Governance and Risk Management

Risk Governance and Management

Business model and risk

The business model of the Bank is centred around financial intermediation and maturity transformation (refer Business Model for Sustainable Value Creation). This enabled the Bank to operate at a much higher level of assets (Rs. 1,387.35 Bn. as at December 31, 2019) relative to the capital available (Rs. 133.16 Bn.), leading to an on-balance-sheet gearing of 10.42 times. This exposed the Bank to a multitude of risks. While credit risk continues to be the dominant risk, followed by operational and market risks based on the amount of capital allocated as per Basel capital adequacy requirements, a host of other risks has also arisen from various emerging developments. Some of these developments are threatening to disrupt the business model of the Bank built on playing an intermediary role (refer Outlook for a list of such emerging developments). As a result, it is imperative that the Bank has a robust risk governance framework and a rigorous risk management function to manage the associated risks, enabling it to optimise the trade-off between risk and return and continue to create value sustainably into the future.

The Bank has taken this context and outlook into account when formulating its risk management strategy in terms of the underlying risk governance and risk management framework.

From a risk management perspective, year 2019 was characterised by lacklustre economic growth, a sharp deterioration in asset quality following the April terrorist attack, stifled credit growth and the resulting excess liquidity, import restrictions and political instability.


The primary objectives of the Bank’s risk governance framework and the risk management function are:

  • to establish the necessary organisational structure for the management and oversight of risk;
  • to define the desired risk profile in terms of risk appetite and risk tolerance levels;
  • to institutionalise a strong risk culture within the Bank;
  • to establish functional responsibility for decisions relating to accepting, transferring, mitigating and minimising risks and recommending ways of doing so;
  • to evaluate the risk profile against the approved risk appetite on an ongoing basis;
  • to estimate potential losses that could arise from risk exposures assumed;
  • to periodically conduct stress testing to ensure that the Bank holds sufficient buffers of capital and liquidity to meet unexpected losses and honour contractual obligations; and
  • to integrate risk management with strategy development and execution.

Key developments in 2019

Major initiatives relating to risk governance and risk management during the year included:

  • Getting the internally developed credit risk rating model validated by an external party.
    The validation process led to further improvements and calibrations to the statistical and qualitative parameters of the models and provided the required confirmation that the methods used to develop the models are conceptually sound, that the rating models effectively capture the risk and that the underlying data is reasonably accurate. Rating models are currently being used for the evaluation of credit risk at the individual facility level, for the aggregation of credit risk at the portfolio level, for assessment of the relative stability of the portfolio including stress testing of the impact of rating migration on the Bank's performance, and for assessment of the adequacy of regulatory capital, etc. Upon approval of the CBSL, the internal credit risk ratings can be used for the computation of regulatory capital requirements of the Bank under the advanced approaches of the Basel III guidelines. Further, the availability of robust credit rating models acts as a precursor for the adoption of risk-based pricing, sensitivity analysis, stress testing and computing statistical measurements for expected credit loss evaluation.
  • A project initiated for implementing an early warning signals (EWS) framework with a view to further enhancing credit quality.
    Based on a combination of financial and market intelligence, EWS will enable detection of financially stressed borrower accounts in the existing loan/lending portfolio across all segments. Further, it will provide alerts/signals in case of potential lending opportunities that are in application/evaluation stage, predict and prompt for proactive corrective actions on deteriorating borrowing relationships based on their health as against the defined directive of measurement of such assets and be used in reporting, monitoring and as a follow-up mechanism.
  • Establishment of Centralised Credit Processing Unit (CCPU) for advances.
    The CCPU was established during the year (described in detail in the section on Operational Excellence) to improve operational efficiency. It also brought about a fundamental segregation of the credit analysis function from marketing activities, ensuring independence in assessment and removing biases, which will invariably support underwriting of a high-quality portfolio in the future.
  • Introduced Risk Adjusted Return on Capital (RAROC) framework.
    Having recognised the need for standard economic-risk measures derived from internally available data, the Bank initiated the introduction of a RAROC framework in 2019 under the consultancy of an external expert. With this, the Bank is optimistic about implementing performance tracking and a pricing tool that incorporates the economic cost of risk and captures the contribution of each business to the Bank’s cost of capital. This would contribute significantly to improvements in capital allocation, business performance tracking and overall risk management. In addition, RAROC will add to the armoury of important strategic decision-making tools, further strengthening the risk management framework of the Bank.
  • Enhanced information security governance in line with CBSL directions.
    The Information Security Council of the Bank, which is the apex management-level body responsible for information security of the Bank, was reconstituted in line with the CBSL Direction for Technology Risk Management (Consultation Paper), with the Managing Director as its Chairman and with periodic reporting to the BIRMC and the Board of Directors. In order to enable the Board of Directors to have effective oversight of the adequacy and effectiveness of the information security and technology risk management procedures of the Bank, the Board participated in a knowledge-enhancing session covering cyber security and technology risk resilience conducted by an industry expert.
  • Intensified focus on information and cyber security.
    Baseline Security Standard (BSS) was rolled-out across the branch network and in the Head Office departments. All information security related policies and procedures were independently reviewed under the BSS implementation and a draft framework for information security Key Performance Indicators was developed.
    Bank commenced work towards fulfilling requirements prescribed in the CBSL Direction for Technology Risk Management (Consultation Paper) through the information security road map devised for the Bank – with focus for 2019 being on Security Operations Centre, Privilege Access Management and Data Loss Prevention. Bank also initiated work towards establishing a proper data protection unit under a dedicated Data Protection Officer with responsibility for developing and implementing the Bank’s data protection strategy covering such aspects as data classification, data leakage prevention, maintaining comprehensive records of all data processing activities, managing/ controlling outgoing data, etc.

Other key developments and outcomes relating to risk management during the year included:

  • Intensified focus on maintaining asset quality;
  • Conducted meetings of the Executive Committee on Monitoring NPAs on a monthly basis with the participation of Line Heads of Corporate/Personal Banking and the Recoveries Department to discuss strategies to turn around the NPA portfolio;
  • Achieved credit risk review coverage of 39.8% of the total portfolio during the year (as compared to the CBSL minimum requirement of 30% – 40%);
  • Enhanced the scope of operational risk reviews on the subsidiaries of Commercial Bank Group by including CBC Myanmar Microfinance Ltd;
  • Successfully renewed the ISO27001:2013 and the PCI DSS certifications of the Bank for 2019, with the re-validation of the Information Security Management System and the PCI DSS implementation by external auditors;
  • Completed the pilot roll-out of the SEMS e-learning platform for staff training under the Sustainable Banking Initiative of the Sri Lanka Banks’ Association.

In line with the industry-wide trend experienced, the overall credit risk of the Bank heightened with a deterioration in asset quality, as reflected in the gross and net non-performing loans ratios of 4.95% and 3.00% respectively as at 31.12.2019 as against 3.24% and 1.71% a year before. As a result of the interest rate reduction that took place in the market and the excess liquidity that prevailed in the Bank, market risk too increased slightly during the year. Operational risk, however, did not undergo any major changes compared to the previous year. Despite the formidable challenges in the operating environment, the Bank was able to successfully maintain its stability, resilience and profitability during the year, as evident from the operating results and financial position, as a result of the strategic responses to these developments and the robust risk governance and the rigorous risk management function in place.

Risk profile

Risk profile of the Bank as at December 31, 2019 and December 31, 2018 compared to the risk appetite as defined by the policy parameters is given below:

Risk profile

Table – 16

Risk category and parameter | Key risk indicator | Policy parameter | Actual position 31.12.2019 | Actual position 31.12.2018

Credit risk:
Quality of lending portfolio | Gross NPA ratio | 4% – 7% | 4.95% | 3.24%
Quality of lending portfolio | Net NPA ratio | 3% – 4% | 3.00% | 1.71%
Quality of lending portfolio | Impairment percentage over total NPA | 40% – 60% | 42.39% | 54.67%
Quality of lending portfolio | Weighted average rating score of the overall lending portfolios | 35% – 40% | 53.44% | 56.62%
Concentration | Loans and advances by product – highest exposure to be maintained as a percentage of the total loan portfolio | 30% – 40% | 19.73% | 20.43%
Concentration | Advances by economic sub sector (using HHI – Herfindahl-Hirschman Index) | 0.015 – 0.025 | 0.015 | 0.015
Concentration | Exposures exceeding 5% of the eligible capital (using HHI) | 0.05 – 0.10 | 0.006 | 0.006
Concentration | Exposures exceeding 15% of the eligible capital (using HHI) | 0.10 – 0.20 | 0.004 | 0.007
Concentration | Exposure to any sub sector | 4% – 5% | 3.97% | 4.75%
Concentration | Aggregate of exposures exceeding 15% of the eligible capital | 20% – 30% | 12.61% | 20.32%
Cross border exposure | Rating of the highest exposure of the portfolio on S&P | Investment Grade AAA to BBB | AA AAA | AAA

Market risk:
Interest rate risk | Interest rate shock (impact to NII as a result of a 100bps parallel rate shock for LKR and 25bps for FCY) | Maximum of Rs. 2,500 Mn. | Rs. 932.75 Mn. | Rs. 1,560.76 Mn.
Interest rate risk | Re-pricing gaps (RSA/RSL in each maturity bucket – up to one-year period) | <1.5 Times (other than for the 1 month bucket, which is <2.5 Times) | 1.39 Times (2.56 Times for 1 month bucket) | 0.98 Times (2.99 Times for 1 month bucket)

Operational risk:
Operational risk | Operational loss tolerance limit (as a percentage of last three years' average gross income) | 3% – 5% | 0.78% | 1.70%

Strategic risk:
Capital adequacy ratios | CET 1 | Over 11% | 12.298% | 11.338%
Capital adequacy ratios | Total capital | Over 15% | 16.146% | 15.603%
Profitability | ROE | Over 20% | 13.54% | 15.56%
Creditworthiness | Fitch Rating | AA(lka) | AA(lka) | AA(lka)

(RSA – Rate Sensitive Assets, RSL – Rate Sensitive Liabilities)
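The concentration, gearing and band-monitoring indicators in Table 16 are simple to recompute, and doing so is the kind of control check a risk or audit function runs on its own data. The following Python is an added example, not code from the Bank's report: it computes the Herfindahl-Hirschman Index and the largest single share over a constructed sample of sub-sector advances (the sector figures are invented for illustration and are not the Bank's data), recomputes the on-balance-sheet gearing from the asset and capital totals quoted above, and checks the 31.12.2019 actuals of four indicators against the policy bands in the table. The `band_status` function only reports where a value sits relative to its band; whether "above" or "below" is adverse depends on the indicator, so that judgement is left to the caller.

```python
"""Added example (not the Bank's own code): recompute risk-profile indicators
and check them against policy bands. Sector exposures are constructed data."""
from typing import Dict, Optional, Tuple

Band = Tuple[Optional[float], Optional[float]]  # (lower, upper); None = open end


def hhi(exposures: Dict[str, float]) -> float:
    """Herfindahl-Hirschman Index on fractional shares: sum of share_i ** 2.
    Ranges from 1/n (perfectly even spread over n names) to 1.0 (one name)."""
    total = sum(exposures.values())
    if total <= 0:
        raise ValueError("total exposure must be positive")
    return sum((v / total) ** 2 for v in exposures.values())


def largest_share(exposures: Dict[str, float]) -> Tuple[str, float]:
    """Name and fractional share of the single largest exposure, i.e. the
    'exposure to any sub sector' indicator before converting to a percentage."""
    total = sum(exposures.values())
    name = max(exposures, key=lambda k: exposures[k])
    return name, exposures[name] / total


def gearing(total_assets: float, capital: float) -> float:
    """On-balance-sheet gearing: total assets divided by available capital."""
    if capital <= 0:
        raise ValueError("capital must be positive")
    return total_assets / capital


def band_status(value: float, band: Band) -> str:
    """Where an observed value sits relative to a policy band (inclusive ends).
    Returns 'below', 'within' or 'above'; the caller decides which of these is
    adverse for the indicator in question (e.g. a high NPA ratio is bad, a
    high capital ratio is good)."""
    lo, hi = band
    if lo is not None and value < lo:
        return "below"
    if hi is not None and value > hi:
        return "above"
    return "within"


# Policy bands and 31.12.2019 actuals from Table 16, in percent.
# 'Over 11%' is an open upper end, encoded as (11.0, None).
KRI_2019 = {
    "Gross NPA ratio": (4.95, (4.0, 7.0)),
    "Net NPA ratio": (3.00, (3.0, 4.0)),
    "CET 1": (12.298, (11.0, None)),
    "ROE": (13.54, (20.0, None)),
}


def check_kris(kris: Dict[str, Tuple[float, Band]] = KRI_2019) -> Dict[str, str]:
    """Band status for every indicator in the supplied dictionary."""
    return {name: band_status(val, band) for name, (val, band) in kris.items()}


# Constructed sample: advances by economic sub sector in Rs. Mn. These are
# illustrative numbers only, not the Bank's actual sector exposures.
SAMPLE_SECTORS = {
    "Trading": 40.0,
    "Manufacturing": 30.0,
    "Construction": 20.0,
    "Agriculture": 10.0,
}

if __name__ == "__main__":
    name, share = largest_share(SAMPLE_SECTORS)
    print(f"HHI of sample sectors: {hhi(SAMPLE_SECTORS):.3f}")
    print(f"Largest sub-sector share: {name} at {share:.1%}")
    print(f"Gearing (Rs. 1,387.35 Bn. / Rs. 133.16 Bn.): {gearing(1387.35, 133.16):.2f} times")
    for kri, status in check_kris().items():
        print(f"{kri}: {status} policy band")
```

Running the block prints the HHI of 0.300 for the four-sector sample, the gearing of 10.42 times that matches the figure quoted in the opening paragraph, and reports ROE as "below" its "Over 20%" band while the other three indicators are "within" theirs.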

Risk appetite and risk profile

The Bank has a clearly defined Risk Appetite Statement incorporating the strategic focus, the types of risk and the maximum amount of aggregate risk exposure the Bank is prepared to assume at any given point in time. Taking into account the regulatory requirements, the ability to withstand losses and stress with the available capital, funding and liquidity positions and the quality of the risk management framework, risk appetite has been expressed in terms of desired asset quality, maximum operational losses, maximum loss on forex trading operations, minimum liquid assets ratio and maximum re-pricing gaps on interest rate risk, among other exhaustive list of risk parameters in use to ascertain overall risk profile of the Bank.

Aided by the solid risk management function, the Bank monitors its risk profile, which is the actual risk exposure across all the risk categories, on an ongoing basis and takes swift remedial action on any deviations to ensure that it is kept within the risk appetite. With strong capital adequacy and a strong liquidity position, which define the capacity to assume risk, the Bank’s risk profile is characterised by a portfolio of high-quality assets and stable sources of funding, fairly diversified in terms of geographies, sectors, products, currencies, size and tenors.

Credit ratings

The Bank was rated AA(lka)/Stable by Fitch Ratings Lanka Limited during 2019, but the outlook was revised to negative in January 2020 consequent to the revision of the outlook of the Sri Lankan sovereign and the deterioration in the operating environment. The Bank’s Bangladesh operations are rated AAA by Credit Rating Information and Services Limited (CRISL). The rating of AA(lka) is the strongest rating given to a Sri Lankan non-state sector bank, while AAA is the highest credit rating given to any financial institution in Bangladesh by CRISL. These credit ratings depict the creditworthiness of the Bank and its ability to borrow, which in turn takes into account the underlying risk profile.

Outlook and plans for 2020 and beyond

Please refer Operating Environment for an analysis of the outlook for the Sri Lankan economy and the financial services sector for 2020 and beyond.

The Bank expects the importance of the risk governance and risk management function to increase in the wake of widening and deepening banking regulation, pervasive technological advances and macroeconomic shocks. Hence, the Bank will continue to strengthen the risk governance and risk management function further through the necessary changes to the mandate, structure, resourcing, competencies, technologies, MIS, data analytics etc., thereby aligning business strategies with sound risk management practices and making the risk management function more forward-looking and proactive.

Specific initiatives in this regard will include:

  • Implementing a Security Incident and Event Management solution and extending it towards a proper Security Operations Centre;
  • Completing the implementation of the identified Privilege Access Management solution and operationalising it by establishing the required policy/procedure for independent review of privileged user access;
  • Active participation of the risk management function in the strategy setting and planning process;
  • Adopting a more forward-looking approach to risk management.

Risk management framework

In order to ensure a structured approach to managing all its risk exposures, the Bank has developed an overarching risk management framework based on the Three Lines of Defence model. Underpinned by rigorous organisational structures, systems, processes, procedures and industry best practices, Risk Management Framework (RMF) takes into account all plausible risks and uncertainties the Bank is exposed to. The Three Lines of Defence model, which is the international standard, enables the Bank to have specific skills for managing risk and guides its day-to-day operations with the optimum balance of responsibilities.

RMF is subject to an annual review or more frequently if the circumstances so warrant, taking into account changes in the regulatory and operating environments.

Three lines of defence

Figure – 19

Risk Governance

Risk governance is the responsibility of the Board for establishing the necessary organisational structure for the management and oversight of risk, defining the risk profile in terms of the risk appetite and the risk tolerance levels and institutionalising a strong risk culture.

Applying the best practice in corporate governance to risk management, Board of Directors has established a robust governance structure comprising Board committees, executive functions and executive committees through which authority is exercised and decisions are taken and implemented. It facilitates accountability for risk at all levels of the Bank and across all risk types the Bank is faced with, enabling a disciplined approach to managing risk. The organisation of the Bank’s risk governance is given in Figure 20. Given the highly specialised nature and also in the interest of an integrated and consistent approach, decision-making on risk management is centralised to a greater extent in several risk management committees.

Board of Directors

As the body responsible for strategy and policy formulation, objective setting and for overseeing executive functions, the Board of Directors (refer the section on Board of Directors and Profiles for the profiles of the members) has the overall responsibility for understanding the risks assumed by the Bank and the Group and for ensuring that they are appropriately managed. The Board discharges this responsibility directly by determining the risk appetite of the Bank which is strongly correlated to achieving its strategic goals and indirectly by delegating oversight responsibility to four Board committees (listed below) which work closely with the executive functions and executive level committees to review and assess the effectiveness of the risk management function and report to the Board on a regular basis. These reports provide a comprehensive perspective of the Bank’s risk management efforts and outcomes, enabling the Board to identify the risk exposures, any potential gaps and mitigating actions necessary, on a timely basis. The tone at the top and the corporate culture reinforced by the ethical leadership of the Board plays a key role in managing risk at the Bank.

Besides the tone at the top and the Three Lines of Defence model, the ethical conduct of the business too plays a significant role in managing risk in the Bank. The Bank’s Code of Ethics sets out the Bank’s unwavering commitment and expectations of all the employees to undertaking business in a responsible, transparent and disciplined manner and demands the highest level of honesty, integrity and accountability from all employees.

Apart from the Bank, the Board of Directors closely monitors the risk profile of all the subsidiaries in the Group (refer the list of subsidiaries).

Board committees

The Board has set up four Board committees, as given below, to assist it in discharging its oversight responsibilities for risk management:

  • Board Audit Committee (BAC)
  • Board Integrated Risk Management Committee (BIRMC)
  • Board Credit Committee (BCC)
  • Board Strategy Development Committee (BSDC)

Among other things, these committees periodically review and make recommendations to the Board on risk appetite, risk profile, strategic decisions, risk management and internal controls framework, risk policies, limits and delegated authority.

Details relating to composition, terms of reference, authority, meetings held and attendance, activities undertaken during the year etc., of each of these Board committees are given in the chapter on Governance and Risk Management.

Executive committees

Responsibility for the execution of the strategies and plans in accordance with the mandate of the Board of Directors while maintaining the risk profile within the approved risk appetite, rests with the Executive Management. Spearheaded by the Executive Integrated Risk Management Committee (EIRMC), a number of committees (listed below) on specific aspects of risk have been set up to facilitate risk management across the First and the Second Lines of Defence.

  • Asset and Liability Committee (ALCO)
  • Credit Policy Committee (CPC)
  • Executive Committee on Monitoring Non-Performing Advances (ECMN)
  • Information Security Council (ISC)
  • Business Continuity Management Steering Committee (BCMSC)

Comprising members from units responsible for credit risk, market risk, liquidity risk, social and environmental risk, operational risk and IT risk, EIRMC coordinates communication with the BIRMC to ensure that risk is managed within the risk appetite. Details relating to composition of each of the executive committees are given in the section on “How We Govern”.

The Integrated Risk Management Department (IRMD) is headed by the Chief Risk Officer, who participates in the executive committees listed above and in the BIRMC, BCC and BAC. The IRMD independently monitors compliance of the First Line of Defence (LOD) with the laid-down policies, procedures and limits and escalates deviations to the relevant executive committees. It also provides the perspective on all types of risk for the above committees to carry out independent risk evaluations and share their findings with the Line Managers and Senior Management, enabling effective communication of material issues and initiating deliberations and necessary action.

Risk governance structure

Figure – 20

BAC – Board Audit Committee, BIRMC – Board Integrated Risk Management Committee, BCC – Board Credit Committee, BSDC – Board Strategy Development Committee,
ISC – Information Security Council, ALCO – Asset & Liability Committee, EIRMC – Executive Integrated Risk Management Committee, BCMSC – Business Continuity Management Steering Committee,
ECMN – Executive Committee on Monitoring NPAs, CPC – Credit Policy Committee, ESDC – Executive Strategy Development Committee, IRMD – Integrated Risk Management Department,
CRMU – Credit Risk Management Unit, CRRU – Credit Risk Review Unit, SEMS – Social & Environmental Management System, TMO – Treasury Middle Office, MRMU – Market Risk Management Unit,
ORMU – Operational Risk Management Unit, ITRU – IT Risk Management Unit

Risk Management

Risk management is the functional responsibility for identifying, assessing and mitigating risks, finding risk mitigation methods, monitoring early warning signs, forecasting potential for future losses and implementing plans to contain losses/ risk transfer.

Risk management infrastructure

Risk management infrastructure of the Bank includes both human and physical resources that enhance the preparedness to identify and manage risk including the mandate, policies and procedures, limits, tools, databases, competencies, communication etc. Significant investments were made in resources to build capacity in risk management infrastructure and to maintain it up to date by embracing international best practices.

Given that managing risk is a responsibility of each and every employee of the Bank for which each and every employee needs to understand the risks the Bank is exposed to, IRMD provides appropriate training/awareness to the employees, risk owners in particular, disseminating knowledge and enhancing skills on all aspects related to risk, inculcating the desired risk culture.

Risk management policy, procedures and limits

The Bank has a comprehensive risk management policy that addresses all the risks managed by the Bank, encompassing compliance with the regulatory requirements including the Banking Act Direction No. 07 of 2011 – Integrated Risk Management Framework for Licensed Commercial Banks based on the Basel Framework and subsequent directives issued by the CBSL. Apart from institutionalising the risk knowledge base, this helps to minimise bias and subjectivity in risk decisions. This key document clearly defines the objectives, outlines priorities and processes as well as the roles of the Board and the Management in managing risk, shaping the risk culture of the Bank. The Risk Assessment Statement (RAS) sets out the limits for risks and forms an integral part of the risk management framework. The RAS and all risk policies are reviewed by the BIRMC and Board of Directors at least annually or more frequently depending on the regulatory and business needs.

The overall risk exposure of the Bank including its overseas operations is compliant with the regulatory framework of the CBSL. Additionally, in order to ensure compliance, the risk management framework takes into account the regulatory requirements of the respective countries where the Bank conducts its operations.

The Bank has issued detailed operational guidelines to facilitate implementation of the risk management policy and the limits specified in the RAS. These guidelines relate to specification of types of facilities, processes and terms and conditions under which the Bank conducts business, providing clarity to the employees in their day-to-day work.

Risk management framework

Figure – 21

Risk management tools

The Bank employs a combination of qualitative and quantitative tools for identifying, measuring, managing and reporting risks. The choice of a tool(s) for managing a particular risk depends on the likelihood of occurrence and the impact of the risk as well as the availability of data. These tools vary from early warning signs, threat analysis, risk policies, risk registers, risk maps, risk dashboards, RCSA, diversification, covenants, Social and Environmental Management System, workflow-based operational risk management system, insurance and benchmarking to limits, gap analysis, NPV analysis, swaps, caps and floors, hedging, risk rating, risk scoring, risk modelling, Duration, scenario analysis, marking to market, stress testing and VaR analysis.

Summary of key risks

Figure – 22

Types of risks

Conventionally, the Bank is exposed to credit, market, liquidity, operational, reputational, IT, legal and strategic risks, which taken together determine the risk profile of the Bank. The Bank manages these risks through its robust risk management framework. Changes in various external and internal factors affect the risk profile on an ongoing basis. External factors include movements in macroeconomic variables, political instability, changes in Government fiscal and monetary policies, regulatory developments, mounting stakeholder pressures and growing sustainability concerns. Such developments could impact public perceptions, disposable income of people, demand for banking products and services, funding mix, interest margins and tax liabilities of the Bank. Internal factors may include strategic miscalculations, lapses in implementing the risk management framework, assumptions about macroeconomic variables turning out to be different, execution gaps in internal processes etc. These factors, if not properly managed, may affect the risk profile of the Bank, hampering the objective of sustainable value creation for all its stakeholders in the short, medium and long term.

In addition, certain potentially disruptive emerging risks and uncertainties have made the operating environment even more volatile and unpredictable, leading to some of the long-standing assumptions about markets, competition and even business fundamentals to be less valid today. These call for the Bank to better understand the customer and deliver on their expectations while achieving execution excellence in internal processes. Believing that these offer opportunities to differentiate its value proposition for future growth, the Bank deals with these developments through appropriate strategic responses. Summary of key risks is given in Figure 22.

All these developments have made the operating environment very complex, dynamic and competitive and risk management very challenging. Nevertheless, the effective management of these risks and uncertainties is a sine qua non to the execution of the Bank’s strategy, creating value in the short, medium and long term for all its stakeholders. Hence, deliberations on risk management were on top of the agenda in all Board, Board Committee and Executive Committee meetings of the Bank.

A description of the different types of risks managed by the risk management function of the Bank and risk mitigation measures adopted are as follows: