
Stewardship

Risk Management

The perception of risk management is fundamentally changing within today’s institutions. It is no longer used purely as a control mechanism but as a critical input in the decision-making process. The industry continues to evolve rapidly, posing challenges from emerging technologies and business processes, new financial instruments, the growing scale and scope of financial institutions, and changing regulatory frameworks. Establishments in every industry and country are reminded all too frequently that they operate in a risky environment. The recent drop in commodity prices, stressed construction and manufacturing activities, natural disasters, data breaches and other cyber threats affecting core operations vividly illustrate the realities that organizations face, where the effects of such events can suddenly force them into worldwide headlines, creating complex enterprise-wide risk events that threaten reputation and profits.

At NDB, we believe that a banking organization needs a good risk governance structure in place. An enterprise-wide approach is appropriate for setting objectives across the organization, implanting an enterprise-wide culture, and ensuring that vital events and threats are being monitored on a regular basis and that ‘Risk Management’ remains prominent as a key strategic focus at all times.

As a provider of banking and financial services, risk is at the core of our day-to-day activities. The Bank’s risk philosophy is that risk should be taken in line with the Bank’s risk appetite and it should complement the Bank’s business strategy.

The business of banking naturally entails assuming ‘Risks’ in all business transactions. As a result, ‘Risk Management’ has gained prominence as a key strategic focus in managing banks effectively in today’s impulsive financial markets. The vision of risk management is to proactively assist the business in delivering superior shareholder value by ensuring an optimal trade-off between risks and rewards whilst upholding strong liquidity and adequate capital positions at all times combined with a robust asset quality. The operating model within the Bank encapsulates this vision and cascades the actions to fulfil same by promoting an organization-wide risk culture. Risk culture within the Bank aptly balances growth and risk, supported by a well-defined risk appetite, comprehensive integrated risk management framework, effective governance structure and appropriate tools to measure and manage risk.

The changing nature of today’s business world is increasing the scope and potential impact of the risks faced. The ability of a bank to take strategic initiatives within a predefined and consistent risk framework can be considered as a speciality that can make a difference in the Bank’s drive to ensure secure returns to all stakeholders in today’s competitive market scenario. Hence, the Bank has recognized that building its risk management capabilities is a ‘journey’ rather than a destination and is committed to maintaining and continuously improving its risk management framework and capabilities through a number of initiatives including substantial investments in IT, training and development of human resources. The management of risks inherent in the loan portfolio remained a focal point for the Bank in the current year, even as the Bank continued its strategy to expand the loan book to greater levels.

The Risk Profile of the Bank at a Glance

 

Our risk management capabilities have progressed encouragingly towards best in class and will continue to be strengthened and enhanced to create value and be a competitive advantage to support the Group’s aspirations.

 

 

 

 

Risk Mitigants
Concentration risk arising from equity market activities
  • Closely monitor share market movements. Internal policies on single/group borrower limits are more stringent than regulatory requirements.
Risk of Natural Disasters
  • In situations of natural disasters (both local and overseas), stress tests are carried out to assess the impact of such events on the portfolio, and appropriate action is taken to mitigate the risk. A formalized and tested Business Continuity Plan is in place, with the ability to switch over to the Disaster Recovery site.
Geopolitical events
  • We actively monitor the situations (e.g. US Policy rate normalization, recent ISIS terrorist threats, Syrian Civil War, China Slowdown, drop in commodity prices, situation in Russia and Ukraine, ban on fish exports to EU, declining oil prices in the global market etc.) that could have an impact and conduct regular stress tests of the impact of such events on our portfolios, which inform assessments of risk appetite and any need to take mitigating action. We also carry out rapid risk reviews of portfolios under stress.
Interest rate movements
  • We assess the Balance Sheet price sensitivity by stressing the interest rates on the assets and liabilities to monitor and manage the impact on the Bank’s Income Statement using modified duration calculations. The Bank’s securities portfolio is subject to daily mark to market valuations and stress testing (PVBP) and is managed within the set stop loss limits and duration limits to manage interest rate volatility. The impact of the trading portfolio is minimal because the Bank holds debt securities with short-term maturities.
Risk of fraud/Cyber Risk
  • We have a broad range of measures in place to monitor and mitigate this risk. Controls are embedded in our policies and procedures across a wide range of the Bank’s/Group’s activities, such as origination, recruitment, physical and information security.
Financial markets instability
  • We assess carefully the financial position of our counterparties and their credit rating (IDR) according to their systemic importance, when setting limits and adjusting our exposure levels accordingly. Portfolio valuations are carried out through mark to market exercises and ensure the results are within our predefined risk appetite. We maintain robust processes to assess the suitability and appropriateness of products and services we provide to our clients and customers.
Regulatory changes and compliance
  • We review key regulatory developments in order to anticipate changes and their potential impact on our performance. We respond both unilaterally and through our participation in industry groups to consultation papers and discussions initiated by regulators. The focus of these activities is to develop the framework for a stable and sustainable financial sector and economy. We use the Internal Capital Adequacy Assessment Process (ICAAP) to analyse and assess our capital requirements under stressed scenarios to maintain stability.
Exchange rate movements
  • We actively monitor exchange rate movements and adjust our exposure accordingly within our prudential limit framework. Stress tests are performed on a daily basis to ensure the least impact on the Financial Statements. Exposure to un-hedged positions is low, given internal policy and strengthened supervision by the regulators on minimizing open foreign currency positions. We assess the impact of exchange rate movements on our counterparties’ businesses and on their ability to meet debt obligations.
Risk arising from inability to meet maturing deposit liabilities
  • The Bank monitors a number of prudential liquidity ratios as per CBSL risk directions, which are discussed at ALCO and IRMC. Liquidity stress testing is carried out at regular intervals to identify any changes to liquidity measures of the Bank. The Bank has maintained a healthy liquidity position throughout the year and adhered to the Liquid Assets Ratio (LAR) and Liquidity Coverage Ratio (LCR) above the statutory requirement. The Bank’s dependence on short-term interbank borrowing was managed within the internally set money market borrowing limits during the year.

The Risk Organization

Risk Appetite, Objectives, Framework

Risk appetite is defined as the quantum of risk the Bank is willing to assume in different areas of business in achieving its strategic objectives and ensuring maintenance of desired risk profile. Maximum tolerance limits are set annually and reviewed monthly to capture any deviations. The risk appetite framework and risk tolerance limits have been defined by the Board in consultation with the Senior Management of the Bank in line with the Bank’s overall business strategy, providing clear direction to the business units for ongoing operations and risk management.

In the event that the risk appetite threshold is breached, risk management and business controls are implemented to bring the exposure level back within the accepted range. Risk appetite thus translates into operational measures such as limits or qualitative checkpoints for the dimensions of capital, earnings volatility, concentration risk, etc.

In order to effectively implement risk appetite, NDB has defined quantitative indicators (e.g. capital adequacy level and risk limits) or qualitatively embedded same in the policies and procedures (e.g. underwriting criteria).

Coverage of Risks

NDB has formulated its risk appetite covering the following categories: Bank Wide Level Risk Category Level, Credit Risk, Market Risk, Operational Risk, Concentration Risk, Liquidity Risk, Interest Rate Risk (in Banking Book) and Compliance Risk.

Integrated Risk Management Framework

The Bank’s approach to Risk Management is spelt out in the Integrated Risk Management Framework approved by the Board Sub-Committee for Integrated Risk Management and the Board of Directors. The framework sets out the process of identifying, measuring, monitoring and controlling the different types of risks, and the governance structure in place. The main objectives of the framework are:

  • To establish common principles, standards for the management and control of all risks and to inform behaviour across the Bank.
  • Provide a shared framework and language to improve awareness of risk management processes among all stakeholders.
  • To provide clear accountability and responsibility for risk management.
  • To ensure consistency throughout the Bank in risk management.
  • Define Bank’s risk appetite and align Bank’s portfolios and business strategy accordingly.
  • Optimize risk return decisions.
  • Maintain Bank’s capital adequacy and strong liquidity position.
  • Further strengthen governance, controls and accountability across the organization.

In addition to the main risks (viz. Credit Risk, Market Risk and Operational Risk), NDB has considered fourteen other risks which are material to it. These additional risk categories include Liquidity Risk, Interest Rate Risk in the banking book, Underestimation of Credit Risk in Standardized Approach, Residual Credit Risk, Concentration Risk, Compliance Risk, Legal Risk, Strategic Risk, Governance Risk, Cross-border Risk, Settlement Risk, Reputational Risk, Model Risk and Group Risk.

The Bank’s risk management framework is employed at all levels of the organization, and is instrumental in aligning the behaviour of individuals with the overall attitude to assuming and managing risk and ensuring that our risk profile is aligned to our risk appetite. In an attempt to cultivate risk-based decision making by the business lines, Group Risk Management Department plays an active role as a mentor and facilitator by instigating new ways of knowledge transfer, and it is one of the core values of the department’s culture.

Group Risk Management

The Bank together with its subsidiaries, in the process of financial intermediation are confronted with various kinds of financial and non-financial risks such as credit, interest rate, foreign exchange rate, liquidity, equity price, commodity price, legal, regulatory, reputational, operational, etc. These risks are highly interdependent and events that affect one area of risk can have consequences on a range of other risk categories. Thus, considerable importance is given to improve the ability to identify, measure, monitor and control the overall level of risks undertaken.

Aggregating the risks of Group Companies remains a challenge due to their diverse business models and risk profiles. The Group Companies are engaged in investment banking, capital market activities, unit trust management and property management activities. However, the Bank believes the ‘Group Risk’ is greatly mitigated as:

  • NDB’s capital at risk is limited to the amount invested in these companies in the form of equity, at the time the companies were incorporated.
  • There is representation by NDB’s Directors/Key Management Personnel on the Boards of Directors/Board Audit, Risk and Compliance Committee of its subsidiaries, thereby ensuring full and sufficient knowledge of subsidiaries’ operations and risk profiles.
  • Due to the governance structure mandated by the laws governing banking and limited liability companies, all inter-company transactions are at arm’s-length and full disclosure of such transactions is made.
  • Natural mitigation from the fact that the Bank is the holding company and owns the largest Balance Sheet in the Group.
  • NDB Securities Ltd. and NDB Wealth Management Ltd. being Licensed Stock Brokers and Unit Trust Managers are regulated by the SEC.
  • Risk reporting framework by Group Companies to centralized Group Risk Management of NDB/IRMC/Board for review/corrective action.

Each Group Company remains responsible for the management of risks, including associated controls and ongoing monitoring processes. Risks identified by Group companies are reported to Group Risk Management Department on a monthly basis through appropriate risk indicators (using a Risk Dashboard) and management information for review and escalation. Top risks and associated mitigants are also highlighted.

The main risk categories being reviewed are as follows:

  • Investment/Credit Risk
  • Operational Risk
  • Market Risk
  • Liquidity Risk
  • Interest Rate Risk
  • Concentration Risk
  • Regulatory/Compliance Risk
  • Legal/Reputation Risk
  • Strategic Risk
  • Any other risks relevant to the specific line of business of the Group Company

All Group Companies are required to have relevant policies and limits for monitoring purposes and to ensure that risks are within acceptable levels/in-line with its risk appetite. All risk-related policies of the Group Companies are vetted by Group Risk Management Department to ensure compliance with the regulatory requirements and internal policies applicable to the Bank. Hence, allocation of separate capital for Group Risk is not required.

