Risk culture and vision
DFCC Bank PLC (the Bank) adopts a comprehensive and well-structured mechanism for assessing, quantifying, managing and reporting risk exposures which are material and relevant for its operations within a well-defined risk management framework. An articulated set of limits under the risk management framework explains the risk appetite of the Bank for all material and relevant risk categories and the risk capital position. Risk management is integrated with strategic, business and financial planning and customer/client transactions, so that business and risk management goals and responsibilities are aligned across the organisation. Risk is managed in a systematic manner by focusing on a group basis as well as managing risk across the enterprise, individual business units, products, services, transactions, and across all geographic locations.
The following broad risk categories are in focus:
Risks covered under Pillar I of Basel regulations
- Credit risk
- Market risk including foreign currency risk, equity prices risk, and interest rate risk in the trading book
- Operational risk
Other risks covered under Pillar II of Basel regulations
- Business risk and strategic risk
- Liquidity risk
- Settlement risk in treasury and international operations
- Credit concentration risk
- Cybersecurity risk
- Interest rate risk in the banking book
- Legal risk
- Compliance risk
- Reputational risk
- Country risk
Credit risk amounts to the highest quantum of quantifiable risk faced by the Bank based on the quantification techniques currently in use. The Bank’s credit risk accounted for 92% of the total risk-weighted assets. Additionally, the Bank takes necessary measures to proactively manage operational and market risks as very important risk categories considered as Pillar I risks under the Basel regulations. Operational risk incidents may be either high frequency but low impact or with low frequency but high impact, yet all of them warrant being closely monitored and managed prudently.
The Bank’s general policies for risk management are outlined as follows:
- The Board of Directors’ responsibility for maintenance of a prudent integrated risk management function in the Bank.
- Communication of the risk policies to all relevant employees of the Bank.
- Structure of “Three Lines of Defence” in the Bank for management of risks which consists of the risk-assuming functions, independent risk management and compliance functions and the internal and external audit functions.
- Ensuring compliance with regulatory requirements and other laws underpinning the risk management and business operations of the Bank.
- Centralised integrated risk management function which is independent from the risk assuming functions.
- Ensuring internal expertise, capabilities for risk management, and ability to absorb unexpected losses when entering into new business and delivery channels, developing products, or adopting new strategies.
- An assessment of risk exposures on an incremental and portfolio basis when designing and redesigning new products and processes before implementation. Such analyses include among other areas, business opportunities, target customer requirements, core competencies of the Bank and the competitors and financial viability.
- Adoption of the principle of risk-based pricing.
- Ensuring that the Board approved target capital requirements, which are more stringent than the minimum regulatory capital requirements, are not compromised. For internal purposes, economic capital is quantified using Basel recommended guidelines together with the Internal Capital Adequacy Assessment Process (ICAAP). A cushion for the regulatory capital requirement is maintained to cover part of stress losses and losses caused by other risks such as strategic risk, liquidity and reputation risks which are not in Pillar I of Basel guidelines. Capital requirement is monitored on a quarterly basis based on certain stress scenarios.
- Aligning risk management strategy to the Bank’s business strategy.
- Ensuring comprehensive, transparent, and objective risk disclosures to the Board, Senior Management, Regulator, shareholders, and other stakeholders.
- Continuous review of risk management framework and ICAAP to align with Basel recommendations and regulatory guidelines.
- Maintenance of internal prudential risk limits based on the risk appetite of the Bank and wherever relevant, over and above the required regulatory limits.
- Ensuring a prudent risk management culture within the Bank.
- Periodic review of risk management policies and practices to be in line with the developments in regulations, business environment, internal environment and industry best practice.
A risk management culture has been created across the Bank that promotes its business objectives and an environment that enables Management to execute the business strategy in a more efficient and sustainable manner. The Board of Directors regularly reviews the risk profile of the Bank and its Group, and every business or function is included in developing a strong risk culture within the Bank. Further, the Bank ensures that, every employee has a clear understanding of his/her responsibilities in terms of risks undertaken in every step in their regular business activities. This has been inculcated mainly through the Code of Conduct, periodically conducted training programmes, clearly defined procedural manuals and integrated risk management function’s involvement as a review process in business operations.
Approach of “Three Lines of Defence”
The Bank advocates strong risk governance applied pragmatically and consistently with a strong emphasis on the concept of “Three Lines of Defence”. The governance structure encompasses accountability, responsibility, independence, reporting, communication and transparency, both internally and with our relevant external stakeholders.
The First Line of Defence involves management control at business level and adhering to relevant internal control mechanisms while discharging the responsibilities and accountability for day-to-day management of business operations. Independent risk monitoring, validation, centralised oversight of effective implementation of risk management framework, policy review and compliance by the Integrated Risk Management Department (IRMD), and the Compliance Department constitute the Second Line of Defence. The Third Line of Defence is provided by the independent check and quality assurance of the internal and external audit functions.
Risk governance of the Bank includes setting and defining the risk appetite statement, risk limits, risk management functions, capital planning, risk management policies, risk infrastructure, and risk profile analysis. The Bank exhibits an established risk management culture with effective risk management approaches, systems and controls. Policy manuals, internal controls, segregation of duties, clearly demarcated authority limits and internal audit form a part of key risk management tools. The Bank has developed a risk management framework covering risk governance, which includes, risk management structure comprising different subcommittees and clearly defined reporting lines ensuring risk management unit is functioning independently. The Chief Risk Officer (CRO), functions with direct access to the BIRMC.
Governance structure for risk management
The concept of “Three Lines of Defence” for integrated risk management function
Risk policies and guidelines
A set of structured policies and frameworks recommended by the Board Integrated Risk Management Committee and approved by the Board forms a key part of the risk governance structure. Integrated Risk Management Framework stipulates, in a broader aspect, the policies, guidelines, and organisational structure for the management of overall risk exposures of the Bank in an integrated approach. This framework defines risk integration and aggregation approaches for different risk categories. In addition, separate policy frameworks detail the practices for the management of key specific risk categories such as credit risk, market risk, credit concentration risk, liquidity risk, operational risk, reputation risk, and other policies governing information security risk. These policy frameworks are reviewed annually and communicated across the Bank. Respective staff members are required to adhere to the specifications of these frameworks when conducting business transactions.
Risk appetite of the Bank has been defined in the Overall Risk Limits System. It consists of risk limits arising from regulatory requirements, borrowing covenants, and internal limits for prudential purposes. The Limits System forms a key part of the risk indicators and covers key risk areas such as credit, interest rate, liquidity, operational, foreign exchange, concentration, and risk capital position amongst others. Lending limits have been established to manage credit concentration to industry sectors, rating grades, borrowers and countries as part of the prudential internal limits. Industry sector limits for the lending portfolio considers the inherent diversification within the subsectors and the borrowers within broader sectors. These limits are monitored monthly and quarterly on a “Traffic Light” system. These risk appetite limits are reviewed at least annually in line with the risk management capacities, business opportunities, business strategy of the Bank, and regulatory specifications.
In the event the risk appetite threshold has been breached or it is approaching the levels not desirable by the Bank, risk mitigating measures and business controls are implemented to bring the exposure level back within the accepted range. Risk appetite, therefore, translates into operational measures such as new or enhanced limits or qualitative checks for the dimensions such as capital, earnings volatility, and concentration of risks.
Tolerance limits for key types of risks
|Risk area||Risk appetite criteria||Limit/Range|
|Integrated risk and capital management||
Total Tier I capital adequacy ratio (under Basel III)
(Total Tier I capital as a percentage of total risk-weighted assets)
Internal limit is based on ICAAP
Internal limit is based on ICAAP
Total capital adequacy ratio (under Basel III)
(Total capital as a percentage of total risk-weighted assets)
|Credit quality and concentration||NP ratio||< Industry average as published by CBSL (Internal)|
< 30% (Regulatory)
< 28% (Internal)
|Single borrower limit – Individual|
< 33% (Regulatory)
< 30% (Internal)
|Single borrower limit – Group|
< 55% (Regulatory)
< 45% (Internal)
|Aggregate large accommodation|
|< 5% to 20% (Internal)|
|Exposures to industry sectors|
|< 25% (Internal)|
|Aggregate limit for related parties|
|Liquidity risk||Liquid asset ratio for DBU and FCBU||
> 20% (Regulatory)
> 21% (Internal)
|> 3% (Regulatory)|
> 100% (Regulatory)
> 110% (Internal)
> 100% (Regulatory)
> 110% (Internal)
|Liquidity coverage ratio (All currencies and rupee only)|
|Market risk||Forex net open long position/short position||As prescribed by the Central Bank of Sri Lanka|
|Operational risk||Reputation risk of the Bank Operational risks due to internal and external frauds, employee practices and workplace safety, client products, data leakages and business practices, damage to physical assets, business disruption and systems failures and failures in execution, delivery, and process management||Zero or very low risk appetite|
Board Integrated Risk Management Committee (BIRMC)
The BIRMC is a Board Subcommittee, which oversees the risk management function and the provisions of Basel III implementation as required by the Regulator from time to time in line with Board-approved policies and strategies. The BIRMC functions under the responsibilities set out in the Board-approved Charter for the BIRMC, which incorporates corporate governance requirements for Licensed Commercial Banks issued by the Central Bank of Sri Lanka (CBSL). BIRMC sets the policies for bank-wide risk management including credit risk, market risk, operational risk, cybersecurity risk, and liquidity risk.
In addition to the Board representatives, the BIRMC consists of the CEO and the CRO as members. Further, Heads representing Credit, Finance, Treasury, Information Technology, Operations, Internal Audit and Compliance attend the meeting as invitees. A summary of the responsibilities and functions of the BIRMC is given in the Report on the Board Integrated Risk Management Committee on page 153 of this Annual Report.
The BIRMC meets at least on a quarterly basis and reviews the risk information and exposures as reported by the Integrated Risk Management Department, Treasury, Finance, Compliance, and the other business and service units. Risk reporting includes reports on overall risk analysis relating to the Bank’s capital, risk appetite, limits position, stress testing, any strategic risks faced by the Bank, top and emerging risks to the Bank and risk analysis of the Group companies. Additionally, they include reports covering the main risk areas such as credit risk, market risk, liquidity risk, operational risk, information systems security risk, and compliance risk.
During 2021, the Committee paid more attention on reviewing risk in the increased operating environment due to COVID-19 pandemic. The Committee reviewed the adequacy of the risk mitigating actions taken and stress testing results under pandemic condition.
Scope and main content of risk reporting to Board Integrated Risk Management Committee
|Risk type||Scope and main content of risk reporting|
|Market and liquidity risk||
|IT and systems security risk||
Involvement of Management Committees
Management Committees such as the Credit Committees (CC), Asset and Liability Management Committee (ALCO), Operational Risk Management Committee (ORMC), Fraud Risk Management Committee (FRMC), Special Loan Review Committee (SLRC), IT Steering Committee (ITSC), Investment Committee (IC), Pre-Evaluation Committee (PEC) and Impairment Assessment Committee (IAC) are included in the organisational structure for integrated risk management function. The responsibilities and tasks of these committees are stipulated in the Board-approved Charters and Terms of References (TORs) and the membership of each committee is defined to bring an optimal balance between business and risk management.
Organisation structure for integrated risk management
The Integrated Risk Management Department (IRMD) is responsible for measuring and monitoring risk on an ongoing basis to ensure compliance with the parameters set out by the Board/BIRMC and other Management Committees for carrying out the overall risk management function in the Bank. It consists of separate units such as Risk Policy and Modelling, Credit Risk Management, Market Risk Monitoring, Operational Risk Management, Assets and Liability Management, Loan Review Mechanism, Risk Quantification, Information Systems Security Risk Management, and Treasury Middle Office. IRMD is involved with product or business strategy development and entering into new business lines and gives input from the initial design stage throughout the process from a risk management perspective.
Key developments in risk management function during the period under review
Several significant initiatives were undertaken focusing continuously on regulatory developments and reassessing the Bank’s existing risk management policies, guidelines, and practices for necessary improvements. In addition to these regulatory specifications, changes in business strategy, industry factors and international best practices were also considered in the improvement process. The following are the key initiatives during the period under review which led to further improvements in the overall integrated risk management function.
Prudential risk limits were reviewed in order to reflect the current risk appetite of the Bank by setting new limits wherever necessary. Internal limits were put in place to better manage the regulatory limits as trigger points, which are much stricter than the regulatory limits. Based on the current risk appetite and the business requirements, the Bank enhanced the exposure limit to the consumption sector which is a part of industry sector limits that is in place to manage the sector concentration.
All the Board-approved risk management frameworks, charters, and TORs were reviewed during the period, especially considering the changes in new regulations and the Bank’s business model.
An independent validation for all the credit rating models was carried out during the year by an external consultant. It is a best practice in risk management to validate the credit rating models by an external party in order to ensure unbiased assessment of model performance. The required calibrations/amendments to the rating models were identified based on the results of the model validation process and all the credit rating models were revised for better performance.
With the onset of COVID-19 in Sri Lanka, the potential impact to the credit portfolio of the Bank was evaluated based on exposure to high to low impacted industries.
Industry sectors were placed in four stress segments; minimal, short term, medium term and long term, based on magnitude of impact and expected timing of recovery.
Such categorisation was reviewed at regular intervals throughout the year, considering the evolving situation. Proactive precautionary measures were taken in lending decisions and disbursement of funds.
Risk quantification under ICAAP was strengthened by introducing a scorecard-based evaluation process for certain qualitative risk categories. This enables better assessment of Pillar II risks leading to better reflection of the economic capital requirement of the Bank.
Necessary amendments to the facility upgrading under SLFRS 9 policy were introduced to enhance the upgrading process given the increased operating environment related risks.
Treasury Middle Office (TMO) which is functionally segregated from the Treasury Department, directly reports to the CRO and monitors the Treasury-related market risk limits. The process of call recording of Treasury transactions was further improved during the year.
Scenario analysis and simulations by the ALM unit to assess the expected behaviour of interest margins enabled ALCO to take proactive measures to manage the erosion of margins. Looking at the trends in the market rates, ALCO proactively changed the pricing methods, thus managing net interest margins of the Bank.
IRMD continued to calculate loss ratios for key lending products using historical recovery data in support of impairment assessment under IFRS 9. As part of the risk management practices, the Bank computed the key credit risk quantification parameters such as Probability of Default (PD), Exposure at Default (ED), Loss Given Default (LGD) and the loss ratios which are defined and recommended under the Basel III and IFRS. The results indicated improvements in the credit risk rating process, rating models, recovery process and the collateral quality in the Bank.
The credit workflow ensures that every credit proposal except for centrally processed retail loans, small value loans and leases that do not require rating validation, is evaluated by an independent authority not connected to business lines, being the Credit Risk Management Unit of IRMD. The credit workflow of the Bank was further improved during the year, taking business requirements and changes in market conditions into consideration.
To conform with the CBSL requirement of Loan Review Unit independent from the Credit Risk Management Unit, a separate Loan Review Unit has been established. The Unit has taken specific actions to increase the sample selection and the scope of the loan reviews and to obtain feedback from business units with regard to the improvements brought into the post credit management that would contribute to the quality of the loan portfolio.
Having duly recognised the global trend on increasing threats on systems and information security, the Bank increased its focus on IT systems security under its operational risk management practices. The scope of the Information Systems Security Unit was further enhanced during the year under the Integrated Risk Management Department to proactively manage the information security risk of the Bank. The Operational Risk Management Committee oversees the effectiveness of security initiatives and directs the Management of information security risks within the Bank.
Server network, business application security reviews, technology risk assessments, network and other device security reviews are being conducted internally on regular basis to ensure required attention is given for rectifying known vulnerabilities and security weaknesses in a timely manner. Furthermore, the Unit is involved in new system implementations from request for proposal (RFP) stage to Go-live confirmation and make sure new systems are compliant with industry security best practices. Further, the Unit works with reputed external parties to ensure that critical and customer facing systems are appropriately secured.
Staff awareness programmes on operational risk were held for staff at various levels, from new recruits to Branch Managers. The Bank has developed a model for Risk and Control Self-Assessment (RCSA), and Key Risk Indicators (KRI) for operational risks across all major functions and departments, and continues to monitor closely their applicability, trends and effectiveness of the controls on a semi-annual basis.
Credit risk is the risk of loss to the Bank if a customer or counterparty fails to meet its financial obligations in accordance with agreed terms and conditions. It arises principally from on-balance sheet lending such as loans, leases, trade finance, and overdrafts as well as through off-balance sheet products such as guarantees and letters of credit. A deterioration of counterparty credit quality can lead to potential credit-related losses for a bank. Credit risk is the largest component of the quantified risk accounting for 92.2% of the total risk-weighted assets of the Bank.
The challenge of credit risk management is to maximise the risk adjusted rate of return by maintaining the credit risk exposure within acceptable levels. With the implementation of SLFRS 9, a proactive approach has been adopted by the Credit Risk Management Unit in monitoring credit risk parameters and indicators which include watch listing of customers through quantitative and qualitative indicators.
Note: “Other” category includes “Education”, “Information Technology and Communication Services”, “Professional, Scientific and Technical Activities” and “Arts, Entertainment and Recreation”
Credit risk management process
The Bank’s credit policies approved by the Board of Directors define the credit objectives, outlining the credit strategy to be adopted at the Bank. The policies are based on CBSL Directions on integrated risk management, Basel recommendations, business practices, and risk appetite of the Bank.
Credit risk management guidelines identify target markets and industry sectors, define risk tolerance limits and recommend control measures to manage concentration risk. Standardised formats and clearly documented processes and procedures ensure uniformity of practices across the Bank.
|Credit risk culture||
|Credit approval process||
|Credit risk management||
|Credit risk monitoring and reporting||
|Credit risk mitigation||
Key credit risk measurement tools and reporting frequencies
The following credit risk measurement tools are being used in managing credit risk by the Bank and reported in the stipulated frequencies:
|Credit risk measure/indicator||Frequency|
|Rating model validation results||Annually|
|Probability of default||Annually|
|LGD under Basel III and IFRS||Quarterly/Annually|
|Top and emerging risks under credit risk||Monthly|
|Credit portfolio analysis||Quarterly|
|Rating-wise distribution across business segments||Quarterly|
|Summary of rating reviews including overridden ratings||Quarterly|
|Watch-listed clients||Monthly to the Senior Management and quarterly to the Board|
|Summary of reviews done under Loan Review Mechanism||Quarterly|
Dimensions for analysis and monitoring of credit concentration risk
|Credit concentration risk measure/indicator||Frequency|
|Industry sector limits positions||Quarterly|
|Top 20 borrower exposures||Quarterly|
|Top 20 borrower group exposures||Quarterly|
|Industry sector HHI*||Quarterly|
|Product distribution of the credit portfolio||Quarterly|
|Borrower distribution across rating grades||Quarterly|
Loan review mechanism
Loan Review Mechanism (LRM), an effective tool for constantly evaluating the quality of the loan book and bringing about qualitative improvements in credit function, is a regulatory requirement on integrated risk management.
LRM increased the percentage of loan portfolio reviewed during the year 2021 ensuring more reviews are carried out covering Branch Banking segment as well as Corporate Banking segment.
The LRM function was enriched by analytical review to include studying the clients whose facilities were reviewed in depth to ascertain the facility utilisation levels, current account performance, and trends in credit risk of such clients. Further, the scope was enhanced by capturing BB and below grade branch facilities. Based on the findings carried out with the business units, LRM recommendations are reported to the Credit Committee and to the BIRMC to ensure that the remedial actions are taken to enhance the quality of the credit portfolio.
Market risk is the possibility of losses arising from changes in the value of a financial instrument as a result of changes in market variables such as interest rates, exchange rates, equity prices, and commodity prices.
As a financial intermediary, the Bank is exposed primarily to the interest rate risk and as an authorised dealer, is exposed to exchange rate risk on foreign currency portfolio positions. Market risk could impact the Bank mainly in two ways: viz, loss of cash flows or loss of economic value. Market risk can be looked at in two dimensions; as traded market risk, which is associated with the trading book and non-traded market risk, which is associated with the banking book.
The ALCO oversees the management of both the traded and the non-traded market risks. The Treasury manages the foreign exchange risk with permitted hedging mechanisms. Trends in relevant local as well as international markets are analysed and reported by IRMD and the Treasury to ALCO and BIRMC. The market risks are controlled through various limits. These limits are stipulated by the Investment Policy, TMO Policy, Treasury Manual, and Overall Limits System of the Bank. Interest rate sensitivity analysis (Modified duration analysis), Value-at-risk (VAR), simulation and scenario analysis, stress testing and marking-to-market of the positions are used as quantification tools for the purpose of risk monitoring and management of market risks.
Treasury Middle Office (TMO) is segregated from the Treasury Front Office (TFO) and Treasury Back Office (TBO) and reports to the CRO. The role of the TMO includes the day-to-day operational function of monitoring and controlling risks assumed in the TFO based on clearly defined limits and controls. Being independent of the dealers, the TMO provides an objective view on front office activities and monitors the limits. TMO has the authority to escalate limit excesses as per delegation of authority to the relevant hierarchy. The Bank has allocated haircuts on Repo/Reverse Repo transactions according to the CBSL Direction No. 01 of 2019. TMO independently verifies the sufficient allocation of security with the minimum haircut as specified in the circular. There were no penalties on haircuts for repo and reverse repo transaction as the direction was complied.
Treasury implemented a new system in 2018. The new system has enhanced TMO’s capability to report crucial data with better accuracy and on real time basis. The strengthened Treasury and market risk management practices contribute positively to the overall risk rating of the Bank and efficiency in the overall Treasury operations. TBO which reports to the Chief Financial Officer is responsible for accounting, processing settlement and valuations of all Treasury products, and transactions. The Treasury transaction-related information is independently submitted by TBO to relevant authorities.
Market Risk Unit initiated computing product profitability in 2020. The process has been refined and improved in the last year to match the market dynamics.
Interest rate risk
Interest rate risk can be termed as the risk of loss in the net interest income (earnings perspective) or the net worth (economic value perspective) due to adverse changes in the market interest rates. Interest rate risk can consist of –
- Repricing risk, which arises from the inherent mismatch between the Bank’s assets and liabilities resulting in repricing timing differences
- Basis risk, which arises from the imperfect correlation between different yield and cost benchmarks attached to repricing of assets and liabilities
- Yield curve risk, which arises from shifts in the yield curve that have a negative impact on the Bank’s earnings or asset values
The Bank manages its interest rate risks primarily through asset liability repricing gap analysis, which distributes interest rate sensitive asset and liability positions into several maturity buckets. Board defined limits are in place for interest rate gaps and positions, which are monitored on a periodic basis to ensure compliance to the prescribed limits.
The Asset and Liability Management (ALM) Unit routinely assesses the Bank’s asset and liability profile in terms of interest rate risk and the trends in costs and yields are reported to ALCO for necessary realignment in the asset and liability structure and the pricing mechanism. ALM performed a number of scenario analysis and simulations on the effect of interest rate changes to the Bank’s interest income during the year, to facilitate pricing decisions taken at ALCO.
Foreign exchange rate risk
Foreign exchange rate risk can be termed as possibility of adverse impact to the Group’s capital or earnings due to fluctuations in the market exchange rates. This risk arises due to holding of assets or liabilities in foreign currencies. Net Open Position (NOP) on foreign currency indicates the level of net foreign currency exposure that has been assumed by the Bank at a point of time. This figure represents the unhedged position of the Bank in all foreign currencies. The Bank accrues foreign currency exposure through purchase and sale of foreign currency from customers in its commercial banking and international trade business and through borrowing and lending in foreign currency.
The Bank manages the foreign exchange risk using a set of tools which includes limits for net unhedged exposures, hedging through forward contracts and hedging through creating offsetting foreign currency assets or liabilities. TMO monitors the end of the day NOP as calculated by the TBO and the NOP movement in relation to the spot movement. TMO also conducts VAR for daily forex position and the NOP. Stress testing is also performed on a daily basis and reported by TMO. The daily interbank foreign currency transactions are monitored for consistency with preset limits and any excesses are reported to the Management and the BIRMC.
The Bank has obtained approval from the Central Bank of Sri Lanka for its foreign currency borrowings and credit lines as per regulatory requirements. The unhedged foreign currency exposure of the Bank is closely monitored and necessary steps are taken to hedge in accordance with the market volatilities.
Indirect exposures to commodity prices risk – Gold prices
The Bank’s pawning portfolio amounted to LKR 5,970 Mn as at 31 December 2021, which is less than 2% of total assets. The Market Risk Management Unit (MRMU) manages the risk emanating from Gold through constant analysis of the international and local market prices and adjusting the Bank’s preferred loan to value (LTV) ratio. MRMU also conducts stress testing for the Gold portfolio by forecasting adverse Loss Given Default and PD rates. Stress results are reported to ALCO, BIRMC and the Board.
Equity prices risk
Equity prices risk is the risk of losses in the marked-to-market equity portfolio, due to the decline in the market prices. The direct exposure to the equity price risk by the Bank arises from the equity portfolios classified as fair valued through profit and loss and other comprehensive income. Indirect exposure to equity price risk arises through the margin lending portfolio of the Bank in the event of crystallisation of margin borrower’s credit risk. The Investment Committee of the Bank is responsible for managing equity portfolio in line with the policies and the guidelines as set out by the Board and the BIRMC. Allocation of limits for equities taken as collateral for loans and margin trading activities of customers and for the Bank’s investment/trading portfolio forms part of the tools for managing the equity portfolio. Rigorous appraisal, proper market timing and close monitoring of the portfolio performance in relation to the market performance facilitate the management of the equity portfolio within the framework of investment strategy and the risk policy.
Liquidity risk is the risk of not having sufficient funds to meet financial obligations on time and in full, at a reasonable cost. Liquidity risk arises from mismatched maturities of assets and liabilities. The Bank has a well set out framework for liquidity risk management and contingency funding plan. The liquidity risk management process includes regular analysis and monitoring of the liquidity position by ALCO and maintenance of market accessibility. Regular cash flow forecasts, liquidity ratios and maturity gap analysis are used as analytical tools by the ALCO. Any negative mismatches up to the immediate three months revealed through cash flow gap statements are matched against cash availability either through incremental deposits or committed lines of credit. Whilst meeting the regulatory requirements relating to liquidity, for internal monitoring purposes, the Bank takes into consideration the liquidity of each eligible instrument relating to the market at a given point in time as well as undrawn commitments to borrowers when stress testing its liquidity position.
The maintenance of a strong credit rating and reputation in the market enables the Bank to access domestic wholesale funds. For short-term liquidity support, the Bank also has access to the money market at competitive rates. In line with the long-term project financing business, the Bank focuses on long-term funding through dedicated credit lines while its growing share of commercial banking business focuses on Current Accounts and Savings Accounts (CASA) and Term Deposits as the key source of funding for its lending. The structure and procedures for Asset and Liability Management at the Bank have been clearly set out in the Board approved ALCO Charter, which is reviewed on an annual basis.
The CBSL Direction No. 07 of 2011 specifies that liquidity can be measured through stock or flow approaches. Under the stock approach, liquidity is measured in terms of key ratios which portray the liquidity in the balance sheet. Under the flow approach banks should prepare a statement of maturities of assets and liabilities placing all cash inflows and outflows in the time bands according to their residual time to maturity in major currencies. The Bank has adopted both methods in combination to assess liquidity risk.
Liquidity risk management under flow approach
A statement of Maturities of Assets and Liabilities (MAL) is prepared by the Bank placing all cash inflows and outflows in the time bands according to their residual time to maturity and non-maturity items as per CBSL recommended and the Bank specific behavioural assumptions.
The gap analysis of assets and liabilities highlights the cash flow mismatches which assists in managing the liquidity obligations in a prudential manner.
Liquidity ratios under stock approach
The Bank regularly reviews the trends of the following ratios for liquidity risk management under the stock approach in addition to the regulatory ratios. During the year, the Bank maintained liquidity indicators comfortably above the regulatory minimums and the internal limits defined by the risk appetite statement.
The minimum liquidity standards (Liquidity Coverage Ratio) under Basel III were implemented from April 2015 and amended in November 2018 and November 2019. Accordingly, banks are required to maintain an adequate level of unencumbered High Quality Liquid Assets (HQLAs) that can be easily and readily converted into cash to meet their liquidity needs for a 30-calendar day time horizon under a significantly severe liquidity stress scenario. The computations of LCR performed for the Bank indicated that the Bank was comfortably in compliance with the Basel III minimum requirements, having sufficient High Quality Liquid Assets well in excess of the minimum requirements specified by the Central Bank of Sri Lanka (CBSL) throughout the year.
The Central Bank of Sri Lanka (CBSL) issued consultative guidelines for Net Stable Funding Ratio (NSFR) in November 2017, and progressively increased the requirement to 100% from 1 July 2019 onwards. However, due to COVID-19 concessions CBSL relaxed the requirement to 90% till June 2021 for both LCR and NSFR ratios and subsequently both ratio requirements were increased back to 100%. NSFR standards are designed to reduce funding risk over a longer time horizon by requiring banks to fund with sufficiently stable sources to mitigate the risk of future funding stress and require banks to maintain a stable funding profile in relation to the composition of their assets and off-balance sheet exposures.
Key liquidity risk measurement tools and reporting frequencies
|Liquidity risk measure/indicator||Minimum frequency|
|Stock approach – Ratio analysis|
|Net loans to total assets||Quarterly|
|Loans to customer deposits||Quarterly|
|Large liabilities to earnings assets excluding temporary investments||Quarterly|
|Purchased funds to total assets||Quarterly|
|Commitments to total assets||Quarterly|
|Trends in the statutory liquid assets ratio||Monthly|
|Trends in Liquidity Coverage Ratio (LCR) and forecasts||Monthly|
|Net Stable Funding Ratio (NSFR)||Quarterly|
|Maturity gap report (on static basis)||Quarterly|
|Net funding requirement through dynamic cash flows||Quarterly|
|Scenario analysis and stress testing||Quarterly|
|Contingency funding plan||Annual Review|
The Bank has in place a contingency plan which provides guidance on managing liquidity requirements in stressed conditions based on different scenarios of severity. The contingency funding plan provides guidance in managing liquidity in bank specific or market specific scenarios. It outlines how assets and liabilities of the Bank are to be monitored, pricing strategies are to be devised and growth strategies to be reconsidered emphasising avoidance of a liquidity crisis based on the risk level. The management and reporting framework for ALCO identifies evaluating a set of early warning signals both internal and external in the form of a Liquidity Risk Matrix on a monthly basis in order to assess the applicable scenario ranging from low risk to extreme high liquidity risk and proposes a set of strategies to avoid and mitigate possible crises proactively. The action plan for each of the high risk contingency level scenarios is to be considered by a liquidity contingency management team which includes the CEO, Head of Treasury, CRO, Business Unit Heads and a few other members of Senior Management. The liquidity contingency plan was further improved during the year with quantified scenarios and further specifying responsibilities of the liquidity contingency management team. During the year, the Bank did not come across a high liquidity risk scenario and the Bank had sufficient standby liquidity facility agreements (Reciprocal agreements) to buffer against sudden liquidity stresses.
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, systems, and external events. It covers a wide area ranging from losses arising from fraudulent activities, unauthorised trade or account activities, human errors, omissions, inefficiencies in reporting, technology failures or from external events such as natural disasters, cyberattacks, terrorism, theft, political instability and extraordinary events such as the COVID-19 pandemic. The objective of the Bank is to manage, control and mitigate operational risk in a cost-effective manner consistent with the Bank’s risk appetite. The Bank has ensured an escalated level of rigour in operational risk management approaches for sensitive areas of its operations.
COVID-19 pandemic challenges continued in 2021. Keeping in adherence to the health guidelines, staff members were provided facilities to work from home on a roster basis. Further, staff members were split to various other locations to ensure the continuity of the business whilst managing the operational risk.
The Operational Risk Management Committee (ORMC) oversees and directs the management of operational risk of the Bank at an operational level with facilitation from the Operational Risk Management Unit (ORMU) of the IRMD. Active representation of the relevant departments and units of the Bank ensure the process of operational risk management through Operational Risk Coordination Officers (ORCOs).
Segregation of duties with demarcated authority limits, internal and external audit, strict monitoring facilitated by the technology platform and back-up facilities for information are the fundamental tools of operational risk management. Audit findings of high-risk nature and Management responses are forwarded to the Board’s Audit Subcommittee for their examination. Effective internal control systems, supervision by the Board, Senior Management and the line managers form part of the First Line of Defence for operational risk management at Bank. The Bank demands application of high level of technical skills, professionalism and ethical conduct from its staff and these serve as insulators for many operational risk factors.
The following are other key aspects of the operational risk management process at DFCC Bank PLC:
- Monitoring of Risk and Control Self-Assessment (RCSA) and Key Risk Indicators (KRIs) for the functions under defined threshold limits using a “Traffic Light” system
- Maintaining internal operational risk incident reporting system and carrying out an independent analysis of the incidents by IRMD to recognise necessary improvements in the systems, processes, and procedures
- Trend analysis on operational risk incidents and review at the ORMC
- Review of downtime of the critical systems and assessment of the causes. The risk and business impact are evaluated. Rectification measures are introduced whenever the tolerance levels are compromised
- Review of HR attrition and exit interview comments in detail evaluated at the ORMC in an operational risk perspective
- Establishment of the Bank’s complaint management process under the Board Approved Complaints Management Policy. IRMD analyses the complaints received to identify any systemic issues and reports to ORMC
- Conduct product and process reviews in order to identify the operational risks and recommend changes to the products and related processes
- Evaluate the operational risks associated with any new product developments
- Maintaining an external loss database in order to take proactive action to mitigate operational risks that may arise from the external environment
- Assist in the Business Continuity Planning and Disaster Recovery (DR) processes and review the results of DR drills conducted in the Bank to provide recommendations for future improvements
- Conduct Fraud Risk Management Committee meetings periodically in order to identify potential fraud risks that might impact the Bank and to take timely remedial actions
|Operational risk reporting|
|Risk identification||Risk assessment||Risk monitoring and controlling|
|Culture and awareness|
|Policies and guidelines|
Operational risk losses
The Bank has improved its operational risk incident reporting system overtime by creating an increased level of awareness among the employees with regard to operational risks and the importance of timely incident reporting. A total of 169 incidents were reported in 2021. The Operational Risk Coordination Officers (ORCO) are required to send a monthly report to the Operational Risk Management Unit (ORMU) regarding operational risk related incidents if any took place at their respective branches or departments. The operational risk incidents reported in 2021 based on the event type are given
in the graph.
The majority of the incidents reported were as a result of a failure in the execution, delivery and process management, and they also included near misses and no loss incidents. Due to the stringent controls that are in place, current losses from operational risk events have been kept to the barest minimum, with no significant losses.
Risk and Control Self-Assessments (RCSAs) and Key Risk Indicators (KRIs) process of the Bank
Monitoring of Risk and Control Self-Assessments (RCSAs) and Key Risk Indicators (KRIs) in key functions of the Bank, was further strengthened by identifying the new units of processes within the Bank and developing KRIs and RCSAs, during the year as a measure to allow the early detection of operational risks before actual failure occurs.
RCSA requires self-evaluation of operational risk exposures of processes in the Bank by respective departments semi-annually. Each department will assess the risks based on impact and likelihood of occurrence, while controls are assessed based on control design and control performance. The results are evaluated at ORMC for additional controls or mitigants in order to minimise risk exposure to the Bank.
Regular KRI monitoring assists business line managers by providing them with a quantitative, verifiable risk measurement which is evaluated against the thresholds. A summary of KRIs is presented to ORMC based on a traffic light system.
Insurance as a risk mitigant
Insurance policies are obtained to transfer the risk of low frequency and high severity losses which may occur as a result of events such as fire, theft/frauds, natural disasters, errors and omissions. Insurance plays a key role as an operational risk mitigant in the banking context due to the financial impact that any single event could trigger.
Insurance policies in force covering losses arising from undermentioned assets/processes include –
- Cash and cash equivalents
- Pawned articles
- Premises and other fixed assets
- Public liability
- Employee infidelity
- Personal accidents and workmen’s compensation
- Losses from counterfeit, forged, fraudulently altered, stolen cards and associated court costs and legal expenses
The Insurance Unit of the Bank reviews the adequacy and effectiveness of insurance covers on an annual basis and carries out comprehensive discussions with insurance companies on any revisions required at the time of renewal of the insurance covers.
Outsourcing of business functions
Outsourcing takes place when the Bank uses another party to perform non-core banking functions that would traditionally have been undertaken by the Bank itself. As a result, the Bank will be benefited in focusing on its core banking activities while having the non-core functions being taken up by outside experts.
The Bank has outsourced some business functions under its outsourcing policy after evaluating whether the services are suitable for outsourcing based on an assessment of the risks involved. Further, the Bank undertakes due diligence tests on the companies concerned such as credibility and ability of the owners, BCP arrangements, technical and skilled manpower capability and financial strength. Archival of documents, certain IT operations, security services, and selected recovery functions are some of the outsourced activities of the Bank. The Bank is concerned and committed in ensuring that the outsourced parties continue to uphold and extend the high standard of customer care and service excellence.
A report on outsourced activities is annually submitted to the CBSL for their review while adhering to the Banking Direction on Outsourcing of Business Operations.
Key operational risk measurement tools and reporting frequencies
|Operational Risk Measure/Indicator||Frequency|
Operational risk incidents reported during
the period (Internal)
|Risk and control self-assessments and key risk indicators||Semi-annually|
|Status and reports of any BCP/DR activities undertaken||As required|
|Customer complaints during the period||Quarterly|
|System and ATM downtime reports||Quarterly|
|Review of Outsourced Services Unit||Annually|
Management of Information Systems Security (ISS) risk under IRMD
Information security risk management (ISRM) is the process of managing the risks associated with the use of information technology and evaluating risks to the confidentiality, integrity, and availability (CIA) of Bank’s information assets and processes.
The established information security management system is designed to provide a systematic approach to managing the Bank’s sensitive information and processes by considering all aspects of people, processes, technology controls. Further, the Bank’s information security management system is ISO 27001:2013 certified since 2016.
Main objectives of ISRM are to ensure compliance with regulatory and contractual requirements while adopting industry security best practices and aligning information security risk management with corporate risk management objectives.
ISRM is an ongoing process of identifying, assessing, and responding to security risks. To manage risks effectively, the Bank has adopted international security standards such as ISO 27001:2013 and PCI-DSS while being compliant with SWIFT customer security controls framework, Baseline Security Standard (BSS) and payment related mobile application security guidelines of CBSL.
Bank’s current ISRM strategy focuses on the following activities:
- Improve the existing Information Security Management System (ISMS) by adopting recent CBSL Regulatory Framework on Technology Risk Management and Resilience and the Data Protection Act.
- Improve information security policies, procedures and guidelines considering the regulatory requirements and dynamic threat landscape.
- Continuous assessment of security risks related to the Bank’s information assets and processes to ensure technology-related residual risks are maintained at acceptable levels.
- Review and monitor information security KPIs and report the status of the indicators to the Operational Risk Management Committee.
- Conduct internal vulnerability assessment and penetration testing covering IT infrastructure on defined time intervals to ensure known vulnerabilities are properly managed.
- Perform trend analysis on the Bank cybersecurity posture and manage information security incidents to minimise the risk.
- Ensure adequate information security awareness is given to staff members to follow security best practices and detect and report information security events and incidents.
As improvements to the management framework, Bank adopted a process-oriented risk assessment methodology for better clarity of risks involved in processes and the corresponding risk factors through an objective oriented risk identification approach last year. As a result of the establishment of a new independent user access review process covering common user access risk scenarios, the system user account management process was streamlined according to the information security policy of the Bank.
By understanding the complexity of current supply chain-based cybersecurity threats, the Bank consulted a specialised service provider due diligence and a risk assessment process to quantify risks associated with third-party vendors who are providing technology services to the Bank.
The Bank adopted new information security controls and processes to ensure the continuity of information security while empowering users to work remotely during the COVID-19 pandemic. Early adoption of information security controls helped the Bank maintain the same customer experience by increasing resource availability during rapid surges in demand for digital capabilities.
Further, the Bank revised the cybersecurity risk reporting process during the last year to improve the visibility of information security posture of the Bank to Senior Management considering the importance of cybersecurity to business continuation.
The Bank considers its customer information as a priceless asset and keeps on improving its information security governance processes factoring current cybersecurity threats and security best practices.
During the last year, the Bank undertook a few initiatives to improve the security of its digital assets by introducing new technologies.
- Improve the frequency of security assessments on critical business applications.
- Improve anomaly detection process based on a machine learning and AI based Endpoint Detection and Response (EDR) solution.
- Improving the existing security event monitoring and security incident management process by integrating cyberthreat intelligence feeds to improve the threat visibility and early detection capabilities.
- Implementation of SD-WAN solution for enhancing branch level information security and visibility while improving the performance and user experience.
- Performing technology and operational security gap assessments to the payment card related business functions and initiated control implementations to improve the security posture by aligning with the PCI-DSS security standard requirements.
- Implementation of Data Leakage Prevention (DLP) solution to ensure the protection of customer and business-sensitive data of the Bank as a part of the Bank’s data governance process.
- Implementation of endpoint data encryption solution to better align with data protection governance requirements.
- Improving Bank policy and procedure coverage to accommodate work from home requirements and strengthening the security controls and monitoring mechanisms to ensure the security continuation during a crisis situation.
- Improving information security training and awareness programme by introducing new modules to the existing computer-based training (CBT) platform.
Key Information Security risk measurement tools and
|Operational Risk Measure/Indicator||Frequency|
|IT infrastructure vulnerability assessments (internal)||Quarterly|
|Business application vulnerability assessment (internal)||Quarterly|
|3rd party Penetration Testing||Annually|
|Technology related risk assessment (internal)||Semi-annually|
|Vendor security assessment (internal)||Annually|
|Information security incident reporting||Quarterly|
|Top and emerging risk reporting (internal)||Monthly|
Reputational risk is the risk of losing public trust or tarnishing of the Bank’s image in the public eye. It could arise from environmental, social, regulatory, or operational risk factors. Events that could lead to reputational risk are closely monitored, utilising an early warning system that includes inputs from frontline staff, media reports, and internal and external market survey results. Though all policies and standards relating to the conduct of the Bank’s business have been promulgated through internal communication and training, a specific policy was established to take action in case of an event which may affect the reputation. The Bank has zero tolerance for knowingly engaging in any business, activity, or association where foreseeable reputational damage has not been considered and mitigated. While there is a level of risk in every aspect of business activity, appropriate consideration of potential harm to the Bank’s good name is a part of all business decisions. The complaint management process and the whistle-blowing process of the Bank include a set of key tools to recognise and manage reputational risk. Based on the operational risk incidents, any risks which could lead to reputational damage are presented to the Board and suitable measures are taken by the Bank to mitigate and control such risks.
Business risk is the risk of deterioration in earnings due to the loss of market share, changes in the cost structure and adverse changes in industry or macroeconomic conditions. The Bank’s medium-term strategic plan and annual business plan form a strategic roadmap for sustainable growth. Continuous competitor and customer analysis and monitoring of the macroeconomic environment enables the Bank to formulate its strategies for growth and business risk management. Processes such as Planning, ALM, IT and Product Development in collaboration with business functions facilitate the management of business risk through recognition, measurement, and implementation of tasks. Business risk relating to customers is assessed in the credit rating process and is priced accordingly.
Legal risk arises from unenforceable transactions in a court of law or the failure to successfully defend legal action instituted against the Bank. Legal risk management commences from prior analysis, and a thorough understanding of, and adherence to related legislation by the staff. Necessary precautions are taken at the design stage of transactions to minimise legal risk exposure.
In the event of a legal risk factor, the Legal Unit of the Bank takes immediate action to address and mitigate these risks. External legal advice is obtained or counsel retained when required.
Compliance from a banking perspective can be defined as acting in accordance with a law, rule, regulation or a standard. Basel Committee on Banking Supervision in 2005 defines “compliance risk” as “the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules related self-regulatory organisation standards, and Codes of Conduct applicable to its banking activities”.
Bank’s governing principles on compliance are to: Ensure compliance starts from top, to emphasise standards of honesty and integrity and hold itself to high standards when carrying on business, at all times strive to observe the spirit as well as the letter of the law. Further, it sets compliance as an integral part of the Bank’s business activities and part of the culture of the Organisation and at all times will be observing proper standards of market conduct, managing conflicts of interest, treating customers fairly, and ensuring the suitability of customer advice.
Compliance Governance Structure of the Bank has been set up to manage the compliance risk of the Bank independently. DFCC Bank has adopted a globally accepted compliance governance structure set following such recommendations, which is also ratified by the Central Bank of Sri Lanka. Accordingly, the Compliance Officer independently reports to the Board Integrated Risk Management Committee through which the Board of Directors of the Bank get updated on the compliance matters frequently.
The Bank’s Board of Directors are responsible for overseeing the management of the Bank’s compliance risk. Towards this; Board has delegated its powers to the Board Integrated Risk Management Committee which takes appropriate action to establish a permanent, independent and effective compliance function in the Bank, ensure that compliance issues are resolved effectively and expeditiously by Senior Management of the Bank with the assistance of the compliance function and assess the extent to which the Bank is managing its compliance risk effectively.
The Bank’s Corporate/Senior Management is responsible for the effective management of the Bank’s compliance risk and an independent robust compliance culture has been established within the Bank with processes and workflows designed with the required checks and balances to facilitate compliance. The compliance function works closely with the business and operational units to ensure consistent management of compliance risk.
Scope of the Compliance function encompasses legislative enactments: rules, regulations, directions, determinations, operating instructions, circulars issued by regulators; Bank’s internal policies, circulars, guidelines; Industry best practices and standards issued by professional bodies; and international regulations. In order to manage the compliance risk of the Bank, Compliance Function on a proactive basis, identifies, documents and assesses the compliance risks associated with the Bank’s business activities, including the development of new products and business practices. It has set in place, a Compliance Programme based on a risk-based approach to be carried out under a set of scheduled activities annually, that consists of, compliance testing, branch visits, verification of returns, developing and reviewing compliance KRIs and methodologies, ensuring of timely submission of regulatory returns, clarifications of regulatory circulars, reporting to Board and/or subcommittee and educating staff on compliance matters, conducting Bank-wide compliance training. It also manages and ensures information accuracy of the Data submitted to the Credit Information Bureau of Sri Lanka.
The compliance functions carried out to mitigate the compliance risk can be illustrated as follows:
Banking being the largest segment in the global financial system, is the most vulnerable sector used by the criminals and terrorists to launder money. Regulators all over the world are therefore adopting strict measures to ensure that banks have in place adequate systems and processes to mitigate the Money Laundering (ML) and Terrorism Financing (TF) risk. Sri Lanka as a country and its Regulator, the Financial Intelligence Unit (FIU) are also subject to assessment by the international organisations on the commitment towards global Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) efforts. Therefore, any non-compliance in banks related to this area is taken seriously and is subject to fines and penalties by the FIU.
Thus, AML and CTF related compliance programme of the Bank creates a core activity of the Compliance Function. To make the Bank safe and sound in terms of AML and STF, compliance department spearheads a number of activities such as formulating policies, procedures connected with KYC and Customer Due Diligence, Transaction Monitoring to identify suspicious transactions, Name Screening process to ensure that the Bank is not dealing with sanctioned persons or entities, Politically Exposed Persons (PEP) related Enhanced Due Diligence process etc. Further, in line with the Customer Due Diligence (CDD) rules issued by the Financial Intelligence Unit and the Financial Action Task Force ecommendations, the Bank has adopted a risk based approach in identifying ML/TF exposure of the Bank relating to customers, products, services, channels, countries, geographic regions and transaction volumes.
With implementation of the new core banking system, the Bank has also implemented a new Financial Crime Mitigation (FCM) system by replacing the existing AML Software. FCM has sound functionalities such as sanctions screening, identifying the Politically Exposed Persons (PEPs), KYC Risk scoring and categorisation, AML Transaction Monitoring and fraud mitigation and support all user functions including alert management, case management, reporting and dashboards and the same is used in managing the ML/TF Risk that the Bank is exposed to.
The FCM has features in line with the CDD rules, supporting risk-based customer reviews through the system. Front staff can now update the customer risk at the time of on-boarding using the FCM KC+ Module and it is capable of retaining data on changes of risk rating. Further reviews based on the risk category can also be managed through the system on a timely basis. Using the real time screening, all new on-boarding customers, inward and outward Telegraphic Transfers (TT) and other trade transactions are closely monitored.
Further, Compliance Department uses a Risk Matrix consisting of regulatory ratios as well as a number of other quantifiable compliance Key Risk Indicators (KRI) to assess the Bank wide compliance risk level. Results are presented to the Operational Risk Management Committee and to the Board Integrated Risk Management Committee every quarter. Based on this matrix, the Bank is rated low in compliance risk category for the last three consecutive years.
Business continuity management
The Business Continuity Plan (BCP) of the Bank ensures timely recovery of critical operations that are required to meet stakeholder needs based on identified disruptions categorised into various severity levels. BCP has been designed to minimise risk to human and other resources and to enable the resumption of critical operations within reasonable time frames specified according to Recovery Time Objectives (RTOs) with minimum disruption to customer services and payment and settlement systems. The Disaster Recovery (DR) site, which is located in a suburb of Colombo is used for periodic testing drills. These DR drills are subject to independent validation by the Internal Audit Department. A report on the effectiveness of the drill is submitted to the BIRMC/Board and also to the Central Bank with the observations. Learnings and improvements to disaster recovery activities are discussed and implemented through the ORMC and the BIRMC. Training is carried out to ensure that employees are fully aware of their role within the BCP.
Stress testing of key risks
DFCC Bank PLC has been conducting stress testing on a regular basis. The Bank has in place, a comprehensive Stress Testing Policy and Framework, which is in line with the regulatory guidelines as well as international best practices. The Policy describes the purpose of stress testing and governance structure and the methodology for formulating stress tests, whilst the framework specifies in detail the Stress Testing Programme including the stress tests, frequencies, assumptions, tolerance limits and remedial action.
Stress testing and scenario analysis have played a major role in the Bank’s risk mitigation efforts. Stress testing has provided a dynamic platform to assess, “What If” scenarios and to provide the Bank with an assessment on areas to improve. The Bank covers a wide range of stress tests that checks the resilience of the Bank’s capital, liquidity, profitability, etc.
The outcome of stress testing process is monitored carefully and remedial actions taken and used by the Bank as a tool to supplement other risk management approaches.
The details of stress tests carried out by the Bank for 2021 are given below:
|Risk area and methodologies adopted||Results|
|Credit and concentration risk|
|Multifactor stress testing|
The findings of the Bank’s stress testing activities are an input into several processes including capital computation under Internal Capital Adequacy Assessment Process (ICAAP), strategic planning and risk management. As an integral part of ICAAP under Pillar II, stress testing is used to evaluate the sensitivity of the current and forward risk profile relative to the stress levels which are defined as low, moderate and high in the Stress Testing Policy. The resultant impact on the capital through these stress tests is carefully analysed and BIRMC conducts regular review stress testing outcomes including assumptions that underpin them.
As it provides a broader view of all risks borne by the Bank in relation to its risk tolerance and strategy in a hypothetical stress situation, stress testing has become an effective communication tool to Senior Management, risk owners, risk managers as well as supervisors and regulators. The results of the stress testing are reported to the BIRMC and the Board on a quarterly basis for appropriate and proactive decision-making.
Risk capital position and financial flexibility
The Bank adopts a proactive approach to ensure satisfactory risk capital level throughout its operations. In line with its historical practice and the capital targets, the Bank aims to maintain its risk capital position above the regulatory minimum requirements for Tier I and total capital under Basel guidelines.
As a regulatory measure introduced under the pandemic condition, the Bank was allowed to draw down 0.5% of the capital conservation buffer setting the regulatory minimum requirement as 8% for Tier I ratio and 12% for total capital ratio.
As at 31 December 2021, DFCC Bank PLC maintained a risk capital position of 9.305% Tier I capital ratio and 13.029% total capital ratio based on the Basel III regulatory guidelines.
Capital adequacy measures the adequacy of the Bank’s aggregate capital in relation to the risk it assumes. The capital adequacy of the Bank has been computed under the following approaches of the Basel regulations which are currently effective in the local banking industry:
- Standardised approach for credit risk
- Standardised approach for market risk
- Basic Indicator approach for operational risk
The graph below shows the Bank’s capital allocation and available capital buffer as at 31 December 2021, based on the quantified risk as per the applicable regulatory guidelines. Out of the regulatory risk capital (total capital) available as at 31 December, capital allocation for credit risk is 84.9% of the total capital while the available capital buffer is 7.9%.
Capital adequacy management
BASEL III is the global regulatory standard on managing capital and liquidity of banks which is currently in effect. With the introduction of Basel III from mid-2017, the capital requirements of banks have increased with an aim to raise the quality, quantity, consistency and transparency of capital base and improve the loss absorbing capacity.
Additionally, the Pillar II (Supervisory Review Process – SRP) under the Basel regulations requires banks to implement an internal process, of Internal Capital Adequacy Assessment Process (ICAAP), for assessing capital adequacy in relation to the risk profiles as well as a strategy for maintaining capital levels. The Bank has in place an ICAAP, which has strengthened the risk management practices and capital planning process. It focuses on formulating a mechanism to assess the Bank’s capital requirements covering all relevant risks and stress conditions in a futuristic perspective in line with the level of assumed risk exposures through its business operations. The ICAAP formulates the Bank’s capital targets, capital management objectives and capital augmentation plans.
The ICAAP demonstrates that the Bank has implemented methods and procedures to capture all material risks and adequate capital is available to cover such risks. This document integrates Pillar I and Pillar II processes of the Bank wherein Pillar I deals with regulatory capital, primarily covering credit, market and operational risks whilst Pillar II deals with economic capital involving all other types of risks.
As per the direction issued by the CBSL, under supervisory review of Basel III, CBSL encourages banks to enhance their risk management framework and manage emerging risks in a more proactive manner. This is to ensure that the Bank maintains adequate capital buffer in case of a crisis while more importance has been placed on Pillar II and ICAAP. The Bank uses a mix of quantitative and qualitative assessment methods to measure Pillar II risks. A quantitative assessment approach is used for concentration risk, liquidity risk, and interest rate risk whilst qualitative approaches are used to assess the risks such as reputational risk and strategic risk.
The Senior Management team is closely involved in formulating risk strategy and governance, thereby considering the Bank’s capital planning objectives under the strategic planning process. Capital forecasting for the next three years covering envisaged business projections is considered in the budgeting process. This forward-looking capital planning helps the Bank to be ready with additional capital requirements in the future. It integrates strategic plans and risk management plans with the capital plan in a meaningful manner with inputs from Senior Management, Management Committees, Board Committees and the Board.
Capital adequacy ratio and risk-weighted assets of DFCC Bank PLC on a solo and group basis under Basel III
|Quantified as per the CBSL Guidelines||31 December 2021||31 December 2020|
|Credit risk-weighted assets (LKR Mn)||339,261||339,722||293,506||293,920|
|Market risk-weighted assets (LKR Mn)||10,006||10,006||12,956||12,956|
|Operational risk-weighted assets (LKR Mn)||18,910||19,381||17,400||17,752|
|Total risk-weighted assets (LKR Mn)||368,177||369,109||323,862||324,628|
|Total Tier I capital adequacy ratio – Basel III (%)||9.305||9.283||10.820||10.816|
|Total capital adequacy ratio – Basel III (%)||13.029||12.997||15.764||15.749|
Financial flexibility in the DFCC Group’s capital structure
The Bank has access to contributions from shareholders as well as it possesses built-up capital reserves over a period of time by adopting prudent dividend policies, maintaining an increased level of retained profits and issuing Tier II eligible capital instruments as and when necessary.
Apart from the capital position reported on balance sheet, the Bank maintains financial flexibility through the stored value in its equity investment portfolio. The unrealised capital gain of the listed equity portfolio is included in the fair value reserve.
Assessment of integrated risk
In the process of assessment of integrated risk, the Bank reviews key regulatory developments in order to anticipate changes and their potential impact on performance. The nature and impact of changes in economic policies, laws and regulations, are monitored and considered in the way the Bank conducts business and manages capital and liquidity.
The Bank has complied with all the currently applicable risk-related regulatory requirements while closely monitoring the internal limits as shown in the table below:
|Risk category||Impact||Key risk indicators||Limit type|
|Integrated risk management||An adequate level of capital is required to absorb unexpected losses without affecting the Bank’s stability. (Total capital as a percentage of total risk-weighted assets.)||Common Equity Tier I Ratio (Common Equity Tier I as a percentage of total risk-weighted assets)||Regulatory|
|Total Tier I Capital Ratio (Total Tier I Capital as a percentage of total risk-weighted assets)||Regulatory Internal|
|Total Capital Ratio (Total capital as a percentage of total risk-weighted assets)||Regulatory Internal|
Credit risk management
|When the credit portfolio is concentrated on a few borrowers or a few groups of borrowers with large exposures, there is a high risk of a substantial loss due to failure of one such borrower.||Single Borrower Limit – Individual (Amount of accommodation granted to any single company, public corporation, firm, association of persons or an individual/capital base)||Regulatory Internal|
|Single Borrower Limit – Group||Regulatory Internal|
|Aggregate large accommodation limit (Sum of the total outstanding amount of accommodation granted to customers whose accommodation exceeds 15% of the capital base/outstanding amount of accommodation granted by the Bank to total customers excluding the Government of Sri Lanka)||Regulatory Internal|
|Aggregate limits for related parties (Accommodation to related parties as per the CBSL Direction/Regulatory Capital)||Internal|
|Exposure to agriculture sector as defined by CBSL Direction||Regulatory|
|Exposure to each industry sector (Exposure to each industry as a percentage of total lending portfolio)||Internal|
|Leases portfolio (On-balance sheet exposure to the leasing product as a percentage of total lending portfolio plus securities portfolio)||Internal|
|Exposure to GOSL||Internal|
|Exposure to institutions in the Maldives||Internal|
|Loan and OD – Exposure in BB grade||Internal|
|Loan and OD – Exposure in B and below grades||Internal|
|Leasing – Exposure in BB and below grades||Internal|
|Leasing – Exposure in B and below grades||Internal|
|Limit on margin lending for individual borrowers||Regulatory|
|Margin trading (Aggregate exposure of margin loans extended/total loans and advances)||Internal|
|Liquidity risk management||If adequate liquidity is not maintained, the Bank will be unable to fund the Bank’s commitments and planned assets growth without incurring additional costs or losses.||Liquid Assets Ratio for DBU (Average monthly liquid assets/total monthly liabilities)||Regulatory Internal|
|Liquid Assets Ratio for FCBU||Regulatory|
|Liquidity Coverage Ratio (All currencies and Rupee only)||Regulatory|
|Liquidity Coverage Ratio (Rupee only)||Internal|
|Single Depositor Limit (Highest Single Depositor/Total fixed deposits)||Internal|
|Statutory Reserve Ratio||Regulatory|
|Foreign Currency Borrowing Limit – Short-term borrowings||Regulatory|
|Foreign Currency Borrowing Limit – Total borrowings||Regulatory|
|Net Stable Funding Ratio||Regulatory|
|Market risk management||Forex Net Open Long Position||Regulatory|
|Forex Net Open Short Position||Regulatory|
|Limit for counterparty off-balance sheet market risk||Internal|
|Max holding period for trading portfolio||Internal|
|Maximum Fx Swap||Internal|
|Clean Money Market Borrowing Limit||Internal|
|Treasury trading securities portfolio||Internal|
|Portfolio limit on HTM||Internal|
|Investment risk||Equity exposure – Individual (Equity investment in a private or public company/Capital funds of the Bank)||Regulatory|
|Equity exposure – Individual (Equity investment in a private or public company/Paid-up capital of the Company)||Regulatory|
|Aggregate equity exposure in public companies (Aggregate amount of equity investments in public companies/capital funds of the Bank)||Regulatory|
|Equity exposure (Equity exposure as a percentage of Total Lending Portfolio plus Securities Portfolio)||Internal|
|Equity exposure in each sector||Internal|
|Single equity exposure out of the quoted equity portfolio||Internal|
|Operational efficiency||Operational efficiency ratio||Internal|
|Operational risk||Adequately placed policies, processes and systems will ensure and mitigate against excessive risks which may result in direct financial impact, reputational damages and/or regulatory actions||Regulatory breaches (Zero risk appetite)||Internal|
|Inability to recover from business disruptions over and above the Recovery Time Objectives (RTO) as defined in the BCP of the Bank (Zero risk appetite)||Internal|
Internal fraud (Zero tolerance for losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or Bank policy, excluding diversity/discrimination events, which involve
at least one internal party)
|External fraud (Very low appetite for losses due to act of a type intended to defraud, misappropriate property or circumvent laws, by a third party)||Internal|
|Employee practices and workplace safety (Zero appetite for losses arising from acts inconsistent with employment, health or safety laws or agreements from payment of personal injury claims, or from diversity/discrimination events)||Internal|
|Client products and business practices (Zero risk appetite for losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements) or, from the nature or design of a product)||Internal|
|Damage to physical assets (Very low appetite for loss arising from loss or damage to physical assets from natural disasters or other events)||Internal|
|Business disruption and systems failures (Low appetite for business disruptions/system failures for more than 30 minutes during service hours)||Internal|
|Execution, delivery, and process management (Low appetite for losses from failed transaction processing or process management)||Internal|