Managing risk in turbulent times

In 2023, the Sri Lankan economy showed signs of stabilising after the formidable challenges lingering since 2020. This revival was considerable political stability, pivotal reforms, including the introduction of cost-reflective utility pricing, innovative revenue strategies, and tightened monetary policies. Notably, inflation receded to single digits by July 2023, marking a positive trend. Key economic indicators including a resurgence in tourism, an upswing in trade and worker remittances, ongoing external debt service suspension, increased development inflows, and a better trade balance owing to import restrictions contributed significantly to bolstering official reserves. Anomaly between the Prime Lending Rate and interest rates on Government Securities coupled with lacklustre demand for private sector credit, especially in the first half of the year, and absence of alternative investment opportunities for excess funds caused the banks’ exposure to the Government of Sri Lanka to increase further. Amid a global turbulent landscape – marked by the post-pandemic recovery challenges, the Ukraine-Russia conflict, increased hostilities between Israel and Palestine, escalating global inflation, climate-induced disasters, disruptions in food and energy supply chains, cyber threats, and shifts in the dominance of the US Dollar—the global economic growth demonstrated resilience despite a sluggish pace.

A detailed analysis of the global and local operating environment that provided context to the Bank’s performance in 2023 and efforts in the sphere of risk governance and management is given in operating context and outlook.

The Integrated Risk Management Department (IRMD) went through the challenge of managing the increased risk levels within the risk appetite, while at the same time supporting innovation and growth and delivering the desired results for stakeholders.

The IRMD diligently monitored and managed risks within acceptable thresholds, striving to strike a balance between risk mitigation and the Bank’s organisational objectives. The lending portfolio of the Bank continued to face heightened credit risks with rising defaults leading to a gradual deterioration of the asset quality. The Bank retained substantial investments in government securities amidst sluggish private sector credit growth, impacted by defaults in debt repayments, continued credit moratoria and increased interest rates. Moreover, the discrepancy in interest rates between government securities and private credit lending creates a more favourable environment for Banks to invest more funds toward government securities. However, the Bank did see an increase in consumption-based lending especially related to pawning. Market risks were relatively contained with gradual decrease in interest rates and improved foreign currency liquidity supported by import restrictions, rising tourist arrivals, and remittances. Operational risks surfaced due to suspect practices such as money laundering, terrorist financing and other contentious behaviours. The escalation of cyber risks due to surge in cybercrimes and system interruptions/ failures etc. posed additional challenges. Subdued earnings resulting from stressed economic conditions raised strategic risks impacting capital adequacy, credit ratings, and dealings with international counterparties, growing urgency to pivot the conventional business model.

Despite the risk landscape undergoing rapid changes and the resultant significant stresses, the Bank operated with utmost vigilance and maintained operational resilience during the year by being incisive, adaptable, and innovative in managing the many risks associated with the business model. Introduction of the Sustainability Framework helped the Bank identify and account for new risks in areas such as diversity, equity, and climate change as environment, sustainability, and governance (ESG) issues are brought to the heart of the corporate landscape. The Bank’s fundamental guiding imperative of prudent growth has allowed it to remain a stable and responsible value creator throughout, empowering its stakeholders to meet their financial ambitions. Pragmatic exercises of conducting risk-control self-assessments, regular evaluations of risk management processes and tools, probing the Key Risk Indicators (KRIs) in relation to the traffic of risks, introduction of additional risk reviews, testing business continuity and disaster recovery plans, and the strict compliance to laws, regulatory guidelines, and internal controls in all areas of the business operations helped the Bank manage risks commendably.

In relative terms, the success of these efforts is evident from the moderate risk profile the Bank has been able to maintain in line with its risk parameters (Refer Table 47) and the results of operations and the financial position as given in the financial statements published in this Annual Report.

Business model and risk

As a commercial bank, the Bank’s business operations revolve around the two primary activities of financial intermediation and maturity transformation (see Business Model for Sustainable Value Creation on pages 54 to 61 for more information). As a result, the Bank has been able to function with an on-balance sheet asset base of Rs. 2,580.33 Bn. as of December 31, 2023, having geared its capital of Rs. 214.93 Bn. 12 times. The increased degree of gearing exposes the Bank to a variety of risks, which typically include credit risk, operational risk, and market risk in that order based on the amount of capital allocated in accordance with the Basel capital adequacy standards. In addition, a number of ancillary risks have emerged as a result of various developing trends, endangering the Bank’s business model (Refer Operating context and outlook for a summary of such emerging events). These risks together with the events mentioned in the preceding paragraphs, may significantly affect nearly all of the Bank’s primary risk categories. However, the Bank was able to manage the related risks, optimise the trade-off between risk and return, maintain stability, retain the trust of its stakeholders - depositors in particular - and continue creating sustainable value due to the robust risk governance framework and the rigorous risk management function in place.

Objectives

The primary objectives of the Bank’s risk governance framework and risk management function include:

• Establishing the necessary organisational structure for risk management and oversight;
• Defining the desired risk profile in terms of risk appetite and risk tolerance levels;
• Institutionalising a positive risk culture within the Bank that embodies values, beliefs, attitudes, and practices to drive highly effective risk decisions;
• Assigning functional responsibility for decisions relating to accepting, transferring, mitigating, and minimising risks and recommending the best ways of doing so;
• Evaluating the risk profile against the approved risk appetite on an ongoing basis;
• Estimating potential losses that could result from plausible risk exposures;
• Conducting regular stress tests to make sure that the Bank has enough liquidity and capital buffers to meet unexpected losses and fulfill contractual obligations;
• Integrating risk management into the development and implementation of strategies;
• Ensuring the effective use of available capital to generate the best possible risk-return trade-off; and
• Encouraging improved communication of risk among all levels of the Bank.

Key challenges to risk management in 2023

The key challenges in 2023 from a risk management perspective are detailed below:

• Low demand for Credit – the overall demand for private sector credit continued to remain subdued during most part of the year under review due to the dampened economic conditions and high rates of interest that prevailed during the first half of the year. With a pickup in credit growth commencing from May 2023, the total loans and advances portfolio recorded a marginal growth of 4.27% as at December 31, 2023 over the previous year end.
• Heightened Credit Risk – The borrowers’ ability to repay debt continued to be negatively impacted by high interest rates and challenging economic conditions that overflowed from the previous year. Various schemes of moratoria that were given to borrowers in certain industries continued in 2023, but came to an end by December 2023. All these factors taken together, the Bank continued to witness a heightened level of credit risk.
• Provisioning for Government Securities – While the Domestic Debt Optimisation was finalised and a plan for settlement of Sri Lanka Development Bonds (SLDBs) was agreed during the year without much impact, the banks continued to increase impairment provisions on their investments in Sri Lanka Sovereign Bonds (SLSBs) in anticipation of higher loss rates. Accordingly, the Bank increased impairment provision on SLSBs by Rs. 27.0 Bn.,(with the exchange rate impact), bringing the cumulative provision to Rs. 95.9 Bn. as at December 31, 2023.
• “Masked” credit risk – This refers to the exposure of the Bank to a form of financial risk wherein certain aspects of a borrower’s credit risk profile are concealed or not fully transparent, influencing the overall determination of the borrower’s creditworthiness. The Bank has been compelled to safeguard borrowers’ privacy and mitigate bias or discrimination during lending decisions. The consequences of masked credit risk are extensive, potentially leading to a false sense of security within the Bank and consequently, a lack of transparency in financial reporting. This exposure places the Bank at risk of capital misallocation, losses resulting from unforeseen defaults, and even fraudulent activities, posing a significant threat to its reputation.
• Managing the exchange rate risk – With a significant proportion of both assets and liabilities being denominated in foreign currency and with operations in several countries, sharp fluctuations in exchange rates can have a notable impact on the profitability as well as the financial position of the Bank. Following the unprecedented depreciation from Rs. 200 to Rs. 367.00 against the US Dollar in 2022, the Sri Lankan Rupee settled down at Rs. 324.25 as at end 2023. However, continued stability in exchange rates is contingent upon many variables such as continuation of the IMF programme, achieving milestones in relation to debt sustainability, growth in worker remittances and tourist arrivals.
• Challenges in balance sheet management – Managing the balance sheet continued to be challenging due to the Bank having to make significant investments in government securities as a result of the lower demand for credit over the past four years. The Board and the Management level committees, including the ALCO, the Board Investment Committee, and the Board level, engaged in lengthy deliberations before making investment and re-investment decisions. After much discussion, solutions for managing investment risk, interest rate risk, liquidity risk, and foreign exchange risk were developed. These moves helped efficient management of the balance sheet. Reinvestment risk in government securities was given particular consideration.
• Increased cyber security risk – The potential for cyber security assaults continues to increase due to clients’ growing reliance on digital banking products and services and the increasing levels of automation of internal operations for operational efficiency. Therefore, in order to avoid related remediation expenses and reputational damage, the Bank prioritised and fortified its cyber security programs.
• Increased compliance risk – In the wake of increasing compliance requirements and regulatory scrutiny coupled with growing complexity of operations, compliance teams continued to engage with the risk management team to ensure compliance with regulatory requirements to prevent any financial impact and regulatory sanctions due to non-compliance and avoid reputational risk.

Key risk management initiatives adopted in 2023

In the wake of the aforementioned challenges, the Bank implemented various initiatives during the year to manage risks which, among others, included the following:

Classification / declassification of Risk Elevated Industries (REIs) – IRMD continued to independently classify / declassify industry sectors that are identified as susceptible to business cycles and could face higher negative impact during times of recession or negative economic growth (“Risk Elevated Industries or REIs”), thereby strengthening the underlying governance framework. This was done through analysis of stress levels of borrowers in the Bank’s loan book and their industries, taking into account macro and micro variables such as GDP growth, account operations / days past due position, early warning signals etc.

Strengthening individual impairment – In order to comply with the regulatory guidelines, further strengthen the process and enhance accuracy of related provisioning, IRMD commenced an independent review of credit facilities and borrowers subjected to individual impairment, on a quarterly basis. This involves a review of cash flow projections done by the business units to determine how objectively such projections have been made, based on the knowledge of the industry and borrowers IRMD possesses and challenge the business units wherever the conclusions significantly differ. The effectiveness of this review is evident from the gradual improvement of cash flow projections leading to improved back testing results. Hence, the further strengthening of impairment provisioning against credit exposures of Individually Significant Customers.

Risk management as an enabler in business innovation – IRMD is not merely about risk prevention; it acts as a catalyst for business innovation and helps the Bank maintain the optimum balance between risk and return. It takes on this role, for example, by identifying Risk Elevated Industries - sectors vulnerable to risks - and assisting them to manage their activities. Additionally, IRMD enhances credit risk rating mechanism of financial subsidiaries/ associate companies, ensuring alignment with industry standards.

Expanding the use of the Early Warning Signals (EWS) mechanism – The Early Warning System (EWS) framework has significantly aided the Bank in promptly identifying credit risk by using sophisticated analytical tools with predictive capabilities to anticipate potential defaults among borrowers. This capability has enabled the Bank to take pre-emptive measures to mitigate credit losses. Moreover, the system tracks the correlation between the risk assessments made during credit evaluation and the eventual classification of these facilities as Non-Performing Credit Facilities (NPCF). Additionally, it has bolstered underwriting standards for high-risk proposals. To reinforce this process, an EWS Health Council has been established.

Implementing RCSA in all IT related processes – The Bank implemented a quarterly Risk and Control Self-Assessment (RCSA) process in all business units responsible for technology driven banking products and services such as payment cards and electronic banking, and information technology and information security, as required by the CBSL Direction No. 16 on Regulatory Framework on Technology Risk Management and Resilience for licensed commercial banks. This RCSA process is monitored by the IRMD.

FCY Liquidity Contingency Plan – Further refined the foreign currency (FCY) liquidity contingency plan based on lessons learned during 2022 and early part of 2023 with regard to FCY liquidity. The Bank also extended the monitoring process to Bangladesh for both the Bangladesh Taka and the US Dollar.

Improving alignment with Social and Environmental Management System (SEMS) – enhanced the alignment with social and environmental dimensions by incorporating climate aspects into the Bank’s SEMS risk assessment introduced in 2010. The Bank is in the process of drawing a Climate Risk framework with the assistance of a third party focusing on the Bank’s carbon footprint against the country’s net zero targets. The Bank is also looking to lend towards sectors that contribute to a reduction in GHG emissions.

Green Financing Policy – The Bank identified green financing as an area of strategic focus and engaged the services of International Finance Corporation (IFC) in 2017 to assist in developing the Green Financing strategy for the Bank. Ever since, Green Financing has become well integrated in to the corporate strategies of the Bank. Given that it is a continuously evolving subject and hence, the need to align the Bank to suit the global standards as well as local regulations and requirements, the Bank developed a Green Financing Policy during the year.

Group Social and Environmental Policy – Updated the Group Social and Environmental Policy by incorporating Green Financing Policy to the list of other aligned policies, viz. Social and Environmental Risk Management Procedure(s), Credit Policy and Lending Guidelines, committing to the principle of “Do No Significant Harm to the environment” to be in line with the Sri Lanka Green Financing Taxonomy, May 2022 and to acknowledge the Bank’s commitment towards emerging financial risks posed by climate change and climate risk assessment.

Updating the BIRMC Charter for Financial Consumer Protection Regulations – Updated the Board Integrated Risk Management Committee (BIRMC) Charter to include responsibilities for reviewing, approving, and providing oversight for the Financial Consumer Protection Regulations Framework of the Bank and periodic evaluation on the adequacy of controls to ensure that an appropriate monitoring mechanism is in place to ensure compliance with the Financial Consumer Protection Regulations.

Climate risk-based value generation – With a view to be the pioneer in climate risk-based value generation by embracing a robust ESG framework in support of Sustainable Banking Initiatives of the Bank by 2025, the Social and Environmental Risk Unit of the IRMD together with the Sustainability Banking Unit and the Investment Banking Unit initiated efforts to obtain global best practices/tools to be implemented in the Bank and become a beneficiary of concessionary financing. In this regard, the Bank commenced a pilot project to analyse the portfolio for climate risk.

Establishment of the Executive Sustainability Committee – To fortify the governance structure within the Bank and ensure a steadfast commitment to sustainability, the Bank established the Executive Sustainability Committee, which will play a pivotal role in steering the sustainability agenda and overseeing its implementation. The Committee convenes quarterly, providing a robust platform for strategic discussions, decision-making, and the alignment of the practices with global and national sustainability frameworks. The establishment of this Committee underscores the Bank’s dedication to improve our sustainability practices and maintain the highest standards in sustainable banking.

Streamlining customer complaint handling – customer complaint handling process was streamlined by implementing the customer complaint management system to improve customer satisfaction and enable better resolution of their grievances.

Strengthening cyber security – the Bank conducted ongoing independent risk evaluations and monitored its IT risk profile based on the established key IT risk indicators. The performance of the Commercial Bank of Ceylon PLC was ranked as ‘Excellent’ at TechCERT’s annual Cyber Security Drill 2023.

Improve the scope of Privilege Access Monitoring (PAM) – Commenced review of high priority systems with a view to onboard them to the PAM tool, arrange a mechanism to obtain native logs where any system cannot be onboarded due to the Bank not having application level access and to prepare scenarios to be checked.

Data Governance – In order to comply with the requirements of Banking Act Directions No. 16: Regulatory Framework for on Technology Risk Management and Resilience for Licensed Banks and to fulfill the obligations of the Bank in terms of the Personal Data Protection Act which came into effect from September 2023, the Bank took the several steps during the year. These included the introduction of a Data Protection Impact Assessment, development of a Board approved Data Governance Policy, appointment of a Data Protection Officer and creating awareness on the subject among several layers of the Management and the Board, putting in place the required framework to ensure compliance at the respective line of defence.

Policy for Continuous Professional Development – As mandated by the Banking Act Directions No. 16: Regulatory Framework for on Technology Risk Management and Resilience for Licensed Banks, the Bank developed a Policy for Continuous Professional Development (CPD) for Information Security, Technology Risk Management and Internal Audit Functions, during the year. The Policy has set out the applicable departments, CPD requirements, qualifying CPD activities, and submission of CPD details for assessment.

Contribution of the BIRMC – Throughout the year, the BIRMC too diligently discharged its duties by reviewing and addressing all the significant risk categories. The focus for 2023 was on managing the deteriorating credit quality in various industries due to challenging operating conditions. The Committee evaluated affected sectors and made strategic decisions to optimise growth, profitability, and asset quality in light of economic changes. It reviewed and approved parameters and limits, implemented the Data Governance Policy Framework, and monitored risk metrics regularly. The BIRMC recommended improvements to the Risk Management Framework, revised the Terms of Reference for Management Committees, and deliberated on operational efficiency and disruptions. It also oversaw the Bank’s Recovery Plan, assessed the impact of unusual market movements, and ensured the effectiveness of the risk management and compliance functions. The BIRMC took action against failures in risk management and continuously monitored the risk profiles of subsidiaries, Sustainable Banking Initiatives, and Business Continuity and Disaster Recovery plans. Additionally, findings from the bi-annual Risk Control Self-Assessment exercise were thoroughly reviewed.

Details of specific activities undertaken by the BIRMC during the year to further risk governance and risk management are given in its report on page 199 and 200 of this Annual Report.

Risk appetite and risk profile

The Board-endorsed Risk Appetite Statement outlines the types and degrees of risks, and the maximum amount of aggregate risk exposure that the Bank is willing to assume at any given point in time. It quantifies risk thresholds across various indicators for each risk category, showing the Bank’s preferred asset quality, maximum market and operational risk losses and minimum capital and liquidity requirements. This statement considers the dynamic operating environment, regulatory requirements, strategic focus, ability to withstand losses, and stress scenarios with available capital, funding, liquidity, and the strength of the risk management framework.

Regular reports from the risk management function to the Management, BIRMC, and the Board detail the Bank’s overall risk status using Key Risk Indicators and a Risk Profile Dashboard. This information allows for continuous monitoring of the risk profile, ensuring adherence to the approved risk limits. Swift corrective measures are taken for any deviations to maintain actual risk exposures within the approved risk appetite.

The Bank’s risk profile is shaped by its capital adequacy and liquidity positions, which determine its capacity to take on risks. It is characterised by a portfolio of high-quality assets and stable funding sources diversified across geographies, sectors, products, currencies, sizes, and tenors. The risk profile of the Bank’s Sri Lankan operations as of December 31, 2023, and December 31, 2022 in comparison to the defined risk appetite by regulatory/Board-approved policies, is presented below:

Risk profile

Table – 47

Risk category	Key Risk Indicator	Policy parameter	Actual position
			December 31, 2023	December 31, 2022
Credit risk:
Quality of lending portfolio	Impaired loans Stage 3 ratio (%)	2 – 5	5.85	5.25
	Impairment (Stage 3) to Stage 3 loans ratio (%)	40 – 45	43.22	39.60
	Weighted average rating score of the overall lending portfolios to be better than ‘6’ (%)	35 – 40	80.89	51.14
Concentration	Loans and advances by product – Highest exposure to be maintained as a percentage of the total loan portfolio (%)	30 – 40	35.40	37.78
	Advances by economic sub sector (using HHI-Herfindahl- Hirschman-index)	0.015 – 0.025	0.0136	0.0152
	Exposures exceeding 5% of the eligible capital (using HHI)	0.05 – 0.10	0.0095	0.0096
	Exposures exceeding 15% of the eligible capital (using HHI)	0.10 – 0.20	0.0049	0.0087
	Exposure to any sub sector out of total loan portfolio to be maintained at (%)	4 – 5	3.18	4.05
	Aggregate of exposures exceeding 15% of the eligible capital (%)	20 – 30	15.04	19.61
Cross border exposure	Rating of the highest exposure of the portfolio on S&P Investment Grade – AAA to BBB-	AA	AAA	AAA
Market risk:
Interest rate risk	Interest rate shock: (Impact to NII as a result of 100bps parallel rate shock for LKR and 25bps for FCY)	Maximum of Rs. 2,000 Mn.	Rs. 100.79 Mn.	Rs. 392.20 Mn.
	Maximum repricing gap (RSA/RSL in each maturity bucket – up to one- year period)	<1-1.5 Times	0.99	1.36
Liquidity risk	Liquid Asset Ratio for Domestic Banking Unit (DBU)	22%	46.40%	35.01%
	Liquidity Coverage Ratio (LCR) for All Currencies	100%	516.27%	293.91%
	Net Stable Funding Ratio (NSFR)	100%	193.70%	173.58%
Foreign exchange risk	Exchange rate shocks on Total FCY exposure	Rs. 750 Mn.	Rs. 602.23 Mn.	Rs. 725.73Mn.
Operational risk	Operational loss tolerance limit (as a percentage of last three years average gross income)	3% – 5%	0.23%	0.86%
Strategic risk:	Capital adequacy ratios:
	CET 1	Over 8.5%	11.442%	11.389%
	Total capital	Over 14%	15.151%	14.657%
	ROE	Over 15%	9.78%	12.46%
	Creditworthiness – Fitch Rating	AA(lka)	A(lka)	A(lka)

RSA – Rate Sensitive Assets, RSL – Rate Sensitive Liabilities)

Credit rating

Fitch Ratings Lanka Ltd. downgraded the Bank’s rating from AA-(lka) with a Negative Outlook to A(lka) in January 2023 amidst the sovereign downgrade and recalibration of the Fitch Ratings’ Sri Lanka’s national rating scale. A Stable Outlook with A(lka) rating was affirmed by Fitch in October 2023. Change of rating outlook from Negative to Stable was largely due to ease in downside risks for the banking sector with upgrades to Sri Lanka’s Long-Term-Local-Currency Issuer Default Rating to CCC- from RD (Restricted Default).

Further, the successful conclusion of the local currency sovereign debt restructuring has alleviated some pressure on the Bank’s capital position from weakening loan quality and increased provisioning for Sri Lanka Sovereign Bonds.

Future outlook and plans for 2024 and beyond

The tumultuous economic conditions somewhat eased during 2023 compared to the precedent year. The resulting risk impacts on the Bank and how the Bank navigated through them are elaborated in the preceding sections of this risk management report. The CBSL and research institutions, have expressed a moderate recovery for the Sri Lankan economy for 2024. In the local front, some confidence was evident in hard hit sectors such as tourism in the form of notable increase in foreign tourist arrivals. Renewed confidence, though small comparatively, motivated expatriates to increase foreign remittances. Yet, Sri Lanka continued to struggle amid low tax income and high debt burden. The Government is yet to agree on the way forward for sovereign debt restructuring.

The world economy is showing signs of a very delicate balance with political tensions between nations threatening to disrupt world peace. Furthermore, increase in prices of essential commodities, disruptions to supply chains, global inflation, food insecurity, and increasing incidents due to climate change, increasing incidents of financial crimes, cyber-security breaches, negative impacts of misinformation/ disinformation, continue to threaten the outlook for 2024.

In the aftermath of climate change-induced disasters and the growing awareness of sustainable finance, both governments and businesses consider managing climate risks a paramount concern. The initiatives undertaken by the Bank in the past years are laying the groundwork for a more systematic and sustainable approach to business. It is expected that risks will become more unpredictable, increase in magnitude, and become interconnected. The Bank needs to be mindful of the interrelated nature of risks and the potential for contagion effects, where one risk sets off a ripple effect on many others.

Conversely, regulatory requirements are anticipated to become more stringent due to the emerging complexities of the economy and challenges to the industry. Further, Sri Lanka is preparing for the upcoming Financial Action Task Force (FATF) Mutual Evaluation scheduled for March 2025. It is crucial to attain technical compliance with the FATF’s 40 Recommendations and guarantee positive outcomes in the implementation of an Anti-Money Laundering/Countering the Financing of Terrorism framework. Hence, regulations pertaining to issues such as anti-money laundering and sanctions are likely to take a prominent role. Consequently, enhanced integrated risk management methodologies and systems will be crucial in the upcoming years. The cost of doing business, in terms of managing risks and ensuring compliance, is expected to rise accordingly. The consequences of non-compliance or the realisation of an unforeseen risk would be more challenging.

These circumstances require an enhanced focus on fortifying risk governance, assessment, control and management functions. Proactively anticipating risks and implementing preventive measures to counter potential adverse effects will be crucial in this environment. The swift progress in technology, particularly the utilisation of Artificial Intelligence (AI) and Business Intelligence (BI) for driving business innovations, will continue to hold significance in the times ahead. Consequently, the Bank will explore opportunities arising from these innovations to foster business growth and effectively handle the complex risks associated with these advancements. The role of risk management will be to facilitate business growth by offering proactive and forward-thinking risk management strategies, serving as a genuine catalyst for business development.

The future landscape of risk management will be heavily influenced by growing new regulatory requirements, cyber threats, prominence of cyber threats and customer expectations. The Bank is gearing itself to leverage technology and enhance collaboration to address these influences by heightening its focus on advanced digital predictive capabilities, data analytics and intelligence. In order to accelerate the journey to be future ready in this regard, the Bank entered into an agreement with an external party to obtain consultancy to develop a holistic view and adopt a scalable solution to achieve desired maturity.

Specific initiatives planned for 2024 and beyond in this regard will encompass:

• Development of a Data Analytics Roadmap with use cases for several business units to be implemented along with required training.
• Introducing predictive capabilities into credit risk and operational risk supported by EWS and data analytics. This would facilitate effective prediction of risks and streamline capital requirements for such risks.
• Introducing technology to independently predict future cash flows to further improve accuracy of impairment provisions relating to individually significant customers. This will enable the IRMD to assess the accuracy and acceptability of the assumptions used by the business units for cash flow projections. This initiative is expected to enable the IRMD to assess all the individually significant customers within the prescribed time horizon and improve acceptability from independent assurers’ perspective as well.
• As part of the efforts to digitalise the Treasury operations through an integrated system encompassing trade finance, remittances, digital banking and a client interface, implementation of the new Treasury system will be completed in Q2 2024. This will enable the IRMD to independently monitor Treasury operations in both Sri Lankan and Bangladesh operations.
• Subsequent to the integration of the Risk Control Self-Assessment (RCSA) framework within CBC Myanmar Microfinance Company and Commercial Insurance Brokers Limited during the year 2023, Risk Management framework is planned to be implemented at Commercial Insurance Brokers (Pvt.) Ltd. in the year 2024.
• Enhancing the analytical capabilities of the EWS to capture retail lending (credit cards, personal loans and home loans) products in addition to SME lending and providing business units with EWS analysis for effective business decisions and objective business growth.
• Introduction of risk control mechanisms and processes through knowledge enhancement on critical IT systems adopted in the Bank and through benchmarked tools and effective software support.
• Introducing an intelligent Credit Risk Review (CRR) tool coupled with a workflow capability through a data repository to facilitate pattern recognition and proactive decision-making.
• Introducing behavioural decision-making models to selected retail lending products (credit cards and personal loans) through data analytic capabilities.
• Introducing a climate risk assessment tool in line with emerging global initiatives to continue the pioneering activities of driving the ESG agenda. The Executive Sustainable Banking Committee to develop an ESG framework, and identify, and assess ESG risks and opportunities of the Bank.
• Reviewing the pending regulation on large exposure limits which will impact the Bank as well as large borrowers of the Bank.
• Extending the scope of Bank’s ISO 27001 Certification to encompass additional business functions in accordance with Banking Act Directions No. 16 of 2021.

Risk management framework

The Bank has a comprehensive Integrated Risk Management Framework (IRMF) developed according to CBSL guidelines and the Three Lines of Defence model. This framework considers the distinct roles of different Bank departments and how they collectively contribute to the Bank’s risk management effectiveness. It is a structured approach encompassing all risk exposures, supported by robust organisational structures, systems, processes, procedures, and global best practices. It addresses potential risks, losses, and uncertainties faced by the Bank. Following the international standard of the Three Lines of Defence model, the IRMF equips the Bank with specialised skills and a framework to manage risks efficiently while balancing responsibilities across daily operations.

The IRMF undergoes an annual review or more frequent updates, particularly considering changes in regulatory and operational environments.

Risk governance

Risk governance represents the structured organisational setup aimed at upholding high standard of governance. It encompasses committees, regulations, processes, and mechanisms guiding risk-related decisions aligned with the risk appetite and tolerance levels. Its goal is to embed a robust risk culture while overseeing and managing risks effectively.

Implementing the Three Lines of Defence model fosters a responsible risk culture with clear accountability at every level. The Board of Directors has established a strong governance framework, blending corporate governance best practices with risk management. This structure, inclusive of Board committees, executive functions, and empowered executive committees, ensures accountability for risks across all Bank levels and types.

This disciplined approach to risk management is illustrated in the Bank’s risk governance organisation outlined in Figure 46 on page 238. Decision-making in risk management, due to its specialised and cohesive nature, is somewhat centralised across various risk management committees to ensure an integrated and consistent approach.

Board of Directors

The Board of Directors serves as the highest governing body, tasked with formulating strategy and policies, setting objectives, and overseeing executive functions. It bears the overarching responsibility for supervising the risks undertaken by both the Bank and the Group, ensuring their proper identification and management (Refer Board of Directors and profiles for detailed profiles of the members of the Board of Directors).

Hence, the Board establishes the risk appetite of the Bank by striking a balance between achieving strategic goals and the level of risk assumed in pursuit of those goals. Oversight responsibility has been delegated by the Board to various Board committees, as listed on page 181. These committees, supported by executive-level counterparts, collaborate closely with the executive functions to evaluate the effectiveness of the risk management function. They regularly report their findings to the Board, providing a comprehensive view of the Bank’s risk profile, management actions, and outcomes. This facilitates the Board in recognising risk exposures, identifying potential gaps, and implementing necessary mitigating actions promptly. The Board consistently guides the executive management in aligning business strategies and objectives with the desired risk levels. The ethical and effective leadership of the Board, coupled with the established tone at the top and corporate culture, plays a pivotal role in effectively managing risks at the Bank.

Beyond the Three Lines of Defence model and the tone set by top management, the Bank places considerable emphasis on conducting its business ethically as a crucial aspect of risk management. The Bank’s steadfast dedication and its demands on all employees to conduct business responsibly, transparently, and with discipline are clearly outlined in various documents. These include the Code of Ethics, Gift Policy, Communication Policy, Credit Policy, Anti-Bribery and Anti-Corruption Policy, and Conduct Risk Management Policy Framework. These documents underscore the expectation for the highest standards of honesty, integrity, and accountability from every employee.

Due to the potential for financial losses and reputational risk, and in compliance with regulatory requirements, the Board of Directors diligently oversees the risk profiles of all subsidiaries within the Group, in addition to that of the Bank (Refer Financial review 2023 for the list of subsidiaries.)

Board committees

The Board has established four Board committees to aid in fulfilling its oversight responsibilities for risk management and ensuring the sufficiency and effectiveness of internal control systems. These committees are:

• Board Audit Committee (BAC)
• Board Integrated Risk Management Committee (BIRMC)
• Board Credit Committee (BCC)
• Board Strategy Development Committee (BSDC)

Each sub-committee operates according to its Terms of Reference (ToR) and holds meetings at predetermined intervals and as needed. Through their discussions and evaluations, these committees review and provide recommendations to the Board on matters such as risk appetite, risk profile, strategy, risk management and internal control frameworks, risk policies, limits, and delegated authority.

For comprehensive information regarding the composition, Terms of Reference, authority, meeting details, attendance records, activities conducted during the year, and more, refer to the respective subcommittee reports.

Executive Committees

The executive management holds the responsibility for implementing strategies and plans as per the mandates assigned to each committee by the Board of Directors. This is done while ensuring that the risk profile remains within the approved risk appetite. The Executive Integrated Risk Management Committee (EIRMC) consists of members from units overseeing credit risk, market risk, liquidity risk, operational risk, and IT risk. Led by the EIRMC, several committees have been established to address specific aspects of risk, facilitating comprehensive risk management across both the First and the Second Lines of Defence.

• Asset and Liability Management Committee (ALCO)
• Credit Policy Committee (CPC)
• Executive Committee on Monitoring Non-Performing Credit Facilities (ECMN)
• Information Security Council (ISC)
• Business Continuity Management Steering Committee (BCMSC)
• Executive Sustainability Committee (ESC)

The EIRMC actively communicates with the BIRMC to ensure that risk management activities align with the Integrated Risk Management Framework and that risks are managed within the specified parameters. Furthermore, the Chief Risk Officer directly reports to the BIRMC, emphasising the independence of the risk management function. Specifics regarding the composition of the executive committees can be found in the “Annual Corporate Governance Report”.

Ensuring adequate presence in all major risk and control forums, the Chief Risk Officer, who is leading the Integrated Risk Management Division (IRMD), actively engages in the executive committees mentioned earlier, as well as in BIRMC, BCC and BAC meetings. The IRMD bears the responsibility of autonomously overseeing the compliance of the First Line of Defence with established policies, procedures, guidelines, and limits. Any deviations are to be escalated to the relevant executive committees. The IRMD also offers a comprehensive perspective on all types of risk to facilitate independent risk assessments by these committees. The findings are then shared with Line Managers and Senior Management, fostering effective communication of significant issues and prompting discussions and necessary actions.

Risk management

Risk management entails the functional responsibility of identifying, assessing, controlling, and mitigating risks. This includes formulating risk mitigation strategies, monitoring early warning signals (EWS), estimating potential future losses, and implementing measures to contain losses or transfer risk. The risk management framework (depicted in Figure 47) aids in devising and executing risk management strategies, policies, and procedures. This framework considers the strategic focus outlined in the Bank’s Corporate Plan and its risk appetite.

To bolster the detection and management of risks, the Bank has made substantial investments in developing and maintaining the necessary infrastructure, encompassing human and physical resources. This includes mandates, policies and procedures, limits, software, databases, expertise, communication channels, etc., aligning with international best practices. As risk management is a collective responsibility of every Bank employee, a clear understanding of the risks faced is crucial. The IRMD provides continuous training and awareness programs, particularly for risk owners, disseminating knowledge and enhancing skills on all aspects related to risk to instill the desired risk culture throughout the organisation.

Policies, procedures, and limits

The Bank has established a comprehensive set of risk management policies covering all managed risks. These policies serve to guide business and support units in risk management, ensuring regulatory compliance, including adherence to the Banking Act Direction No. 07 of 2011 – Integrated Risk Management Framework for Licensed Commercial Banks, based on the Basel Framework, and subsequent directives from the Central Bank of Sri Lanka (CBSL). By institutionalising the risk knowledge base, these policies aim to reduce bias and subjectivity in risk decisions.

Key documents, such as risk management policies, contribute to defining the Bank’s risk culture by outlining objectives, priorities, processes, and the roles of the Board of Directors and the Management in risk management. The Risk Assessment Statement (RAS) establishes risk limits and is an integral component of the risk management framework. The BIRMC and the Board of Directors review the RAS at least annually, if not more frequently, aligning with regulatory and business requirements.

Considering the regulatory landscape in the countries where it operates, the Bank ensures its overall risk exposure, including international operations, remains within the CBSL’s regulatory framework. Operational guidelines have been issued to facilitate the implementation of the Risk Management Policy and the limits outlined in the RAS. These guidelines provide staff with clarity on the types of facilities, processes, and terms and conditions governing the Bank’s daily operations.

Risk management tools

The Bank employs a combination of qualitative and quantitative tools to identify, measure, manage, and report risks. The selection of the most appropriate tool(s) for managing a specific risk is determined by factors such as the likelihood of occurrence, potential impact, and data availability. Among the tools utilised are Early Warning Systems (EWS), threat analysis, risk policies, risk registers, risk maps, risk dashboards, Risk and Control Self-Assessment (RCSA), Internal Capital Adequacy Assessment Process (ICAAP), diversification strategies, covenants, Social and Environmental Management System (SEMS), workflow-based operational risk management system, insurance, benchmarking against limits, gap analysis, Net Present Value (NPV) analysis, swaps, caps and floors, hedging, risk rating, risk scoring, risk modeling, duration analysis, scenario analysis, marking to market, stress testing, and Value at Risk (VaR) analysis, among others.

Types of risks

The Bank faces a diverse range of both financial and non-financial risks, broadly classified into categories such as credit, market, liquidity, operational, reputational, IT, strategic, social & environmental, and legal risks. The collective impact of these risks determines the overall risk profile of the Bank, which is regularly monitored against the established risk appetite.

The Bank has implemented a robust risk management framework, allowing for the prudent management of these risks. Despite these measures, banks are not entirely immune to the substantial uncertainty stemming from external developments and internal factors, which will persistently influence their risk profiles. Ongoing vigilance and adaptability are essential in navigating the dynamic risk landscape.

External developments may include;

• The outbreak of pandemics
• Movements in macroeconomic variables
• Fragile supply chains
• Sovereign risk destabilising financial markets
• Political instability
• Demographic changes
• Changes in Government fiscal and monetary policies
• Technological advances
• Regulatory developments
• Mounting stakeholder pressures especially for ethical business practices
• Competitor activities
• Unsubstantiated information being circulated on social media and hence, the increased public scrutiny
• A decline in property market valuations giving rise to higher losses on defaulting loans
• Unfounded public perceptions that banks are exploiting customers
• Distressed businesses and individuals
• Downgrading of ratings of the banks and
• Growing sustainability concerns

In addition to restricting the physical mobility of individuals and global trade, these developments have the potential to influence public perceptions, people’s disposable income, demand for banking products and services, the funding mix, interest margins, and the tax obligations of the Bank.

Internal factors may include;

• High staff turnover
• Knowledge and skill gaps among staff members
• Lapses in internal administration
• Deterioration of internal sub-cultures
• Deliberate acts of fraud, cheating, and misappropriation etc.
• Arbitrary decision making
• Inaccurate/insufficient risk reporting
• Inadequacies/misalignments of digitisation
• Strategic misalignments
• Lapses in implementing the risk management framework
• Improper alignment of remuneration to performance and risk
• Incorrect advice offered to customers
• Inaccurate predictions of macroeconomic variables
• Execution gaps in internal processes
• Lack of industrial harmony
• Critical accounting judgments and estimates turning to be inaccurate
• Lack of robust data infrastructure adversely affecting business and operational decisions and
• Subsidiaries and associates not performing up to the expectations of the Bank.
• Challenges in adopting to evolving regulations and compliance requirements

If not effectively managed, these factors have the potential to impact the risk profile of the Bank and lead to reputational damage, hindering the goal of creating sustainable value for all stakeholders. Moreover, the operating environment has become notably more intricate and uncertain due to emerging threats and uncertainties that could disrupt the status quo. This has challenged long-standing assumptions about markets, competition, and fundamental business principles. To address these concerns, the Bank must gain a deeper understanding of its stakeholders and strive for excellence in internal processes execution. The Bank navigates these developments by implementing strategic responses, viewing them as opportunities to distinguish its value proposition for future growth. A concise summary of key risks is provided in Figure 48 on page 241.

These evolving circumstances are progressively heightening the complexity, dynamism, and competitiveness of the operating environment, posing ongoing challenges for risk management. Effectively addressing these risks and adopting a consistent approach to navigate uncertainties are imperative prerequisites for implementing the Bank’s strategy to create value for all stakeholders. Consequently, discussions on risk management took precedence on the agenda in all Board, Board Committee, and Executive Committee meetings of the Bank.

A detailed account of the various types of risks managed by the Bank’s risk management function and the adopted risk mitigation measures is provided below.

Credit risk

Credit risk pertains to the potential financial loss that may occur when a borrower or counterparty fails to fulfill its obligations as per agreed terms. The Bank faces credit risk through both direct lending activities as well as commitments and contingencies. Various factors influence credit risk, including the quality of the lending portfolio, concentration levels, ratings of counterparties with international exposures, and sovereign ratings concerning government exposures. The unprecedented market and supply disruptions, and subsequent socio-economic and political developments prevailed during the year have led to certain consequences. These include obscured credit risk and an increase in risks across various sectors. In response, the Bank has been compelled to explore novel approaches for effectively managing and mitigating credit risk, all while carrying out existing risk management and mitigation processes in a more granular and stringent manner.

The Bank’s total credit risk is made up of counterparty risk, concentration risk, and settlement risk.