 

Risk Governance

The Bank’s Board of Directors has the overall responsibility for risk management and sets the tone at the top, for an effective management of risks through its risk appetite. In discharging its governance responsibility, it operates through two key committees, namely the Integrated Risk Management Committee (IRMC) and the Board Audit Committee (BAC) which have been formed in compliance with the CBSL Direction No. 11 of 2007 on Corporate Governance. The Bank believes in combining the specialized knowledge of the business units and risk professionals in forming sub-committees for the management of risks.

 

 

Group Risk

The Bank’s Risk Management Division is independent of the business units. It monitors and reports directly to the Integrated Risk Management Committee and the CEO. Several units within the Risk Division contribute to the management of risk and co-ordinate across the business functions to guarantee risk management is impeccably integrated into the Bank’s corporate culture.

Risk Capital Governance

Sustained Profitability and Capital Management

The strategy of the Bank is ensuring sustained profitability through good and bad times. The need of the economy is resilient banks which create shareholder value. BASEL regulations have been introduced worldwide to ensure resilience of the individual banks as well as the banking system as a whole.

Basel II

The Bank is fully compliant with the BASEL II regulatory requirements.

 

Journey Towards Advanced Approaches of Pillar I

The Bank has already embarked on its journey towards advanced approaches of minimum capital computation under Pillar I in order to optimize capital allocation. Thinking ahead, the Bank is in the process of automating its capital computation process in terms of Credit and Market Risks. This pioneering strategic move will help the Bank to optimize usage of shareholder capital, which will be critical in the next few years for all banks. Automating the manual process will ensure accuracy and better conformance to guidelines.

Credit Risk – The Bank is currently using the Standardized Approach for capital computation for Credit Risk. With the intention of moving to Internal Rating Based Approaches, the Bank has rolled out rating models with the assistance of CRISIL Risk and Infrastructure Solutions Ltd., India. The system supports the Probability of Default (PD) and Loss Given Default (LGD) computations.

Market Risk – The Bank uses The Standardized Approach for capital computation for Market Risk. The Bank has already rolled out its VaR models and is ready to move to advanced approach of capital computation for Market Risk on receipt of guidelines from the regulator.

Operational Risk – The Bank is currently using the Basic Indicator Approach for operational risk capital computation. The Bank has also started parallel computation of capital requirements as per The Standardized Approach (TSA) as well as the Alternative Standardized Approach (ASA) and is planning to move to ASA during 2016.

 

 

ICAAP Framework

Capital helps protect individual banks from insolvency, thereby promoting safety and soundness in the overall banking system. Minimum regulatory capital requirements under Pillar 1 establish a threshold below which a sound bank’s regulatory capital must not fall. The Pillar 2 (Supervisory Review Process – SRP) requires banks to implement an internal process, called the Internal Capital Adequacy Assessment Process (ICAAP), for assessing their capital adequacy in relation to their risk profiles as well as a strategy for maintaining their capital levels. The Pillar 2 also requires the supervisory authorities to subject all banks to an Evaluation Process/Supervisory Review Process (SRP), and to initiate such supervisory measures on that basis, as might be considered necessary. NDB has in place an ICAAP and has adhered to same from January 2013. ICAAP process has strengthened the risk management practices and capital planning process.

Stress Testing

The Bank has in place a comprehensive Stress Testing Policy and Framework in line with the regulatory guidelines as well as international best practices. The policy describes the purpose of stress testing, the governance structure and the methodology for formulating stress tests, whilst the framework specifies in detail the Stress Testing programme including the tolerance limits and remedial action.

Stress testing is the process of determining the change to a portfolio due to the occurrence of extreme realistic events. Management reviews the outcomes of the stress tests and, where necessary, determines appropriate mitigating actions such as reviewing and changing risk appetite in order to manage the risks identified by potential stresses.

Stress Testing Methodology and Results

| Item | Amount (LKR million) |
|---|---|
| Regulatory Capital | |
| Core Capital | 20,018 |
| Capital Base | 29,614 |
| Calculation of Risk-weighted Amount | |
| Credit Risk | 207,510 |
| Market Risk | 10,161 |
| Operational Risk | 17,491 |
| Calculation of Capital Adequacy Ratios (%) | |
| Core Capital Ratio | 8.51 |
| Total Capital Ratio | 12.59 |

Credit Risk Stress Testing

The Bank has implemented stress tests to measure the resilience of its lending portfolio to adverse movements by applying low, moderate and high impact shocks on hypothetical scenarios.

The details of credit risk stress testing are given below:

| Stress test | Scenario 1 | Scenario 2 | Scenario 3 |
|---|---|---|---|
| 1. An increase in the NPLs in the loan book | 5% Increase | 10% Increase | 20% Increase |
| Revised CAR % | 12.5 | 12.4 | 12.2 |
| 2. A negative shift in NPL categories on the Bank’s credit portfolio | 50% Increase | 80% Increase | 100% Increase |
| Revised CAR % | 12.5 | 12.4 | 12.4 |
| 3. Fall in FSV of mortgaged collateral in credit portfolio | 10% Decline | 20% Decline | 40% Decline |
| Revised CAR % | 12.6 | 12.6 | 12.6 |
| 4. Default of Large Borrowers | Default of Top Borrower | Default of Top 2 Borrowers | Default of Top 3 Borrowers |
| Revised CAR % | 12.0 | 11.6 | 11.4 |
| 5. Default by the Largest Group | Default by Top member of the Group | Default by Top 2 members of the Group | Default by all members of the Group |
| Revised CAR % | 12.2 | 12.2 | 12.2 |

Market Risk Stress Testing

Losses beyond the confidence level are not captured by certain models, which therefore give no indication of the size of unexpected losses in these situations. This is complemented by regular stress testing of market risk exposures to highlight the potential risk that may arise from extreme market events that are rare but plausible.

Stress testing is an integral part of the market risk management framework and considers both historical market events and forward-looking scenarios, to give early warning signals to align the business and take appropriate action in a proactive manner. A consistent stress testing methodology is applied to trading and non-trading books. The stress testing methodology assumes that scope for management action would be limited during a stress event, reflecting the decrease in market liquidity that often occurs. Stress scenarios are regularly updated to reflect changes in risk profile and economic events. Regular stress test scenarios are applied to interest rates, liquidity ratios, exchange rates, commodity prices and equity prices. Ad hoc scenarios are also prepared reflecting specific market conditions and for particular concentrations of risk that arise within the businesses.

Bank’s Foreign Currency Net Open Position Stress Test Results as at 31 December 2015

Bank’s net foreign currency position is tested on a daily basis under four stress scenarios giving shocks of 5%, 10%, 15% and an extreme shock of 25% to the exchange rate to arrive at the maximum loss scenarios the Bank is exposed to and is monitored against the limits set.

The limit is set at the minimum level of shock (Scenario 1) as an early warning, at which the Bank will take action to ensure that it does not surpass the first level of shock and reach worst case scenarios.

Bank’s Foreign Currency DBU Net Open Position and Stress Test Results as at 31 December 2015

| As at 31 December 2015 | Net Position USD/LKR | Scenario 1 USD/LKR | Scenario 2 USD/LKR | Scenario 3 USD/LKR | Scenario 4 USD/LKR |
|---|---|---|---|---|---|
| Magnitude of Shock (Adverse) | | 5% | 10% | 15% | 25% |
| Spot Rate Movement | 144.00 | 136.80 | 129.60 | 122.40 | 108.00 |
| Net Open Position – DBU, Profit/(Loss) (LKR) | 600,067 | (4,320,480) | (8,640,959) | (12,961,439) | (21,602,398) |


The stress results of the Bank’s overnight Net Open Position are managed well within the risk limit and monitored on a daily basis.

Liquidity Stress Test Results as at 31 December 2015

Liquidity stress testing is carried out under three different scenarios which cover Bank-specific and System-specific conditions, where different magnitudes of shocks are given to liability portfolios to ensure that the Bank’s assets are sufficient to meet the liquidity stresses. The results are monitored against the limit, and the minimum level of result (at 3%) will be considered as the management action point.

The Bank managed to maintain a healthy Liquid Assets Ratio well above the internal limit which is more stringent than the regulatory limit.

Stress Testing for Liquidity Risk

| | % |
|---|---|
| Bank’s Liquid Assets Ratio (DBU) as at 31 December 2015 | 22.24 |
| Bank’s Liquid Assets Ratio (FCBU) as at 31 December 2015 | 24.91 |

 

Stress Testing on Liquid Assets Ratio

Magnitude of Shocks on Liquid Assets Ratio: Revised LAR after Relevant Shocks

| Scenario No. | Stress Scenarios | 3% | 5% | 10% |
|---|---|---|---|---|
| 1 DBU | Adverse Impact on MM & Institutional Borrowings/Drop in Market Liquidity (Market Specific) (%) | 21.65 | 21.25 | 20.24 |
| 1 FCBU | Adverse Impact on MM & Institutional Borrowings/Drop in Market Liquidity (%) | 24.59 | 24.37 | 23.82 |
| 2 DBU | Run Down on CASA & Time Deposits (%) | 20.63 | 19.52 | 16.61 |
| 2 FCBU | Run Down on CASA & Time Deposits (%) | 23.71 | 22.89 | 20.75 |
| 3 DBU | Impact on Total Liquid Liabilities (%) | 20.02 | 18.46 | 14.30 |
| 3 FCBU | Impact on Total Liquid Liabilities (%) | 23.38 | 22.32 | 19.53 |

Operational Risk Stress Testing

The Bank conducts stress tests for operational risk by computing the Operational Risk Value at Risk (Op VaR). Op VaR is calculated at Bank level based on 445 loss data points collected as at 31 December 2015, considering the whole Bank as a single Operational Risk Category (ORC). The calculation includes two broad steps:

  i. Data Analysis
  ii. Frequency Analysis

The Bank uses Monte-Carlo simulation to generate aggregated distributions (by combining frequency and severity distribution) of operational losses for given loss data (with 99.9% confidence interval and 110,000 simulation runs). The Op VaR calculated as at 31 December 2015 was LKR 23.89 million.

The Op VaR under stressed conditions in LKR million is as follows:

| 5% | 10% | 15% |
|---|---|---|
| 25.09 | 26.28 | 27.48 |

The above figures are significantly lower than the operational risk capital allocated under the Basic Indicator Approach (BIA). Hence no additional capital is required under stressed conditions.

When the Bank calculates its operational risk capital requirement under the BIA, the average of 15% of the annual gross income over the preceding three years is considered. If the annual gross income is negative or zero, it is excluded from both the numerator and denominator when calculating the average capital charge. The Bank also performs BIA-based stress testing on the assumption that operational risk losses have a direct relationship with the gross income of the Bank, considering three levels of shocks ranging from a mild shock of 1% to a severe shock of 3%. The stressed Op Risk capital considering a severe shock was LKR 349 million as at 31 December 2015.

Basel III

BASEL III is the new global regulatory standard on managing capital and liquidity of banks. With the introduction of Basel III the capital requirements of banks will increase with an aim to raise the quality, quantity, consistency and transparency of capital base and improve the loss absorbing capacity. The Bank is already in compliance with Basel III requirements on capital and liquidity coverage.

 

Optimal risk reward pay-off and maximization of returns are key focuses of our credit risk management endeavours

 

Credit Risk

Credit risk is the risk of financial loss if a customer or counterparty to a financial instrument fails to meet a payment obligation under a contract. It arises principally from direct lending, trade finance and leasing business and also from off-balance sheet products such as letters of credit and guarantees. Credit risk generates the largest regulatory capital requirement of the risks we incur. The Bank manages the credit risk in the entire portfolio as well as individual credits or transactions.

Objectives of Credit Risk Management

  • Ensure optimal risk-reward pay-off for the Bank and to maximize returns
  • Maintain the quality of the portfolio by minimizing the non-performing loans and probable losses
  • Prudently manage its risk asset portfolio to ensure that the risk of excessive concentration to any industry, sector or individual customer is minimized and thereby maintain a well-diversified portfolio
  • Ensure that exposures to any industry or customer are determined by the regulatory guidelines, clearly defined internal policies, debt service capability and balance sheet management guidelines
  • Avoid all situations of conflict of interest and report all insider-related credits to appropriate bodies

Realignment of Structure to Better Meet Objectives of Credit Risk Management

In the current regulatory context, it has become necessary to make a clear distinction between pre credit review/approval and post credit review functions in the Bank. Earlier, both functions were combined within the Group Risk Management department. An independent pre credit review division was established to further strengthen the pre-approval process and make it independent from post credit review function in the Bank.

Further, a Loan Review team was formed within the Group Risk Management Department to carry out the Loan Review Mechanism (LRM) as prescribed by the regulator.

The objectives of LRM are:

  • Promptly identify loans with potential credit weaknesses.
  • Identify relevant trends that affect the collectability of the portfolio and isolate segments of the portfolio that are potential problem areas.
  • To appropriately grade or adversely classify loans especially those with well-defined credit weaknesses that jeopardize repayment, so that timely action can be taken and credit losses can be minimized.
  • Evaluate activities of lending personnel including their compliance with lending policies and the quality of their loan approval, monitoring and risk assessment.
  • Assess the adequacy of and adherence to internal credit policies and loan administration procedures and to monitor compliance with relevant laws and regulations.
  • Provide IRMC and the Board of Directors with an objective and timely assessment of the overall quality of the loan portfolio and that regulatory obligations are met in terms of credit management.
  • Provide management with accurate and timely credit quality information.

The Loan Review function operates independently, reporting to the IRMC of the Bank. Its responsibilities extend to providing rational, objective and professional comments, observations for remedial action to be considered for implementation by line management.

A Loan Reviewer’s responsibilities also extend to reviewing the adequacy of action taken in respect of recommendations made in credit review reports.

Process

At NDB credit risk management is considered to be a value addition activity rather than being confined only to a regulatory compliance function.

Credit Policy

The Bank has a well-defined credit policy approved by the Board of Directors. The policy:

  • Defines the credit culture of the Bank
  • Specifies target markets for lending
  • Specifies prohibited lending which the Bank under no circumstances will entertain due to either the very high risks involved in such proposals and/or their negative social/ethical considerations
  • Sets acceptable risk parameters
  • Sets remedial and recovery actions

Structured and Standardized Credit Approval Process

Depending on the nature of the project/product standardized formats have been designed and evaluations are carried out by competent staff. There are clear guidelines set to ensure that

  • Credit is extended only to suitable and well-identified customers and never where there is any doubt as to their ethical standards and record, where the source of repayment is unknown or speculative nor where the purpose/destination of funds is undisclosed;
  • Never to take a credit risk where the ability of the customer to meet obligations is based on the most optimistic forecast of events;
  • Risk considerations shall have priority over business and profit considerations;
  • Ensure that the primary source of repayment for each credit is from an identifiable cash flow from the counterparty’s normal business operations or other financial arrangements; the realization of security remains a fallback option;
  • Adopt a pricing mechanism that reflects variation in the risk profile of various exposures to ensure that higher risks are compensated by higher returns;
  • The financial performance of borrowers is to be continuously monitored and frequently reviewed, as is the manner in which the borrower operates his accounts.

Delegation of Authority

Final authority and responsibility for all activities that expose the Bank to credit risk rests with the Board of Directors and the Board of Directors has delegated approval authority to the CEO to re-delegate limits to the Credit Committees and the Business Lines. All approval limits are name specific and are based on individual experience, facility type and collateral in order to ensure accountability and mitigate any judgmental errors.

  • There are two Credit Committees representing the Business Lines and these Committees comprise senior officers of business units.
  • The delegated authority limits are reviewed periodically and the Bank follows the ‘four-eyes principle’ (i.e. minimum of two officers signing a credit proposal).
  • Lending decisions are based on detailed credit evaluation carried out by Relationship Managers and reviewed/approved by designated approving authority.

Internal Risk Ratings of Obligors

The credit portfolio of the Bank is risk-rated using an internally developed system that takes into account quantitative as well as qualitative factors. The rating scale ranges from Triple A to B4 and the rating of every obligor is reviewed at least annually or more frequently if required. This rating system is used as a guide for account monitoring, CBSL provisioning and pricing.

The Bank has rolled out the new Internal Risk Rating system which runs on sophisticated work flow based software and hosts obligor risk rating, facility risk rating and retail score cards to suit the diverse client portfolios of the Bank. This move facilitates accurate quantification of expected loss of Bank’s portfolio and also complies with Central Bank Direction No. 07 of 2011 on Integrated Risk Management.

The Bank has deployed varying models to gauge the default risk associated with Large Corporate, Mid Corporate, SME and Non-Banking Financial Institutes. All these models are structured in a manner incorporating both quantitative and qualitative parameters to reflect the underlying probabilities of default.

The risk rating model implemented facilitates both obligor and facility rating. Whilst obligor rating will indicate the expected probability of default (PD), the facility rating indicates the expected loss given default (LGD). Expected probability of default takes into account the characteristics of the obligor assessed via industry, business, management and financial risk silos, whilst facility rating takes into account the type of the facility, nature of the collateral and realisability as well. Using the expected probability of default and the loss given default calculated via obligor rating and facility rating models the system facilitates arriving at an expected loss for a specific credit.

Risk Scoring

The Bank deploys custom made scorecards to underwrite consumer assets. These scorecards were developed using Bank’s own data and re-weighted to align them for more recent economic conditions. Such scorecards take into account the customer demographics, together with credit worthiness of individuals and disposable income in deciding the level of accommodation of credit. In addition to above, the Bank also carries out a pre-screening of employers of salaried employees who seek consumer credit from the Bank in order to ensure that their level of income generation will not get interrupted in the foreseeable future. In this way, the Bank acts more responsibly as such an approach would negate possibility of overspending by consumers based on uncertain future income.

Risk Pricing

The Bank also views pricing for risk as fundamental to credit risk management. Thus, steps have been taken to price the credit risk using more scientific methods and blending it with prevailing market sentiments to contain off-market operations. The newly implemented Internal Risk Rating system facilitates calculation of Risk Adjusted Return on Capital (RAROC). This enables the Bank to link capital to expected losses.

Post Sanction Review and Monitoring Mechanism

Post sanction review and monitoring is carried out to ensure quality of credit is not compromised. Any deteriorating credits with emphasis on internal and external early warning signals are identified and such accounts are ‘Watch Listed’. The Watch Listed clients are monitored closely with quarterly reports submitted to the Credit Committees. Further, based on the Watch Lists, the Bank assesses the Portfolio at Risk in the event such accounts deteriorate further. Non-performing assets are identified at an early stage, enabling management to take action as appropriate.

Prudential Limits

The industry and portfolio limits are set by the Board of Directors on the recommendation of the Group Risk Management department. Credit Risk Management monitors compliance with approved limits. Desired diversification is achieved by setting maximum exposure limits on

  • Single/group obligor limits – limits are more stringent than the limits set by the regulator and on a prudential basis, the off-balance sheet items are considered at face value instead of credit equivalent of such exposures.
  • Prudential Group Exposure Limit – considered based on the Bank’s exposure to a ‘Group of Related Parties’ and is capped at 60% of the Bank’s Capital Base.
  • Substantial Exposure Limits – this is in compliance with the Banking Act Direction No. 07 of 2011 on Integrated Risk Management Framework for Licensed Banks and the Bank has introduced a substantial exposure limit of 500% of the Tier II capital of the Bank.
  • Industry/economic sector limits – limits are imposed for lending to different sub-sectors in the economy. This is a control mechanism introduced recognizing that during various economic cycles, different sectors of the economy could face difficulties. At present the maximum exposure to a sub-sector is 15% of the Bank’s total exposure/limits.

Portfolio Management

Credit portfolio management is an important function within the overall credit risk management function. Need for such critical and objective portfolio management emanates from the need to optimize the benefits associated with diversification. It also helps the Bank to identify and address potential adverse impact of concentration of exposures. The Bank has a well-structured portfolio management mechanism which evaluates exposures on the basis of industry concentration, rating quality, internally established prespecified early warning indicators apart from regulator imposed quantitative ceiling on single borrower and aggregate exposure. Based on the feedback from the credit portfolio management, the credit origination criterion is amended prudently to insulate portfolios from further deterioration. The portfolio management team also undertakes, apart from regular portfolio reviews, stress tests and scenario analysis when the external environment, both local and global, undergoes swift changes.

Credit portfolio management envisages mitigating credit risks to a great extent by stipulating prudential risk limits on various risk parameters. As such, the Bank has established single borrower limit, limits for related party borrowings and aggregate limit for large exposures as prescribed by the regulators. Moreover, the Bank has also established maximum exposure limits to different industry segments. Such limits are clearly spelt out in the credit policy and the authority for permitting any deviations on an exceptional basis is also clearly documented. The Bank adopts a similar mechanism to assess the risks associated with off-balance sheet exposures. As part of the credit portfolio management and monitoring procedures, the exposures in off-balance sheet products such as FX Forwards, Guarantees and Letters of Credit are treated with utmost care.

