Risk Governance and Management

The year 2022 marked a period of unprecedented challenges in the Bank’s risk management landscape as the operating environment turned out to be volatile, uncertain, complex, and ambiguous. In the aftermath of the global COVID-19 pandemic, the interconnected and intricate external global environment developed a fragile geo-political backdrop, exacerbated by the invasion of Ukraine by Russia, rising global inflation, catastrophes induced by climate change, disruptions to food, energy and supply chains, cyber insecurity, and waning dominance of the US Dollar that made the external environment volatile. On the domestic front, the local economy, which was slowly recovering from the lingering effects of the Easter Sunday debacle of 2019 and COVID-19 pandemic was disrupted by the social unrest over the political landscape enflaming public sentiment that sparked a wave of fiery protests and a change of government, as the economy of Sri Lanka stood battered by domestic turbulence on top of the global tensions. Arbitrary changes made on agricultural policy frameworks, drop in worker remittances, acute Foreign Currency Shortage developed as a result of dwindling external reserves, sovereign debt downgrade, unsustainable levels of public debt, shortages in liquidity, sharp depreciation of the Rupee, import restrictions, severe shortage of petroleum products and an unprecedented rise in inflation that required policy action by way of an increase in interest rates worsened the turbulence in the local economy. These developments collectively caused a severe contraction in economic activities and defined the Sri Lankan operating environment in 2022.

Bangladesh, which was riding on a wave of growth in the decade from 2009-2019 reversed the trend in 2020. However, a broad-based recovery of Bangladesh economy appeared to have continued in fiscal year 2022 and the Bangladesh Bureau of Statistics has estimated 7.25% real GDP growth for the fiscal year 2022.

A detailed analysis of the global and local operating environment that provided context to the Bank’s performance in 2022 and efforts in the sphere of risk governance and management is given under 46.

In such an environment of rapid change and uncertainty, the resilience of the Bank was under pressure. The Intergraded Risk Management Department (IRMD) took on the challenge of balancing the risk levels faced by the Bank within the risk appetite parameters of the Bank while at the same time supporting innovation and growth and delivering the desired results for stakeholders.

Elevated risk landscape

Due to the factors enumerated above, the inherent risk levels across all categories of risk reached a new high in the period under review. With close monitoring and assessment, the IRMD made every effort to optimally balance the need to mitigate or eliminate the risks with the level of risk that the Bank is willing to accept in achieving its organisational goals. To this end, the IRMD monitored, assessed and managed the risk levels within the acceptable risk levels. The lending portfolio of the Bank was exposed to an elevated credit risk environment leading to rising defaults and hence, a gradual deterioration of the asset quality. The Bank has substantial investments on government securities that were positioned as relatively bleak in their outlook during the year due to the default in debt repayments increased interest rates. Market risks were aggravated by the sharp rise in interest rates and lack of foreign currency liquidity. Operational risks were brought to the surface by suspect practices such as terrorist financing, money laundering, and other contentious behaviours. With remote working enabled during most part of the year due to the situation that prevailed in the economy, cyber risks were elevated with increasing frequency and magnitude of cybercrimes and system interruptions/failures etc. The subdued earnings that were a result of the stressed economic conditions gave rise to strategic risks with the declining capital adequacy, credit rating downgrades, and consequent impact on dealings with international counterparties, and growing urgency to pivot the conventional business model. A host of emerging risks too brought forth ramifications, which are discussed later in this report.

Despite the risk landscape undergoing rapid changes and the resultant significant stresses, the Bank operated with utmost vigilance and maintained operational resilience during the year by being incisive, adaptable, and innovative in managing the many risks associated with the business model. Introduction of the Sustainability Framework helped the Bank to identify and account for new risks in areas such as diversity, equity, and climate change as environment, sustainability, and governance (ESG) issues are brought to the heart of the corporate landscape. The Bank’s fundamental guiding imperative of prudent growth has allowed it to remain a stable and responsible value creator throughout, empowering its stakeholders to meet their financial ambitions. Pragmatic exercises of conducting risk-control self-assessments, regular evaluations of risk management processes and tools, probing the Key Risk Indicators (KRIs) in relation to the traffic of risks, testing business continuity and disaster recovery plans, and the strict compliance to laws, regulatory guidelines, and internal controls in all areas of the business operations helped the Bank manage risks commendably.

In relative terms, the success of these efforts is evident from the moderate risk profile the Bank has maintained in line with its risk parameters (Refer Table 50) and the results of operations and the financial position as given in the financial statements published in this Annual Report.

Business model and risk

Being a commercial bank, the Bank’s business model is tap-rooted in the two primary activities of financial intermediation and maturity transformation (Refer Business Model for Sustainable Value Creation). This has enabled the Bank to gear its capital of Rs. 203.699 Bn. 11 times to operate with an on-balance sheet asset base of Rs. 2,425.798 Bn. as of December 31, 2022. Based on the amount of capital allocated as per the Basel capital adequacy requirements, the higher level of gearing exposes the Bank to a multitude of risks, which conventionally include credit risk, operational risk, and market risk. Furthermore, due to various emerging developments, a host of ancillary risks have arisen which are threatening to disrupt the business model of the Bank (Refer for a list of such emerging developments). These risks together with the developments referred to in the paragraphs above materially impacted almost all the main risk categories of the Bank. Nevertheless, the robust risk governance framework and the rigorous risk management function helped the Bank; manage the associated risks, optimise the trade-off between risk and return, and continue sustainable value creation.

The credit rating, business franchise and steady financial performance helped the Bank to maintain stability and retain confidence of the stakeholders, depositors in particular and ensure that there was no unwanted stress on liquidity despite the liquidity crunch encountered in the market at specific times.

Objectives

The primary objectives of the Bank’s risk governance framework and risk management function are:

• to establish the necessary organisational structure for the management and oversight of risk;
• to define the desired risk profile in terms of risk appetite and risk tolerance levels;
• to institutionalise a positive risk culture within the Bank embodying values, beliefs, attitudes, and practices that drive highly effective risk decisions;
• to establish functional responsibility for decisions relating to accepting, transferring, mitigating, and minimising risks and recommending the best ways of doing so;
• to evaluate the risk profile against the approved risk appetite on an ongoing basis;
• to estimate potential losses that could arise from plausible risk exposures;
• to periodically conduct stress testing to ensure that the Bank holds sufficient buffers of liquidity and capital to honour contractual obligations and meet unexpected losses;
• to integrate risk management with strategy formulation and execution;
• to ensure efficient allocation of available capital to generate optimum risk-return trade-off and
• to promote better communication of risk across all levels of the Bank.

Key challenges to risk management in 2022

The key challenges in relation to risk management in 2022 are detailed below:

• Fall in demand for Credit – the overall demand for private sector credit saw a substantial drop in the year under review due to the dampened economic conditions and high rates of interest that prevailed for most of the year. This led to a contraction in credit growth and a decline in the overall credit portfolio.
• Heightened Credit Risk – the high interest rates and the stressed economic conditions including the elevated inflation rates adversely affected the borrowers’ repayment capacity, increasing the level of credit risk.
• Provisioning for Government Securities – the default by Sri Lanka’s Government on its foreign currency debt resulted in the downgrading of the sovereign credit rating. The sizeable exposure of the Bank to Sri Lanka Development Bonds and Sri Lanka Sovereign Bonds that are denominated in foreign currency exposed the Bank to new risks as the debt holders had to brace for possible implications of non-payment of debt. This resulted in the need for impairment provisions for possible losses as a matter of prudence. Thus, gilt-edged securities lost their ‘risk-free’ characteristic and as a prudent measure, the Bank made an impairment provision of Rs. 47.134 Bn. on foreign currency denominated Government securities during the year.
• “Masked” credit risk – this is the risk the Bank is exposed to when financial risk assessment in which portions of an individual credit risk profile are hidden or obscured when determining a borrower's overall creditworthiness. The Bank had been compelled to help protect borrowers' privacy and reduce prejudice or discrimination when making lending decisions. The implications of masked credit risk are far-reaching as it can lead to a false sense of security at the Bank and hence, a lack of transparency in financial reporting. The Bank is therefore exposed to misallocation of capital, losses due to unexpected defaults, and even fraud, thus a high reputational risk as well.
• Re-classifying the Government Securities portfolio – a change of the existing business model of the Bank amidst the rapid changes taken place in the external environment necessitated a reclassification of the Government Securities portfolio. Accordingly, the Bank reclassified the portfolio to Amortised Cost from Fair Value through Other Comprehensive Income (FVOIC) in line with guidelines issued by the Institute of Chartered Accountants of Sri Lanka.
• Steep rise in interest rates – the CBSL increased its policy rates by 700 basis points in April 2022, in response to the rising inflationary pressures – the highest single rate increase ever reported. This was an unprecedented shock not only to the Bank but to the entire banking industry as the highest stress level hitherto considered for stress testing was around 300-400 basis points. This hike resulted in an upward movement of market interest rates, spiralling the interest rate risk for the Bank. The deposit base started growing faster, but the loan book was contracting, resulting in the Bank having to invest excess liquidity in Government Securities.
• Managing the exchange risk – The unprecedented exchange rate risk environment that emerged due to the sharp depreciation of the Sri Lankan Rupee from Rs. 200 to Rs. 367 against the US Dollar in 2022, as a result of the Government’s external debt default announcement and the negative market liquidity that ensued after the discontinuation of the controlled currency peg, has been strategically utilised by the Bank as a key contributor to its bottom line by carrying appropriately positive open positions, in addition to the foreign currency (FCY) denominated retained profits of the offshore banking unit. However, the FCY depreciation referred to above has negatively contributed to an increase in the provision charge of the Bank’s FCY-denominated bonds, which accounted for approximately 50% of the FCY assets.
• Risk in Foreign Currency Liquidity – given the dwindling foreign currency reserves and a fall in expatriate earnings and remittances, the foreign currency liquidity in the economy recorded low levels. The Bank was able to overcome this challenge to a great extent as a substantial share of the country’s exports and inward FCY remittances are routed through the Bank. With this positioning, the Bank was able to help the importers that banked with us as well as the government and state-owned enterprises in funding their essential imports.
• Increase in cost of funds – in the backdrop of the rising LKR rates, including Treasury Bill rates, the Bank was compelled to increase the rate on its Rupee deposits. This paused challenges and exerted pressure on interest margins.
• Challenges in balance sheet management – with the turbulent economic environment, managing the balance sheet was a tremendous challenge. This task was undertaken through extensive discussions at Board and Management level committees including ALCO, Management Committee, and Board Investment Committee and Board level. These deliberations came up with strategies for the management of liquidity risk, interest rate risk and foreign exchange management risk as well as investment risk, all of which culminated in the management of balance sheet. Special attention had to be paid to re-investment risk in government securities.
• Increased cyber security risk – limited mobility that had to be endured by the general public due to the effects of the pandemic as well as limited availability of fuel propelled our customers to rely more on digital banking solutions. Furthermore, our staff too were compelled to work remotely for most of the year. This increased the threat of cyber security attacks. Therefore, the Bank prioritised and strengthened its cyber security measures and prevent associated remedial costs and reputational damage.
• Challenges to business continuity – numerous external factors impacted the operational resilience and business continuity of the Bank daily. The effects of the pandemic, social unrest, staff commuting issues, fuel shortages, power outages, political uncertainty, disruptions to supply chains, and providing systems access to staff working from remote locations among others challenged the Bank in providing uninterrupted services to its customers.
• Increased compliance risk – in the wake of the socio-political climate that prevailed and the resultant economic turmoil, maintaining regulatory compliance became increasingly challenging. Compliance teams continued to engage with the risk management team to ensure compliance with regulatory requirements to prevent any financial impact and regulatory sanctions due to non-compliance and avoid reputational risk.

Key risk management initiatives adopted in 2022

In the wake of the above challenges, some of the major initiatives implemented to manage risks during 2022 include:

• Identification of Risk Elevated Industries (REIs) – In the milieu of contracting credit portfolios and deteriorating credit quality due to the unprecedented operating context that prevailed during the year 2022, some sectors were identified as “Risk Elevated Industries (REIs).” This was done through analysis to identify those facing heightened stress as a result of the challenges – based on patterns of the availing of moratoria by borrowers in the Bank’s loan book and those who have been affected by economic stress and policy changes. The REI identification process was introduced in Bangladesh operations as well.
• Continuous monitoring of the Capital Adequacy Ratio (CAR) through the Internal Capital Adequacy Assessment Process (ICAAP) – the high levels of credit, market, and operational risk had an adverse impact on the Bank’s earnings with a resultant impact on the CAR. The Bank used different stress levels to monitor the CAR through the ICAAP and maintained the CAR at healthy levels.
• Preparation of a Recovery Plan –a Recovery Plan was developed to map the recovery process, as required by the CBSL. This was a risk-based assessment of the Bank’s ability to recover from a specified stressed situation. The recovery roadmap included the methodology of identifying risks, and the responsibility for each action item to recover from the risk, thereby assuring the Bank’s capacity to overcome risks.
• Risk management as an enabler in business innovation – the IRMD acted as not just a preventer of risk but also played the role of a business enabler in identifying impacted business sectors through the REI. This enabled the Bank to assist borrowers in high-risk sectors to manage their business activities. In addition, credit risk rating mechanisms in financial subsidiaries/ associate companies were reviewed by the IRMD for improvements.
• Implementing the Early Warning Signals (EWS) mechanism – the EWS framework has greatly assisted the Bank to make early detection of credit risk by anticipating the incipient stress in borrowers that are likely to default through advanced analytical tools with predictive capabilities. This has enabled the Bank to take early action to prevent credit losses. The mechanism also monitors the correlation between the risk assessment-based grading assigned at the time of credit evaluation and the subsequent classification of such facilities under Non-Performing Credit Facilities (NPCF), and strengthened the underwriting standards for high-risk proposals. An EWS Health Council was set up to strengthen this process.
• Continued efforts on capital optimisation – the Basel Committee of the Bank continued its efforts to optimise capital through asset portfolio planning to assess losses under different scenarios and propose effective risk mitigation initiatives. This facilitated to plan the growth of the loan book based on capital adequacy requirements and address challenges in restructuring the Bank’s balance sheet and managing the key components of CAR such as the Risk Weighted Assets and managing interest rate risk.
• Providing independent advisory – the IRMD played a pivotal role as an independent advisor in evaluating the upgrading of credit facilities in the credit evaluation process (upgrading from Stage 3 to Stage 2 or from Stage 2 to Stage 1).
• Formulating and reviewing policies and procedures – the IRMD reviewed the Bank’s policies and procedures that were subject to annual review, and developed two new policies namely the Conduct Risk Management Policy Framework and the Policy on upgrading of Credit Facilities (upgrading credit facilities from Stage 3 to Stage 2 or from Stage 2 or Stage 1) in consultation with the stakeholder divisions. Approval for the new policies was obtained from the Board Integrated Risk Management Committee (BIRMC) and the Board.
• Credit score reports issued by the CRIB were incorporated into the internal rating module to evaluate and approve retail credit proposals to enhance credit quality.
• The operational incidents reporting process of the Bank was streamlined and all the insurance policies of the Bank were reviewed as well.
• The effectiveness of Management level committees was reviewed during the year and recommendations were made to effect the necessary improvements.
• Capital augmentation plan – a capital augmentation plan was developed by the Finance Department and the IRMD together with Treasury, Planning and Investment Banking departments provided the necessary assistance. This was consequent to the draw down of the Capital Conservation Buffer (CCB) as of March 31, 2022, as permitted by the CBSL. The capital augmentation plan was submitted to the CBSL with the approval of the Board.
• Improving alignment with Social and Environmental Management System (SEMS) – enhanced the alignment with social and environmental dimensions by incorporating climate aspects into the Bank’s SEMS risk assessment introduced in 2010. The streamlining of the voucher posting, scanning, and validation process enhanced operational efficiency and contributed towards environmental and social management goals.
• Improving credit underwriting and assessments – the IRMD embarked on a project to analyse and comprehend the features of loans and advances transferred to NPCF within 12 months from granting. The learnings were used to improve the credit underwriting standards and credit assessments of the Bank.
• Streamlining customer complaint handling – customer complaint handling process was streamlined by implementing the customer complaint management system to improve customer satisfaction and enable better resolution of their grievances.
• Strengthening cyber security – the Bank conducted ongoing independent risk evaluations and monitored its IT risk profile based on the established key IT risk indicators. The Data Protection Impact Assessment was introduced in accordance with the Personal Data Protection Act No. 9 of 2002. Furthermore, several training programmes were conducted on the Data Protection Act with the assistance of external consultants for several layers of the Management and the Board. A data protection impact assessment was carried out and arrangements are being made to formalise the process and issue necessary guidelines and circular instructions.
• Mitigating risks of overseas operations – the risk-related activities of the Bangladesh operations were reviewed and Credit Risk Rating models were implemented for Commercial Bank Maldives, CBC Finance Ltd., CBC Myanmar Microfinance, and Bangladesh operations.

Risk appetite and risk profile

The Board-approved Risk Appetite Statement articulates the types of risks, degrees of risks, and the maximum amount of aggregate risk exposure that the Bank is willing to assume at any given point in time. For ease of monitoring, the risk appetite is expressed in terms of quantitative parameters for all the important risk indicators under each risk category. It, among others, reveals the desired asset quality, maximum market and operational risk losses and minimum capital and liquidity requirements, taking into account the volatile operating environment, regulatory requirements, strategic focus, ability to withstand losses, and stress with the available capital, funding and liquidity positions and the robustness of the risk management framework.

The risk management function periodically reports the overall risk profile of the Bank to the Management, BIRMC, and the Board, in terms of certain Key Risk Indicators and a Risk Profile Dashboard. With the help of this information, the risk profile is rigorously monitored on an ongoing basis with the due consideration it deserves and swift remedial action is taken for any deviations to ensure that the actual risk exposures across all the risk categories are kept within the approved risk appetite.

With capital adequacy and liquidity positions that define the capacity to assume risk, the Bank’s risk profile is characterised by a portfolio of high-quality assets and stable sources of funding sufficiently diversified in terms of geographies, sectors, products, currencies, size and tenors. The risk profile of the Bank’s Sri Lankan operation as of 31 December 2022 and 31 December 2021 compared to the risk appetite as defined by the regulatory/Board approved policy parameters is given below:

Table – 50: Risk profile

Risk category	Key Risk Indicator	Policy parameter	Actual position
			December 31, 2022	December 31, 2021
Credit risk:
Quality of lending portfolio	Impaired loans Stage 3 ratio (%)	2 – 5	5.25	3.85
	Impairment (Stage 3) to Stage 3 loans ratio (%)	40 – 45	39.60	42.76
	Weighted average rating score of the overall lending portfolios (%)	35 – 40	51.14	52.60
Concentration	Loans and advances by product – Highest exposure to be maintained as a percentage of the total loan portfolio (%)	30 – 40	37.78	22.40
	Advances by economic sub sector (using HHI-Herfindahl-Hirschman-index)	0.015 – 0.025	0.0152	0.0149
	Exposures exceeding 5% of the eligible capital (using HHI)	0.05 – 0.10	0.0096	0.0063
	Exposures exceeding 15% of the eligible capital (using HHI)	0.10 – 0.20	0.0087	0.0053
	Exposure to any sub sector out of total loan portfolio to be maintained at (%)	4 – 5	4.05	4.49
	Aggregate of exposures exceeding 15% of the eligible capital (%)	20 – 30	19.61	9.98
Cross border exposure	Rating of the highest exposure of the portfolio on S&P Investment Grade – AAA to BBB-	AA	AAA	AAA
Market risk:
Interest rate risk	Interest rate shock: (Impact to NII as a result of 100bps parallel rate shock for LKR and 25bps for FCY)	Maximum of Rs. 2,250 Mn.	Rs. 392.20 Mn.	Rs. 195.23 Mn.
	Re-pricing gaps (RSA/RSL in each maturity bucket – up to one- year period)	<1-1.5 Times (other than for the 1 month bucket which is <2.5 Times)	0.56 Times (1.93 times for 1 month bucket)	0.77 Times (1.86 times for 1 month bucket)
Liquidity risk	Liquid Asset Ratio for Domestic Banking Unit (DBU)	22%	35.01%	38.73%
	Liquid Asset Ratio (LCR) for All Currencies	100%	293.91%	242.52%
	Net Stable Funding Ratio (NSFR)	100%	173.58%	157.47%
Foreign exchange risk	Exchange rate shocks on Total FCY exposure	Rs. 750 Mn.	Rs. 725.73Mn.	Rs. 373.47 Mn.
Operational risk	Operational loss tolerance limit (as a percentage of last three years average gross income)	3% – 5%	0.86%	0.78%
Strategic risk:	Capital adequacy ratios:
	CET 1	Over 8.5%	11.389%	11.923%
	Total capital	Over 14%	14.657%	15.650%
	ROE	Over 15%	12.46%	14.660%
	Creditworthiness – Fitch Rating	AA(lka)	A(lka)	AA-(lka)

(RSA – Rate Sensitive Assets, RSL – Rate Sensitive Liabilities)

Credit rating

Having affirmed a National Long-term rating of AA-(lka) with a Stable Outlook by Fitch Rating in August 2021, the Bank witnessed a change in the rating outlook from Stable to Negative in April 2022. Accordingly, the AA-(lka) with a Negative Outlook was maintained by Fitch Ratings during 2022. Change of rating outlook from Stable to Negative was largely due to constrained access to foreign currency funding and the resulting indications of stress experienced by the banks in the system prevailed at that period. Further, given the heightened stress on the Bank’s funding and liquidity, and its significant exposure to the sovereign via investment in foreign-currency instruments that raised risks to its overall credit profile. Fitch Rating assessed that negative changes in the vital economic indicators such as inflation, exchange rates etc. had the potential to further distort the Bank’s underlying financial performance in the year 2022. Economy’s overall foreign currency liquidity issue also was factored in by the rating agency in arriving at their conclusion.

Future outlook and plans for 2023 and beyond

The tumultuous economic conditions that prevailed during 2022 have been outlined earlier in this report. The resulting risk impacts on the Bank and how the Bank navigated the storm were elaborated in the preceding sections of this risk management report. As cited by the CBSL and research institutions, the Sri Lankan economy will show some signs of recovery in 2023. However, the world economy is showing signs of a very delicate balance with political tensions between nations threatening to disrupt world peace. Furthermore, predictions of a world recession, increase in prices of essential commodities, disruptions to supply chains, global inflation, food insecurity, and increasing incidents due to climate change are threatening the outlook for 2023.

In the local front, Sri Lanka continued to struggle amid low tax income and high debt burden. Supply shortages largely attributed to lack of foreign exchange liquidity and resultant social unrest escalated in 2022 to witness unprecedented political changes. Nevertheless, the country was sliding further downward when power and energy crisis almost paralyzed the economy for a considerable period within the year. This was unbearable for the economy as well as for its agents. CBSL made a drastic move to hike interest rates by 700 bps to curb inflation. Yet, the rate hike fueled sudden move of Rupee liquidity towards Government debt securities whilst sourcing credit for individuals and private sector almost impossible. Despite such, export sector continued to perform well bringing in much needed foreign exchange to the country. By the latter part of 2022, some confidence was evident in hard hit sectors such as tourism in the form of notable increase in foreign tourist arrivals. Renewed confidence, though small comparatively, motivated expatriates to increase foreign remittances. By the third quarter of the year, the economy was seeking a form of life-saving medicine in the form of financial aid from international funding agencies. Political stability was not high to be noted, but not so small to neglect by the end of the year.

In the aftermath of disasters the world has encountered as a result of climate change and the widespread awareness of sustainable finance, managing climate risk will be a topmost priority for governments and business entities alike. The initiatives that have taken place at the Bank over the past year will pave the way for a more methodical and sustainable approach to business.

It could be anticipated that risks would; become more unpredictable, increase in magnitude, and be interconnected. The Bank needs to be mindful of the connectivity of risks and contagion effects where one risk leads to a ripple effect on many other risks.

On the other hand, regulatory requirements are expected to be stringent in the wake of the emerging complexities of the economy and challenges to the industry. Regulations relating to anti-money laundering and sanction-related issues are likely to take centre stage. Thus, improved integrated risk management methodologies and systems will be critical in the coming years. The cost of doing business in terms of managing the risks will increase in tandem. The cost of non-compliance or the materialisation of an unanticipated risk, will be more devastating.

These developments necessitate further strengthening of the risk governance and risk assessment, and management function. Proactive anticipation of risks and implementing forward-looking measures to combat any adverse effects will be critical in such an environment. The rapid technological advancements and the use of Artificial Intelligence (AI) and Business Intelligence (BI) to drive business innovations will continue to take precedence in the future. Accordingly, the Bank will look at opportunities presented by such innovations to increase business growth and to manage the complicated, and intricate risks arising from these developments. The role of risk management will be to support the growth of the business by providing proactive and forward-looking risk management strategies, and being a true enabler of business.

The future of risk management will be driven by data and intelligence. Specific initiatives planned for 2023 and beyond will include:

• Introducing predictive capabilities into credit risk and operational risk supported by EWS and data analytics. This would facilitate effective prediction of risks and streamline capital requirements for such risks.
• The planned implementation of improved system capability in Q1 2023 by investing in a new system (FIS) in the Treasury function to facilitate market risk analysis.
• Following the implementation of Risk Control Self Assessment (RCSA) framework in CBC Myanmar Microfinance company and CBC Finance Ltd. during 2022, the framework is planned to be implemented in Commercial Insurance Brokers (Pvt.) Ltd. in 2023.
• Effecting further improvements to the collateral allocation process to enhance collateral optimisation by revisiting the security module in the Loan originating System (LOS).
• Enhancing the analytical capabilities of the EWS to capture retail lending (credit cards, personal loans and home loans) products in addition to SME lending, and providing business units with EWS analysis for effective business decisions and objective business growth.
• Enhancing the efficiency of risk control mechanisms and processes through knowledge enhancement on critical IT systems adopted in the Bank and through the introduction of benchmarked tools and effective software support.
• Improving the automation of impairment assessments with a high degree of objectivity and accuracy with the assistance of the Data Analytics Unit to ensure data interconnectedness.
• Introducing an intelligent Credit Risk Review (CRR) tool coupled with a workflow capability through a data repository to facilitate pattern recognition and proactive decision-making.
• Converging EWS with internal risk rating applicable to the SME lending portfolio and optimise Turn Around Time (TAT) of SME credit evaluations.
• Introducing behavioural decision-making models to selected retail lending products (credit cards and personal loans) through data analytic capabilities.
• Introducing a system-based mechanism to make available cross-border counterparty exposure and sanctioned limits on a real-time basis.
• Introducing a predictive model to estimate future trends and forecasts on the “movement of net cash flows from operating activities” of borrowers (listed and unlisted corporates).
• Introducing a climate risk assessment tool in line with emerging global initiatives to continue the pioneering activities of driving the ESG agenda. The Executive Sustainable Banking Committee established towards the end of 2022 will develop an ESG framework, and identify, and assess ESG risks and opportunities of the Bank.

Risk management framework

The Bank has a comprehensive IRMF, developed based on the CBSL guidelines and the Three Lines of Defence model, which takes into account the different roles played by the different departments of the Bank and their interplay determine the effectiveness of the Bank in dealing with risk. It is a structured approach to managing all its risk exposures and is underpinned by rigorous organisational structures, systems, processes, procedures, and industry/global best practices taking into account all plausible risks, potential losses, and uncertainties the Bank is exposed to. The Three Lines of Defence model, which is the international standard, enables the Bank to have specific skills and a framework for managing risk and guides its day-to-day operations with the optimum balance of responsibilities.

The IRMF is subject to an annual review or more frequently if the circumstances so warrant, taking into account changes in the regulatory and operating environments.

 

Risk governance

Risk governance is the organisational structure that has been institutionalised for maintaining a high standard of governance. It comprises the committees, rules, processes and mechanisms by which decisions relating to risk are taken and implemented for the management and oversight of risk within the risk appetite and the risk tolerance levels, and for institutionalising a strong risk culture. Risk governance enables the Management to undertake risk taking activities more prudently.

The Three Lines of Defence model enable the Bank to inculcate an effective risk culture with accountability at each level. The Board of Directors has established a robust governance structure by leveraging the best practice in corporate governance to risk management. It comprises Board committees, executive functions, and executive committees with required delegated authority, facilitating accountability for risk at all levels and across all risk types of the Bank, and enabling a disciplined approach to managing risk. The organisation of the Bank’s risk governance is given in Figure 27. Since it is highly specialised and also ensures an integrated and consistent approach, decision-making on risk management is centralised to a greater extent in several risk management committees.

 

Board of Directors

The Board of Directors is the apex governance body that is responsible for strategy and policy formulation, objective setting and providing oversight to the executive functions. It has the overall responsibility for overseeing the risks assumed by the Bank and the Group, and for ensuring they are appropriately identified and managed (Refer for the profiles of the members of the Board of Directors). Accordingly, the Board determines the risk appetite of the Bank which is a balance between achieving its strategic goals and the risk level assumed to achieve the same. The Board has delegated oversight responsibility to Board committees, a list of which is given in the section on Annual Corporate Governance Report. These Board committees are supported by executive-level committees working closely with the executive functions to review and assess the effectiveness of the risk management function and report to the Board on a regular basis. These reports provide a comprehensive perspective of the Bank’s risk profile and risk management actions and outcomes, enabling the Board to identify the risk exposures, and any potential gaps and take the necessary mitigating actions on a timely basis. The Board continuously guides the executive management in aligning the business strategies and objectives with desired risk levels. The tone at the top and the corporate culture reinforced by the ethical and effective leadership of the Board plays a key role in managing risk at the Bank.

In addition to the Three Lines of Defence model and the tone at the top, the Bank’s commitment to conduct its business in an ethical manner plays a significant role in managing risk in the Bank. The Bank’s unwavering commitment and expectations of all the employees to undertake business in a responsible, transparent, and disciplined manner are set out in a number of related documents including the Code of Ethics, Gift Policy, Communication Policy, Credit Policy, the Anti-Bribery and Anti-Corruption Policy, and Conduct Risk Management Policy Framework which demand the highest level of honesty, integrity and accountability from all employees.

Given the potential for financial losses and reputational risk and as required by regulatory authorities, the Board of Directors closely monitors the risk profile of all the subsidiaries in the Group apart from that of the Bank (Refer Financial review 2022 for the list of subsidiaries).

Board committees

The Board has set up the following four Board committees to assist in discharging its oversight responsibilities for risk management and for ensuring the adequacy and effectiveness of internal control systems.

• Board Audit Committee (BAC)
• Board Integrated Risk Management Committee (BIRMC)
• Board Credit Committee (BCC)
• Board Strategy Development Committee (BSDC)

Each sub-committee has its Terms of Reference (ToR) and conducts meetings at pre-determined frequencies and as and when circumstances require.

These committees through their deliberations, review and make recommendations to the Board on risk appetite, risk profile, strategy, risk management and internal controls framework, risk policies, limits, and delegated authority.

Details relating to composition, Terms of Reference, authority, meetings held and attendance, activities undertaken during the year, etc. of each of these Board committees are given in the respective sub-committee reports in the section on Board Committee Reports.

Executive Committees

Executive management is responsible for the execution of strategies and plans in accordance with the mandate assigned to each such committee by the Board of Directors while maintaining the risk profile within the approved risk appetite. Executive Integrated Risk Management Committee (EIRMC) comprises members from units responsible for credit risk, market risk, liquidity risk, operational risk, and IT risk. Spearheaded by the EIRMC, the following committees have been set up on specific aspects of risk to facilitate risk management across the First and the Second Lines of Defence.

• Asset and Liability Committee (ALCO)
• Credit Policy Committee (CPC)
• Executive Committee on Monitoring Non-Performing Credit Facilities (ECMN)
• Information Security Council (ISC)
• Business Continuity Management Steering Committee (BCMSC)

EIRMC coordinates communication with the BIRMC to ensure that the risk management activities are conducted in accordance with the Integrated Risk Management Framework and the risk is managed within the stipulated risk parameters. In addition, the Chief Risk Officer reports directly to the BIRMC ensuring the independence of the risk management function. Details relating to the composition of the executive committees are given in the section on “Annual Corporate Governance Report”.

The Chief Risk Officer, who heads the IRMD participates in the executive committees listed above as well as in BIRMC, BCC and BAC meetings. It is the responsibility of the IRMD to independently monitor compliance of the First Line of Defence to the laid down policies, procedures, guidelines, and limits and escalate deviations to the relevant executive committees. It also provides the perspective on all types of risk for the above committees to carry out independent risk evaluations and share their findings with the Line Managers and the Senior Management enabling effective communication of material issues, and initiating deliberations and necessary action.

Risk management

Risk management is the functional responsibility for identifying, assessing, controlling and mitigating risks, as well as determining risk mitigation strategies, monitoring early warning signals (EWS), estimating potential future losses and putting measures in place to contain losses/risk transfer. The risk management framework (Figure 28) facilitates the formulation and implementation of risk management strategies, policies and procedures, while taking into account the strategic focus as defined in the Bank’s Corporate Plan and the risk appetite.

The Bank has made significant investments to develop and maintain the infrastructure required in terms of both human and physical resources to strengthen the detection and management of risks, including mandates, policies & procedures, limits, software, databases, expertise, communication, etc. and to adopt international best practices. Since risk management is the responsibility of every employee of the Bank, they need to have a clear understanding of the risks the Bank is faced with, IRMD provides ongoing training and awareness to the employees, risk owners in particular, disseminating knowledge and enhancing their skills on all aspects related to risk, instilling the desired risk culture.

Policies, procedures, and limits

The Bank has a set of comprehensive risk management policies that cover all the risks it manages to provide guidance to the business and support units on risk management and to ensure regulatory compliance including the Banking Act Direction No. 07 of 2011 – Integrated Risk Management Framework for Licensed Commercial Banks based on the Basel Framework, and subsequent CBSL directives. This helps to reduce prejudice and subjectivity in risk decisions by institutionalising the risk knowledge base. These key documents establish the Bank’s risk culture by defining its objectives, priorities and processes as well as the role of the Board of Directors and the Management in risk management. The Risk Assessment Statement (RAS) sets out the risk limits and forms an integral part of the risk management framework. The BIRMC and the Board of Directors review the RAS at least once a year, if not more frequently, based on regulatory and business needs.

The Bank has considered the regulatory needs of the countries in which it operates. The Bank’s overall risk exposure, including its international operations, is within the CBSL’s regulatory framework.

The Bank has issued comprehensive operational guidelines to facilitate the implementation of the Risk Management Policy and the limits specified in the RAS. These guidelines detail the types of facilities, processes, and terms and conditions under which the Bank conducts business, providing staff clarity to their daily tasks.

 

Risk management tools

The Bank uses a combination of qualitative and quantitative tools to identify, measure, manage, and report risks. The selection of the appropriate tool(s) for managing a particular risk is based on the likelihood of occurrence and the potential impact of the risk as well as the availability of data. These tools include EWS, threat analysis, risk policies, risk registers, risk maps, risk dashboards, RCSA, ICAAP, diversification, covenants, SEMS, workflow-based operational risk management system, insurance, benchmarking to limits, gap analysis, NPV analysis, swaps, caps and floors, hedging, risk rating, risk scoring, risk modelling, duration, scenario analysis, marking to market, stress testing, and VaR analysis etc.

 

Types of risks

The Bank is exposed to a multitude of financial and non-financial risks, which can be broadly categorised into credit, market, liquidity, operational, reputational, IT, strategic, social & environmental and legal risks. All of these risks taken together determine the risk profile of the Bank which is monitored periodically against the risk appetite referred to earlier. The robust risk management framework in place enables the Bank to manage these risks prudently.

Nevertheless, banks are not entirely immune to the significant levels of uncertainty arising from various external developments, as well as internal factors that will continue to affect their risk profiles on an ongoing basis.

External developments may include;

• The outbreak of pandemics
• Movements in macroeconomic variables
• Fragile supply chains
• Sovereign risk destabilising financial markets
• Political instability
• Demographic changes
• Changes in Government fiscal and monetary policies
• Technological advances
• Regulatory developments
• Mounting stakeholder pressures
• Competitor activities
• Unsubstantiated information being circulated on social media
• A decline in property market valuations giving rise to higher losses on defaulting loans
• Unfounded public perceptions that banks are exploiting customers
• Distressed businesses and individuals
• Downgrading of ratings of the banks and
• Growing sustainability concerns

Besides limiting the physical movements of people and global trade, such developments could impact public perceptions, disposable income of people, demand for banking products and services, funding mix, interest margins, and tax liabilities of the Bank.

Internal factors may include;

• Knowledge and skill gaps among staff members
• Lapses in internal administration
• Deterioration of internal sub-cultures
• Deliberate acts of fraud, cheating, and misappropriation etc.
• Arbitrary decision making
• Inaccurate/insufficient risk reporting
• Inadequacies/misalignments of digitisation
• Strategic misalignments
• Lapses in implementing the risk management framework
• Improper alignment of remuneration to performance and risk
• Incorrect advice offered to customers
• Inaccurate predictions of macroeconomic variables
• Execution gaps in internal processes
• Lack of industrial harmony
• Critical accounting judgments and estimates turning to be inaccurate
• Lack of robust data infrastructure adversely affecting business and operational decisions and
• Subsidiaries and associates not performing up to the expectations of the Bank.

These factors, if not properly managed, may affect the risk profile of the Bank as well as cause reputational damage, hampering the objective of sustainable value creation for all its stakeholders.

Furthermore, the operating environment has become much more complex and unpredictable due to some potentially disruptive emerging threats and uncertainties, resulting in some of the long-standing assumptions about markets, competition, and even business fundamentals being less true today. These concerns call for the Bank to better understand its stakeholders and meet their expectations with excellence in the execution of internal processes. The Bank deals with these developments through appropriate strategic responses, believing that they would provide opportunities to differentiate the Bank’s value proposition for future growth. A summary of key risks is given in Figure 29.

These developments are making the operating environment more complex, dynamic, and competitive day by day and risk management is very challenging on an ongoing basis. Effective management of these risks with a congruent approach to face uncertainties is nevertheless a sine qua non to the implementation of the Bank’s strategy for value creation for all its stakeholders. Consequently, deliberations on risk management were on top of the agenda in all Board, Board Committee, and Executive Committee meetings of the Bank.

A description of the different types of risks managed by the risk management function of the Bank and the risk mitigation measures adopted are given below.

Credit risk

Credit risk refers to the potential loss arising from a borrower or a counterparty failing to meet obligations in accordance with agreed terms. The Bank is exposed to credit risk through direct lending activities as well as commitments, and contingencies . Credit risk depends on various factors such as the quality of the lending portfolio, concentration levels, ratings of counterparties with cross-border exposures, and sovereign ratings in relation to exposures to the Government. The COVID-19 pandemic, unprecedented market and supply disruptions and certain subsequent socio economic and political developments have triggered some implications, such as masked credit risk and elevation of the risks of most sectors. This has required the Bank to explore new approaches for managing and mitigating credit risk, whilst carrying out existing risk management and mitigation processes in a more granular and stringent manner.

The Bank’s total credit risk is made up of counterparty risk, concentration risk, and settlement risk.

Table – 51: Maximum credit risk exposure

	As of December 31, 2022
	Rs. Bn.	%
Net carrying amount of credit exposure:
Cash and cash equivalents	149.394	5.4
Placements with central banks and other banks (excluding reserves)	95. 900	3.5
Financial assets at amortised cost – Loans and advances to Banks
Financial assets at amortised cost – Loans and advances to Other Customers	1,130.442	40.9
Financial assets at amortised cost – Debt and Other financial instruments	725.935	26.2
Financial assets measured at fair value through other comprehensive income	117.056	4.2
Total (a)	2,218.727
Off-balance sheet maximum exposure:
Lending commitments	132.065	4.8
Contingencies	415.235	15.0
Total (b)	547.300
Total of maximum credit exposure (a + b)	2,766.027	100.0
Gross carrying amount of loans and advances to Other Customers	1,219.667
Stage 3 (credit impaired) loans and advances to Other Customers	114.739
Impaired loans as a % of gross loans and advances to Other Customers		9.4
Allowance for impairment – loans and advances to Other Customers	89.225
Allowance for impairment as a % of gross loans and advances to Other Customers		7.3
Impairment charge – loans and advances to Other Customers	21.962

Amid the COVID-19 pandemic related environmental challenges, the maximum credit exposure of the Bank has increased from Rs. 2,492.4 Bn. (as of end December 2021) to Rs. 2,766.0 Bn. (as of end December 2022).

During the year, owing to the aforementioned aggravated risks and new risks, the financial services industry experienced an increasing trend in loans and advances to other customers being classified as NPCF. This resulted in the credit-impaired (Stage 3) loans to customers of the Bank to increase to Rs.114.739 Bn. (Rs. 79.076 Bn. in 2021), which is 9.4% (7.3% in 2021) of the gross loans and advances to other customers. The Bank has provided a cumulative impairment allowance of Rs. 89.225 Bn. on the loans and advances portfolio as of December 31, 2022 (Rs. 64.066 Bn. as at December 31, 2021) as per the requirements of SLFRS 9. Furthermore, sovereign rating downgrade and the ongoing debt restructuring program of Sri Lanka necessitated classification of the Bank’s exposure to USD-denominated Government Securities to Stage 2 and substantial impairment provisions being made as at end December 2022. Accordingly, the Bank provided 35% and 10% of the Bank’s exposure to Sri Lanka Sovereign Bonds and Sri Lanka Development Bonds, respectively.

Managing credit risk

The lending portfolio accounts for 46% of total assets and credit risk accounts for over 90% of the total risk-weighted assets. Hence, managing credit risk prudently is of critical importance to the Bank’s sustainability. The Bank endeavoured to manage credit risk going beyond mere regulatory compliance. It is managed through the Board approved credit risk management framework comprising a robust risk governance structure and a comprehensive suite of risk management processes, which, among others include policies and procedures, risk ratings, risk review mechanism, collateral management and valuation, segregation of credit risk management functions, social and environmental risk management, independent verification of risk assessments, credit risk monitoring, post disbursement review, providing direction to business line managers, dissemination of credit risk related knowledge, and sharing information with internal audit.

During the year, the EIRMC/BIRMC were extra vigilant in their efforts on managing credit risk owing to the exacerbation of perennial risks and emergence of new risks. Accordingly, a close monitoring mechanism was in place on the exposures to high-risk segments under 3 categories – Watchlist, High-risk list, and Exit list, both in Sri Lanka and Bangladesh operations. The top 5 Stage 3 customers under each of the sub sectors coming under the three segments listed above were closely monitored. Furthermore, based on insights from EWS, the movement of exposures and the number of customers falling under EWS High, Medium, and Low-Risk categories were closely monitored. A well-designed process was deployed involving Lending Officers and IRMD for continuous monitoring of stressed lending assets highlighted through EWS.

The Bank also paid special attention to the exposures to REIs during the year under review and monitored the Expected Credit Loss (ECL) for individually impaired and collectively impaired facilities – against the underlying exposures for individually impaired and collectively impaired facilities in both Stage 2 and Stage 3. Tourism-related and other exposures were continued to be analysed and monitored separately. The top 10 borrowers under each of the REIs in Stage 2 and Stage 3 were closely monitored whilst exposures to the Government in terms of commercial lending, as well as against treasury guarantees, were closely monitored along with the collateral concentration of advances.

The Bank has the following internal limits:

• Open credit exposure
• Aggregate credit exposures to corporate borrowers owned and controlled by a single common shareholder or stakeholder
• Related party exposure
• Economic group exposure ratio
• Cross border exposures

Post disbursement credit review of Loans & Overdrafts is carried out as per the “Credit Risk Review Policy”. The scope of coverage of these reviews was determined in accordance with the provisions of the Credit Policy, Lending Guidelines, and the Credit Risk Review Policy. On completion of the review, the observations were submitted to the lending officers and their responses were reviewed. In addition to the existing reviews, the Bank paid special attention to the lending units/regions demonstrated heightened stress levels in terms of substandard lending. Granular analyses on these units were escalated to the Executive Committees for timely actions.

The credit health checks of branches and other lending units are carried out based on the credit evaluation process, behaviour of accounts, risk rating, compliance with guidelines, post-sanction compliance, concentration levels in the Loan Book, recovery, follow-up of NPCF, regular problematic advances, credit process, and the reporting system.

Review of credit risk

The challenging operating environment following the Easter Sunday attack further deteriorated due to the COVID-19 pandemic-related lockdowns, economic hardships undergone by the country travel restrictions, supply chain disruptions, and import restrictions continued throughout the year under review and heightened stress levels among individuals and businesses. Concerns fuelled by foreign currency liquidity shortages exerted pressure on the business entities. However, certain proactive measures taken by the Government such as the effective vaccination drive, reasonable political stability, and efforts to boost FDIs and revive tourism helped the country sustain economic activities at a reasonable level. Demonstrating its resilience, the Bank managed to gradually weather the effects of the pandemic and make progress. Continuous follow-up of advances that were subjected to moratoria, recovery initiatives such as offering incentives and heightened scrutiny in loan appraisals elevated levels of attention given to loan approvals, rationalisation of credit exposures with deep analyses, and post-sanction monitoring and recovery efforts together with the planned implementation of early identification of stressed borrowers through EWS will assist the Bank to gradually improve credit quality in 2023 and minimise potential credit risk. The Bank took extra caution in new credit exposure creation as well as in managing existing credit exposures, given the increased social stress amid the country’s economic condition.

In addition to the effective credit risk management framework referred to above that guides the Bank when on-boarding new exposure and monitoring existing exposure which makes an enormous contribution to maintaining the quality of the loan book, the Bank is vigilant and exercises caution when choosing customers, products, industries, segments, and geographies it serves. Continuous monitoring of age analysis and the underlying movement of overdue loans through arrears buckets enabled the Bank to swiftly take action, thereby moderating default risk during the year.

Concentration risk

The Bank manages concentration risk by strategically diversifying the business across industry sectors, products, counterparties, and geographies. The Bank’s RAS defines the limits for these segments and ensures compliance, whilst the Board, BIRMC, EIRMC, and the CPC monitor these exposures. They also make suggestions and recommendations on modifications to defined limits based on the trends and developments shaping the business environment.

Graph 44 depicts the tenure-wise breakdown of the portfolio of total loans and advances to other customers within the risk appetite of the Bank.

The distribution of Stage 3 credit-impaired loans and advances to other customers in terms of identified industry sectors at the year-end is given in Table 52.

Table – 52: Distribution of Stage 3 credit impaired loans and advances to other customers as of December 31, 2022

Industry category	Stage 3 loans and advances Rs. ’000	Allowance for individual impairment Rs. ’000	Allowance for collective impairment Rs. ’000	ECL allowance Rs. ’000	Amount written-off Rs. ’000
Agriculture, forestry, and fishing	11,949,935	2,266,138	2,367,404	4,633,542	24,901
Arts, entertainment, and recreation	124,782	–	41,691	41,691	54
Construction	8,034,938	3,951,605	1,065,638	5,017,243	6,988
Consumption and others	7,303,608	44,389	2,594,245	2,638,634	692
Education	324,818	–	104,527	104,527	102
Financial services	1,135,683	770,753	139,152	909,905	–
Healthcare, social services, and support services	1,299,652	106,977	380,440	487,417	–
Information technology and communication services	707,779	–	256,215	256,215	922
Infrastructure development	2,273,404	1,053,454	296,362	1,349,816	834
Lending to overseas entities	8,314,558	393,234	456,199	849,433	–
Manufacturing	19,245,186	5,153,287	2,869,661	8,022,948	2,568
Professional, scientific, and technical activities	718,840	–	230,598	230,598	–
Tourism	20,742,718	5,859,811	1,934,170	7,793,981	1,715
Transportation and storage	3,586,462	1,844,307	293,563	2,137,870	1,435
Wholesale and retail trade	28,976,492	6,783,806	5,119,775	11,903,581	15,996
Total	114,738,855	28,227,761	18,149,640	46,377,401	56,207

Given the facts that economic activities are centered around the Western Province and corporates’ registered offices are located therein, the Loan Book is highly concentrated in this province (Graph 45).

An analysis of the Bank’s lending portfolio by product (Graph 46) also reveals that the efficacy of the Bank’s credit policies is effective and the risk being diversified across a range of credit products.

The relatively high exposure of 39% to long-term loans is rigorously monitored and mitigated with collateral.

Counterparty risk

The Bank manages counterparty risk through the established policies/procedures and limit structures including single borrower limits and group exposure limits for different products etc. The Bank has set limits far more stringent than those stipulated by the regulator, providing a greater flexibility in managing concentration levels with regard to the counterparty exposures.

Loans and receivables to the Bank, both from local and foreign counterparties contribute mainly to the counterparty risk. The Bank monitors the exposures against the established product limits at frequent intervals. A specific set of policies, procedures, and a limit structure are in place to monitor it. Whilst market information on the financial/economic performance of these counterparties is subject to rigorous scrutiny throughout the year, the counterparty bank exposures are monitored against the established prudent limits at frequent intervals and the limits are revised to reflect the latest information, where deemed necessary.

The analysis uses ratings provided by Fitch Ratings for local banks in Sri Lanka and Credit Ratings Agency in Bangladesh (CRAB) for local banks in Bangladesh (Equivalent CRISL/Alpha ratings are used where CRAB ratings are not available). Exposures for local banks in Sri Lanka rated AAA to A category stood at 88% (Graph 47) whilst 100% of exposure of the local banks in Bangladesh consisted of AAA to AA rated counterparty banks (Graph 48).

Cross-border risk

This denotes the risk that the Bank will be unable to secure payments from its customers or third parties on their contractual obligations due to certain actions taken by foreign governments, mainly relating to the convertibility and transferability of foreign currency. Assets exposed to cross-border risk comprise loans and advances, interest-bearing deposits with other banks, trade and other bills, and acceptances and those predominantly relating to short-term money market activities.

To minimise the risk arising from over-concentration in cross-border exposures, the Bank has set limit structures, continuously monitors macroeconomic and market developments of the countries with exposure to counterparties, and conducts a stringent evaluation of counterparties while maintaining frequent dialogue with them. Timely action is taken to suspend/revise limits to countries with adverse economic/political developments.

The Bank limits its total cross-border exposure to 8% of its total assets (Graph 49). The Bank has cross-border exposures to a range of countries which primarily include the Singapore, Maldives, UK, UAE, India, USA, etc. 93% of the cross-border exposures relating to Sri Lankan and Bangladesh operations are to AAA to BBB- countries while 7% are to below BBB- and unrated countries. (Graph 50).

Market risk

Market risk is the risk that a bank's financial position may be negatively impacted by fluctuations in financial market conditions such as changes in interest rates, exchange rates, commodity prices, equity/debt prices and their correlations against the expectations the Bank had at the time of making decisions. Market risk arises from the Bank’s trading activities, investments in financial instruments, and exposure to volatile financial markets. The Bank’s operations are exposed to these variables and correlations in varying magnitudes. Market risk includes interest rate risk, liquidity risk, foreign currency risk and equity risk.

Table – 53: Market risk categories

Major market risk category	Risk components	Description	Tools to monitor	Severity	Impact	Exposure
Interest rate		Risk of loss arising from movements or volatility in interest rates
	Re-pricing	Differences in amounts of interest-earning assets and interest-bearing liabilities getting re-priced at the same time or due to timing differences in the fixed rate maturities, and appropriately re-pricing of floating rate assets, liabilities, and off-balance sheet instruments	Re-pricing gap limits and interest rate sensitivity limits	High	Medium	Medium
	Yield curve	Unanticipated changes in shape and the gradient of the yield curve	Rate shocks and reports	High	High	High
	Basis	Differences in the relative movements of rate indices which are used for pricing instruments with similar characteristics	Rate shocks and reports	High	Medium	Medium
Foreign exchange		Possible impact on earnings or capital arising from movements in exchange rates arising out of maturity mismatches in foreign currency positions other than those denominated in base currency, Sri Lankan Rupee (LKR)	Risk tolerance limits for individual currency exposures as well as aggregate exposures within regulatory limits for NOP	High	Medium	Medium
Equity		Possible losses arising from changes in prices and volatilities of individual equities	Mark-to-market calculations are carried out daily for Fair Value Through Profit and Loss (FVTPL) and Fair Value Through Other Comprehensive Income (FVOCI) portfolios	Low	Low	Negligible
Commodity		Exposures to changes in prices and volatilities of individual commodities	Mark to market calculations	Low	Low	Negligible

Managing market risk

Market risk is managed through the market risk management framework approved by the Board, comprising a robust risk governance structure and a comprehensive suite of risk management processes which include policies, market risk limits, Management Action Triggers (MATs), risk monitoring, and risk assessment.

The impact on the Bank’s Net Interest Income (NII) was assessed in a stress situation for a period of 12 months from a given point in time based on a change of 100 – 400 bps on LKR and 25 – 100 bps on FCY. The Bank also adopts the Economic Value of Equity (EVE) which is a long-term measure of IRR that analyses the value of the Bank in present market conditions and the sensitivity of that value to changes in market rates. Moreover, the repricing gap of Rate Sensitive Assets (RSA) and Rate Sensitive Liabilities (RSL) was analysed.

The Bank monitored the change in Net Interest Margin (NIM) month on month, for both LKR and FCY for Sri Lanka and Bangladesh operations. Additionally, the FX position gain/loss in a stress situation was assessed with 1% up/down in exchange rate between USD and LKR rates. Furthermore, the Mark To Market (MTM) gains/losses impact was assessed if interest rates change by 1% up/down and 2% up/down on the FVTPL portfolio of LKR Government securities. The same was done on the FVTOCI portfolio as well.

The Bank monitored opportunity loss of the amortised cost portfolio and the FCY cashflow for the next three months on an ongoing basis. The FCY liquidity gap summary was prepared which includes the funding liquidity against undrawn OD limits and the next 3 months projected loan disbursements. The Bank also prepares the funding concentration in terms of tenor and values, top 20 depositors, and based on currency as well.

Review of market risk

Market risk arises mainly from the Non-Trading Portfolio (Banking Book) which accounted for 91.16% of the total assets and 93.09% of the total liabilities as of December 31, 2022. Exposure to market risk arises mainly from IRR and FX risk as the Bank has negligible exposure to commodity-related price risk and equity and debt price risk which was less than 12% of the total risk-weighted exposure for market risk.

The Bank’s exposure to market risk analysed by Trading Book and Non-Trading Portfolios (or Banking Book) is set out in the Note 66.3.1.

Market risk portfolio analysis

The gap report is prepared by stratifying RSA and RSL into various time bands according to maturity (if they are fixed rated) or time remaining to their next re-pricing (if they are floating rated). Balances of savings deposits are distributed in line with the findings of a behavioural analysis conducted by the Bank and based on the guidelines of the CBSL on overdrafts and credit cards. The vulnerability of the Bank to interest rate volatility is indicated by the gap between RSA and RSL (Refer Table 54).

Table – 54: Interest rate sensitivity gap analysis of assets and liabilities of the Banking Book as of December 31, 2022 – Bank

Description	0-90 Days	3-12 Months	1-3 Years	3-5 Years	Over 5 years	Non-sensitive	Total as at
	Rs. ’000	Rs. ’000	Rs. ’000	Rs. ’000	Rs. ’000	Rs. ’000	Rs. ’000
Total financial assets	779,088,288	378,017,501	458,110,679	246,707,660	177,899,941	246,914,112	2,286,738,181
Total financial liabilities	571,718,478	825,190,163	194,875,265	197,195,333	155,428,710	210,359,365	2,154,767,314
Interest rate sensitivity gap	207,369,810	(447,172,662)	263,235,414	49,512,327	49,512,327	36,554,747	131,970,867
Cumulative gap	207,369,810	(239,802,852)	23,432,562	72,944,889	95,416,120	131,970,867
RSA/RSL	1.36	0.46	2.35	1.25	1.14

Interest rate risk (IRR)

Extreme movements in interest rates expose the Bank to fluctuations in NII and have the potential to impact the underlying value of interest-earning assets, interest-bearing liabilities, and off-balance sheet items. The main types of IRR to which the Bank is exposed are re-pricing risk, yield curve risk, and basis risk.

Sensitivity of projected NII

Regular stress tests are carried out on Interest Rate Risk in Banking Book (IRRBB) encompassing changing positions and new economic variables together with systemic and specific stress scenarios. Change in the value of the Fixed Income Securities (FIS) portfolio in FVTPL and FVOCI categories due to abnormal market movements is measured using both EVE and Earnings At Risk (EAR) perspectives. Results of stress tests on IRR are analysed to identify the impact of such scenarios on the Bank’s profitability and capital.

Impact on NII due to rate shocks on LKR and FCY is continuously monitored to ascertain the Bank’s vulnerability to sudden interest rate movements (Refer Table 55).

Table – 55: Sensitivity of NII to rate shocks

	2022		2021
	Parallel increase Rs. ’000	Parallel decrease Rs. ’000	Parallel increase Rs. ’000	Parallel decrease Rs. ’000
As at December 31,	392,200	(392,737)	195,232	(195,288)
Average for the year	369,472	(369,892)	258,265	(200,260)
Maximum for the year	813,181	(813,616)	655,218	(655,219)
Minimum for the year	19,531	(20,281)	(87,864)	245,713

Foreign exchange risk

Stringent risk tolerance limits for individual currency exposures as well as aggregate exposures within the regulatory limits ensure that potential losses arising out of fluctuations in FX rates are minimised and maintained within the Bank’s risk appetite.

USD/LKR exchange rate depreciated by 44.8% (Source – the CBSL) during the year under review. Please refer Note 66.3.3 – Exposure to currency risk – non-trading portfolio.

Stress testing is conducted on net open position (NOP) by applying rate shocks ranging from 2% to 15% to estimate the impact on profitability and capital adequacy of the Bank (Refer Table 59). The impact of a 1% downward change in exchange rate on the foreign currency position indicated a loss of Rs. 725.73 Mn. on the positions as of December 31, 2022 (Graph 73 indicated the impact of a 1% upward change in exchange rate).

Equity price risk

Although the Bank’s exposure to equity price risk is negligible, mark-to-market calculations are conducted daily on FVTPL and FVOCI portfolios. The Bank has also calculated VaR on equity portfolio. Note 66.3.4 summarises the impact of a shock of 10% on equity price on profit, other comprehensive income (OCI), and equity.

Commodity price risk

The Bank has negligible exposure to commodity price risk which is limited to the extent of the fluctuations in the gold price on the pawning portfolio.

Liquidity risk

Liquidity risk is the Bank’s inability to meet “on” or “off” balance sheet contractual and contingent financial obligations as they fall due, without incurring unacceptable losses.

Banks are vulnerable to liquidity and solvency problems arising from mismatches in the maturities of assets and liabilities. Consequently, the primary objective of liquidity risk management is to assess and ensure the availability of funds required to meet obligations at appropriate times, both under normal and stressed conditions.

Liquid assets ratios as of December 31, 2022 are given below:

Table – 56: Statutory liquidity ratios

	2022	2021
	%	%
Statutory Liquid Assets Ratio (SLAR)
Domestic Banking Unit	35.01	38.73
Off shore Banking Centre	32.37	36.39
Consolidated (Sri Lankan Operation)	35.88	N/A
Liquidity Coverage Ratio (LCR)
Rupee	405.91	425.97
All Currencies	293.91	242.52
Net Stable Funding Ratio (NSFR)	173.58	157.47

Managing liquidity risk

The Bank manages liquidity risk through policies and procedures, measurement approaches, mitigation measures, stress testing methodologies and contingency funding arrangements. As experienced across the industry, relatively slow credit growth compared to deposit inflow, caused the Bank to have an excess liquidity situation throughout the year, as can be seen by the ratios given in Table 56 it was a challenge for the Bank to manage such excess liquidity to generate an optimum return. A major portion of the excess liquidity had to be invested in Government securities, both denominated in LKR and FCY at optimum yields to minimise adverse effects on profitability.

The Bank paid special attention and made a concerted effort to leverage opportunities available to negate the impact of the negative carry on certain treasury investments. However, the Bank has to go through a painful period until such time majority of the bonds in the portfolio mature over the next 2-3 years. A scenario analysis of the magnitude of the negative carry was conducted during the year.

To avoid the risk of potential haircuts and potential impairment provisioning, the Bank decided to accept the proceeds of the maturing USD denominated Sri Lanka Development Bonds (SLDBs) in Rupees and the NOP created as a result of forex sales was managed by operating within the permanent negative NOP limit.

Furthermore, the Bank reclassified its bonds (except LKR bonds maturing before October 2022) in line with the guidelines issued by CA Sri Lanka by way of a Statement of Alternative Treatment (SoAT) on Reclassification of Debt Portfolio and necessary disclosures have been made in the interim financials as well as in this Annual Report.

Liquidity risk review

The net loans to deposits ratio is regularly monitored by the ALCO to ensure that the asset and liability portfolios of the Bank are geared to maintain a healthy liquidity position. NSFR indicating the stability of funding sources compared to loans and advances granted was maintained well above the policy threshold of 100%, which is considered healthy to support the Bank’s business model and growth.

The key ratios used for measuring liquidity under the stock approach are given in below:

Table – 57: Key ratios used for measuring liquidity under the stock approach

Liquidity ratios %	As at December 31, 2022	As at December 31, 2021
Loans to customer deposits	0.64	0.75
Net loans to total assets	0.47	0.52
Liquid assets to short-term liabilities	0.53	0.58
Purchased funds to total assets	0.26	0.22
(Large liabilities – Temporary Investments) to (Earning assets – Temporary Investments)	0.26	0.19
Commitment to total loans	0.15	0.18

Maturity gap analysis

Maturity gap analysis of assets and liabilities of the Bank as of December 31, 2022 is given in Note 66.2.2. (a) to the Financial Statements.

Maturity analysis of financial assets and financial liabilities of the Bank indicates that there is sufficient funding available to weather adverse situations based on prescribed behavioural patterns.

Maturity analysis of financial assets and financial liabilities of the Bank does not indicate any adverse situation when due cognisance is given to the fact that cash outflows include savings deposits which can be considered as a quasi-stable source of funds based on historical behavioural patterns of such depositors as explained below.

Behavioural analysis on savings accounts

In the absence of a contractual agreement on maturity, savings deposits are treated as a non-maturing demand deposit. There is no exact re-pricing frequency for the product and the Bank resets rate offered on these deposits based on the re-pricing gap and liquidity and profitability, etc. Since there is no exact re-pricing frequency and it is less sensitive to market interest rates, the segregation of savings products among the predefined maturity buckets in the maturity gap report is done based on the regular simulations carried out by the Bank in line with behavioural study.

The liquidity position is measured in all major currencies at both individual and aggregate levels to ensure potential risks are within specified threshold limits. Additionally, potential liquidity commitments resulting from loan disbursements and undrawn overdrafts are also monitored to ensure sufficient funding sources.

Funding diversification by product

The Bank’s primary sources of funding are deposits from customers and other borrowings. Graph 51 provides a product-wise analysis of the Bank’s funding diversification as of the end of 2022 and 2021.

Operational risk

Operational risk is the possibility of incurring losses due to insufficient or failed internal processes, people and systems, or from external events such as natural disasters, or social, or political events. It is inherent in all banking products and processes and the Bank’s objective is to control it cost-effectively. The seven standard criteria in operational risk are execution, delivery and process management, internal frauds, external frauds, employment practices and workplace safety, clients, products and business practice, damage to physical assets and business, and disruption and system failures. Operational risk includes legal risk but excludes strategic and reputational risk.

Managing operational risk

The Bank manages operational risk through policies, risk assessment, and risk mitigation including insurance coverage, procedures relating to outsourcing of business activities, managing technology risk, formulating a comprehensive Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP), creating a culture of risk awareness across the Bank, stress testing, and monitoring and reporting.

Policies and procedures relating to outsourcing of business activities of the Bank ensure that all significant risks arising from outsourcing arrangements of the Bank are identified and effectively managed continuously. Details of all outsourced functions are reported to the CBSL annually. Due diligence tests on outsourced vendors are carried out by respective risk owners prior to executing new agreements and renewal of existing agreements. Further, bi-annual review meetings are conducted with key IT service providers to monitor service performance levels and verify adherence to the agreements.

The EIRMC/BIRMC closely monitored and ensured timely rectification of other business disruptions arising from such causes as telephone line failures, branch level system failures, fire/natural perils, industrial unrest, branch closures due to hartals, police curfew, and the COVID-19 pandemic, etc..

The Bank conducted an operational risk review of the BCP and the DRP documents including a review of the Disaster Recovery (DR) site. This process was carried out by the IRMD in accordance with Section 3 (6) (v) of the Banking Act Direction No. 11 of 2007 on Corporate Governance for LCBs. The Act requires the BIRMC to assess the adequacy of preparedness based on an independent review of the BCP and DRP of the Bank.

During the year the Bank implemented a Group-wide Conduct Risk Management Policy Framework. Furthermore, a database that includes all operational loss events for the past 10 years of the Bank is now available in the Operational Risk Management System (ORMS). In addition, the RCSA Framework was extended to other financial entities in the Group [CBC Finance Ltd. (CBCF), CBC Myanmar Microfinance Ltd. (CBCMM)] during the year. This framework allows each entity to identify, assess, and manage its own risks while also ensuring alignment with the Group's risk management objectives.

Business continuity management

The Business Continuity Management (BCM) framework of the Bank encompasses various activities such as business continuity, disaster recovery, crisis management, incident management, emergency management, and contingency planning activities. Through the BCM, the Bank ensures its commitment to serving all its stakeholders ,even in times of an unforeseen disruption to business activities arising from man-made, natural, or technical disasters ,with minimum business interruptions and quickly resume its operations.

The scope of the BCM includes programme initiation and management, risk evaluation and business impact analysis, developing business continuity strategies, emergency preparedness and response, developing and implementing business continuity plans, awareness building and training, business continuity plan exercise, audit and maintenance, and crisis communications and coordination with external agencies.

In 2018, the BCP of the Bank was revamped in line with industry best practices in consultation with an external BCP expert. IT Disaster Recovery Plan, which is a key component of BCP was also reviewed and approved by the Board of Directors. IT system recovery capabilities of core banking and other critical systems of the Bank have been further strengthened by way of introducing a secondary high-availability set-up leading to improved redundancy.

The Bank was compelled to postpone the scheduled BCP exercise for 2022 to the second quarter of 2023, with the approval of the CBSL, due to delay in receiving essential network communications related equipment ordered by the Bank which needs to be installed at the Bank’s DR site prior conducting the drill exercise.

Review of operational risk

The Bank has a low appetite for operational risk and has established tolerance levels for all types of material operational risk losses based on historical loss data, budgets and forecasts, the performance of the Bank, existing systems and controls governing Bank operations, etc. The following thresholds have been established based on audited financial statements for monitoring purposes:

• Alert level – 3% of the average gross income for the past three years
• Maximum level – 5% of the average gross income for the past three years

Operational losses for the financial year 2022 were below the internal alert level at 0.86% (of average audited gross income for the past three years). The Bank has been consistently maintaining operational losses below the alert level for the past ten years, reflecting the “tone at the top”, effectiveness of the governance structures, and the rigour of processes and procedures in place to manage operational risk.

Graph 52 analyses the operational risk losses incurred by the Bank in 2022 under each business line/category.

When analysing the losses incurred during 2022 under the Basel II defined business lines, it is evident that the majority (60%) of losses with financial impact falls under the business line of “Payment and Settlement”, followed by the losses reported under the “Retail Banking” (39%) and “Trading & Sales” (1%) business lines. Losses relating to other business lines remained negligible.

Graphs 53 and 54 depict the comparison of operational losses reported during 2022 and 2021 under each Basel II loss event type, both in terms of the number of occurrences and value.

Losses by number of events

As typical with operational risk losses, the majority of the losses encountered by the Bank during 2022 consisted of high frequency/low financial impact events mainly falling under the loss category Execution, Delivery and Process Management. These low-value events are mainly related to cash and ATM operations of the Bank’s service delivery network comprising over 1,000 points across Sri Lanka and Bangladesh. Individual events with monetary values less than Rs.100,000 accounted for more than 89% of the total loss events for the year. Also, the number of loss events for the year when compared to the number of transactions performed during the year stands at a mere 0.0050%.

The Bank continued to strengthen its AML compliance with new audit reports for monitoring transactions and ensuring compliance with KYC requirements during the year.

The values of the losses incurred by the Bank during the year can mainly be categorised under Execution, Delivery and Process Management related, Business Disruption and System Failures related and Damages to Physical Assets. The losses for the year were primarily driven by a limited number of events in these three categories majority of which the Bank managed to resolve through subsequent recovery/ rectification with minimum financial impact to the Bank. Further, necessary process improvements have been introduced to prevent recurrence Capital allocation pertaining to the operational risk for 2022 under Alternative Standardised Approach as per Basel III is Rs. 10.31 Bn., whereas the net losses after discounting the subsequent recoveries amount to a mere 0.488% of this capital allocation. This trend of exceptionally low levels of operational risk losses of the Bank bears testimony to the effectiveness of the Bank’s operational risk management framework and the internal control environment.

IT risk

IT risk is the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an organisation. It is a major component of operational risk comprising IT-related events such as system interruptions/failures, errors, frauds through system manipulations, cyberattacks, obsolescence in applications, and falling behind competitors in terms of technology, etc., that could potentially affect the whole business. IT risks encompass governance aspects, critical system availability, access control, threat management, change management, physical and environmental security, and DR/BC planning.

Given the uncertainty pertaining to the frequency and magnitude, managing IT risk poses challenges. Hence, the Bank has accorded top priority to address IT risk placing more focus on cyber security strategies and continually investing in cyber security improvements. The Bank’s cyber security strategy is focused on securely enabling new technology and business initiatives while maintaining a persistent focus on protecting the Bank and its customers from cyber threats.

The IT Risk Unit of the IRMD is responsible for implementing the IT risk management framework of the Bank, ensuring appropriate governance framework, policies, processes, and technical capabilities are in place to manage all significant IT risks. The IT Risk Management Policy, aligned with the Operational Risk Management Policy complements the Information Security Policy, the related processes, objectives, and procedures relevant to managing risk and improving the information security of the Bank.

RCSA is one of the core mechanisms for IT risk identification and assessment, and the IT Risk Unit conducts independent IT risk reviews in line with the established structure of the operational risk management process. Results of these independent IT risk assessments, together with audit findings, analysis of information, security incidents, and internal and external loss data are also employed for IT risk identification and assessment purposes.

IT risk mitigation involves prioritising, evaluating, and implementing the appropriate risk-reducing controls or risk treatment techniques recommended from the risk identification and assessment process. The Bank has built a multi-layered approach to controls into each layer of technology, including data, applications, devices, network, etc. This ensures robust end-to-end protection, while enhancing cyber threat detection, prevention, response, and recovery controls. The Bank is certified under the globally accepted, de facto standard for Information Security Management System (ISMS) – ISO/IEC 27001:2013 and Payment Card Industry Data Security Standard (PCI DSS), both focusing on ensuring Confidentiality, Integrity, and Availability of data/ information. The ISMS is independently validated on an annual basis by the ISO 27001 ISMS external auditors and Qualified Security Assessors of the PCI Council.

The Bank has continued to invest in information security, by enhancing information security governance in line with the CBSL directions and intensifying focus on information and cyber security with the Baseline Security Standards (BSS) rolled out across the branch network and in the head office. Initiatives taken in this regard are given under Key risk management initiatives in 2022 in this section of this report.

Given that risk management relies heavily on an effective monitoring mechanism, the IT Risk Unit carries out continuous, independent monitoring of the Bank’s IT risk profile using a range of tools and techniques including Key IT Risk Indicators (KIRIs). The KIRI review process involves monitoring a range of indicators including information security-related incidents, supplemented by trend analyses that accentuates high-risk or emerging issues so that prompt action can be taken to address them.

The increasing staff turnover during the year compared to the historically low levels was a concern during 2022. To address this issue, the Bank plans to implement several strategies such as creating a special grading system for IT staff and increasing the salaries of IT professionals in tandem with the market rates. The Bank also engaged in identifying the root cause of major incidents relating to IT Operations during the year. It is noteworthy to mention that despite the growth in business volumes and operations, the number of major incidents relating to IT has remained at the same level over the past decade. The mitigatory actions taken on all major operational risk events including IT-related incidents during the year were closely reviewed. There are many indicators under each of these broader categories of IT risk which is monitored on a monthly basis.

Legal risk

Legal risk is an integral part of operational risk and is defined as the exposure to the adverse effects arising from inaccurately drawn up contracts, their execution, the absence of written agreements, or inadequate agreements. It includes, but is not limited to exposure to reprimanding, fines, penalties, or punitive damages resulting from supervisory actions as well as the cost of private settlements.

The Bank manages legal risk by ensuring that applicable regulations are fully taken into consideration in all relations and contracts with individuals and institutions who maintain business relationships with the Bank and are supported by the required documentation. The potential risk of any rules and regulations being breached is managed by the establishment and operation of an effective system for verifying the conformity of operations with relevant regulations.

Compliance and regulatory risk

Compliance and regulatory risk refer to the potential risk to the Bank resulting from non-compliance with applicable laws, rules, and regulations and codes of conduct that could result in regulatory fines, financial losses, disruptions to business activities, and reputational damage. A compliance function reporting directly to the Board of Directors is in place to assess the Bank’s compliance with external and internal regulations on an ongoing basis. A comprehensive Compliance Policy defines how this key risk is identified, monitored, and managed by the Bank in a structured manner. The Bank’s culture and the Code of Ethics too play a key role in managing this risk.

The Bank maintains a strong culture of compliance by ensuring that the entire operation of the Bank is carried out in line with the prevailing regulations. The following measures were taken to further strengthen regulatory compliance requirements to ensure that effective monitoring, testing, reporting and to verify compliance with risk mitigation activities are in place and functioning as intended across the Bank.

• Incorporated new regulatory developments to internal policies, procedures, and controls.
• Added new scenarios for transaction monitoring.
• Regularly reviewed the Compliance program of the Bank.
• Covered Compliance Audit for over 125 branches/business units .
• Analysed Compliance risk and established effective controls to avoid identified shortcomings.
• Provided required training to staff members.

Strategic risk

Strategic risk is related to strategic decisions and may manifest in the Bank not being able to keep up with the evolving market dynamics, resulting in loss of market share and failure to achieve strategic goals. Corporate planning and budgeting process, and critical evaluation of their alignment with the Bank’s vision, mission, and risk appetite facilitate the management of strategic risk. The detailed scorecard-based qualitative model aligned to ICAAP is used to measure and monitor the strategic risk of the Bank. This scorecard-based approach takes a number of variables into account, including the size and sophistication of the Bank, and the nature and complexity of its operations, and highlights the areas that require focus to mitigate potential strategic risks. Strategic risk is assessed based on capital adequacy, earnings volatility, shareholder value, etc. with suitable weightage allocated for the respective criteria and scores allocated against such weights.

Reputational risk

Reputational risk refers to risk of an adverse impact on earnings, assets, and liabilities or brand value arising from negative stakeholder perception of the Bank’s business practices, activities, and financial position. The Bank recognises that reputational risk is driven by a wide range of other business risks relating to the “conduct” of the Bank that must all be actively managed. In addition, the proliferation of social media has widened the stakeholder base and expanded the sources of reputational risk. Accordingly, reputational risk is broadly managed through the systems and controls adopted for all other risk types such as credit, market, operational risk, etc., which are underpinned by the code of conduct, Anti-Bribery and Anti-Corruption Policy, Conduct Risk Management Policy Framework, Communication Policy, and business ethics that prohibit unethical behaviour and promote employees to live by the claims made. Furthermore, the detailed scorecard available to measure and monitor reputational risk under ICAAP was formalised and implemented as the Group Reputational Risk Management Policy framework during the year 2020.

Conduct risk

As an organisation that thrives on public trust and confidence, yet is faced with many conflicting interests and trade-offs aligning the interests with those of the customers is imperative for the Bank’s success and sustainability. Unfair business practices, professional misbehaviour, ethical lapses, inefficient operations, bribery and corruption, compliance failures, governance weaknesses, etc. dent customer confidence in the Bank. Proper conduct with fair outcomes for the customer is closely associated with the culture, governance structure, and the tone at the top of the Bank. The Bank adopts a customer-centric approach encompassing accountability, remuneration structures, compliance with the laws, rules and regulations in spirit, learning culture, transparency, public disclosures, Service Level Agreements and monitoring thereof, customer complaint handling procedure, and customer engagement to maintain high standards of behaviour and integrity to minimise conduct risk. During the year, the Bank developed and adopted a Board approved Conduct Risk Management Policy Framework covering the entire Group.

Contagion risk

From a banking perspective, Contagion (Systemic) risk refers to the risk of financial stress or shock in one country, market, industry, or a counterparty spilling across to other countries, markets, industries, or counterparties, triggering disturbance and even defaults, given the highly integrated nature of the global financial systems and cross-market linkages. The impact of a single shock can amplify existing stresses and lead to larger and sustained impacts on lives and livelihoods. The spill-over effects, a form of negative externalities, can create financial volatility and cause damage to financial systems. Although COVID-19 began as a viral outbreak, it has already created a financial contagion in global markets. In the current fragile context where the outlook for the pandemic and the path to economic recovery continue to remain uncertain, the Bank is to take additional steps to identify risk elevated industries and monitor levels of distress among customers, industry sectors, regions etc. that may cause contagion risk, through the EWS, based on internal data, with a view to limit the potential impact.

Model Risk

A subset of Operational Risk, Model Risk is the risk that occurs when financial models used to measure quantitative information fail, leading to adverse outcomes for the Bank. The Bank uses a number of models that apply statistical, economic, financial, and mathematical theories, techniques and assumptions to process data into a quantitative estimate, for the management of various risks. Model failures can occur due to programming errors, incorrect data, technical errors as well as misinterpretation of model outputs. The Bank uses extensive testing, robust governance policies, and independent reviews to manage model risk.

Bribery and corruption-related risks

Bribery and Corruption are illegal and dishonest, and damage the reputation of the Bank. Therefore, the Bank expects its employees to refrain from giving or accepting bribes, kickbacks, or commissions nor take part in any form of corruption. The Bank has a Board approved Anti-Bribery and Anti-Corruption Policy setting out the principles for countering bribery and corruption and managing bribery and corruption risk which is accessible at www.combank.lk/info as well as in the intranet of the Bank. In addition, the Bank has a Whistleblowers Charter and guidelines on accepting and/offering gifts or other illegal gratification, collection, and borrowing of funds/obtaining undue favours from customers and suppliers, holding a Directorship/being a Partner/Shareholder in private companies enumerated in the Code of Ethics and administrative circulars. In implementing the Code of Ethics and affirming its commitment to the 10th Principle of the UN Global Compact, the Bank expects all employees not only to fight corruption, but also to demonstrate that they do not abuse the power of their position as employees for personal financial or non-financial gain, solicit or accept gifts, or compromise employees or the Bank. No employee of the Bank should offer any bribe or other illegal gratification in order to obtain business for the Bank.

The Bank does not make any political contributions and the Anti-Bribery and Anti-Corruption Policy will be amended to include a prohibition of any form of political contributions during its annual review in March 2023.

Sustainability risk

Sustainability risks can arise from the failure of the Bank to identify and manage risks related to many different aspects in accordance with the policies, guidelines, commitments and ambitions of the Bank. These risks can include harm to the society, the environment, and the climate as well as failures relating to human rights, working conditions, financial crimes, information and IT security, and even corporate governance in its operations. Sustainability risks may also be present in most other risks described above as well. Besides the SEMS Policy, with a view to formalise the Bank’s approach to sustainability, the Bank adopted a Sustainability Framework during the year. Any failures in relation to these aspects could result in adverse implications for the Bank in financial and reputational as well as legal perspectives. Besides the risk perspective, the Bank is aware that placing due attention on these aspects will instil public confidence and enhance stakeholder relationships. Accordingly, the Bank manages the sustainability related risks within the framework of established systems and processes.

Capital Adequacy and ICAAP Framework

The Bank follows the Basel requirements and uses internal models as prescribed in the ICAAP framework to evaluate the risk profile, stress test risk drivers, and to determine the necessary internal capital adequacy requirements. Internal limits which are more stringent than the regulatory requirements providing early warnings with regard to capital adequacy.

ICAAP supports the regulatory review process providing valuable inputs for evaluating the required capital in line with future business plans. It integrates strategic focus and risk management plans with the capital plan in a meaningful manner, using inputs from the Senior Management, Management Committees, Board Committees, and the Board. It also takes into account the potential risk of capital being inadequate under stressed conditions. ICAAP also supports profit optimisation through proactive decisions on exposures both current and potential, measuring vulnerabilities by conducting stress testing and scenario-based analysis. The ICAAP process also identifies gaps in managing qualitative and quantitative aspects of reputational risk and strategic risk which are not covered under Pillar I of Basel III.

The Bank is compliant with both regulatory and its prudential requirements of capital adequacy. With a loyal base of shareholders and profitable operations, the Bank is also well positioned to meet capital requirements in the longer term to cover its material risks and to support business expansion, as a Domestic Systemically Important Bank (D-SIB).

Basel III minimum capital requirements and buffers

The Banking Act Direction No. 01 of 2016 required licensed commercial banks to meet the capital requirement set forth by Basel III commencing from July 1, 2017, with specified timelines to progressively increase minimum capital ratios to be fully implemented by January 1, 2019, which included Higher Loss Absorbency component for D-SIBs. However, as an extraordinary regulatory measure for licensed banks to support businesses and individuals affected by the outbreak of COVID-19, the CBSL permitted D-SIBs to draw down their Capital Conservation Buffers by 100 basis points.

Table – 58: Target and actual capital

Capital ratios	Regulatory minimum %	Goal (internal requirement) %	2022 %	2021 %
CET 1	8.500	>8.500	11.389	11.923
HLA	1.500	>1.500
Tier I	10.000	>10.000	11.389	11.923
Total	14.000	>14.000	14.657	15.650

A comparison of the status as of December 31, 2022, and the minimum capital requirement prescribed by the CBSL effective from January 01, 2019, as tabulated above, demonstrates the capital strength of the Bank and bears testimony to the ability to meet stringent requirements imposed by the regulator despite the persistent economic headwinds.

The ICAAP helps the Bank to periodically evaluate the capital requirements for the next five years, develop capital augmentation plans based thereon, and submit the same for review by the CBSL. Certain unprecedented developments such as the increased impairment provisioning and the exponential increase in risk weighted assets due to the impact of the sharp depreciation of the Rupee on FCY denominated assets, the Bank had to draw down the Capital Conservation Buffer during the year based on a Capital Augmentation Plan submitted to the Central Bank. However, with the issue of Rs. 10 Bn. worth Basel III compliant – Tier II, Listed, Rated, Unsecured, Subordinated, Redeemable debentures with a Non-viability Conversion and profits generated for the year enabled the Bank to restore the capital adequacy to be above the minimum requirements by the end of the year.

The Bank has a “Basel Workgroup” consisting of members from a cross-section of business and support units to assess capital adequacy in line with the strategic direction of the Bank. While ICAAP acts as a foundation for such assessment, the Basel Workgroup is continuously seeking improvements amidst the changing landscape in different frontiers, to recommend the desired way forward to the ALCO including indications on current and future capital requirements, anticipated capital expenditure-based assessments, and desirable capital levels, etc.

Being in a capital-intensive business, the Bank is cognisant of the importance of capital. The Bank has access to a loyal base of shareholders who takes a long-term view of the Bank as well as the profits retained over the years by adopting prudent dividend policies, etc. Moreover, in order to achieve an optimised level of capital allocation, the Bank is continuously finding ways to improve the judicious allocation of capital to requirements associated with its day-to-day operations. The challenges associated with mobilising capital from external sources are also taken into account, but not excluded as a sustainable option to boost capital in the long run. The Bank is comfortable with the available capital buffer to support its growth plans/withstand stressed market conditions. However, the Bank is never complacent with the current comfort levels and believes in providing stakeholder confidence that the Bank is known for, through sound capital buffer levels.

Stress testing

As an integral part of ICAAP under Pillar II, the Bank conducted stress testing for severe but plausible shocks on its major risk exposures periodically to evaluate the sensitivity of the current and forward risk profile relative to risk appetite and their impact on the resilience of capital, funding, liquidity, and earnings.

It also supports strategic planning, the ICAAP including capital management, liquidity management, setting of risk appetite triggers and risk tolerance limits, mitigating risks through reviewing and adjusting limits, restricting or reducing exposures and hedging strategies where appropriate, facilitating the development of risk mitigation or contingency plans across a range of stressed conditions, and supporting communication with internal and external stakeholders.

The Bank’s governance framework for stress testing sets out the responsibilities and approaches to stress testing activities undertaken at the Bank, business line and risk type levels. The Bank uses a range of stress testing techniques, including scenario analysis, sensitivity analysis, and reverse stress testing to perform stress testing for different purposes.

The framework covers all the material risks such as credit risk, credit concentration risk, operational risk, liquidity risk, FX risk, and IRRBB using EVE and EAR perspectives. The Bank evaluates various degrees of stress levels identified in the Stress Testing Policy as Minor, Moderate, and Severe. The resulting impact on the capital is then carefully evaluated. If stress tests indicate a deterioration of the capital that does not breach the policy-level capital maintenance requirements, the same is described as a Minor risk, while a deterioration of up to 1% is considered as Moderate risk. If the impact results in the capital falling below the statutory minimum, this is considered Severe risk, warranting immediate attention of the Management to rectify the situation.

Stress testing is an effective communication tool to Senior Management, risk owners and risk managers as well as supervisors and regulators. It offers a broader view of all risks borne by the Bank in relation to its risk tolerance and strategy in hypothetical stress scenarios. The outcomes of stress testing are reported to the EIRMC and BIRMC on a quarterly basis for appropriate and proactive decision-making. Extracts from the stress testing results are set out in Table 59.

Table – 59: Impact on CAR at minor, moderate and severe stress levels

Particulars	Description	2022			2021
		Minor	Moderate	Severe	Minor	Moderate	Severe
		%	%	%	%	%	%
Credit risk – asset quality downgrade	Increasing the direct non- performing facilities over the direct performing facilities for the entire portfolio(1)	-0.42	-1.16	-1.76	-0.14	-0.35	-0.68
Operational risk	Impact of; 1. Top five operational losses during last five years 2. Average of yearly operational risk losses during last three years whichever is higher	-0.04	-0.09	-0.19	-0.05	-0.11	-0.22
Foreign exchange risk	Percentage shock in the exchange rates for the Bank and Maldives operations (gross positions in each Book without netting)	-0.21	-0.39	-0.59	-0.10	-0.20	-0.47
Liquidity risk (LKR) –	1. Withdrawal of percentage of the clients, banks and other banking institution deposits from the Bank within a period of three months 2. Rollover of loans to a period greater than three months	-0.03	-0.12	-0.25	-0.06	-0.14	-0.27
Interest rate risk – EAR and EVE (LKR) – Sri Lanka	To assess the long-term impact of changes in interest rates on Bank’s EVE through changes in the economic value of its assets and liabilities and to assess the immediate impact of changes in interest rates on Bank’s earnings through changes in its net interest income	-1.18	-1.69	-1.95	-0.27	-0.41	-0.42

(1) Stress scenarios for 2022 are based on SLFRS-9 guidelines and Staging of credit facilities pursuant to the Banking Act Direction No. 13 of 2021, whereas those for 2021 follow previous accounting standards (LKASs).

Monitoring and reporting

The risk management function of the Bank is responsible for identifying, measuring, monitoring, and reporting risk. To enhance the effectiveness of its role, the staff attached to it is given regular training, enabling them to develop and refine their skills. They are well supported by IT systems facilitating data extraction, analysis, and modelling of possible scenarios. Regular and ad-hoc reports are generated on Key Risk Indicators and risk matrices of the Bank as well as the subsidiaries, for review by the Senior Management, Executive and Board Committees, and the Board which relies on such reports for evaluating risk and providing strategic direction.

The reports provide information on aggregate measures of risks across products, portfolios, tenures, and geographies relative to agreed policy parameters, providing a clear representation of the risk profile and sensitivities of the risks assumed by the Bank and the Group.

Basel III – Market Discipline

Refer Annex 2 for the minimum disclosure requirements under Pillar III as per the Banking Act Direction No. 01 of 2016.

Refer Annex 2 for the D-SIB Assessment Exercise disclosed as required by the Banking Act Direction No. 10 of 2019.