Commercial Bank of Ceylon PLC

Annual Report 2018

Risk Management

Bank’s approach to risk management

The business model of a bank primarily centres around the two activities of financial intermediation and maturity transformation. With substantially lower Return on Assets (ROA), these activities encourage and enable banks to operate at higher levels of gearing in order to generate returns that are attractive to investors in terms of Return on Equity (ROE). However, they expose banks to a multitude of industry-specific risks over and above those that other organisations have to face, making it imperative that banks have solid frameworks to manage the associated risks. It is an effective risk management system that enables banks to optimise the trade-off between risk and return.

In addition, certain emerging global developments are now threatening to disrupt the conventional business models of banks. These include digitalisation, unorthodox competition from FinTechs and TechFins, exponential technologies such as artificial intelligence, robotics and Blockchain, demographic changes, tightening regulations on supervision, anti-money laundering and privacy laws, cyber threats, increasing concerns on sustainability etc. (refer for a list of such emerging developments). In particular, these developments have elevated the magnitude of strategic risks for banks. In this context, the Bank set up a Board Strategy Development Committee during the year (terms of reference, authority, activities undertaken, etc. of the Committee are given in the section on Board Committee Reports in the chapter on Governance). A study published in Harvard Business Review (July-August 2015) in fact found strategic risks to be the most damaging type of risk for companies now. Since they offer both potential for opportunities and significant risks, they call for a more focused strategy to evolve the business model to ensure sustainability of banks. Risk management needs to take these developments too into consideration when devising measures for managing risk.

Certain macroeconomic shocks and regulatory developments made things even more complicated and dynamic for the Sri Lankan financial services industry. The year 2018 was characterised by lacklustre economic growth, an unprecedented level of rupee depreciation, import restrictions, rising interest rates, the one-time impact of SLFRS 9 adoption, phased-in implementation of the Basel III Framework, political instability and lack of policy consistency. The banking sector felt the impact of these developments in the form of deteriorating asset quality, rising impairment costs, lower interest margins and escalating costs – all leading to lower levels of profitability.

Commercial Bank has a sound Risk Management Framework (RMF) with necessary oversight of the Board of Directors, for identifying, assessing, measuring, mitigating, monitoring and reporting risks, enabling such risks to be prudently managed. The Bank is cognisant of the fact that it needs to strengthen this framework on an ongoing basis in the wake of increasing intensity of regulatory supervision and various emerging developments.

Objectives of risk management

The primary objectives of the risk management function of the Bank are:

  • to assist in decisions relating to accepting, transferring, mitigating and minimising risks and recommending ways of doing so;
  • to evaluate the risk profile against the approved risk appetite on an ongoing basis;
  • to estimate potential losses that could arise from risk exposures assumed;
  • to periodically conduct stress testing to ensure that the Bank holds sufficient buffers of capital and liquidity to meet unexpected losses and honour contractual obligations;
  • to integrate risk management with strategy development and execution; and
  • to institutionalise a strong risk culture within the Bank.

Key developments in 2018

SLFRS 9 implementation

During the year, the Bank implemented SLFRS 9, which became effective from January 1, 2018. This Accounting Standard requires impairment provisioning to be based on a forward-looking expected credit loss model using statistical computation of Exposure at Default (EAD), Probability of Default (PD) and Loss Given Default (LGD). Further, off-balance sheet exposures are also subject to impairment under the new Accounting Standard. The permitted changes on account of the “Day 1” impact of the migration to SLFRS 9 were adjusted against the Bank’s retained earnings brought forward to 2018, resulting in a reduction in net assets of Rs. 5.3 Bn. The Bank has been preparing for this development over the past several years by focusing on capital planning strategies to withstand the impact associated with such changes.

Other developments

Other key initiatives, developments and outcomes relating to risk management during the year included:

  • Intensified focus on maintaining asset quality and cybersecurity;
  • Expanded coverage of the credit risk review to 41.3% of the total portfolio (against the CBSL minimum requirement of 30% – 40%) and provided feedback on credit evaluation for continuous improvement;
  • Conducted SEMS evaluation on all facilities which may have social and environmental implications;
  • Obtained CBSL approval to move into Alternative Standardised Approach for operational risk computation which has resulted in a capital saving;
  • Further enhanced the scope of Risk Control Self-Assessment by onboarding several more business functions/processes;
  • Initiated a process for Root Cause Analysis of cash management related risk events in order to determine the adequacy of controls associated with the incidents;
  • Information Security Management System of the Bank was re-validated by external auditors and recommended for renewal of the ISO/IEC 27001:2013 certification; and
  • Mobile banking application of the Bank was externally validated for adherence to minimum compliance standards for payment related mobile applications, issued by the CBSL during 2018.

