Governance and Risk Management

Risk Governance and Management

Navigating 2020

The COVID-19 pandemic made the year 2020 unprecedented in recent history, with a vast majority of individuals, communities and organisations across the globe being severely affected in terms of their lives and livelihoods. Besides the demand and supply side shocks, it has shaken the financial markets with bond yields, oil, and equity prices falling sharply and trillions of dollars across most of the asset classes seeking safety. Central banks the world over proactively intervened with various measures such as interest rate cuts, intervention in the repo market, injecting liquidity into the markets, easing regulatory capital and liquidity requirements, extending moratoriums and concessionary refinancing schemes, temporary waiver of rules and regulations, etc. to calm the markets, minimise the impact, maintain customer confidence and support economic growth.

Hot on the heels of the Easter Sunday attack in 2019, the pandemic caused a double whammy on the Sri Lankan economy. Deteriorating economic activity and less favourable economic outlook exerted immense pressure on certain industries, affected asset quality, and reduced demand for banking products and services. These developments aggravated the challenges faced by the financial services industry in terms of growing business and maintaining operational excellence besides addressing health and safety concerns of employees and the public in general. These coupled with the still evolving nature of the pandemic and the continuing uncertainty surrounding it elevated the risk profiles of the financial institutions, requiring them to remain extra vigilant.

The pandemic also turned out to be a digital banking ‘reality check’ for financial institutions, regulators and governments. Despite all the preparations over the past several years for a ‘digital banking ecosystem’, many came to the realisation that basic digital banking deliverables were falling short of expectations at a time when the consumer had few options. From the opening of a new account and on-boarding customers to digital platforms, to the application for a loan or authorising identities, the existing digital banking systems were found to be inadequate to support banking without branches.

However, with the swift action by the regulator to temporarily allow opening of wallet and wallet facilitation accounts fulfilling the KYC requirements digitally, the Bank was able to utilise its fully-fledged Digital Bank Account for on-boarding new customers and allow opening of accounts 100% digitally. The Bank also facilitated self on-boarding of existing customers to online applications to support the digital drive.

From a risk management perspective, restrictions on physical movements, strict health and safety regulations, adoption of new working arrangements, relaxation of certain regulatory requirements to accommodate continuity of banking operations, lacklustre economic growth, import restrictions, a deterioration in asset quality, muted credit growth resulting in excess local currency liquidity, and a dearth in foreign currency flows due to global business disruptions, etc. posed severe challenges to financial institutions.

Managing the impact of Covid-19

Covid-19 tested the effectiveness and agility of the risk management processes and practices in place at the Bank. As a result of the Bank having formulated its risk management strategy in terms of the underlying risk governance and risk management framework by taking the context and outlook into account, the Bank was able to take meaningful and timely measures to minimise the impact of Covid-19 on its day-to-day operations, continue to service the customer with minimal disruptions and maintain asset quality and viability of its operations. These measures included activation of the business continuity and contingency plans, close monitoring of stress indicators, regular communication with the stakeholders, strict adherence to health and safety guidelines, alternative workplace arrangements such as split work sites, Working From Home (WFH), flexible working arrangements by rotating shifts for employees, self on-boarding on digital applications as permitted by the regulator, strengthening further the outreach to customers through existing means such as ‘Banking on Wheels’/ mobile ATM etc. A lot of valuable lessons have also been learned in the process on how to retain operational resilience, which can be implemented when normalcy returns. Certainly, the pandemic has further accelerated migration of financial service delivery to digital channels and connectivity.

Although business continuity and disaster recovery plans in place had not been tested for wide-scale impacting scenarios such as those arising out of the pandemic leading to a real “Black Swan” event resulting in a “Perfect Storm”, and the proportion of staff that was required to work remotely exceeded what was envisaged while developing these plans, the Bank managed to promptly deploy effective and secure remote working solutions and collaboration tools in order to keep the interruptions to customer services at a minimum. Within a very short time-span, the Bank managed to enhance its existing remote access solutions by leveraging globally-renowned, sophisticated remote access technologies fortified with multiple layers of security.

As evident from the results of operations and financial position reflected in the financial statements published in this Annual Report, the Bank was able to demonstrate resilience against the tide and successfully weather the vulnerable, uncertain, complex, and ambiguous operating environment during the year. Further, the Bank has already commenced necessary re-building and improvements to fortify itself for possible crisis situations in the future, in a far more challenging environment than in the past.

Business model and risk

Being a commercial bank, the Bank’s business model is centered around financial intermediation and maturity transformation (refer Business Model for Sustainable Value Creation), which enabled the Bank to gear its capital of Rs. 157.2 Bn. 11 times to operate with an on-balance sheet asset base of Rs. 1,736.2 Bn. as at December 31, 2020. This exposes the Bank to a multitude of risks, which conventionally include credit risk (71%), operational risk (4%) and market risk (3%) in particular, based on the amount of capital allocated as per Basel capital adequacy requirements. In addition, a host of ancillary risks have also arisen due to various emerging developments, which are threatening to disrupt the business model of the Bank (refer Operating Context and Outlook for a list of such emerging developments) although many such risks are not self-made. These together with the impact of Covid-19, which materially impacted almost all the main risk categories, elevated the risk profile of the Bank, making it imperative that it has a robust risk governance framework and a rigorous risk management function to manage the associated risks, enabling it to optimise the trade-off between risk and return, and continue to create value sustainably into the future.


The primary objectives of the Bank’s risk governance framework and the risk management function are:

  • to establish the necessary organisational structure for the management and oversight of risk;
  • to define the desired risk profile in terms of risk appetite and risk tolerance levels;
  • to institutionalise a positive risk culture within the Bank embodying values, beliefs, attitudes, and practices that drive highly effective risk decisions;
  • to establish functional responsibility for decisions relating to accepting, transferring, mitigating and minimising risks, and recommending the best ways of doing so;
  • to evaluate the risk profile against the approved risk appetite on an ongoing basis;
  • to estimate potential losses that could arise from risk exposures assumed;
  • to periodically conduct stress testing to ensure that the Bank holds sufficient buffers of liquidity and capital to honour contractual obligations and meet unexpected losses; and
  • to integrate risk management with strategy formulation and execution.

Key developments in 2020

Major initiatives relating to risk governance and risk management during the year included:

  • Carrying out analysis to proactively identify Risk Elevated Industries

Given that the challenging operating environment may have a significant impact on the Bank’s lending portfolio based on concentrations associated with different industries to which the Bank has exposures, it became of paramount importance to the Bank to isolate and manage industry risk by understanding its exposures most at risk. This became essential to develop capabilities and strategies to manage such exposures and to make an informed assessment of potential for expected credit losses and their impact on the Bank’s capital levels.

The Bank’s careful analysis revealed that, as the Government support for the economy tapers off and the Bank’s own relief schemes to borrowers subside, the delinquencies are likely to increase in the subsequent years owing to the prolonged effects of the economic downturn amplified by the COVID-19 pandemic. A more proactive approach therefore was warranted by making provisions to withstand the impact of exposures to Risk Elevated Sectors on the Bank’s capital base.

Accordingly, the Bank carried out an analysis to identify Risk Elevated Industries under Covid-19 related stressed operating environment based on the “Availing of Moratoria” by borrowers in the Bank’s loan book. This was done by identifying and classifying the facilities for which moratoria were granted based on the Lending Sectors to which the loan proceeds were utilised and making appropriate provisions to withstand the forecasted impact. Accordingly, the Bank has taken Rs. 2.9 Bn. overlays to reflect potential for any further credit deterioration.

  • Private placement to strengthen the capital

The Bank secured a private placement of USD 50 Mn. to further strengthen the capital through IFC, the World Bank’s investment arm, demonstrating their faith in the future potential of the Bank.

  • Continuous review of the USD liquidity position

The Bank constantly reviewed its USD liquidity position through liquidity gap reports, liquidity ratios, and forecasts. Reliance on FCY SWAPs used by the Bank as a funding tool was reduced towards the fourth quarter of 2020 as the demand for them decreased considerably in line with market movements. The Bank initiated negotiations with international banks for securing funding lines towards meeting any gaps in future commitments, while taking into account growth in FCY deposits secured by having constantly reviewed the rates offered.

  • Managing excess Rupee liquidity

Muted credit growth and inflow of deposits caused the Bank to have excess Rupee liquidity throughout the year. Having analysed the potential movements of interest rate forecasts in coming years, the Bank rebalanced the maturity profile of its government securities portfolio in order to enhance returns.

  • Loan Review Mechanism

The Loan Review Mechanism (LRM) was continuously carried out, ensuring adherence to the regulatory Direction even during the pandemic. This was possible because LRM, which the Bank initially implemented as a physical activity involving visits to the Lending Units/Branches, was gradually transferred to a more digitalised platform in order to reduce physical interactions. The WFH service delivery channel adopted by the Bank during this period also helped the Bank to continue LRM as well as its other services to the Business Units.

