Managing Risk at Commercial Bank

Risk Management Strategy and Framework

Financial Stability Through Risk Management

A clear understanding of risks surrounding the business activities is essential for any organisation to create sustainable stakeholder value through executing its strategies. It is therefore, essential to reinforce the overall strategy of an organisation with a prudent risk management strategy so that the opportunities could be optimised while minimising the effects of down-side risks. Banks which are responsible for the vital role of financial intermediation in the economy should be more committed to managing their risks in a prudent and transparent manner compared to a normal business organisation. Accordingly, Basel Committee on Banking Supervision has formulated broad supervisory standards and guidelines to inculcate industry best practices across the banking institutions through ‘Basel Accords’ (Basel II, the second of the Basel Accords which has been extended by Basel III). While Basel Accord encourages convergence towards common approaches and standards, the ultimate purpose of these rules is to create financial stability and resilience in financial sector institutions.

Basel II Framework

The Basel II framework is built on three Pillars and the progress made by the Bank in achieving these standards are discussed below:

		Pillar 1		Pillar 2		Pillar 3
Concept		Maintenance of minimum regulatory capital for credit risk, market risk and operational risk.		Supervisory review process to evaluate the activities and risk profile of the Bank to determine whether the Bank should hold higher level of capital than the minimum requirement in Pillar 1. This mechanism is commonly known as ICAAP (Internal Capital Adequacy Assessment Process).		Complements the minimum capital requirement and the supervisory review process (i.e., the first and the second pillars) by developing a set of disclosure requirements to facilitate market participants to assess the risk exposures of banks and way in which the risks are managed.
Progress Made by the Bank		Computation of capital adequacy as per regulatory requirements.		The Bank has developed a comprehensive ICAAP framework with the assistance of an overseas risk consultancy firm.		The Bank started providing a comprehensive set of risk management disclosures from 2012 in line with the regulatory requirements.

The local Regulator, Central Bank of Sri Lanka issued Banking Act Direction No. 07 of 2011, ‘Integrated Risk Management Framework to Licensed Banks’ on October 5, 2011 based on international best practices. During the last 2 years, the Bank has progressed well in implementing the Risk Management Framework prescribed by the Regulator within the Organisation.

Bank’s Risk Appetite Framework

The risk appetite of the Bank is established through its risk-related policy framework which communicates the processes, controls, systems and responsibilities of risk management function. Risk appetite defines the aggregate quantum of risk the Bank is willing to assume in different areas of business while maintaining the desired risk profile in achieving its strategic objectives.

The Bank’s risk appetite consists of tolerance limits for various types of risks such as Credit Risk, Market Risk and Operational Risk. Generally, the risk appetite and tolerance levels are periodically reviewed to capture factors such as:

• Evolving business and strategic objectives of the Bank.
• Changing local and global political and economic conditions.
• Changes in regulatory requirements.
• Dynamic competitive business environment.

Clearly defined risk appetite indicators in different categories of risk support consistency in risk-based decisions taken by various officers/committees across the organisation.

Well formulated risk appetite of the Bank ensures that the business plans are executed within the identified risk parameters to optimise the risk - return trade off.

Our Risk Culture and the Risk Management Framework

As a reputed financial institution which is rich with over 90 years of history, Commercial Bank of Ceylon PLC is privileged to have an established risk culture which has supported the Bank to become the largest private sector bank in Sri Lanka. During the last 5 years, this traditional prudent risk culture was reinforced and complemented with the introduction of a formal integrated risk management function independent to the business units.

The Bank’s risk culture focuses on enabling the risk assuming functions (i.e., business units) to make objective decisions, in a consistent manner across the Organisation. ‘Risk Decisions’ are considered to be a shared responsibility of the Business Managers and the Risk Managers; who formulate the ‘first and second lines of defence’ respectively. ‘Third line of defence’ in the risk culture is created by the audit and compliance functions which independently assure integrity and transparency of the risk-related decisions as well as the Risk Management Framework as a whole.

Responsibility of managing the risks across the Bank resides with all levels in the hierarchy from the Board of Directors, Executive Committees to Business and Risk Managers. This structure enables the Bank to take informed decisions after evaluating and challenging them from a risk perspective at various levels.

Risk Management Framework is strengthened by risk-related committees listed below:

Committees		Key Objectives		Represented by
Board Integrated Risk Management Committee (BIRMC)		To ensure that the Bank - wide risks are managed within the risk strategy and appetite established by the Board of Directors.
Board Credit Committee (BCC)		To assist the Board to analyse and review the credit risk control measures in the lending area and compliance with the CBSL regulations and evaluation and recommendation of high value credit proposals.
Executive Integrated Risk Management Committee (EIRMC)		To monitor and review all the risk exposures and risk-related policies/procedures affecting credit, market and operational areas in line with the directives from BIRMC.		Risk Management, Personal Banking, Corporate Banking, Treasury, Inspection, Compliance and Finance.
Assets and Liabilities Committee (ALCO)		To optimise the Bank’s financial goals, while maintaining market and liquidity risks within the Bank’s risk appetite.		Treasury, Corporate Banking, Personal Banking, Risk Management and Finance.
Credit Policy Committee		To review and approve credit olicies/procedures to ensure that all credit portfolios are properly managed within the lending strategies of the Bank.		Corporate Banking, Personal Banking, Risk Management, Inspection, Recoveries and Branch Credit Monitoring.
Executive Committee on Monitoring NPAs		To review and monitor the Bank’s Non-Performing Advances (NPAs) above Rs. 5.0 Mn. classified within the preceding one-year period to initiate timely corrective actions to prevent/reduce credit losses.		Corporate Banking, Personal Banking, Recoveries and Risk Management.

Managing Director and Chief Operating Officer are members of all the above Committees.

 

Basel II - Pillar 1

Adoption of Basel II - Pillar 1 Approaches

Risk Type		Approaches Prescribed by Basel II		Approaches adopted by CBC		Future Plan
Credit Risk		Basel Accord prescribes three approaches of increasing sophistication: The Standardised Approach Internal Rating Based (Foundation) Approach (F-IRB) Internal Rating Based (Advanced) Approach (A-IRB)		Presently, the Bank follows The Standardised Approach in calculating the capital requirement for credit risk.		The Bank procured a credit risk management software solution which complies with the Basel II requirements. This would facilitate migrating to Basel II advance approaches in measuring credit risk for capital calculations subject to regulatory approval.
Market Risk		Basel II allows two approaches for determining capital requirement for market risk: The Standardised Measurement Method Internal Models Approach - Value at Risk (VaR) Models		The Bank currently follows The Standardised Measurement Method in estimating the minimum capital requirement for its market risk exposures.		During the year under review, the Bank invested in a market risk software solution which includes VaR models to calculate VaR at portfolio level. This will enable the Bank in progressing towards Internal Models Approach in calculating the capital requirement for market risk as a precursor to our future plans.
Operational Risk		The operational risk related capital could be calculated under three approaches: Basic Indicator Approach (BIA) The Standardised Approach (TSA) The Advanced Measurement Approach (AMA)		The Bank adopts the Basic Indicator Approach in estimating the operational risk-related capital requirements. It also calculates the capital requirements under The Standardised Approach in line with the regulatory guidelines.		The Bank is in the process of developing an automated Risk Control Self-Assessment (RCSA) framework to support advancement towards more robust operational risk measurement techniques.

Capital Adequacy Computation - Group

Computation of Risk-Weighted Assets

Assets	2013	2012		Risk-Weighted-Balance
	Total Rs. ’000	Total Rs. ’000	Risk Weight Factor %	2013 Rs. ’000	2012 Rs. ’000
Claims on Government of Sri Lanka and Central Bank of Sri Lanka	186,224,330	104,847,253	0	–	–
Claims on foreign sovereigns and their Central Banks	13,013,457	8,387,655	0-150	13,013,457	8,387,655
Claims on Public Sector Entities (PSEs)	1,106,695	261,252	20-150	1,106,695	261,252
Claims on official entities and Multilateral Development Banks (MDBs)	–	–	20-150	–	–
Claims on banks	9,514,102	27,791,198	0-150	4,676,730	11,470,183
Claims on financial institutions	3,483,253	1,863,200	20-150	1,421,616	578,800
Claims on corporates	227,844,770	169,966,572	20-150	216,354,562	159,284,648
Retail claims	64,748,102	102,670,696	75-100	48,566,904	81,944,288
Claims secured by residential property	31,696,981	27,783,126	50-100	26,829,841	27,783,126
Claims secured by commercial real estate	–	–	100	–	–
Non-Performing Assets (NPAs)	7,731,921	6,171,866	50-150	10,914,776	8,179,084
Cash items	11,514,318	11,105,902	0	854	1,633
Property, plant & equipment	9,285,554	9,058,660	100	9,285,554	9,058,660
Other assets	9,928,510	12,352,879	100	9,928,510	12,352,879
Total	576,091,994	482,260,259		342,099,500	319,302,208

 

Instruments	2013	2012	Credit Conversion Factor	Credit Equivalent
				2013	2012
	Rs. ’000	Rs. ’000	%	Rs. ’000	Rs. ’000
Direct credit substitutes	19,134,294	18,638,673	100	19,134,294	18,638,673
Transaction-related contingencies	10,835,892	8,505,494	50	5,417,946	4,252,747
Short-term self-liquidating trade-related contingencies	40,559,775	37,441,224	20	8,111,955	7,488,245
Sale and repurchase agreements and assets sale with recourse where the credit risk remains with the Bank	–	–	100	–	–
Obligations under an ongoing underwriting agreement	–	–	50	–	–
Other commitments with an original maturity of up to one year or which can be unconditionally cancelled at any time	68,984,511	73,550,373	0	–	–
Commitments with an original maturity up to 1 year	–	–	20	–	–
Other commitments with an original maturity of over one year	–	–	50	–	–
Foreign exchange contracts	135,004,752	136,786,449	0-5	2,700,095	2,735,729
Interest rate contracts	–	–	0-3	–	–
Total	274,519,224	274,922,213		35,364,290	33,115,394