The overall risk profile of the Bank underwent changes with regard to credit quality, interest rate and FX rate related risks during 2018. Despite the formidable challenges in the operating environment, as a result of the strategic responses to these developments and the rigorous risk management framework in place, the Bank was able to successfully strengthen its stability and resilience, and enhance profitability during the year, as evident from the operating results posted for the year.

Risk appetite and risk profile of the Bank

The Bank has a clearly defined Risk Appetite Statement incorporating the strategic focus, the types of risk and the maximum amount of aggregate risk exposure the Bank is prepared to assume at any given point in time. Taking into account the regulatory requirements, the ability to withstand losses and stress with the available capital, funding and liquidity positions and the quality of the risk management framework, risk appetite has been expressed in terms of desired asset quality, maximum operational losses, maximum loss on forex operations, minimum liquid assets ratio and maximum repricing gaps on interest rate risk, among an exhaustive list of other risk parameters used to ascertain the overall risk profile of the Bank.

Aided by the solid risk management framework, the Bank monitors its risk profile which is the actual risk exposures across all the risk categories on an ongoing basis and takes swift remedial action for any deviations to ensure that it is kept within the risk appetite. With a stable capital adequacy and a strong liquidity position which define the capacity to assume risk, the Bank’s risk profile is characterised by a portfolio of high quality assets and stable sources of funding fairly diversified in terms of geographies, sectors, products, currencies, size and tenors.

Risk profile as at December 31, 2018 and December 31, 2017 compared to risk appetite as defined by the policy parameters is given below:

Table – 15

| Risk category and parameter | Key risk indicator | Policy parameter | Actual position 31.12.2018 | Actual position 31.12.2017 |
| --- | --- | --- | --- | --- |
| Credit risk: | | | | |
| Quality of lending portfolio | Gross NPA ratio | 4% – 5% | 3.24% | 1.88% |
| | Net NPA ratio | 2.5% – 3.5% | 1.71% | 0.92% |
| | Impairment percentage over total NPA | 85% – 60% | 61.45% | 74.23% |
| | Weighted average rating score of the overall lending portfolios | 35% – 40% | 56.62% | 57.63% |
| Concentration | Loans and advances by product – Highest exposure to be maintained as a percentage of the total loan portfolio | 30% – 40% | 20.43% | 21.46% |
| | Advances by economic sub sector (using HHI-Herfindahl-Hirschman-index) | 0.015 – 0.025 | 0.0151 | 0.016 |
| | Exposures exceeding 5% of the eligible capital (using HHI) | 0.05 – 0.10 | 0.0056 | 0.0071 |
| | Exposures exceeding 15% of the eligible capital (using HHI) | 0.10 – 0.20 | 0.0067 | 0.0095 |
| | Exposure to any sub sector to be maintained at | 4% – 5% | 4.75% | 4.04% |
| | Aggregate of exposures exceeding 15% of the eligible capital | 20% – 30% | 20.32% | 24.71% |
| Cross border exposure | Rating of the highest exposure of the portfolio on S&P Investment Grade – AAA to BBB- | AA | AAA | AAA |
| Market risk: | | | | |
| Interest rate risk | Interest rate shock: (Impact to NII as a result of 100bps parallel rate shock for LKR and 25bps for FCY) | Maximum of Rs. 2,250 Mn. | 1,538.85 Mn. | Rs. 1,243.61 Mn. |
| | Repricing gaps (RSA/RSL in each maturity bucket – up to one year period) | <1.5 Times (other than for the 1 month bucket which is <2.5 Times) | 0.98 Times (2.99 times for 1 month bucket) | 0.89 Times (2.34 times for 1 month bucket) |
| Operational risk | Operational loss tolerance limit (as a percentage of last three years average gross income) | 3% – 5% | 1.7% | 2.85% |
| Strategic risk: | | | | |
| | Capital adequacy ratios: CET 1 | Over 11% | 11.34% | 12.11% |
| | Capital adequacy ratios: Total capital | Over 15% | 15.60% | 15.75% |
| | ROE | Over 20% | 15.56% | 17.88% |
| | Creditworthiness – Fitch Rating | AA(lka) | AA(lka) | AA(lka) |

(RSA – Rate Sensitive Assets, RSL – Rate Sensitive Liabilities)

Credit ratings

The Bank is rated AA(lka)/Stable by Fitch Ratings Lanka Limited while its Bangladesh operations are rated AAA by Credit Rating Information and Services Limited (CRISL). The rating of AA(lka) is the strongest rating given to a Sri Lankan non-state sector bank while AAA is the highest credit rating given to any financial institution in Bangladesh by CRISL. These credit ratings depict the creditworthiness of the Bank and its ability to borrow, which in turn takes into account the underlying risk profile.

