Facilitating work from home and remote working arrangements.
  • Continuous assessment and realignment of staff roles to meet operational needs.
  • Selective sourcing of new recruits including professionals for critical operations.
  • Exit interviews to formulate strategies to arrest any flaws in the Bank.

Regulatory and Compliance Risk

Frequent changes in regulatory guidelines have increased the risk of non-compliance stemming from varied interpretation and manner of implementation. This is mitigated through close and proactive engagement with regulators, and operations of a dedicated Compliance Unit monitoring all compliance with guidelines and regulations.

Climate-related Risk

Climate-related risks including natural disasters and failure to implement long-term climate adaptations and solutions, are among some of the key risks faced by the Bank’s customers. In cognisance of this, BoC works to strengthen its climate risk management framework, and took steps during the year in alignment with its commitment to continual improvement of identification and mitigation measures for climate-related risks.

Measures adopted by the Bank in this regard, include:

  • Continuous scale-up of adoption of the Bank’s Environment and Social Management System (ESMS). Refer ESMS and the Community and environment section for more information.
  • Increased focus on renewable energy both from a lending perspective and internal operations
  • Raising employee awareness on ESMS management within the Bank.
  • Steps taken to establish a foundation for compliance with the Task Force on Climate-related Financial Disclosures (TCFD).

Legal Risk

Legal risk entails potential losses to earnings and reputational damage arising from non-compliance with regulatory/statutory provisions, uncertainty due to legal actions, or uncertainty in the applicability or interpretation of relevant laws or regulation applicable to the Bank.

  • A highly-skilled and experienced legal function ensures that all exposures are mitigated through ongoing review of legally binding agreements. This is supported by the Bank’s compliance function.
  • Ensuring all policies, procedures and guidelines are robust and relevant given changing regulatory requirements and stakeholder considerations.

There were no material losses suffered by the Bank due to legal risk.

Reputational Risk

Reputational risk arises from the loss of confidence and negative perception of the Bank which can adversely impact earnings, assets, capital position and/or brand value.

During the year, reputational risk was mitigated through:

  • BoC playing a leading role in supporting the Nation’s macroeconomic stability and economic revival through lending to critical sectors of the economy, rehabilitating/reviving customers where possible, and stimulation of inward-remittance contributing to forex inflows.
  • Efforts taken to ensure business continuity and customer service despite challenging conditions.
  • The Bank’s efforts to promote financial inclusion throughout the island.
  • The Bank continues to be ranked as one of Sri Lanka’s leading brands and the No.1 brand in the banking sector.
  • The Bank extended support to key institutions that enabled uninterrupted access to essentials via the import of fuel, medicine, vaccinations, and more.

Strategic Risk

Potential losses arising from the possible flaws in the Bank’s future business plans and the possibilities of strategies being inadequate.

The Bank’s strategic risks are mitigated through:

  • Strategic direction of the Bank given by its vision and mission, articulated in BoC’s corporate plan with specific measurable time-bound targets.
  • Existence of a robust mechanism for formulating strategy, including inputs by the Corporate Management and Executive Management team, assessment of the operating landscape, consideration of stakeholder needs, and finally deliberations by the Board of Directors
  • Continued monitoring of performance against defined targets.
  • Use of comprehensive scorecards to measure strategic risk exposures.

Way Forward

Considering the dynamic nature of the risk landscape and the stressed operating environment going into 2023, the Bank has plans in place and measures underway to ensure stability in the coming year while maintaining the Bank's No 1 position.

Focus for 2023


Ensure achievement of corporate objectives and improve stakeholder value


Optimal use and augmentation of capital


Focus on revival and rehabilitation of businesses


Ensure prudent management of liquidity


Managing and improving NIM


Improve products and processes to minimise operational losses


Strengthening the environmental and social governance


Adopting international best practices


Manage and mitigate reputational risk in order to maintain brand value under highly volatile economic conditions


Manage and mitigate compliance risk through a compliant business framework


Effective concentration risk management through portfolio management