Capital Charge for Market Risk

	2013	2012
	Rs. ’000	Rs. ’000
Capital charge for interest rate risk	290,331	214,062
Capital charge for equity	63,000	64,575
Capital charge for foreign exchange and gold	177,955	29,641
Total capital charge for market risk	531,286	308,278
Total Risk-Weighted Assets for market risk	5,312,861	3,082,784

Capital Charge for Operational Risk

Gross Income
Year 1	23,166,112	20,121,710
Year 2	25,763,771	23,166,112
Year 3	33,013,888	25,837,421
Average Gross Income	27,314,590	23,041,748
Total capital charge for operational risk - (15%)	4,097,189	3,456,262
Total risk-weighted assets for operational risk	40,971,886	34,562,622

Computation of Capital

	2013	2012
	Rs. ’000	Rs. ’000
TIER I : Core Capital
Paid-up ordinary shares/common stock/assigned capital ++	19,586,813	18,008,797
Statutory Reserve Fund	3,768,094	3,245,819
Published retained profits/(accumulated losses) ( +/- )	113,892	1,557
General and other reserves	28,620,738	24,307,575
Minority interests (consistent with the above capital constituents)	38,778	32,141
Less:
Other intangible assets	(477,728)	(506,160)
Advances granted to employees of the Bank for the purchase of shares of the Bank (ESOP)	(1,122)	(1,548)
50% Investments in the Capital of Other Banks and Financial Institutions	(402)	(402)
Total Eligible Core Capital ( TIER I Capital )	51,649,064	45,087,778
TIER II : Supplementary capital
Revaluation reserves (as approved by Central Bank of Sri Lanka)	2,034,231	2,034,231
General provisions	1,656,465	1,500,098
Approved subordinated term debt	10,408,596	778,238
Less:
50% investments in the capital of other banks and financial institutions	(402)	(402)
Total Eligible Supplementary Capital ( TIER II Capital )	14,098,890	4,312,165
Total Capital Base	65,747,955	49,399,944

Computation of Ratios

	2013	2012
	Rs. ’000	Rs. ’000
Total Risk-Weighted Assets (RWA)
Total risk-weighted assets for credit risk	342,099,500	319,302,207
Total risk-weighted assets for market risk	5,312,861	3,082,784
Total risk-weighted assets for operational risk	40,971,886	34,562,622
Sub Total	388,384,246	356,947,613
Minimum Capital Charge
Minimum capital charge for credit Risk	34,209,950	31,930,221
Minimum capital charge for market risk	531,286	308,278
Minimum capital charge for operational risk	4,097,189	3,456,262
Sub Total	38,838,425	35,694,761
Total Capital Available to Meet the Capital Charge for Credit Risk
Total eligible core capital (TIER I Capital )	51,649,064	45,087,778
Total eligible supplementary capital (TIER II Capital )	14,098,890	4,312,165
Total Capital Base	65,747,955	49,399,944
Core Capital Ratio (Minimum Requirement 5%)
Total eligible core capital (TIER I Capital )	51,649,064	45,087,778
Total risk-weighted assets	388,384,246	356,947,613
	13.30%	12.63%
Total Capital Ratio (Minimum Requirement 10%)
Total capital base	65,747,955	49,399,944
Total Risk-Weighted Assets	388,384,246	356,947,613
	16.93%	13.84%

(Audited by KPMG)

Credit Risk

Introduction and Objectives

Risk arising as a failure of borrowers/counterparties to meet their debt/contractual obligations is referred to as credit risk. Both On-Balance Sheet and Off-Balance Sheet activities could expose the Bank to credit risk. The lending portfolio of the Bank represents the notional value or principal amount of On-Balance Sheet financial products such as Loans, Overdrafts etc., while products such as Letters of Credit, Letters of Guarantees, Shipping Guarantees, Documents against Acceptance represent the Bank’s contingent commitments on behalf of its customers. A deterioration of counterparty credit quality and/or market volatility can lead to potential credit risk-related losses for the Bank. Credit Risk Management activities of the Bank therefore, focus on adopting proactive risk management practices to minimise potential losses from its lending portfolios whilst optimising the related returns.

Credit Risk Appetite

The Board of Directors set the credit risk appetite of the Bank which contains limits on maximum exposures to industry sectors, products and geographies to manage the credit risk within the pre-determined policy parameters. Risk appetite is well defined and documented in the credit policy and the lending guidelines of the Bank after a thorough qualitative and quantitative assessment. The Bank has classified the sectors which are of limited appeal or of no credit appetite into two main categories; i.e., ‘High Risk’ and ‘Prohibited Appetite’. The sectors which will not be entertained under any circumstances, either due to the very high levels of risks involved or because of negative social/ethical considerations are listed under the ‘Prohibited Appetite’ whereas the sectors which are perceived to be exceptionally risky have been listed under the ‘High Risk’ category. Proposals from such ‘High Risk’ sectors are entertained only under exceptional circumstances with a strong business rationale against suitable risk mitigants.

Credit Risk Management Process

Through assessing, quantifying, pricing, monitoring, mitigating and managing credit risk exposures according to established policies in a consistent manner, the Bank strives to optimise its credit portfolios. The Bank’s Credit Risk Management Process is supported by experienced Lending Officers/Committees at various levels in the approval hierarchy who maintain high ethical standards. The credit structuring is also independently monitored by the Risk Management and Audit Functions to ensure integrity and transparency in credit decisions.

The Bank’s well-established credit culture is complemented by its policy framework, credit related committees and the Credit Risk Management Function as discussed below:

Assessment and Approval

The Bank’s approach to making its lending decisions is systematic and consistent. All the potential credit risk exposures of the Bank are first evaluated by the Lending Officers who are the ‘risk owners’ of the credit mechanism. The Lending Officers and Credit Committees approve credit facilities in accordance with their respective Delegated Authority; strictly within the credit policy parameters established by the Board of Directors.

The Bank has introduced a comprehensive and robust risk rating system which is compliant with Basel II guidelines. The credit risk rating system encompasses both the capability of representing diverse risk factors through a single point of indicator and predicting the ‘Probability of Default’ (PD) based on borrower and transaction specific criteria. The sanctioning of credit decision of the Lending Officers will be complemented by these Credit Risk Ratings/Risk Scorings which quantify the overall risk in a credit proposal as per given risk parameters. The risk scoring method is being deployed to assess the personal loans products and microfinancing products while the risk grading is being used to complement the decision-making process in other lending proposals relevant to corporates and SMEs.

These indicators help the Lending Officers to measure the risk profile of the credit portfolios in an objective manner, while complementing the Bank’s endeavours in the direction of progressing from the present Basel II ‘The Standardised Approach’ towards advanced credit risk related capital computation methodologies.

Credit proposals from different lending areas exceeding certain thresholds are referred to the Integrated Risk Management Department (IRMD) for independent evaluation and final risk approval.

Components of Credit Risk Management

The Credit Risk Management comprises three main functional components namely, Credit Risk Management Function, Credit Risk Review Function and the Environmental Risk Review Function. While the Credit Risk Management Function evaluates proposals at the pre-sanction stage, the Credit Risk Review Function assesses the proposals at post sanction stage. Environmental Risk Review Function plays a role at both pre- and post-sanction stages to ensure that the Bank’s lending activities are in conformity with the Bank’s Social and Environmental Management System (SEMS) Policy.

Credit Risk Management Function		Independent evaluation and providing final risk approval for all high value credit proposals to ensure that they are in conformity with the established lending policies and the risk appetite of the Bank and to make recommendations for improvements if required.
		Independent evaluation of all new lending products from a risk perspective.
		Maintenance of the risk rating modules.
		Monitoring of Credit Portfolios.
		Monitoring of monthly Key Credit Risk Indicators and reporting them to the EIRMC and BIRMC.
Credit Risk Review Function		Providing an assurance on the quality of lending portfolios and practices through a ‘continuous assessment process’.
		Independent evaluation of emerging credit risks.
		Dissemination of the Credit Risk Review findings to the Lending Officers through relevant committees.
		Affirmation of internal risk ratings assigned to individual borrowers and recommending changes wherever required.
Environmental Risk Review Function		Providing assurance that all major lending decisions undertaken by the Bank are consistent with the Bank’s policy on Social and Environmental Management System (SEMS).

Policy Framework

The robustness of the Bank’s core Credit Risk Management Framework is reinforced by its established policies, procedures and processes including a well-defined approval hierarchy. The Bank’s conduct of its credit risk management activities is delineated in the Credit Policy and Lending Guidelines of the Bank to ensure consistency in credit sanctioning across the Bank. These policies ensure quality, consistency and transparency in the credit approvals at all times.

The Bank believes that the credit risk management should be a value enhancing activity that goes beyond regulatory compliance, encompassing:

1. i. a credit risk environment which seeks risk optimisation;
2. ii. a sound credit approval and granting process based on highest ethical standards;
3. iii. an appropriate credit administration, measurement and monitoring process; and
4. iv. adequate controls over credit risk on a continuous basis.

The credit risk related policies are designed to capture above standards to preserve the overall quality of the Bank’s lending activities.

Credit Risk Mitigation and Monitoring

Collateral Management and Valuation

The primary source of repayment of credit exposures being cash flows, collaterals obtained by the Bank wherever possible act as a secondary source of recovery. Collaterals generally include: cash, marketable securities, properties, stocks in trade, trade debtors, machinery, equipment and other physical/financial assets as well as guarantees. The charges created on the collateral could either be fixed or floating and the Bank has put in place clear guidelines to determine the acceptability of collateral as a means of credit risk mitigation based on characteristics of different collaterals [i.e., the realisability in stressed conditions, Loan To Value (LTV) etc.].