Types of risks

Conventionally, the Bank is exposed to credit, market, liquidity, operational, reputational, IT, legal and strategic risks which taken together determine the risk profile of the Bank. The Bank manages these risks through its robust risk management framework. Changes in various external and internal factors affect the risk profile on an ongoing basis. External factors include movements in macroeconomic variables, political instability, changes in Government fiscal and monetary policies, regulatory developments and growing stakeholder pressures. Such developments could impact disposable income of people, demand for banking products and services, funding mix, interest margins and tax liabilities of the Bank. Internal factors may include lapses in implementing the risk management framework, assumptions about macroeconomic variables turning out to be different, execution gaps in internal processes etc. Unlike internal factors which are inherently undesirable, external factors may at times have upside potential for banks to leverage. These factors, if not properly managed, may affect the risk profile of the Bank, hampering the objective of creating value for all its stakeholders through financial sustainability, overall stability and superior performance.

In addition, the Bank has identified certain potentially disruptive emerging risks and uncertainties. These have made the operating environment even more volatile and unpredictable for financial services institutions, making some of the long-standing assumptions about markets, competition and even business fundamentals less valid today. These call for the Bank to better understand the customer and deliver on their expectations while achieving execution excellence in internal processes. Believing that these offer opportunities to differentiate its value proposition for future growth, the Bank deals with these developments through appropriate strategic responses.

All these developments have made the operating environment very complex, dynamic and competitive and risk management very challenging. Nevertheless, the effective management of these risks and uncertainties is a sine qua non to the execution of the Bank’s strategy, creating value in the short, medium and long term for all its stakeholders. Hence, deliberations on risk management were on top of the agenda in all Board, Board Committee, and Executive Committee meetings of the Bank.

Risk management framework

In order to ensure a structured approach to managing all its risk exposures, the Bank has developed an overarching risk management framework based on the Three Lines of Defence model. Underpinned by rigorous organisational structures, systems, processes, procedures, and industry best practices, Risk Management Framework (RMF) takes into account all plausible risks and uncertainties the Bank is exposed to. The Three Lines of Defence model, which is the international standard, enables the Bank to have unique perspectives and specific skills for managing risk and guides its day-to-day operations with the optimum balance of responsibilities.

The components of the Bank’s RMF include risk governance comprising Board oversight, Management and respective committees, well-defined risk capacity, appetite and tolerance levels, Risk Control Self-Assessment, system of internal control, independent compliance and audit functions, infrastructure, risk culture and contingency planning for business continuity, disaster recovery and contingency funding.

RMF is subject to an annual review or more frequently if the circumstances so warrant, taking into account changes in the regulatory and operating environments.

Risk governance

As an essential element of the risk management framework, risk governance is basically the application of the best practice in corporate governance to risk management, comprising Board oversight, Board committees, executive functions and executive committees through which authority is exercised and decisions are taken and implemented. It facilitates accountability for risk at all levels of the Bank and across all risk types the Bank is faced with, enabling a disciplined approach to managing risk. The organisation of the Bank’s risk governance is given in Figure 30. Given the highly specialised nature and also in the interest of an integrated and consistent approach, decision-making on risk management is centralised to a greater extent in several risk management committees.

Board of Directors

As the body responsible for strategy and policy formulation, objective setting and for overseeing executive function, the Board of Directors has the overall responsibility for understanding the risks assumed by the Bank and the Group and for ensuring that they are appropriately managed. The Board discharges this responsibility directly by determining the risk appetite of the Bank which is strongly correlated to achieving its strategic goals and indirectly by delegating oversight responsibility to four Board committees which work closely with the executive functions and executive level committees to review and assess the effectiveness of the risk management function and report to the Board on a regular basis. These reports provide a comprehensive perspective of the Bank’s risk management efforts and outcomes, enabling the Board to identify the risk exposures, any potential gaps and mitigating actions necessary, on a timely basis. The tone at the top and the corporate culture reinforced by the ethical leadership of the Board play a key role in managing risk at the Bank.

Besides the tone at the top and the Three Lines of Defence, the ethical conduct of the business too plays a significant role in managing risk in the Bank. The Bank’s Code of Ethics sets out the Bank’s unwavering commitment and expectations of all the employees to undertaking business in a responsible, transparent and disciplined manner and demands the highest level of honesty, integrity and accountability from all employees.

Apart from the Bank, the Board of Directors carefully monitors the risk profile of all the subsidiaries in the Group: Commercial Development Company PLC, ONEzero Company Limited, Serendib Finance Limited, Commex Sri Lanka S.R.L. Italy, Commercial Bank of Maldives Private Limited and CBC Myanmar Microfinance Company Limited.