KRIs supplement the overall portfolio management system, by providing a view of the credit risk of the portfolio as well as acting as an early warning system. Some of the KRIs monitored and reported to Board Integrated Risk Management Committee are given below:

| Indicator | Industry comparison | Purpose |
| --- | --- | --- |
| Portfolio of the Bank | Industry portfolio | To assess the trends in comparison with industry and measure performance against budgets/Risk Appetite |
| Market Share | | |
| NPL of the Bank | Industry NPLs | |
| NPL Ratio of the Bank | Industry Average NPL Ratio | |
| Provision Cover - % – Bank | Industry | |
| Open Loan Position | | |
| ROE % | | |
| TIER I % | | To assess compliance with Regulatory limits and the Bank’s Risk Appetite |
| TIER I & II % | | |

Credit Risk Mitigation

The Bank adopts various mechanisms to mitigate the credit risk of the loan book

  • Ways out analysis – the primary source is established through a conservative evaluation of whether the borrower’s realistic projected cash flows will be sufficient to repay their debts. This is further mitigated by a second way out in the event of unforeseen adverse circumstances and availability of collateral alone does not make an unacceptable proposal viable. Exemptions on collateral are allowed in the event the borrower demonstrates strong and reliable financial performance.
  • Documentation of credit transactions with adequate terms, conditions and covenants in a comprehensive and legally enforceable basis.
  • Obtaining of collateral in-line with the Bank’s policy and ensuring it is supported by enforceable documentation. Collateral policy differs from business line to business line, according to the products offered. The main types of collateral taken by the Bank are:
    • Immovable and movable property mortgages,
    • Plant, machinery and equipment,
    • Cash deposits,
    • Mortgages on stocks and book debts and
    • Corporate and personal guarantees.

It is the Bank’s policy to be on a pari passu status with other lenders. A decision to the contrary may be acceptable only where a non-pari passu position is accepted due to unavailability of security as a result of the Bank being a late entrant to the relationship and is supported by strong financial position of the entity financed. Facilities under Product Programmes are governed by guidelines given in such individual programmes.

In instances where facilities are granted without collateral, the Bank ensures that its position will not be subordinated to other creditors’ interests. In such instances, the Bank generally requires either a negative pledge agreement, not to encumber any assets without permission of the Bank or a pari passu clause, whereby the debtor will treat the Bank equally with respect to collateral with all current and future lenders.

The Bank has a panel of valuers who have been selected, based on the criteria set out by the Central Bank of Sri Lanka. The Bank ensures that the valuations are carried out and reviewed as follows:

  • Facilities in NPL:
    • For facilities granted against residential property occupied by the borrower for residential purposes: every four years
    • For all other NPL facilities: every three years
  • Performing facilities:
    • Watch listed clients with working capital facilities: every three years
    • Single A rated clients with working capital facilities: every five years

No value is considered if valuations are not in-line with the time frames set out as per the CBSL guidelines.

 

Impairment Losses on Loans and Receivables

A credit risk provision for loan impairment is established if there is objective evidence that the Bank will be unable to collect all amounts due on loans and receivables according to the original contractual terms.

Objective evidence that a loan is impaired includes observable data that comes to the attention of the Bank about the following loss events:

  • Significant financial difficulty of the customer
  • A breach of contract such as default of payment
  • Where the Bank grants the customer a concession due to the customer experiencing financial difficulty
  • It becomes probable that the customer will enter bankruptcy or other financial reorganization
  • Observable data that suggests that there is a decrease in the estimated future cash flows from the loans, to name a few.

The Bank determines the allowances appropriate for each individually significant loan or receivable on an individual basis, if there is any objective evidence of a loss based on the above. Items considered when determining allowance amounts include

  • The sustainability of the counterparty’s business plan,
  • Its ability to improve performance if it is in a financial difficulty,
  • Projected receipts and the expected payout should bankruptcy ensue,
  • The availability of other financial support,
  • The realizable value of collateral and the timing of the expected cash flows.

An allowance for loans and receivables is reported as a reduction of the carrying amount of a loan on the balance sheet. Additions to provisions for loan impairment are made through impairment losses on loans and receivables in the income statement.

The Bank assesses whether objective evidence of impairment exists for loans that are considered individually significant, i.e. all loans above LKR 100 million and collectively for loans that are not considered individually significant.

If there is objective evidence that an impairment loss on loans and receivables carried at amortized cost has been incurred, the amount of the loss is measured as the difference between the loans’ carrying amount and the present value of estimated future cash flows discounted at

  1. the loan’s original effective interest rate, if the loan bears a fixed interest rate, or
  2. current effective interest rate, if the loan bears a variable interest rate.

The estimation of the recoverable amount of a collateralized exposure reflects the cash flows that may result from Liquidation of Collateral where foreclosure is considered the likely course of action. The time, costs and difficulties involved in obtaining repayment through collateral should be taken into account when determining the recoverable amount.

For the purposes of a collective evaluation of impairment, loans are grouped on the basis of similar credit risk characteristics. Corporate and SME loans are grouped based on product type, economic sector and on days in arrears. Retail Banking loans are grouped, based on product type and number of days in arrears. Those characteristics are relevant to the estimation of historical loss experience for loans. Historical loss experience is adjusted on the basis of Probability of Default and Loss Given Default. The Bank also bases its analyses on economic factors and portfolio factors such as:

  • Economic factors
  • Historical experience
  • Unemployment rates
  • Historical losses on the portfolio
  • Changes in laws
  • Levels of arrears
  • Changes in regulations
  • Credit utilization
  • Other relevant consumer data
  • Loan to collateral ratios

The Bank may use the aforementioned factors as appropriate to adjust the impairment allowances. Allowances are evaluated separately at each Reporting date with each portfolio.

The Bank has in place a detailed impairment policy which was approved by the Board of Directors.

Credit Risk Analytics

Bank’s Portfolio at a Glance

Product Concentration

27% of Bank’s portfolio continues to be concentrated in commercial banking term loans. Bank maintained a healthy product wise portfolio composition.

PRODUCT WISE PORTFOLIO COMPOSITION AS AT 31.12.2015

PRODUCT WISE PORTFOLIO COMPOSITION – AVERAGE FOR 2015

Business Line Wise Composition

The business line wise composition of portfolio changed during the period in-line with the Bank’s long term strategy.

BUSINESS LINE WISE COMPOSITION OF THE PORTFOLIO AS AT 31.12.2015

Rated Portfolio Concentration

Bank’s portfolio continues to be concentrated on ‘A’ rated clients, based on the internal rating model used by the Bank and the composition was within the risk appetite of the Bank, set by the Board.

RATED PORTFOLIO COMPOSITION 2015 vs 2014

CONCENTRATION OF COUNTERPARTY EXPOSURES

Credit Risk Concentrations

Single Name Concentration

  • The Bank was in compliance with regulatory limits on Group and Single Borrower concentrations. The Bank was also in compliance with the internal limits set by the Board on Group and Single Borrower concentrations which are more stringent than those prescribed by the regulator.
  • The substantial exposures of the Bank accounted for only 73.4% of the capital base and were well within the internal limit. The top 20 clients accounted for only 18% of the portfolio and the concentrations were within the risk appetite set by the Board.
  • The Bank’s portfolio was not concentrated on a particular client or a Group.

Sector Concentration

The Bank maintained a well-diversified portfolio and the portfolio was not over concentrated on a particular sector. The Bank was also in compliance with the minimum lending requirement of 10% to the Agricultural sector, with 11% of portfolio concentrated on same as at 31 December 2015.

SECTOR WISE CONCENTRATION OF THE PORTFOLIO AS AT 31.12.2015

Concentration measured using Herfindahl-Hirschman Index (HHI), also indicated a decline in sector concentration.

CONCENTRATION MEASURED USING HHI

The Bank analyses sector wise NPL ratios and also monitors the concentration of borrowers in lower rating notches for a given sector to identify sector stresses in advance.

SECTOR-WISE RATED PORTFOLIO AS AT 31.12.2015

Geographical Concentration

Based on economic activities, the highest concentration is in Western Province though the branch network is spread throughout the country. Concentration in Western Province declined during the year due to disbursements to infrastructure and power projects funded by the Bank. Bank also funded cross border exposures in Uganda, Bangladesh, Cambodia and Maldives in line with the Bank’s long-term strategy, resulting in further diversification of the portfolio.

GEOGRAPHICAL CONCENTRATION OF THE PORTFOLIO AS AT 31.12.2015

COLLATERAL WISE CONCENTRATION AS AT 31.12.2015

Non-Performing Loans

The Bank’s NPL ratio has always been below the industry ratio, reflecting a better quality portfolio than most players in the industry.

GROSS NPL

Provisioning and Impairment

The Bank continues to maintain provision covers above the industry.

PROVISION COVER

SECTOR WISE INDIVIDUAL IMPAIRMENT AS AT 31.12.2015

GEOGRAPHY WISE INDIVIDUAL IMPAIRMENT AS AT 31.12.2015

Market Risk

Market risk is the potential loss in both On and Off-balance sheet positions, caused by movements in foreign exchange rates, interest rates, equity and commodity prices. In the ordinary course of business, banks deal in financial products such as deposits, short/long-term loans, borrowings, Debt/Equity Securities and Foreign Exchange transactions, which expose banks to Market Risk at different levels.

Objective of Market Risk Management

The primary objective of Market Risk Management (MRM) is to ensure that Business units of the Bank optimize the risk-reward relationship within the Bank’s predefined risk appetite and avoid exposing the Bank to unacceptable losses.

The activities of Market Risk Management are not directed purely at loss mitigation but also assist towards analyzing the interrelationship of risk, reward and capital. Thus, the focus is on assuring that risks are taken where it is most optimal, given the rewards and capital consumption.

Policy Framework for Market Risk Management

Risk monitoring is guided by a well-defined policy framework and limit structure designed to suit the business model and the balance sheet structure reflecting the risk appetite of the Bank. The Board supported by Integrated Risk Management Committee (IRMC), approves the risk parameters as recommended by the Assets and Liabilities Committee (ALCO) and Market Risk Management to facilitate the business needs.

The Bank’s comprehensive risk management framework covers the Market, Liquidity, Asset and Liability risks and proactively manages the exposures against the predefined risk parameters. Prudential internal limits have been defined for interest rate risk, price risks and exchange rate risks for close monitoring of exposures. All exposure limits are linked to the Bank’s capital base to ensure adequate and efficient capital allocation/planning. These limits are subject to annual review and are monitored on a daily, weekly and monthly basis. Where limits are exceeded, Market Risk Management is responsible for identifying and escalating those excesses to senior management on a timely basis.

Process

Market Risk Management defines and implements a framework to systematically identify, assess, monitor and report our market risk to support management on decision making and risk mitigation. Market risk managers identify existing and potential market risks by engaging with the business areas and through active portfolio analysis.

 

Our market risk management endeavours are aimed at the twin objectives of loss mitigation and optimizing the risk reward relationship within the bank's predefined risk appetite.

 

The Key Functions of Market Risk Management include Policy formulation, Risk Measurement methodologies, systems and control, reporting and communication.

  • Policy Formulation – Policy formulation/renewal are carried out considering the regulatory concerns and material changes on MRM/ALM – Asset Liability Management Limit monitoring process.
  • Risk Measurement methodologies – Exposures are assessed and limits recommended to ALCO for approval.
  • Risk Monitoring – All limits in force are monitored on predefined time bands.
  • Risk Reporting Communication & Approval – MRM/ALM risk activities are identified and monitored on a timely basis. This includes timely investigation and reporting of limit excesses for management action and approval within the delegated levels of authority.

ALCO, as the key Management Committee that regularly monitors the Market Risk exposures, initiates appropriate actions to optimize the Risk exposures within the Risk appetite of the Bank. In this regard, key functions carried out by ALCO include:

  • Review and recommend MRM/ALM policies, limits and guidelines for IRMC/Board approval
  • Management of the balance sheet and risks associated with it
  • Setting key balance sheet ratios/targets
  • Planning strategies for funding, buffer investments, hedging and trading etc.
  • Setting internal investment policies
  • Approve investments
  • Setting pricing policies (internal funds transfer and external product pricing).

Market Risk Measurement and Assessment

Market Risk Management aims to accurately measure all types of market risk by a comprehensive set of risk metrics reflecting economic and regulatory requirements.

In accordance with economic and regulatory requirements, we measure, monitor and control Bank’s exposures to market risk, given the size, complexity and risk profile of the Bank.

Key risk metrics:

  • Metrics for Market Risk Standardized Approach
  • Three types of stress tests: Portfolio Stress Testing, business level stress testing and event risk scenarios
  • Market risk economic capital, including traded default risk
  • Sensitivities
  • Market value/Notional (concentration risk)
  • Duration analysis, PVBP on Debt Securities Trading and AFS portfolios
  • FX Risk monitoring metrics

Selected KRIs are highlighted below, which provide a view of the Market Risk indicators, which are monitored and reported to Board Integrated Risk Management Committee.

| Indicator | Limit | Position as at 31 December 2015 |
| --- | --- | --- |
| Price Sensitivity of Balance Sheet – P/L impact for a 1% Change in Interest Rate (LKR million) | (500) | 176 |
| Mark-to-Market of Debt Trading Portfolio (LKR million) | (60) | (4.64) |
| Bank’s Consolidated Net Open Position +/- (USD million) | 13 | 0.47 |
| Stress Testing Results on DBU Net Open Position (LKR million) | (175) | (4.32) |

These measures are viewed as complementary to each other and in aggregate define the Market Risk Framework, by which all businesses can be measured and monitored.

Market Risk Analytics

Foreign Exchange Risk

Foreign exchange risk is the risk of losses arising through holding of assets and liabilities in foreign currency and due to the movements in foreign exchange rates against the base currency. The Bank is exposed to foreign exchange risk when its on and off-balance sheet assets and liabilities are not equal in a given currency or when the timing and certainty of the inflows and outflows differ.

The Bank possesses a Board approved foreign exchange risk management policy and a limit framework to ensure that the Bank maintains the Forex exposures within the risk parameters on a day-to-day basis. The policy framework consists of the roles and responsibilities, procedures, risk measurement framework, risk monitoring, reporting and controls taking into account the rules and regulations and the best practices on the FX market to mitigate foreign exchange risk.

Open Exposure Position Monitoring

Daily foreign exchange (FX) open positions are monitored to ensure that the Bank is operating within the regulatory limits as well as internal prudential limits on open exposures. Whilst the currency wise positions are being revalued on a daily basis, FX net open position (NOP) is subject to daily stress testing to assess the ability to withstand adverse impacts to the exchange rate variations and is managed within the set parameters. Apart from the regulatory limit, the Bank has set internal prudential Forex position limits consisting of daily Forex turnover limit, Daylight position limit, Forex Gap limits, Swap funding limit and Stop loss limits, to closely monitor and mitigate foreign exchange risk. Exposures are managed within the recommended/applicable limits.

DBU NET OPEN POSITION DURING THE YEAR

Foreign Exchange Position as at 31 December 2015
Columns: Currency; AL Position ’000; Spot Position ’000; Forward Position ’000; Overall Exposure in Respective Foreign Currency ’000; Absolute Positions in USD Equivalent ’000; Absolute Exposure in LKR ’000
US Dollar 62,185 (103) (60,972) 1,110 1,110 159,836
Pound Sterling (12,622) 12,624 2 3 399
Euro (14,540) 14,479 (60) 66 9,497
Japanese Yen 17,697 (76,184) (58,487) 486 69,940
Australian Dollar (23,136) 23,128 (8) 6 816
Canadian Dollar 657 657 474 68,215
Other Currencies (9,282) 8,868 (414) 821 118,179
Total Exposure 2,964 426,881
Total capital funds as per the audited Financial Statements as at 31 December 2015 29,613,941
Total exposure as a % of total capital funds 1.44%

Sensitivity Analysis

Daily sensitivity analysis is carried out on major foreign currency Net Open Positions (NOP) giving positive and negative shocks to the spot rates to determine the impact of exchange rate movements by way of profit or loss to the Bank’s Income Statement.

Exchange Rate Sensitivity of Major Foreign Currency Net Open Positions as at 31 December 2015

Spot Rate Shocks

| Currency | Net Open Position | LKR Depreciate -5% | LKR Depreciate -2.50% | LKR Depreciate -1% | Spot rate | LKR Appreciate 1% | LKR Appreciate 2.50% | LKR Appreciate 5% |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| USD | 1,109,969 | 7,991,780 | 3,995,890 | 1,598,356 | 144.00 | (1,598,356) | (3,995,890) | (7,991,780) |
| GBP | 1,869 | 19,827 | 9,913 | 3,965 | 212.21 | (3,965) | (9,913) | (19,827) |
| EUR | (60,350) | (471,700) | (235,850) | (94,340) | 156.32 | 94,340 | 235,850 | 471,700 |
| JPY | (58,487,255) | (3,498,579) | (1,749,290) | (699,716) | 1.20 | 699,716 | 1,749,290 | 3,498,579 |
| AUD | (7,759) | (40,653) | (20,327) | (8,131) | 104.79 | 8,131 | 20,327 | 40,653 |
| Total | | 4,000,673 | 2,000,337 | 800,135 | | (800,135) | (2,000,337) | (4,000,673) |

Interest Rate Risk (IRR)

Interest Rate Risk (IRR) is the exposure of an institution's financial commitments to adverse movements in interest rates. Changes in interest rates also affect the underlying value of the banking institution's assets, liabilities and Off-Balance Sheet instruments, as the present value of future cash flows (and in some cases, the cash flows themselves) change when interest rates change.

In order to manage the IRR, Bank has positioned the Balance Sheet into trading and banking books. While the assets in the trading book are held primarily for generating profit through short-term differences in prices/yields, the banking book comprises assets and liabilities, which are contracted basically for steady income generation and are generally held till maturity. Thus, while the price risk is the prime concern of banks in the trading book, earnings or economic value changes are the main focus of the banking book.

Bank’s trading portfolio mainly comprises securities (Treasury Bills/Bonds), and is subject to mark to market on a daily basis and is monitored against the set stop loss limits.

Interest Rate Sensitivity of the Balance Sheet as at 31 December 2015

The price sensitivity of the Balance Sheet was managed within the risk parameters whilst maximizing the market potential on interest sensitive assets and liabilities.

The maturity gap analysis of interest sensitive assets and liabilities distributed into a number of time bands according to their residual time to maturity is given below:

The Maturity Gap Analysis of Interest Sensitive Assets and Liabilities

| | Up to 1 Month LKR ’000 | 1 to 3 Months LKR ’000 | 3 to 6 Months LKR ’000 | 6 to 12 Months LKR ’000 | 1 to 3 Years LKR ’000 | 3 to 5 Years LKR ’000 | Over 5 Years LKR ’000 | Non-sensitive LKR ’000 | Total LKR ’000 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Assets | | | | | | | | | |
| Cash | 2,596,375.00 | | | | | | | | 2,596,375.00 |
| Due from banks | 17,377,025.39 | | | | | | | | 17,377,025.39 |
| Investments – current | 51,745,370.42 | 8,640,000.00 | 6,757,239.34 | 821,980.83 | 1,333,572.31 | 1,714,420.00 | | 2,104,116.81 | 73,116,699.71 |
| Investments – non-performing | | | | | | | | | |
| Loans and receivables – current | 57,381,716.64 | 32,930,184.92 | 13,818,478.37 | 13,604,195.91 | 42,438,264.70 | 25,057,247.89 | 22,225,078.31 | | 207,455,166.73 |
| Loans and receivables – non-performing | | | | | | | | 2,097,205.47 | 2,097,205.47 |
| Property, plant & equipment | | | | | | | | 2,270,236.10 | 2,270,236.10 |
| Other assets | | | | | | | | 3,504,176.84 | 3,504,176.84 |
| Total assets | 129,100,487.45 | 41,570,184.92 | 20,575,717.71 | 14,426,176.75 | 43,771,837.01 | 26,771,667.89 | 22,225,078.31 | 9,975,735.22 | 308,416,885.24 |
| Liabilities | | | | | | | | | |
| Capital | | | | | | | | 22,277,843.39 | 22,277,843.39 |
| Deposits | 76,046,426.35 | 45,315,507.35 | 26,460,833.99 | 29,199,765.98 | 2,571,265.37 | 1,344,047.26 | 1,090,328.46 | | 182,028,174.75 |
| Borrowings | 34,725,133.62 | 2,343,840.32 | 2,250,513.35 | 2,304,334.26 | 9,049,044.14 | 26,620,197.29 | 13,759,961.96 | | 91,053,024.93 |
| Other liabilities | 468,246.59 | 946,637.49 | 625,160.12 | 583,215.70 | 245,076.24 | 73,223.71 | | 10,116,282.81 | 13,057,842.65 |
| Total liabilities | 111,239,806.55 | 48,605,985.16 | 29,336,507.46 | 32,087,315.93 | 11,865,385.74 | 28,037,468.26 | 14,850,290.42 | 32,394,126.20 | 308,416,885.72 |
| Period Gap | 17,860,680.89 | (7,035,800.25) | (8,760,789.74) | (17,661,139.19) | 31,906,451.26 | (1,265,800.38) | 7,374,787.89 | (22,418,390.98) | |

Duration Analysis

The Bank monitors the duration of the fixed income portfolio to ensure that the maximum market potential could be gained and is managed within the internal prudential limits set for trading and AFS portfolios.

WEIGHTED DURATION OF DEBT SECURITIES PORTFOLIO

PVBP Analysis

The Bank assesses the impact due to a PV01 change in the yields for fixed income trading and AFS portfolios on a daily basis. This will convey the sensitivity of the portfolio due to interest rate movement in the market.

PV01 ON TRADING AND AFS PORTFOLIOS

Equity Risk

The equity price risk arises due to adverse movement in the value of the individual stock price or of the corresponding equity index. The Bank was insensitive to Equity Risk as the Bank did not hold an active Equity Trading portfolio during the year.

Commodity Risk

Commodity price risk arises due to volatilities in the commodity exposure of the Bank. The Bank’s exposure to the Gold Buffer Stock of the underlying product ‘Raththaran Ithurum’ is negligible when compared to the Bank’s Balance Sheet size. However, a mark to market calculation is being performed on a monthly basis to assess the impact on Income Statement with the price movement.

Liquidity Risk

Liquidity risk is the risk that the Bank is unable to meet its financial obligations in a timely manner without incurring unacceptable losses. Financial obligations include liabilities to depositors, payments due under derivative contracts, settlement of securities borrowings and repurchase transactions, lending and investment commitments.

Effective liquidity risk management is essential to maintain the confidence of depositors and counterparties as well as to ensure that the Bank’s core businesses continue to generate revenue, even under stressed conditions.

Objective of Liquidity Risk Management

The objective of our liquidity framework is to ensure that all anticipated funding commitments can be met when due and allow us to withstand liquidity stresses whilst maintaining our business profile. It is designed to be adaptable to changing business models, market and regulations.

The liquidity position of the Bank strengthened in 2015 with the inflow from customer deposits and funding from multinational funding agencies, which provide stable and long-term sources of funds. This resulted in an advance to core funding ratio of 106.3% as at 31 December 2015, reflecting a stable liquidity profile of the Balance Sheet. The Bank will continue to focus on liability generation through deposit mobilization, which will be a necessary precondition for significant asset growth.

Policy Framework for Liquidity Risk Management

The Bank maintains well-articulated liquidity risk management policies and procedures, which drive the level of liquidity risk exposures and determine the business size and maturities which ensure that it has at all times sufficient liquidity to meet its financial obligations at a fair market price.

The responsibility for the liquidity risk management of the Bank rests with the ALCO. Bank’s Treasury/ALM units are responsible for executing the day-to-day liquidity management of the Bank within the parameters set by ALCO.

The Bank also monitors key liquidity metrics on a regular basis, on both the local currency and foreign currency Balance Sheets, and prudential limits are set to better manage the liquidity profile of the Bank.

Process

Liquidity can be measured through the Stock approach or the Flow approach. Under the Stock approach, liquidity is measured in terms of key ratios which portray the liquidity stored in the Balance Sheet. In the Flow approach, a Statement of Maturities of Assets and Liabilities is prepared, placing all cash flows in time bands according to the residual time to maturity, with maturity profiles built into non-maturity assets and liabilities based on their behavioural patterns.

A satisfactory trade-off between liquidity and profitability is maintained by categorizing liquidity shortfalls in the Balance Sheet into suitable time buckets, placing exposure limits on each time bucket to monitor the liquidity mismatch gaps. These limits correspond to the liquidity available to NDB Bank through various fund providers, at an agreed level of confidence.

We have carefully assessed and revised our Balance Sheet maturity mismatch limits in order to optimize market opportunities which are being effectively managed by our Asset Liability Management Desk. Separate gap limits are set for the local currency and foreign currency Balance Sheets based on the size and the nature of the Bank’s Balance Sheet.

The Bank is equipped with a comprehensive Liquidity Contingency Funding Plan (LCFP) linked to the Business Continuity Plan, which is in line with the regulatory guidelines. The LCFP clearly defines the responsibilities of the Liquidity Management Team and ensures the business continuity through close monitoring of the Bank’s liquidity position against the predefined liquidity risk trigger points. Trigger points have been defined taking into consideration the Bank specific and systemic triggers which would cause a liquidity crisis. Action Plans are set out under each level of liquidity crisis (Mild, Moderate, Severe) with responsibilities assigned to a Liquidity Management Team nominated from all areas of business to ensure that all stakeholders of the Bank are safeguarded. We have also entered into reciprocal liquidity funding agreements with identified counterpart banks to ensure stability.

Liquidity Risk Analytics

Liquid Assets Ratio

Our principal mechanism for implementation of the liquidity policy is to maintain the Bank’s liquid assets to liabilities ratio above the regulatory defined ratio of 20%. The internally set prudential liquidity limits/ratios and stress results would give early warnings of tightening liquidity positions of the Bank. The Bank has maintained a healthy Liquid Assets Ratio throughout the year.

Statutory Liquid Assets Ratio (LAR)
As at 31 December | 2015 | 2014
Domestic Banking Unit | 22.24 | 23.85
Foreign Currency Banking Unit | 24.91 | 25.18

Advances to Deposits Ratio

This is defined as the ratio of total loans and advances to customers relative to deposits available which has been managed ensuring the liquidity requirements. The increasing trend in customer deposits in line with the advances has proven the positive trend in Balance Sheet growth.

ADVANCES TO DEPOSITS RATIO

Medium-Term Funding (MTF) Ratio

Healthy MTF ratio throughout the year represents the stable funds available for the Bank to fund the long-term assets of the Balance Sheet.

MEDIUM-TERM FUNDING RATIO

Net Loans to Total Assets Ratio

The consistency in the net loans to total assets ratio of the Bank reflects that the Bank has maintained the share of loans and advances in total asset base focusing mainly on loans and advances.

NET LOANS TO TOTAL ASSETS RATIO

Liquid Assets to Short-Term Liabilities

The statutory liquid assets ratio has been maintained above the regulatory requirement at all times. Hence the liquid assets to short-term liabilities (less than one year) ratio was also maintained at a prudent level whilst meeting the commitments on a daily basis.

LIQUID ASSETS TO SHORT-TERM LIABILITIES

Purchased Funds to Total Assets

The Bank has maintained the purchased funds to total assets ratio below 30% throughout the year. The ratio has increased in relation to the expansion of the asset base during the period.

PURCHASED FUNDS TO TOTAL ASSETS RATIO

Commitments to Total Loans

The Bank’s Balance Sheet expanded during the year with the growth of loan portfolio and the new facilities booked. As a result, the commitments to total loans ratio was also on an increasing trend which is being managed within accepted levels.

COMMITMENTS TO TOTAL LOANS RATIO

Key Risk Indicators

Selected KRIs are highlighted below which provide a view of the liquidity risk indicators where regulatory/internal limits are set and monitored on predefined intervals, which provides early warning signals on liquidity position of the Bank.

Liquidity Risk Indicator | Limit | Position as at 31 December 2015
Statutory Liquid Assets Ratio – DBU | 20 | 22.24
Statutory Liquid Assets Ratio – FCBU | 20 | 24.91
Advances to Deposit Ratio | 111 | 106.3
Medium-term Funding Ratio | 110 | 77.2
Commitment Limit – LKR billion | 118 | 110.65
Liquidity Coverage Ratio (LCR) – LKR Currency | 60 | 427.33
Liquidity Coverage Ratio (LCR) – All Currency | 60 | 212.15

Liquidity Gap Analysis of Foreign Currency Denominated Assets and Liabilities

The gap analysis of foreign currency denominated assets and liabilities provides the cash flow obligations which assist in managing the foreign exchange liquidity in a prudential manner.

Liquidity Gap Analysis for Foreign Currency Denominated Assets and Liabilities – as at 31 December 2015
USD ’000 | Up to 1 Month | 1 to 3 Months | 3 to 6 Months | 6 to 12 Months | 1 to 3 Years | 3 to 5 Years | Over 5 Years | Total
Total Assets | 158,138 | 169,683 | 35,761 | 4,098 | 122,019 | 47,357 | 62,378 | 599,434
Total Liabilities | 94,844 | 109,014 | 58,542 | 89,583 | 47,813 | 110,883 | 88,755 | 599,434
Net Liquidity Period Gap | 63,293 | 60,668 | (22,781) | (85,485) | 74,206 | (63,526) | (26,376) |

Segregation of Duties

Clear segregation of duties has been established between different business units ensuring prudent control and monitoring mechanisms. The Treasury Front Office reports to the CEO and the Treasury Back Office reports to Head of Operations. The Market Risk Management Unit reports directly to the CRO who is a member of BIRMC. All senior level staff attached to Market Risk, Treasury Front Office & Treasury Back Office have obtained the internationally recognized ACI qualification offered by the Financial Markets Association, as required by the CBSL directives and are competent in their job profile.

The Assets and Liabilities Committee (ALCO), comprising senior management staff from the Treasury, Risk Management, Finance and all business units of the Bank together with the Market Risk Management unit is responsible for the supervision and management of market and liquidity risks of the Bank.

The ALCO meets on a monthly basis and whenever circumstances demand.

ALCO is the governing body for market risk, liquidity risk and asset liability risk management. The implementation of the Bank’s risk management policies, procedures and systems is delegated to the Head of Market Risk Management who reports to the Chief Risk Officer. Market and liquidity risks are addressed at ALCO on a monthly basis and at the BIRMC level on a monthly/quarterly basis.

Market and Liquidity Risk Reporting

Risk reporting creates transparency on the risk profile and facilitates the understanding of the core market/liquidity risk drivers to all levels of the organization. The Board, Senior Management and Risk Management Committees receive regular reporting, as well as ad hoc reporting as required, on market risk, liquidity risk, regulatory capital and stress testing. Senior Risk Committees receive risk information at a number of frequencies, including weekly, monthly or quarterly.

Additionally, Market Risk Management produces daily and weekly market risk specific reports and daily limit excess reports for management review and action. Such reports include:

  • Daily market risk report on foreign exchange/ Debt Trading to Treasury, Finance, CEO and GRM
  • Daily limit exception report to Treasury, GRM and ALCO
  • Weekly/monthly liquidity risk report on internal/external liquidity trends/analysis to ALCO and IRMC
  • Monthly market risk reports on foreign exchange, liquidity, and deposit concentration
  • Monthly ALM reports to ALCO
  • Quarterly market, ALM and liquidity reports to CMRPC and IRMC
  • Quarterly risk assessment report to the Board

 

At NDB, managing operational risk is of vital importance to proactively mitigate risks in Bank operations.

Operational Risk

Banks are exposed to a changing environment marked by increasing regulatory requirements, growing consolidation, rising customer expectations, proliferating financial engineering, accelerating technological innovation and mounting competition. These external environmental changes expose banks to an increased probability of failure from the operations perspective. An increased focus on managing operational risks is therefore of vital importance, to proactively address issues through warning signals.

Operational risk refers to the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, which also includes legal risk.

At NDB, operational risk management is based on a consistent Group-wide framework that enables the Bank to determine its operational risk profile in comparison to the risk appetite and to systematically identify operational risk themes and concentrations in order to define risk mitigating measures and priorities.

Operational Risk Management Process

In order to cover the broad range of operational risks as outlined in the definition of operational risk, our framework applies a number of techniques. These aim to efficiently manage the operational risk in the business and are used to identify, assess and mitigate operational risk.

The Operational Risk Management Unit (ORMU) is notably responsible for:

  • Devising and implementing the Bank’s Operational Risk Policy in co-operation with the business units and support functions.
  • Promoting an operational risk culture throughout the Group.
  • Defining at Group level, methods for identifying, measuring, managing and monitoring operational risks, in co-operation with the Business units and Support functions.
  • Managing/maintaining the Bank’s Business Continuity Plan (BCP) and Crisis Management Policy and co-ordinating its implementation.

The Bank has been guided by the Basel II Regulations (Capital Requirements Directive and ‘Sound Practices Principles for the effective management and supervision of operational risk’) in the design and implementation of the broad framework to manage operational risks. This is a comprehensive end-to-end process encompassing risk identification, assessment, reporting, management and control.

Escalation of Operational Risks

While the ORMU functions as the command and control centre in managing operational risks, Operational Risk Managers (ORMs) have also been appointed in the Business and Supporting units under the authority of the Bank’s Head of Operational Risk to ensure accountability. The ORMs operate from the respective business units/support functions, collaborating closely with the Business/Support function Heads, and are responsible for implementing the Bank’s procedures and guidelines and for monitoring and managing operational risks, with the support of the staff.

Objectives of Operational Risk Management Unit

The Operational Risk Management Unit (ORMU) is established within Group Risk Management Department and works towards the following objectives:

  • Reduce losses from operational failures and in particular to avoid potentially large or catastrophic losses;
  • Ensure better control of operations: increased understanding of risk activities within the various business units, the Board and Senior Management will lead to improvements in the control of operations and the emergence of a more proactive operational risk management culture;
  • Provide early warning signals of deterioration in the Bank’s internal control system;
  • Raise awareness of operational risk in the Bank from top to bottom through the implementation of an enterprise-wide operational risk approach.

Improved performance measurement, by way of an improved understanding of the Bank’s operational risk profile, shall enable appropriate allocation of risk and capital to individual lines of business.

Operational Risk Governance

Staff at all levels are accountable for directing and controlling the operational risks in their areas of responsibility. The Board of Directors is responsible for the overall risk levels and for ensuring that risks are managed appropriately, and the management is vested with the required authority to implement the related control framework. The IRMC submits regular operational risk assessments to the Board, seeking its views, concurrence or specific directions.

The Operational Risk Policy Committee, headed by the CEO, has been set up at Bank level and comprises members of The Leadership Team (TLT). It provides a forum for the discussion and management of all aspects of operational risks/losses and control lapses, and monitors and ensures that appropriate Operational Risk Management Frameworks are in place, adhering to the policies of the Bank.

Operational Risk Policy Committee Functions

  • Assessing and approving the impact of changes to the Bank’s risk profile as a result of new products, outsourcing, strategic initiatives, acquisitions and divestments.
  • Once operational risks are identified, high risk items are singled out through a heat map for mitigation. ORPC members follow through on the mitigation activities for these high risk items and accept any residual risks.
  • KRIs are used to monitor the operational risk profile and alert the organization to impending problems in a timely fashion. The Committee will take appropriate measures to address the early warning signals identified by reviewing the results of the KRI programme.
  • In our bottom-up approach in identifying the risks through Risk Control and Self-Assessment (‘RCSA’) process, areas with high risk potential are highlighted. The risk mitigating measures identified by the lines are reviewed by the Committee.

Business Operational Risk Sounding Board

Business Operational Risk Sounding Boards (BORSB) have been set up at key Business functions and Support function levels to discuss operational risk matters encompassing responsibilities such as:

  • Provide a forum for the identification, assessment, mitigation and subsequent monitoring of business level operational risk trends and issues.
  • Ensure that there is full compliance with internal policies and relevant regulations, as well as the Bank’s Operational Risk Management Framework.
  • Promote and sustain a high level of operational risk management discipline culture within the Business or Support function.
  • Review the Business or Support functions operational risks and ensure appropriate ownership, actions for closure within the agreed target date and progress for all risks.
  • Review outstanding/overdue audit findings.

Basis of Managing Operational Risk

The following criteria are used to rate risks and losses that are being reported through the operational risk management process based on the likelihood and impact:

The Risk Matrix
Likelihood Dimensions

The likelihood is the chance or the frequency that the potential operational risk event will materialize. The proxy used for likelihood is exactly the frequency of occurrence of a risk event. The recommended criteria for likelihood are:

Likelihood Rating

  • Very Low or Rare
  • Low or Unlikely
  • Medium or Possible
  • High or Likely
  • Very High or Almost Certain

Impact Dimensions

The impact of operational risks/events is measured across five dimensions covering the varied areas of impact the Bank is exposed to, ranging from the human aspect to financials:

  • Financial Impact (Expressed in Monetary Figures)
  • Reputational Impact (Measured in Media Coverage – Bad Press)
  • Regulatory Impact (Penalty Level or Breach of Guidance)
  • Human Resources (Staff Level Impacting Service Delivery)
  • Business Disruption (Measured in Time Out-of-Business)

Operational Risk Tools

The Bank presently implements the following frameworks to assist in the management of operational risk:

  • Key Risk Indicators (KRI)
  • Risk and Control Self-Assessment (RCSA)
  • Gathering of Internal Data on Operational Risk Events and losses
  • Internal Controls
  • Scenario Analysis and Stress Testing
  • Business Continuity Planning and Crisis Management

Risk and Control Self-Assessment (RCSA)

The RCSA is used for performing operational risk assessments as required by Basel II guidelines. At NDB, the annual RCSA exercise is typically undertaken to comply with regulatory requirements which require a firm-wide self-analysis of operational risks. RCSA requires the documentation of risks, identifying the levels of risk (derived from an estimate of frequency and impact) and the controls associated with each process conducted by the organization. Controls and mitigants that adequately counteract the risks are introduced, thereby minimizing the impact and incidence of losses.

At NDB, to simplify the output and better organize the assessment approach, the exercise is generally conducted at the business-unit level. Each business unit assessment is typically collected and presented as a comprehensive repository of assessed operational risks. The activities are as follows:

  • Identifying and assessing the major operational risks to which each business unit or support function is inherently exposed (the ‘intrinsic’ risks), while disregarding prevention and control systems.
  • Assessing the quality of major risk prevention and mitigation measures, including their effectiveness in detecting and preventing major risks and/or their capacity to reduce their impact.
  • Assessing the major risk exposure of each business unit or support function that remains once the risk prevention and mitigation measures are taken into account (the ‘residual’ risk), while disregarding insurance coverage.
  • Correcting any deficiencies in risk prevention and mitigation measures and implementing corrective action plans.

Application of the Risk Matrix

As part of this exercise, major risks of a given scope are described using a double scale of impact and probability. The Bank identifies the top risks and plots them against the following matrix in order to ascertain the residual risks.

Inherent Risk

 

Residual Risk

* The values inside the heat map indicate the number of risks.

Key Risk Indicators (KRI)

KRIs supplement the overall operational risk management system, by providing a dynamic view of changes in business line risk profiles as well as an early warning system to identify potential events that affect the day-to-day business activities and consequently have an impact on the entire Bank.

The KRIs stated below, which may have a significant impact on the entire Bank, are monitored. These are reported to the Operational Risk Policy Committee once in two months and to the Board Integrated Risk Management Committee on a quarterly basis:

  • System
    • Core Banking System Downtime
    • ATM Downtime
    • Number of cyber attacks
  • HR
    • Staff turnover
    • Number of disciplinary actions
  • Finance
    • Reconciliations not submitted
  • Compliance
    • Issues raised by external professional bodies
    • Policies and procedures – Number not reviewed/renewed
    • Number of regulatory changes which were not implemented
  • Operational Losses
    • Severity of losses
    • Loss Frequency over one month
    • Number of fraud incidents – Internal/External
  • BCP
    • Number of BCP tests that are past due

Internal Risk Events and Loss Data Collection

The Bank has been compiling a database of risk events and loss data reported since 2010 and maintained centrally to supplement the effectiveness of the operational risk management function. It has served to:

  • Facilitate meeting capital adequacy requirements for operational losses set by the regulator.
  • Identify trends in loss events and achieve a deeper understanding of risk areas.
  • Enable operational staff to define and implement appropriate corrective actions.
  • Sharpen the existing operational risk management concepts and tools.

Risk event reporting by the Business units and Support functions indicates the inculcating of a strong operational risk culture through the line ORMs well-supported by the respective heads of units.

RISK EVENTS REPORTED

  • The continuous collection of operational loss events is a prerequisite for operational risk management including detailed analysis, definition of mitigating actions and timely information to senior management. All losses are collected via incidents reported on a monthly basis.
  • Our Lessons Learned process is required for risk events, including near misses. This process includes but is not limited to:
    • Systematic risk analysis including a description of the business environment in which the loss occurred, including previous events, near misses and event-specific Key Risk Indicators (‘KRI’),
    • Consideration of any risk management decisions in respect of the specific risk taken,
    • Root cause analysis,
    • Identification of control improvements and other actions to prevent and/or mitigate recurrence, and
    • Assessment of the residual operational risk exposure.
  • The Lessons Learned process serves as an important means to identify the inherent risk and to define appropriate risk mitigating actions. All corrective actions are captured and monitored for resolution via action taken which could either be project driven, amendment to process or assigning additional resources.

The operational loss recognition follows a formal approval process defined in the Operational Risk Policy where both Gross and Net losses are recorded in the General Ledger and such losses above the value of LKR 100,000/- are reported to the Board Integrated Risk Management Committee on a monthly basis and losses over LKR 500,000/- are reported to the regulator on a quarterly basis.

The Bank’s classification of operational losses is based on the Basel guidelines of classifying categories thereby ensuring consistency throughout the system and enabling analysis across the Bank.

OPERATIONAL LOSSES 2015

OTHER LOSSES

OPERATIONAL LOSSES 2014

The Bank’s risk tolerance on operational risk losses is 1% of total operating profits after provisions for the FY 2015. The risk tolerance is applied to three categories:

  • Total operational risk losses
  • Losses due to external factors
  • Internal frauds

Key Operational Risk Controls (KORC)

KORCs provide a snapshot of the processes with a focus on the key operational risks and related controls. The risks are based upon the standard Risk Framework for Operational Risk as approved by the Operational Risk Policy Committee and the Integrated Risk Management Committee (IRMC).

Some of the following elements are highlighted in a KORC:

  • Key controls are checked based on a written procedure of a specific process with the description of the control procedure;
  • Documentation is the evidence of the control;
  • Efficiency of the controls is evaluated.

KORC visits are currently done at branch level based on predefined selection criteria by Operational Risk Co-ordinators. In 2016, this framework will be implemented Bank wide.

Operational Risk Capital Measurement

Current Practice

Since 2009, the Bank has used the Basic Indicator Approach (BIA) as proposed by the Capital Requirements Directive, to measure operational risk.

The Bank holds capital for operational risk equal to the average over the previous three years of fifteen per cent of positive annual gross income.

The Bank’s regulatory capital requirements for operational risks within the scope of BIA (Basic Indicator Approach) requirements are calculated using the above stated formula. The Bank’s capital requirement for operational risks was LKR 17.49 billion at the end of 2015.

Moving Towards Advanced Approaches

The Bank has analyzed both The Standardized Approach (TSA) and the Alternate Standardized Approach (ASA) since December 2011, compared them with the currently used Basic Indicator Approach (BIA), and found that the two advanced approaches result in savings on capital charge for operational risk over and above the BIA approach.

The Operational Risk Management Unit (ORMU) has thus decided to propose a move towards advanced approaches by 2016 with the capital savings in mind.

CAPITAL CHARGE COMPARISON

Under ASA, the operational risk capital requirement/methodology is the same as under TSA, except for the two business lines Retail Banking and Commercial Banking. For these business lines, outstanding amount of loans and advances are multiplied by a fixed factor ‘m’ (0.035) as the exposure indicator which replaces gross income of the two business lines. The capital savings under ASA over TSA depends on the portfolio values of the Bank.

This approach notably makes it possible to:

  • Meet unforeseen risk events
  • Identify the impact on the Bank’s risk profile and determine the overall capital requirements
  • Enhance the Bank’s operational risk culture and overall management, by introducing a virtuous cycle of risk identification, management and mitigation.

Future Outlook

At NDB we are in the process of evaluating vendor proposals for a comprehensive operational risk management solution for automating the operational risk management framework.

Internal Control

Internal control certification is broadly defined as a process, carried out by the management and other personnel, designed to provide reasonable assurance to the Board regarding the achievement of objectives in the following categories:

  1. Effectiveness and efficiency of operations by:
    • Minimizing the operating risk of loss from irregularities, fraud and errors;
    • Safeguarding assets;
    • Ensuring an effective risk management system;
  2. Reliability of financial reporting;
  3. Compliance with relevant laws, regulations and internal policies.

Internal control certification exercise is carried out at NDB covering all departments annually to ensure the controls are intact with segregation of duties, clear management reporting lines and adequate operating procedures in order to mitigate operational risks.

The internal control mechanism assists in identifying the risks while ensuring the controls are in place to mitigate the risks encountered by the Bank.

A similar exercise is also carried out for new products and procedures to have a broader understanding of the risks the Bank is exposed to due to external factors and ensuring internal controls are in place to mitigate the risks.

Business Continuity Management

In order to cover the risks arising out of crisis and disasters which could threaten the safety of staff, customers, service providers, the security of assets, the continuity of operations and confidence in the Bank’s reputation, the Bank’s Business Continuity Management Policy requires that a full set of up to date and exercised plans be in place encompassing a minimum of: Crisis Management Plan (CMP), Business Continuity Plan (BCP) and IT Disaster Recovery Plan (IT DRP) amongst other relevant plans including a Pandemic Plan. This Framework is designed to comply with the requirements of the Central Bank of Sri Lanka and is approved by the Board of Directors.

These plans are drawn upon integrating Enterprise Risk Management (ERM) Framework with effective Business Impact Analysis (BIA) processes and methodologies which anticipate all forms of threats, crisis and disasters that are inherent in the Business Environment.

The plans of the Communications, Security and Safety, Emergency Response and Recovery Teams are periodically reviewed and biannual drills are conducted, all as part of the Bank’s commitment showcased within this Business Continuity Management Framework. For the first time, a virtual disaster scenario was simulated with all required teams in one location.

The Bank now enjoys an increased recovery capacity at its Disaster Recovery Site, backed by infrastructure to support key services, core systems and critical business processes. The Bank has also started discussions on maintaining split operations to enhance its disaster recovery capabilities.

The Governance of Business Continuity Management is steered through the Crisis Management Team comprising senior management and co-ordinated by the Bank’s Business Continuity Manager.

Insurance Cover in Operational Risk Management

The Bank has a comprehensive insurance policy as a key measure to mitigate operational risks. This falls within the framework of risk mitigation and control which in turn is an integral component of the risk management framework of the Bank. This Policy will be reviewed and further enhanced on an ongoing basis. The Bank has engaged an insurance broker to provide expertise in evaluating the policies at the time of renewal for 2016.

Description of coverage
General Risks

Buildings and their contents, including IT equipment, are insured at their replacement value. Liability other than professional liability (i.e. relating to operations, Directors’ vehicles, etc.) is covered by insurance policies.

Theft/Fraud

These risks are included in the “Bankers’ Indemnity Cover” policy that insures all the Bank’s financial activities around the country. Fraudulent actions by an employee or by a third party acting on its own or with the aid of an employee with the intent to obtain illicit personal gain or through malice are covered. The claim on the internal fraud during 2015 was fully-paid by the insurer thereby reducing the loss.

Professional Liability

The consequences of any legal action against staff or managers as a result of their professional activity are insured under the Bank’s Bankers Indemnity Policy (BID).

Computer Crime

The adverse consequences arising from the use of computer systems and software are covered by the Bank’s BID policy. The policy covers fraudulent input and modification via computer systems, electronic computer programmes, electronic data and media, computer viruses, electronic and telefacsimile communications, electronic transmissions, electronic securities and voice initiated transfers.

Operating Losses

The consequences of any accidental interruptions to activity are insured under a Bank wide policy. This policy supplements the business continuity plans. The amounts insured are designed to cover losses incurred between the time of the event and the implementation of an emergency solution.

Risks Arising from Operations

Insurance is only one of the measures to offset the consequences of the risks inherent in the Bank’s activity. It complements the risk monitoring policy led by the Bank and also by its internal controls.

Outsourcing

The Bank is committed to ensuring that the outsourced parties continue to uphold and extend the high standard of customer care and service excellence that has become synonymous with NDB. Hence due diligence tests are routinely carried out to assess the performance of these outsourced parties through a sub-committee established to monitor outsourced activities for the Bank. The outsourcing policy was revised to include more standardized forms/questionnaires, enhancing the due diligence over service providers.

Managing Cyber Risk

Having understood the importance of managing cyber risk, the Bank has deployed the following technical controls to mitigate the risks:

  • Multi-layer firewalls
  • Network separation
  • Intrusion prevention systems
  • Gateway level content filtering
  • Anti-malware solutions
  • Updates to operating systems
  • Vulnerability remediation
  • Control of privileged accounts

The exposures created due to cyber risks are of many types including but not limited to the following:

  • Data Leakage/Breach
  • Business Disruption/Denial of Service
  • Loss/Corruption of Data
  • Transmission of Viruses/Malicious Codes
  • Cyber Extortion
  • Misuse of Facilities to Commit Cyber Crime
  • Phishing Attacks/Identity Theft

The Bank has been exposed to cyber risk with only 02 minor incidents of Denial of Service on the corporate website and receipt of a malware email in the past 3-year period. However, these did not lead to any financial losses.

In addition to the above, the Bank has subscribed to the services provided by Bank CSIRT, through which the latest threat intelligence for the banking industry is provided to the Bank’s IT security team so that it can take proactive steps to address potential exposures. The Bank has prepared its IT policies and procedures in compliance with the Baseline Security Standards Guidelines issued by the Central Bank of Sri Lanka. The Bank also conducts both internal and external penetration tests, employing external service providers from time to time, to ensure the systems are resilient to such attacks. Thus far, the tests carried out have not highlighted any serious security concerns.

Hence we do not foresee a need to allocate separate capital for Cyber risks.

Other Risks

Strategic Risk

Strategic risk is the most fundamental of business risks and, at its most basic, can be defined as the current and prospective risk to earnings and viability arising from:

  • Adverse changes in business environment with respect to the economy, political landscape, regulations, technology, actions of competitors.
  • Adverse business decisions.
  • Improper implementation of decisions.
  • Lack of responsiveness to changes in the business environment.

Strategic risk for a bank such as NDB can manifest itself through the lack of a well-defined long-term strategy but, more importantly, through failure to appropriately communicate and implement the strategy or through unforeseen changes in the socio-political, economic or business environment. Drawing up appropriate response plans to tweak the strategy to suit changes in the business environment is essential to the management of strategic risk.

The Bank has a well-formulated strategic plan, which is articulated by the Board and the corporate management. The strategic plans are drawn at various levels of granularity, e.g. a branch level strategy will detail the growth targets at branch level whereas a department level strategy will feature the achievement metrics at that level. The implementation of strategy is checked through monthly meetings where variances from the growth targets are analyzed and corrective actions recommended.

The strategic plan is also linked to individual employee performance through a goal setting process and periodic performance reviews are carried out to motivate employees and create a performance culture to ensure that business goals and objectives are achieved, thus mitigating strategic risk.

Legal Risk

Legal risk is understood more from its consequences, which are the incurrence of penalties, fines and sometimes loss of reputation due to the institution being in non-compliance with regulations. Legal risk may vary from institution to institution depending on the manner in which it conducts its business and the documentation it follows, and is closely related to compliance and regulatory risk.

Legal risk in the Bank can manifest itself through:

  • Business not being conducted in accordance with applicable laws
  • Inadequate legal documentation of securities and collateral accepted for credit risk mitigation
  • Legal repercussions of lacunae in documents, forms and advertisements
  • Other modes of conduct and communication adopted by the Bank
  • Intellectual property not being adequately protected

Legal risk is owned and managed by the Legal Department, which is assisted by third party lawyers as and when necessary to obtain an independent opinion. Specific risks relating to legal risk are reported on a monthly basis to the Board.

Compliance Risk

Compliance risk is defined as the risk of legal or regulatory sanctions, material financial loss, or loss to reputation and integrity an institution may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organizational standards, and codes of conduct applicable to its business activities.

The Bank has a well-laid out Board approved Compliance Charter, which defines the fundamental principles, roles and responsibilities of the compliance function within the organization as well as its relationship with senior management, the Board of Directors and the business and operational functions.

Model Risk

The Bank has a Board approved Risk Model Validation Policy. This sets out the process for periodic validation of Risk Models in order to ensure that Model Risk is mitigated.

Settlement Risk

Settlement risk refers to the risk arising on account of failed trades with counterparty banks in foreign currency transactions. Settlement risk arises from possible losses when the Bank, in a foreign exchange transaction, pays the currency it sold but does not receive the currency it bought. Forward contract settlement failures can arise from counterparty default, operational problems, and other factors. Settlement risk exists for any traded product. Currently, the Bank has a procedure for regular monitoring of limit utilization, failed trades and excess monitoring. Settlement risk is currently controlled by way of prudent allocation and monitoring of counterparty limits including Maximum Daily Delivery Risks (MDDR) limits for counterparts.

Cross Border Risk

Cross border risk is the risk that the Bank will be unable to obtain payment from our customers or third parties on their contractual obligations as a result of certain actions taken by foreign governments, mainly relating to convertibility and transferability of foreign currency.

Cross border assets comprise loans and advances, interest-bearing deposits with other banks, trade and other bills, acceptance, amounts receivable under finance leases, Foreign Exchange contracts, certificates of deposits and other negotiable paper, investment securities and formal commitments where the counterparty is resident in a country other than where the assets are recorded. Cross border exposure also includes the assets owned by the Bank/Group that are held in a given country.

The Bank has a Board approved policy/limits based on country ratings, economic indicators/outlook, political risk and exchange rate risk. Cross border exposure limits are allocated to countries for which NDB has an acceptable risk appetite, and one-off limits may be allocated based on business needs, with ultimate recourse to the borrower.

Reputational Risk

Reputation risk is the risk of indirect loss (current or prospective) arising from one or multiple stakeholders’ adverse experience while dealing with the institution or which resulted in an adverse perception of the institution. It can also be understood as the potential that negative publicity regarding the Bank’s business practices, whether true or not, will cause a decline in customer base, costly litigation or revenue reduction. The Bank is of the view that reputational risk can be triggered by a risk event in any or all of the risk categories described above.

Reputation risk management and mitigation aspects are embedded in the Bank’s policies and procedures, training programmes, the Business Continuity Plan and through the Audit and Board Risk Management Committees.

The Bank monitors its reputation risk profile through a set of early warning indicators based on the reputation risk drivers and the factors within the reputation risk scorecard to ensure that the overall reputation risk profile remains low. The risk mitigation and control processes for reputation risk at NDB are designed to consider appropriate response actions to address the risks identified. A Customer Complaint Handling Process has been established under which the customers have a range of options through which they can forward their grievances to the Bank.