  • Appointment of the Chief Information Security Officer (CISO)

In consideration of CBSL directions, the Bank appointed a CISO during the year reporting to the Managing Director / Chief Executive Officer to provide leadership to the Bank’s overall information security function.

  • Continuous process improvements to further strengthen information and cyber security

The Bank implemented several technical solutions and process improvements to address the ever-evolving cyber security threat landscape, especially in the wake of the COVID-19 pandemic and the resulting changes to the working arrangements. These included solutions related to Data Leakage Prevention, Privileged Access Management, Security Information and Event Management, etc. The Bank was cognisant of the increased cyber security risk arising from the rapid rolling out of at-scale WFH solutions, and continuous risk assessments were carried out on the critical processes to ensure that risk levels are maintained at acceptable levels.

  • Development of a Climate Position Statement

The Bank firmly believes that natural resources are finite and need to be used sustainably. Moreover, the Bank has duly identified its role in providing private sector financial support to customers and subsidiaries in mitigating climate change effects through “Climate Financing”. It paved the way to integrate the Climate Change consideration into the Bank’s governance, strategy, risk management, and external reporting requirements under the vast scope of this subject.

As part of this initiative, the Bank has identified the importance of a well-articulated approach to climate change applicable to all the Branches and Departments regardless of their geographic location. Accordingly, the Position Statement on Climate Change 2020/2021 was developed and published, expressing the Bank’s commitment to finance climate change mitigation, adaptation, and environmentally beneficial activities within all main geographic locations where the Bank operates, i.e. Sri Lanka, Bangladesh, the Maldives, and Myanmar.

Other developments and outcomes relating to risk management during the year included:

  • Devised tools to carry out in depth analysis of borrowers affected by the pandemic, enabling evaluation of specific aspects in detail to understand the risks stemming from the exposure to the pandemic.
  • Managed reputational risk through elevated service levels under a constrained environment which included keeping the branches open for the customers, looking after the hygiene factors of all stakeholders, mobilisation of ATMs, facilitation of online on-boarding, and ensuring uninterrupted services to customers by promptly introducing necessary adjustments to the existing BCP/DRP arrangements to match the unprecedented operational changes resulting from the pandemic.
  • The progress of the project initiated for implementing an Early Warning Signals (EWS) framework with a view to further enhance credit quality of the loan book of the Bank was delayed during the first half of the year due to prioritisation of pandemic related activities within the Bank. However, the evaluation of shortlisted products/vendors recommenced towards the latter part of the year considering the importance of having this capability within the Bank in the near future.

    The overall credit risk of the Bank heightened, leading to a deterioration in asset quality as reflected in the gross non-performing loans ratio of 5.11% whilst the net non-performing loans ratio improved to 2.18% as at 31.12.2020 as against 4.95% and 3.00% as at 31.12.2019, a trend that was witnessed across the industry. With the still evolving nature of the pandemic and the uncertainty surrounding it, the Bank is also cognisant of the potential for further deterioration in asset quality and has made additional impairment provisions. Lacklustre economic activities, travel and other restrictions on physical movements and muted credit growth caused the Bank to have excess liquidity throughout the year under review. Relaxation of systems and procedures, alternative workplace arrangements and heavy reliance on digital channels caused operational risk too to undergo changes, but there was no increase in the operational risk profile in terms of events and losses compared to the previous year. Despite the formidable challenges in the operating environment, the Bank was able to successfully maintain its stability, resilience and profitability during the year as evident from the operating results and financial position, as a result of the strategic responses to these developments and the robust risk governance and the rigorous risk management function in place.

Risk appetite and risk profile

The Bank has a well-defined Risk Appetite Statement that articulates the types and degree of risk and the maximum amount of aggregate risk exposure that the Bank is prepared to assume at any given point in time. It is expressed in terms of quantitative parameters for important risk indicators under each risk category for ease of monitoring. It manifests the desired asset quality, maximum market and operational risk losses and minimum capital and liquidity requirements, taking into account the regulatory requirements, strategic focus, ability to withstand losses and stress with the available capital, funding and liquidity positions and the robustness of the risk management framework.

The risk management function periodically reports the overall risk profile of the Bank to the Management and the Board in terms of Key Risk Indicators and a Risk Profile Dashboard. With the help of this information, the risk profile is rigorously monitored on an ongoing basis with the due consideration it deserves and swift remedial action is taken for any deviations, to ensure that the actual risk exposures across all the risk categories are kept within the risk appetite.

With strong capital adequacy and liquidity positions which define the capacity to assume risk, the Bank’s risk profile is characterised by a portfolio of high-quality assets and stable sources of funding fairly diversified in terms of geographies, sectors, products, currencies, size and tenors. The risk profile of the Bank as at December 31, 2020 and December 31, 2019 compared to the risk appetite as defined by the regulatory/Board approved policy parameters is given below.

Risk profile

Table - 33

| Risk category and parameter | Key risk indicator | Policy parameter | Actual position as at December 31, 2020 | Actual position as at December 31, 2019 |
|---|---|---|---|---|
| Credit risk: | | | | |
| Quality of lending portfolio | Gross NPA ratio | 3% – 8% | 5.11% | 4.95% |
| | Net NPA ratio | 2% – 6% | 2.18% | 3.00% |
| | Impairment percentage over total NPA | 40% – 60% | 46.95% | 44.23% |
| | Weighted average rating score of the overall lending portfolios | 35% – 40% | 52.93% | 53.44% |
| Concentration | Loans and advances by product – Highest exposure to be maintained as a percentage of the total loan portfolio | 30% – 40% | 21.72% | 19.73% |
| | Advances by economic sub sector (using HHI-Herfindahl-Hirschman-index) | 0.015 – 0.025 | 0.0145 | 0.0145 |
| | Exposures exceeding 5% of the eligible capital (using HHI) | 0.05 – 0.10 | 0.0057 | 0.0057 |
| | Exposures exceeding 15% of the eligible capital (using HHI) | 0.10 – 0.20 | 0.0055 | 0.0044 |
| | Exposure to any sub sector to be maintained at | 4% – 5% | 4.33% | 3.97% |
| | Aggregate of exposures exceeding 15% of the eligible capital | 20% – 30% | 12.25% | 12.61% |
| Cross border exposure | Rating of the highest exposure of the portfolio on S&P Investment Grade AAA to BBB- | AA | AAA | AAA |
| Market risk: | | | | |
| Interest rate risk | Interest rate shock: (Impact to NII as a result of 100bps parallel rate shock for LKR and 25bps for FCY) | Maximum of Rs. 2,250 Mn. | Rs. 267.12 Mn. | Rs. 932.75 Mn. |
| | Re-pricing gaps (RSA/RSL in each maturity bucket – up to one-year period) | <1.5 Times (other than for the 1 month bucket which is <2.5 Times) | 1.11 Times (1.78 Times for 1 month bucket) | 1.39 Times (2.56 times for 1 month bucket) |
| Liquidity risk | Statutory Liquid Asset Ratio (SLA) for Domestic Banking Unit (DBU) | 20% | 44.99% | 30.42% |
| | Liquidity Coverage Ratio (LCR) for All Currencies | 100% | 258.06% | 224.74% |
| | Net Stable Funding Ratio (NSFR) | 100% | 157.49% | 137.05% |
| Foreign Exchange risk | Exchange rate shocks on Total FCY exposure | Rs. 350 Mn. | Rs. 301.20 Mn. | Rs. 267.68 Mn. |
| Operational risk | Operational loss tolerance limit (as a percentage of last three years average gross income) | 3% – 5% | 0.58% | 0.78% |
| Strategic risk: | | | | |
| Capital adequacy ratios: | CET 1 | Over 11% | 13.217% | 12.298% |
| | Total capital | Over 15% | 16.819% | 16.146% |
| | ROE | Over 20% | 11.28% | 13.54% |
| | Creditworthiness – Fitch Rating | AA(lka) | AA-(lka) | AA(lka) |

(RSA – Rate Sensitive Assets, RSL – Rate Sensitive Liabilities)

Credit ratings

In January 2020 Fitch Ratings Lanka Limited revised the Bank’s rating outlook of its National Long-Term Rating to negative from stable reflecting the challenging operating environment. However, following the recalibration of the agency’s Sri Lankan national rating scale to reflect changes in the relative creditworthiness among Sri Lankan issuers following its downgrade of the sovereign rating to ‘B-’/Negative from ‘B’/Negative in April 2020, the Bank’s Rating was revised upward from AA(lka) to AA+(lka) retaining the outlook at negative in June. Consequent to the downgrade of the sovereign rating by the agency in November 2020 and the recalibration of the agency’s Sri Lankan rating scale again, the Bank’s National Long-Term Rating was downgraded to AA-(lka)/Stable in January 2021.

The Bank’s Bangladesh operations continued to be rated AAA by Credit Rating Information and Services Limited (CRISL), the highest credit rating given to any financial institution in Bangladesh by CRISL. These credit ratings coupled with the high capital and liquidity buffers available in the Bank and the steady and consistent performance even during the pandemic period depict the creditworthiness of the Bank and its conservative risk profile.