Procedures are in place to carry out periodic estimation of collateral values to ensure that they will continue to provide the anticipated secondary source of repayment in an eventuality. Where collateral values are vulnerable to high volatility of market variables, stringent haircuts and more frequent valuations are carried out by the Bank to take proactive decisions on risk mitigation.

The Non-Performing Advances portfolio is subjected to the ‘hair cut rule’ which is applicable on collateral valuations based on conservative and pre-determined loan: collateral ratios in compliance with the Banking Act Direction No. 3 of 2008 ‘Classification of Loans and Advances, Income Recognition and Provisioning’. Bank also adopts more stringent internal policies disregarding collateral cover for NPAs as a prudent measure at times.

The accounting policy relating to the collateral valuation is given in the Notes to the Financial Assets carried at Amortised Cost.

Credit Risk Monitoring and Reporting

Lending Officers follow up the timely recovery of the advances granted, as per the agreed terms and conditions with the borrower, using various monitoring mechanisms in place. Advances which have potential vulnerabilities requiring close monitoring, supervision or improvement of risk mitigants available for the Bank are identified by the Lending Officers with the assistance of the Branch Credit Monitoring Unit. Key Credit Risk Indicators (KCRIs) are compiled on a monthly basis to analyse the risks of the overall credit portfolio of the Bank, to ascertain potential risks in a proactive manner.

The overall credit risk exposure on certain risk categories (i.e., single borrower, industry sectors, products etc.) are monitored and controlled through a set of prudential exposure limits established by the Credit Policy Committee.

At portfolio level, mechanisms are in place to monitor and report the advances at the highest possible granularity to effectively capture portfolio characteristics including possible correlations between portfolios/environmental factors. Further, the Bank tracks the quality of the loan book on a regular basis by analysing the trends in different lending portfolios. This process also enables the Bank to identify any emerging risks in the individual credit portfolios and to take suitable corrective actions in a timely manner preserving the quality of loans and advances. Another main focus of this portfolio management process is to derive the maximum benefit associated with the diversification of the Bank’s advances portfolio into myriad of thriving economic segments in order to reduce the overall credit concentration risk while optimising returns.

 

The Western Province has recorded a higher percentage of lending based on geographical distribution of the Bank’s lending portfolio. It has accounted for 74% (approximately). of total advances portfolio of the Bank as at December 31, 2013. Although, Western Province is vested with highest credit concentration, we believe that a sizable portion of these lending has been utilised to facilitate industries scattered around the country. For example, most of the large corporates which have island-wide operations are being accommodated by the Branches and Corporate Banking Division situated in the Western Province thus reflecting a fairly diversified geographical concentration on such borrowers.

Segmentation of NPA Portfolio as at December 31, 2013 by Industry Sector (Sri Lanka Operations) (Rs. Mn.)

Industry Sector	Outstanding	Specific Provision	Amount Written Off
Exports	1,109.21	443.59	142.06
Imports	2,282.60	783.63	6.75
Wholesale& retail trading	842.75	332.21	3.76
Construction industry	881.22	210.82	0.06
Industrial	1,929.83	700.46	4.09
Agriculture	868.81	426.05	2.11
Housing	556.06	248.94	3.96
Tourism & allied	1,103.54	831.55	0.84
Personal	3,783.35	1,576.46	28.20
Services	1,322.05	431.26	6.61
Holding companies	4.27	2.51	–
Non-banking financial institutions	28.92	27.92	0.02
State institutions	14.51	14.51	–
Any other commercial activity	441.02	185.96	1.94
Miscellaneous	268.87	67.26	4.92
Total	15,437.01	6,283.14	205.32

(Audited by KPMG)

Note: The above figures have been prepared as per SLAS and may differ from figures based on SLFRS.

Segmentation of NPA Portfolio as at December 31, 2013 by Geographic Area (Rs. Mn.)

	Total NPA	Specific Provisions for bad debts	General Provision
Central Province	688.18	236.18	60.61
Eastern Province	323.50	95.95	12.83
North-Central Province	293.19	133.38	22.60
Northern Province	1,304.56	377.43	19.82
North-Western Province	1,159.48	342.45	68.78
Sabaragamuwa Province	485.26	192.21	29.30
Southern Province	1,412.73	714.04	67.85
Uva Province	186.91	53.92	17.55
Western Province	9,583.18	4,137.58	1,215.48
Bangladesh	429.61	92.03	74.08
Maldives	–	–	–
Other foreign Geographies	–	–	–
Total	15,866.62	6,375.17	1,588.89

Note: The above figures have been prepared based on SLAS and may differ from SLFRS.

Concentration Risk in Credit Portfolios

The total gross loans and receivables from other customers of the Bank stood at Rs. 370.306 Bn. as at December 31, 2013. The breakdown of this exposure by major product types is given under a graph on Financial Statements. By setting various concentration limits under different criteria within the established risk appetite framework (i.e. single borrower, industry sectors, product etc.) the Bank ensures that an acceptable level of risk diversification is maintained across the Bank on an ongoing basis. These limits are continuously monitored and periodically reviewed by the Credit Policy Committee (CPC), the Executive Integrated Risk Management Committee (EIRMC) and the Board Integrated Risk Management Committee (BIRMC) to strengthen the dynamic portfolio management practices and to provide an early warning on possible credit concentrations.

Counterparty Exposures

In addition to the exposure of the Bank to individual customers and local banks, it also has exposures to Banks operating overseas which are referred to as Counterparty Exposures.

The Bank monitors risk relating to counterparty banks at regular intervals by tracking such credit exposures against the established prudent limits. Exposure limits are reduced/cancelled in the event of adverse market information that might hamper performance of a counterparty bank.

 

Cross-Border Exposures

In addition to exposures pertaining to sanctioning and administration of individual credit facilities described under counterparty exposures, the Bank is also exposed to cross-border credit risks. Country/cross-border risk is the risk of the Bank’s inability to obtain payment from our customers, counterparty banks or third parties on their contractual obligations as a result of certain actions taken by foreign governments, mainly relating to convertibility and transferability of foreign currency.

Social and Environment Management System (SEMS)

Even though the operation of banks does not cause significant direct negative impact to the social and environmental well-being, there could be an indirect impact on the environment owing to the consequences of commercial and other activities of its customers and suppliers. In this backdrop, the Bank has put in place a number of procedures aimed at mitigating its indirect negative impact on the environment created by the business and industrial activities it finances via its Social and Environmental Management System (SEMS). Through the SEMS, the Bank takes every effort to ensure that the financing extended to its customers is used to set up and fund operations which are both sustainable and eco-friendly. Since this concern is at the heart of the Bank’s sustainability strategy, the SEMS is applied not only for finances extended to its customers but also by the Bank itself in implementation and monitoring of all major activities undertaken. SEMS Officer validates compliance with SEMS for all credit proposals that have an impact to the Social and Environmental aspects as per the independent evaluations of Lending Officers when such proposals are referred for risk evaluation. The SEMS co-ordinator of the Bank is required to submit periodic confirmations on compliance with International Finance Corporation's (IFC’s) terms and conditions and is subject to audit by the Bank’s Inspection Department. It is the Bank’s intention to extend application of SEMS to all credit proposals in future across all its branches in Sri Lanka in keeping with the Bank’s policy on environment sustainability.

Our Bangladesh operation too is in compliance with the Environmental Risk Management Guidelines (ERM) - issued by the Bangladesh Bank (i.e. Central Bank of Bangladesh) which supports and embraces good governance practices prescribed in the Credit Risk Management Function encompassing policy framework for credit approval process. Independent Environmental Risk Rating Mechanism is being adopted as per the Guidelines and any exposures with high vulnerability to be perused by specialised officer on this domain.

Market Risk

Introduction and Objectives

Basel Committee on Banking Supervision has defined market risk in its report on International Convergence of Capital Measurements and Capital Standards as ‘the risk of losses in On and Off-Balance Sheet positions arising from movements in market prices’. Accordingly, major sources of market risks are foreign exchange exposures, interest rate related instruments in trading book, equity/debt instruments in the trading book and commodity exposures.

The Bank, engages in market making, investing activities etc. during the normal course of its business. Trading/investment portfolios created in such activities may get adversely affected due to changes in the risk factors described below:

• Foreign Exchange Risks
  resulting from exposures to changes in spot and forward rates and volatilities of the exchange rates due to undertaking transactions in a foreign currency or from holding an asset or liability in a foreign currency.
• Interest Rate Risks
  arising out of exposures to instruments where values vary with the level and shape of the yield curve, volatility of interest rates and credit spreads that affect the Net Interest Income (NII) and profitability of the Bank. Such instruments include, but are not limited to, loans, debt securities, certain trading-related assets and liabilities, deposits, borrowings and derivatives. Sources of interest rate risk include re-pricing risk, basis risk, yield curve risk and option risk.
• Equity/Debt Price Risks
  resulting from exposures to changes in prices and volatilities of individual equities/debt instruments.
• Commodity Price Risks
  arising out of exposures to changes in prices and volatilities of individual commodities.

The Bank, with an objective of managing market risk exposure in order to optimise return on risk whilst maintaining an appropriate market profile adopts appropriate market risk management strategies and practices as discussed in the following sections.

Market Risk Appetite

Risk Management Framework of the Bank ensures that market risks emanating from money market activities, capital market activities and financial intermediation are well-managed within the overall risk appetite of the Bank, so that any adverse change in exchange rates, interest rates and debt/equity/ commodity prices do not materially affect the profitability, capital and/or the desired risk profile of the Bank.

