Risk Culture and Vision
The Bank adopts a comprehensive and well-structured mechanism for assessing, quantifying, managing and reporting risk exposures which are material and relevant for its operations within a clearly defined risk management framework. An articulated set of limits under the risk management framework explains the risk appetite of the Bank for all material and relevant risk categories and the risk capital position. Risk management is blended into the gamut of the Bank’s activities, including strategic, business and financial planning and customer transactions. As a result business and risk management goals and responsibilities are aligned across the organisation.
Risk is managed systematically by focusing on group basis and managing risk across the enterprise, individual business units, products, services, transactions, and across all geographic locations.
The following are the broad risk categories.
Risks covered under Pillar I of Basel regulations
- Credit risk
- Market risk including foreign currency risk, equity price risk, and interest rate risk in the trading book
- Operational risk
Risks covered under Pillar II of Basel regulations
- Business risk and strategic risk
- Liquidity risk
- Settlement risk
- Credit concentration risk
- Technology and information security risk
- Interest rate risk in the banking book
- Legal risk
- Compliance risk
- Reputational risk
- Off balance sheet exposures and securitisation risk
General Policies for risk management
The general policies and procedures for risk management are listed below.
- The Board of Directors inculcates a strong risk governance culture to maintain a prudent integrated risk management function in the Bank.
- Promoting awareness of risk policies to all Bank employees.
- Establishing well-defined organisational responsibilities for the “Three Lines of Defence” in the Bank for management of risks, which consists of the risk-assuming functions, independent risk management and compliance functions and the internal and external audit functions.
- Ensuring compliance with regulatory and other laws underpinning the risk management and business operations of the Bank.
- Centralised risk management function which is independent of risk assuming functions.
- Strengthening internal expertise and capabilities for risk management, to ensure that the Bank’s risk management capabilities are sufficiently robust and effective to meet the strategic objectives of the Bank.
- Assessing risks on an incremental and portfolio basis when designing or redesigning products and processes, before implementation.
- Adoption of the principle of risk based pricing.
- Ensuring that the Board approved target capital requirements, which are more stringent than the minimum regulatory capital requirements, are not compromised.
- Aligning risk management strategy to the Bank’s business strategy.
- Ensuring timely, prudent, accurate risk disclosures to relevant parties.
- Defining risk appetite of the Bank, aligning with the Bank’s strategic, capital, and financial plans, which are articulated through a Risk Appetite Statement.
- Periodic review of risk management policies and practices to align with the developments in regulations, business environment, internal environment and industry best practices.
Risk Governance
Three Lines of Defence
The Bank’s risk management framework embodies accountability, responsibility, independence, communication, reporting, and transparency. This is implemented by way of the “Three Lines of Defence” concept as follows:
The First Line of Defence encompasses management control at business level, ensuring compliance with relevant internal control mechanisms, while taking responsibility and accountability for the daily management of business operations.
The Second Line of Defence consists of independent risk monitoring, validation, and centralised oversight of the effective implementation of the risk management framework. This also includes policy review and compliance, carried out by the Integrated Risk Management Department (IRMD) and the Compliance Department.
The Third Line of Defence is provided by the independent assurance and quality checks conducted by the internal and external audit functions.
The Bank’s risk governance includes setting and defining the risk appetite, risk limits, risk management functions, capital planning, risk management policies, risk infrastructure, and risk profile analysis. The Bank exhibits an established risk management culture and effective risk management approaches, systems, and controls. Policy manuals, internal controls, segregation of duties, clearly demarcated authority limits and internal audits form a part of key risk management tools.
The Bank’s risk management framework covers all aspects of risk governance, including risk management structure, which is implemented through different subcommittees and clearly defined reporting lines. The framework ensures that the risk management unit is functioning independently. The Chief Risk Officer (CRO) functions by directly reporting to the Board Integrated Risk Management Committee (BIRMC).
Risk Policies and Guidelines
A set of structured policies and frameworks recommended by the BIRMC and approved by the Board of Directors forms a key part of the risk governance structure. The integrated risk management framework stipulates, in a broader aspect, the policies, guidelines, and organisational structure for the management of overall risk exposures of the Bank in an integrated manner. This framework defines risk integration and aggregation approaches for different risk categories. In addition, separate policy frameworks detail the practices for managing key specific risks. These frameworks and policies are subject to regular review and updating. Risk Policies and Guidelines have been integrated across all business relationships to ensure alignment with the Bank’s core values and policy commitments. By embedding these commitments into business practices, the Bank maintains a responsible and transparent approach that reflects its dedication to long-term value creation and corporate responsibility.
Risk Appetite
The Bank’s risk appetite is defined in the Overall Risk Limits System (ORLS). It consists of risk limits arising from regulatory requirements, borrowing covenants, and internal limits for prudential purposes. The Limits System is a cornerstone of the risk indicators and encompasses key risk areas such as credit, market, liquidity, operational, equity, and capital position, amongst others.
Lending limits have been established to manage credit concentration to industry sectors, rating grades, borrowers and countries as part of the prudential internal limits. Industry sector limits for the lending portfolio consider the inherent diversification within the subsectors and the borrowers within broader sectors.
A “Traffic Light” system monitors these limits monthly and quarterly. These risk appetite limits are reviewed at least annually in line with the risk management capacities, business opportunities, the Bank’s business strategy and regulatory requirements.
If the risk appetite threshold has been breached or is approaching levels not desirable by the Bank, risk-mitigating measures and business controls are implemented to bring the exposure level back within the accepted range. Risk appetite, therefore, translates into operational measures such as new or enhanced limits or qualitative checks for dimensions such as capital, earnings volatility, and concentration of risks.
Main Tolerance Limits for Key Types of Risks
Risk Area | Risk Appetite Criteria | Limit/Range |
Integrated risk and capital management | Total Tier I capital adequacy ratio (under Basel III) (Total Tier I capital as a percentage of total risk-weighted assets) | > 8.5% (Regulatory); internal limit is based on ICAAP |
Integrated risk and capital management | Total capital adequacy ratio (under Basel III) (Total capital as a percentage of total risk-weighted assets) | > 12.5% (Regulatory); internal limit is based on ICAAP |
Credit quality and concentration | Stage 3 ratio | < Industry average as published by the CBSL (Internal) |
Credit quality and concentration | Stage 1 impairment cover | > 0.5% (Regulatory) |
Credit quality and concentration | Single borrower limit – Individual | < 30% (Regulatory); < 28% (Internal) |
Credit quality and concentration | Single borrower limit – Group | < 33% (Regulatory); < 30% (Internal) |
Credit quality and concentration | Aggregate large accommodation | < 55% (Regulatory); < 45% (Internal) |
Credit quality and concentration | Exposures to industry sectors | < 5% to 20% (Internal) |
Credit quality and concentration | Aggregate limit for related parties | < 25% (Internal) |
Liquidity risk | Leverage ratio | > 3% (Regulatory) |
Liquidity risk | NSFR | > 100% (Regulatory); > 110% (Internal) |
Liquidity risk | Liquidity coverage ratio (all currencies and rupee only) | > 100% (Regulatory); > 110% (Internal) |
Market risk | Forex net open long position or short position | As prescribed by the Central Bank of Sri Lanka (Regulatory) |
Market risk | Foreign currency total borrowings | |
Market risk | Total government security exposure | < 35% (Internal) |
Equity risk | Equity exposure – individual (based on capital fund of the Bank and on paid up capital of the given company) | As prescribed by the Central Bank of Sri Lanka (Regulatory) |
Equity risk | Aggregate equity exposure (based on capital fund of the Bank) | < 30% (Regulatory) |
Equity risk | Equity investment in each sector | < 20% to 40% (Internal) |
Operational risk | Gross operational direct loss | < 0.25% (Internal) |
Operational risk | Gross operational potential loss | < 0.5% (Internal) |
Board Integrated Risk Management Committee (BIRMC)
The BIRMC is a Board Subcommittee that oversees the risk management function as stipulated by the regulator. The Board approved charter sets out its responsibilities, which includes corporate governance requirements for Licensed Commercial Banks issued by the Central Bank of Sri Lanka (CBSL).
With the new Banking Act Direction on Corporate Governance No. 05 of 2024, the BIRMC Charter was revised during the latter part of 2024. The committee consists of three Board members. The Chief Executive Officer (CEO), Deputy Chief Executive Officer (DCEO) and the key management personnel supervising broad risk categories, including the Chief Risk Officer (CRO), Chief Compliance Officer (CCO), Chief Operating Officer (COO) and Head of Treasury, are permanent invitees to the meetings.
For a summary of responsibilities and functions of the BIRMC refer page 203.
The BIRMC meets at least once every two months and reviews the risk information and exposures as reported by the Integrated Risk Management Department, Treasury, Finance, Compliance and Service units. Risk reporting includes reports on overall risk analysis relating to the Bank’s capital, risk appetite, limits position, stress testing, any strategic risks faced by the Bank, and risk analysis of the Group companies. Additionally, they include reports covering the main risk areas such as credit, market, liquidity, operational, information systems security, and compliance risks.
In 2024, six BIRMC meetings were held, where the Committee focused more on market risk, credit risk, and capital adequacy amidst the volatile operating environment in Sri Lanka’s challenging macroeconomic landscape. Given the pressures of inflation, currency fluctuations, interest rate volatility, and debt restructuring efforts, the Committee closely monitored the adequacy of risk-mitigating actions and reviewed stress testing outcomes. These measures were aligned with the Bank’s risk appetite to ensure resilience in navigating ongoing economic challenges.
Scope and main content of risk reporting to the BIRMC
Risk Type | Scope and main content of risk reporting |
Overall risk | |
Credit risk | |
Market and liquidity risk | |
Operational risks | |
Technology and information security risk | |
Compliance risk | |
Involvement of management committees
Several management committees play an important role in risk management.
The Credit Committee (CC), Asset and Liability Management Committee (ALCO), Operational Risk Management Committee (ORMC), Operational Risk Sub Committee (ORSC), Fraud Risk Management Committee (FRMC), Special Loan Review Committee (SLRC), IT Steering Committee (ITSC), Investment Committee (IC), Facility Restructuring Committee (FRC), Impairment Assessment Committee (IAC), Information Security Committee (ISC) and Consequent Management Committee (CMC) are included in the risk management framework of the Bank. Responsibilities and tasks of these committees are stipulated in the Board-approved Charters and Terms of Reference (TORs), and the membership of each committee is defined to bring an optimal balance between business requirements and risk management.
The Integrated Risk Management Department (IRMD) plays the role of measuring and monitoring risk on an ongoing basis to ensure compliance within the parameters set out by the Board, BIRMC, and other management committees for performing the Bank’s overall risk management function. It consists of separate units namely Credit Risk Management, Market Risk Management, Operational Risk Management, Asset and Liability Management, Loan Review Mechanism, Technology & Information Security Risk Management, Integrated Risk Management, Treasury Middle Office, Portfolio Risk Management and Business Continuity Management.
Developments in 2024
Changes to Operating Environment and Key Developments in the Risk Management Function
The following emerged as significant cybersecurity risks in 2024:
- Surge in cyberattacks targeting outdated systems
- Exploitation of vulnerabilities due to rapid technology adoption
- Social engineering and phishing schemes targeting individuals and organisations
The following emerged as significant fraud risks in 2024:
- Increased attempts at fraudulent applications (e.g. loans, credit cards)
- Emerging use of advanced fraudulent technologies, such as deepfakes
- Increase of identity theft fraudulent cases
To address such risks, the Bank has increased the frequency of its Risk and Control Self-Assessments (RCSA) to a quarterly basis. This enhancement aligns with technology-driven process and product risk management. It strengthens the Bank’s risk management practices and ensures compliance with evolving regulations. The revised RCSA framework impacts five key departments. A formal management escalation process has been established to address significant gaps identified during assessments, ensuring timely corrective action.
During the year, the Bank implemented significant technology-driven advances in risk management. Recognising the profile of emerging threats, the Bank has adopted a zero trust security model: no user or device is trusted by default on the basis of its network location, and every access is subject to strict, explicitly verified access controls. Vigilance is also exercised in cloud security and data privacy as more applications are moved to the cloud.
Risk procedures have been upgraded not only for the Bank’s internal processes. Supply chain security has also been reinforced by implementing rigorous vendor management practices, and the Bank has conducted employee awareness programmes to mitigate risks arising from phishing and social engineering attacks.
The Bank’s organisational framework and policies have been updated to reflect the changing cybersecurity landscape. The role of the Chief Information Security Officer (CISO) has been expanded, and a dedicated risk management committee has been established to oversee cybersecurity risks and compliance. The Bank also developed a comprehensive incident response plan to ensure effective response to any potential cyberattacks.
The Bank remains committed to keeping up with technology trends and adapting security strategies to protect the assets and reputation in an increasingly complex digital environment.
Additionally, a robust procedure has been implemented to monitor third-party service providers with enhanced oversight. This includes periodic on-site visits and assessments based on criticality of the service provider. The process ensures active involvement of all relevant stakeholders such as Internal Audit, Compliance, Information Security and respective business units.
Advanced threat analysis enabled the security teams to detect and mitigate technology risks, including not only threats to the Bank itself but also threats targeting its customers. The Bank plans to extend this threat detection to other stakeholders as well.
These initiatives demonstrate the Bank’s dedication to maintaining operational resilience and safeguarding technological systems in an ever-changing risk environment.
Businesses are operating in increasingly competitive environments, where an accurate understanding of customer value is critical. The Bank has automated the customer profitability analysis providing a granular view of which customers contribute most to profitability, enabling more focused growth strategies.
Heightened regulatory scrutiny in financial and risk management has driven organisations to adopt more transparent and systematic approaches. Advancing technology has also spawned changes. The availability of advanced analytics and data visualisation tools has made automation and dashboarding practical and efficient. IRMD implemented Risk Dashboards to facilitate monitoring and reporting of key risks, including credit risk, liquidity risk, foreign exchange risk, equity risk and interest rate risk, and to ensure compliance with evolving standards. This has also improved data visibility for senior management, enabling informed decision-making to mitigate potential risks and drive strategic growth.
The Business Continuity Plan (BCP) was strengthened with the initiation of the Business Continuity Management System ISO 22301 certification process.
The implementation of the advanced Asset and Liability Management (ALM) system, a platform to manage assets and liabilities more efficiently while effectively addressing liquidity and interest rates risks, is in progress.
Key Risk Indicators (KRIs) for branches were implemented with the objective of enhancing operational resilience and fostering a risk awareness culture by selecting relevant risk indicators with periodic reporting requirements.
Proactive measures under scenario analysis were introduced to strengthen the stress testing framework for the Liquidity Coverage Ratio (LCR), ensuring a more robust liquidity risk management process.
The Bank confirmed compliance with the FX Global Code, demonstrating that treasury operations align with international best practices.
Equity individual share limits were established based on Beta values to identify and manage exposure to the most sensitive shares. This was accompanied by the strengthening of control and monitoring mechanisms. The Value-at-Risk (VaR) model underwent validation and was confirmed as acceptable, with a limited set of assumptions, ensuring its reliability for risk assessment.
The Credit Policy, Credit Risk Management Framework, and Credit Manual were updated to incorporate the latest regulatory requirements and market trends, ensuring alignment with industry best practices. Credit Risk Management Unit (CRMU) streamlined the process of identification of clients with significant increase in credit risk during renewals, enhancement of exposures, restructures and in trade extensions. The unit continues to monitor industry sector performances and identify facilities that can be considered under long term stress. The watch-listing of clients was streamlined to more accurately identify those at risk of defaulting. This will enable the Bank to take timely action to tighten recovery measures.
The CRMU has implemented a system to capture and integrate all assigned risk ratings of clients into the Core Banking System, ensuring accurate tracking of client risk profiles. This enhancement streamlines risk assessment processes and enables more effective monitoring and management of client-related risks.
The CRMU also organised knowledge-sharing sessions with Credit Hubs nationwide to provide guidance on enhancing credit appraisal processes, communicate insights on the Bank’s strategic direction as outlined by the CRO, and solicit input from Credit Hub officers for integration into the Bank’s credit policies.
A detailed analysis of credit facilities granted during the last three years was undertaken by the Portfolio Risk Management Unit and the findings showed significant progress in the credit quality and repayment conduct of facilities granted during this period vis-à-vis facilities granted during previous years.
Further, an analysis of credit cards granted to the self-employed sector was carried out where the behaviour of different sub-segments falling under this category was examined, and recommendations were provided to improve portfolio quality as well as business objectives. Several such analyses covering leasing, MSME, personal loans, housing loans and OD products were carried out and the insights gathered have been used to re-align risk management, credit decision making and business approaches accordingly.
Contribution to Bank performance
The IRMD plays a key role in the overall performance of the Bank. Management of key risks contributes to financial stability. Proactive risk mitigation strategies have strengthened the Bank’s ability to withstand sudden changes in the market.
In certain specific products, the department aligned with business requirements to capitalise on favourable market opportunities. In such cases, limits were adjusted, taking into account calculated risks associated with possible adverse market movements. Comprehensive risk assessments and robust control mechanisms provided senior management with a clear understanding of the overall impact on the Capital Adequacy Ratio (CAR), facilitating well-informed and confident decision-making.
Risk Management and Governance
The IRMD has aligned its responsibilities to be compliant with Corporate Governance for licensed banks under Banking Act Direction No. 5 of 2024. As part of the review, the Department has revised the BIRMC Charter to be in line with the new framework, reaffirming the Bank’s commitment to strong risk management governance practices.
With the introduction of CBSL Direction No. 1 of 2024, CBSL discontinued the requirement for licensed banks to maintain Statutory Liquid Assets Ratio (SLAR) and emphasised the importance of maintaining the Liquidity Coverage Ratio (LCR) and Net Stable Funding Ratio (NSFR). Accordingly, the Bank utilises specified monitoring tools to effectively assess liquidity positions, ensuring compliance with regulatory requirements and maintaining strong liquidity management practices.
Sustainability and Social Responsibility
As Environmental, Social, Governance (ESG) considerations are becoming a global concern, customers and stakeholders expect businesses to align with ESG goals. The credit appraisal format has been updated to incorporate additional information regarding the sustainability of projects financed by the Bank.
Employees and Culture Development
IRMD believes in value of diversity, and welcomes employees from diverse backgrounds and offers training and upskilling opportunities to meet the changing needs of the workforce.
Further, IRMD has identified the importance of improving the credit evaluation knowledge of the “First Line of Defence” in order to safeguard the Bank’s interests and ensure that prudent risk management is well addressed across the credit evaluation process. To achieve these training objectives, IRMD plans to offer various training and development opportunities through its Training & Development arm, the “DFCC – Risk Management Academy”.
Credit Risk
Credit risk is the main risk that arises from the Bank’s core operations. It is the potential loss resulting from customers’ failure to meet contractual obligations when they fall due. Credit risk arises from lending operations, granting of loans and advances to the entire gamut of customers. The lending portfolio accounts for 56% of total Bank assets and 83% of the risk weighted assets. Monitoring the credit risk is a vital aspect of the Bank’s operations since it has a direct bearing on its profitability. Considering the above, the Bank has continued precautionary measures to ensure prudent lending, analysing various segments of the lending portfolio for signs of deterioration, extending repayment periods for identified borrowers, and managing overlays for risk-elevated sectors. The Bank periodically reviews its risk policies, procedures and practices to ensure they align with the current environment.
Watch – listing
The Bank has established a watch-listing and close monitoring process to identify clients that have demonstrated signs of increased credit risk. The information on frequently watch-listed clients based on overdue exposures and rating downgrades monitored over a period of time, is disseminated to management with a view of taking corrective measures to ensure the quality of the Bank’s loan book.
Clients who show signs of high risk are reported periodically to the credit committee. A traffic light system is also in operation to classify clients according to the impact they have on the portfolio.
Industry Analysis
As part of its safeguards, the Bank reviews and analyses trends of clients grouped as industry segments or portfolios. There is a regular cycle of reporting from the IRMD to the BIRMC on client portfolio performance. These reports guide business line managers on credit decisions. IRMD also contributes to the human resource evaluation by arranging for resource persons to conduct training on credit evaluation and credit risk management.
A process to identify stressed industry segments was initiated with the COVID-19 pandemic in 2020. The Bank continues these reviews based on the challenges faced by particular sectors.
Risk Rating
DFCC Bank uses seven rating models for the rating of lending clients. Rating models are based on financial, non-financial and industry parameters. Risk rating varies from Low Risk (AAA) to Default (D). Pricing of the key products is based on the risk rating of the client.
Credit Risk Management Process
The Bank’s credit policies which define the credit strategy to be adopted by the Bank are approved by the Board of Directors. The policies are based on CBSL Directions on integrated risk management, Basel recommendations, business practices, and the Bank’s risk appetite. The Board of Directors define the credit objectives, outlining the credit strategy to be adopted at the Bank. Credit risk management provides several guiding directives; identifying target markets and industry sectors, defining risk tolerance limits and recommending control measures to manage concentration risk. Uniformity of practice across the Bank is ensured by standardised formats and clearly documented processes and procedures.
Credit risk culture
- Reviewed credit risk management framework and credit policy to meet the requirements of the current economic conditions.
- The Bank’s governance and organisational structures are aligned with its established risk appetite to enhance the culture of credit risk management within the Bank.
- IRMD creates awareness of credit risk management through training programmes and experience sharing sessions, including online channels and infographic e-learning modules, to enhance credit underwriting and evaluation capabilities in the Bank. IRMD also evaluates the challenges, risks and opportunities in identified industries to realign the credit strategy and provide direction on lending to the business units.
Credit approval process
- A structured and standardised credit approval process is documented in the credit manual. All activities involving credit appraisal, documentation, funds disbursement, monitoring performance, restructuring and recovery procedures are described in detail in the manual, which is reviewed every two years at minimum, or more frequently if required. Standardised appraisal formats and workbooks have been designed for each facility type and are being reviewed annually or as and when required, to be in line with business needs.
- The Bank is using specialised application software to process finance leases. Collateral guidelines for lending were amended/improved during the year considering the market conditions and current economic situation of the country to safeguard the Bank’s interest. Clearly defined credit workflow ensures segregation of duties among credit originators, independent review and approval authority. Delegation of Lending Authority sets out approval limits based on a combination of risk levels, as defined by risk rating and security type, loan size, proposed tenure, borrower, and group exposure.
- An independent rating review of every credit proposal, with the exception of certain identified products, is performed by IRMD. The CRO and VP CRM attend the Credit Committees as observers and evaluate credit proposals from a risk perspective. Risk-based pricing is practised at the Bank; however, deviations are allowed for identified products, for funding through credit lines, and where strong justification is made for business development purposes.
Control measures
- Exclusion lists and special clearance sectors are identified based on the country’s laws and regulations, Bank’s corporate values and policies and level of risk exposure. Exclusion list specifies the industry sectors to which lending is disallowed while special clearance sectors specify industry sectors and credit products to which the Bank practices caution in lending. Advisory limits on single borrower exposure, group exposure and industry sectors are set by the Board of Directors on the recommendation of IRMD.
Credit risk management
- Timely identification of problem credit through concentration risk analysis in relation to industries, products and geographical locations such as branches or regions.
- Industry reports and periodic economic analyses provide direction to lending units to identify profitable business sectors in which to grow the Bank’s portfolio, and to identify industry-related risk sources and their impact.
- Categorisation of the industry sectors into four stress segments: minimum, short-term, medium-term and long-term, based on the magnitude of impact and timing of recovery and reviewing the industry stress segments at frequent intervals based on the evolving situation.
- Evaluation of new products from a credit risk perspective to highlight any embedded risks and mitigants. Independent rating review by the Credit Risk Management Unit of IRMD ensures an assessment of credit quality at the time of credit origination and credit reviews.
- A post-sanction review of loans by the Loan Review Unit, which is independent of the Credit Risk Management Unit, within a stipulated time frame is in place in accordance with the Loan Review Policy to ensure credit quality is maintained.
- Periodic validation of credit rating models and introducing necessary adjustments to the models for better discriminatory power based on model validation results and existing macroeconomic outlook.
Credit risk monitoring and reporting
- Periodic reporting of an analysis of the Bank’s portfolio, covering stage movement and concentration risk across various dimensions including product, borrower, rating, collateral, location and industry, as well as regulatory and advisory limits, is presented to the BIRMC and other management committees.
- A comprehensive and systematic process of watch-listing is in place for identifying, monitoring and reporting clients that demonstrate a significant increase in credit risk, which will contribute to the continuous improvement of the quality of the loan book.
- Continuously review and monitor the lending portfolio in order to proactively take steps to restructure facilities.
- Continuous contribution to effective financial reporting through stage upgrades in accordance with SLFRS 9 and involvement in the Impairment Committee.
Key Credit Risk Measurement Tools and Reporting Frequencies
The following credit risk measurement tools are used by the Bank to manage credit risk and are reported at the frequencies stated.
| Credit risk measure or indicator | Frequency |
|---|---|
| Probability of default | Quarterly |
| LGD under Basel III and IFRS | Quarterly |
| Top and emerging risks | Monthly |
| Credit portfolio analysis | Once in two months |
| Rating-wise distribution across business segments | Once in two months |
| Summary of rating reviews including overridden ratings | Once in two months |
| Watch-listed clients | Monthly to the Senior Management and quarterly to the Board |
| Summary of reviews done under Loan Review Mechanism | Quarterly |
Dimensions for Analysis and Monitoring of Credit Concentration Risk
| Credit concentration risk measure/indicator | Frequency |
|---|---|
| Industry sector limits positions | Quarterly |
| Top 20 borrower exposures | Quarterly |
| Top 20 borrower group exposures | Quarterly |
| Industry sector HHI* | Quarterly |
| Product distribution of the credit portfolio | Once in two months |
| Borrower distribution across rating grades | Quarterly |
*The Herfindahl-Hirschman Index (HHI) is a measure of concentration, calculated by squaring each sector’s share of total exposure and summing the results; the closer the index is to 1, the more concentrated the portfolio.
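As an added illustration of the footnote above (not the Bank’s own code or figures), the following Python computes the HHI from sector exposures, converts it into the equivalent number of equal-sized sectors, and checks sector shares against caps. The exposures and the caps are constructed sample values.

```python
"""Herfindahl-Hirschman Index (HHI) for credit concentration.

Added example; not the Bank's own code. The sector exposures and the
share caps below are constructed sample values, not actual figures.
"""
from typing import Dict, List, Tuple

# Constructed sample: outstanding exposure per industry sector, LKR Mn.
SAMPLE_EXPOSURES: Dict[str, float] = {
    "Manufacturing": 3000.0,
    "Trading": 2500.0,
    "Construction": 1500.0,
    "Agriculture": 1000.0,
    "Tourism": 1000.0,
    "Other": 1000.0,
}

# Constructed sample: caps on a sector's share of the portfolio (fraction).
SAMPLE_SECTOR_LIMITS: Dict[str, float] = {"Manufacturing": 0.25, "Trading": 0.30}


def sector_shares(exposures: Dict[str, float]) -> Dict[str, float]:
    """Share of total exposure per sector (each in [0, 1], summing to 1)."""
    total = sum(exposures.values())
    if total <= 0:
        raise ValueError("total exposure must be positive")
    return {sector: amount / total for sector, amount in exposures.items()}


def hhi(exposures: Dict[str, float]) -> float:
    """Sum of squared sector shares, as in the footnote.

    Ranges from 1/n (exposure spread evenly over n sectors) to 1.0
    (everything in one sector); a rising HHI means growing concentration.
    """
    return sum(share * share for share in sector_shares(exposures).values())


def effective_sector_count(exposures: Dict[str, float]) -> float:
    """1 / HHI: the number of equal-sized sectors that would give the same HHI."""
    return 1.0 / hhi(exposures)


def sector_limit_breaches(
    exposures: Dict[str, float], limits: Dict[str, float]
) -> List[Tuple[str, float, float]]:
    """Sectors whose share exceeds their cap, as (sector, share, cap)."""
    shares = sector_shares(exposures)
    return [
        (sector, shares[sector], cap)
        for sector, cap in limits.items()
        if sector in shares and shares[sector] > cap
    ]


if __name__ == "__main__":
    print(f"HHI = {hhi(SAMPLE_EXPOSURES):.4f}")
    print(f"effective number of sectors = {effective_sector_count(SAMPLE_EXPOSURES):.2f}")
    for sector, share, cap in sector_limit_breaches(SAMPLE_EXPOSURES, SAMPLE_SECTOR_LIMITS):
        print(f"limit breach: {sector} share {share:.1%} exceeds cap {cap:.0%}")
```

With the sample data the HHI is 0.205, equivalent to about 4.9 equal-sized sectors, and Manufacturing (30% of the book) breaches its 25% cap; tracking the index quarter on quarter shows whether the book is concentrating even when no single cap is breached.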
PORTFOLIO RISK
Portfolio Risk Management Unit (PRMU) is tasked with the primary responsibility of identifying risks in the Bank’s high-volume lending product portfolios by carrying out extensive analysis of data stored across multiple platforms. Data analytic tools and modelling techniques are used to gain in-depth, multidimensional insights into customer segments covering demographic, geographic and behavioural dimensions. The findings are disseminated to business units and other stakeholders to facilitate prudent decision making.
Loan Review Mechanism
Loan Review Mechanism (LRM) is currently a regulatory requirement under the CBSL Direction No. 07 of 2011 on Integrated Risk Management. It is an effective tool for constantly evaluating the quality of the loan book and bringing about qualitative improvements in credit functions. The LRM function is carried out by the Loan Review Unit (LRU) of IRMD.
Market Risk
Market risk is the possibility of losses arising from changes in the value of a financial instrument as a result of changes in market variables such as interest rates, exchange rates, equity prices and commodity prices. The limits used to control market risk are stipulated in the Investment Policy, the Treasury Middle Office (TMO) Policy, the Treasury Manual and the overall limits system. Market risk affects the Bank mainly in two ways: loss of cash flows or loss of economic value. It is of two types: traded market risk, associated with the trading book, and non-traded market risk, associated with the banking book. The ALCO oversees the management of both. Market risk management is an integral component of overall risk management within the Bank; managing it effectively is crucial for maintaining financial stability, protecting assets and achieving long-term business objectives.
The Treasury manages the foreign exchange risk with permitted hedging mechanisms. Trends in relevant local as well as international markets are analysed and reported to ALCO and BIRMC by IRMD and the Treasury.
Interest rate sensitivity analysis (modified duration analysis), Value-at-Risk (VaR), simulation and scenario analysis, stress testing and marking-to-market of positions are used to quantify market risk for monitoring and management purposes. TMO is responsible for the Bank’s market risk management, that is, the procedures used to identify, assess, monitor and control potential losses arising from changes in financial market conditions, covering fluctuations in interest rates, exchange rates, commodity prices and equity prices. TMO’s functions include market risk identification and quantification, risk measurement models, risk limits and guidelines, hedging strategies, monitoring and reporting, stress testing, regulatory compliance and analytics, all of which contribute to continuously improving the risk culture.
Interest Rate Risk
Interest Rate Risk can be termed as the risk of loss in the net interest income (earnings perspective) or the net worth (economic value perspective) due to adverse changes in the market interest rates. The main cause of interest rate risk is the repricing risk arising due to any mismatch between repricing assets and liabilities. The Bank manages its interest rate risks primarily through an asset liability repricing gap analysis, which groups interest-sensitive asset and liability positions into several maturity buckets. The gaps are monitored periodically against limits defined by the Board. The Asset and Liability Management unit routinely assesses the assets and liabilities in terms of interest rates. The results are reported to ALCO for necessary corrective action.
Interest rate risk comprises:
- Repricing risk that arises from the inherent mismatch between the Bank’s assets and liabilities, resulting in repricing timing differences.
- Basis risk that arises from the imperfect correlation between different yield and cost benchmarks attached to the repricing of assets and liabilities.
- Yield curve risk that arises from shifts in the yield curve that have a negative impact on the Bank’s earnings or asset values.
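The repricing gap analysis described above, as an added Python example (not the Bank’s own model or data): rate-sensitive assets and liabilities are placed in maturity buckets, periodic and cumulative gaps are derived, the 12-month net interest income (NII) impact of a parallel rate shock is approximated from the gaps, and cumulative gaps are checked against a limit. The ladder, the total asset figure and the limit are constructed assumptions; the NII formula is the standard first-order approximation and takes each bucket’s midpoint as its repricing date.

```python
"""Repricing gap analysis and net interest income (NII) sensitivity.

Added example; not the Bank's own code. The bucket balances, the total
asset figure and the cumulative gap limit are constructed sample values
(LKR Mn). The NII change uses the first-order approximation
gap x rate shock x (fraction of the horizon for which the repriced
balance remains outstanding), with each bucket repricing at its midpoint.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Bucket:
    name: str
    mid_months: float  # assumed repricing point of the bucket (its midpoint), in months
    rsa: float         # rate-sensitive assets repricing in this bucket
    rsl: float         # rate-sensitive liabilities repricing in this bucket

    @property
    def gap(self) -> float:
        """Periodic gap: positive = asset-sensitive, negative = liability-sensitive."""
        return self.rsa - self.rsl


# Constructed sample repricing ladder (LKR Mn). "over 1Y" carries a nominal
# midpoint beyond the 12-month horizon and therefore does not affect 12-month NII.
SAMPLE_LADDER: List[Bucket] = [
    Bucket("up to 1M", 0.5, 20000.0, 30000.0),
    Bucket("1-3M", 2.0, 15000.0, 12000.0),
    Bucket("3-6M", 4.5, 10000.0, 8000.0),
    Bucket("6-12M", 9.0, 8000.0, 6000.0),
    Bucket("over 1Y", 24.0, 30000.0, 20000.0),
]
SAMPLE_TOTAL_ASSETS = 100000.0  # constructed
SAMPLE_CUM_GAP_LIMIT = 0.08     # constructed Board-style cap on |cumulative gap| / total assets


def periodic_gaps(ladder: List[Bucket]) -> List[float]:
    return [b.gap for b in ladder]


def cumulative_gaps(ladder: List[Bucket]) -> List[float]:
    """Running sum of the periodic gaps, bucket by bucket."""
    out, running = [], 0.0
    for b in ladder:
        running += b.gap
        out.append(running)
    return out


def nii_sensitivity(ladder: List[Bucket], shock_bp: float, horizon_months: float = 12.0) -> float:
    """Change in NII over the horizon for a parallel rate shock given in basis points.

    A liability-sensitive bank (negative gaps in the near buckets) loses income
    when rates rise, because its liabilities reprice upward before its assets.
    """
    shock = shock_bp / 10000.0
    delta = 0.0
    for b in ladder:
        if b.mid_months >= horizon_months:
            continue  # reprices after the horizon: no effect on this period's NII
        delta += b.gap * shock * (horizon_months - b.mid_months) / horizon_months
    return delta


def cumulative_gap_breaches(
    ladder: List[Bucket], total_assets: float, limit: float
) -> List[Tuple[str, float]]:
    """Buckets whose cumulative gap, as a share of total assets, exceeds the limit."""
    return [
        (b.name, cg / total_assets)
        for b, cg in zip(ladder, cumulative_gaps(ladder))
        if abs(cg) / total_assets > limit
    ]


if __name__ == "__main__":
    for b, pg, cg in zip(SAMPLE_LADDER, periodic_gaps(SAMPLE_LADDER), cumulative_gaps(SAMPLE_LADDER)):
        print(f"{b.name:>9}: gap {pg:>9,.0f}  cumulative {cg:>9,.0f}")
    print(f"NII change for +100bp over 12 months: {nii_sensitivity(SAMPLE_LADDER, 100):,.2f} Mn")
    print("limit breaches:", cumulative_gap_breaches(SAMPLE_LADDER, SAMPLE_TOTAL_ASSETS, SAMPLE_CUM_GAP_LIMIT))
```

On the sample ladder the bank is liability-sensitive in the first bucket (cumulative gap of -10% of total assets, breaching the 8% limit), so a +100 basis point parallel shock reduces 12-month NII by about LKR 53 Mn even though the gap turns positive beyond one year.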
Foreign Exchange Rate Risk
Foreign exchange risk refers to the potential adverse impact on the Bank’s capital or earnings due to fluctuations in market exchange rates. This risk arises from holding a Net Open Position (NOP), where the Bank’s assets and liabilities in foreign currencies differ at any given point in time. The NOP reflects the level of net foreign currency exposure the Bank has, representing the unhedged position across all foreign currencies.
To manage this risk, the Bank employs various strategies, including setting limits on net unhedged exposures, utilising forward contracts for hedging, and offsetting foreign currency assets and liabilities. NOP and currency-specific NOP limits are established and monitored in real-time. The Bank also conducts Value-at-Risk (VaR) assessments for its forex positions and undertakes stress testing, which is performed and reported by the Treasury Middle Office (TMO).
Daily interbank foreign currency transactions are carefully monitored against preset limits, and any deviations are promptly reported to the Management and the Board Integrated Risk Management Committee (BIRMC). Additionally, the Bank has set limits for FX forward mismatch negative gaps, both for USD and other currencies. The unhedged foreign currency exposure is closely monitored, with appropriate steps taken to hedge against market volatility.
The Bank has implemented cumulative stop-loss and take-profit limits at the individual level for the trading book, to mitigate potential risks from sudden adverse exchange rate fluctuations. These limits are effectively managed within the system’s limit module and monitored on a real-time basis.
Indirect Exposures to Commodity Prices Risk – Gold Prices
The Bank’s pawning portfolio as at 31 December 2024 amounted to LKR 16,152 Mn, which accounts for 2% of total assets. The Market Risk Management Unit (MRMU) manages the risk emanating from gold by constantly analysing the international and local market prices and adjusting the Bank’s preferred loan-to-value (LTV) ratio. The Bank also conducts stress testing for the gold portfolio and the stress results are reported to ALCO, BIRMC and the Board.
Equity Price Risk
Equity price risk refers to the potential loss in the mark-to-market equity portfolio due to a decline in market prices. The Bank’s direct exposure to this risk arises from equity portfolios classified as fair value through profit or loss and fair value through other comprehensive income. Indirect exposure occurs through the margin lending portfolio in cases where a borrower’s credit risk crystallises.
The Bank’s Investment Committee manages the equity portfolio in accordance with the policies and guidelines established by the Board and BIRMC. Key risk management tools include setting limits for equities used as collateral for loans and margin trading, as well as for the Bank’s own investment and trading portfolios. The management process is further strengthened through detailed appraisals, proper market timing, and close monitoring of portfolio performance relative to market trends. The Bank has also adopted a more risk-based approach by implementing limits linked to the Beta value of shares, which reflect market volatility. These measures ensure that the equity portfolio is managed effectively within the Bank’s investment strategy and risk policy framework.
Liquidity Risk
Liquidity risk is the risk of the Bank being unable to meet its financial obligations on time, in full and at a reasonable cost. It arises from mismatches in the maturities of assets and liabilities. The Bank has a well-structured framework for liquidity risk management and a contingency funding plan. The liquidity risk management process includes regular analysis and monitoring of the liquidity position by ALCO through cash flow analysis, liquidity ratios and maturity gap analysis, which are also the regulatory measurement tools. Any negative mismatches in the immediate three months revealed by the cash flow gap statements are matched against cash availability from incremental deposits or committed lines of credit. While adhering to regulatory liquidity requirements, the Bank integrates stress testing as a key component of its liquidity risk management strategy, ensuring readiness to implement alternative liquidity strategies swiftly and effectively.
Maintaining a strong credit rating and reputation in the market enables the Bank to access domestic wholesale funds. The Bank also has access to the money market at competitive rates for short-term liquidity support. In line with its long-term project financing business, the Bank focuses on long-term funding through dedicated credit lines; the Bank’s growing share of commercial banking business relies on Current Accounts and Savings Accounts (CASA) and Term Deposits as the key funding source for its lending. The structure and procedures for Asset and Liability Management at the Bank are set out in the Board-approved ALCO Charter, which is reviewed annually.
Measuring Liquidity
Under CBSL Direction No. 7 of 2011, liquidity can be measured through stock approach or flow approach. The Bank has adopted both methods in combination to assess the liquidity risk.
Under the flow approach, the Bank prepares a statement of Maturities of Assets and Liabilities (MAL), placing all cash inflows and outflows in the time bands according to their residual time to maturity and non-maturity items as per CBSL recommended and the Bank-specific behavioural assumptions. The gap analysis of assets and liabilities highlights the cash flow mismatches, which assist in prudently managing liquidity obligations.
Under the stock approach, liquidity is measured in terms of key ratios which portray the liquidity in the balance sheet. The Bank regularly reviews the trends of the ratios listed under Key Liquidity Risk Measurement Tools and Reporting Frequencies below. During the year, the Bank maintained its liquidity indicators above the regulatory minimums.
Under Basel III minimum liquidity standards (Liquidity Coverage Ratio), banks are required to maintain an adequate level of unencumbered High-Quality Liquid Assets (HQLAs) that can be easily and readily converted into cash to meet their liquidity needs for a 30-calendar day time horizon under a significantly severe liquidity stress scenario. The computations of LCR performed for the Bank indicated that the Bank was comfortably in compliance with the Basel III minimum requirements, having sufficient High-Quality Liquid Assets well in excess of the minimum requirements specified by the Central Bank of Sri Lanka (CBSL) throughout the year.
Net Stable Funding Ratio (NSFR) guidelines issued by CBSL are designed to reduce funding risk over a longer time horizon by requiring banks to fund with sufficiently stable sources to mitigate the risk of future funding stress and require banks to maintain a stable funding profile in relation to the composition of their assets and off-balance sheet exposures.
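An added worked example of the LCR computation (not the Bank’s own calculation or figures), in Python: HQLA are taken after haircuts and after the Level 2 caps, 30-day inflows are capped at 75% of outflows, and the ratio is the stock of HQLA over the resulting net outflows. The balances are constructed sample values in LKR Mn. The haircuts (0%, 15%, 50%), the 40% and 15% Level 2 caps and the 75% inflow cap are the Basel III LCR standard parameters; the cap formula is the Basel Annex 1 calculation applied directly to the post-haircut amounts, so it ignores the unwind of short-term secured funding transactions that the full standard also requires.

```python
"""Liquidity Coverage Ratio: HQLA after haircuts and caps over 30-day net cash outflows.

Added example; not the Bank's own code. Balances are constructed sample values
(LKR Mn). Haircuts, the Level 2 caps and the 75% inflow cap follow the Basel III
LCR standard; the unwind of short-term secured funding that the standard also
requires before applying the caps is deliberately left out here.
"""
from dataclasses import dataclass

LEVEL1_HAIRCUT = 0.0
LEVEL2A_HAIRCUT = 0.15
LEVEL2B_HAIRCUT = 0.50
INFLOW_CAP = 0.75  # inflows may offset at most 75% of outflows


@dataclass(frozen=True)
class HqlaBreakdown:
    level1: float            # post-haircut amounts
    level2a: float
    level2b: float
    cap15_adjustment: float  # amount removed so Level 2B is at most 15% of the stock
    cap40_adjustment: float  # amount removed so all Level 2 is at most 40% of the stock

    @property
    def stock(self) -> float:
        return (self.level1 + self.level2a + self.level2b
                - self.cap15_adjustment - self.cap40_adjustment)


def apply_level2_caps(l1: float, l2a: float, l2b: float) -> HqlaBreakdown:
    """Basel III Annex 1 cap formula on post-haircut amounts."""
    # Level 2B at most 15% of the stock: equivalently 15/85 of (L1 + L2A) once the
    # 40% cap is also respected, and 15/60 of L1 in any case.
    adj15 = max(l2b - 15.0 / 85.0 * (l1 + l2a), l2b - 15.0 / 60.0 * l1, 0.0)
    # All Level 2 at most 40% of the stock, i.e. at most 2/3 of Level 1.
    adj40 = max((l2a + l2b - adj15) - 2.0 / 3.0 * l1, 0.0)
    return HqlaBreakdown(l1, l2a, l2b, adj15, adj40)


def hqla_stock(level1_mv: float, level2a_mv: float, level2b_mv: float) -> HqlaBreakdown:
    """Market values in, post-haircut and post-cap stock out."""
    return apply_level2_caps(
        level1_mv * (1.0 - LEVEL1_HAIRCUT),
        level2a_mv * (1.0 - LEVEL2A_HAIRCUT),
        level2b_mv * (1.0 - LEVEL2B_HAIRCUT),
    )


def net_cash_outflows(outflows_30d: float, inflows_30d: float) -> float:
    """Total expected outflows less inflows, with inflows capped at 75% of outflows."""
    return outflows_30d - min(inflows_30d, INFLOW_CAP * outflows_30d)


def lcr(level1_mv: float, level2a_mv: float, level2b_mv: float,
        outflows_30d: float, inflows_30d: float) -> float:
    ncof = net_cash_outflows(outflows_30d, inflows_30d)
    if ncof <= 0:
        raise ValueError("net cash outflows must be positive")
    return hqla_stock(level1_mv, level2a_mv, level2b_mv).stock / ncof


if __name__ == "__main__":
    # Constructed sample position (LKR Mn).
    ratio = lcr(40000.0, 10000.0, 4000.0, outflows_30d=80000.0, inflows_30d=70000.0)
    print(f"LCR = {ratio:.1%}")  # inflow cap binds: 70,000 of inflows count as 60,000
```

Two points the numbers illustrate: with inflows of 70,000 against outflows of 80,000 the 75% cap binds, so net outflows are 20,000 rather than 10,000; and a stock with 10,000 of Level 1 and 25,000 of Level 2 is cut to 16,667 by the caps, because Level 1 must make up at least 60% of what counts as HQLA.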
The Bank has a contingency funding plan that gives guidance on managing liquidity requirements in stressed conditions, based on scenarios of differing severity. The plan sets out how liquidity is to be managed under specified bank-specific or market-specific scenarios: how the Bank’s assets and liabilities are to be monitored, how pricing strategies are to be devised and how growth strategies are to be reconsidered, with the emphasis on avoiding a liquidity crisis at the given risk level. The ALCO management and reporting framework evaluates a set of internal and external early warning signals, in the form of a Liquidity Risk Matrix, on a monthly basis to determine the applicable scenario (ranging from low to extremely high liquidity risk) and proposes strategies to avoid and mitigate possible crises proactively. The action plan for each high-risk contingency scenario is considered by a liquidity contingency management team comprising the Chief Executive Officer, Head of Treasury, Chief Risk Officer, Business Unit Heads and other ALCO members of the Senior Management.
The contingency funding plan was further improved during the year by updating the bank-specific and market-specific Liquidity Risk Indicators (LRIs), strengthening the Bank’s ability to monitor and respond to potential liquidity risks. During the year, the Bank encountered no high liquidity risk scenarios.
Key Liquidity Risk Measurement Tools and Reporting Frequencies
| Liquidity risk measure/indicator | Minimum frequency |
|---|---|
| Stock approach – ratio analysis: | |
| Net loans to total assets | Once in two months |
| Loans to customer deposits | Once in two months |
| Large liabilities to earning assets excluding temporary investments | Once in two months |
| Purchased funds to total assets | Once in two months |
| Commitments to total loans | Once in two months |
| Trends in Liquidity Coverage Ratio (LCR) and forecasts | Monthly |
| Net Stable Funding Ratio (NSFR) | Quarterly |
| Flow approach: | |
| Maturity gap report (on static basis) | Quarterly |
| Net funding requirement through dynamic cash flows | Quarterly |
| Scenario analysis and stress testing | Monthly/Quarterly |
| Contingency funding plan | Annual review |
Operational Risk
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, systems, and external events. It covers a wide area ranging from losses arising from fraudulent activities, unauthorised trade or account activities, human errors, omissions, inefficiencies in reporting, technology failures or external events such as natural disasters, cyberattacks, terrorism, theft, political instability and extraordinary events such as the COVID-19 pandemic. The Bank endeavours to manage, control and mitigate operational risk in a cost effective manner consistent with the Bank’s risk appetite.
The Operational Risk Management Committee (ORMC) oversees and directs the management of the Bank’s operational risk, facilitated by the Operational Risk Management Unit (ORMU) of the IRMD. Operational Risk Coordination Officers (ORCOs) in the relevant departments and units ensure that the operational risk management process is carried through across the Bank. Segregation of duties with demarcated authority limits, internal and external audits, strict monitoring facilitated by the technology platform and backup facilities for information are the fundamental tools of operational risk management.
The following are other key aspects of the operational risk management process at DFCC Bank.
- Monitor Risk and Control Self-Assessment (RCSA) and Key Risk Indicators (KRIs) for the functions under defined threshold limits using a “Traffic Light” system.
- Maintain an internal operational risk incident reporting system and carry out an independent analysis of the incidents by IRMD to recognise necessary improvements in the systems, processes, and procedures.
- Trend analysis on operational risk incidents and review at the ORMC. Review the downtime of the critical systems and assess the causes. The risk and business impact are then evaluated. Corrective action is taken whenever tolerance levels are compromised.
- Review of HR attrition and exit interview comments in detail and evaluate at the ORMC from an operational risk perspective.
- Establishment of the Bank’s complaint management process under the Board-approved Complaints Management Policy. IRMD analyses complaints received to identify any systemic issues and reports to ORMC annually, while the Customer Experience Unit submits quarterly analyses.
- Conduct product and process reviews to identify operational risks and recommend changes to products and related processes.
- Evaluate the operational risks associated with any new product developments.
- Maintain an external loss database to proactively mitigate operational risks that may arise from the external environment.
- Review of Business Continuity Planning and Disaster Recovery (DR) processes, and of the results of DR drills conducted in the Bank, to provide recommendations for future improvements.
- Conduct Fraud Risk Management Committee (FRMC) meetings periodically to identify potential fraud risks that might impact the Bank and take timely remedial actions.
[Figure: operational risk management framework, comprising risk identification, risk assessment, risk monitoring and controlling, operational risk reporting, culture and awareness, and policies and guidelines.] The tools used across these elements are:
- Risk and Control Self-Assessments (RCSA)
- Operational risk incident analysis (internal and external)
- Risk analysis of products and services
- Analysis of customer complaints
- Evaluation of risks against the controls through RCSA
- Key Risk Indicators (KRIs)
- Incident assessment and escalation (internal and external)
- Stress testing
- Action plans based on incident analysis, RCSA and KRI
- Insurance
- Business Continuity Plan and periodic testing
Operational Risk Losses
The Bank has improved its operational risk incident reporting system over time by raising awareness among employees of operational risks and the importance of timely incident reporting. A total of 354 incidents were reported in 2024. Operational Risk Coordination Officers (ORCOs) report operational risk incidents that took place at their respective branches or departments to the Operational Risk Management Unit (ORMU). The operational risk incidents reported in 2024, by event type, are shown in the graph below.
[Graph: operational risk incidents reported in 2024, by event type]
Risk and Control Self-Assessments (RCSAs) and Key Risk Indicators (KRIs)
Monitoring of Risk and Control Self-Assessments (RCSAs) and Key Risk Indicators (KRIs) in key functions of the Bank allows operational risks to be detected early, before an actual failure occurs. Currently, IRMD monitors KRIs for 70 departments/units, and in 2024 RCSAs and KRIs were developed for three units. RCSA requires semi-annual and quarterly self-evaluation by each department of the operational risk exposures in its processes: risks are assessed on impact and likelihood of occurrence, and controls on control design and control performance. During 2024, KRI monitoring was introduced for branches, focusing on identifying emerging risks, tracking trends and ensuring timely corrective action to mitigate potential threats to branch operations. A robust monitoring procedure has been implemented to strengthen oversight of third-party service providers through site visits and enhanced collaboration between the Risk, Audit, Information Security, Compliance and Business teams.
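An added example (not the Bank’s own tooling) of how RCSA results and KRIs can be scored into the traffic-light statuses referred to above, in Python. The 1 to 5 scales, the residual-risk formula (inherent risk reduced in proportion to control effectiveness), the thresholds, and the sample assessments and KRI readings are all constructed assumptions chosen to show the mechanics, including a KRI for which a lower reading is the bad direction.

```python
"""RCSA residual-risk scoring and KRI traffic-light monitoring.

Added example; not the Bank's own code. The 1-5 scales, the residual-risk
formula, the threshold values and the sample data are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List

GREEN, AMBER, RED = "green", "amber", "red"


@dataclass(frozen=True)
class RcsaEntry:
    process: str
    impact: int               # 1 (negligible) .. 5 (severe)
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    control_design: int       # 1 (poor) .. 5 (strong)
    control_performance: int  # 1 (poor) .. 5 (strong)

    def __post_init__(self) -> None:
        for v in (self.impact, self.likelihood, self.control_design, self.control_performance):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.process}: scores must be between 1 and 5")


def inherent_risk(e: RcsaEntry) -> float:
    """Impact x likelihood before controls (1..25)."""
    return float(e.impact * e.likelihood)


def control_effectiveness(e: RcsaEntry) -> float:
    """Design x performance scaled to 0..1; a strong, well-operated control scores 1.0."""
    return (e.control_design * e.control_performance) / 25.0


def residual_risk(e: RcsaEntry) -> float:
    """Assumed formula: inherent risk reduced in proportion to control effectiveness."""
    return inherent_risk(e) * (1.0 - control_effectiveness(e))


def rcsa_rating(e: RcsaEntry, amber_at: float = 5.0, red_at: float = 10.0) -> str:
    r = residual_risk(e)
    return RED if r >= red_at else AMBER if r >= amber_at else GREEN


@dataclass(frozen=True)
class Kri:
    name: str
    value: float
    amber: float               # threshold at which the indicator turns amber
    red: float                 # threshold at which it turns red
    higher_is_worse: bool = True


def kri_rating(k: Kri) -> str:
    """Direction-aware comparison against the amber and red thresholds."""
    if k.higher_is_worse:
        return RED if k.value >= k.red else AMBER if k.value >= k.amber else GREEN
    return RED if k.value <= k.red else AMBER if k.value <= k.amber else GREEN


def escalations(entries: List[RcsaEntry], kris: List[Kri]) -> List[str]:
    """Items rated red, i.e. outside tolerance and requiring corrective action."""
    return ([e.process for e in entries if rcsa_rating(e) == RED]
            + [k.name for k in kris if kri_rating(k) == RED])


# Constructed sample assessments and indicator readings.
SAMPLE_RCSA: List[RcsaEntry] = [
    RcsaEntry("Payments", impact=4, likelihood=3, control_design=4, control_performance=3),
    RcsaEntry("Card issuance", impact=5, likelihood=4, control_design=2, control_performance=2),
    RcsaEntry("Archival", impact=2, likelihood=2, control_design=5, control_performance=5),
]
SAMPLE_KRIS: List[Kri] = [
    Kri("Critical system downtime (hours)", 3.5, amber=2.0, red=6.0),
    Kri("Staff attrition (%)", 9.0, amber=4.0, red=8.0),
    Kri("Reconciliation breaks cleared within SLA (%)", 97.0, amber=95.0, red=90.0, higher_is_worse=False),
    Kri("Audit findings past due", 0.0, amber=3.0, red=6.0),
]


if __name__ == "__main__":
    for e in SAMPLE_RCSA:
        print(f"{e.process:<14} residual {residual_risk(e):5.2f} -> {rcsa_rating(e)}")
    for k in SAMPLE_KRIS:
        print(f"{k.name:<46} {k.value:>6} -> {kri_rating(k)}")
    print("escalate:", escalations(SAMPLE_RCSA, SAMPLE_KRIS))
```

The direction flag matters in practice: a "percentage cleared within SLA" indicator deteriorates as it falls, and treating every KRI as higher-is-worse would silently turn a breach into a green light.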
Insurance as a Risk Mitigant
Insurance policies are obtained to transfer the risk of low-frequency, high-severity losses, which may result from events such as fire, theft, fraud, natural disasters, and errors and omissions. Insurance plays a key role as an operational risk mitigant in the banking context because of the financial impact any single event could trigger. The insurance policies in force cover losses arising from the following assets and processes: cash and cash equivalents, pawned articles, premises and other fixed assets, public liability, employee infidelity, negligence, personal accidents and workmen’s compensation, and losses from counterfeit, forged, fraudulently altered or stolen cards and the associated legal expenses.
Outsourcing of Business Functions
Outsourcing occurs when the Bank uses another party to perform non-core banking functions that the Bank would traditionally have undertaken itself. This enables the Bank to concentrate on its core banking activities while outside experts take care of the non-core functions. Before outsourcing to a party, the Bank carries out due diligence on the companies concerned, covering the credibility and ability of the owners, BCP arrangements, technical and skilled workforce capability, financial strength and similar factors, and considers whether the function is suitable for outsourcing at all. Archival of documents, certain IT operations, security services and selected recovery functions are some of the Bank’s outsourced activities. The Bank is committed to ensuring that outsourced parties continue to uphold a high standard of customer care and service excellence. A report on outsourced activities is submitted annually to the CBSL for review, in adherence to the Banking Direction on Outsourcing of Business Operations.
Key Operational Risk Measurement Tools and Reporting Frequencies
| Operational risk measure/indicator | Frequency |
|---|---|
| Operational risk incidents reported during the period (internal) | Monthly |
| Risk and control self-assessments and key risk indicators | Semi-annually and quarterly |
| Status and reports of any BCP/DR activities undertaken | As required |
| Customer complaints during the period | Quarterly |
| System and ATM downtime reports | Quarterly |
| Attrition information | Quarterly |
| Review of outsourced business operations | Annually |
Technology and Information Security Risk Management
Technology and Information Security Risk Management (TISRM) is the management of risks associated with the use of information technology, evaluating risks to the Confidentiality, Integrity and Availability (CIA) of the Bank’s information assets and processes. The established information security management system provides a systematic approach to managing the Bank’s sensitive information and processes, covering people, process and technology controls.
Further, the Bank’s information security management system has been ISO 27001:2013 certified since 2016.
Information threats such as cyber threats can lead to the disclosure of confidential data to unauthorised parties or the loss of valuable data. Threats evolve continually, and security controls need to evolve in turn. Information Security Risk Management (ISRM) is therefore an ongoing process of identifying, assessing and responding to security risks.
The main objective of TISRM is to ensure compliance with regulatory and contractual requirements while adopting industry security best practices and aligning information security risk management with corporate risk management objectives. The Bank’s current TISRM strategy focuses on the following activities:
- Improving the existing Information Security Management System (ISMS) by adopting the recent CBSL Regulatory Framework on Technology Resilience and the Data Protection Act.
- Improving information security policies, procedures, and guidelines while considering regulatory requirements and the dynamic threat landscape.
- Continuous assessment of security risks related to the Bank’s information assets and processes to ensure technology-related residual risks are maintained at acceptable levels.
- Reviewing and monitoring information security KPIs and reporting the status of the indicators to the Operational Risk Management Committee.
- Conducting internal vulnerability assessment and penetration testing covering IT infrastructure at defined intervals to ensure known vulnerabilities are appropriately managed.
- Performing trend analysis on the Bank’s cybersecurity posture and managing information security incidents to minimise risk.
- Ensuring adequate information security awareness is given to staff members and the Board of Directors to follow security best practices, detect and report information security events and incidents.
- Monitoring and assessing multiple aspects of the use of technology including physical security, safety, and also the use of technical components in banking operations.
Information Systems Security
The establishment of a separate Chief Information Security Officer (CISO) office within the Bank is a strategic initiative aimed at strengthening the information security framework in accordance with the governance requirements set forth by the CBSL. This initiative ensures the robust management of information security risks, aligning with regulatory expectations and industry best practices.
The CBSL mandates that all licensed banks establish an independent CISO function to oversee the Bank’s information security strategy, policies and risk management. The CISO office operates autonomously from IT operations, so that security oversight remains impartial and objective. The Bank’s compliance with these directives is demonstrated through the appointment of a dedicated CISO reporting directly to the Deputy Chief Executive Officer (DCEO), the development and enforcement of a comprehensive Information Security Policy (ISP), the implementation of CBSL-mandated controls for cybersecurity risk assessment, monitoring and mitigation, and regular reporting to the management committees on security threats and incidents. Additional milestones include ISO/IEC 27001 certification held since 2016, demonstrating the Bank’s commitment to global security standards, and plans to obtain the latest versions of ISO 27001, ISO 20000, ISO 22301 and PCI DSS certification during 2025. Further, the Bank has aligned its data governance structures with Sri Lanka’s Personal Data Protection Act (PDPA), ensuring customer rights in terms of data protection.
To enhance the Bank’s resilience against cyber threats, CISO office has undertaken several responsibilities, including conducting security risk assessments, ensuring adherence to regulatory standards, conducting employee awareness programmes, maintaining an incident response plan, monitoring vendor security, and implementing advanced threat detection systems.
During the past year, the CISO office has made significant progress in enhancing the Bank’s cybersecurity posture. Key achievements include the implementation of a Security Operations Center (SOC) for continuous threat monitoring, conducting penetration testing and vulnerability assessments, establishing a Cybersecurity Incident Management Framework, strengthening collaboration with the Financial sector National Cybersecurity Agency and initiating the PCI DSS certification process for completion by 2025.
While substantial progress has been made, challenges remain, including evolving cyber threats, resource constraints, and increased regulatory expectations. Moving forward, the CISO office aims to further automate security monitoring, enhance AI-driven threat detection, expand security awareness training, and strengthen collaboration with law enforcement.
The establishment of a separate CISO office has significantly contributed to fortifying the Bank’s information security governance. By aligning with CBSL regulations and global best practices, DFCC Bank is committed to continuously enhancing cybersecurity resilience, ensuring the protection of customer data and maintaining stakeholder trust.
Key Information Security Risk Measurement Tools and Reporting Frequencies
| Information security risk measure/indicator | Frequency |
|---|---|
| IT infrastructure vulnerability assessments (internal) | Quarterly |
| Business application vulnerability assessments (internal) | Quarterly |
| Third party penetration testing | Annually |
| Technology related risk assessment (internal) | Semi-annually |
| Vendor security assessment (internal) | Annually |
| Information security incident reporting | Quarterly |
| Top and emerging risk reporting (internal) | Monthly |
| User access reviews | Quarterly |
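As an added example (not the Bank’s own procedure) of what the quarterly user access review in the table above should surface, the following Python reconciles a constructed account inventory against a constructed HR roster: it flags accounts with no named owner, owners missing from HR, accounts still enabled after the owner’s exit (and logins after that exit), dormant accounts, and privileged accounts whose last review is older than the review cycle. The review date, the 90-day dormancy threshold and the 92-day review cycle are assumptions.

```python
"""Quarterly user access review: leaver, orphan, dormancy and privileged-review checks.

Added example; not the Bank's own code. The HR roster, the account
inventory, the review date and the thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

DORMANCY_DAYS = 90       # assumed: no login within a quarter counts as dormant
REVIEW_CYCLE_DAYS = 92   # assumed: quarterly review cycle with a few days' grace
REVIEW_DATE = date(2024, 12, 31)  # assumed review date


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                       # "active" or "left"
    exit_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    owner_emp_id: Optional[str]       # None for shared or service accounts
    privileged: bool
    enabled: bool
    last_login: Optional[date]
    last_review: Optional[date]       # last documented owner/manager sign-off


# Constructed sample data.
SAMPLE_ROSTER: Dict[str, Employee] = {
    "E001": Employee("E001", "active"),
    "E002": Employee("E002", "left", exit_date=date(2024, 11, 1)),
    "E003": Employee("E003", "active"),
    "E004": Employee("E004", "active"),
}
SAMPLE_ACCOUNTS: List[Account] = [
    Account("jdoe", "E001", False, True, date(2024, 12, 20), date(2024, 10, 15)),
    Account("asmith", "E002", False, True, date(2024, 11, 20), date(2024, 10, 15)),
    Account("sysadmin2", "E003", True, True, date(2024, 12, 28), date(2024, 6, 30)),
    Account("svc_batch", None, True, True, date(2024, 12, 30), date(2024, 12, 1)),
    Account("rperera", "E004", False, True, date(2024, 7, 1), date(2024, 10, 15)),
    Account("tfernando", "E999", False, True, date(2024, 12, 1), date(2024, 10, 15)),
    Account("old_temp", "E001", False, False, None, None),
]


def review_access(accounts: List[Account], roster: Dict[str, Employee],
                  as_of: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for enabled accounts that need action."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are out of scope for this pass
        owner = roster.get(a.owner_emp_id) if a.owner_emp_id else None
        if a.owner_emp_id is None:
            findings.append((a.username, "no named owner"))
        elif owner is None:
            findings.append((a.username, "owner not on HR roster"))
        elif owner.status == "left":
            findings.append((a.username, "account still enabled after owner exit"))
            if a.last_login and owner.exit_date and a.last_login > owner.exit_date:
                findings.append((a.username, "login after owner exit"))
        if a.last_login is None or (as_of - a.last_login).days > DORMANCY_DAYS:
            findings.append((a.username, "dormant"))
        if a.privileged and (a.last_review is None
                             or (as_of - a.last_review).days > REVIEW_CYCLE_DAYS):
            findings.append((a.username, "privileged account review overdue"))
    return findings


if __name__ == "__main__":
    for username, finding in review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, REVIEW_DATE):
        print(f"{username:<10} {finding}")
```

The "login after owner exit" finding is the one to treat as a potential incident rather than a housekeeping item: it means the leaver process did not disable the account, and someone used the credentials afterwards.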
Reputational Risk
Reputational risk is the risk of losing public trust or the Bank’s image being tarnished in the public eye. It could arise from environmental, social, regulatory, or operational risk factors. Events that could lead to reputational risk are closely monitored, through an early warning system that includes inputs from frontline staff, media reports, and internal and external market survey results. Though all policies and standards relating to the conduct of the Bank’s business have been promulgated through internal communication and training, a specific policy was established to take action in case of an event that may affect the Bank’s reputation. The Bank completely eschews knowingly engaging in any business, activity, or association where foreseeable reputational damage has not been considered and mitigated. The complaint management process and the whistleblowing process of the Bank encompass a set of key tools to recognise and manage reputational risk. Based on the operational risk incidents, any risks that could lead to reputational damage are presented to the Board, and the Bank takes suitable measures to mitigate and control such risks.
Business Risk
Business risk is the risk of deterioration in earnings due to the loss of market share, changes in the cost structure and adverse changes in industry or macroeconomic conditions. The Bank’s medium-term strategic plan and annual business plan form a strategic roadmap for sustainable growth. Continuous competitor and customer analysis and monitoring of the macroeconomic environment enable the Bank to formulate its strategies for growth and business risk management. Processes such as Planning, ALM, IT and Product Development, in collaboration with business functions, facilitate business risk management through recognition, measurement, and implementation of tasks. Business risk relating to customers is assessed in the credit rating process and is priced accordingly.
Legal Risk
Legal risk arises from transactions unenforceable in a court of law or the failure to successfully defend legal action instituted against the Bank. Legal risk management commences from prior analysis, thorough understanding and adherence to related legislation by the staff. Necessary precautions are taken at the design stage of transactions to minimise legal risk exposure. In the event of a legal risk factor, the Legal Unit of the Bank takes immediate action to address and mitigate these risks. External legal advice is obtained, or counsel retained when required.
Compliance Risk
The Bank’s compliance programme encompasses all policies and procedures in managing its compliance risks: regulatory, reputational, operational and legal. It ensures the Bank’s compliance with applicable laws, regulations, guidelines and standards of good practice. Non-compliances could result in financial penalties and damaged reputation. As the Second Line of Defence, the compliance function plays a key role in the Bank’s risk management function. The compliance function of the Bank is structured effectively to manage the dynamic challenges posed by the national and international regulations and to address the risks associated with money laundering, financing of terrorism, and other compliance risks. Unwavering direction from the top has immensely helped to create a sound compliance culture within the Bank and implement compliance strategies in a healthy manner. The Bank has a robust screening and compliance monitoring system to track transactions and activities.
The compliance function conducts regular reviews and assessments to ensure the Bank’s adherence to regulatory requirements, identify gaps and promptly address any issues found. Continuous employee training on governing regulations is being conducted to ensure staff adherence to compliance requirements at all levels of the Bank. The Bank’s compliance function closely works with regulatory bodies and key stakeholders in the banking industry to ensure smooth operation.
Business Continuity Management
A key objective of the Bank is the resilience and continuity of its operations. The Bank has established a Business Continuity Management System (BCMS) and a business continuity plan (BCP) to ensure timely recovery of the critical operations required to meet stakeholder needs, based on identified possible disruptions categorised into various severity levels. The BCMS has been designed to minimise risk to human and other resources and to enable the resumption of critical operations within reasonable time frames specified according to Recovery Time Objectives (RTOs), with minimum disruption to customer services and payment and settlement systems.
The Bank conducts periodic DR drills. These DR drills are subject to independent validation by the Internal Audit Department. A report on the effectiveness of each drill is submitted to the BIRMC/Board and also to CBSL, with the Board’s observations. Learnings and improvements to DR activities are discussed and implemented through the BCSC and the BIRMC. Training and drills are carried out with the participation of employees, making them aware of their role within the BCP.
DFCC Bank is well on its way to obtaining ISO 22301 certification for its business continuity management system by 2025.
Key initiatives driving this include:
- Comprehensive Risk Assessment
- Enhanced Preparedness
- Stakeholder engagement via comprehensive business impact assessments
- Training and Awareness
- Adherence to Global Standards
These efforts reflect the Bank’s proactive approach to safeguarding its operations, building stakeholder confidence, and positioning itself as a leader in operational resilience within the industry. The anticipated ISO certification further cements the Bank’s standing as a trusted and reliable partner in the financial ecosystem.
Environmental, Social, and Governance (ESG) Risk
Key ESG risks relevant to overall risk management include climate-related risks, regulatory changes, reputational risks, and social factors. The Bank recognises the growing importance of Environmental, Social, and Governance (ESG) factors in maintaining financial stability and effective risk management, and has therefore integrated several risk mitigation measures into its credit evaluation process. A dedicated team with specialised expertise in ESG is tasked with assessing large loan facilities to identify potential ESG-related risks. These identified risks are then incorporated into the overall credit evaluation.
Additionally, climate risk is carefully considered when evaluating the risk profile of a client’s business operations. DFCC Bank has already implemented a process to monitor borrowers who may be facing stress due to external challenges, including ESG factors.
Furthermore, DFCC Bank is actively working on the development of advanced systems to identify ESG risks associated with both the client’s business operations and the mortgage securities pledged to the Bank. These systems are aimed at enhancing the Bank’s ability to assess and manage ESG risks effectively and proactively.
In alignment with global best practices, the Bank is committed to enhancing its risk assessment framework by integrating ESG considerations into its stress testing processes and capital requirements. Accordingly, the Bank is in the process of considering all material ESG risks for Pillar II assessment under the capital requirements for licensed banks.
Stress Testing of Key Risks
The Bank conducts stress testing on a regular basis, in accordance with a stress testing policy that is aligned with international best practices and regulatory guidelines. The Bank covers a wide range of stress tests that check the resilience of the Bank’s capital and liquidity. The policy describes the purpose of stress testing and the governance structure, the methodology for formulating stress tests, frequencies, assumptions, tolerance limits and remedial action. Stress testing and scenario analysis have played a significant role in the Bank’s risk mitigation efforts. Stress testing has provided a dynamic platform to assess “what if” scenarios and to provide the Bank with an assessment of areas to improve.
The outcome of the stress testing process is monitored carefully, and remedial actions are taken and used by the Bank as a tool to supplement other risk management approaches. During 2024, the stress scenarios were updated to accommodate new regulatory requirements and to be more relevant in the current economic landscape.
Risk Areas and Methodologies Adopted
Risk area and methodologies adopted | Results
Credit and concentration risk |
Market risk |
Operational risk |
Liquidity risk |
Findings of the Bank’s stress testing activities are used as input in several processes, including capital computation under the Internal Capital Adequacy Assessment Process (ICAAP), strategic planning and risk management. As an integral part of ICAAP under Pillar II, stress testing is used to evaluate the sensitivity of the current and forward risk profile relative to the stress levels defined as low, moderate and high in the Stress Testing Policy. The resultant impact on the capital through these stress tests is carefully analysed, and BIRMC regularly reviews stress testing outcomes, including assumptions underpinning them. They provide a broader view of all risks borne by the Bank in relation to its risk tolerance and strategy in a hypothetical stress situation. Stress testing has become an effective communication tool for senior management, risk owners, risk managers, supervisors, and regulators. The results of the stress testing are reported to BIRMC and the Board periodically to support proactive decision-making.
Risk Capital Position and Financial Flexibility
Capital adequacy measures the adequacy of the Bank’s aggregate capital in relation to the risk it assumes.
The Bank proactively ensures a satisfactory risk capital level throughout its operations. In line with its historical practice and capital targets, the Bank aims to maintain its risk capital position above the regulatory minimum requirements for Tier I and total capital under the Basel guidelines. As at 31 December 2024, the Bank maintained a risk capital position of a 12.40% Tier I capital ratio and a 15.76% total capital ratio based on the Basel III regulatory guidelines. Both ratios are above the minimum regulatory requirements of 8.5% for Tier I and 12.5% for total capital. The Bank’s capital adequacy has been computed using the following approaches of the Basel regulations currently practised in the local banking industry.
- Standardised approach for credit risk
- Standardised approach for market risk
- Basic Indicator approach for operational risk
The graph below shows the Bank’s capital allocation and available capital buffer as at 31 December 2024, based on the quantified risk as per the applicable regulatory guidelines. Out of the regulatory risk capital (total capital) available as of 31 December 2024, the capital allocation for credit risk is 66% of the total capital, while the available capital buffer is 21%.
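As an added worked example (not the Bank’s own calculation), the following Python reconstructs the 66% credit-risk allocation and the 21% buffer from the 31 December 2024 solo figures in the capital adequacy table of this section. It assumes that the allocation to each Pillar I risk is the 12.5% minimum total capital ratio applied to that risk’s risk-weighted assets, with the remainder of total capital reported as the buffer.

```python
"""Capital allocation by risk type and the available capital buffer.

Added worked example, not DFCC Bank's own calculation. Figures are the
Bank (solo) risk-weighted assets and ratios for 31 December 2024 from the
capital adequacy table on this page. Assumption: each Pillar I risk is
allocated the regulatory minimum total capital ratio applied to its
risk-weighted assets; whatever total capital is left over is the buffer.
"""
from dataclasses import dataclass

MIN_TOTAL_CAPITAL_RATIO = 0.125   # CBSL minimum total capital ratio (page)
MIN_TIER1_RATIO = 0.085           # CBSL minimum Tier I capital ratio (page)

# 31 December 2024, Bank (solo), LKR Mn, from the table on this page
RWA_2024_BANK = {
    "credit": 352_329,
    "market": 27_404,
    "operational": 43_469,
}
TOTAL_CAPITAL_RATIO_2024_BANK = 0.1576
TIER1_RATIO_2024_BANK = 0.1240


@dataclass(frozen=True)
class CapitalAllocation:
    total_capital: float   # LKR Mn implied by total capital ratio x total RWA
    by_risk: dict          # share of total capital consumed by each risk type
    buffer: float          # share of total capital not needed for the minima


def allocate_capital(rwa: dict, total_capital_ratio: float,
                     min_ratio: float = MIN_TOTAL_CAPITAL_RATIO) -> CapitalAllocation:
    """Split total capital into per-risk regulatory minima and the free buffer."""
    if min_ratio <= 0 or total_capital_ratio <= 0:
        raise ValueError("ratios must be positive")
    total_rwa = sum(rwa.values())
    total_capital = total_capital_ratio * total_rwa
    # Minimum capital each risk type consumes: min ratio applied to its RWA.
    required = {k: min_ratio * v for k, v in rwa.items()}
    by_risk = {k: v / total_capital for k, v in required.items()}
    # Capital beyond the combined minimum is the buffer. It goes negative
    # when the bank's ratio is below the regulatory minimum.
    buffer = 1.0 - sum(by_risk.values())
    return CapitalAllocation(total_capital, by_risk, buffer)


def headroom_pct_points(actual_ratio: float, min_ratio: float) -> float:
    """Percentage points by which a ratio exceeds (or falls short of) its minimum."""
    return round((actual_ratio - min_ratio) * 100, 2)


if __name__ == "__main__":
    alloc = allocate_capital(RWA_2024_BANK, TOTAL_CAPITAL_RATIO_2024_BANK)
    for risk, share in alloc.by_risk.items():
        print(f"{risk:12s} {share:6.1%}")
    print(f"{'buffer':12s} {alloc.buffer:6.1%}")
    print("Tier I headroom (pp):",
          headroom_pct_points(TIER1_RATIO_2024_BANK, MIN_TIER1_RATIO))
```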
Capital Adequacy Management
Basel III is the global regulatory standard on managing banks’ capital and liquidity that is currently in effect. With the introduction of Basel III in mid-2017, the capital requirements of banks were increased with the aim of raising the quality, quantity, consistency and transparency of the capital base and improving loss-absorbing capacity.
Under Pillar II (Supervisory Review Process – SRP) of Basel III, banks are required to implement an Internal Capital Adequacy Assessment Process (ICAAP) for assessing capital adequacy in relation to their risk profiles, together with a strategy for maintaining capital levels. The Bank has an ICAAP in place, strengthening its risk management practices and capital planning process. The ICAAP sets out the mechanism for assessing the Bank’s capital requirements, covering all relevant risks and stress conditions from a forward-looking perspective in line with the level of risk exposure assumed through its business operations. The ICAAP formulates the Bank’s capital targets, capital management objectives and capital augmentation plans. It demonstrates that the Bank has implemented methods and procedures to capture all material risks, and that adequate capital is available to cover such risks. The ICAAP document integrates the Bank’s Pillar I and Pillar II processes: Pillar I deals with regulatory capital, primarily covering credit, market and operational risks, whilst Pillar II deals with economic capital covering all other types of risk.
As per the direction issued by the CBSL, under supervisory review of Basel III, CBSL encourages banks to enhance their risk management framework and proactively manage emerging risks. This is to ensure that the Bank maintains an adequate capital buffer in case of a crisis, while more importance has been placed on Pillar II and ICAAP. The Bank uses a mix of quantitative and qualitative assessment methods to measure Pillar II risks. A quantitative assessment approach is used for concentration risk, liquidity risk, and interest rate risk, whilst qualitative approaches are used to assess risks such as reputational risk and strategic risk.
The Senior Management team participates actively in formulating risk strategy and governance, considering the Bank’s capital planning objectives under the strategic planning process. Capital forecasting for the next three years, covering envisaged business projections, is considered in the budgeting process. This forward-looking capital planning helps the Bank to be proactive about additional capital requirements in the future. It integrates strategic plans and risk management plans with the capital plan in a meaningful manner, with inputs from Senior Management, Management Committees, Board Committees and the Board.
Capital adequacy ratio and risk-weighted assets of DFCC Bank PLC on a solo and a group basis under Basel III
31 December (quantified as per the CBSL Guidelines) | 2024 Bank | 2024 Group | 2023 Bank | 2023 Group
Credit risk-weighted assets (LKR Mn) | 352,329 | 353,038 | 331,726 | 332,340
Market risk-weighted assets (LKR Mn) | 27,404 | 27,404 | 14,062 | 14,062
Operational risk-weighted assets (LKR Mn) | 43,469 | 44,241 | 33,950 | 34,616
Total risk-weighted assets (LKR Mn) | 423,201 | 424,683 | 379,738 | 381,018
Total Tier I capital adequacy ratio – Basel III (%) | 12.40 | 13.61 | 11.49 | 12.46
Total capital adequacy ratio – Basel III (%) | 15.76 | 16.96 | 13.51 | 14.48
Financial flexibility in DFCC Group’s Capital Structure
The Bank has access to contributions from shareholders and has built up capital reserves over time by adopting prudent dividend policies, maintaining an increased level of retained profits and issuing Tier II eligible capital instruments as and when needed. Apart from the capital position reported on the balance sheet, the Bank maintains financial flexibility through the stored value in its equity investment portfolio. The unrealised capital gain on the listed equity portfolio is included in the fair value reserve.
The Assessment of Integrated Risk
In the assessment of integrated risk, the Bank reviews key regulatory developments to anticipate changes and their potential impact on performance. The nature and impact of changes in economic policies, laws and regulations are monitored and considered in how the Bank conducts business and manages capital and liquidity.
The Bank has complied with all the currently applicable risk-related regulatory requirements, while closely monitoring internal limits, as shown in the table below.
Risk category | Impact | Key risk indicators | Limit type
Integrated risk management | An adequate level of capital is required to absorb unexpected losses without affecting the Bank’s stability (capital as a percentage of total risk-weighted assets) | Common Equity Tier I Ratio (Common Equity Tier I as a percentage of total risk-weighted assets) | Regulatory
| | Total Tier I Capital Ratio (Total Tier I capital as a percentage of total risk-weighted assets) | Regulatory/Internal
| | Total Capital Ratio (Total capital as a percentage of total risk-weighted assets) | Regulatory/Internal
Concentration/credit risk management | When the credit portfolio is concentrated on a few borrowers or a few groups of borrowers with large exposures, there is a high risk of a substantial loss due to the failure of one such borrower | Single Borrower Limit – Individual (amount of accommodation granted to any single company, public corporation, firm, association of persons or an individual/capital base) | Regulatory/Internal
| | Single Borrower Limit – Group | Regulatory/Internal
| | Aggregate large accommodation limit (sum of the total outstanding amount of accommodation granted to customers whose accommodation exceeds 15% of the capital base/outstanding amount of accommodation granted by the Bank to total customers excluding the Government of Sri Lanka) | Regulatory/Internal
| | Aggregate limits for related parties (accommodation to related parties as per the CBSL Directions/regulatory capital) | Internal
| | Exposure to agriculture sector as defined by CBSL Directions | Regulatory
| | Exposure to each industry sector (exposure to each industry as a percentage of total lending portfolio) | Internal
| | Leases portfolio (on-balance sheet exposure to the leasing product as a percentage of total lending portfolio) | Internal
| | Pawning portfolio (on-balance sheet exposure to the pawning product as a percentage of total lending portfolio) | Internal
| | Exposure to GOSL | Internal
| | Stage 3 Ratio | Internal
| | Stage I impairment cover | Regulatory
| | Industry HHI | Internal
| | Project lending | Regulatory
| | Loan and OD – Exposure in BB grade | Internal
| | Loan and OD – Exposure in B and below grades | Internal
| | Leasing – Exposure in BB and below grades | Internal
| | Leasing – Exposure in B and below grades | Internal
| | Limit on margin lending for individual borrowers | Regulatory/Internal
| | Margin trading (aggregate exposure of margin loans extended/total loans and advances) | Internal
Liquidity risk management | If adequate liquidity is not maintained, the Bank will be unable to fund its commitments and planned asset growth without incurring additional costs or losses | Leverage Ratio | Regulatory
| | Liquidity Coverage Ratio (all currencies and Rupee only) | Regulatory/Internal
| | Statutory Reserve Ratio | Regulatory
| | Foreign Currency Borrowing Limit – Short-term borrowings | Regulatory
| | Foreign Currency Borrowing Limit – Total borrowings | Regulatory
| | Net Stable Funding Ratio | Regulatory/Internal
Market risk management | | Forex Net Open Long Position | Regulatory
| | Forex Net Open Short Position | Regulatory
| | Maximum holding period for trading portfolio | Internal
| | Maximum FX Swap | Internal
| | Clean money market borrowing limit | Internal
| | Portfolio limit on Trading | Internal
| | Portfolio limit on AFS | Internal
| | Portfolio limit on HTM | Internal
| | Counterparty Limits (Interbank) | Internal
| | Country Limits | Internal
| | Stressed marked-to-market limit for FVTPL and FVOCI portfolio of G-Sec and US treasuries | Internal
| | Total G-Sec exposures limit | Internal
Investment risk | | Equity exposure – Individual (equity investment in a public company/capital funds of the Bank) | Regulatory
| | Equity exposure – Individual (equity investment in a public company/paid-up capital of the company) | Regulatory
| | Aggregate equity exposure in public companies (aggregate amount of equity investments in public companies/capital funds of the Bank) | Regulatory
| | Aggregate equity exposure in public companies | Internal
| | Equity exposure (equity exposure as a percentage of total lending portfolio plus securities portfolio) | Internal
| | Equity exposure in each sector | Internal
| | Single equity exposure out of the quoted equity portfolio | Internal
| | Equity Portfolio and Individual Stop Loss and Take Profit Limit | Internal
Operational efficiency | | Operational efficiency ratio | Internal
Operational risk | Adequately designed policies, processes and systems guard against excessive risks which may result in direct financial impact, reputational damage and/or regulatory action | Regulatory breaches (zero risk appetite) | Internal
| | Inability to recover from business disruptions over and above the Recovery Time Objectives (RTO) as defined in the BCP of the Bank (zero risk appetite) | Internal
| | Internal fraud (zero tolerance for losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or Bank policy, excluding diversity/discrimination events, which involve at least one internal party) | Internal
| | External fraud (very low appetite for losses due to acts of a type intended to defraud, misappropriate property or circumvent laws, by a third party) | Internal
| | Employee practices and workplace safety (zero appetite for losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events) | Internal
| | Client products and business practices (zero risk appetite for losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements) or from the nature or design of a product) | Internal
| | Damage to physical assets (very low appetite for losses arising from loss or damage to physical assets from natural disasters or other events) | Internal
| | Business disruption and systems failures (low appetite for business disruptions/system failures lasting more than 30 minutes during service hours) | Internal
| | Execution, delivery, and process management (low appetite for losses from failed transaction processing or process management) | Internal