Outlook and plans for 2021 and beyond

The Operating Environment provides an analysis of the outlook for the Sri Lankan and the Bangladesh economies and the financial services sectors for 2021 and beyond. With long-term implications of Covid-19 for financial institutions not yet precisely known, deteriorating credit quality and potential for increased impairment losses, and reduced demand for banking products and services, a high degree of uncertainty will continue to prevail in the short to medium term. With further acceleration of digital channels, remote work arrangements with potential disruptions and escalating cyber security threats, non-financial risks will become more pressing. Banking regulations will be further widened and deepened amidst pervasive technological advances and macroeconomic shocks. Recovery and resolution will require heightened attention.

The context of these circumstances necessitates further strengthening of the risk governance and risk management function. Hence, the Bank will continue to make the necessary changes to the mandate, structure, resourcing, competencies, technologies, data analytics, and MIS, etc., thereby aligning business strategies with sound risk management practices and making risk management function more forward looking, value adding and proactive.

Specific initiatives planned for 2021 and beyond will include:

  • Developing systems and processes for data capturing and using predictive tools in preparation for Basel IV proposed to be implemented globally in January 2023.
  • Redefining risk assessment functions to suit digital platforms and using predictive capabilities for non-performing assets.
  • Monitoring risk of competitor activity, entry of Fintechs and telecom giants into the banking industry in particular, and evaluation of feasibility of possible partnerships to leapfrog competition.
  • Completion of implementation of the Early Warning Signals (EWS) framework capable of early detection and mitigation of credit risk to further enhance credit quality.
  • Completion of implementation of Risk Adjusted Return on Capital (RAROC) Framework across the Bank and corporate counterparty levels.
  • Extension of the Social and Environmental Risk Management Framework to the subsidiaries of the Group.
  • Implementation of a climate risk assessment tool with a view to address potential climate related risks by reducing Carbon footprint of banking operations.

With large-scale vaccination campaigns now underway and deemed an effective exit strategy from the pandemic, the latest predictions are that the pandemic should be brought under control in the near future, reviving hopes for a better outlook for 2021 and beyond.

Risk management framework

The Bank has developed an all-encompassing Risk Management Framework (RMF) based on the Three Lines of Defence model, which gives it a structured approach to manage all its risk exposures. It is underpinned by rigorous organisational structures, systems, processes, procedures and industry best practices and takes into account all plausible risks, potential losses, and uncertainties the Bank is exposed to. The Three Lines of Defence model, which is the international standard, enables the Bank to have specific skills and framework for managing risk and guides its day-to-day operations with the optimum balance of responsibilities.

The RMF is subject to an annual review or more frequently if the circumstances so warrant, taking into account changes in the regulatory and operating environments.

Three lines of defence

Figure - 21

Risk Governance

Risk governance is the necessary organisational structure for maintaining a high standard of governance. It enables decisions relating to risks to be taken and implemented for the management and oversight of risk within the risk appetite and the risk tolerance levels and for institutionalising a strong risk culture. It enables the Management to undertake risk taking activities more prudently.

The Board of Directors has established a robust governance structure by leveraging the best practice in corporate governance to risk management. It comprises Board committees, executive functions and executive committees with delegated authority, facilitating accountability for risk at all levels and across all risk types of the Bank and enabling a disciplined approach to managing risk. The organisation of the Bank’s risk governance is given in Figure 22. Since it is highly specialised and also to ensure an integrated and consistent approach, decision-making on risk management is centralised to a greater extent in several risk management committees.

Board of Directors

As the apex governance body, the Board of Directors is responsible for strategy and policy formulation, objective setting and for overseeing executive functions and has the overall responsibility for understanding the risks assumed by the Bank and the Group and for ensuring that they are appropriately managed (refer the profiles of the members of the Board of Directors). Accordingly, the Board determines the risk appetite of the Bank with due regard to achieving its strategic goals and delegates oversight responsibility to Board committees (refer Annual Corporate Governance Report for a list thereof). These Board committees work closely with the executive functions and executive level committees to review and assess the effectiveness of the risk management function and report to the Board on a regular basis. These reports provide a comprehensive perspective of the Bank’s risk profile and risk management efforts and outcomes, enabling the Board to identify the risk exposures, any potential gaps and mitigating actions necessary, on a timely basis. The tone at the top and the corporate culture reinforced by the ethical leadership of the Board plays a key role in managing risk at the Bank.

In addition to the Three Lines of Defence model and the tone at the top, the Bank’s commitment to conduct its business in an ethical manner too plays a significant role in managing risk in the Bank. The Code of Ethics has set out the Bank’s unwavering commitment and expectations of all the employees to undertaking business in a responsible, transparent and disciplined manner and demands the highest level of honesty, integrity and accountability from all employees.

In view of the potential for financial losses and reputational risk and also as required by regulatory authorities, the Board of Directors closely monitors the risk profile of all the subsidiaries in the Group apart from that of the Bank (refer Note 1 for the list of subsidiaries).

Board committees

The Board has set up the following four Board committees to assist it in discharging its oversight responsibilities for risk management and for ensuring adequacy and effectiveness of internal control systems.

  • Board Audit Committee (BAC)
  • Board Integrated Risk Management Committee (BIRMC)
  • Board Credit Committee (BCC)
  • Board Strategy Development Committee (BSDC)

These committees periodically review and make recommendations to the Board on risk appetite, risk profile, strategy, risk management and internal controls framework, risk policies, limits and delegated authority.

Details relating to composition, terms of reference, authority, meetings held and attendance, activities undertaken during the year, etc., of each of these Board committees are given in the respective committee reports in the section on Board Committee Reports.

Executive committees

Executive Management is responsible for the execution of the strategies and plans in accordance with the mandate of the Board of Directors while maintaining the risk profile within the approved risk appetite. Executive Integrated Risk Management Committee (EIRMC) comprises members from units responsible for credit risk, market risk, liquidity risk, social and environmental risk, operational risk and IT risk. Spearheaded by the EIRMC, the following committees have been set up on specific aspects of risk to facilitate risk management across the First and the Second Lines of Defence.

  • Asset and Liability Committee (ALCO)
  • Credit Policy Committee (CPC)
  • Executive Committee on Monitoring Non-Performing Advances (ECMN)
  • Information Security Council (ISC)
  • Business Continuity Management Steering Committee (BCMSC)

EIRMC coordinates communication with the BIRMC to ensure that risk is managed within the risk appetite. In addition, the Chief Risk Officer reports directly to the BIRMC. Details relating to composition of the executive committees are given in the section on “Annual Corporate Governance Report”.

The Chief Risk Officer, head of the Integrated Risk Management Department (IRMD), participates in the executive committees listed above as well as in BIRMC, BCC and BAC meetings. It is the responsibility of the IRMD to independently monitor compliance of the First Line of Defence with the laid down policies, procedures and limits and escalate deviations to the relevant executive committees. It also provides the perspective on all types of risk for the above committees to carry out independent risk evaluations and share their findings with the Line Managers and the Senior Management, enabling effective communication of material issues and to initiate deliberations and necessary action.

Risk governance structure

Figure - 22

Risk Management

Risk management is the functional responsibility for identifying, assessing and mitigating risks, finding risk mitigation methods, monitoring early warning signs, forecasting potential for future losses and implementing plans to contain losses/risk transfer. The risk management framework depicted in Figure 23 enables development and implementation of strategies, policies and procedures to manage risks, taking into account the strategic focus as defined in the Corporate Plan and the risk appetite.

The Bank has made significant investments to develop and maintain up-to-date infrastructure required in terms of both human and physical resources to strengthen detection and management of risks, including mandates, policies and procedures, limits, software, databases, expertise, communication, etc. and to adopt international best practices. Since risk management is a responsibility of each and every employee of the Bank and they need to clearly understand the risks the Bank is exposed to, IRMD provides ongoing training/awareness to the employees, risk owners in particular, disseminating knowledge and enhancing their skills on all aspects related to risk, inculcating the desired risk culture.

Policies, procedures and limits

The Bank has a suite of comprehensive risk management policies encompassing all the risks managed by the Bank to provide guidance to the business and support units for managing risks and for also ensuring compliance with the regulatory requirements including the Banking Act Direction No. 07 of 2011 – Integrated Risk Management Framework for Licensed Commercial Banks based on the Basel Framework and subsequent directives issued by the CBSL. While institutionalising the risk knowledge base, this helps to minimise bias and subjectivity in risk decisions. These policy documents define the objectives, priorities and processes as well as the roles of the Board and the Management in managing risk and shape the risk culture of the Bank. The Risk Assessment Statement (RAS) sets out the risk limits and forms an integral part of the risk management framework. The RAS and all risk policies are reviewed by the BIRMC and the Board of Directors annually or more frequently, depending on the regulatory and business needs.

The Bank has taken into account the regulatory requirements of the respective countries where the Bank conducts its operations. The Bank’s overall risk exposure including its overseas operations is compliant with the regulatory framework of the CBSL.

The Bank has issued comprehensive operational guidelines to facilitate implementation of the risk management policies and the limits specified in the RAS. These guidelines detail types of facilities, processes and terms and conditions under which the Bank conducts business, providing clarity to the employees in their day-to-day work.

Risk management framework

Figure - 23

Risk management tools

The Bank employs a combination of qualitative and quantitative tools to identify, measure, manage and report risks. Selection of the appropriate tool(s) for managing a particular risk depends on the likelihood of occurrence and the impact of the risk as well as the availability of data. These tools include early warning signals, threat analysis, risk policies, risk registers, risk maps, risk dashboards, RCSA, ICAAP, diversification, covenants, Social and Environmental Management System, workflow-based operational risk management system, Information Security Management System, insurance and benchmarking to limits, gap analysis, NPV analysis, swaps, caps and floors, hedging, risk rating, risk scoring, risk modelling, Duration, scenario analysis, marking to market, stress testing, VaR analysis etc.

Summary of key risks

Figure - 24

Types of risks

The Bank is exposed to financial, non-financial and strategic risks. Financial and non-financial risks can be broadly categorised into credit, market, liquidity, operational, reputational, IT, strategic and legal risks. All these risks taken together determine the risk profile of the Bank. Having a robust risk management framework in place enables the Bank to manage these risks prudently. Various external developments and internal factors may affect the risk profile on an ongoing basis.

External developments include:

  • The pandemic situation
  • Movements in macroeconomic variables
  • Sovereign risk destabilising financial markets
  • Political instability
  • Demographic changes
  • Changes in Government fiscal and monetary policies
  • Technological advances
  • Regulatory developments
  • Mounting stakeholder pressures
  • Competitor activities
  • Unsubstantiated information being circulated in social media
  • Decline in property market valuations giving rise to higher losses on defaulting loans
  • Unfounded public perceptions that banks are exploiting customers
  • Supply chain disruptions
  • Downgrading of ratings of the Bank and
  • Growing sustainability concerns

Besides limited physical movements of people and global trade due to the pandemic, the aforesaid developments could impact public perceptions, disposable income of people, demand for banking products and services, funding mix, interest margins and tax liabilities of the Bank.

Internal factors include:

  • Strategic misalignments
  • Lapses in implementing the risk management framework
  • Improper alignment of remuneration to performance and risk
  • Issues relating to third party products sold in the Bank premises
  • Incorrect advice offered to customers
  • Inaccurate predictions of macroeconomic variables
  • Execution gaps in internal processes
  • Lack of industrial harmony
  • Critical accounting judgements and estimates turning to be inaccurate
  • Poor data quality adversely affecting business and operational decisions and
  • Subsidiaries and associates not performing up to expectations of the Bank

These factors, if not properly managed, may affect the risk profile of the Bank, reputational risk included, hampering the objective of sustainable value creation for all its stakeholders.

Furthermore, the operating environment has been made much more complex and unpredictable by some potentially disruptive emerging threats and uncertainties, resulting in some of the long-standing assumptions about markets, competition and even business fundamentals being less true today. These call for the Bank to better understand its stakeholders and meet their expectations with excellence in execution in internal processes. The Bank deals with these developments through appropriate strategic responses, believing that these provide opportunities to differentiate its value proposition for future growth. A summary of key risks is given in Figure 24.

These developments are making the operating environment more complex, dynamic and competitive day by day and risk management very challenging. The effective management of these risks and uncertainties is nevertheless a sine qua non to the implementation of the Bank’s strategy for value creation for all its stakeholders. Consequently, deliberations on risk management were on top of the agenda in all Board, Board Committee and Executive Committee meetings of the Bank.

A description of the different types of risks managed by the risk management function of the Bank and risk mitigation measures adopted are given below.

Credit risk

Credit risk is the potential for loss arising from the failure of a customer/borrower or a counterparty to honour its financial or contractual obligations to the Bank. The Bank is primarily exposed to credit risk from direct lending activities as well as from commitments and contingencies. The total credit risk of the Bank constitutes counterparty risk, concentration risk and settlement risk.

Maximum credit risk exposure

Table - 34

As at December 31, 2020

| | Rs. Mn. | % |
|---|---|---|
| Net carrying amount of credit exposure: | | |
| Cash and cash equivalents | 50,250 | 2.1 |
| Placements with central banks and other banks (excluding reserves) | 110,344 | 4.7 |
| Financial assets at amortised cost – Loans and advances to banks | 779 | 0.0 |
| Financial assets at amortised cost – Loans and advances to other customers | 896,845 | 38.1 |
| Financial assets at amortised cost – Debt and other financial instruments | 292,727 | 12.5 |
| Financial assets measured at fair value through other comprehensive income | 278,461 | 11.8 |
| Total (a) | 1,629,406 | |
| Off-balance sheet maximum exposure: | | |
| Lending commitments | 129,571 | 5.5 |
| Contingencies | 596,004 | 25.3 |
| Total (b) | 725,575 | |
| Total of maximum credit exposure (a + b) | 2,354,981 | 100.0 |
| Gross carrying amount of loans and advances to other customers | 947,842 | |
| Stage 3 (credit impaired) loans and advances to other customers | 102,575 | |
| Impaired loans as a % of gross loans and advances to other customers | | 10.8 |
| Allowance for impairment – loans and advances to other customers | 50,996 | |
| Allowance for impairment as a % of gross loans and advances to other customers | | 5.4 |
| Impairment charge – loans and advances to other customers | 17,865 | |

The maximum credit exposure of the Bank of Rs. 2,355.0 Bn. as at December 31, 2020 has grown by 28% compared to the previous year’s figure of Rs. 1,839.5 Bn., largely due to parking of excess liquidity in other financial assets due to muted credit growth and moratoria extended to the borrowers in a very challenging economic environment that prevailed in the country.

According to the SLFRS 9 classification, the credit impaired (Stage 3) loans to customers stood at Rs. 102.5 Bn. (Rs. 96.6 Bn. in 2019) which is 10.8% (10.5% in 2019) of the gross loans and advances to other customers portfolio of the Bank.

Further, the increasing trend experienced in loans and advances to other customers getting classified as impaired has resulted in a cumulative impairment allowance of Rs. 50.9 Bn. (Rs. 35.8 Bn. in 2019) and an impairment charge of Rs. 17.8 Bn. (Rs. 10.0 Bn. in 2019) for the year under review.

Managing credit risk

The lending portfolio accounts for 52% of total assets and credit risk accounts for over 90% of the risk-weighted assets. Hence, the critical importance of prudently managing credit risk to the Bank’s sustainability cannot be overemphasised. In the circumstances, we endeavour to manage credit risk going beyond mere regulatory compliance in order to enhance value. It is managed through the Board approved credit risk management framework which comprises a robust risk governance structure and a comprehensive suite of risk management processes, which, among others, include policies and procedures, risk ratings, risk review mechanism, collateral management and valuation, segregation of credit risk management functions, social and environmental risk management, independent verification of risk assessments, credit risk monitoring, post disbursement review, providing direction to business line managers, dissemination of credit risk related knowledge and sharing information with internal audit.

Review of credit risk

The challenging operating environment following the Easter Sunday attack further deteriorated due to the COVID-19 pandemic related lockdowns, travel restrictions, supply chain disruptions, import restrictions and drop in exports. The consequent drop in economic activities and the resulting loss of employment and disposable incomes led to a heightening of credit risk and a drop in asset quality across the financial services industry during the year, despite the numerous incentives offered by the Government to support businesses and individuals affected by the pandemic. The Bank too experienced this impact, but NPL ratios remained within the established policy parameters by the year end (refer risk profile in Table 33). Continuous follow up of facilities that were subjected to moratoriums, recovery initiatives such as offering incentives, and elevated levels of attention given to loan approvals and post-sanction monitoring and recovery efforts, together with planned implementation of early identification of stressed borrowers through EWS, will assist the Bank to gradually bring down these ratios in 2021 and minimise potential credit risk.

In addition to the effective credit risk management framework referred to above, which guides the Bank when on-boarding new exposures and monitoring existing exposures and makes an enormous contribution to maintaining the quality of the loan book, the Bank is vigilant and exercises caution when choosing the customers, products, segments and geographies it serves. Continuous monitoring of age analysis and the underlying movement of past due loans through arrears buckets enabled the Bank to swiftly take action, thereby moderating default risk during the year.

Concentration risk

It is through strategically diversifying the business across industry sectors, products, counterparties and geographies that the Bank manages concentration risk. The Bank’s RAS defines the limits for these segments and to ensure compliance, the Board, BIRMC, EIRMC and the CPC monitor these exposures. They also make suggestions and recommendations on modifications to defined limits based on the trends and developments shaping the business environment.

The distribution of stage 3 credit impaired loans and advances to other customers in terms of identified industry sectors as at year end is given in Table 35.

Graph 15 indicates that the tenor-wise breakdown of the portfolio of total loans and advances to other customers is within the risk appetite of the Bank.

Distribution of stage 3 credit impaired loans and advances to other customers as at December 31, 2020

Table - 35

| Industry Category | Stage 3 Loans and Advances (Rs. ’000) | for Individual (Rs. ’000) | for Collective (Rs. ’000) | ECL Allowance (Rs. ’000) | (Rs. ’000) |
|---|---|---|---|---|---|
| Agriculture, forestry and fishing | 11,658,180 | 925,407 | 3,154,672 | 4,080,079 | 107,728 |
| Arts, entertainment and recreation | 282,039 | 9,962 | 50,376 | 60,338 | 63 |
| Construction | 7,052,936 | 3,206,972 | 1,373,811 | 4,580,783 | 71,041 |
| Consumption and others | 11,890,683 | 926,101 | 4,492,966 | 5,419,067 | 983,946 |
| Education | 341,000 | 367 | 114,732 | 115,099 | 19,037 |
| Financial services | 388,593 | 221 | 131,834 | 132,055 | 28 |
| Health care, social services and support services | 1,172,622 | 6,319 | 337,053 | 343,372 | 5,884 |
| Information technology and communication services | 1,796,746 | 3,305 | 287,848 | 291,153 | 2,210 |
| Infrastructure development | 3,063,165 | 159,252 | 288,633 | 447,885 | |
| Lending to overseas entities | 1,599,311 | 151,572 | 241,416 | 392,988 | |
| Manufacturing | 21,717,503 | 1,933,890 | 5,062,633 | 6,996,523 | 204,462 |
| Professional, scientific and technical activities | 512,312 | 2,104 | 189,685 | 191,789 | 6,430 |
| Tourism | 18,800,368 | 783,849 | 1,584,364 | 2,368,213 | 7,650 |
| Transportation and storage | 3,393,427 | 997,745 | 392,002 | 1,389,747 | 5,737 |
| Wholesale and retail trade | 18,906,548 | 1,038,318 | 4,433,730 | 5,472,048 | 63,252 |
| Total | 102,575,433 | 10,145,384 | 22,135,755 | 32,281,139 | 1,477,468 |

It is due to economic activities being heavily concentrated in the Western province and the headquarters of most borrowing entities being located there, that a geographical analysis (Graph 16) reflects a high concentration of loans and advances to other customers in the province.

Product-wise analysis of the lending portfolio (Graph 17) too reveals the efficacy of the Bank’s credit policies with risk being diversified across a range of credit products.

The relatively high exposure of 42% to long-term loans is rigorously monitored and mitigated with collateral.

90% – Distribution of exposure country rating-wise: Exposure to countries which are rated AAA to BBB- (S&P or equivalent) accounted for 90% of the total cross-border exposure of the Bank.

73.9% – Distribution of exposure borrower rating-wise: Borrowers with Investment Grade Rating, where default risk is considered to be very low, comprised 73.9% of the total loans and advances to other customers.

Counterparty risk

The Bank manages counterparty risk through the laid down policies/procedures and limit structures including single borrower limits and group exposure limits with sub-limits for products etc. The Bank has set limits far more stringent than those stipulated by the regulator, providing it a greater leeway in managing concentration levels with regard to the counterparty exposures.

A major component of counterparty risk is in relation to loans and receivables to banks, both local and foreign. A specific set of policies, procedures and a limit structure are in place to monitor it. Whilst market information on the financial/economic performance of these counterparties is subject to a rigorous scrutiny throughout the year, the counterparty bank exposures are monitored against the established prudent limits at frequent intervals and the limits are revised to reflect the latest information where deemed necessary.

The analysis uses Fitch Ratings for local banks in Sri Lanka and Credit Ratings Agency in Bangladesh (CRAB) ratings for local banks in Bangladesh (Equivalent CRISL/Alpha ratings are used where CRAB ratings are not available). Exposures for local banks in Sri Lanka rated AAA to A category stood at 96% (Graph 18) whilst 100% of exposure of local banks in Bangladesh consisted of AAA to A rated counterparty banks (Graph 19).



Cross-border risk

It is the risk that the Bank will not be able to secure payment from its customers or third parties on their contractual obligations due to certain actions taken by foreign governments, mainly relating to convertibility and transferability of foreign currency. Assets exposed to cross-border risk comprise loans and advances, interest-bearing deposits with other banks, trade and other bills and acceptances and those predominantly relating to short-term money market activities.

Limit structures in place, continuous monitoring of macroeconomic and market developments of the countries with exposure to counterparties and stringent evaluation of counterparties and maintaining frequent dialogue with them help minimise risk arising from over concentration to cross-borders. Timely action is taken to suspend/revise limits to countries with adverse economic/political developments.

The Bank’s total cross-border exposure is only 6% of its total assets (Graph 21). The Bank has cross-border exposures to a spread of countries which primarily include India, the Maldives, Singapore, USA, Denmark, Bangladesh, etc.


Market risk

Market risk is the risk of loss arising from movements in market driven variables such as interest rates, exchange rates, commodity prices, equity and debt prices and their correlations against the expectations the Bank had at the time of making decisions. The Bank’s operations are exposed to these variables and correlations in varying magnitudes.

Market risk categories

Table - 36

| Major market risk category | Risk components | Description | Tools to monitor | Severity | Impact | Exposure |
|---|---|---|---|---|---|---|
| Interest rate | | Risk of loss arising from movements or volatility in interest rates | | | | |
| | Re-pricing | Differences in amounts of interest earning assets and interest-bearing liabilities getting re-priced at the same time or due to timing differences in the fixed rate maturities and appropriately re-pricing of floating rate assets, liabilities and off-balance sheet instruments | Re-pricing gap limits and interest rate sensitivity limits | High | Medium | High |
| | Yield curve | Unanticipated changes in shape and gradient of the yield curve | Rate shocks and reports | High | High | High |
| | Basis | Differences in the relative movements of rate indices which are used for pricing instruments with similar characteristics | Rate shocks and reports | High | Medium | Medium |
| Foreign exchange | | Possible impact on earnings or capital arising from movements in exchange rates arising out of maturity mismatches in foreign currency positions other than those denominated in base currency, Sri Lankan Rupee (LKR) | Risk tolerance limits for individual currency exposures as well as aggregate exposures within regulatory limits for NOP | High | Medium | Medium |
| Equity | | Possible loss arising from changes in prices and volatilities of individual equities | Mark-to-market calculations are carried out daily for Fair Value Through Profit and Loss (FVTPL) and Fair Value Through Other Comprehensive Income (FVOCI) portfolios | Low | Low | Negligible |
| Commodity | | Exposures to changes in prices and volatilities of individual commodities | Mark to market calculations | Low | Low | Negligible |

Managing market risk

Market risk is managed through the market risk management framework approved by the Board, which comprises a robust risk governance structure and a comprehensive suite of risk management processes which include policies, market risk limits, Management Action Triggers (MATs), risk monitoring and risk assessment.

Review of market risk

Market risk arises mainly from the Non-Trading Portfolio (Banking Book) which accounted for 92.75% of the total assets and 93.50% of the total liabilities as at December 31, 2020. Exposure to market risk arises mainly from IRR and FX risk as the Bank has negligible exposure to commodity related price risk and equity and debt price risk which was less than 10% of the total risk weighted exposure for market risk.

The Bank’s exposure to market risk, analysed by Trading Book and Non-Trading Portfolios (or Banking Book), is set out in Note 68.3.1.

Market risk portfolio analysis

The gap report is prepared by stratifying Rate Sensitive Assets (RSA) and Rate Sensitive Liabilities (RSL) into various time bands according to maturity (if they are fixed rates) or time remaining to their next re-pricing (if they are floating rates). Balances of savings deposits are distributed in line with the findings of a behavioural analysis conducted by the Bank. Vulnerability of the Bank to interest rate volatility is indicated by the gap between RSA and RSL (refer Table 37).

Interest rate sensitivity gap analysis of assets and liabilities of the Banking Book as at December 31, 2020 – Bank

Table - 37

| Description | Up to 3 Months (Rs. ’000) | 3-12 months (Rs. ’000) | 1-3 years (Rs. ’000) | 3-5 years (Rs. ’000) | More than 5 years (Rs. ’000) | Non-sensitive (Rs. ’000) | Total as at (Rs. ’000) |
|---|---|---|---|---|---|---|---|
| Total financial assets | 624,694,736 | 249,419,975 | 319,110,455 | 204,137,823 | 156,054,359 | 92,557,459 | 1,645,974,807 |
| Total financial liabilities | 562,661,711 | 549,185,169 | 111,889,666 | 57,145,938 | 172,692,251 | 84,083,172 | 1,537,657,907 |
| Period gap | 62,033,025 | (299,765,194) | 207,220,789 | 146,991,885 | (16,637,892) | 8,474,287 | 108,316,900 |
| Cumulative gap | 62,033,025 | (237,732,169) | (30,511,380) | 116,480,505 | 99,842,613 | 108,316,900 | |
| RSA/RSL | 1.11 | 0.45 | 2.85 | 3.57 | 0.90 | | |

Interest rate risk (IRR)

Extreme movements in interest rates expose the Bank to fluctuations in Net Interest Income (NII) and have the potential to impact the underlying value of interest-earning assets and interest-bearing liabilities and off-balance sheet items. The main types of IRR to which the Bank is exposed are re-pricing risk, yield curve risk and basis risk.

Sensitivity of projected NII

Regular stress tests are carried out on Interest Rate Risk in Banking Book (IRRBB) encompassing changing positions and new economic variables together with systemic and specific stress scenarios. Change in value of the Fixed Income Securities (FIS) portfolio in FVTPL and FVOCI categories due to abnormal market movements is measured using both Economic Value of Equity (EVE) and Earnings At Risk (EAR) perspectives. Results of stress tests on IRR are analysed to identify the impact of such scenarios on the Bank’s profitability and capital.

Impact on NII due to rate shocks on LKR and FCY is continuously monitored to ascertain the Bank’s vulnerability to sudden interest rate movements (refer Table 38).

Sensitivity of NII to rate shocks

Table - 38

| | 2020: Parallel increase (Rs. ’000) | 2020: Parallel decrease (Rs. ’000) | 2019: Parallel increase (Rs. ’000) | 2019: Parallel decrease (Rs. ’000) |
|---|---|---|---|---|
| As at December 31, | 267,122 | (132,005) | 932,750 | (911,553) |
| Average for the year | 708,924 | (648,050) | 1,425,767 | (1,413,235) |
| Maximum for the year | 1,060,589 | (1,040,835) | 1,646,844 | (1,643,315) |
| Minimum for the year | 249,878 | (132,005) | 932,750 | (911,553) |

Foreign exchange risk

Stringent risk tolerance limits for individual currency exposures as well as aggregate exposures within the regulatory limits ensure that potential losses arising out of fluctuations in FX rates are minimised and maintained within the Bank’s risk appetite.

The USD/LKR exchange rate depreciated by 2.84% (Source: CBSL) during the year under review.

Please refer to Note 68.3.3 – Exposure to currency risk - non trading portfolio.

Stress testing is conducted on NOP by applying rate shocks ranging from 2% to 15% in order to estimate the impact on profitability and capital adequacy of the Bank (refer Table 42). The impact of a 1% change in exchange rate on the foreign currency position indicated a loss of Rs. 301.20 Mn. on the positions as at December 31, 2020 (refer Graph 40).

Equity price risk

Although the Bank’s exposure to equity price risk is negligible, mark to market calculations are conducted daily on FVTPL and FVOCI portfolios. The Bank has also calculated VaR on equity portfolio. Note 68.3.4 summarises the impact of a shock of 10% on equity price on profit, other comprehensive income (OCI) and equity.

Commodity price risk

The Bank has a negligible exposure to commodity price risk which is limited to the extent of the fluctuations in Gold price on the pawning portfolio.

Liquidity risk

Liquidity risk is the Bank’s inability to meet “on” or “off” balance sheet contractual and contingent financial obligations as they fall due, without incurring unacceptable losses.

Banks are vulnerable to liquidity and solvency problems arising from mismatches in maturities of assets and liabilities. Consequently, the primary objective of liquidity risk management is to assess and ensure availability of funds required to meet obligations at appropriate times, both under normal and stressed conditions.

Liquid asset ratios as at December 31, 2020 are given below:

Liquid asset ratios

Table - 39

| | | |
|---|---|---|
| Statutory Liquid Assets Ratio (SLAR) | | |
| DBU | 44.99 | 30.42 |
| OBC | 32.70 | 25.25 |
| Liquidity Coverage Ratio (LCR) | | |
| Rupee | 330.84 | 158.79 |
| All Currencies | 258.06 | 224.74 |
| Net Stable Funding Ratio (NSFR) | 157.49 | 137.05 |

Managing liquidity risk

The Bank manages liquidity risk through policies and procedures, measurement approaches, mitigation measures, stress testing methodologies and contingency funding arrangements. As experienced across the industry, poor credit growth caused the Bank to have an excess liquidity situation throughout the year, as can be seen by the ratios given in Table 40. It was a challenge for the Bank to manage such excess liquidity to generate an optimum return. A major portion of the excess liquidity had to be invested in Government securities, denominated in both LKR and USD, at optimum yields to minimise adverse effects on profitability.

Liquidity risk review

The net loans to deposits ratio is regularly monitored by the ALCO to ensure that the asset and liability portfolios of the Bank are geared to maintain a healthy liquidity position. NSFR indicating stability of funding sources compared to loans and advances granted was maintained well above the policy threshold of 100%, which is considered healthy to support the Bank’s business model and growth.

The key ratios used for measuring liquidity under the stock approach are given in Table 40 below:

Table - 40

| Liquidity ratios % | As at December 31, | As at December 31, |
|---|---|---|
| Loans to customer deposits | 0.75 | 0.87 |
| Net loans to total assets | 0.52 | 0.64 |
| Liquid assets to short-term liabilities | 0.60 | 0.48 |
| Purchased funds to total assets | 0.23 | 0.21 |
| (Large liabilities – Temporary Investments) to (Earning assets – Temporary Investments) | 0.18 | 0.18 |
| Commitment to total loans | 0.24 | 0.19 |

Maturity gap analysis

Maturity gap analysis of assets and liabilities of the Bank as at December 31, 2020 is given in Note 68.2.2 (a) to the Financial Statements.

Maturity analysis of financial assets and liabilities of the Bank indicates sufficient funding for foreseeable adverse situations based on prescribed behavioural patterns observed.

Maturity analysis of financial assets and financial liabilities of the Bank does not indicate any adverse situation when due cognisance is given to the fact that cash outflows include savings deposits which can be considered as a quasi-stable source of funds based on historical behavioural patterns of such depositors as explained below.

Behavioural analysis on savings accounts

In the absence of a contractual agreement about maturity, savings deposits are treated as non-maturing demand deposits. There is no exact re-pricing frequency for the product and the Bank resets the rate offered on these deposits based on re-pricing gap, liquidity and profitability etc. Since there is no exact re-pricing frequency and the product is not sensitive to market interest rates, segregation of savings products among the predefined maturity buckets in the maturity gap report is done based on the regular simulations carried out by the Bank in line with a behavioural study.

The liquidity position is measured in all major currencies at both individual and aggregate levels to ensure that potential risks are within specified threshold limits. Additionally, potential liquidity commitments resulting from loan disbursements and undrawn overdrafts are also monitored to ensure sufficient funding sources.

Funding diversification by product

The Bank’s primary sources of funding are deposits from customers and other borrowings. Graph 22 provides a product-wise analysis of the Bank’s funding diversification as at end of 2020 and 2019.

Operational risk

Operational risk is the risk of losses stemming from inadequate or failed internal processes, people and systems, or from external events such as natural disasters, social or political events. It is inherent in all banking products and processes and the Bank’s objective is to control it in a cost-effective manner. Operational risk includes legal risk but excludes strategic and reputational risk.

Managing operational risk

The Bank manages operational risk through policies, risk assessment, risk mitigation including insurance coverage, procedures relating to outsourcing of business activities, managing technology risk, a comprehensive Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP), creating a culture of risk awareness across the Bank, stress testing and monitoring and reporting.

Policies and procedures relating to outsourcing of business activities of the Bank ensure that all significant risks arising from outsourcing arrangements of the Bank are identified and effectively managed on a continuous basis. Details of all outsourced functions are reported to the CBSL annually. Due diligence tests on outsourced vendors are carried out by respective risk owners prior to executing new agreements and renewal of existing agreements. Further, bi-annual review meetings are conducted with key IT service providers to monitor service performance levels and to verify adherence to the agreements.

Business continuity management

Business Continuity Management (BCM) framework of the Bank encompasses business continuity, disaster recovery, crisis management, incident management, emergency management and contingency planning activities. These activities ensure that the Bank is committed to serve its customers, employees, shareholders and suppliers with minimum business interruptions in the event of an unforeseen disruption to its business activities arising from man-made, natural or technical disasters.

The scope of the BCM includes programme initiation and management, risk evaluation and business impact analysis, developing business continuity strategies, emergency preparedness and response, developing and implementing business continuity plans, awareness building and training, business continuity plan exercise, audit and maintenance, crisis communications and coordination with external agencies.

In 2018, the BCP of the Bank was revamped in line with industry best practices in consultation with an external BCP expert. IT Disaster Recovery Plan, which is a key component of BCP was also reviewed and approved by the Board of Directors. IT system recovery capabilities of core banking and other critical systems of the Bank have been further strengthened by way of introducing a secondary high-availability set-up leading to improved redundancy.

Due to the second wave of the pandemic, the Bank was compelled to postpone the scheduled BCP exercise for 2020 to the second quarter of 2021, with the approval of the CBSL.

Review of operational risk

The Bank has a low appetite for operational risks and has established tolerance levels for all types of material operational risk losses based on historical loss data, budgets and forecasts, performance of the Bank, existing systems and controls governing Bank operations etc. The following thresholds have been established based on audited financial statements for monitoring purposes:

  • Alert level – 3% of the average gross income for the past three years
  • Maximum level – 5% of the average gross income for the past three years

Operational losses for the financial year 2020 were below the internal alert level at 0.58% (of average audited gross income for the past three years). The Bank has been consistently maintaining operational losses below the alert level for the past ten years, reflecting the “tone at the top”, effectiveness of the governance structures and the rigour of processes and procedures in place to manage operational risk.

Graph 23 analyses the operational risk losses incurred by the Bank in 2020 under each business line/category.

When analysing the losses incurred during 2020 under the Basel II defined business lines, it is evident that the majority (89%) of losses with financial impact fall under the business line of “Retail Banking”, followed by the losses reported under the “Payment and Settlement” business line (11%). Losses relating to other business lines remain negligible.

Graphs 24 and 25 depict the comparison of operational losses reported during 2020 and 2019 under each Basel II loss event type, both in terms of number of occurrences and value.




As is typical with operational risk losses, the majority of the losses encountered by the Bank during 2020 consisted of high frequency/low financial impact events mainly falling under the loss category Execution, Delivery and Process Management. These low value events are mainly related to cash and ATM operations of the Bank’s service delivery network consisting of over 1,000 points across Sri Lanka and Bangladesh. Individual events with monetary values less than Rs.100,000 accounted for more than 93% of the total loss events for the year. Also, the number of loss events for the year when compared to the number of transactions performed during the year stands at a mere 0.0036%.

When considering the values of the losses incurred by the Bank during the year, they can mainly be categorised under Execution, Delivery and Process Management, Business Disruption and System Failures and External Frauds. The losses for the year were primarily driven by a limited number of events in these three categories, the majority of which the Bank managed to resolve through subsequent recovery/rectification with minimum financial impact to the Bank. Further, necessary process improvements and system changes have been introduced to prevent recurrence. Capital allocation pertaining to operational risk for 2020 under the Alternative Standardised Approach as per Basel III is Rs. 6.9 Bn., whereas the net loss after discounting the subsequent recoveries amounts to a mere 0.83% of this capital allocation. This trend of exceptionally low levels of operational risk losses of the Bank bears testimony to the effectiveness of the Bank’s operational risk management framework and the internal control environment.

IT risk

IT risk is the business risk associated with use, ownership, operation, involvement, influence and adoption of IT within an organisation. It is a major component of operational risk comprising IT-related events such as system interruptions/failures, errors, frauds through system manipulations, cyberattacks, obsolescence in applications, falling behind competitors concerning the technology, etc., that could potentially affect the whole business. Given the uncertainty with regard to frequency and magnitude, managing IT risk poses challenges. Hence, the Bank has accorded top priority to addressing IT risk, giving more focus to cyber security strategies and continually investing in improving the cyber security capabilities. The Bank’s cyber security strategy is focused on securely enabling new technology and business initiatives while maintaining a persistent focus on protecting the Bank and its customers from cyber threats.

The IT Risk Unit of the IRMD is responsible for implementing the IT risk management framework for the Bank, ensuring that the appropriate governance framework, policies, processes and technical capabilities are in place to manage all significant IT risks. The IT Risk Management Policy, aligned with the Operational Risk Management Policy, complements the Information Security Policy, and the related processes, objectives and procedures relevant for managing risk and improving information security of the Bank.

RCSA is used as one of the core mechanisms for IT risk identification and assessment, while the IT Risk Unit carries out independent IT risk reviews in line with the established structure of the operational risk management process. Results of these independent IT risk assessments together with audit findings, analysis of information security incidents, internal and external loss data are also employed for IT risk identification and assessment purposes.

IT risk mitigation involves prioritising, evaluating and implementing the appropriate risk-reducing controls or risk treatment techniques recommended from the risk identification and assessment process. The Bank has a multi-layered approach of building controls into each layer of technology, including data, applications, devices, network, etc. This ensures robust end-to-end protection, while enhancing the cyber threat detection, prevention, response and recovery controls. The Bank is certified under the globally accepted, de-facto standard for Information Security Management System (ISMS) – ISO/IEC 27001:2013 and Payment Card Industry Data Security Standard (PCI DSS), both focusing on ensuring Confidentiality, Integrity and Availability of data/information. The ISMS is independently validated on an annual basis by the ISO 27001 ISMS external auditors and Qualified Security Assessors of the PCI Council.

The Bank has continued to invest in information security, by enhancing information security governance in line with the CBSL directions and intensifying focus on information and cyber security with the Baseline Security Standard (BSS) being rolled out across the branch network and in the Head Office. Initiatives taken in this regard are given under Key Developments in 2020 of this report.

Given that risk management relies heavily on an effective monitoring mechanism, the IT Risk Unit carries out continuous, independent monitoring of the Bank’s IT risk profile using a range of tools and techniques including Key IT Risk Indicators (KIRIs).

Legal risk

Legal risk is an integral part of operational risk and is defined as the exposure to the adverse effects arising from inaccurately drawn up contracts, their execution, the absence of written agreements or inadequate agreements. It includes, but is not limited to, exposure to reprimanding, fines, penalties, or punitive damages resulting from supervisory actions, as well as cost of private settlements.

The Bank manages legal risk by ensuring that applicable regulations are fully taken into consideration in all relations and contracts with individuals and institutions who maintain business relationships with the Bank, supported by required documentation. Potential risk of any rules and regulations being breached is managed by the establishment and operation of an effective system for verifying conformity of operations with relevant regulations.

Compliance and regulatory risk

Compliance and regulatory risk refers to the potential risk to the Bank resulting from non-compliance with applicable laws, rules and regulations and codes of conduct and could result in regulatory fines, financial losses, disruptions to business activities and reputational damage. A compliance function reporting directly to the Board of Directors is in place to assess the Bank’s compliance with external and internal regulations on an ongoing basis. A comprehensive compliance policy defines how this risk is identified, monitored and managed by the Bank in a structured manner. The Bank’s culture and the Code of Ethics too play a key role in managing this risk.

Strategic risk

Strategic risk is related to strategic decisions and may manifest in the Bank not being able to keep up with the evolving market dynamics, resulting in loss of market share and failure to achieve strategic goals. Corporate planning and budgeting process and critical evaluation of their alignment with the Bank’s vision, mission and the risk appetite facilitate management of strategic risk. The detailed scorecard-based qualitative model aligned to ICAAP is used to measure and monitor strategic risk of the Bank. This scorecard-based approach takes a number of variables into account, including the size and sophistication of the Bank, the nature and complexity of its operations and highlights the areas that require focus to mitigate potential strategic risks.

Reputational risk

Reputational risk is the risk of adverse impact on earnings, assets and liabilities or brand value arising from negative stakeholder perception of the Bank’s business practices, activities and financial position. The Bank recognises that reputational risk is driven by a wide range of other business risks relating to the “conduct” of the Bank that must all be actively managed. In addition, the proliferation of social media has widened the stakeholder base and expanded the sources of reputational risk. Accordingly, reputational risk is broadly managed through the systems and controls adopted for all other risk types such as credit, market, operational risk, etc., which are underpinned by Code of Ethics, Communication policy and business ethics that prohibit unethical behaviour and promote employees to live by the claims made. Further, the detailed scorecard which was available to measure and monitor reputational risk under ICAAP was formalised as Reputational Risk Management Policy framework during the year.

Conduct risk

As an organisation that thrives on public trust and confidence, yet is faced with many conflicting interests and trade-offs, aligning the Bank’s interests with those of the customer is imperative for the Bank’s success and sustainability. Unfair business practices, professional misbehaviour, ethical lapses, inefficient operations, bribery and corruption, compliance failures, governance weaknesses, etc. dent customer confidence in the Bank. Proper conduct with fair outcomes to the customer is closely associated with the culture, governance structure and the tone at the top of the Bank. The Bank has a customer-centric approach that encompasses accountability, remuneration structures, compliance with the laws, rules and regulations in spirit, learning culture, transparency, public disclosures, Service Level Agreements and monitoring thereof, customer complaint handling procedure and customer engagement to maintain high standards of behaviour and integrity with a view to minimising conduct risk.

Bribery and corruption related risks

Bribery and corruption are illegal and dishonest and damage the reputation of the Bank and therefore, the Bank expects all its employees to refrain from giving or accepting bribes, kickbacks or commissions and taking part in any form of corruption. The Bank has developed an Anti-Bribery and Corruption Policy which will be submitted for approval of the Board in March 2021. It will be made available as soon as it is approved by the Board. In addition, the Bank has a Whistleblowers Charter and guidelines on accepting and/or offering gifts or other illegal gratification, collection and borrowing of funds/obtaining undue favours from customers and suppliers, holding a Directorship/being a Partner/Shareholder in private companies enumerated in the Code of Ethics and administrative circulars. In implementing the Code of Ethics and affirming its commitment to the 10th Principle of the UN Global Compact, the Bank expects all employees not only to fight corruption, but also to demonstrate that they do not abuse the power of their position as employees for personal financial or non-financial gain, solicit or accept gifts, compromise employees or the Bank. No employee of the Bank should offer any bribe or other illegal gratification in order to obtain business for the Bank.

Capital Adequacy and ICAAP Framework

In line with the Basel requirements and as prescribed in the ICAAP framework, the Bank used internal models to assess and quantify the risk profile, to stress test risk drivers and to assess capital requirements to support them. Internal limits which are more stringent than the regulatory requirements provide early warnings with regard to capital adequacy.

ICAAP supports the regulatory review process providing valuable inputs for evaluating the required capital in line with future business plans. It integrates strategic focus and risk management plans with the capital plan in a meaningful manner with inputs from Senior Management, Management Committees, Board Committees and the Board, and also takes into account potential risk of capital being inadequate under stressed conditions. It also supports profit optimisation through proactive decisions on exposures both current and potential through measurement of vulnerabilities by carrying out stress testing and scenario-based analysis. The ICAAP process also identifies gaps in managing qualitative and quantitative aspects of reputational risk and strategic risk which are not covered under Pillar 1 of Basel III.

The Bank is compliant with both regulatory and its own prudential requirements of capital adequacy. With a loyal base of shareholders and profitable operations, the Bank is also well positioned to meet capital requirements in the longer term to cover its material risks and to support business expansion, as a Domestic Systemically Important Bank (D-SIB).

Basel III minimum capital requirements and buffers

The Banking Act Direction No. 01 of 2016 introduced capital requirements for licensed commercial banks under Basel III starting from July 1, 2017 with specified timelines to progressively increase minimum capital ratios to be fully implemented by January 1, 2019 which included Higher Loss Absorbency component for D-SIBs. However, as an extraordinary regulatory measure for licensed banks to support businesses and individuals affected by the outbreak of COVID-19, CBSL permitted D-SIBs to draw down their Capital Conservation Buffers (CCB) by 100 basis points.

A comparison of the Bank's position as at December 31, 2020 and the minimum capital requirement prescribed by the CBSL effective from January 1, 2019 is tabulated below. This demonstrates the capital strength of the Bank and bears testimony to its ability to meet stringent requirements imposed by the regulator.

Target and actual capital

Table - 41

Capital ratios | Regulatory | | | Goal (Internal | |
CET 1 | 7.0 (2019), 6.0 (2020) | 1.5 | 8.5 (2019), 7.5 (2020) | >11 | 13.217 | 12.298
Total | 12.5 (2019), 11.5 (2020) | 1.5 | 14.0 (2019), 13.0 (2020) | >15 | 16.819 | 16.146

* Even though the CCB applicable to the Bank is 2.5% as per the original direction, with the permission granted by the CBSL to D-SIBs to draw down part of the Capital Conservation Buffer as a COVID-19 relief measure, the ratio applicable to the Bank as of December 31, 2020 was 1.5%.

(Refer to Annex 3 for the detailed capital adequacy computation)

The ICAAP helps the Bank to periodically evaluate the capital requirements for the next five years, develop capital augmentation plans based thereon and submit the same for review by the CBSL. Consequently, despite the non-conducive operating environment, SLFRS 9 adoption and taxes that impacted internal capital generation capabilities of the Bank in 2019 and 2020, the Bank has been able to secure availability of capital to fund its expansion plans and meet Higher Loss Absorbency (HLA) requirements prescribed by the CBSL for D-SIBs. In particular, the issue of up to USD 50 Mn. worth of shares to IFC through a private placement enabled the Bank to increase its stated capital during the year.

The “Basel Workgroup” of the Bank consists of members from a cross section of business and support units to assess capital adequacy in line with the strategic direction of the Bank. While ICAAP acts as a foundation for such assessment, the Basel Workgroup is continuously searching for improvements amidst a changing landscape in different frontiers, to recommend the desired way forward to the ALCO including indications on current and future capital requirements, anticipated capital expenditure-based assessments and desirable capital levels, etc.

Being in a capital-intensive business, the Bank is cognisant of the importance of capital. The Bank has access to a loyal base of shareholders who take a long-term view of the Bank as well as profits retained over the years by adopting prudent dividend policies, etc. Moreover, in order to achieve an optimised level of capital allocation, the Bank is continuously finding ways to improve judicious allocation of capital to requirements associated with its day-to-day operations. The challenges associated with mobilising capital from external sources are also taken into account, but not excluded as a sustainable option to boost the capital in the long run. The Bank is comfortable with the available capital buffer to support its growth plans/withstand stressed market conditions. However, the Bank is never complacent with current comfort levels and believes in providing stakeholder confidence that the Bank is known for, through sound capital buffer levels.

Stress testing

As an integral part of ICAAP under Pillar II, the Bank conducted stress testing for severe but plausible shocks on its major risk exposures on a periodic basis to evaluate the sensitivity of the current and forward risk profile relative to risk appetite and their impact on resilience of capital, funding, liquidity and earnings.

It also supports strategic planning, the ICAAP including capital management, liquidity management, setting of risk appetite triggers and risk tolerance limits, mitigating risks through reviewing and adjusting limits, restricting or reducing exposures and hedging thereof, facilitating the development of risk mitigation or contingency plans across a range of stressed conditions, and supporting communication with internal and external stakeholders.

The Bank’s governance framework for stress testing sets out the responsibilities and approaches to stress testing activities undertaken at the Bank, business line and risk type levels. The Bank uses a range of stress testing techniques, including scenario analysis, sensitivity analysis and reverse stress testing to perform stress testing for different purposes.

The framework covers all the material risks such as credit risk, credit concentration risk, operational risk, liquidity risk, FX risk, and IRRBB using EVE and EAR perspectives. The Bank evaluates various degrees of stress levels identified in the Stress Testing Policy as Minor, Moderate and Severe. The resulting impact on the capital is then carefully evaluated. Where stress tests point to a deterioration of the capital which has no impact on the policy level on capital maintenance, this is described as Minor risk, while a deterioration of up to 1% is considered as Moderate risk. If the impact results in the capital falling below the statutory minimum, such a level would be regarded as Severe risk, warranting immediate attention of the Management to rectify the situation.

Stress testing is an effective communication tool to Senior Management, risk owners and risk managers as well as supervisors and regulators since it offers a broader view of all risks borne by the Bank in relation to its risk tolerance and strategy in hypothetical stress scenarios. The outcomes of stress testing are reported to the EIRMC and BIRMC on a quarterly basis for appropriate, proactive decision making. Extracts from the stress testing results are set out in Table 42.

Impact on CAR at Minor, Moderate and Severe stress levels:

Table - 42

Particulars | Description | 2020 Minor (%) | 2020 Moderate (%) | 2020 Severe (%) | 2019 Minor (%) | 2019 Moderate (%) | 2019 Severe (%)
Credit risk – asset quality downgrade | Increasing the direct non-performing facilities over the direct performing facilities for the entire portfolio | -0.14 | -0.37 | -0.72 | -0.15 | -0.38 | -0.74
Operational risk | Impact of: 1. Top five operational losses during last five years; 2. Average of yearly operational risk losses during last three years; whichever is higher | -0.09 | -0.21 | -0.43 | -0.05 | -0.13 | -0.25
Foreign exchange risk | Percentage shock in the exchange rates for the Bank and Maldives operations (gross positions in each Book without netting) | -0.10 | -0.19 | -0.45 | -0.06 | -0.13 | -0.29
Liquidity risk (LKR) – | 1. Withdrawal of percentage of the clients, banks and other banking institution deposits from the Bank within a period of three months; 2. Rollover of loans to a period greater than three months | -0.07 | -0.19 | -0.39 | -0.03 | -0.11 | -0.26
Interest rate risk – EAR and EVE (LKR) – Sri Lanka | To assess the long-term impact of changes in interest rates on Bank’s EVE through changes in the economic value of its assets and liabilities and to assess the immediate impact of changes in interest rates on Bank’s earnings through changes in its net interest income | -0.12 | -0.20 | -1.16 | -0.15 | -0.30 | -0.44

Monitoring and reporting

The risk management function of the Bank is responsible for identifying, measuring, monitoring and reporting risk. To enhance the effectiveness of its role, staff attached to it are given regular training, enabling them to develop and refine their skills. They are well supported by IT systems that have made data extraction, analysis and modelling possible. Regular and ad-hoc reports are generated on Key Risk Indicators and risk matrices of the Bank as well as the subsidiaries, for review by the Senior Management, Executive and Board Committees, and the Board, which rely on such reports for evaluating risk and providing strategic direction.

The reports provide information on aggregate measures of risks across products, portfolios, tenures and geographies relative to agreed policy parameters, providing a clear representation of the risk profile and sensitivities of the risks assumed by the Bank and the Group.

Basel III – Market Discipline

Please refer to Annex 3 for the minimum disclosure requirements under Pillar III as per the Banking Act Direction No. 01 of 2016.

Please refer to Annex 3 for the D-SIB Assessment Exercise disclosed as required by the Banking Act Direction No. 10 of 2019.