Bank defines its market risk appetite based on:

• economic and market conditions and their impact on market risk,
• availability of expertise to profit in specific markets together with the ability to identify, monitor and control market risk in such markets,
• desired portfolio mix and how it would be affected if more market risk is assumed.

The risk appetite so defined is expressed by way of quantitative exposure levels in the form of market risk limits and certain quantitative factors as well.

During the year 2013, the Bank did not have any exposures on commodity-related price risk and only a negligible exposure on equity and debt-related price risks which has been less than 1.2% of the total risk weighted exposure for Market Risk. Exposure of the Bank was therefore mainly confined to Interest Rate Risk (IRR) and Foreign Exchange (ForEx) Risk arising from traditional banking related activities.

Market Risk Management Process

Market risk identification is the first step towards systematic Market Risk Management in the Bank. It involves the recognition of various sources of risks, their characteristics, and possible outcomes as a result of transactions undertaken by the Bank. The three primary sources where the Bank may get exposed to market risk are granting credit facilities, treasury operations (trading and investment activities) and On/Off-Balance Sheet transactions. In all these instances, the existence of the market risk factors such as interest rates, exchange rates, equity prices or commodity prices and changes which could have an impact on the Bank’s profitability are identified through systematic evaluation.

Market Risk Management process is carried out in compliance with the Board approved Market Risk Management Policy of the Bank. Documents such as Asset and Liability Management (ALM) Policy, Foreign Exchange (FX) Policy, Derivative Policy, Treasury Policy, Stress Testing Policy and Treasury Operations Manual are used in the Market Risk Management process to ensure that all transactions undertaken by the Bank are within the market risk-related exposure limits and procedures set out therein.

Organisational Structure

Bank’s Market Risk Management governance structure is based on the principle that each business head is responsible for the identification and verification of market risks sources, events, causes, consequences and mitigation relevant to their business line.

Market Risk Management Unit (MRMU) of the IRMD is entrusted with the responsibility of co-ordinating and performing daily Market Risk Management activities including measuring, monitoring and reporting of market risk exposures. In addition, MRMU is entrusted with the task of reviewing Bank’s market risk-related policy framework which includes Market Risk Management Policy, Asset and Liability Management Policy, Foreign Exchange Risk Management Policy, Stress Testing Policy etc. The relevant exposure limits are reviewed at least annually, in order to facilitate efficient decision making whilst optimising risk-return trade off, within the Board approved policy limits and guidelines. MRMU also provides independent review on new investment proposals/products originated from different business units in order to evaluate the market risks associated with such proposals/products.

Treasury Middle Office is part of MRMU and functions independently from the risk-taking and operational units [i.e. Treasury Front Office (TFO) - Trading Unit and Treasury Back Office (TBO) - Settlement Unit]. Treasury Middle Office has direct access to information from risk-taking and operational units in order for it to carry out the Market Risk Management and control function effectively.

Policy Framework

Market Risk Management Policy provides a well-defined framework to ensure that market risks assumed by the Bank are well within the overall risk appetite of the Bank.

The Market Risk Management Policy details out factors such as definition of Market Risk, Board and Senior Management oversight in Market Risk Management, identification/measurement/ management strategy/monitoring and reporting Market Risk, Market Risk Management Information Systems and Model Risk Management.

Market risk related limits are set out in the Board approved Market Risk Management Policy, ForEx Risk Management Policy, ALM Policy, Stress Testing Policy and Derivative Policy which are regularly reviewed by ALCO. In addition to these limits, the Bank has set up Management Action Triggers (MATs) to notify the Management of impending limit breaches or recurring loss events so that proactive and timely preventive measures can be initiated to mitigate potential losses. MATs are set up either at portfolio level or risk factor level to ensure that the market risk exposures and/or potential losses are maintained within the overall risk appetite of the Bank.

Assessment and Approval

Primary responsibility of identifying and assessing market risk lies with the business unit that initiates a particular transaction which creates an exposure, whether it be granting credit facilities or engaging in Treasury transactions. The Bank has clearly laid down procedures and policies in assessing new products to identify potential exposures to market risk related factors. Market Risk Management function of the Bank is enriched with experienced officers/committees at various levels who ensure high ethical standards in the approval process at all times.

Once the exposures are assumed in the Bank’s portfolios, a range of techniques such as sensitivity analysis, stress testing, Marking to Market, are used to assess market risk exposures across its portfolios.

IRR, is a major component of the market risk exposure of the Bank which arises either from engaging in trading/banking activities such as granting credit facilities, accepting deposits, issuing debt or trading in fixed income securities. Bank uses the following mechanisms to assess IRR exposure:

1. Modified Duration Gap approach analyses change in Economic Value of Equity (EVE) focusing on the value of the Bank’s net cash flows. This method maps assets and liabilities into different time buckets, and compares weighted average durations of assets and weighted average durations of liabilities to arrive at the duration gap of equity. In addition, the Bank monitors the magnitude of negative/positive modified duration gaps to identify the impact of interest rate changes on EVE.
2. Earnings At Risk (EAR) approach analyses the impact on Net Interest Income (NII) resulting from interest rate changes on its near term earnings. In this approach, Rate Sensitive Liabilities (RSL) are deducted from Rate Sensitive Assets (RSA) to arrive at the ‘Gap’ on each time bucket which is measured against the Board approved tolerance limits.

The Bank assesses the impact of changes in interest rates on Net Interest Income (NII) using a methodology which requires forecasting the Balance Sheet for a 12 month period, giving due cognisance to expected future business growth based on the budget, Asset and Liability positioning and the interest rate projections. These factors are then used to evaluate the potential impact on Bank’s profitability due to changes in LKR and/or foreign currency interest rates.

In order to assess the impact on exposure to ForEx risk, the Bank regularly conducts sensitivity analysis on Net Open Position (NOP) due to possible changes in the US $/LKR exchange rates. An appropriate shock based on average of previous three months US $/LKR exchange rate is given to the NOP which is measured against the policy threshold.

Market Risk Mitigation and Monitoring

ALCO is entrusted with the responsibility of pricing products and maintaining an appropriate Balance Sheet mix to suit the current market rates, competition, and the Bank’s strategies whilst managing market risk efficiently.

ALCO regularly monitors the movement of indices such as Prime Lending Rate (PLR), Sri Lanka Inter Bank Offered Rate (SLIBOR), London Inter Bank Offered Rate (LIBOR) and rates of Government Securities in order to take appropriate decisions to re-price or re-balance portfolios as necessary to mitigate the Bank’s vulnerability to ‘Basis Risk’.

Yield curve risk (resulting in sudden shifts in shape and gradient of the yield curve from previous prediction may affect the Bank’s earnings or economic value), is also managed by the ALCO through rebalancing of portfolios as appropriate.

In addition, ALCO monitors asset and liability gaps, and rate shock results on NII to initiate appropriate measures such as changing interest rate structure of the Balance Sheet, launching suitable long term/short term products and portfolio rebalancing in order to minimise the impact of re-pricing risk on the Bank’s profitability.

IRR of the Bank is centrally measured by IRMD and managed by Treasury in a consolidated manner, through the Funds Transfer Pricing (FTP) mechanism under the guidance of ALCO which facilitates business units to concentrate on managing non-market risk related factors in their respective portfolios.

Foreign Exchange (ForEx) Risk of the Bank is defined as the likely impact on earnings or capital resulting from adverse fluctuations in exchange rates due to maturity mismatches of various foreign currency positions other than LKR held by the Bank. Stipulated stringent tolerance limits for individual currency exposures as well as aggregate exposures in accordance with the regulatory parameters, to ensure potential losses resulting from ForEx rate fluctuations are maintained within the risk appetite of the Bank.

Market Risk Portfolio Analysis

Interest Rate Sensitivity Gap Analysis of Assets and Liabilities [Bank]

As at December 31, 2013 (Rs. Mn.)

	Up to 1 Month	1-3 Months	3-6 Months	6-9 Months	9-12 Months	1-3 Years	3-5 Years	Over 5 Years	Non- Sensitive	Total
Assets
Cash on hand	–	–	–	–	–	–	–	–	11,508	11,508
Deposits with Central Banks	515	–	–	–	–	–	–	1,867	16,051	18,432
Balances due from head office, affiliates and own branches	–	–	–	–	–	–	–	–	–	–
Balances due from other banks	7,129	302	–	–	–	–	–	–	–	7,431
Investments	24,766	41,655	45,317	24,413	17,063	14,200	12,179	3,029	623	183,247
Bills of Exchange	5,015	–	–	–	–	–	–	–	–	5,015
Overdrafts	46,296	10,494	3,439	4,230	3,674	2	–	0	–	68,136
Loans and advances	132,376	31,443	22,873	8,673	25,057	40,030	16,802	2,134	–	279,388
NPLs	–	–	–	–	–	–	–	–	1,710	1,710
Fixed assets	–	–	–	–	–	–	–	–	8,855	8,855
Net inter-branch transactions	–	–	–	–	–	–	–	–	–	–
Accrued interest	–	–	–	–	–	–	–	–	–	–
Other assets	–	–	–	–	–	–	–	–	10,007	10,007
Reverse Repo	8,946	–	–	–	–	–	–	–	–	8,946
FRAs	–	–	–	–	–	–	–	–	–	–
Swaps	–	–	–	–	–	–	–	–	–	–
Futures	–	–	–	–	–	–	–	–	–	–
Options	–	–	–	–	–	–	–	–	–	–
Others	–	–	–	–	–	–	–	–	–	–
Total	225,044	83,895	71,629	37,315	45,794	54,232	28,981	7,030	48,755	602,675
Liabilities
Demand deposits	39,676	–	–	–	–	–	–	–	–	39,676
Savings deposits	150,534	–	–	–	–	–	–	–	–	150,534
Time deposits	43,147	64,684	46,471	49,607	23,612	7,119	5,962	7,569	–	248,172
Other deposits	–	–	–	–	–	–	–	–	–	–
Balances due to head office, affiliates and own branches	–	–	–	–	–	–	–	–	–	–
Balances due to other banks	2,612	2,659	2,623	–	–	–	–	–	–	7,894
Certificate of deposits	1,138	887	559	32	22	312	151	–	–	3,101
Other borrowings	–	8,695	712	882	–	2,256	1,198	1,178	–	14,920
Net inter-branch transactions	–	–	–	–	–	–	–	–	–	–
Bills payable	–	–	–	–	–	–	–	–	–	–
Interest payable	–	–	–	–	–	–	–	–	17,115	17,115
Provisions (others)	–	–	–	–	–	–	–	–	–	–
Capital	–	–	–	–	–	–	–	–	19,587	19,587
Reserves	–	–	–	–	–	–	–	–	35,069	35,069
Retained earnings	–	–	–	–	–	–	–	–	4,754	4,754
Subordinated debt	9,825	–	–	–	–	973	–	–	–	10,798
Other liabilities	–	–	–	–	–	–	–	–	5,536	5,536
Repos	27,735	4,937	6,163	4,043	2,640	–	–	–	–	45,519
FRAs	–	–	–	–	–	–	–	–	–	–
Futures	–	–	–	–	–	–	–	–	–	–
Swaps	–	–	–	–	–	–	–	–	–	–
Options	–	–	–	–	–	–	–	–	–	–
Total	274,668	81,862	56,529	54,564	26,274	10,660	7,311	8,746	82,061	602,675
Period gap	(49,624)	2,032	15,100	(17,249)	19,520	43,572	21,670	(1,716)
Cumulative gap	(49,624)	(47,592)	(31,491)	(49,740)	(30,220)	13,352	35,022	33,306
RSA/RSL	0.82	1.02	1.27	0.68	1.74	5.09	3.96	0.80

Note 1: The above figures have been prepared as per SLAS and may differ from LKAS/SLFRS figures given in the Statement of Financial Position.

Note 2: Prepared as per disclosure requirements given in the Banking Act Direction No. 7 of 2011 on ‘Integrated Risk Management Framework’.

Note 3: RSA = Rate Sensitive Assets

RSL = Rate Sensitive Liabilities

The Bank regularly monitors the sensitivity of NII resulting from changes in interest rates by providing 1% and 0.25% shocks to LKR and foreign currency asset and liability portfolios respectively and ensures that the variations are prudently managed within the internal tolerance limits. Above graph depicts the sensitivity of NII to rate shocks during the year 2013. The impact on NII in December 2013 compared to that of November 2013 depicts an increase due to a temporary increase in the securities purchased under re-sale agreement.

USD/LKR exchange rate fluctuated between a low of Rs. 125.35 and a high of Rs. 133.20 (source: Bloomberg) during the period under review and the annual Rupee depreciation was recorded at approximately 2.40%. Although, the movement in the exchange rate was marginal in 2013, the Bank continued to monitor the sensitivity of the NOP to changes in USD/LKR exchange rates by applying appropriate rate shocks.

ForEX Position as at December 31, 2013 ('000)

Currency		Spot				Forward				Net Open Position	Net Position in Other Exchange Contracts	Overall Exposure in Respective Foreign Currency	Overall Exposure in LKR
		Assets	Liabilities	Net		Assets	Liabilities	Net
1		2	3	4=2-3		5	6	7=5-6		8	9	10	11
US Dollars		10,423	6,807	3,616		3,595	4,403	(808)		1,474		4,282	561,004
Pound Sterling		812	54	759		100	906	(806)		(34)		(82)	(17,707)
Euro		920	186	734		100	832	(732)		(4)		(1)	(238)
Japanese Yen		13,172	12,356	816		10,537	16,922	(6,385)		(155)		(5,724)	(7,149)
Indian Rupee
Australian Dollar		640	177	463			475	(475)		(38)		(50)	(5,900)
Canadian Dollar		27	25	2						0		2	247
Other Currencies in USD		273		273		36	295	(259)		125		138	18,131
Total exposure										USD 1,502		USD 4,186	548,389
Total capital funds as per the latest Audited Financial Statements (capital base of the Bank as at December 31, 2013)													65,579,876
Total exposure as a % of total capital funds as per the latest Audited Financial Statements													0.84%

Liquidity Risk

Introduction and Objectives

Liquidity risk is the risk to the Bank’s financial condition or soundness arising from its inability to meet contractual and contingent financial obligations On or Off Balance Sheet, as they fall due without incurring unacceptable losses. Banks in the business of financial intermediation are by nature vulnerable to liquidity and solvency risks resulting from asset and liability mismatches. Thus, the Bank’s principal objective in liquidity risk management is to assess the need for funds to meet obligations and to ensure the availability of adequate funding to fulfil those needs at the appropriate time by co-ordinating diverse funding sources available to the Bank both under normal and stressed conditions. To achieve this objective, the Bank continuously analyses and monitors liquidity risk, and maintains an adequate margin of safety in high quality liquid assets at all times. Arrangements are made to access diverse funding sources such as inter-bank market, wholesale and retail repurchase agreements, and have contingency funding agreements with peer banks to meet liquidity requirements. As such, the Bank ensures adequate liquidity to fund its existing asset base as well as grow its business whilst maintaining sufficient liquidity buffers in order to operate smoothly in various market conditions including market disruptions for short term or long term periods.

Liquidity Risk Management Process

Organisational Structure

The Bank’s liquidity risk governance structure is modelled in such a way so as to ensure that its liquidity position is optimised to support business requirements while maintaining healthy earnings.

As the main stakeholder, ALCO plays a pivotal role in Bank’s Liquidity Risk Management Framework. ALCO meets at least fortnightly and is entrusted with responsibilities such as managing and controlling overall liquidity of the Bank, reviewing the impact of business decisions on Bank’s liquidity, establishing and monitoring liquidity targets as well as strategies and tactics to meet those targets, ensuring availability of sufficient liquidity for unanticipated contingencies while focusing on a strategy that provides effective diversification in sources and tenors of funding, monitoring Off-Balance Sheet activity related liquidity impact and diversifying deposit maturity base to avoid possible concentrations.

In addition, ALCO ensures that adequate liquidity levels are maintained at all times by the Bank to meet daily liquidity obligations with an appropriate asset mix, together with the availability of readily marketable assets, in order to enable the Bank to withstand a period of Bank specific liquidity stress. Further, ALCO analyses the liquidity and profitability requirements of the Bank in each and every investment proposal in compliance with the Bank’s overall risk appetite.

Bank’s day-to-day liquidity management process is initiated by the Treasury Division which is entrusted to monitor and manage the daily liquidity requirement based on forecasts of cash flow analysis for short and medium tenors. Treasury is also responsible for maintaining contingency funding arrangements with peer banks to meet possible unexpected out flows. Treasury Division also compiles a monthly liquidity gap report to the ALCO in Sri Lanka Rupees and US $ (covering all foreign currencies) together with proposals to meet any funding requirements.

MRMU monitors the liquidity profile of the Bank through Liquidity Gap Analysis and Liquidity Ratios and reports same through the Key Market Risk Indicators to ALCO.

Policy Framework

MRMU reviews the Bank’s ALM Policy, Liquidity Policy, Contingency Funding Plan and Liquidity Risk Tolerance limits at least annually and obtains Board approval through ALCO for the adoption of suitable policy parameters and procedures to strengthen the liquidity risk management framework of the Bank.

Liquidity risk management framework of the Bank established through these policies has been designed meticulously so as to optimise the business requirements whilst complying with the regulatory guidelines. In this regard, the Bank has developed certain funding and liquidity risk management procedures such as maintaining excess liquidity at appropriate levels, and analysing debt maturities together with other potential cash outflows including those that may occur during stressed market conditions, to ascertain liquidity requirements with sufficient buffers. The liquidity policy has established parameters to ensure diversified funding sources including liquidity contingency planning so that the Bank could meet its cash flow requirements without over constraining either resources or earnings.

The Bank conducts liquidity related stress testing exercises as per the guidelines in the Stress Testing Policy of the Bank and reports to the Board regularly. (Refer the discussion on Liquidity Stress Testing).

Assessment and Approval

The Bank uses a variety of measures in monitoring its liquidity. In this regard, both stock (based on key ratios) and flow (based on cash inflows/outflows in time bands) approaches in assessing its liquidity resources are used.

The range of key liquidity risk indicators used by the Bank to assess adequacy of its liquidity position includes, Statutory Liquid Asset Ratio (SLAR), Net Advances to Deposit Ratio, Dynamic and Static (Structural) Liquidity Gap Summary, Core Funding Ratio, Funding Concentration and Commitments Vs Funding Sources. In addition, the Bank has in place a more stringent internal limit for maintaining SLAR as compared to the minimum statutory requirement of 20% of total liabilities (excluding contingent liabilities) so that it has additional liquidity buffers to mitigate potential risks arising from unexpected liquidity requirements.

The ratio of Net Advances to Deposits is regularly monitored by ALCO to ensure that the assets and liability portfolios of the Bank are geared to maintain a healthy liquidity position. The following graph depicts the movement in Net Advances to Deposits Ratio during the year 2013.

Liquidity Risk Mitigation and Monitoring

Stress Testing

The Bank regularly carries out liquidity stress tests and scenario analysis as part of its liquidity monitoring activities to evaluate the potential impact of sudden and severe stress events on the Bank’s liquidity position. This exercise enables to proactively identify appropriate funding arrangements that can be utilised to manage such stress situations with a minimum financial and/or reputational impact to the Bank.

Contingency Funding Plan

Contingency Funding Plan (CFP) details out the procedure to address unlikely events of both short and long term funding crisis and forecasts funding needs as well as funding sources under different market scenarios including aggressive asset growth or loan rollover, rapid liability erosion or sharp decline in deposits across a 3-month horizon, which the Bank considers the most critical time span in case of a liquidity crisis. The net funding gaps resulting from contractual and contingent cash and collateral outflows are analysed in order to model the steps to meet the short fall as per the guidelines in the CFP.

Liquidity Stress Testing provides the basis for CFP of the Bank. This is an important part of the wider Asset and Liability Management (ALM) Policy Framework of the Bank and outlines various ways in which the Assets and Liabilities of the Bank are monitored and managed while emphasising ways to avoid any major crisis in liquidity. The CFP covers various scenarios under three levels considering different stress situations, viz. normal conditions, for both Bank specific (short-term liquidity squeeze) and market specific crisis (Serious Liquidity Crisis). Based on the above scenarios, the Bank’s liquidity position shall be gauged for low, medium, and high stress situations for increase in premature withdrawal or sharp decline of wholesale and retail deposits and roll-over of loans. The potential impact of a sharp decline in deposits and loan roll-over on the Bank’s Asset and Liability gap would invoke the appropriate Contingency Plan in case a negative cumulative gap is observed in the 3 months maturity bucket. Further, the CFP covers the following areas in detail:

• Management and reporting framework with early warning signals and means to avoid/mitigate possible crisis.
• Documented Management Action Plan with alternative sources of inflows and trigger levels for action.
• Communication plan covering both internal and external communications to prevent further escalation or contagion situation.
• Regular sources of liquidity supplemented with contingent sources.

The Bank monitors the stability of funding sources compared to loans and advances granted, using Core Funding Ratio which indicates the quantum of Bank’s asset base funded by sufficiently long term liabilities. Throughout 2013, Bank has maintained the Core Funding Ratio well above the policy threshold of 90% which is considered healthy to support the Bank’s business model and expected growth. Funding concentration for both LKR and Foreign Currencies is regularly monitored by ALCO, where distribution of main deposit account types is measured against the appropriate deposit base to ascertain potential risks and to initiate corrective action such as rebalancing the portfolios if necessary.

The Bank monitors its potential liquidity commitments by way of future loan disbursements and undrawn overdrafts compared to the available funding sources on a regular basis, to properly plan its cash flows. Potential liquidity risk from undrawn commitments is considered to be very remote as the Bank generally does not have any credit limits having irrevocable commitments.

The graph above depict the trends in various liquidity related ratios of the Bank during the period from December 2011 to December 2013.

Operational Risk

Introduction and Objective

Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Further, Operational Risk can be broadly defined as risks which cannot be classified as credit risk, market risk or any other specified risk. According to the definition under Basel II Guidelines, strategic risk and reputational risk have been excluded while legal risk has been included under Operational Risk.

There is no mathematical link between individual risk factors vs the likelihood vs size of operational loss. However, Operational Risks losses may exceed those stemming from credit and market risk related losses due to control failures, natural disasters etc. as experienced in several instances in the international banking arena. Hence, it is vital to focus on management of Operational Risk by establishing proper control mechanisms to eliminate/ minimise the risks inherent in the business processes and monitor/review such mechanisms on a regular basis.

Operational Risk Management can be viewed as an optimisation between the Bank’s desire to cause the least inconvenience to its clients while reducing transaction cost and time on one hand and the desire to implement controls/safeguards against possible losses on the other hand. Hence, the management of Operational Risk in the Bank is based on the concept of optimising ‘Risk vs Service vs Cost’.

Key Objectives of the Operational Risk Management Function of the Bank are to:

1. Ensure that the Bank-wide Operational Risks are properly identified, assessed, monitored, reported and mitigated on a continuous basis.
2. Minimise the impact of losses suffered in the normal course of business (Expected Losses) and to avoid or reduce the likelihood of suffering large extreme losses (Unexpected Losses).

Operational Risk Appetite and Tolerance

Though risk appetite relating to credit and market risks could be associated with returns, risk appetite for Operational Risk is not aligned with any direct returns. Hence, ideal risk appetite level for Operational Risk is zero. However, if processes, systems, products etc are to be designed to achieve zero risk tolerance level, such mechanisms are bound to be lengthy, time consuming, costly and causing great inconvenience to the customers as well. Thus in designing a process, system or product, the Bank has to strike a balance between the need to minimise Operational Risk and causing the least inconvenience to clients to keep in line with the concept of ‘Risk vs Cost Vs Service’. Hence, zero level tolerance for Operational Risk cannot be practically achieved since all banking products and processes are associated with varying levels of Operational Risks where some of those cannot be fully mitigated unless the product or process is completely withdrawn.

The Bank has a low appetite for material risks it is exposed to. Accordingly, Bank has established tolerance levels for all material Operational Risk Loss types by considering several factors which include historical loss data, budgets and forecasts, performance of the Bank, existing systems and controls governing Bank operations.

Considering the above factors, following thresholds have been established by the Bank for monitoring purpose based on audited financials:

• Alert Level - 03% of the average gross income for the last three years.
• Maximum Level - 05% of the average gross income for the last three years.

In addition to the above, the Bank has established thresholds for selected non-financial Operational Risk Indicators as well. Operational Risk Unit (ORU) of the Bank closely monitors and reports the actual operational losses against the above tolerance levels on a monthly basis under each loss type to the EIRMC.

ORU initiates necessary actions to review the existing controls relating to any operational loss event type which reaches Alert Level and proposes additional controls if the existing controls are deemed to be inadequate.

Actual Operational Risk related losses for the current year is mere 0.18 % (of average audited gross income for last three years) which is well within the internal alert level of 03% as illustrated in the graph below. Further, consistency of the Bank in maintaining losses at minimal levels over the last five years is evident when comparing position over the period which is depicted in the graph below:

Operational Risk Management Process

Bank’s Operational Risk Management structure consists of the following vertically arranged elements.

 

Policy Framework

A well articulated Operational Risk Management Policy has been implemented in the Bank with a view to minimise the operational losses and to improve the systems and controls in relation to the business processes of the Bank.

The Operational Risk Management Policy mainly focuses on the factors such as definition and types of Operational Risk, organisational structure relating to management of Operational Risk, authorisation and responsibilities of the Board of Directors/Corporate Management/all other risk owners, role of Operational Risk Unit, general approach towards addressing and minimising Operational Risk through risk identification/assessment/monitoring/mitigation/reporting, risk appetite/tolerance levels, developments in Business Continuity Management and Disaster Recovery Plans.

Identification and Assessment of Operational Risk

Risk Control Self-Assessment (RCSA) forms an integral part of the overall Operational Risk Framework, as it helps the Bank in risk identification and improving the understanding, control and oversight of its Operational Risks. As a part of RCSA exercise, the Bank identifies and assesses the risks and controls in various products and processes of its critical units.

Half-yearly review of risk management measures adopted by the Bank is in place to facilitate an effective Operational Risk Management process. The Bank applies a consistent approach to the identification of key risks, evaluates the impact of such risks and adopts appropriate risk management measures to mitigate the risks across all business lines. All the identified risks are assigned to the relevant risk owners and reviewed/updated at regular intervals with the assistance of the ORU.

With the assistance of the recently acquired Operational Risk software solution, the Bank is planning to automate the RCSA processes which in turn will enhance the capabilities to manage the Operational Risks. The findings from the RCSA exercise is used to formulate appropriate action plans to address identified control gaps which are monitored as part of the overall operational risk management exercise. Thus, RCSA promotes analysis and monitoring of factors that affect the level of Operational Risk profile of the Bank.

This exercise helps to;

• assist the business entities to identify and assess major Operational Risks relating to their respective areas on a regular basis,
• identify high level of inherent and residual risks,
• facilitate in drawing action plan for the improvement of Operational Risk management and control gaps, and
• generate reports on the overall control environment of the Bank.

Risk assessment assists the Bank in understanding the way in which a potential event might affect the achievement of objectives and estimating the impact of such events on the overall Operational Risk profile of the Bank. The Bank assesses the identified Operational Risks from two perspectives: ‘Impact and Likelihood’. Likelihood represents the possibility that a given event will occur, while the Impact represents the effect of such an event materialising.

Each risk is assessed in terms of the likelihood and impact to quantify and map the seniority by using a ‘5X5 Impact: Likelihood’ matrix. All identified risks are then prioritised based on the individual scores derived for each risk. This helps the Bank to adopt suitable risk responses/mitigatory measures for identified risks depending on the potential threat.

Operational Risk Mitigation and Monitoring

Monitoring and Reporting

Monitoring and reporting under the Operational Risk Management Framework mainly rallies around the functions relating to monitoring of Key Operational Risk Indicators (KORIs) and their tolerance levels and reporting the same to designated committees. Further, monitoring/reporting of compliance with mandatory banking and other statutory requirements, abnormal transactions including Anti-Money Laundering and Terrorist Financing activities, internal/external reporting of losses/other Operational Risk events could also be counted as key functions supporting the monitoring and reporting of Operational Risk.

Mitigation Strategies

Operational Risk mitigation strategies of the Bank consists of comprehensive policies approved by the Board of Directors and close supervision exercised by the relevant officers supported by clear lines of management responsibility, accountability and reporting. Further, the Bank maintains a strong internal control environment encompassing detective, preventive, oversight, resolution/response, planning/guidance, governance etc. controls to mitigate various risks associated with banking operations. Continuous emphasis through training and creating risk awareness across the Bank together with high standards of ethics and integrity also boost Bank’s risk mitigatory measures.

Insurance Policies (For Transferring Operational Risk)

The Bank adopts a ‘risk transfer strategy’ for low probability - high impact events and uncontrollable Operational Risk events such as damage to physical assets by natural disasters, fire etc. Accordingly, the Bank has transferred insurable risks by obtaining insurance policies from reputed insurance providers covering assets of the Bank against possible harm from natural causes and other hazards, external and internal frauds. etc.

Controllable Operational Risks such as errors/ omissions, information security incidents and losses incurred in facilitating electronic payment mechanisms have been insured where the possible loss value exceeds a certain threshold. All insurance policies obtained by the Bank have been reviewed by the Operational Risk Unit regularly to ascertain the adequacy of insurance cover against various risks associated with the banking operations.

Outsourcing

Certain functions have been outsourced by the Bank after carefully evaluating the risk factors and carrying out cost-benefit analysis of such decisions in accordance with the outsourcing policy. All outsourced functions are covered by agreements executed by the Bank with the relevant vendors.

The Bank carries out regular reviews of the outsourced vendors including due diligence tests and Business Continuity Plans adopted by the service providers. Details of all outsourced functions are reported to the Central Bank of Sri Lanka annually.

Employment of Technology

Upgrading of existing Information Technology systems including the core-banking system and implementation of new software solutions is being done as and when required. These software solutions are implemented/upgraded in a timely manner to avoid any technological obsolescence which could result in potential operational losses to the Bank. All modifications to the existing systems and the implementation of new systems are routed through proper approving channels with recommendations of the Information Systems Audit and IT Risk to ensure that all the required security measures and controls are in place before they are put into use.

During the year, the Bank acquired an Operational Risk Management software solution to enhance effectiveness of the Operational Risk Management Framework. This particular software covers loss data collection and reporting, Risk Control Self Assessment (RCSA), Key Risk Indicators (KRIs), Operational Risk capital calculation etc., which will ultimately increase Operational Risk Management capabilities.

Business Continuity Plan (BCP)

A comprehensive disaster recovery process covering all business units of the Bank has been laid down under the Business Continuity Plan (BCP) which is regularly reviewed/ updated by the BCP Committee of the Bank. Present BCP of the Bank consists of following
key areas:

• Emergency guidelines for banking services
• Risk assessment worksheets
• Emergency response procedure
• Call Trees
• Site and road plans

Further, independent risk assessments of the BCP have been carried out by the Operational Risk Unit as well as the Internal Audit in order to ensure the effectiveness of the Bank’s BCP and to verify its conformity to regulatory guidelines.

Analysis of Loss Events

The Operational Risk Unit (ORU) of IRMD is maintaining an Operational Risk loss event database of the Bank by collecting losses reported from various units, including losses without any financial impact and ‘near misses’. ORU is analysing such data to ascertain trends, patterns of recurring losses in order to identify potential risks in advance, and to adopt proactive mitigatory measures to prevent/minimise potential losses.

The loss data has been recorded according to the Basel event types under each business line as per the regulatory guidelines. Bank has successfully collected loss data for a period of six years which is one of the major components in moving towards advance approaches in Operational Risk capital calculations in future as prescribed by Basel II, subject to regulatory approval.

Following charts indicate the percentages of Operational Risk losses incurred by the Bank under each business line/category during the year 2013.

 

Similarly to the last year, most of the losses with financial impact come under the business line of ‘Retail Banking’ followed by losses reported under the business lines of Payment and Settlements while losses relating to other business lines are negligible.

The following graphs depict the comparison of operational losses reported during the last three years under each Basel loss event type in terms of value and number of occurrences.

Operational Loss Events by Category - Percentage of Total Losses by Number of Events

High frequency of loss events of the Bank are with very low financial impact which is in line with the loss patterns observed during last few years. Individual events with monetary values less than Rs. 100,000/- accounted for more than 97% of the total loss events for the year 2013. Loss category of ‘Execution, Delivery and Process Management’ which mainly consists of lower value losses relating to cash and ATM operations in over 850 delivery points in Sri Lanka and Bangladesh accounted for the major portion of the loss events for this year as well. However, average operational loss events for the year under review is mere 0.002% of average number of transactions carried out during the period, which is a further improvement compared to the last year’s statistics.

Operational Loss Events by Category - Percentage of Total Losses by Value

As in previous years, the loss type of ‘Execution, Delivery and Process Management’ accounted for the highest percentage of loss values for the year 2013. Loss categories of ‘External Frauds’ and ‘Damages to Physical Assets’ are next in line when considering the loss values for the year. However, as stated under ‘Operational Risk Appetite and Tolerance’, gross value of the total operational losses for the year (which includes even the losses recovered in full and ‘near-miss’ incidents reported) as a percentage of average gross income for the last three years (based on the income considered for the calculation of capital requirement for Operational Risk) is extremely low at 0.18% when compared to the capital allocation of 15% under the Basic Indicator Approach of capital computation as per Basel II. Sound and effective systems/controls in place and proper implementation of the Operational Risk Management Framework by the Bank are the major contributory factors for these exceptionally lower levels of Operational Risk related losses reported during the last few years.

Computation of Operational Risk Requirement under The Standardised Approach

Parallel computation of capital required for Operational Risk under The Standardised Approach (TSA) is being carried out along with the Basic Indicator Approach (BIA).

Operational Risk requirement as per Basic Indicator Approach for the year 2013 would be Rs. 4,097.2 Mn.

Capital required for Operational Risk of the Bank for the year 2013 as per TSA is computed as follows:

Business Line	Weighted Average Rate		Capital Requirement
	(%)		Rs. Mn.
Corporate Finance	18		66.6
Trading and Sales	18		405.8
Payment and Settlements	18		36.1
Agency Services	15		Nil
Asset Management	12		Nil
Retail Brokerage	12		Nil
Retail Banking	12		1,991.9
Commercial Banking	15		1,183.6
Total Requirement			3,684.0

IT Risk Management

Introduction and Objectives

Over the years, Information Technology (IT) has become the backbone of the strategic business model of the Bank. Information and Communication Technology is considered to be the critical success factor of the Bank in effectively and efficiently delivering services to its customers. Consequently, risk management plays a critical role in protecting the Bank’s IT infrastructure and resources from potential vulnerabilities.

In this context, the Bank recognises the significance of implementing an appropriate Information Technology Risk Management (IT Risk Management) Framework to sustain the operational continuity of mission critical IT systems and resources, whereby all significant IT risks are identified, measured, assessed, prioritised, treated, managed and monitored in a consistent and effective manner across the organisation.

The Bank is on a journey to embed robust IT Risk Management practices, culture and environment beyond regulatory compliance as a value driver that enhances and contributes to stakeholder value.
As part of this initiative, the Bank introduced a dedicated, independent IT Risk function under the Operational Risk Unit in 2012, becoming the pioneering local Bank to undertake such initiative.

IT Risk Management Process

Organisation Structure

The Bank is embedding and continuously improving upon a robust IT Risk Management Framework based on the principle of ‘three lines of defence’ in risk management.

 

The ‘first line of defence’ is the IT line management and relevant business units with the primary responsibility for risk identification, assessment, mitigation, management and compliance with standards and policies.

The IT Risk function constitutes the ‘second line of defence’ with responsibility for establishing frameworks, standards and policies, and providing independent oversight of the IT Risk management activities of the ‘first line of defence’.

The IS/IT Audit and Compliance functions serve as the ‘third line of defence’ by providing independent assurance on the adequacy and effectiveness of IT Risk management.

Based on this partnership model, IT Risk is managed within acceptable levels through appropriate management focus and resources aimed at minimising IT-related losses in the Bank.

IT Risk-Related Committees

The Board of Directors of the Bank has the ultimate accountability for the risk and related control environment, and is primarily responsible for exercising oversight over the effective management of all Operational Risks, including IT Risk. The Board’s responsibilities are discharged through the Board (BIRMC) and Management (EIRMC) Committees, assisted by several other IT Risk-related committees that include the Board Technology Sub-Committee, IT Management Committee, BCM Steering Committee and the Information Security Council in effectively deploying the IT Risk Management Framework and capabilities to achieve strategic objectives of the Bank.

Policy Framework

Bank's IT Risk Management Framework consists of the core elements which include a comprehensive IT Risk Management Policy that complements the Information Security Management Policy, related processes, objectives and procedures, IT Risk Management organisational structure, Key IT Risk Indicators (KIRIs) and other monitoring and review structures.

The Bank focuses on preventive and proactive IT Risk management practices rather than a reactive approach. Risk and vulnerabilities are identified through a systematic process of risk evaluation and management practice, while documented policies and procedures are used to drive the daily operations of the Bank to effectively manage the IT Risk exposures.

IT Risk Assessment and Evaluation

IT Risks are constantly changing, as are the approaches and techniques used in managing them, which include constant monitoring and risk assessment. IT Risk assessment is used to determine the risks associated with the Information Technology infrastructure and operations of the organisation.

The Bank has implemented a systematic IT Risk evaluation process through the use of proven risk assessment methodologies which identify key risk areas, in order to derive controls necessary in reducing/mitigating such risks to an acceptable level. These methodologies include an array of tools and techniques such as IT Risk Registers, Risk Control Self-Assessments, results of independent IT Risk assessments and audit findings, analysis of information security incidents. Internal and external loss data are also employed for IT Risk identification and assessment purposes.

The formal risk assessment aspect of the Bank’s IT operations has been further strengthened by integrating IT Risk Management into various phases of the System Development Life Cycle (SDLC). IT Risk feedback is also provided for the Bank’s Information Security Management System (ISMS) established as per ISO/IEC 27001 Information Security Standard and related policies targeting continuous improvement.

IT Risk Mitigation

Risk mitigation involves prioritising, evaluating, and implementing the appropriate risk-reducing controls or risk treatment techniques recommended from the risk identification and assessment process. The Bank has implemented a range of controls including technical, operational and management controls required to mitigate its identified IT Risks and potential vulnerabilities.

The regular collection and analysis of information security incident related data by the IT Risk function has lead to greater awareness of the Bank’s IT Risk profile by relevant employees at various levels in the organisation enabling them to provide clear guidance and direction on mitigating IT Risks in a proactive manner.

Disaster Recovery Plan

As part of the overall Business Continuity Management (BCM) process of the Bank, a Disaster Recovery Plan (DRP) focused on technical functionality and continuity of the IT systems and infrastructure is in place. Events that can cause interruptions to key business processes and their impacts are identified in the DRP, and redundancies are built-in to ensure continuous service to customers during any such instances. A framework exists where the DRP is regularly reviewed, updated and tested by the DRP and BCP Committees, under the guidance of the BCM Steering Committee.

An Information Technology disaster recovery site has been established in a geographically separate location from the primary site, allowing continuous operations in an unlikely event of the primary site becoming inaccessible or unavailable. The existing infrastructure is resilient to handle disaster situations and management of crisis. This disaster recovery facility is compliant with ‘ISO/IEC 27001 Information Security Standard’ and is annually verified by both external and internal auditors. Alternate sites have also been established to carry out key business operations in case of an emergency, and functionality of these sites are reviewed regularly by internal and external auditors and IRMD.

Training and Awareness

Training and awareness has also been considered as an integral component of the implemented IT Risk Management Framework, where the importance of creating a risk-conscious and information security-aware culture has been afforded much emphasis. Accordingly, an organisation-wide training initiative to influence positive behavioural change for all employees towards IT Risk and information security awareness, leading to create a more secure environment was implemented during the year under review. Under this initiative, comprehensive IT Risk awareness workshops have been conducted for the Corporate and the Senior Management as well as the Middle Management of the Bank.

IT Risk Monitoring and Reporting

Realising that risk management relies heavily on effective monitoring, the IT Risk function carries out continuous, independent risk monitoring, which involves comparing the actual risk levels with criteria established by the Bank's risk appetite and tolerance levels.

For the purpose of articulating the IT Risk appetite, the Bank has defined a list of Key IT Risk Indicators (KIRIs) along with corresponding thresholds that are set according to what level is deemed ‘Tolerable’, ‘Alert’ and ‘Unacceptable’. The KIRIs are periodically reviewed by the IT Risk function, and risks that are outside the set thresholds receive a higher level of management attention in order to initiate corrective action as necessary. The KIRI review process involves monitoring a range of indicators including information security-related incidents, supplemented by trend analysis that accentuates high-risk or emerging issues so that prompt action can be taken to address them.

Significant external events or internal failures that have occurred are also being analysed to identify the root cause of such incidents for remediation and mitigation. Actual IT loss events are systematically recorded for informed decision-making.

Further, an array of automated tools such as Security Information and Event Management Systems, Intrusion Detection and Prevention Systems, Transaction Monitoring Tools etc. are utilised by the IT, IT Risk and IS Audit functions to continuously check the effectiveness of information security controls and understand any security risks faced by the systems in order to initiate necessary mitigation action.

Other Related Risks

Legal Risk

Legal risk, an integral part of Operational Risk, arises out of the legal implications of failed systems, people, processes or external events. Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.

Legal risk is managed by ensuring that applicable regulations are fully taken into consideration in all relations and contracts with individuals and institutions who maintain business relationships with the Bank. Risk of breaching the rules and regulations shall be managed by establishing and operating a sufficient mechanism for verification of conformity of operations with applicable regulations.

Legal risks of the Bank are monitored and reviewed regularly by the EIRMC and BIRMC under its Operational Risk Management Framework to mitigate potential risks.

Compliance and Regulatory Risk

Compliance risk is the risk of legal or regulatory sanctions, material financial loss or loss of reputation as a result of failure to comply with laws, regulations, rules and codes of conduct applicable to the banking activities.

Compliance function is in place to assess the Bank’s compliance with external and internal regulations. A comprehensive Compliance Policy has been implemented to strengthen the compliance function. The Compliance Risk is managed through the procedures adopted by closely monitoring the Bank’s compliance with all applicable laws, internal/ external regulations, codes of conduct and standards of good practice in carrying out its business activities. These include responsibility for ensuring that appropriate remedial or disciplinary action is taken if breaches are identified.

A quarterly exercise has been carried out by the Bank to confirm the compliance with mandatory banking and other statutory requirements and a report prepared consisting of confirmations from all Department/Unit Heads on adherence to the above requirements which have been verified by the Inspection Department. All exceptions are reported to the Board Audit Committee with copies to EIRMC/BIRMC and appropriate actions have been taken to minimise such exceptions in order to avoid any compliance issues.

Strategic Risk

Strategic risk of the Bank refers to the risk to its earnings and profitability that could arise from strategic decisions, changes in the business conditions and improper implementation of decisions. Thus, strategic risk could materialise due to internal or external factors that can cause reduction in shareholder value, loss of earnings, etc.

Strategic risk is managed by critically reviewing the strategic goals in the Bank’s well-defined Corporate Planning and Budgeting process and aligning the Vision and Mission statements to set a clear strategic direction. In addition to the above, strategic risk is measured through the detailed scorecard based qualitative model aligned to ICAAP to measure and monitor strategic risk. This scorecard based approach takes into consideration a range of factors, including size and sophistication of the Bank’s business model and the nature and complexity of its activities in measuring strategic risk and highlights the areas that need emphasis to mitigate potential strategic risks.

Reputational Risk

Reputational risk is multi-dimensional and it exists throughout the Bank. Further, it refers to the potential adverse effects which can arise from the Bank’s reputation being tarnished due to a wide array of actions, including failure to comply with regulatory or legal obligations, failure to deliver expected standards of service and products, unethical practices, failure to achieve financial performance targets, labour unrest, environmental breaches etc.

Reputational risk is broadly managed through the systems and controls adopted for all other risk types such as Credit, Market, Operational etc. including maintenance of high ethical standards and corporate governance. Further, reputational risk is measured through the detailed scorecard based model developed by the Bank to measure and monitor reputational risk under ICAAP. Timely actions are initiated to mitigate potential reputational risks by critically evaluating the criteria given in the said scorecard.

Basel II Pillar 2 and Internal Capital Adequacy Assessment Process (ICAAP)

In July 2013 the Central Bank of Sri Lanka issued Directions on the implementation of Supervisory Review Process for Licensed Commercial Banks (LCBs) and Licensed Specialised Banks (LSBs). The Direction focuses on the requirements for the Banks operating in Sri Lanka to develop and maintain a rigorous and well-documented Internal Capital Adequacy Assessment Process (ICAAP) according to its size, complexity and business strategies, proportional to its operations and risk profile and consistent with prudential requirements. These prudential requirements include: Board and Senior Management oversight, comprehensive assessment of risks, sound capital assessment, monitoring and reporting, internal controls and independent review.

Using the concepts of the Regulatory Capital and the Risk-Weighted Assets,
Pillar 1 of Basel II deals with the Capital Adequacy Ratio for Credit, Operational and Market Risks. Meanwhile Pillar 2 is based on four principles:

1. Bank’s own assessment of capital adequacy.
2. Supervisory review process.
3. Capital above regulatory minimum ratios.
4. Supervisory intervention.

With the establishment of capital requirement of Basel II, Pillar 1, capital has been allocated for certain inherent risks which are within the scope of the minimum capital requirement. Yet, there are residual risks arising out of some of these risks which are not covered under Pillar 1, and a number of other inherent risks which are not covered in Pillar 1 calculations. Both these risk aspects are addressed by the Internal Capital Adequacy Assessment Process (ICAAP) established in the Bank.

The first principle under Pillar 2 which states that the Bank should have a process for assessing total overall capital adequacy in relation to its risk profile and a strategy for maintaining their capital levels has been introduced through implementation of an ICAAP Framework in the Bank. This project was facilitated by a reputed overseas risk consultancy firm.

Whilst serving the primary objective of supporting the regulatory review process, ICAAP provides valuable inputs for evaluating the required capital compared to future business plans, thus setting target levels of capital over time, integrating strategic plans and risk management plans with capital plan in a meaningful manner. It also supports profit optimisation through proactive decisions on exposures both current and potential, through measurement of vulnerabilities by carrying out stress testing and scenario analysis to support proactive decision-making. Identifying gaps in managing qualitative but important risks such as reputational risks and strategic risks which are not covered under Pillar 1 is yet another business benefit for the Bank arising out of ICAAP.

Stress Testing

Stress testing refers to various techniques (quantitative and/or qualitative) used by the Bank to gauge its vulnerability to exceptional but plausible events and has become an essential component and a vital tool in risk management. It is also considered as an integral part of ICAAP under Pillar 2. Based on the concept of ‘proportionality and complexity’ and its applicability to the Bank, stress testing considers the size of the Bank, sophistication and diversification of its activities, materiality of different risk types and Bank’s vulnerability to such type of risk factors.

Stress testing also serves as an effective communication tool to Senior Management, Risk Owners and Risk Managers as well as Supervisors/Regulators where a broader view of all risks borne by the Bank, in relation to its risk tolerance and strategy in a hypothetical stress situation is provided.

The Bank has taken into consideration a number of factors such as historical data, the current portfolio mix, desired portfolio etc. in deciding the scenarios for stress testing. Stress testing framework has also focused on forward-looking hypothetical scenarios that cover issues and risks which may not be identified by evaluating past and present data alone.

All the material risks such as Credit Risk, Credit Concentration Risk, Liquidity Risk, Foreign Exchange Risk, Interest Rate Risk in the Banking Book using Economic Value of Equity (EVE) and Earnings at Risk (EAR) perspectives are covered under the stress testing framework.

The results of the stress testing are reported to the EIRMC and BIRMC on a quarterly basis for appropriate proactive decision-making if required.