Board committees

The Board has set up four Board committees to assist it in discharging its oversight responsibilities for risk management. The four Board committees are:

  • Board Audit Committee (BAC)
  • Board Integrated Risk Management Committee (BIRMC)
  • Board Credit Committee (BCC)
  • Board Strategy Development Committee (BSDC) – set up in August 2018

Among other things, these committees periodically review and make recommendations to the Board on risk appetite, risk profile, strategic decisions, risk management and internal controls framework, risk policies, limits and delegated authority.

Details relating to composition, terms of reference, authority, meetings held and attendance, activities undertaken during the year etc., of each of these Board committees are given on pages 89 to 101.

Executive committees

Responsibility for the execution of the strategies and plans in accordance with the mandate of the Board of Directors while maintaining the risk profile within the approved risk appetite, rests with the Executive Management. Spearheaded by the Executive Integrated Risk Management Committee (EIRMC), a number of committees (listed below) on specific aspects of risk have been set up to facilitate risk management across the First and the Second Lines of Defence. Comprising members from units responsible for credit risk, market risk, liquidity risk, operational risk and IT risk, EIRMC coordinates communication with the BIRMC to ensure that risk is managed within the risk appetite. Details relating to composition of each of the executive committees are given in the section on “How We Govern”.

  • Asset and Liability Committee (ALCO)
  • Credit Policy Committee (CPC)
  • Executive Committee on Monitoring Non-Performing Advances (ECMN)
  • Information Security Council (ISC)
  • Business Continuity Management Steering Committee (BCMSC)

Integrated Risk Management Department (IRMD) is headed by the Chief Risk Officer who participates in the above executive committees and also participates in the four Board committees overseeing risk management. The IRMD independently monitors compliance of the First Line of Defence to the laid down policies, procedures and limits and escalates deviations to the relevant executive committees. It also provides the perspective on all types of risk for the above committees to carry out independent risk evaluations and share their findings with the Line Managers and Senior Management to ensure effective communication of material issues and to initiate deliberations and necessary action.

Risk management infrastructure

Risk management infrastructure of the Bank includes both human and physical resources that enhance the preparedness to identify and manage risk, including the mandate, policies and procedures, limits, tools, databases, competencies, communication etc. Significant investments have been made in resources to build capacity in risk management infrastructure and to keep it up to date by embracing international best practices. This is part of the overall risk management system, in line with the Board-approved roadmap towards achieving a fully-fledged risk management system in the near future.

Given that managing risk is a responsibility of each and every employee of the Bank for which each and every employee needs to understand the risks the Bank is exposed to, IRMD provides appropriate training/awareness to the employees, risk owners in particular, disseminating knowledge and enhancing skills on all aspects related to risk, inculcating the desired risk culture.

Risk management policy, procedures and limits

The Bank has a comprehensive risk management policy that addresses all the risks managed by the Bank, encompassing compliance with the regulatory requirements including the Banking Act Direction No. 07 of 2011 – Integrated Risk Management Framework for Licensed Commercial Banks based on the Basel Framework and subsequent directives issued by the CBSL. Apart from institutionalising the risk knowledge base, this helps minimise bias and subjectivity in risk decisions. This key document clearly defines the objectives, outlines priorities and processes and roles of the Board and the Management in managing risk, shaping the risk culture of the Bank. The Risk Assessment Statement (RAS) sets out the limits for risks and forms an integral part of the risk management framework. The RAS and all risk policies are reviewed by the BIRMC and Board of Directors at least annually or more frequently depending on the regulatory and business needs.

The overall risk exposure of the Bank including its overseas operations is compliant with the regulatory framework of the CBSL. Additionally, in order to ensure compliance, the risk management framework takes into account the regulatory requirements of the respective countries where the Bank conducts its operations.

The Bank has issued detailed operational guidelines to facilitate implementation of the risk management policy and the limits specified in the RAS. These guidelines relate to specification of types of facilities, processes and terms and conditions under which the Bank conducts business, providing clarity to the employees in their day-to-day work.

Risk management tools

The Bank employed a combination of qualitative and quantitative tools for identifying, measuring, managing and reporting risks. The choice of a tool(s) for managing a particular risk depended on the likelihood of occurrence and the impact of the risk as well as the availability of data. These tools varied from threat analysis, risk policies, risk registers, risk maps, risk dashboards, diversification, Social and Environmental Management System, workflow-based operational risk management system, insurance and benchmarking to limits, gap analysis, NPV analysis, swaps, caps and floors, hedging, risk rating, risk scoring, risk modelling, duration, scenario analysis, marking to market, stress testing and VaR analysis.

A description of the different types of risks managed by the risk management function of the Bank and risk mitigation measures adopted are as follows: