Governance and Risk Management

Risk Governance and Management

Another year of disruption and challenge

Relatively speaking, Sri Lanka witnessed increased economic activity and favourable economic outlook in the year under review as evident from higher imports and exports as well as the increased demand for banking products and services. Yet, the economy continued to suffer from the long-lasting effects of the Easter Sunday attack in April 2019 and the COVID-19 pandemic in March 2020 that continued to spread in several waves. As widely speculated, the full social, economic and financial impact of these developments is yet to be seen. The downgrading of the sovereign rating by several rating agencies during the year based on their concerns about sovereign debt sustainability and financial vulnerability in the medium term, shortage of foreign currency liquidity, drop in worker remittances and pandemic-related policies and regulations impacted the operations and business performance of financial institutions. The Central Bank promulgated a series of new rules and regulations to help manage the foreign currency liquidity shortage in the market, with limited success.

From a risk management perspective, the challenge during the year was to build resilience across existing and new dimensions of risks, including risks associated with the increasing demand for digital products & services; risks associated with remote working arrangements; liquidity risks due to the shortfall of foreign currency; the continuing potential for rising defaults, especially as Government support and forbearance measures are phased out; and the need for a strong data infrastructure to anticipate and analyse compound and contagion risks. Additionally, as environment, sustainability, and governance (ESG) issues are brought to the centre of the corporate landscape, there is a need to identify and account for new risks in areas such as diversity, equity and climate change. The Bank devoted more resources and effort to carefully monitor such risks and others, such as credit risk with respect to segments of the lending portfolio under moratorium and exposures to risk-elevated industries, market risks due to rising interest rates, and operational risks due to heightened concerns on anti-money laundering and terrorist financing. The Bank also successfully tested its business continuity and disaster recovery plans during the year along with monitoring the ongoing health and safety risks to staff and customers in the context of operating in the midst of the COVID-19 pandemic. The success of these efforts is evident from the conservative risk profile the Bank has been able to maintain (Refer page 161) and the results of operations and the financial position as given in the financial statements published in this Annual Report.

Business model and risk

As a commercial bank, the Bank’s business model is centred around the two primary activities of financial intermediation and maturity transformation (Refer Business Model for Sustainable Value Creation on pages 33 to 35). This has enabled the Bank to gear its capital of Rs. 164.89 Bn. 11 times to operate with an on-balance sheet asset base of Rs. 1,949.21 Bn. as at December 31, 2021. The higher level of gearing exposes the Bank to a multitude of risks, which conventionally include credit risk (76%), operational risk (5%) and market risk (2%) in particular, based on the amount of capital allocated as per Basel capital adequacy requirements. In addition, a host of ancillary risks also have arisen due to various emerging developments, which are threatening to disrupt the business model of the Bank (Refer page 28 for a list of such emerging developments). These risks together with the developments referred to in the paragraphs above materially impacted almost all the main risk categories of the Bank. Nevertheless, the robust risk governance framework and the rigorous risk management function helped the Bank to manage the associated risks, enabling it to optimise the trade-off between risk and return, and continue sustainable value creation into the future.


The primary objectives of the Bank’s risk governance framework and the risk management function are:

  • to establish the necessary organisational structure for the management and oversight of risk;
  • to define the desired risk profile in terms of risk appetite and risk tolerance levels;
  • to institutionalise a positive risk culture within the Bank embodying values, beliefs, attitudes and practices that drive highly effective risk decisions;
  • to establish functional responsibility for decisions relating to accepting, transferring, mitigating and minimising risks and recommending the best ways of doing so;
  • to evaluate the risk profile against the approved risk appetite on an ongoing basis;
  • to estimate potential losses that could arise from plausible risk exposures;
  • to periodically conduct stress testing to ensure that the Bank holds sufficient buffers of liquidity and capital to honour contractual obligations and meet unexpected losses;
  • to integrate risk management with strategy formulation and execution;
  • to ensure efficient allocation of available capital to generate optimum risk-return trade-off; and
  • to promote better communication of risk across all the levels of the Bank.

Key developments in 2021

Major initiatives relating to risk governance and risk management during the year included:

  • Implementation of the Early Warning Signals (EWS) framework

Embarked on implementation of EWS framework, which is capable of early detection of credit risk by anticipating the incipient stress in borrowers that are likely to default by constantly monitoring behavioural components of internal and publicly available information on borrower and industry specific performance using advanced analytical tools with predictive capabilities, to help the Bank enhance its asset quality.

  • Implementation of the Risk Adjusted Return on Capital (RAROC) Framework

Completed implementation of the RAROC framework across the Bank for Corporate and SME borrowers, enabling it to support business decisions with a view to optimise the trade-off between risk and return at varying levels of granularity such as account, borrower, customer segment, product, business unit etc.

  • Carrying out analysis to proactively identify Risk Elevated Industries (REIs)

Developed capabilities to isolate and manage industry risk by understanding its exposures most at risk, which will help the Bank devise strategies to manage such exposures and to make an informed assessment of potential for expected credit losses and their impact on the Bank’s capital levels. Carried out an analysis to identify REIs – i.e. those facing heightened stress as a result of the pandemic – based on patterns of the availing of moratoria by borrowers in the Bank’s loan book and those who have been affected by economic stress and policy changes. This enabled the Bank to identify and classify the facilities for which moratoria were granted based on the lending sectors to which the loan proceeds were utilized and make appropriate provisions to withstand the forecasted impact. Accordingly, the Bank has taken Rs. 13 Bn. overlays on cumulative basis to reflect potential for any further credit deterioration.

  • Issue of debentures to strengthen the capital

As identified in the Internal Capital Adequacy Assessment Plan for 2021, the Bank raised Rs. 8.595 Bn. by issuing Basel III compliant – Tier 2, Listed, Rated, Unsecured, Subordinated, Redeemable debentures with a Non-viability Conversion in order to further improve the capital adequacy ratio by increasing the Tier 2 capital base. Funds so collected also helped the Bank to grow the lending portfolio as well as reduce maturity gaps in the Bank’s Balance Sheet by matching medium to long term liabilities with medium to long term assets.

  • Continuous review of the USD liquidity position

With substantial exposures to the Government of Sri Lanka in terms of assets, borrowings from overseas lenders and huge imbalances in demand for and supply of foreign exchange relating to foreign trade, the Bank devoted a lot of effort during the year to managing the USD liquidity position while accommodating customer requirements in the most equitable manner possible. The Bank continued negotiations with a number of parties throughout the year to secure USD funding and successfully mobilised USD 50 Mn. from multilateral funding agencies. As a policy, the Bank never resorted to maintaining open positions beyond the regulatory specified limits to manage foreign currency liquidity.

  • Managing excess Rupee liquidity

Although the Bank experienced satisfactory credit growth during the year under review relative to 2020, the Bank continued to have excess Rupee liquidity throughout the year due to deposits continuing to grow at an unprecedented rate. Having analyzed the potential movements of interest rate forecasts in coming years, the Bank continued to rebalance the maturity profile of its Government securities portfolio in order to enhance returns.

  • Conducted additional stress testing

The Fair Value through Other Comprehensive Income (FVOCI) portfolios of both FCY and Rupee bonds indicated a high level of stress arising from sharp interest rate movements experienced in the market due to varying factors. Much focus was placed on such portfolios and on the impact of the marking to market exercise, which could lead to depletion of the Capital Adequacy Ratio, with a view to formulating strategies to minimize the adverse impact.

Further, frequent downgrading of the country rating experienced during the year prompted the Bank to review resilience levels of FCY Bond exposures. FCY liquidity remained a focus area, which is common to the banking sector at large, and as the stress levels are unprecedented, the Bank resorted to various scenario analyses to manage this constraint at a reasonable level.

  • Continuous process improvements to further strengthen information and cyber security

The Bank continued to implement further technical solutions and make process improvements to address the ever-evolving cyber security threat landscape. These included:

  • Cyber Security Incident Response Plan is in place for managing and responding to cyber security events;
  • A security log management system is configured to alert on identified cyber security events such as abnormal behaviours in perimeter security devices such as firewalls, intrusion prevention/detection systems etc, denial of service attacks, password enumeration attacks, privilege access etc. These alerts/ dashboards are monitored and necessary action is taken on any identified events;
  • Appointed a Chief Information Security Officer (CISO) to provide leadership to the Bank’s overall information security function including cyber security;
  • Established an Information Security Risk Assessment Policy, and as per the Policy, information/cyber security risk assessments are carried out periodically;
  • Conducted technical security assessments such as vulnerability assessments, penetration tests, application security assessments, configuration assessments etc. periodically, in order to gauge the cyber risk profile of the Bank;
  • Performance of the Information Security Management Systems (ISMS) and any deviations, information security road-map/progress of cyber security projects as well as the information/cyber security risk profile of the Bank are regularly reported to the Information Security Council (ISC) and the BIRMC is kept updated periodically through risk indicators and other reports;
  • Sufficient time is allocated in the agenda of the Board Technology Committee (BTC) for discussion on cyber risk management. Proceedings of both the BIRMC and the BTC meetings are submitted to the Board for information and necessary directions.

  • Adoption of the Group Social and Environmental Management System (SEMS)

The Bank has been maintaining a robust SEMS since 2010 and it was extended to the subsidiaries of the Bank as recommended by the stakeholders, by adopting the Board approved Group Social and Environmental Management System during the year. Objective assistance was provided to the subsidiaries in adopting well-crafted Social and Environment Risk Management Procedure enabling the subsidiaries to conform to the SEMS of the Bank.

  • “Masked” credit risk

The overall credit risk and asset quality of the Bank improved during the year as reflected by the gross and net non-performing loan ratios improving to 4.62% and 1.44% respectively as at December 31, 2021 as against 5.11% and 2.18% as at December 31, 2020. The improvement in the ratios was a result of the gross loans and advances portfolio growing by 13%, while the growth in non-performing loans and advances was curtailed to 6.3%. However, the Bank is aware that, due to the still evolving nature of the pandemic and the uncertainties surrounding it as well as the Government support measures introduced to cushion the impact of the pandemic on households and business entities, the true underlying creditworthiness of some of the borrowers may be masked to some extent and that there is potential for some deterioration in asset quality in the years ahead. Being aware of such conditions, the Bank has taken necessary safeguards in terms of its business model and capital buffers to deal with any general deterioration in asset quality and the operating environment and made additional impairment provisions for the loans under moratoria and for exposures to REIs.

  • Resilience to operational environment/changes

Despite certain relaxation of systems and procedures, remote working arrangements and heavy reliance on digital channels, there was no increase in the operational risk profile in terms of incidents and losses compared to the previous year. With proper strategic responses aided by the robust risk governance and the rigorous risk management function, the Bank was able to successfully maintain its stability, resilience and profitability although it continued to be a year of ongoing disruptions and challenges.

Risk appetite and risk profile

A clearly-defined and Board approved Risk Appetite Statement articulates the types of risks, degrees of risks and the maximum amount of aggregate risk exposure that the Bank is prepared to assume at any given point in time. In order to provide for ease of monitoring, risk appetite is expressed in terms of quantitative parameters for all the important risk indicators under each risk category. It, among others, reveals the desired asset quality, maximum market and operational risk losses and minimum capital and liquidity requirements, taking into account the volatile operating environment, regulatory requirements, strategic focus, ability to withstand losses, and stress with the available capital, funding and liquidity positions and the robustness of the risk management framework.

The risk management function periodically reports the overall risk profile of the Bank to the Management, BIRMC, and the Board, in terms of certain Key Risk Indicators and a Risk Profile Dashboard. With the help of this information, the risk profile is rigorously monitored on an ongoing basis with the due consideration it deserves and swift remedial action is taken for any deviations to ensure that the actual risk exposures across all the risk categories are kept within the approved risk appetite.

With strong capital adequacy and liquidity positions which define the capacity to assume risk, the Bank’s risk profile is characterised by a portfolio of high-quality assets and stable sources of funding sufficiently diversified in terms of geographies, sectors, products, currencies, size and tenors. Risk profile of the Bank’s Sri Lankan operation as at December 31, 2021 and December 31, 2020 compared to the risk appetite as defined by the regulatory / Board approved policy parameters is given below:

Table - 47: Risk profile

| Risk category | Key Risk Indicator | Policy parameter | Actual position 31.12.2021 | Actual position 31.12.2020 |
|---|---|---|---|---|
| Credit risk: | | | | |
| Quality of lending portfolio | Gross NPA ratio | 3% – 8% | 4.62% | 5.11% |
| | Net NPA ratio | 2% – 6% | 1.44% | 2.18% |
| | Impairment over total NPA (*) | 40% – 60% | 49.97% | 46.95% |
| | Weighted average rating score of the overall lending portfolios | 35% – 40% | 52.60% | 52.93% |
| Concentration | Loans and advances by product – Highest exposure to be maintained as a percentage of the total loan portfolio | 30% – 40% | 22.40% | 21.72% |
| | Advances by economic sub sector (using HHI-Herfindahl-Hirschman-index) | 0.015 – 0.025 | 0.0149 | 0.0145 |
| | Exposures exceeding 5% of the eligible capital (using HHI) | 0.05 – 0.10 | 0.0063 | 0.0057 |
| | Exposures exceeding 15% of the eligible capital (using HHI) | 0.10 – 0.20 | 0.0053 | 0.0055 |
| | Exposure to any sub sector to be maintained at | 4% – 5% | 4.49% | 4.33% |
| | Aggregate of exposures exceeding 15% of the eligible capital | 20% – 30% | 9.98% | 12.25% |
| Cross border exposure | Rating of the highest exposure of the portfolio on S&P Investment Grade – AAA to BBB- | AA | AAA | AAA |
| Market risk: | | | | |
| Interest rate risk | Interest rate shock: (Impact to NII as a result of 100bps parallel rate shock for LKR and 25bps for FCY) | Maximum of Rs. 2,250 Mn. | Rs. 195.23 Mn. | Rs. 267.12 Mn. |
| | Re-pricing gaps (RSA/RSL in each maturity bucket – up to one-year period) | <1-1.5 Times (other than for the 1 month bucket which is <2.5 Times) | 0.77 Times (1.86 times for 1 month bucket) | 1.11 Times (1.78 times for 1 month bucket) |
| Liquidity risk | Statutory Liquid Asset Ratio (SLA) for Domestic Banking Unit (DBU) | 22% | 38.73% | 44.99% |
| | Liquid Asset Ratio (LCR) for All Currencies | 100% | 242.52% | 422.86% |
| | Net Stable Funding Ratio (NSFR) | 100% | 157.47% | 157.49% |
| Foreign Exchange risk | Exchange rate shocks on Total FCY exposure | Rs. 450 Mn. | Rs. 373.47 Mn. | Rs. 301.20 Mn. |
| Operational risk | Operational loss tolerance limit (as a percentage of last three years average gross income) | 3% – 5% | 0.78% | 0.58% |
| Strategic risk: | Capital adequacy ratios: | | | |
| | CET 1 | Over 7.5% | 11.923% | 13.217% |
| | Total capital | Over 13.0% | 15.650% | 16.819% |
| | ROE | Over 15% | 14.660% | 11.28% |
| | Creditworthiness – Fitch Rating | AA(lka) | AA-(lka) | AA-(lka) |

(RSA – Rate Sensitive Assets, RSL – Rate Sensitive Liabilities)

(*) Impairment ratios (without undrawn amount) calculated for the years 2020 and 2021, based on the guidelines stipulated in the Banking Act Direction No. 13 of 2021, extracting the data given in Note 34, are 31.47% and 44.34%, respectively.

Credit ratings

In January 2021, following the recalibration of the agency’s Sri Lankan rating scale, Fitch Ratings Lanka Limited revised the Bank’s National Long-Term Rating to AA-(lka)/Stable. The Bank’s Bangladesh operations continued to be rated AAA by Credit Rating Information and Services Limited (CRISL), the highest credit rating given to any financial institution in Bangladesh by CRISL. These credit ratings coupled with the high capital and liquidity buffers available in the Bank and the steady and consistent performance even during a period of disruptions and challenges depict the stability and the creditworthiness of the Bank and its conservative risk profile.

Outlook and plans for 2022 and beyond

The Operating Context and Outlook on pages 20 to 22 provides an analysis of the outlook for the Sri Lankan and the Bangladesh economies and the financial services sectors for 2022 and beyond. With full social, economic and financial impact of COVID-19 yet to be seen, deteriorating credit quality and potential for increased impairment losses, lackluster economic activities, sovereign debt sustainability related concerns and forex liquidity related pressures, a high degree of uncertainty is likely to continue to prevail in the short to medium term. With further acceleration of digital channels with potential disruptions and escalating cyber security threats and potential for compound and contagion risks, non-financial risks will become more prominent. Banking regulations will be further widened and deepened amidst pervasive technological advances and macroeconomic shocks. Recovery and resolution will require heightened attention.

These developments necessitate further strengthening of the risk governance and risk management function. With compound and contagion risks arising from pandemic related developments and country specific/global economic, historical correlations underlying risk management models may be found to be inadequate and trigger the need for alternative sources of data. Risk management function will also require professionals who will better understand how to leverage data which in turn requires such skills and knowledge as data science, data modelling, machine learning and AI based model risk management. Accordingly, the Bank will continue to make the necessary changes to the mandate, structure, resourcing, competencies, technologies, data analytics and MIS etc., thereby aligning business strategies with sound risk management practices and making risk management function more forward looking, value adding and proactive.

Specific initiatives planned for 2022 and beyond will include:

  • Developing systems and processes for data capturing in preparation for Basel IV, proposed to be implemented globally with effect from January 1, 2023;
  • Monitoring risk of competitor activity, entry of Fintech and telecom giants into the banking industry in particular, and evaluation of feasibility of possible partnerships to leapfrog competition;
  • Developing a risk database to strengthen cybersecurity to address risks arising from increasing interconnectedness and resulting financial contagion and carrying out scenario-based stress testing;
  • Implementation of a climate risk assessment tool with a view to address potential climate related risks by reducing carbon footprint of banking operations;
  • Development of a policy framework to manage the conduct risk;
  • Development of the CBSL mandated Recovery Plan;
  • Effective involvement in the asset classification, recognition, and measurement as per the Banking Act Direction Nos. 13 and 14 issued by the Central Bank;
  • Introduction of an ESG (Environment, Social and Governance) Framework that would enable practical initiatives that address ESG ambitions at Group level, identify growth opportunities and meet stakeholder needs whilst creating value;
  • Studying the options available to make the capital allocation process more efficient;
  • Introduction of a congruent and intelligent broad Credit, Operational and Market Risk Management frameworks in subsidiaries;
  • Converge the EWS with Internal credit evaluation to bring about a more robust mechanism to identify, predict, measure and control quality of credit exposures created by the Bank;
  • Inculcate a Data Culture throughout the organization by way of a comprehensive Data Roadmap and a well augmented Data Analytics Unit supporting effective business growth;
  • Implement robust Capital Optimization Initiatives.

With success of the vaccination campaigns, the latest variant, Omicron, being classified as a less severe form of COVID-19 and most of the countries easing on their earlier strict zero COVID-19 policies, latest predictions are that the pandemic will be over soon, reviving hopes for a better outlook for 2022 and beyond.

Risk management framework

The Bank has an all-encompassing Risk Management Framework (RMF) based on the Three Lines of Defence model, which takes into account the different roles played by the different departments of the Bank and their interplay determining effectiveness of the Bank in dealing with risk. It is a structured approach to manage all its risk exposures and is underpinned by rigorous organisational structures, systems, processes, procedures and industry/global best practices taking into account all plausible risks, potential losses and uncertainties the Bank is exposed to. The Three Lines of Defence model, which is the international standard, enables the Bank to have specific skills and framework for managing risk and guides its day-to-day operations with the optimum balance of responsibilities.

The RMF is subject to an annual review or more frequently if the circumstances so warrant, taking into account changes in the regulatory and operating environments.

Risk Governance

Risk governance is the necessary organisational structure for maintaining a high standard of governance and comprises the committees, rules, processes and mechanisms by which decisions relating to risk are taken and implemented for the management and oversight of risk within the risk appetite and the risk tolerance levels and for institutionalizing a strong risk culture. It enables the Management to undertake risk taking activities more prudently.

The Board of Directors has established a robust governance structure by leveraging the best practice in corporate governance to risk management. It comprises Board committees, executive functions and executive committees with required delegated authority, facilitating accountability for risk at all levels and across all risk types of the Bank and enabling a disciplined approach to managing risk. The organisation of the Bank’s risk governance is given in Figure 33 on page 164. Since it is highly specialized and also to ensure an integrated and consistent approach, decision-making on risk management is centralized to a greater extent in several risk management committees.

Board of Directors

The Board of Directors is the apex governance body responsible for strategy and policy formulation, objective setting and for overseeing executive functions. It has the overall responsibility for understanding the risks assumed by the Bank and the Group and for ensuring that they are appropriately managed (Refer pages 104 to 109 for the profiles of the members of the Board of Directors). Accordingly, the Board determines the risk appetite of the Bank with due regard to achieving its strategic goals and delegates oversight responsibility to Board committees, a list of which is given on pages 125 and 128. These Board committees work closely with the executive functions and executive level committees to review and assess the effectiveness of the risk management function and report to the Board on a regular basis. These reports provide a comprehensive perspective of the Bank’s risk profile and risk management efforts and outcomes, enabling the Board to identify the risk exposures, any potential gaps and mitigating actions necessary, on a timely basis. The tone at the top and the corporate culture reinforced by the ethical and effective leadership of the Board play a key role in managing risk at the Bank.

In addition to the Three Lines of Defence model and the tone at the top, the Bank’s commitment to conduct its business in an ethical manner too plays a significant role in managing risk in the Bank. The Bank’s unwavering commitment to, and expectation of all employees to undertake, business in a responsible, transparent and disciplined manner are set out in a number of related documents such as the Code of Ethics, Gift Policy, Communication Policy, Credit Policy and the Anti-Bribery and Anti-Corruption Policy, which demand the highest level of honesty, integrity and accountability from all employees.

In view of the potential for financial losses and reputational risk and also as required by regulatory authorities, the Board of Directors closely monitors the risk profile of all the subsidiaries in the Group apart from that of the Bank (Refer page 200 for the list of subsidiaries).

Board committees

The Board has set up the following four Board committees to assist it in discharging its oversight responsibilities for risk management and for ensuring adequacy and effectiveness of internal control systems.

  • Board Audit Committee (BAC)
  • Board Integrated Risk Management Committee (BIRMC)
  • Board Credit Committee (BCC)
  • Board Strategy Development Committee (BSDC)

These committees periodically review and make recommendations to the Board on risk appetite, risk profile, strategy, risk management and internal controls framework, risk policies, limits and delegated authority.

Details relating to composition, terms of reference, authority, meetings held and attendance, activities undertaken during the year etc., of each of these Board committees are given in the respective committee reports on pages 129 to 145.

Executive committees

Executive management is responsible for the execution of strategies and plans in accordance with the mandate of the Board of Directors while maintaining the risk profile within the approved risk appetite. Executive Integrated Risk Management Committee (EIRMC) comprises members from units responsible for credit risk, market risk, liquidity risk, operational risk and IT risk. Spearheaded by the EIRMC, the following committees have been set up on specific aspects of risk to facilitate risk management across the First and the Second Lines of Defence.

  • Asset and Liability Committee (ALCO)
  • Credit Policy Committee (CPC)
  • Executive Committee on Monitoring Non-Performing Advances (ECMN)
  • Information Security Council (ISC)
  • Business Continuity Management Steering Committee (BCMSC)

EIRMC coordinates communication with the BIRMC to ensure that risk is managed within the risk appetite. In addition, the Group Chief Risk Officer reports directly to the BIRMC. Details relating to composition of the executive committees are given in the section on “Annual Corporate Governance Report” on pages 117 and 128.

The Group Chief Risk Officer, head of the Integrated Risk Management Department (IRMD), participates in the executive committees listed above as well as in BIRMC, BCC and BAC meetings. It is the responsibility of the IRMD to independently monitor compliance of the First Line of Defence with the laid down policies, procedures, guidelines and limits and escalate deviations to the relevant executive committees. It also provides the perspective on all types of risk for the above committees to carry out independent risk evaluations and share their findings with the Line Managers and the Senior Management, enabling effective communication of material issues and the initiation of deliberations and necessary action.

Risk Management

Risk management is the functional responsibility for identifying, assessing and mitigating risks as well as determining risk mitigation strategies, monitoring early warning signals, estimating potential future losses and putting measures in place to contain losses/risk transfer. The risk management framework (Figure 34) facilitates the formulation and implementation of risk management strategies, policies and procedures while taking into account the strategic focus as defined in the Corporate Plan and the risk appetite.

The Bank has made significant investments to develop and maintain the infrastructure required in terms of both human and physical resources to strengthen detection and management of risks, including mandates, policies & procedures, limits, software, databases, expertise, communication etc. and to adopt international best practices. Since risk management is a responsibility of each and every employee of the Bank and they need to have a clear understanding of the risks the Bank is faced with, IRMD provides ongoing training and awareness to the employees, risk owners in particular, disseminating knowledge and enhancing their skills on all aspects related to risk, instilling the desired risk culture.

Policies, procedures and limits

The Bank has a set of comprehensive risk management policies that cover all the risks it manages in order to provide guidance to the business and support units on risk management and regulatory compliance including the Banking Act Direction No. 07 of 2011 – Integrated Risk Management Framework for Licensed Commercial Banks based on the Basel Framework and subsequent CBSL directives. This helps to reduce prejudice and subjectivity in risk decisions by institutionalizing the risk knowledge base. This key document establishes the Bank’s risk culture by defining its objectives, priorities and processes as well as the Board’s and the Management’s roles in risk management. The Risk Assessment Statement (RAS) sets out the risk limits and forms an integral part of the risk management framework. The BIRMC and the Board of Directors review the RAS at least once a year, if not more frequently, based on regulatory and business needs.

The Bank has considered the regulatory needs of the countries in which it operates. The Bank’s overall risk exposure including its international operations is within the CBSL’s regulatory framework.

The Bank has issued comprehensive operational guidelines to facilitate implementation of the risk management policy and the limits specified in the RAS. These guidelines detail types of facilities, processes and terms and conditions under which the Bank conducts business, giving staff clarity in their day-to-day tasks.

Risk management tools

To identify, measure, manage and report risks, the Bank uses a combination of qualitative and quantitative tools. Selection of the appropriate tool(s) for managing a particular risk is based on the likelihood of occurrence and the impact of the risk as well as the availability of data. These tools include early warning signals, threat analysis, risk policies, risk registers, risk maps, risk dashboards, RCSA, ICAAP, diversification, covenants, SEMS, workflow-based operational risk management system, insurance and benchmarking to limits, gap analysis, NPV analysis, swaps, caps and floors, hedging, risk rating, risk scoring, risk modelling, duration, scenario analysis, marking to market, stress testing, VaR analysis etc.

Types of risks

The Bank is exposed to a multitude of financial and non-financial risks, which can be broadly categorised into credit, market, liquidity, operational, reputational, IT, strategic and legal risks. All these risks taken together determine the risk profile of the Bank, which is monitored periodically against the risk appetite referred to earlier. The robust risk management framework in place enables the Bank to manage these risks prudently.

Nevertheless, banks are not immune to the significant levels of uncertainty arising from various external developments as well as internal factors that will continue to affect their risk profiles on an ongoing basis.

External developments may include;

  • The outbreak of pandemics
  • Movements in macroeconomic variables
  • Fragile supply chains
  • Sovereign risk destabilising financial markets
  • Political instability
  • Demographic changes
  • Changes in Government fiscal and monetary policies
  • Technological advances
  • Regulatory developments
  • Mounting stakeholder pressures
  • Competitor activities
  • Unsubstantiated information being circulated in social media
  • Decline in property market valuations giving rise to higher losses on defaulting loans
  • Unfounded public perceptions that banks are exploiting customers
  • Distressed businesses and individuals
  • Downgrading of ratings of the banks and
  • Growing sustainability concerns

Besides limiting physical movements of people and global trade, such developments could impact public perceptions, disposable income of people, demand for banking products and services, funding mix, interest margins and tax liabilities of the Bank.

Internal factors may include;

  • Knowledge and skill gaps among staff members
  • Lapses in internal administration
  • Deterioration of internal sub-cultures
  • Deliberate acts of fraud, cheating, misappropriation etc.
  • Arbitrary decision making
  • Inaccurate/insufficient risk reporting
  • Inadequacies/misalignments of digitisation
  • Strategic misalignments
  • Lapses in implementing the risk management framework
  • Improper alignment of remuneration to performance and risk
  • Incorrect advice offered to customers
  • Inaccurate predictions of macroeconomic variables
  • Execution gaps in internal processes
  • Lack of industrial harmony
  • Critical accounting judgements and estimates turning out to be inaccurate
  • Lack of robust data infrastructure adversely affecting business and operational decisions and
  • Subsidiaries and associates not performing up to expectations of the Bank.

These factors, if not properly managed, may affect the risk profile of the Bank as well as cause reputational damage, hampering the objective of sustainable value creation for all its stakeholders.

Furthermore, the operating environment has been made much more complex and unpredictable by some potentially disruptive emerging threats and uncertainties, resulting in some of the long-standing assumptions about markets, competition and even business fundamentals being less true today. These call for the Bank to better understand its stakeholders and meet their expectations with excellence in execution in internal processes. The Bank deals with these developments through appropriate strategic responses, believing that these provide opportunities to differentiate its value proposition for future growth. A summary of key risks is given in Figure 35 on page 166.

These developments are making the operating environment more complex, dynamic and competitive day by day and risk management very challenging on an ongoing basis. Effective management of these risks with a congruent approach to face uncertainties is nevertheless a sine qua non to the implementation of the Bank’s strategy for value creation for all its stakeholders. Consequently, deliberations on risk management were on top of the agenda in all Board, Board Committee and Executive Committee meetings of the Bank.

A description of the different types of risks managed by the risk management function of the Bank and risk mitigation measures adopted are given below.

Credit risk

Credit risk refers to the potential that a borrower or a counterparty will fail to meet its obligations in accordance with agreed terms. Direct lending activities as well as commitments and contingencies expose the Bank to credit risk. COVID-19 pandemic related developments have triggered certain implications such as masking credit risk and changes in creditworthiness of certain sectors, requiring the Bank to explore new approaches for managing and mitigating credit risk.

The Bank’s total credit risk is made up of counterparty risk, concentration risk and settlement risk.

Table - 48: Maximum credit risk exposure

As at December 31, 2021

| | Rs. Bn. | % |
|---|---|---|
| Net carrying amount of credit exposure: | | |
| Cash and cash equivalents | 68.078 | 2.7 |
| Placements with central banks and other banks (excluding reserves) | 24.690 | 1.0 |
| Financial assets at amortised cost – Loans and advances to banks | | |
| Financial assets at amortised cost – Loans and advances to other customers | 1,014.618 | 40.7 |
| Financial assets at amortised cost – Debt and other financial instruments | 369.418 | 14.8 |
| Financial assets measured at fair value through other comprehensive income | 335.463 | 13.5 |
| Total (a) | 1,812.267 | |
| Off-balance sheet maximum exposure: | | |
| Lending commitments | 143.400 | 5.8 |
| Contingencies | 536.753 | 21.5 |
| Total (b) | 680.153 | |
| Total of maximum credit exposure (a + b) | 2,492.420 | 100.0 |
| Gross carrying amount of loans and advances to other customers | 1,078.685 | |
| Stage 3 (credit impaired) loans and advances to other customers | 79.076 | |
| Impaired loans as a % of gross loans and advances to other customers | | 7.3 |
| Allowance for impairment – loans and advances to other customers | 64.066 | |
| Allowance for impairment as a % of gross loans and advances to other customers | | |
| Impairment charge – loans and advances to other customers | 14.553 | |

Amid the COVID-19 pandemic related environmental challenges, the maximum credit exposure of the Bank has grown from Rs. 2,354.9 Bn. (as at end December 2020) to Rs. 2,492.4 Bn. (as at end December 2021).

According to the SLFRS 9 classification, the credit impaired (Stage 3) loans to customers stood at Rs. 79.0 Bn. (Rs. 102.5 Bn. in 2020) which is 7.3% (10.8% in 2020) of the gross loans and advances to other customers portfolio of the Bank.

Further, the increasing trend experienced in loans and advances to other customers being classified as impaired has resulted in a cumulative impairment allowance of Rs. 64.0 Bn. as at December 31, 2021 (Rs. 50.9 Bn. as at December 31, 2020).

Managing credit risk

The lending portfolio accounts for 52% of total assets and credit risk accounts for over 90% of the total risk-weighted assets. Hence, it is needless to overemphasise the critical importance of prudently managing the credit risk to the Bank’s sustainability. In the circumstances, we endeavour to manage credit risk going beyond mere regulatory compliance in order to enhance value. It is managed through the Board approved credit risk management framework which comprises a robust risk governance structure and a comprehensive suite of risk management processes which, among others, include policies and procedures, risk ratings, risk review mechanism, collateral management and valuation, segregation of credit risk management functions, social and environmental risk management, independent verification of risk assessments, credit risk monitoring, post disbursement review, providing direction to business line managers, dissemination of credit risk related knowledge and sharing information with internal audit.

Review of credit risk

The challenging operating environment following the Easter Sunday attack further deteriorated due to the COVID-19 pandemic related lockdowns, travel restrictions, supply chain disruptions and import restrictions, which continued throughout the year under review. Concerns fuelled by foreign currency liquidity shortages exerted pressure on business entities. However, certain proactive measures taken by the Government, such as the effective vaccination drive and efforts to boost FDIs and revive tourism, helped the country sustain economic activities at a reasonable level. Demonstrating its resilience, the Bank managed to gradually weather the effects of the pandemic and make progress. NPL ratios improved during the year (Refer Table 47 on risk profile on page 161). Continuous follow up of facilities that were subjected to moratoria, recovery initiatives such as offering incentives, and elevated levels of attention given to loan approvals, post-sanction monitoring and recovery efforts, together with planned implementation of early identification of stressed borrowers through EWS, will assist the Bank to gradually bring down these ratios further in 2022 and minimise potential credit risk.

In addition to the effective credit risk management framework referred to above that guides the Bank when on-boarding new exposure and monitoring existing exposure which makes an enormous contribution to maintain the quality of the loan book, the Bank is vigilant and exercises caution when choosing customers, products, segments and geographies it serves. Continuous monitoring of age analysis and the underlying movement of overdue loans through arrears buckets enabled the Bank to swiftly take action, thereby moderating default risk during the year.

Concentration risk

It is through strategically diversifying the business across industry sectors, products, counterparties and geographies that the Bank manages concentration risk. The Bank’s RAS defines the limits for these segments and to ensure compliance, the Board, BIRMC, EIRMC and the CPC monitor these exposures. They also make suggestions and recommendations on modifications to defined limits based on the trends and developments shaping the business environment.

Graph 23 depicts that the tenor-wise breakdown of the portfolio of total loans and advances to other customers is within the risk appetite of the Bank.

The distribution of Stage 3 credit impaired loans and advances to other customers in terms of identified industry sectors as at year end is given in Table 49 on page 169.

Table - 49: Distribution of Stage 3 credit impaired loans and advances to other customers as at December 31, 2021

| Industry Category | Stage 3 Loans and Advances Rs. ’000 | Allowance for Individual Impairment Rs. ’000 | Allowance for Collective Impairment Rs. ’000 | ECL Allowance Rs. ’000 | Amount Written-off Rs. ’000 |
|---|---|---|---|---|---|
| Agriculture, forestry and fishing | 10,020,367 | 996,468 | 3,570,968 | 4,567,436 | 51,527 |
| Arts, entertainment and recreation | 78,162 | | 28,658 | 28,658 | 78 |
| Construction | 7,791,382 | 3,449,065 | 2,258,071 | 5,707,136 | 38,790 |
| Consumption and others | 7,601,095 | 7,420 | 3,378,997 | 3,386,417 | 256,730 |
| Education | 305,324 | | 117,352 | 117,352 | 692 |
| Financial services | 1,205,504 | 784,597 | 136,675 | 921,272 | 629 |
| Health care, social services and support services | 1,590,064 | 61,884 | 507,360 | 569,244 | 2,212 |
| Information technology and communication services | 657,123 | 4,220 | 261,577 | 265,797 | 1,821 |
| Infrastructure development | 2,532,161 | 620,781 | 259,999 | 880,780 | 154 |
| Lending to overseas entities | 2,735,791 | 67,065 | 668,510 | 735,575 | |
| Manufacturing | 16,585,196 | 2,838,447 | 4,047,918 | 6,886,365 | 470,767 |
| Professional, scientific and technical activities | 634,977 | - | 236,223 | 236,223 | 3,298 |
| Tourism | 6,143,146 | 188,100 | 1,774,473 | 1,962,573 | 3,719 |
| Transportation and storage | 2,852,214 | 1,228,902 | 270,056 | 1,498,958 | 42,472 |
| Wholesale and retail trade | 18,343,130 | 2,210,175 | 5,091,240 | 7,301,415 | 67,253 |
| Total | 79,075,636 | 12,457,124 | 22,608,077 | 35,065,201 | 940,142 |

It is due to economic activities being heavily concentrated in the Western province and the headquarters of most borrowing entities being located there that a geographical analysis (Graph 24) reflects a high concentration of loans and advances to other customers in the Province.

Product-wise analysis of the lending portfolio (Graph 25) too reveals the efficacy of the Bank’s credit policies with risk being diversified across a range of credit products.

The relatively high exposure of 39% to long-term loans is rigorously monitored and mitigated with collateral.

Counterparty risk

The Bank manages counterparty risk through the laid down policies/procedures and limit structures including single borrower limits and group exposure limits with sub-limits for products etc. The Bank has set limits far more stringent than those stipulated by the regulator, providing it a greater leeway in managing concentration levels with regard to the counterparty exposures.

A major component of counterparty risk is in relation to loans and receivables to banks, both local and foreign. A specific set of policies, procedures and a limit structure are in place to monitor it. Whilst market information on the financial/economic performance of these counterparties is subject to a rigorous scrutiny throughout the year, the counterparty bank exposures are monitored against the established prudent limits at frequent intervals and the limits are revised to reflect the latest information, where deemed necessary.

The analysis uses Fitch Ratings for local banks in Sri Lanka and Credit Ratings Agency in Bangladesh (CRAB) ratings for local banks in Bangladesh (Equivalent CRISL/Alpha ratings are used where CRAB ratings are not available). Exposures for local banks in Sri Lanka rated AAA to A category stood at 94% (Graph 26) whilst 100% of exposure of local banks in Bangladesh consisted of AAA to AA rated counterparty banks (Graph 27).

Cross-border risk

It is the risk that the Bank will be unable to secure payments from its customers or third parties on their contractual obligations due to certain actions taken by foreign governments, mainly relating to convertibility and transferability of foreign currency. Assets exposed to cross-border risk comprise loans and advances, interest-bearing deposits with other banks, trade and other bills and acceptances and those predominantly relating to short-term money market activities.

Limit structures in place, continuous monitoring of macroeconomic and market developments of the countries with exposure to counterparties and stringent evaluation of counterparties and maintaining frequent dialogue with them help to minimize risk arising from over concentration of cross-border risk. Timely action is taken to suspend/revise limits to countries with adverse economic/political developments.

The Bank’s total cross-border exposure is only 5% of its total assets (Graph 29 on page 171). The Bank has cross-border exposures to a spread of countries which primarily include the Maldives, India, Singapore, USA, Denmark, Malaysia, etc.

Market risk

Market risk is the risk of loss arising from movements in market driven variables such as interest rates, exchange rates, commodity prices, equity and debt prices and their correlations against the expectations the Bank had at the time of making decisions. The Bank’s operations are exposed to these variables and correlations in varying magnitudes.

Table - 50: Market risk categories

| Major market risk category | Risk components | Description | Tools to monitor | Severity | Impact | Exposure |
|---|---|---|---|---|---|---|
| Interest rate | | Risk of loss arising from movements or volatility in interest rates | | | | |
| | Re-pricing | Differences in amounts of interest earning assets and interest-bearing liabilities getting re-priced at the same time or due to timing differences in the fixed rate maturities and appropriately re-pricing of floating rate assets, liabilities and off-balance sheet instruments | Re-pricing gap limits and interest rate sensitivity limits | High | Medium | Medium |
| | Yield curve | Unanticipated changes in shape and gradient of the yield curve | Rate shocks and reports | High | High | High |
| | Basis | Differences in the relative movements of rate indices which are used for pricing instruments with similar characteristics | Rate shocks and reports | High | Medium | Medium |
| Foreign exchange | | Possible impact on earnings or capital arising from movements in exchange rates arising out of maturity mismatches in foreign currency positions other than those denominated in base currency, Sri Lankan Rupee (LKR) | Risk tolerance limits for individual currency exposures as well as aggregate exposures within regulatory limits for NOP | High | Medium | Medium |
| Equity | | Possible loss arising from changes in prices and volatilities of individual equities | Mark-to-market calculations are carried out daily for Fair Value Through Profit and Loss (FVTPL) and Fair Value Through Other Comprehensive Income (FVOCI) portfolios | Low | Low | Negligible |
| Commodity | | Exposures to changes in prices and volatilities of individual commodities | Mark to market calculations | Low | Low | Negligible |

Managing market risk

Market risk is managed through the market risk management framework approved by the Board, which comprises a robust risk governance structure and a comprehensive suite of risk management processes which include policies, market risk limits, Management Action Triggers (MATs), risk monitoring and risk assessment.

Review of market risk

Market risk arises mainly from the Non-Trading Portfolio (Banking Book) which accounted for 92.05% of the total assets and 94.05% of the total liabilities as at December 31, 2021. Exposure to market risk arises mainly from IRR and FX risk as the Bank has negligible exposure to commodity related price risk and equity and debt price risk which was less than 12% of the total risk weighted exposure for market risk.

The Bank’s exposure to market risk analysed by Trading Book and Non-Trading Portfolios (or Banking Book) is set out in the Note 67.3.1.

Market risk portfolio analysis

The gap report is prepared by stratifying Rate Sensitive Assets (RSA) and Rate Sensitive Liabilities (RSL) into various time bands according to maturity (if they are fixed rated) or time remaining to their next re-pricing (if they are floating rated). Balances of savings deposits are distributed in line with the findings of a behavioural analysis conducted by the Bank and based on the guidelines of the CBSL on overdrafts and credit cards. Vulnerability of the Bank to interest rate volatility is indicated by the gap between RSA and RSL (Refer Table 51).

Table - 51: Interest rate sensitivity gap analysis of assets and liabilities of the Banking Book as at December 31, 2021 – Bank

| Description | 0-90 Days Rs. ’000 | 3-12 Months Rs. ’000 | 1-3 Years Rs. ’000 | 3-5 Years Rs. ’000 | Over 5 years Rs. ’000 | Non-sensitive Rs. ’000 | Total as at 31/12/2021 Rs. ’000 |
|---|---|---|---|---|---|---|---|
| Total financial assets | 570,948,878 | 325,874,708 | 426,432,258 | 205,863,555 | 204,935,130 | 121,006,704 | 1,855,061,233 |
| Total financial liabilities | 679,465,109 | 576,555,364 | 130,206,477 | 91,360,929 | 244,974,815 | 17,110,538 | 1,739,673,232 |
| Interest rate sensitivity gap | (108,516,231) | (250,680,656) | 296,225,781 | 114,502,626 | (40,039,685) | 103,896,166 | 115,388,001 |
| Cumulative gap | (108,516,231) | (359,196,887) | (62,971,106) | 51,531,520 | 11,491,835 | 115,388,001 | |
| RSA/RSL | 0.84 | 0.57 | 3.28 | 2.25 | 0.84 | | |

Interest rate risk (IRR)

Extreme movements in interest rates expose the Bank to fluctuations in Net Interest Income (NII) and have the potential to impact the underlying value of interest-earning assets and interest-bearing liabilities and off-balance sheet items. The main types of IRR to which the Bank is exposed are re-pricing risk, yield curve risk and basis risk.

Sensitivity of projected NII

Regular stress tests are carried out on Interest Rate Risk in Banking Book (IRRBB) encompassing changing positions and new economic variables together with systemic and specific stress scenarios. Change in value of the Fixed Income Securities (FIS) portfolio in FVTPL and FVOCI categories due to abnormal market movements is measured using both Economic Value of Equity (EVE) and Earnings At Risk (EAR) perspectives. Results of stress tests on IRR are analyzed to identify the impact of such scenarios on the Bank’s profitability and capital.

Impact on NII due to rate shocks on LKR and FCY is continuously monitored to ascertain the Bank’s vulnerability to sudden interest rate movements (Refer Table 52).

Table - 52: Sensitivity of NII to rate shocks

| | 2021 Parallel increase Rs. ’000 | 2021 Parallel decrease Rs. ’000 | 2020 Parallel increase Rs. ’000 | 2020 Parallel decrease Rs. ’000 |
|---|---|---|---|---|
| As at December 31, | 195,232 | (195,288) | 267,122 | (132,005) |
| Average for the year | 237,725 | (195,758) | 708,924 | (648,050) |
| Maximum for the year | 655,218 | (655,219) | 1,060,589 | (1,040,835) |
| Minimum for the year | (161,529) | 245,713 | 249,878 | (132,005) |

Foreign exchange risk

Stringent risk tolerance limits for individual currency exposures as well as aggregate exposures within the regulatory limits ensure that potential losses arising out of fluctuations in FX rates are minimised and maintained within the Bank’s risk appetite.

The USD/LKR exchange rate depreciated by 7.0% (Source - CBSL) during the year under review.

Please refer to Note 67.3.3 – Exposure to currency risk - non trading portfolio.

Stress testing is conducted on NOP by applying rate shocks ranging from 2% to 15% in order to estimate the impact on profitability and capital adequacy of the Bank (Refer Table 56 on page 178). The impact of a 1% change in exchange rate on the foreign currency position indicated a loss of Rs. 373.47 Mn. on the positions as at December 31, 2021 (Refer Graph 47 on page 333).

Equity price risk

Although the Bank’s exposure to equity price risk is negligible, mark to market calculations are conducted daily on FVTPL and FVOCI portfolios. The Bank has also calculated VaR on equity portfolio. Note 67.3.4 summarizes the impact of a shock of 10% on equity price on profit, other comprehensive income (OCI) and equity.

Commodity price risk

The Bank has a negligible exposure to commodity price risk which is limited to the extent of the fluctuations in gold price on the pawning portfolio.

Liquidity risk

Liquidity risk is the Bank’s inability to meet “on” or “off” balance sheet contractual and contingent financial obligations as they fall due, without incurring unacceptable losses.

Banks are vulnerable to liquidity and solvency problems arising from mismatches in maturities of assets and liabilities. Consequently, the primary objective of liquidity risk management is to assess and ensure availability of funds required to meet obligations at appropriate times, both under normal and stressed conditions.

Liquid assets ratios as at December 31, 2021 are given below:

Table - 53: Statutory Liquidity Ratios

| | 2021 % | 2020 % |
|---|---|---|
| Statutory Liquid Assets Ratio (SLAR) | | |
| DBU | 38.73 | 44.99 |
| OBC | 36.39 | 32.70 |
| Liquidity Coverage Ratio (LCR) | | |
| Rupee | 425.97 | 599.38 |
| All Currencies | 242.52 | 422.86 |
| Net Stable Funding Ratio (NSFR) | 157.47 | 157.49 |

Managing liquidity risk

The Bank manages liquidity risk through policies and procedures, measurement approaches, mitigation measures, stress testing methodologies and contingency funding arrangements. As experienced across the industry, relatively slow credit growth compared to deposit inflow caused the Bank to have an excess liquidity situation throughout the year, as can be seen from the ratios given in Table 53. It was a challenge for the Bank to manage such excess liquidity to generate an optimum return. A major portion of the excess liquidity had to be invested in Government securities, denominated in both LKR and FCY, at optimum yields to minimize adverse effects on profitability.

Liquidity risk review

The net loans to deposits ratio is regularly monitored by the ALCO to ensure that the asset and liability portfolios of the Bank are geared to maintain a healthy liquidity position. NSFR indicating stability of funding sources compared to loans and advances granted was maintained well above the policy threshold of 100%, which is considered healthy to support the Bank’s business model and growth.

The key ratios used for measuring liquidity under the stock approach are given below:

Table - 54: Key ratios used for measuring liquidity under the stock approach

| Liquidity ratios % | As at December 31, 2021 | As at December 31, 2020 |
|---|---|---|
| Loans to customer deposits | 0.75 | 0.75 |
| Net loans to total assets | 0.52 | 0.52 |
| Liquid assets to short-term liabilities | 0.58 | 0.60 |
| Purchased funds to total assets | 0.22 | 0.23 |
| (Large liabilities – Temporary Investments) to (Earning assets – Temporary Investments) | 0.19 | 0.18 |
| Commitment to total loans | 0.18 | 0.24 |

Maturity gap analysis

Maturity gap analysis of assets and liabilities of the Bank as at December 31, 2021 is given in Note 67.2.2 (a) to the Financial Statements.

Maturity analysis of financial assets and financial liabilities of the Bank indicates sufficient funding for foreseeable adverse situations based on prescribed behavioural patterns observed.

Maturity analysis of financial assets and financial liabilities of the Bank does not indicate any adverse situation when due cognisance is given to the fact that cash outflows include savings deposits which can be considered as a quasi-stable source of funds based on historical behavioural patterns of such depositors as explained below.

Behavioural analysis on savings accounts

In the absence of a contractual agreement about maturity, savings deposits are treated as non-maturing demand deposits. There is no exact re-pricing frequency for the product and the Bank resets the rate offered on these deposits based on re-pricing gap, liquidity and profitability etc. Since there is no exact re-pricing frequency and the product is not sensitive to market interest rates, segregation of savings products among the predefined maturity buckets in the maturity gap report is done based on the regular simulations carried out by the Bank in line with a behavioural study.

The liquidity position is measured in all major currencies at both individual and aggregate levels to ensure that potential risks are within specified threshold limits. Additionally, potential liquidity commitments resulting from loan disbursements and undrawn overdrafts are also monitored to ensure sufficient funding sources.

Funding diversification by product

The Bank’s primary sources of funding are deposits from customers and other borrowings. Graph 30 provides a product-wise analysis of the Bank’s funding diversification as at end of 2021 and 2020.

Operational risk

Operational risk is the risk of losses stemming from inadequate or failed internal processes, people and systems, or from external events such as natural disasters, social or political events. It is inherent in all banking products and processes and the Bank’s objective is to control it in a cost-effective manner. Operational risk includes legal risk but excludes strategic and reputational risk.

Managing operational risk

The Bank manages operational risk through policies, risk assessment, risk mitigation including insurance coverage, procedures relating to outsourcing of business activities, managing technology risk, a comprehensive Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP), creating a culture of risk awareness across the Bank, stress testing and monitoring and reporting.

Policies and procedures relating to outsourcing of business activities of the Bank ensure that all significant risks arising from outsourcing arrangements of the Bank are identified and effectively managed on a continuous basis. Details of all outsourced functions are reported to the CBSL annually. Due diligence tests on outsourced vendors are carried out by respective risk owners prior to executing new agreements and renewal of existing agreements. Further, bi-annual review meetings are conducted with key IT service providers to monitor service performance levels and to verify adherence to the agreements.

Business continuity management

Business Continuity Management (BCM) framework of the Bank encompasses business continuity, disaster recovery, crisis management, incident management, emergency management and contingency planning activities. These activities will ensure that the Bank is committed to serve all its stakeholders with minimum business interruptions in the event of an unforeseen disruption to its business activities arising from man-made, natural or technical disasters.

The scope of the BCM includes programme initiation and management, risk evaluation and business impact analysis, developing business continuity strategies, emergency preparedness and response, developing and implementing business continuity plans, awareness building and training, business continuity plan exercise, audit and maintenance, crisis communications and coordination with external agencies.

In 2018, the BCP of the Bank was revamped in line with industry best practices in consultation with an external BCP expert. The IT Disaster Recovery Plan, which is a key component of the BCP, was also reviewed and approved by the Board of Directors. IT system recovery capabilities of core banking and other critical systems of the Bank have been further strengthened by way of introducing a secondary high-availability set-up leading to improved redundancy.

A BCP exercise (working day) was carried out in July 2021, which was conducted over a period of one week, beyond the current CBSL requirement of one working day. During the week of the BCP drill, the core banking and other critical systems were running from the DR systems. The exercise was a great success with minimum disruptions, which bears testimony to the maturity attained by the Bank by conducting such exercises over the years.

Review of operational risk

The Bank has a low appetite for operational risk and has established tolerance levels for all types of material operational risk losses based on historical loss data, budgets and forecasts, performance of the Bank, existing systems and controls governing Bank operations etc. The following thresholds have been established based on audited financial statements for monitoring purposes:

  • Alert level – 3% of the average gross income for the past three years
  • Maximum level – 5% of the average gross income for the past three years

Operational losses for the financial year 2021 were below the internal alert level at 0.78% (of average audited gross income for the past three years). The Bank has been consistently maintaining operational losses below the alert level for the past ten years, reflecting the “tone at the top”, effectiveness of the governance structures and the rigour of processes and procedures in place to manage operational risk.

Graph 31 analyses the operational risk losses incurred by the Bank in 2021 under each business line/category.

When analysing the losses incurred during 2021 under the Basel II defined business lines, it is evident that the majority (64%) of losses with financial impact falls under the business line of “Payment and Settlement”, followed by the losses reported under the “Retail Banking” business line (36%). Losses relating to other business lines remained negligible.

Graphs 32 and 33 depict the comparison of operational losses reported during 2021 and 2020 under each Basel II loss event type, both in terms of number of occurrences and value.

As is typical with operational risk losses, the majority of the losses encountered by the Bank during 2021 consisted of high frequency/low financial impact events mainly falling under the loss category Execution, Delivery and Process Management. These low value events are mainly related to cash and ATM operations of the Bank’s service delivery network consisting of over 1,000 points across Sri Lanka and Bangladesh. Individual events with monetary values less than Rs.100,000 accounted for more than 90% of the total loss events for the year. Also, the number of loss events for the year when compared to the number of transactions performed during the year stands at a mere 0.0047%.

During the year, the Financial Intelligence Unit of the CBSL imposed a penalty of Rs. 3 Mn. on the Bank for certain lapses in relation to AML compliance. Following this, the Bank further strengthened AML compliance with new audit reports for monitoring transactions and ensuring compliance with KYC requirements.

When considering the values of the losses incurred by the Bank during the year, they can mainly be categorized under Business Disruption and System Failures; Execution, Delivery and Process Management; and Damages to Physical Assets. The losses for the year were primarily driven by a limited number of events in these three categories, the majority of which the Bank managed to resolve through subsequent recovery/rectification with minimum financial impact to the Bank. Further, necessary process improvements and system changes have been introduced to prevent recurrence. Capital allocation pertaining to operational risk for 2021 under the Alternative Standardised Approach as per Basel III is Rs.12.23 Bn., whereas the net losses after discounting the subsequent recoveries amount to a mere 0.207% of this capital allocation. This trend of exceptionally low levels of operational risk losses of the Bank bears testimony to the effectiveness of the Bank’s operational risk management framework and the internal control environment.

IT risk

IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an organisation. It is a major component of operational risk comprising IT-related events such as system interruptions/failures, errors, frauds through system manipulations, cyberattacks, obsolescence in applications, falling behind competitors in technology etc., that could potentially affect the whole business. Given the uncertainty with regard to frequency and magnitude, managing IT risk poses challenges. Hence, the Bank has accorded top priority to addressing IT risk, giving more focus to cyber security strategies and continually investing in improving its cyber security capabilities. The Bank’s cyber security strategy is focused on securely enabling new technology and business initiatives while maintaining a persistent focus on protecting the Bank and its customers from cyber threats.

The IT Risk Unit of the IRMD is responsible for implementing the IT risk management framework for the Bank, ensuring that the appropriate governance framework, policies, processes and technical capabilities are in place to manage all significant IT risks. The IT Risk Management Policy, aligned with the Operational Risk Management Policy, complements the Information Security Policy and the related processes, objectives and procedures relevant for managing risk and improving information security of the Bank.

Risk Control Self Assessment (RCSA) is used as one of the core mechanisms for IT risk identification and assessment, while the IT Risk Unit carries out independent IT risk reviews in line with the established structure of the operational risk management process. Results of these independent IT risk assessments together with audit findings, analysis of information, security incidents, internal and external loss data are also employed for IT risk identification and assessment purposes.

IT risk mitigation involves prioritizing, evaluating and implementing the appropriate risk-reducing controls or risk treatment techniques recommended from the risk identification and assessment process. The Bank has a multi-layered approach of building controls into each layer of technology, including data, applications, devices, network, etc. This ensures robust end-to-end protection, while enhancing the cyber threat detection, prevention, response and recovery controls. The Bank is certified under the globally accepted, de facto standard for Information Security Management Systems (ISMS), ISO/IEC 27001:2013, and the Payment Card Industry Data Security Standard (PCI DSS), both focusing on ensuring Confidentiality, Integrity and Availability of data/information. The ISMS is independently validated on an annual basis by the ISO 27001 ISMS external auditors and Qualified Security Assessors of the PCI Council.

The Bank has continued to invest in information security, by enhancing information security governance in line with the CBSL directions and intensifying focus on information and cyber security with the Baseline Security Standards (BSS) being rolled-out across the branch network and in the Head Office. Initiatives taken in this regard are given under Key Developments in 2021 on pages 159 and 160 of this report.

Given that risk management relies heavily on an effective monitoring mechanism, the IT Risk Unit carries out continuous, independent monitoring of the Bank’s IT risk profile using a range of tools and techniques including Key IT Risk Indicators (KIRIs). The KIRI review process involves monitoring a range of indicators including information security-related incidents, supplemented by trend analysis that accentuates high-risk or emerging issues so that prompt action can be taken to address them.

Legal risk

Legal risk is an integral part of operational risk and is defined as the exposure to the adverse effects arising from inaccurately drawn up contracts, their execution, the absence of written agreements or inadequate agreements. It includes, but is not limited to, exposure to reprimands, fines, penalties, or punitive damages resulting from supervisory actions, as well as the cost of private settlements.

The Bank manages legal risk by ensuring that applicable regulations are fully taken into consideration in all relations and contracts with individuals and institutions who maintain business relationships with the Bank and supported by required documentation. Potential risk of any rules and regulations being breached is managed by the establishment and operation of an effective system for verifying conformity of operations with relevant regulations.

Compliance and regulatory risk

Compliance and regulatory risk refers to the potential risk to the Bank resulting from non-compliance with applicable laws, rules and regulations and codes of conduct and could result in regulatory fines, financial losses, disruptions to business activities and reputational damage. A compliance function reporting directly to the Board of Directors is in place to assess the Bank’s compliance with external and internal regulations on an ongoing basis. A comprehensive Compliance Policy defines how this key risk is identified, monitored and managed by the Bank in a structured manner. The Bank’s culture and the Code of Ethics too play a key role in managing this risk.

Strategic risk

Strategic risk is related to strategic decisions and may manifest in the Bank not being able to keep up with the evolving market dynamics, resulting in loss of market share and failure to achieve strategic goals. Corporate planning and budgeting process and critical evaluation of their alignment with the Bank’s vision, mission and the risk appetite facilitate management of strategic risk. The detailed scorecard-based qualitative model aligned to ICAAP is used to measure and monitor strategic risk of the Bank. This scorecard-based approach takes a number of variables into account, including the size and sophistication of the Bank, the nature and complexity of its operations and highlights the areas that require focus to mitigate potential strategic risks.

Reputational risk

Reputational risk is the risk of adverse impact on earnings, assets and liabilities or brand value arising from negative stakeholder perception of the Bank’s business practices, activities and financial position. The Bank recognizes that reputational risk is driven by a wide range of other business risks relating to the “conduct” of the Bank that must all be actively managed. In addition, the proliferation of social media has widened the stakeholder base and expanded the sources of reputational risk. Accordingly, reputational risk is broadly managed through the systems and controls adopted for all other risk types such as credit, market, operational risk etc., which are underpinned by the code of conduct, Anti-Bribery and Anti-Corruption Policy, Communication Policy and business ethics that prohibit unethical behaviour and promote employees to live by the claims made. Further, the detailed scorecard which was available to measure and monitor reputational risk under ICAAP was formalized and implemented as Group Reputational Risk Management Policy framework during the year 2020.

Conduct risk

As an organization that thrives on public trust and confidence, yet is faced with many conflicting interests and trade-offs, aligning the Bank’s interests with those of the customers is imperative for the Bank’s success and sustainability. Unfair business practices, professional misbehaviour, ethical lapses, inefficient operations, bribery and corruption, compliance failures, governance weaknesses etc. dent customer confidence in the Bank. Proper conduct with fair outcomes to the customer is closely associated with the culture, governance structure and the tone at the top of the Bank. The Bank has a customer-centric approach that encompasses accountability, remuneration structures, compliance with the laws, rules and regulations in spirit, learning culture, transparency, public disclosures, Service Level Agreements and monitoring thereof, customer complaint handling procedure and customer engagement to maintain high standards of behaviour and integrity with a view to minimizing conduct risk. The Bank is currently in the process of developing a comprehensive Conduct Risk policy framework covering the entire Group.

Contagion Risk

From a banking perspective, Contagion (Systemic) Risk refers to the risk of a financial stress or shock in one country, market, industry or counterparty spilling across to other countries, markets, industries or counterparties, triggering disturbance and even defaults, given the highly integrated nature of the global financial systems and cross-market linkages. The impact of a single shock can amplify existing stresses, leading to larger and sustained impacts on lives and livelihoods. The spill-over effects, a form of negative externalities, can create financial volatility and cause damage to financial systems. Although COVID-19 began as a viral outbreak, it has already created a financial contagion in global markets. In the current fragile context, where the outlook for the pandemic and the path to economic recovery continue to remain uncertain, the Bank is to take additional steps to incorporate the identification of risk-elevated industries and the monitoring of levels of distress among customers, industry sectors, regions etc. that may cause contagion risk, through the EWS, based on internal data, with a view to limiting the potential impact.

Model Risk

A subset of Operational Risk, Model Risk is the risk that occurs when financial models used to measure quantitative information fail, leading to adverse outcomes for the Bank. The Bank uses a number of models that apply statistical, economic, financial and mathematical theories, techniques and assumptions to process data into quantitative estimates, for the management of various risks. Model failures can occur due to programming errors, incorrect data, technical errors as well as from misinterpretation of model outputs. The Bank uses extensive testing, robust governance policies and independent reviews to manage model risk.

Bribery and corruption related risks

Bribery and corruption are illegal and dishonest and damage the reputation of the Bank. Therefore, the Bank expects all its employees to refrain from giving or accepting bribes, kickbacks or commissions or taking part in any form of corruption. The Bank has a Board approved Anti-Bribery and Anti-Corruption Policy setting out the principles for countering bribery and corruption and managing bribery and corruption risk which has been made available at as well as in the intranet of the Bank. In addition, the Bank has a Whistleblowers Charter and guidelines on accepting and/or offering gifts or other illegal gratification, collection and borrowing of funds/obtaining undue favours from customers and suppliers, and holding a Directorship/being a Partner/Shareholder in private companies, enumerated in the Code of Ethics and administrative circulars. In implementing the Code of Ethics and affirming its commitment to the 10th Principle of the UN Global Compact, the Bank expects all employees not only to fight corruption, but also to demonstrate that they do not abuse the power of their position as employees for personal financial or non-financial gain, solicit or accept gifts, or compromise employees or the Bank. No employee of the Bank should offer any bribe or other illegal gratification in order to obtain business for the Bank.

Capital Adequacy and ICAAP Framework

In line with the Basel requirements and as prescribed in the ICAAP framework, the Bank uses internal models to assess and quantify the risk profile, to stress test risk drivers and to assess capital requirements to support them. Internal limits which are more stringent than the regulatory requirements provide early warnings with regard to capital adequacy.

ICAAP supports the regulatory review process providing valuable inputs for evaluating the required capital in line with future business plans. It integrates strategic focus and risk management plans with the capital plan in a meaningful manner with inputs from Senior Management, Management Committees, Board Committees and the Board and also takes into account potential risk of capital being inadequate under stressed conditions. It also supports profit optimisation through proactive decisions on exposures both current and potential through measurement of vulnerabilities by carrying out stress testing and scenario-based analysis. The ICAAP process also identifies gaps in managing qualitative and quantitative aspects of reputational risk and strategic risk which are not covered under Pillar 1 of Basel III.

The Bank is compliant with both regulatory and its own prudential requirements of capital adequacy. With a loyal base of shareholders and profitable operations, the Bank is also well positioned to meet capital requirements in the longer term to cover its material risks and to support business expansion, as a Domestic Systemically Important Bank (D-SIB).

Basel III minimum capital requirements and buffers

The Banking Act Direction No. 01 of 2016 introduced capital requirements for licensed commercial banks under Basel III starting from July 1, 2017 with specified timelines to progressively increase minimum capital ratios to be fully implemented by January 1, 2019 which included Higher Loss Absorbency component for D-SIBs. However, as an extraordinary regulatory measure for licensed banks to support businesses and individuals affected by the outbreak of COVID-19, the CBSL permitted D-SIBs to draw down their Capital Conservation Buffers by 100 basis points.

Table - 55: Target and actual capital

| Capital ratios | Regulatory minimum % | Goal (Internal requirement) % | 2021 % | 2020 % |
|---|---|---|---|---|
| CET 1 | 7.50 | >7.50 | 11.923 | 13.217 |
| HLA | 1.50 | >1.50 | | |
| Tier I | 9.00 | >9.00 | 11.923 | 13.217 |
| Total | 13.00 | >13.00 | 15.650 | 16.819 |

A comparison of the status as at December 31, 2021 and the minimum capital requirement prescribed by the CBSL effective from January 1, 2019 as tabulated above demonstrates the capital strength of the Bank and bears testimony to the ability to meet stringent requirements imposed by the regulator.

The ICAAP helps the Bank to periodically evaluate the capital requirements for the next five years, develop capital augmentation plans based thereon and submit the same for review by the CBSL. Consequently, despite the non-conducive operating environment, SLFRS 9 adoption and taxes and levies that impacted internal capital generation capabilities of the Bank in 2019 and 2020, the Bank has been able to secure availability of capital to fund its expansion plans and meet Higher Loss Absorbency (HLA) requirements prescribed by the CBSL for D-SIBs. In particular, the issue of up to USD 50 Mn. worth of shares to IFC through a private placement in 2020 and the issue of Rs. 8.595 Bn. worth of Basel III compliant – Tier 2, Listed, Rated, Unsecured, Subordinated, Redeemable debentures with a Non-viability Conversion in 2021 enabled the Bank to increase its stated capital and the Tier 2 capital base respectively.

The Bank has a “Basel Workgroup” consisting of members from a cross section of business and support units to assess capital adequacy in line with strategic direction of the Bank. While ICAAP acts as a foundation for such assessment, the Basel Workgroup is continuously searching for improvements amidst changing landscape in different frontiers, to recommend the desired way forward to the ALCO including indications on current and future capital requirements, anticipated capital expenditure-based assessments and desirable capital levels, etc.

Being in a capital-intensive business, the Bank is cognisant of the importance of capital. The Bank has access to a loyal base of shareholders who take a long-term view of the Bank as well as profits retained over the years by adopting prudent dividend policies, etc. Moreover, in order to achieve an optimized level of capital allocation, the Bank is continuously finding ways to improve judicious allocation of capital to requirements associated with its day-to-day operations. The challenges associated with mobilizing capital from external sources are also taken into account, but not excluded as a sustainable option to boost the capital in the long run. The Bank is comfortable with the available capital buffer to support its growth plans/withstand stressed market conditions. However, the Bank is never complacent with current comfort levels and believes in providing stakeholder confidence that the Bank is known for, through sound capital buffer levels.

Stress testing

As an integral part of ICAAP under Pillar II, the Bank conducted stress testing for severe but plausible shocks on its major risk exposures on a periodic basis to evaluate the sensitivity of the current and forward risk profile relative to risk appetite and their impact on resilience of capital, funding, liquidity and earnings.

It also supports strategic planning, the ICAAP including capital management, liquidity management, setting of risk appetite triggers and risk tolerance limits, mitigating risks through reviewing and adjusting limits, restricting or reducing exposures and hedging thereof, facilitating the development of risk mitigation or contingency plans across a range of stressed conditions supporting communication with internal and external stakeholders.

The Bank’s governance framework for stress testing sets out the responsibilities and approaches to stress testing activities undertaken at the Bank, business line and risk type levels. The Bank uses a range of stress testing techniques, including scenario analysis, sensitivity analysis and reverse stress testing to perform stress testing for different purposes.

The framework covers all the material risks such as credit risk, credit concentration risk, operational risk, liquidity risk, FX risk, and IRRBB using EVE and EAR perspectives. The Bank evaluates various degrees of stress levels identified in the Stress Testing Policy as Minor, Moderate and Severe. The resulting impact on the capital is then carefully evaluated. Where stress tests point to a deterioration of the capital which has no impact on the policy level on capital maintenance, the same is described as Minor risk, while a deterioration of up to 1% is considered as Moderate risk. If the impact results in the capital falling below the statutory minimum, such a level would be regarded as Severe risk, warranting immediate attention of the Management to rectify the situation.

Stress testing is an effective communication tool to senior management, risk owners and risk managers as well as supervisors and regulators since it offers a broader view of all risks borne by the Bank in relation to its risk tolerance and strategy in hypothetical stress scenarios. The outcomes of stress testing are reported to the EIRMC and BIRMC on a quarterly basis for appropriate, proactive decision making. Extracts from the stress testing results are set out in Table 56.

Table - 56: Impact on CAR at Minor, Moderate and Severe stress levels:

| Particulars | Description | 2021 Minor % | 2021 Moderate % | 2021 Severe % | 2021 Minor % | 2021 Moderate % | 2021 Severe % |
|---|---|---|---|---|---|---|---|
| Credit risk – asset quality downgrade | Increasing the direct non-performing facilities over the direct performing facilities for the entire portfolio | -0.14 | -0.35 | -0.68 | -0.15 | -0.38 | -0.74 |
| Operational risk | Impact of: 1. Top five operational losses during last five years; 2. Average of yearly operational risk losses during last three years; whichever is higher | -0.05 | -0.11 | -0.22 | -0.05 | -0.13 | -0.25 |
| Foreign exchange | Percentage shock in the exchange rates for the Bank and Maldives operations (gross positions in each Book without netting) | -0.10 | -0.20 | -0.47 | -0.06 | -0.13 | -0.29 |
| Liquidity risk (LKR) – | 1. Withdrawal of percentage of the clients, banks and other banking institution deposits from the Bank within a period of three months; 2. Rollover of loans to a period greater than three months | -0.06 | -0.14 | -0.27 | -0.03 | -0.11 | -0.26 |
| Interest rate risk – EAR and EVE (LKR) – Sri Lanka | To assess the long-term impact of changes in interest rates on Bank’s EVE through changes in the economic value of its assets and liabilities and to assess the immediate impact of changes in interest rates on Bank’s earnings through changes in its net interest income | -0.27 | -0.41 | -0.42 | -0.15 | -0.30 | -0.44 |

Monitoring and reporting

The risk management function of the Bank is responsible for identifying, measuring, monitoring and reporting risk. To enhance the effectiveness of its role, staff attached to it are given regular training, enabling them to develop and refine their skills. They are well supported by IT systems that enable data extraction, analysis and modelling of possible scenarios. Regular and ad-hoc reports are generated on Key Risk Indicators and risk matrices of the Bank as well as the subsidiaries, for review by the senior management, Executive and Board Committees, and the Board, which rely on such reports for evaluating risk and providing strategic direction.

The reports provide information on aggregate measures of risks across products, portfolios, tenures and geographies relative to agreed policy parameters, providing a clear representation of the risk profile and sensitivities of the risks assumed by the Bank and the Group.

Basel III – Market Discipline

Refer Annex 2 on pages 361 to 374 for the minimum disclosure requirements under Pillar III as per the Banking Act Direction No. 01 of 2016.

Refer pages 373 and 374 on Annex 2 for the D-SIB Assessment Exercise disclosed as required by the Banking Act Direction No. 10 of 2019.