
Risk Culture and Vision

DFCC Bank PLC (the Bank) adopts a comprehensive and well-structured mechanism for assessing, quantifying, managing and reporting risk exposures which are material and relevant for its operations within a clearly defined risk management framework. An articulated set of limits under the risk management framework expresses the risk appetite of the Bank for all material and relevant risk categories and for the risk capital position. Risk management is blended into the full range of the Bank's activities, including strategic, business and financial planning and customer transactions, so that business and risk management goals and responsibilities are aligned across the Organisation. Risk is managed systematically on a Group basis, across the enterprise, individual business units, products, services, transactions and all geographic locations.

The following broad risk categories are in focus:

Risks covered under Pillar I of Basel regulations

  • Credit risk.
  • Market risk including foreign currency risk, equity price risk, and interest rate risk in the trading book.
  • Operational risk.

Other risks covered under Pillar II of Basel regulations

  • Business risk and strategic risk.
  • Liquidity risk.
  • Settlement risk in treasury and international operations.
  • Credit concentration risk.
  • Cybersecurity risk.
  • Interest rate risk in the banking book.
  • Legal risk.
  • Compliance risk.
  • Reputational risk.
  • Off-balance sheet exposures and securitisation risk.

Credit risk is the largest quantifiable risk faced by the Bank under the current quantification techniques. The Bank’s credit risk accounted for 87% of the risk-weighted assets. Additionally, the Bank takes necessary measures to proactively manage operational and market risks, the other fundamental risk categories treated as Pillar I risks under the Basel regulations.

The Bank’s general policies for risk management are outlined as follows:

  1. The Board of Directors is responsible for maintaining a prudent integrated risk management function in the Bank.
  2. Promoting awareness of the risk policies to all relevant Bank employees.
  3. Structure of the “Three Lines of Defence” in the Bank for management of risks, which consists of the risk-assuming functions, independent risk management and compliance functions and the internal and external audit functions.
  4. Ensuring compliance with regulatory requirements and other laws underpinning the risk management and business operations of the Bank.
  5. Centralised integrated risk management function, which is independent from the risk-assuming functions.
  6. Ensuring internal expertise, capabilities for risk management, and ability to absorb unexpected losses when entering new business and delivery channels, developing products, or adopting new strategies.
  7. An assessment of risks involved on an incremental and portfolio basis when designing and redesigning products and processes before implementation. Such analyses include, among other areas, business opportunities, target customer requirements, core competencies of the Bank and the competitors and financial viability.
  8. Adoption of the principle of risk-based pricing.
  9. Ensuring that the Board-approved target capital requirements, which are more stringent than the minimum regulatory capital requirements, are not compromised. For internal purposes, economic capital is quantified using Basel-recommended guidelines together with the Internal Capital Adequacy Assessment Process (ICAAP). A cushion above the regulatory capital requirement is maintained to cover part of stress losses and losses caused by other risks, such as strategic, liquidity, and reputation risks, which are not in Pillar I of the Basel guidelines. The capital requirement is monitored periodically based on defined stress scenarios.
  10. Aligning the risk management strategy to the Bank's business strategy.
  11. Ensuring comprehensive, transparent, and objective risk disclosures to the Board, Senior Management, Regulator, Shareholders, and other Stakeholders.
  12. Continuous review of the risk management framework and ICAAP to align them with Basel recommendations and regulatory guidelines.
  13. Maintenance of internal prudential risk limits based on the risk appetite of the Bank and, wherever relevant, over and above the required regulatory limits.
  14. Instilling a prudent risk management culture within the Bank.
  15. Periodic review of risk management policies and practices to align with the developments in regulations, business environment, internal environment and industry best practices.

The risk management culture supports the Bank's business objectives and creates an environment that enables the Management to execute the business strategy more efficiently and sustainably. The Board of Directors regularly reviews the risk profile of the Bank and its Group, and every business or function is included in developing a strong risk culture within the Bank. Further, the Bank ensures that every employee clearly understands his/her responsibilities in terms of the risks undertaken at every step of their regular business activities. This has been inculcated mainly through the Code of Conduct, periodically conducted training programmes, clearly defined procedural manuals, and the involvement of the integrated risk management functions as a review process in business operations.

Risk Governance

“Three Lines of Defence” Approach

The Bank advocates strong risk governance applied pragmatically and consistently, emphasising the “Three Lines of Defence” concept. The governance structure encompasses accountability, responsibility, independence, reporting, communication and transparency, internally and with our relevant external stakeholders.

The First Line of Defence involves management control at the business level and adhering to relevant internal control mechanisms while discharging the responsibilities and accountability for the day-to-day management of business operations. Independent risk monitoring, validation, centralised oversight of the effective implementation of the risk management framework, policy review and compliance by the Integrated Risk Management Department (IRMD) and the Compliance Department constitute the Second Line of Defence. The independent check and quality assurance of the internal and external audit functions provides the Third Line of Defence.

The Bank’s risk governance includes setting and defining the risk appetite, risk limits, risk management functions, capital planning, risk management policies, risk infrastructure, and risk profile analysis. The Bank exhibits an established risk management culture and effective risk management approaches, systems, and controls. Policy manuals, internal controls, segregation of duties, clearly demarcated authority limits and internal audits form part of the key risk management tools. The Bank's risk management framework covers all aspects of risk governance, including the risk management structure, which is implemented through different subcommittees and clearly defined reporting lines. The framework ensures that the risk management unit functions independently. The Chief Risk Officer (CRO) reports directly to the Board Integrated Risk Management Committee (BIRMC).

[Figures: Governance Structure for Risk Management; The Concept of the “Three Lines of Defence” for the Integrated Risk Management Function]

Risk Policies and Guidelines

A set of structured policies and frameworks recommended by the Integrated Risk Management Committee and approved by the Board of Directors forms a key part of the risk governance structure. The integrated risk management framework stipulates, in a broader aspect, the policies, guidelines, and organisational structure for the management of overall risk exposures of the Bank in an integrated manner. This framework defines risk integration and aggregation approaches for different risk categories. In addition, separate policy frameworks detail the practices for managing key specific risk categories such as credit risk, market risk, credit concentration risk, liquidity risk, operational risk, reputation risk, and other policies governing information security risk. These policy frameworks are reviewed periodically and communicated across the Bank. Respective staff members are required to adhere to the specifications of these frameworks when conducting business transactions.

Risk Appetite

The Bank's risk appetite is defined in the Overall Risk Limits System. It consists of risk limits arising from regulatory requirements, borrowing covenants, and internal limits for prudential purposes. The Limits System is a cornerstone of the risk indicators and encompasses key risk areas such as credit, market, liquidity, operational, equity, and capital position, amongst others. Lending limits have been established to manage credit concentration to industry sectors, rating grades, borrowers and countries as part of the prudential internal limits. Industry sector limits for the lending portfolio consider the inherent diversification within the subsectors and the borrowers within broader sectors. A “Traffic Light” system monitors these limits monthly and quarterly. These risk appetite limits are reviewed at least annually in line with the risk management capacities, business opportunities, the Bank's business strategy and regulatory requirements.

If the risk appetite threshold has been breached or is approaching levels not desirable by the Bank, risk-mitigating measures and business controls are implemented to bring the exposure level back within the accepted range. Risk appetite, therefore, translates into operational measures such as new or enhanced limits or qualitative checks for dimensions such as capital, earnings volatility, and concentration of risks.

Tolerance Limits for Key Types of Risks

Risk area | Risk appetite criteria | Limit/Range
Integrated risk and capital management | Total Tier I capital adequacy ratio (under Basel III) (Total Tier I capital as a percentage of total risk-weighted assets) | > 8.5% (Regulatory); internal limit is based on ICAAP
Integrated risk and capital management | Total capital adequacy ratio (under Basel III) (Total capital as a percentage of total risk-weighted assets) | > 12.5% (Regulatory); internal limit is based on ICAAP
Credit quality and concentration | Stage 3 ratio | < Industry average as published by the CBSL (Internal)
Credit quality and concentration | Single borrower limit – Individual | < 30% (Regulatory); < 28% (Internal)
Credit quality and concentration | Single borrower limit – Group | < 33% (Regulatory); < 30% (Internal)
Credit quality and concentration | Aggregate large accommodation | < 55% (Regulatory); < 45% (Internal)
Credit quality and concentration | Exposures to industry sectors | < 5% to 20% (Internal)
Credit quality and concentration | Aggregate limit for related parties | < 25% (Internal)
Liquidity risk | Statutory liquid assets ratio | > 20% (Regulatory); > 22% (Internal)
Liquidity risk | Leverage ratio | > 3% (Regulatory)
Liquidity risk | NSFR | > 100% (Regulatory); > 110% (Internal)
Liquidity risk | Liquidity coverage ratio (all currencies and rupee only) | > 100% (Regulatory); > 110% (Internal)
Market risk | Forex net open long position or short position | As prescribed by the Central Bank of Sri Lanka

Board Integrated Risk Management Committee (BIRMC)

The BIRMC is a Board Subcommittee that oversees the risk management function as required by the Regulator. The BIRMC adheres to the responsibilities set out in the Board-approved Charter for the BIRMC, which incorporates corporate governance requirements for Licensed Commercial Banks issued by the Central Bank of Sri Lanka (CBSL). BIRMC sets the policies for Bank-wide risk management, including credit risk, market risk, operational risk, information system security risk, and liquidity risk.

In addition to the Board representatives, the BIRMC consists of the CEO and the CRO as permanent members. Further, Heads representing Finance, Treasury, Information Technology, Operations, Internal Audit and Compliance attend the meeting as invitees. A summary of the responsibilities and functions of the BIRMC is given in the Report on the Board Integrated Risk Management Committee on page 215 of this Annual Report.

The BIRMC meets at least once every two months and reviews the risk information and exposures as reported by the Integrated Risk Management Department, Treasury, Finance, Compliance and Service units. Risk reporting includes reports on overall risk analysis relating to the Bank’s capital, risk appetite, limits position, stress testing, any strategic risks faced by the Bank, top and emerging risks to the Bank and risk analysis of the Group companies. Additionally, they include reports covering the main risk areas such as credit, market, liquidity, operational, information systems security, and compliance risks.

During 2023, six BIRMC meetings were conducted, and the Committee paid more attention to market risk, credit risk, and capital adequacy in the increasingly volatile operating environment due to the stressed macroeconomic landscape. The Committee reviewed the adequacy of the risk-mitigating actions taken and stress testing results to align the risk appetite of the Bank to navigate the economic challenges.

Scope and Main Content of Risk Reporting to the BIRMC

Risk type | Scope and main content of risk reporting
Overall risk
  • Review of the Internal Capital Adequacy Assessment Process (ICAAP)
  • Regulatory capital adequacy position and trends compared with limits
  • Overall risk limit system including regulatory and internal limits
  • Stress testing of key risks and overall exposures
  • Reports on top and emerging strategic and business risks
  • Risk analysis of Group companies
  • Review of risk management policies and frameworks
Credit risk
  • Credit portfolio analysis
  • Summary of Loan Review Mechanism
  • Reports on validation results and changes implemented for risk rating models
Market and liquidity risk
  • Reports on liquidity and foreign exchange risk management by Treasury
  • Market risk analysis by Treasury Middle Office and review of any limits
  • Equity portfolio analysis
  • Liquidity risk monitoring under stock and flow approaches
  • Status report of margin trading facilities
  • Analysis of investment and trading fixed income portfolios
  • Minutes of the ALCO including the key decisions and recommendations made by ALCO
  • Minutes of the ORMC and FRMC including the key decisions and recommendations made by the committees
  • Reports on the Business Continuity Plan and disaster recovery drills undertaken
IT and systems security risk
  • External and internal vulnerability assessment reports
  • Penetration testing reports
  • Information security policies and the status of implementation
  • Status report of current security posture
  • Top and emerging risks and the status update
Compliance risk
  • Status of the Bank’s compliance with rules and regulations
  • Results of compliance tests undertaken and assessment of overall compliance risk levels
  • New rules and regulations
  • Review of compliance-related policies and procedures
  • Anti Money Laundering (AML) and Countering Financing of Terrorism (CFT) measures

Involvement of Management Committees

Management Committees such as the Credit Committee (CC), Asset and Liability Management Committee (ALCO), Operational Risk Management Committee (ORMC), Fraud Risk Management Committee (FRMC), Special Loan Review Committee (SLRC), IT Steering Committee (ITSC), Investment Committee (IC), Facility Restructuring Committee (FRC), Impairment Assessment Committee (IAC), Information Security Committee and Consequent Management Committee are included in the organisational structure for integrated risk management function.

The responsibilities and tasks of these committees are stipulated in the Board-approved Charters and Terms of Reference (TORs), and the membership of each committee is defined to bring an optimal balance between business and risk management.

Organisation Structure for Integrated Risk Management

The Integrated Risk Management Department (IRMD) is responsible for measuring and monitoring risk on an ongoing basis to ensure compliance with the parameters set out by the Board, BIRMC, and other Management Committees for performing the Bank's overall risk management function. It consists of separate units such as Credit Risk Management, Market Risk Management, Operational Risk Management, Asset and Liability Management, Loan Review Mechanism, Information Systems Security Risk Management, Integrated Risk Management, Treasury Middle Office, Portfolio Risk Management and Business Continuity Management. IRMD gets involved with product, business strategy development and new business lines, giving input from the initial design stage throughout the process from a risk management perspective.

Key Developments in the Risk Management Function During the Period Under Review

Several significant initiatives were undertaken, focusing continuously on regulatory developments and reassessing the Bank's existing risk management policies, guidelines, and practices for necessary improvements. In addition to these regulatory specifications, changes in business strategy, industry factors and international best practices were also considered in the improvement process. The following are the key initiatives during the period under review that led to further improvements in the overall integrated risk management function.

Prudential risk limits were reviewed to reflect the Bank's current risk appetite, with new limits set wherever necessary. Internal limits, which are much more stringent than the regulatory limits, have been implemented as trigger points so that the regulatory limits are better managed. All Board-approved risk management frameworks, charters, and TORs were reviewed during the period, especially considering regulatory and business environment changes.

In order to make management decisions more proactive and protect the Bank's NII and capital, the Treasury Middle Office (TMO) introduced new advisory limits for VaR and stressed interest rate sensitivity limits based on duration and historical movements. To preserve a robust risk management culture within the Bank, all limits were established as a percentage of Tier 1 capital. Additionally, other limits, such as a tenor/duration limit and a broker concentration limit, were established to align with best industry practices.

The credit workflow ensures that every credit proposal except for certain identified products is evaluated by an independent authority not connected to business lines. The credit workflow of the Bank was further improved during the year, taking business requirements and changes in market conditions into consideration.

The Bank's credit workflow, requirement of risk rating validations, and collateral guidelines were adjusted/improved during the year in accordance with the Bank's process requirements, subsequent developments and changes in market conditions. Further, some of the product guidelines were amended to safeguard against lending to high-risk categories, which pose risks of increased impairment charges to the Bank.

The lending portfolio was segregated into four stressed categories based on the client's industry, and the industries were reviewed quarterly.

Further delegation of lending and related authority was reviewed during the year. Clients with revolving facilities were reviewed annually, and those with non-revolving facilities who were undergoing difficulties were given longer payment tenures for repayment or were supported with exit strategies.

The Pre-evaluation Committee was converted to a Facility Restructuring Committee (FRC) with enhanced authorities. The number of ALCO and special ALCO meetings was significantly increased to proactively assess liquidity risk and other risks.

The Loan Review Unit, which is independent of the Credit Risk Management Unit, constantly evaluates the quality of the loan book and brings about qualitative improvements in the credit function. The Unit has taken specific actions to increase the sample size and the scope of the loan reviews and to obtain feedback from business units on the improvements made to post-disbursement credit management that would contribute to the quality of the loan portfolio.

During the year, the frequency of knowledge sharing with the business on the lapses has increased. In addition, special assignments were carried out on the instructions of the Senior Management.

Being cognisant of the global trend of growing threats to systems and information security, the Bank increased its focus on IT systems security under its operational risk management practices. The scope of the Information Systems Security Unit was further enhanced during the year under the Integrated Risk Management Department to manage the Bank's information security risk proactively. The Information Security Committee oversees the effectiveness of security initiatives and directs the management of information security risks within the Bank.

Internal security reviews, encompassing servers, infrastructure and business applications, are routinely conducted. Further, the Unit is involved in new system implementations from the request for proposal (RFP) stage to Go-live confirmation and ensures that new systems comply with industry security best practices. Furthermore, the Unit works with reputed external parties to ensure that critical and customer-facing systems are appropriately secured.

During the year, we continued implementing the CBSL Regulatory Framework on Technology Risk Management and Resilience and the Data Protection Act. The Bank’s Information Security Risk Management strategy has been revised based on regulatory and new system requirements. The risk assessment process for third-party IT vendors was improved by adapting controls from the Personal Data Protection Act, industry best practices, and new regulatory requirements. Enhancements were also made to the Security Operations Centre reporting process. The Bank has implemented state-of-the-art cloud-based Security Information and Event Management (SIEM) and Security Operations Centre (SOC) solutions, marking the first adoption of such advanced cloud-based solutions within the local banking community.

Due to continuous improvements in the core system, stability increased, and the related operational risk decreased. The number of ORMC subcommittee meetings has also increased to six per year, and the discussion topics are aligned to focus more on the core operational risks.

Reporting of quarterly internal loss events to the CBSL, which Branch Operations previously handled, has been taken over by the ORMU/IRM with effect from Q1 2023. The following limits have been established to manage operational risk at the desired level and in accordance with the overall risk appetite limit structure of the Bank.

  • Loss: actual loss as a percentage of 3-year average gross income, limit 0.25%
  • Potential loss: potential loss as a percentage of 3-year average gross income, limit 0.50%

KRIs and RCSAs have been revised, removed or added for all departments on a biannual basis, considering changes to the business scope of each department. In addition, ORMU evaluates the RCSAs of departments that carry high risks, based on the risk weight of each department's significant processes and controls.

Staff awareness programmes on operational risk were held for staff at various levels, from new recruits to branch managers, and they were further facilitated through the e-Academy. Operational risk alerts were shared with the Bank staff as knowledge sharing by indicating the risk and learning from the incidents. The Bank has developed a model for Risk and Control Self-Assessment (RCSA) and Key Risk Indicators (KRI) for operational risks across all major functions and departments and continues to monitor closely their applicability, trends and effectiveness of the controls on a semi-annual basis. Currently, IRMD monitors 68 departments or units for the KRI, and in 2023, RCSA and KRIs were developed for seven units.

From July 2023, the Business Continuity Management System (BCP) functions under the Integrated Risk Management Department. Training for the Emergency Response Teams, such as first aid and fire drills, was conducted. The IT disaster recovery drill was conducted in June 2023, and all the critical IT systems were tested. The learnings from the drill were taken into consideration to prevent future occurrences.

Stress testing covers all main types of risks (Credit Risk, Market Risk, Operational Risk, IRRBB, Liquidity Risk, Reputational Risk, Credit Concentration Risk, group risk, etc). The impact on regulatory CAR was measured under each stress scenario. The Breach of Regulatory minimum requirement was considered as the maximum tolerance limit. The impact on LAR was measured under each scenario in liquidity risk stress testing. The combined impact of a few stress scenarios under the main risk types was also examined.

Credit Risk

Credit risk is the potential loss arising from the customers’ failure to meet contractual obligations as and when they fall due. For banks, credit risk occurs primarily due to their lending activities – granting loans and advances to individuals, MSMEs, SMEs and Corporates. Direct lending activities, commitments, and contingencies expose the Bank to credit risk.

The challenges the Bank experienced in 2022, with policy changes, inflationary pressures, the end of moratorium granted to customers with cash flow constraints, and the surrounding uncertainties in many industry sectors, continued in 2023.

The lending portfolio accounts for 54% of total assets, and credit risk accounts for 87% of the total risk-weighted assets. It is imperative to manage the credit risk of the Bank prudently to ensure its sustainability since the increase in credit risk will have a negative impact on the profitability and capital of the Bank.

Considering the above, the Bank has continued precautionary measures to ensure prudent lending, analysing various segments of the lending portfolio for signs of deterioration, extending repayment periods for identified borrowers, and managing overlays for risk-elevated sectors.

Credit Risk Mitigating Strategies Implemented by the Bank

Review of Credit Risk Framework, Credit Policies and Manuals

The Bank continues to review and update its credit policies and processes in response to evolving dynamics to ensure that risk practices are relevant and up to date and address the changing business requirements. During the year, several key policies, including Credit Policy and Credit Risk Management Framework, were reviewed and updated further to strengthen the Bank's credit risk management.

Concessions to Bank Customers

Expecting the recovery of businesses to take a considerable period given the backdrop of the current stressed economic situation, the Bank, in addition to the concessions granted by the CBSL, proactively engaged with customers, evaluated their future business cash flows, financial position and capacity to resume loan repayments, and offered relief on the repayment of facilities.

Identification of Watch-listed Clients Based on Early Warning Signals

The Bank has established a watch-listing and close monitoring process to identify clients that have demonstrated signs of increased credit risk. Information on frequently watch-listed clients, based on overdue exposures and rating downgrades monitored over a period of time, is disseminated to management with a view to taking corrective measures to ensure the quality of the Bank's loan book.

A sample of watch-listed borrowers with significantly extensive exposure is reported to the Board Credit Committee. A traffic light system is also employed to identify watch-listed clients with varying levels of impact on the portfolio.

Industry Analysis

As a prudent measure, the Bank has reviewed and analysed industries and portfolio segments to identify negative trends, risk-elevated industries and unsecured exposures proactively. IRMD reports to the BIRMC on portfolio dynamics through dashboards and reports that give a snapshot of credit portfolio quality and performance. These analyses guide business line managers on the direction of lending by disseminating credit risk-related knowledge and sharing information on critical areas. Further, IRMD has provided continuous contributions towards human resource development programmes by providing resource personnel to conduct knowledge-boosting training programmes in areas such as credit evaluation and credit risk management. Recognising the importance of accurate industry sector classification of the clients, IRMD initiated a project to cleanse the industry sector classifications and introduced a procedure to ensure the accuracy of the industry sectors.

Stressed Industry Segments

IRMD initiated a process to identify stressed industry segments in April 2020 with the outbreak of Covid-19 and has been reviewing stressed industry segments periodically. The Bank continues these reviews focusing on current challenges faced by each sector.

Risk Rating

DFCC uses seven rating models for the rating of lending clients. The rating models are based on financial, non-financial and industry parameters. Risk ratings range from Low Risk (AAA) to Default (D). Pricing of the key products is based on the risk rating of the client.

Portfolio Risk Management Unit

An in-depth analysis of selected lending products is carried out by the Portfolio Risk Management unit to proactively identify and mitigate aggregate risks in the Bank’s credit portfolio. Various demographic and geographic customer dimensions and key internal aspects are analysed to assess the behaviour of different customer segments and sub-segments. Data analytics and modelling techniques are used to gain detailed insights into portfolios. The findings and recommendations are shared with business units and relevant internal stakeholders for decision-making and action. This adds value to prudently achieving business goals while managing risks more efficiently.

IT Involvement

To increase the efficiency of the credit facility allocation and progress monitoring, IRMD tracker version 2.0 was released in January 2022. The latest version is capable of measuring the Service Level Agreement (SLA) of facility delivery and consists of various dashboard functionalities. This system is an in-house development of the IRMD using the Google AppSheet application.

Credit Risk Management Process

The Bank's credit policies approved by the Board of Directors define the credit objectives, outlining the credit strategy to be adopted at the Bank. The policies are based on CBSL Directions on integrated risk management, Basel recommendations, business practices, and the Bank's risk appetite.

Credit risk management guidelines identify target markets and industry sectors, define risk tolerance limits and recommend control measures to manage concentration risk. Standardised formats and clearly documented processes and procedures ensure uniformity of practices across the Bank.

Credit risk culture
  • Reviewed the credit risk management framework and credit policy to meet the requirements of the current economic conditions.
  • Governance structure and specific organisational structure for credit risk management.
  • IRMD creates awareness of credit risk management through training programmes and experience-sharing sessions, including online channels and infographic e-learning modules, to enhance credit underwriting and evaluation capabilities in the Bank.
  • Continuously reviews and monitors the Bank's lending portfolios so that facilities can be restructured proactively, including identifying those that require greater credit supervision.
  • Carried out industry studies to evaluate specific challenges, risks and opportunities in order to realign the credit strategy and provide direction on lending to the business units.

Credit approval process
  • A structured and standardised credit approval process is documented in the credit manual. The entire gamut of activities involving credit appraisal, documentation, funds disbursement, performance monitoring, restructuring and recovery procedures is described in detail in the manual, which is reviewed at least once in two years, or more frequently if required.
  • Standardised appraisal formats and workbooks have been designed for each facility type and are reviewed annually, or as and when required, to stay in line with business needs. The Bank uses an in-built application to process finance leases.
  • Collateral guidelines for lending were amended and improved during the year, considering the market conditions and the current economic situation of the country, to safeguard the Bank's interest.
  • A clearly defined credit workflow ensures segregation of duties among credit originators, independent review and approval authority.
  • The Delegation of Lending Authority sets out approval limits based on a combination of risk levels, as defined by risk rating and security type, loan size, proposed tenure, borrower, and group exposure.
  • IRMD is involved in an independent rating review of every credit proposal, with the exception of certain identified products.
  • The CRO and VP CRM are observers of the Credit Committees and evaluate credit proposals from a risk perspective.
  • Risk-based pricing is practised at the Bank. However, deviations are allowed for identified products, for funding through credit lines, and where a strong justification is made for business development purposes.

Control measures
  • Exclusion lists and special clearance sectors are identified based on the country's laws and regulations, the Bank's corporate values and policies, and the level of risk exposure. The exclusion list specifies the industry sectors to which lending is disallowed, while special clearance sectors specify industry sectors and credit products in which the Bank exercises caution when lending.
  • Advisory limits on single borrower exposure, group exposure and industry sectors are set by the Board of Directors on the recommendation of IRMD.

Credit risk management
  • Timely identification of problem credits through product-wise and concentration analysis in relation to industries, specific products and geographical locations such as branches or regions.
  • Industry reports and periodical economic analyses provide direction to lending units to identify profitable business sectors to grow the Bank's portfolio, and to identify industry-related risk sources and their impact.
  • Categorisation of the industry sectors into four stress segments (minimum, short-term, medium-term and long-term) based on the magnitude of impact and timing of recovery, with the industry stress segments reviewed at frequent intervals based on the evolving situation.
  • Evaluation of new products from a credit risk perspective. Independent rating review by the Credit Risk Management Unit of IRMD ensures an assessment of credit quality at the time of credit origination and at credit reviews.
  • A post-sanction review of loans by the Loan Review Unit, which is independent of the Credit Risk Management Unit, within a stipulated time frame and in accordance with the Loan Review Policy, to ensure credit quality is maintained.
  • Periodic validation of credit rating models and introduction of the necessary adjustments to the models for better discriminatory power, based on model validation results and the prevailing macroeconomic outlook.

Credit risk monitoring and reporting
  • Analysis of the total portfolio in terms of stage movement, product distribution, industry sectors, top 20 borrower exposures, borrower rating distribution, branch-wise portfolio distribution and collateral distribution is carried out periodically and reported to the BIRMC.
  • A comprehensive and systematic watch-listing process is in place for identifying, monitoring and reporting clients that demonstrate a significant increase in credit risk, which contributes to the continuous improvement of the quality of the loan book.
  • Periodic reporting to BIRMC on credit concentration risk positions against regulatory limits, such as single borrower and group exposure limits, and internal advisory limits on industry sectors, selected geographical regions, and exposure by credit rating grade.
  • Reporting on top key risks to the BIRMC and the Board.
  • Continuous contribution to effective financial reporting through stage upgrades in accordance with SLFRS 9 and involvement in the Impairment Committee.

Credit risk mitigation
  • An independent Portfolio Risk Management Unit proactively identifies and manages credit risk at the portfolio level. Comprehensive and in-depth analyses are continuously carried out to evaluate portfolio behaviour across various demographic, geographic and customer dimensions. Credit strategy at the portfolio level is realigned with the findings of this unit.

Key Credit Risk Measurement Tools and Reporting Frequencies

The following credit risk measurement tools are used by the Bank in managing credit risk and are reported at the stipulated frequencies:

Credit risk measure or indicator | Frequency
Probability of default | Annually
LGD under Basel III and IFRS | Quarterly/Annually
Top and emerging risks under credit risk | Monthly
Credit portfolio analysis | Once in two months
Rating-wise distribution across business segments | Once in two months
Summary of rating reviews including overridden ratings | Once in two months
Watch-listed clients | Monthly to the Senior Management and quarterly to the Board
Summary of reviews done under Loan Review Mechanism |

Dimensions for Analysis and Monitoring of Credit Concentration Risk

Credit concentration risk measure/indicator | Frequency
Industry sector limits positions | Quarterly
Top 20 borrower exposures | Quarterly
Top 20 borrower group exposures | Quarterly
Industry sector HHI* | Quarterly
Product distribution of the credit portfolio | Once in two months
Borrower distribution across rating grades | Quarterly

* The Herfindahl-Hirschman Index (HHI) is a measure of concentration, calculated by squaring the share of each sector and then summing-up the resulting numbers.
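As an added worked example of the index described in the footnote (this is not the Bank's own concentration model), the function below computes the HHI from a sector exposure map, together with two companions a reviewer would typically want: the "effective number of sectors" (1/HHI) and the sectors contributing most to the index. The sector exposures and the low/moderate/high cut-offs are constructed assumptions; a bank would substitute its own advisory thresholds.

```python
"""Herfindahl-Hirschman Index (HHI) for sector concentration of a credit book.

Added worked example; this is not the Bank's own concentration model. The
sector exposures and the classification bands are constructed assumptions.
"""
from typing import Dict, List, Tuple

# Constructed sample exposures in LKR Mn, grouped by industry sector.
SAMPLE_EXPOSURE_BY_SECTOR: Dict[str, float] = {
    "Manufacturing": 4200.0,
    "Tourism": 1800.0,
    "Agriculture": 2100.0,
    "Construction": 1500.0,
    "Trading": 3000.0,
    "Other": 1400.0,
}


def sector_shares(exposures: Dict[str, float]) -> Dict[str, float]:
    """Share of total exposure held by each sector (fractions summing to 1)."""
    total = sum(exposures.values())
    if total <= 0:
        raise ValueError("total exposure must be positive")
    return {sector: amount / total for sector, amount in exposures.items()}


def hhi(exposures: Dict[str, float], scale: float = 10_000) -> float:
    """HHI = sum of squared sector shares.

    With scale=10_000 the shares are expressed in percent before squaring, so
    the index runs from close to 0 (many small sectors) to 10_000 (a single
    sector holds everything). scale=1 returns the 0..1 form.
    """
    return scale * sum(share ** 2 for share in sector_shares(exposures).values())


def effective_number_of_sectors(exposures: Dict[str, float]) -> float:
    """1/HHI (0..1 form): the number of equally sized sectors that would give
    the same concentration. A plain-language companion to the raw index."""
    return 1.0 / hhi(exposures, scale=1)


def classify_concentration(index: float,
                           moderate: float = 1_500,
                           high: float = 2_500) -> str:
    """Map an HHI (percent-squared form) to a band. The default cut-offs are
    the bands used in competition-law guidance and are only an illustration
    here; a bank sets its own internal advisory thresholds."""
    if index >= high:
        return "high"
    if index >= moderate:
        return "moderate"
    return "low"


def largest_contributors(exposures: Dict[str, float], n: int = 3) -> List[Tuple[str, float]]:
    """Sectors ranked by their contribution to the index (share squared),
    i.e. where a reduction in exposure would lower concentration the most."""
    contrib = {s: share ** 2 * 10_000 for s, share in sector_shares(exposures).items()}
    return sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    index = hhi(SAMPLE_EXPOSURE_BY_SECTOR)
    print(f"HHI = {index:.1f} ({classify_concentration(index)} concentration)")
    print(f"Effective number of sectors = "
          f"{effective_number_of_sectors(SAMPLE_EXPOSURE_BY_SECTOR):.2f}")
    for sector, c in largest_contributors(SAMPLE_EXPOSURE_BY_SECTOR):
        print(f"  {sector}: contributes {c:.1f} to the index")
```

With the constructed book the index is about 1,964 (the 0..1 form is 11/56), equivalent to roughly five equally sized sectors; the largest contributor is the 30% manufacturing share, which alone adds 900 to the index.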


Loan Review Mechanism

Loan Review Mechanism (LRM) is a regulatory requirement under the CBSL Direction No. 07 of 2011 on Integrated Risk Management and is an effective tool for constantly evaluating the quality of the loan book and bringing about qualitative improvements in credit functions. The LRM function is carried out by the Loan Review Unit (LRU) of IRMD.

Total volume of the facilities that were reviewed by the LRU in 2023 was well above the regulatory and advisory limit covering all the aspects specified in the policy. Based on the findings, LRM recommendations are reported to the Credit Committee and BIRMC on a quarterly basis to enhance the quality of the credit portfolio.

During 2023, the frequency of knowledge sharing with the Business Units on the lapses found has increased. In addition, the following special assignments were carried out on the instructions of the Senior Management.

  1. Review the facilities crossing to stage III within 180 days of grant
  2. Special follow-up on two facilities approved by the credit committee
  3. Review of possible errors in pricing at the migration of the core system

Market Risk

Market risk is the possibility of losses arising from changes in the value of a financial instrument as a result of changes in market variables such as interest rates, exchange rates, equity prices, and commodity prices.

As a financial intermediary, the Bank is exposed primarily to the interest rate risk and, as an authorised dealer, is exposed to exchange rate risk on foreign currency portfolio positions. Market risk could impact the Bank mainly in two ways: loss of cash flows or loss of economic value. Market risk can be viewed in two dimensions: traded market risk, which is associated with the trading book, and non-traded market risk, which is associated with the banking book.

The ALCO oversees the management of both traded and non-traded market risks. The Treasury manages the foreign exchange risk with permitted hedging mechanisms. Trends in relevant local as well as international markets are analysed and reported to ALCO and BIRMC by IRMD and the Treasury. The market risks are controlled through various limits. These limits are stipulated by the Investment Policy, TMO Policy, Treasury Manual, and Overall Limits System of the Bank. Interest rate sensitivity analysis (modified duration analysis), Value-at-Risk (VaR), simulation and scenario analysis, stress testing and marking-to-market of positions are used as quantification tools for the purpose of monitoring and managing market risks.

The Treasury Middle Office (TMO) is segregated from the Treasury Front Office (TFO) and Treasury Back Office (TBO) and reports to the CRO.

TMO is responsible for the Bank's market risk management, which refers to the processes and strategies implemented by the Bank to identify, assess, monitor, and control the potential losses arising from changes in financial market conditions. It encompasses the risk associated with fluctuations in market prices such as interest rates, exchange rates, commodity prices and equity prices. TMO's functions include market risk management aspects such as market risk identification, market risk quantification, risk measurement models, risk limits and guidelines, hedging strategies, monitoring and reporting stress testing, regulatory compliance, and analytics, thereby continuously improving the risk culture.

Market risk management is an integral component of overall risk management within the Bank; effectively managing market risk is crucial for maintaining financial stability, protecting assets and achieving long-term business objectives.

Interest Rate Risk

Interest rate risk can be termed as the risk of loss in the net interest income (earnings perspective) or the net worth (economic value perspective) due to adverse changes in market interest rates. Interest rate risk can consist of:

  • Repricing risk that arises from the inherent mismatch between the Bank’s assets and liabilities, resulting in repricing timing differences.
  • Basis risk that arises from the imperfect correlation between different yield and cost benchmarks attached to the repricing of assets and liabilities.
  • Yield curve risk that arises from shifts in the yield curve that have a negative impact on the Bank’s earnings or asset values.

The Bank manages its interest rate risks primarily through an asset-liability repricing gap analysis, which distributes interest rate-sensitive asset and liability positions into several maturity buckets. Board-defined limits are in place for interest rate gaps and positions, monitored periodically to ensure compliance with prescribed limits. The Asset and Liability Management (ALM) Unit routinely assesses the Bank’s asset and liability profile in terms of interest rate risk, and the trends in costs and yields are reported to ALCO for necessary realignment in the asset and liability structure and the pricing mechanism. ALM performed several scenario analyses and simulations on the effect of interest rate changes on the Bank’s interest income during the year to facilitate pricing decisions taken at ALCO.
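As an added illustration of the repricing gap analysis described above (not the Bank's ALM model), the block below distributes rate-sensitive assets and liabilities into maturity buckets, computes periodic and cumulative gaps, checks the cumulative gap against a Board-style limit, and estimates the one-year net interest income impact of a parallel rate shock. The bucket ladder, balances (LKR Mn), the 15% gap limit and the midpoint-weighting convention for NII are constructed assumptions.

```python
"""Asset-liability repricing gap analysis with a parallel interest rate shock.

Added worked example; it is not the Bank's ALM model. The maturity buckets,
balances (LKR Mn), the gap limit and the NII weighting convention are
constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Bucket:
    name: str
    rsa: float             # rate-sensitive assets repricing in this bucket
    rsl: float             # rate-sensitive liabilities repricing in this bucket
    midpoint_years: float  # time to the bucket midpoint, used for NII weighting


# Constructed sample repricing ladder (liability-sensitive at the short end).
SAMPLE_LADDER: List[Bucket] = [
    Bucket("0-1 month",   12_000.0, 18_000.0, 1 / 24),
    Bucket("1-3 months",   9_000.0, 11_000.0, 2 / 12),
    Bucket("3-6 months",   8_000.0,  6_000.0, 4.5 / 12),
    Bucket("6-12 months",  7_000.0,  4_000.0, 9 / 12),
    Bucket("1-3 years",   10_000.0,  5_000.0, 2.0),
]


def periodic_gaps(ladder: List[Bucket]) -> Dict[str, float]:
    """Gap per bucket: RSA minus RSL. Negative means liability-sensitive."""
    return {b.name: b.rsa - b.rsl for b in ladder}


def cumulative_gaps(ladder: List[Bucket]) -> Dict[str, float]:
    """Running total of the periodic gaps, in bucket order."""
    out: Dict[str, float] = {}
    running = 0.0
    for b in ladder:
        running += b.rsa - b.rsl
        out[b.name] = running
    return out


def nii_impact(ladder: List[Bucket], shock_bps: float, horizon_years: float = 1.0) -> float:
    """Change in net interest income over the horizon for a parallel shock.

    Each bucket's gap reprices at its midpoint and then earns (or costs) the
    shock for the rest of the horizon. Buckets repricing after the horizon
    do not affect earnings inside it. A liability-sensitive book loses NII
    when rates rise.
    """
    delta = 0.0
    for b in ladder:
        if b.midpoint_years >= horizon_years:
            continue
        delta += (b.rsa - b.rsl) * (shock_bps / 10_000) * (horizon_years - b.midpoint_years)
    return delta


def gap_limit_breaches(ladder: List[Bucket], max_cum_gap_ratio: float) -> List[str]:
    """Buckets whose |cumulative gap| / total RSA exceeds the Board-style limit."""
    total_rsa = sum(b.rsa for b in ladder)
    return [name for name, g in cumulative_gaps(ladder).items()
            if abs(g) / total_rsa > max_cum_gap_ratio]


if __name__ == "__main__":
    for name, g in cumulative_gaps(SAMPLE_LADDER).items():
        print(f"{name:<12} cumulative gap {g:>10,.0f}")
    for shock in (-100, +100, +200):
        print(f"{shock:+d} bps -> NII change {nii_impact(SAMPLE_LADDER, shock):+.1f} LKR Mn")
    print("limit breaches:", gap_limit_breaches(SAMPLE_LADDER, 0.15))
```

For the constructed ladder a +100 bps parallel shock reduces one-year NII by about 54 LKR Mn, and the 1-3 month bucket is the only one whose cumulative gap (8,000 against 46,000 of rate-sensitive assets) breaches the 15% limit; the sign flips symmetrically for a -100 bps shock, which is what makes the gap report useful for pricing decisions at ALCO.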

Foreign Exchange Rate Risk

Foreign exchange rate risk can be termed as the possibility of an adverse impact on the Group’s capital or earnings due to fluctuations in the market exchange rates. This risk arises due to holding of assets or liabilities in foreign currencies. Net Open Position (NOP) on foreign currency indicates the level of net foreign currency exposure that the Bank has assumed at a point in time. This figure represents the unhedged position of the Bank in all foreign currencies. The Bank accrues foreign currency exposure by purchasing and selling foreign currency from customers in its commercial banking and international trade business and through borrowing and lending in foreign currency.

The Bank manages the foreign exchange risk using tools that include limits for net unhedged exposures, hedging through forward contracts, and hedging through creating offsetting foreign currency assets or liabilities. Overall, NOP and currency-wise NOP limits have been established and monitored in real-time. The Bank conducts VaR for the forex position. Stress testing is also performed and reported by TMO. The daily interbank foreign currency transactions are monitored for consistency with preset limits, and any deviations are reported to the Management and BIRMC. The Bank has set limits for FX forward mismatch negative gap for USD currency and all currencies separately.
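As an added worked example of the NOP and forward-mismatch monitoring described above (not the Bank's Treasury system), the block below computes the net open position per currency from spot and forward positions, converts it to a reporting currency, aggregates the overall NOP, and checks currency-wise, overall and forward negative-gap limits. The positions, conversion rates and limits are constructed; the overall NOP uses the Basel "shorthand" aggregation (the greater of the sum of net long and the sum of net short positions), which is an assumption for this example rather than a statement of the regulatory method the Bank applies.

```python
"""Net Open Position (NOP) per currency and overall, checked against limits.

Added worked example; this is not the Bank's Treasury system. Positions,
rates and limits are constructed. The overall NOP uses the Basel "shorthand"
aggregation (greater of the sum of net longs and the sum of net shorts),
which is an assumption for this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CurrencyBook:
    ccy: str
    spot_assets: float        # currency units (Mn)
    spot_liabilities: float
    forward_purchases: float
    forward_sales: float
    rate_to_lkr: float        # constructed conversion rate for reporting


SAMPLE_BOOKS: List[CurrencyBook] = [
    CurrencyBook("USD",   50.0,  42.0, 10.0, 14.0, 320.0),
    CurrencyBook("EUR",   10.0,  12.0,  3.0,  2.0, 350.0),
    CurrencyBook("GBP",    5.0,   4.0,  0.0,  2.0, 400.0),
    CurrencyBook("JPY", 1000.0, 800.0,  0.0,  0.0,   2.2),
]

# Constructed limits: absolute open position in LKR Mn, and a per-currency
# forward negative gap floor in currency units.
SAMPLE_CURRENCY_LIMITS: Dict[str, float] = {"USD": 1_000.0, "EUR": 500.0, "GBP": 500.0, "JPY": 500.0}
SAMPLE_OVERALL_LIMIT = 2_000.0
SAMPLE_FORWARD_GAP_FLOOR = -5.0


def nop(book: CurrencyBook) -> float:
    """Net open position in currency units: spot net plus forward net.
    Positive = net long (loses if the currency depreciates), negative = net short."""
    return (book.spot_assets - book.spot_liabilities) + (book.forward_purchases - book.forward_sales)


def nop_lkr(book: CurrencyBook) -> float:
    return nop(book) * book.rate_to_lkr


def forward_mismatch(book: CurrencyBook) -> float:
    """Forward purchases less forward sales; a negative value is a forward
    negative gap that must be funded or rolled when the contracts mature."""
    return book.forward_purchases - book.forward_sales


def overall_nop_lkr(books: List[CurrencyBook]) -> float:
    positions = [nop_lkr(b) for b in books]
    longs = sum(v for v in positions if v > 0)
    shorts = sum(-v for v in positions if v < 0)
    return max(longs, shorts)


def limit_breaches(books: List[CurrencyBook],
                   currency_limits: Dict[str, float],
                   overall_limit: float,
                   forward_gap_floor: float) -> List[str]:
    """Human-readable list of breached limits; empty when everything is within limit.
    A currency with no configured limit is treated as limit 0 (fail closed)."""
    findings: List[str] = []
    for b in books:
        limit = currency_limits.get(b.ccy, 0.0)
        if abs(nop_lkr(b)) > limit:
            findings.append(f"{b.ccy} NOP {nop_lkr(b):,.0f} LKR Mn exceeds limit {limit:,.0f}")
        if forward_mismatch(b) < forward_gap_floor:
            findings.append(f"{b.ccy} forward negative gap {forward_mismatch(b):,.1f} "
                            f"below floor {forward_gap_floor:,.1f}")
    overall = overall_nop_lkr(books)
    if overall > overall_limit:
        findings.append(f"overall NOP {overall:,.0f} LKR Mn exceeds limit {overall_limit:,.0f}")
    return findings


if __name__ == "__main__":
    for b in SAMPLE_BOOKS:
        print(f"{b.ccy}: NOP {nop(b):+.1f} ({nop_lkr(b):+,.0f} LKR Mn), "
              f"forward gap {forward_mismatch(b):+.1f}")
    print(f"overall NOP: {overall_nop_lkr(SAMPLE_BOOKS):,.0f} LKR Mn")
    for finding in limit_breaches(SAMPLE_BOOKS, SAMPLE_CURRENCY_LIMITS,
                                  SAMPLE_OVERALL_LIMIT, SAMPLE_FORWARD_GAP_FLOOR):
        print("BREACH:", finding)
```

In the constructed book the USD position is net long 4 Mn (spot long 8 Mn partly offset by a 4 Mn forward negative gap), which at the sample rate breaches the 1,000 LKR Mn currency limit even though the overall NOP of 1,720 LKR Mn stays inside its limit; that is exactly why currency-wise and overall limits are monitored separately.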

The unhedged foreign currency exposure of the Bank is closely monitored, and necessary steps are taken to hedge it in accordance with market volatilities.

Indirect Exposures to Commodity Prices Risk – Gold Prices

The Bank’s pawning portfolio amounted to LKR 13,359 Mn as at 31 December 2023, which amounts to 2% of total assets. The Market Risk Management Unit (MRMU) manages the risk emanating from gold by constantly analysing the international and local market prices and adjusting the Bank’s preferred loan-to-value (LTV) ratio. MRMU also conducts stress testing for the Gold portfolio by forecasting adverse Loss Given Default and PD rates. Stress results are reported to ALCO, BIRMC and the Board.

Equity Prices Risk

Equity price risk is the risk of losses in the marked-to-market equity portfolio due to decline in the market prices. The Bank's direct exposure to the equity price risk arises from the equity portfolios classified as fair value through profit, loss, and other comprehensive income. Indirect exposure to equity price risk arises through the margin lending portfolio of the Bank in the event of crystallisation of the margin borrower's credit risk. The Investment Committee of the Bank is responsible for managing the equity portfolio in line with the policies and guidelines set out by the Board and BIRMC. Allocation of limits for equities taken as collateral for loans and margin trading activities of customers and for the Bank's investment/trading portfolio forms part of the tools for managing the equity portfolio. Rigorous appraisal, proper market timing and close monitoring of the portfolio performance in relation to the market performance facilitate the management of the equity portfolio within the investment strategy framework and the risk policy.

Liquidity Risk

Liquidity risk is the risk of insufficient funds to meet financial obligations on time and in full at a reasonable cost. It arises from mismatched maturities of assets and liabilities. The Bank has a well-set framework for liquidity risk management and a contingency funding plan. The liquidity risk management process includes regular analysis and monitoring of the liquidity position by ALCO and maintenance of market accessibility. Regular cash flow forecasts, liquidity ratios and maturity gap analysis are used as analytical tools by ALCO. Any negative mismatches in the immediate three months revealed through cash flow gap statements are matched against cash availability through incremental deposits or committed lines of credit. While meeting the regulatory requirements relating to liquidity, for internal monitoring purposes the Bank considers the liquidity of each eligible instrument in the market at a given time, as well as undrawn commitments to borrowers, when stress testing its liquidity position.

Maintaining a strong credit rating and reputation in the market enables the Bank to access domestic wholesale funds. The Bank also has access to the money market at competitive rates for short-term liquidity support. In line with the long-term project financing business, the Bank focuses on long-term funding through dedicated credit lines, while its growing share of commercial banking business focuses on Current Accounts and Savings Accounts (CASA) and Term Deposits as the key funding source for its lending. The structure and procedures for Asset and Liability Management at the Bank have been clearly set out in the Board-approved ALCO Charter, which is reviewed annually.

The CBSL Direction No. 07 of 2011 specifies that liquidity can be measured through stock or flow approaches. Under the stock approach, liquidity is measured in terms of key ratios which portray the liquidity in the balance sheet. Under the flow approach, banks should prepare a statement of maturities of assets and liabilities, placing all cash inflows and outflows in the time bands according to their residual time to maturity in major currencies. The Bank has adopted both methods in combination to assess liquidity risk.

Liquidity Risk Management Under the Flow Approach

The Bank prepares a statement of Maturities of Assets and Liabilities (MAL), placing all cash inflows and outflows in the time bands according to their residual time to maturity and non-maturity items as per CBSL recommended and the Bank-specific behavioural assumptions.

The gap analysis of assets and liabilities highlights the cash flow mismatches, which assist in prudently managing liquidity obligations.

Liquidity Ratios under the Stock Approach

The Bank regularly reviews the trends of the following ratios for liquidity risk management under the stock approach in addition to the regulatory ratios. During the year, the Bank maintained liquidity indicators above the regulatory minimums.

According to the minimum liquidity standards (Liquidity Coverage Ratio) under Basel III, banks are required to maintain an adequate level of unencumbered High-Quality Liquid Assets (HQLAs) that can be easily and readily converted into cash to meet their liquidity needs over a 30-calendar-day time horizon under a significantly severe liquidity stress scenario. The LCR computations performed for the Bank indicated that the Bank was comfortably in compliance with the Basel III minimum requirements, holding High-Quality Liquid Assets well in excess of the minimum specified by the Central Bank of Sri Lanka (CBSL) throughout the year.

Net Stable Funding Ratio (NSFR) guidelines issued by the Central Bank of Sri Lanka (CBSL) are designed to reduce funding risk over a longer time horizon by requiring banks to fund with sufficiently stable sources to mitigate the risk of future funding stress and require banks to maintain a stable funding profile in relation to the composition of their assets and off-balance sheet exposures.

Key Liquidity Risk Measurement Tools and Reporting Frequencies

Liquidity risk measure/indicator | Minimum frequency
Stock approach – Ratio analysis:
Net loans to assets | Once in two months
Loans to customer deposits | Once in two months
Large liabilities to earning assets excluding temporary investments | Once in two months
Purchased funds to total assets | Once in two months
Commitments to total assets | Once in two months
Trends in statutory liquid assets ratio | Monthly
Trends in Liquidity Coverage Ratio (LCR) and forecasts | Monthly
Net Stable Funding Ratio (NSFR) | Quarterly
Flow approach:
Maturity gap report (on static basis) | Quarterly
Net funding requirement through dynamic cash flows | Quarterly
Scenario analysis and stress testing | Quarterly
Contingency funding plan | Annual review

The Bank has a contingency plan that provides guidance on managing liquidity requirements in stressed conditions based on different scenarios of severity. The contingency funding plan provides guidance in managing liquidity in bank-specific or market-specific scenarios. It outlines how the assets and liabilities of the Bank are to be monitored, pricing strategies are to be devised, and growth strategies are to be reconsidered, emphasising avoidance of a liquidity crisis based on the risk level. Management and reporting framework for ALCO identifies evaluating a set of early warning signals, both internal and external, in the form of a Liquidity Risk Matrix on a monthly basis in order to assess the applicable scenario ranging from low risk to extremely high liquidity risk and proposes a set of strategies to avoid and mitigate possible crises proactively. The action plan for each high-risk contingency level scenario is to be considered by a liquidity contingency management team, which includes the CEO, Head of Treasury, CRO, Business Unit Heads and a few other members of Senior Management. The liquidity contingency plan was further improved during the year with quantified scenarios and further specifying the responsibilities of the liquidity contingency management team. During the year, the Bank encountered no high liquidity risk scenarios.

Operational Risk

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, systems, and external events. It covers a wide area ranging from losses arising from fraudulent activities, unauthorised trade or account activities, human errors, omissions, inefficiencies in reporting, technology failures or external events such as natural disasters, cyberattacks, terrorism, theft, political instability and extraordinary events such as the COVID-19 pandemic. The objective of the Bank is to manage, control and mitigate operational risk in a cost-effective manner consistent with the Bank’s risk appetite. The Bank has ensured an escalated level of rigour in operational risk management approaches for sensitive areas of its operations. The Operational Risk Management Committee (ORMC) oversees and directs the management of the operational risk of the Bank with facilitation from the Operational Risk Management Unit (ORMU) of the IRMD. Active representation of the relevant departments and units of the Bank ensures the process of operational risk management through Operational Risk Coordination Officers (ORCOs). Segregation of duties with demarcated authority limits, internal and external audits, strict monitoring facilitated by the technology platform and backup facilities for information are the fundamental tools of operational risk management. The Unit has completed five reviews and was involved in six process/product improvement discussions to provide inputs.

The following are other key aspects of the operational risk management process at DFCC Bank PLC:

  • Monitoring of Risk and Control Self Assessment (RCSA) and Key Risk Indicators (KRIs) for the functions under defined threshold limits using a “Traffic Light” system.
  • Maintaining an internal operational risk incident reporting system and carrying out an independent analysis of the incidents by IRMD to recognise necessary improvements in the systems, processes, and procedures.
  • Trend analysis on operational risk incidents and review at the ORMC.
  • Review the downtime of the critical systems and assess the causes. The risk and business impact are evaluated. Corrective action is taken whenever tolerance levels are compromised.
  • Review of HR attrition and exit interview comments in detail evaluated at the ORMC from an operational risk perspective.
  • Establishment of the Bank’s complaint management process under the Board Approved Complaints Management Policy. IRMD analyses complaints received to identify any systemic issues and reports to ORMC on an annual basis, where the Customer Experience Unit submits quarterly analyses.
  • Conduct product and process reviews to identify operational risks and recommend changes to products and related processes.
  • Evaluate the operational risks associated with any new product developments.
  • Maintaining an external loss database to proactively mitigate operational risks that may arise from the external environment.
  • Assist in the Business Continuity Planning and Disaster Recovery (DR) processes and review the results of DR drills conducted in the Bank to provide recommendations for future improvements.
  • Conduct Fraud Risk Management Committee meetings periodically to identify potential fraud risks that might impact the Bank and take timely remedial actions.
Operational risk reporting

Risk identification:
  • Risk and Control Self-Assessments (RCSA)
  • Operational risk incident analysis (internal and external)
  • Risk analysis of products and services
  • Analysis of customer complaints

Risk assessment:
  • Evaluation of risks against the controls through RCSA
  • Key Risk Indicators (KRIs)
  • Incident assessment and escalation (internal and external)
  • Stress testing

Risk monitoring and controlling:
  • Action plans based on incident analysis, RCSA and KRI
  • Insurance
  • Business Continuity Plan and periodic testing

Underpinning all three stages: culture and awareness; policies and guidelines.

Operational Risk Losses

The Bank has improved its operational risk incident reporting system over time by creating an increased level of awareness among the employees with regard to operational risks and the importance of timely incident reporting. A total of 409 incidents were reported in 2023. The Operational Risk Coordination Officers (ORCO) are required to send a report to the Operational Risk Management Unit (ORMU) regarding operational risk-related incidents, if any, that took place at their respective branches or departments. The operational risk incidents reported in 2023 based on the event type are given in the graph.

Most of the reported incidents were due to failure in the execution, delivery and process management, and they also included near misses and no-loss incidents. Due to the stringent controls, current losses from operational risk events have been kept to the barest minimum.

Risk and Control Self-Assessments (RCSAs) and Key Risk Indicators (KRIs) Process of the Bank

Monitoring of Risk and Control Self-Assessments (RCSAs) and Key Risk Indicators (KRIs) in key functions of the Bank was further strengthened by identifying the new processes within the Bank and developing KRIs and RCSAs during the year as a measure to allow the early detection of operational risks before actual failure occurs. Currently, IRMD monitors 68 departments/units for the KRI, and in 2023, RCSA and KRIs were developed for 7 units.

RCSA requires semi-annual self-evaluation of operational risk exposures of processes in the Bank by respective departments. Each department will assess the risks based on impact and likelihood of occurrence, while controls are assessed based on control design and control performance. The results are evaluated at ORMC for additional controls or mitigants to minimise risk exposure to the Bank. Regular KRI monitoring assists business line managers with a quantitative, verifiable risk measurement evaluated against the thresholds. A summary of KRIs based on a traffic light system is presented to ORSC.
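The following is an added worked example of the RCSA scoring and the KRI "traffic light" monitoring referred to in the bullet list under Operational Risk and in the paragraph above; it is not the Bank's own methodology. The 1-5 impact/likelihood and control design/performance scales, the residual-risk formula (weakest-link control effectiveness, with no control ever removing more than 80% of inherent risk), the residual-risk bands, and the sample KRIs with their amber/red thresholds are all constructed assumptions.

```python
"""RCSA residual-risk scoring and KRI traffic-light classification.

Added worked example; not the Bank's methodology. The 1-5 scales, the
control-effectiveness formula, the residual bands, the KRIs and their
thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


def _check_scale(*values: int) -> None:
    for v in values:
        if not 1 <= v <= 5:
            raise ValueError("scores must be on a 1..5 scale")


def inherent_risk(impact: int, likelihood: int) -> int:
    """Impact x likelihood on 1-5 scales: 1 (negligible) to 25 (critical)."""
    _check_scale(impact, likelihood)
    return impact * likelihood


def control_effectiveness(design: int, performance: int) -> float:
    """Weakest-link view: a well-designed control that is poorly operated is
    only as good as its operation. Returns 0.2..1.0."""
    _check_scale(design, performance)
    return min(design, performance) / 5


def residual_risk(impact: int, likelihood: int, design: int, performance: int) -> float:
    """Inherent risk reduced by the control. Capped so that even a fully
    effective control leaves 20% of inherent risk (assumption: no control
    is perfect)."""
    return inherent_risk(impact, likelihood) * (1 - 0.8 * control_effectiveness(design, performance))


def residual_band(score: float) -> str:
    """Constructed bands for presenting residual risk to the ORMC."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Kri:
    name: str
    value: float
    amber: float              # threshold at which the indicator turns amber
    red: float                # threshold at which the indicator turns red
    higher_is_worse: bool = True


def traffic_light(kri: Kri) -> str:
    """Green/amber/red against the thresholds, in whichever direction is adverse."""
    if kri.higher_is_worse:
        if kri.value >= kri.red:
            return "red"
        if kri.value >= kri.amber:
            return "amber"
        return "green"
    if kri.value <= kri.red:
        return "red"
    if kri.value <= kri.amber:
        return "amber"
    return "green"


# Constructed KRIs for one reporting period.
SAMPLE_KRIS: List[Kri] = [
    Kri("Core system downtime (hours/month)", 3.5, amber=2.0, red=5.0),
    Kri("Staff attrition (% annualised)", 18.0, amber=12.0, red=15.0),
    Kri("Unreconciled items older than 30 days", 4, amber=10, red=20),
    Kri("Complaints resolved within SLA (%)", 96.0, amber=95.0, red=90.0, higher_is_worse=False),
]


def kri_dashboard(kris: List[Kri]) -> Dict[str, List[str]]:
    """Group KRI names by colour: the summary form a sub-committee would see."""
    out: Dict[str, List[str]] = {"red": [], "amber": [], "green": []}
    for k in kris:
        out[traffic_light(k)].append(k.name)
    return out


if __name__ == "__main__":
    score = residual_risk(impact=5, likelihood=4, design=2, performance=3)
    print(f"residual risk {score:.1f} -> {residual_band(score)}")
    for colour, names in kri_dashboard(SAMPLE_KRIS).items():
        print(f"{colour}: {names}")
```

Two design points are worth noting. Indicators where a higher value is good (an SLA attainment percentage) need the threshold comparison reversed, which the `higher_is_worse` flag handles so that one dashboard function serves both kinds. And scoring the control by its weaker of design and performance is a deliberate choice: a control that exists on paper but is not operated should not lower the residual score.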

Insurance as a Risk Mitigant

Insurance policies are obtained to transfer the risk of low frequency and high severity losses, which may occur as a result of events such as fire, theft, fraud, natural disasters, errors and omissions. Insurance plays a key role as an operational risk mitigant in the banking context due to the financial impact that any single event could trigger.

Insurance policies in force covering losses arising from the undermentioned assets/processes include:

  • Cash and cash equivalents
  • Pawned articles
  • Premises and other fixed assets
  • Public liability
  • Employee infidelity
  • Negligence
  • Personal accidents and workmen's compensation
  • Losses from counterfeit, forged, fraudulently altered or stolen cards, and associated legal expenses

The Insurance Unit of the Bank reviews the adequacy and effectiveness of insurance coverages on an annual basis and carries out comprehensive discussions with insurance companies on any revisions required at the time of renewal of the insurance coverages.

Outsourcing of Business Functions

Outsourcing occurs when the Bank uses another party to perform non-core banking functions that the Bank itself would have traditionally undertaken. As a result, the Bank will benefit from focusing on its core banking activities while having outside experts take care of the non-core functions. The Bank has outsourced some business functions under its outsourcing policy after evaluating whether the services are suitable for outsourcing based on assessing the risks involved. Further, the Bank undertakes due diligence tests on the companies concerned, such as credibility and ability of the owners, BCP arrangements, technical and skilled workforce capability, financial strength, etc. Archival of documents, certain IT operations, security services, and selected recovery functions are some of the outsourced activities of the Bank. The Bank is concerned and committed to ensuring that the outsourced parties continue to uphold and extend a high standard of customer care and service excellence.

A report on outsourced activities is annually submitted to the CBSL for their review while adhering to the Banking Direction on Outsourcing of Business Operations.

Key Operational Risk Measurement Tools and Reporting Frequencies

Operational risk measure/indicator | Frequency
Operational risk incidents reported during the period (internal) | Every other
Risk and control self-assessments and key risk indicators | Semi-annually
Status and reports of any BCP/DR activities undertaken | As required
Customer complaints during the period | Quarterly
System and ATM downtime reports | Quarterly
Attrition information | Quarterly
Review of outsourced services unit | Annually

For better operational risk management and monitoring, the meeting frequency of the ORMC and its sub-committee has been increased to six each per year.

Operational Risk Management of Information Systems Security (ISS) Risk Under IRMD

Information security risk management (ISRM) is managing the risks associated with using information technology and evaluating risks to the confidentiality, integrity, and availability (CIA) of the Bank’s information assets and processes. The established information security management system is designed to provide a systematic approach to managing the Bank’s sensitive information and processes by considering all aspects of people, processes and technology controls. Further, the Bank’s information security management system has been ISO 27001:2013 certified since 2016. The main objective of ISRM is to ensure compliance with regulatory and contractual requirements while adopting industry security best practices and aligning information security risk management with corporate risk management objectives. ISRM is an ongoing process of identifying, assessing, and responding to security risks. To manage risks effectively, the Bank is implementing the latest version 4 of PCI-DSS certification controls while complying with the SWIFT customer security controls framework, Baseline Security Standard (BSS), and payment-related mobile application security guidelines of CBSL.

The Bank’s current ISRM strategy focuses on the following activities:

  • Improving the existing Information Security Management System (ISMS) by adopting the recent CBSL Regulatory Framework on Technology Resilience and the Data Protection Act.
  • Improving information security policies, procedures, and guidelines while considering regulatory requirements and the dynamic threat landscape.
  • Continuous assessment of security risks related to the Bank’s information assets and processes to ensure technology-related residual risks are maintained at acceptable levels.
  • Reviewing and monitoring information security KPIs and reporting the status of the indicators to the Operational Risk Management Committee.
  • Conducting internal vulnerability assessment and penetration testing covering IT infrastructure at defined intervals to ensure known vulnerabilities are appropriately managed.
  • Performing trend analysis on the Bank's cybersecurity posture and managing information security incidents to minimise the risk.
  • Ensuring adequate information security awareness is given to staff members and the Board of Directors to follow security best practices and detect and report information security events and incidents.

As improvements to the management framework, the Bank adopted a process-oriented risk assessment methodology last year to better clarify risks involved in processes and the corresponding risk factors through an objective-oriented risk identification approach. As a result of establishing a new independent user access review process covering common user access risk scenarios, the system user account management process was streamlined according to the Bank's information security policy. By understanding the complexity of current supply chain-based cybersecurity threats, the Bank consulted a specialised service provider for due diligence and a risk assessment process to quantify risks associated with third-party vendors providing technology services to the Bank. The Bank adopted new information security controls and processes to ensure the continuity of information security while empowering working remotely, which helped the Bank maintain the same customer experience by increasing resource availability during rapid surges in demand for digital capabilities. Further, the Bank revised the cybersecurity risk reporting process last year to improve the visibility of the information security posture of the Bank to the Senior Management, considering the importance of cybersecurity to business continuation. The Bank considers its customer information a priceless asset and keeps improving its information security governance processes, factoring current cybersecurity threats and best practices. During the last year, the Bank undertook a few initiatives to improve the security of its digital assets by introducing new technologies.
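The independent user access review mentioned above reconciles the system's user store against the HR roster so that leavers' accounts, unowned accounts, dormant accounts and unapproved privileged access surface as findings rather than remaining in place. As an added worked example (not the Bank's own tooling), the block below performs that reconciliation on two constructed CSV extracts; the privileged-role set, the approved privileged-user list and the 90-day dormancy threshold are assumptions.

```python
"""Independent user access review: HR roster reconciled against system accounts.

Added worked example; this is not the Bank's own tooling. Both CSV extracts,
the privileged-role set, the approved list and the dormancy threshold are
constructed assumptions.
"""
import csv
import io
from datetime import date
from typing import Dict, List, Set

# Constructed HR extract: who is currently employed.
HR_ROSTER_CSV = """employee_id,name,status,department
E001,A. Perera,active,Treasury
E002,B. Silva,active,IT Operations
E003,C. Fernando,resigned,Credit
E004,D. Jayasuriya,active,Credit
"""

# Constructed extract from the core system's user store.
SYSTEM_ACCOUNTS_CSV = """username,employee_id,role,last_login,enabled
aperera,E001,trader,2024-01-10,true
bsilva,E002,sysadmin,2024-01-12,true
cfernando,E003,credit_officer,2023-09-02,true
djayasuriya,E004,credit_officer,2023-07-15,true
svc_batch,,sysadmin,2024-01-11,true
olduser,E001,trader,2023-01-01,false
"""

PRIVILEGED_ROLES: Set[str] = {"sysadmin", "dba"}
APPROVED_PRIVILEGED_USERS: Set[str] = {"bsilva"}   # the reviewed and approved list


def _read_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def review_user_access(hr_csv: str, accounts_csv: str, approved_privileged: Set[str],
                       as_of: date, dormant_days: int = 90) -> Dict[str, List[str]]:
    """Return enabled accounts grouped by finding type.

    orphaned: no active employee owns the account (a leaver, or a service
              account with no recorded owner)
    dormant: enabled but not used within dormant_days
    unapproved_privileged: privileged role outside the approved list
    One account can appear under more than one finding.
    """
    active_ids = {r["employee_id"] for r in _read_csv(hr_csv) if r["status"] == "active"}
    findings: Dict[str, List[str]] = {"orphaned": [], "dormant": [], "unapproved_privileged": []}
    for acct in _read_csv(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts are out of scope for this review
        user = acct["username"]
        if acct["employee_id"] not in active_ids:
            findings["orphaned"].append(user)
        idle_days = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle_days > dormant_days:
            findings["dormant"].append(user)
        if acct["role"] in PRIVILEGED_ROLES and user not in approved_privileged:
            findings["unapproved_privileged"].append(user)
    return {kind: sorted(users) for kind, users in findings.items()}


if __name__ == "__main__":
    result = review_user_access(HR_ROSTER_CSV, SYSTEM_ACCOUNTS_CSV,
                                APPROVED_PRIVILEGED_USERS, date(2024, 1, 15))
    for kind, users in result.items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

Run against the constructed extracts as of 15 January 2024, the review flags the resigned employee's still-enabled account as both orphaned and dormant, an unowned service account holding an unapproved privileged role, and an active employee's account that has not been used for six months. Disabled accounts are skipped, which is why the review must be run against the live user store and not a stale export.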

  • Improving the Security Operations Center (SOC) capabilities by investing in a state-of-the-art cloud Security Information and Event Management (SIEM) solution as the first Bank to adopt a cloud-based SIEM in Sri Lanka.
  • Improving the frequency of security assessments and the depth of assessments covering critical business applications.
  • Improving real-time vulnerability detection and risk-based vulnerability management capabilities bank-wide through improvements to the existing Endpoint Detection and Response (EDR) solution.
  • Performing technology and operational security gap assessments in payment card related business functions and initiating control implementations to improve the security posture by aligning it with the PCI-DSS security standard requirements.
  • Implementing a Data Leakage Prevention (DLP) solution to ensure the protection of customer and business-sensitive data of the Bank as a part of the Bank's data governance process.
  • Implementing an endpoint data encryption solution to better align with data protection governance requirements.
  • Improving Bank policy and procedure coverage to accommodate work-from-home requirements and strengthening the security controls and monitoring mechanisms to ensure the security continuation during a crisis.
  • Improving information security training and awareness programmes by introducing new modules to the existing computer-based training (CBT) platform.
  • The annual phishing simulation exercise enhances the Bank's user awareness and implementation of robust human controls as a defence mechanism against increasingly sophisticated phishing attacks.

Key Information Security Risk Measurement Tools and Reporting Frequencies

| Information security risk measure/indicator | Frequency |
|---|---|
| IT infrastructure vulnerability assessments (internal) | Quarterly |
| Business application vulnerability assessments (internal) | Quarterly |
| Third party penetration testing | Annually |
| Technology related risk assessment (internal) | Semi-annually |
| Vendor security assessment (internal) | Annually |
| Information security incident reporting | Quarterly |
| Top and emerging risk reporting (internal) | Monthly |

Reputational Risk

Reputational risk is the risk of losing public trust or the Bank’s image being tarnished in the public eye. It could arise from environmental, social, regulatory, or operational risk factors. Events that could lead to reputational risk are closely monitored, utilising an early warning system that includes inputs from frontline staff, media reports, and internal and external market survey results. Though all policies and standards relating to the conduct of the Bank's business have been promulgated through internal communication and training, a specific policy was established to take action in case of an event that may affect the Bank's reputation. The Bank has zero tolerance for knowingly engaging in any business, activity, or association where foreseeable reputational damage has not been considered and mitigated. The complaint management process and the whistleblowing process of the Bank include a set of key tools to recognise and manage reputational risk. Based on the operational risk incidents, any risks that could lead to reputational damage are presented to the Board, and the Bank takes suitable measures to mitigate and control such risks.

Business Risk

Business risk is the risk of deterioration in earnings due to the loss of market share, changes in the cost structure and adverse changes in industry or macroeconomic conditions. The Bank's medium-term strategic plan and annual business plan form a strategic roadmap for sustainable growth. Continuous competitor and customer analysis and monitoring of the macroeconomic environment enable the Bank to formulate its strategies for growth and business risk management. Processes such as Planning, ALM, IT and Product Development, in collaboration with business functions, facilitate business risk management through recognition, measurement, and implementation of tasks. Business risk relating to customers is assessed in the credit rating process and is priced accordingly.

Legal Risk

Legal risk arises from transactions unenforceable in a court of law or the failure to successfully defend legal action instituted against the Bank. Legal risk management commences from prior analysis and a thorough understanding of and adherence to related legislation by the staff. Necessary precautions are taken at the design stage of transactions to minimise legal risk exposure.

In the event of a legal risk factor, the Legal Unit of the Bank takes immediate action to address and mitigate these risks. External legal advice is obtained, or counsel retained when required.

Compliance Risk

The Bank's compliance programme encompasses all policies and procedures in managing its compliance risks: regulatory, reputational, operational and legal. It ensures the Bank's compliance with applicable laws, regulations, guidelines and standards of good practice. As the second line of defence, the compliance function plays a key role in managing the risks.

The compliance function of the Bank is structured effectively to manage the dynamic challenges posed by the national and international regulations and to address the risks associated with money laundering, financing of terrorism, and other compliance risks. Setting the right tone from the top has immensely helped to create a sound compliance culture within the Bank and implement compliance strategies in a healthy manner.

The Bank has a robust screening and compliance monitoring system to track transactions and activities for any suspicious patterns that may indicate money laundering or regulatory non-compliance. Leveraging advanced technologies has enabled the Bank to enhance the efficiency and accuracy of compliance processes.

The compliance function conducts regular reviews and assessments to ensure the Bank's adherence to regulatory requirements, identify gaps and promptly address any issues found. Continuous employee training on governing regulations is being conducted to ensure staff adherence to compliance requirements at all levels of the Bank.

The Bank's compliance function closely works with regulatory bodies and key stakeholders in the banking industry to ensure smooth operation.

The Bank has a robust system comprising processes and procedures to ensure compliance with the governing legal and regulatory framework.

Business Continuity Management

The Business Continuity Management System (BCMS) and the Business Continuity Plan (BCP) of the Bank ensure timely recovery of critical operations that are required to meet stakeholder needs based on identified disruptions categorised into various severity levels. The BCMS has been designed to minimise risk to human and other resources and to enable the resumption of critical operations within reasonable time frames specified according to Recovery Time Objectives (RTOs) with minimum disruption to customer services and payment and settlement systems.

In order to enhance the resilience of the Bank's IT systems, the Primary Data Centre and backup Disaster Recovery (DR) IT Systems were relocated to two separate Tier 3 certified co-location data centres during the year. The existing DR site located in a suburb of Colombo will continue to be used as an alternate work site for critical business operations. The Bank conducts periodic DR drills. These DR drills are subject to independent validation by the Internal Audit Department. A report on the effectiveness of the drill is submitted to the BIRMC/Board and also to the Central Bank with the Board's observations. Learnings and improvements to DR activities are discussed and implemented through the BCMS Committee, the ORMC and the BIRMC. Training and drills are carried out to ensure that employees are aware of their role within the BCP.

Stress Testing of Key Risks

The Bank has been conducting stress testing on a regular basis. A comprehensive stress testing policy in line with the regulatory guidelines and international best practices is in place. The policy describes the purpose of stress testing, the governance structure, the methodology for formulating stress tests, frequencies, assumptions, tolerance limits and remedial action. Stress testing and scenario analysis have played a significant role in the Bank’s risk mitigation efforts. Stress testing has provided a dynamic platform to assess “what if” scenarios and to provide the Bank with an assessment of areas to improve.

The Bank covers a wide range of stress tests that check the resilience of the Bank’s capital, liquidity, profitability, etc.

The outcome of the stress testing process is monitored carefully, and remedial actions are taken and used by the Bank as a tool to supplement other risk management approaches. During 2023, the stress scenarios were updated to be more relevant to the current economic landscape and, considering the dynamic nature of the risk types, stress testing frequencies were also amended.

The details of stress tests carried out by the Bank for 2023 are given below:

Credit and concentration risk

Methodologies adopted
  • Impact of adverse movement of the impairment stages
  • Impact of increase in impaired loan ratio
  • Sector concentration, concentration of credit rating, concentration of products and concentration of borrowers
  • Capital Adequacy Ratios (CAR) were stressed to see if the ratios fall below the regulatory levels

Results
  • Additional capital was computed for all extreme concentration risks and was reported to the Senior Management
  • The CAR remained above the minimum regulatory limit under low stressed conditions
  • At medium and high stress conditions, CAR stands above 10%, which is the minimum regulatory requirement at a full drawdown of the Capital Conservation Buffer (CCB).

Market risk

Methodologies adopted
  • Stress testing and VaR calculations of currency exposure
  • Stress testing and VaR calculations for the equity portfolio
  • Change of interest rates and its effect on the Bank’s profitability and capital

Results
  • VaR on currency exposure and equity portfolio were within the Bank’s acceptable risk matrices.
  • At all stress conditions, CAR stands above 10%, which is the minimum regulatory requirement at a full drawdown of the Capital Conservation Buffer (CCB).

Operational risk

Methodologies adopted
  • Stress on the Bank’s capital against increase of possible operational losses

Results
  • No significant effect on capital; the impact is well within the Bank’s risk absorption capability.

Liquidity risk

Methodologies adopted
  • Stress on liquidity due to settlement risk, decline in collections, and bulk deposit redemption
  • Stress on liquid assets ratio due to run on liabilities
  • Erosion of deposits due to sudden reputation risk and associated liquidity risks

Results
  • Liquid asset ratio was maintained above the minimum regulatory limit at all stress scenarios.

Multifactor stress testing

Methodologies adopted
  • Combined stress of all risks

Results
  • The CAR remained above the minimum regulatory limit under low stressed conditions
  • At medium and high stress conditions, CAR stands above 10%, which is the minimum regulatory requirement at a full drawdown of the Capital Conservation Buffer (CCB).

Findings of the Bank’s stress testing activities are input into several processes, including capital computation under the Internal Capital Adequacy Assessment Process (ICAAP), strategic planning and risk management. As an integral part of ICAAP under Pillar II, stress testing is used to evaluate the sensitivity of the current and forward risk profile relative to the stress levels defined as low, moderate and high in the Stress Testing Policy. The resultant impact on the capital through these stress tests is carefully analysed, and BIRMC regularly reviews stress testing outcomes, including assumptions underpinning them. They provide a broader view of all risks borne by the Bank in relation to its risk tolerance and strategy in a hypothetical stress situation. Stress testing has become an effective communication tool for senior management, risk owners, risk managers, supervisors, and regulators. The results of the stress testing are reported to BIRMC and the Board periodically to support proactive decision-making.

Risk Capital Position and Financial Flexibility

The Bank adopts a proactive approach to ensure a satisfactory risk capital level throughout its operations. In line with its historical practice and capital targets, the Bank aims to maintain its risk capital position above the regulatory minimum requirements for Tier I and total capital under Basel guidelines. As at 31 December 2023, the Bank maintained a risk capital position of 11.49% Tier I capital ratio and 13.51% total capital ratio based on the Basel III regulatory guidelines. Both ratios are above the minimum regulatory requirement of 8.5% for Tier I and 12.5% for total capital. Capital adequacy measures the adequacy of the Bank's aggregate capital in relation to the risk it assumes. The Bank's capital adequacy has been computed using the following approaches of the Basel regulations currently practised in the local banking industry.

  • Standardised approach for credit risk
  • Standardised approach for market risk
  • Basic Indicator approach for operational risk

The graph below shows the Bank's capital allocation and available capital buffer as at 31 December 2023, based on the quantified risk as per the applicable regulatory guidelines. Out of the regulatory risk capital (total capital) available as of 31 December 2023, the capital allocation for credit risk is 81% of the total capital, while the available capital buffer is 8%.

Capital Adequacy Management

Basel III is the global regulatory standard on managing banks' capital and liquidity, which is currently in effect. With the introduction of Basel III in mid-2017, the capital requirements of banks have been increased with an aim to raise the quality, quantity, consistency and transparency of the capital base and improve the loss-absorbing capacity.

Additionally, Pillar II (Supervisory Review Process – SRP) under the Basel regulations requires banks to implement an Internal Capital Adequacy Assessment Process (ICAAP) for assessing capital adequacy in relation to the risk profiles and a strategy for maintaining capital levels. The Bank has in place an ICAAP, strengthening the risk management practices and capital planning process. It focuses on formulating a mechanism to assess the Bank's capital requirements, covering all relevant risks and stress conditions in a futuristic perspective in line with the level of assumed risk exposures through its business operations. The ICAAP formulates the Bank's capital targets, capital management objectives and capital augmentation plans.

The ICAAP demonstrates that the Bank has implemented methods and procedures to capture all material risks, and adequate capital is available to cover such risks. This document integrates Pillar I and Pillar II processes of the Bank wherein Pillar I deals with regulatory capital, primarily covering credit, market and operational risks, whilst Pillar II deals with economic capital involving all other types of risks.

As per the direction issued by the CBSL, under supervisory review of Basel III, CBSL encourages banks to enhance their risk management framework and proactively manage emerging risks. This is to ensure that the Bank maintains an adequate capital buffer in case of a crisis while more importance has been placed on Pillar II and ICAAP. The Bank uses a mix of quantitative and qualitative assessment methods to measure Pillar II risks. A quantitative assessment approach is used for concentration risk, liquidity risk, and interest rate risk, whilst qualitative approaches are used to assess risks such as reputational risk and strategic risk.

The Senior Management team is closely involved in formulating risk strategy and governance, considering the Bank’s capital planning objectives under the strategic planning process. Capital forecasting for the next three years covering envisaged business projections is considered in the budgeting process. This forward-looking capital planning helps the Bank to be proactive with additional capital requirements in the future.

This integrates strategic plans and risk management plans with the capital plan in a meaningful manner with inputs from Senior Management, Management Committees, Board Committees and the Board.

The capital adequacy ratio and risk-weighted assets of DFCC Bank PLC on a solo and a group basis under Basel III are given below.

| Quantified as per the CBSL Guidelines (as at 31 December) | 2023 Bank | 2023 Group | 2022 Bank | 2022 Group |
|---|---|---|---|---|
| Credit risk-weighted assets (LKR Mn) | 331,726 | 332,340 | 331,751 | 332,256 |
| Market risk-weighted assets (LKR Mn) | 14,062 | 14,062 | 8,392 | 8,392 |
| Operational risk-weighted assets (LKR Mn) | 33,950 | 34,616 | 24,960 | 25,492 |
| Total risk-weighted assets (LKR Mn) | 379,738 | 381,018 | 365,103 | 366,140 |
| Total Tier I capital adequacy ratio – Basel III (%) | 11.49 | 12.46 | 10.09 | 9.94 |
| Total capital adequacy ratio – Basel III (%) | 13.51 | 14.48 | 13.15 | 12.99 |

Financial Flexibility in the DFCC Group’s Capital Structure

The Bank has access to contributions from shareholders and has built up capital reserves over time by adopting prudent dividend policies, maintaining an increased level of retained profits and issuing Tier II eligible capital instruments as and when needed.

Apart from the capital position reported on the balance sheet, the Bank maintains financial flexibility through the stored value in its equity investment portfolio. The unrealised capital gain of the listed equity portfolio is included in the fair value reserve.

Assessment of Integrated Risk

In the assessment of integrated risk, the Bank reviews key regulatory developments to anticipate changes and their potential impact on performance. The nature and impact of changes in economic policies, laws and regulations are monitored and considered in how the Bank conducts business and manages capital and liquidity.

The Bank has complied with all the currently applicable risk-related regulatory requirements while closely monitoring the internal limits as shown in the table below:

Integrated risk management

Impact: An adequate level of capital is required to absorb unexpected losses without affecting the Bank’s stability (capital as a percentage of total risk-weighted assets).

Key risk indicators (limit type)
  • Common Equity Tier I Ratio (Common Equity Tier I as a percentage of total risk-weighted assets) – Regulatory
  • Total Tier I Capital Ratio (Total Tier I Capital as a percentage of total risk-weighted assets) – Regulatory/Internal
  • Total Capital Ratio (Total capital as a percentage of total risk-weighted assets) – Regulatory/Internal

Concentration/credit risk management

Impact: When the credit portfolio is concentrated on a few borrowers or a few groups of borrowers with large exposures, there is a high risk of a substantial loss due to failure of one such borrower.

Key risk indicators (limit type)
  • Single Borrower Limit – Individual (amount of accommodation granted to any single company, public corporation, firm, association of persons or an individual/capital base) – Regulatory/Internal
  • Single Borrower Limit – Group – Regulatory/Internal
  • Aggregate large accommodation limit (sum of the total outstanding amount of accommodation granted to customers whose accommodation exceeds 15% of the capital base/outstanding amount of accommodation granted by the Bank to total customers excluding the Government of Sri Lanka) – Regulatory/Internal
  • Aggregate limits for related parties (accommodation to related parties as per the CBSL Direction/Regulatory Capital) – Internal
  • Exposure to agriculture sector as defined by CBSL Direction
  • Exposure to each industry sector (exposure to each industry as a percentage of total lending portfolio) – Internal
  • Leases portfolio (on-balance sheet exposure to the leasing product as a percentage of total lending portfolio) – Internal
  • Exposure to GOSL – Internal
  • Exposure to institutions in the Maldives – Internal
  • Stage 3 Ratio – Internal
  • Industry HHI – Internal
  • Project lending – Regulatory
  • Loan and OD – Exposure in BB grade – Internal
  • Loan and OD – Exposure in B and below grades – Internal
  • Leasing – Exposure in BB and below grades – Internal
  • Leasing – Exposure in B and below grades – Internal
  • Limit on margin lending for individual borrowers – Regulatory/Internal
  • Margin trading (aggregate exposure of margin loans extended/total loans and advances)

Liquidity risk

Impact: If adequate liquidity is not maintained, the Bank will be unable to fund the Bank’s commitments and planned assets growth without incurring additional costs or losses.

Key risk indicators (limit type)
  • Statutory Liquid Assets Ratio – Regulatory/Internal
  • Liquidity Coverage Ratio (all currencies and Rupee only) – Regulatory/Internal
  • Statutory Reserve Ratio – Regulatory
  • Foreign Currency Borrowing Limit – Short-term borrowings
  • Foreign Currency Borrowing Limit – Total borrowings – Regulatory
  • Net Stable Funding Ratio – Regulatory/Internal
  • Leverage Ratio – Regulatory

Market risk

Key risk indicators (limit type)
  • Forex Net Open Long Position – Regulatory
  • Forex Net Open Short Position – Regulatory
  • Limit for counterparty off-balance sheet market risk
  • Max holding period for trading portfolio – Internal
  • Maximum FX Swap – Internal
  • Clean money market borrowing limit – Internal
  • Portfolio limit on Trading – Internal
  • Portfolio limit on AFS – Internal
  • Portfolio limit on HTM – Internal

Investment risk

Key risk indicators (limit type)
  • Equity exposure – Individual (equity investment in a public company/Capital funds of the Bank) – Regulatory
  • Equity exposure – Individual (equity investment in a public company/Paid-up capital of the Company)
  • Aggregate equity exposure in public companies (aggregate amount of equity investments in public companies/capital funds of the Bank) – Regulatory
  • Aggregate equity exposure in public companies – Internal
  • Equity exposure (equity exposure as a percentage of Total Lending Portfolio plus Securities Portfolio)
  • Equity exposure in each sector – Internal
  • Single equity exposure out of the quoted equity portfolio

Operational efficiency

Impact: Adequately placed policies, processes and systems will ensure and mitigate against excessive risks which may result in direct financial impact, reputational damages and/or regulatory actions.

Key risk indicators (limit type)
  • Operational efficiency ratio – Internal
  • Regulatory breaches (zero risk appetite) – Internal
  • Inability to recover from business disruptions over and above the Recovery Time Objectives (RTO) as defined in the BCP of the Bank (zero risk appetite) – Internal
  • Internal fraud (zero tolerance for losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or Bank policy, excluding diversity/discrimination events, which involve at least one internal party) – Internal
  • External fraud (very low appetite for losses due to acts of a type intended to defraud, misappropriate property or circumvent laws, by a third party) – Internal
  • Employee practices and workplace safety (zero appetite for losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events) – Internal
  • Client products and business practices (zero risk appetite for losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements) or from the nature or design of a product) – Internal
  • Damage to physical assets (very low appetite for loss arising from loss or damage to physical assets from natural disasters or other events) – Internal
  • Business disruption and systems failures (low appetite for business disruptions/system failures for more than 30 minutes during service hours)
  • Execution, delivery, and process management (low appetite for losses from failed transaction processing or process management) – Internal