Maximum credit risk exposure

Table – 48

	As of December 31, 2023		As of December 31, 2022
	Rs. Bn.	%	Rs. Bn.	%
Net carrying amount of credit exposure:
Cash and cash equivalents	157.819	5.2	149.394	5.4
Placements with central banks and other banks (excluding reserves)	86.248	2.9	95.900	3.5
Financial assets at amortised cost – Loans and advances to Banks		0.0		0.0
Financial assets at amortised cost – Loans and advances to Other Customers	1,176.360	38.9	1,130.442	40.9
Financial assets at amortised cost – Debt and Other financial instruments	649.740	21.5	725.935	26.2
Financial assets measured at fair value through other comprehensive income	287.023	9.5	117.056	4.2
Total (a)	2,357.190		2,218.727
Off-balance sheet maximum exposure:
Lending commitments	157.205	5.2	132.065	4.8
Contingencies	507.169	16.8	415.235	15.0
Total (b)	664.374		547.300
Total of maximum credit exposure (a + b)	3,021.564	100.0	2,766.027	100.0
Gross carrying amount of loans and advances to Other Customers	1,265.559		1,219.667
Stage 3 (credit impaired) loans and advances to Other Customers	143.564		114.739
Impaired loans as a % of gross loans and advances to Other Customers		11.3		9.4
Allowance for impairment – loans and advances to Other Customers	89.199		89.225
Allowance for impairment as a % of gross loans and advances to Other Customers		7.0		7.3
Impairment charge – loans and advances to Other Customers	5.690		21.962

Amidst the socio-economic changes in the country, the maximum credit exposure of the Bank increased from Rs. 2,766.0 Bn. (as of end December 2022) to Rs. 3,021.5 Bn. (as of end December 2023).

In view of the heightened risks mentioned earlier, the financial services industry continued to observe a rising trend in loans and advances to other customers being categorised as Non-Performing Credit Facilities (NPCF). Consequently, the credit-impaired (Stage 3) loans to customers of the Bank increased to Rs. 143.5 Bn. (compared to Rs. 114.7 Bn. as at end 2022), constituting 11.3% (compared to 9.4% in 2022) of the gross loans and advances to other customers. The Bank has made a cumulative impairment provision of Rs. 89.2 Bn. on the loans and advances portfolio as of December 31, 2023 in accordance with the requirements of SLFRS 9.

Additionally, due to the sovereign rating downgrade and the ongoing debt restructuring program in relation to Sri Lanka sovereign bonds (SLSBs), the Bank found it necessary to classify its exposure to SLSBs as Stage 2. Consequently, the Bank continued to increase impairment provisions for SLSBs during the year under review, bringing the cumulative provision to 52% or Rs. 95.9 Bn. of the exposure as at end 2023 from 35% or Rs. 68.9 Bn. as of the end of December 2022.

Managing credit risk

The lending portfolio represents 45% of the total assets of the Bank, with credit risk accounting for over 90% of the total risk-weighted assets. Consequently, the Bank places critical emphasis on prudently managing credit risk, extending beyond regulatory compliance. This focus is governed by a Board-approved credit risk management framework encompassing a robust risk governance structure and a comprehensive array of risk management processes. These processes involve policies and procedures, risk assessments, collateral management, credit risk segregation, environmental and social risk management, independent risk verifications, ongoing credit risk monitoring, post-disbursement reviews, guidance to business line managers, knowledge dissemination on credit risk, and internal audit information sharing.

Throughout the year, the EIRMC/BIRMC diligently addressed credit risk management due to the escalation of persistent risks. Vigilant oversight mechanisms were implemented to monitor exposures across three categories – Watchlist, High-risk list, and Exit list – in both Sri Lanka and Bangladesh operations. The top 5 Stage 3 customers in each subsector falling within these categories were under close surveillance. Moreover, leveraging insights from the EWS (Early Waning Signals) system, the movements of exposures and the count of customers categorised as EWS Watch List, Cautious Care, and Intensive Care were meticulously tracked. An effective process involving Lending Officers and the IRMD ensured continuous monitoring of stressed lending assets identified through EWS. IRMD independently reviewed impairment of Individually Significant Customers, on a quarterly basis, with plans underway to enhance this process deploying technology to enhance accuracy and efficiency, in 2024.

During the year under review, the Bank continued to give significant attention to its exposures to the Risk Elevated Industries (REIs) and closely tracked the Expected Credit Loss (ECL) for individually and collectively impaired facilities in both Stage 2 and Stage 3 against the underlying exposures. A separate analysis and a monitoring process were maintained for tourism-related and such other exposures. The Bank closely monitored the top 10 borrowers in each REI category within Stage 2 and Stage 3. Simultaneously, the Bank paid close attention to its exposures to the Government, both in terms of commercial lending and against treasury guarantees, while also closely monitoring the concentration of collateral in its advances.

The Bank has established internal limits encompassing various aspects of credit exposure management, including but not limited to:

• Open credit exposure
• Aggregate credit exposures to corporate borrowers owned and controlled by a single common shareholder or stakeholder
• Related party exposure
• Economic group exposure ratio
• Cross border exposures

The Bank conducts post-disbursement credit reviews for Loans & Overdrafts in accordance with the “Credit Risk Review Policy.” The scope of these reviews aligns with the provisions outlined in the Credit Policy, Lending Guidelines, and the Credit Risk Review Policy. Upon completing the review, the findings are communicated to lending officers, and their responses are subsequently assessed. In addition to routine reviews, particular emphasis is placed on lending units/regions displaying elevated stress levels in terms of substandard lending. Detailed analyses of these units are escalated to the Executive Committees for prompt actions.

Credit health checks for branches and other lending units involve assessments based on the credit evaluation process, account behaviour, risk rating, compliance with guidelines, post-sanction compliance, concentration levels in the Loan Book, recovery efforts, follow-up of Non-Performing Credit Facilities (NPCF), regular examination of problematic advances, credit process adherence, and the reporting system.

Review of credit risk

During the first half of the year under review, the Bank continued to face the aftermath of the challenging operating environment that marked the year 2022, economic difficulties, increased living costs and ongoing import restrictions, to name a few. The prevailing conditions led to heightened stress levels among individuals and businesses, SME sector in particular. However, the Government’s proactive measures, including maintaining reasonable political stability, reaching agreements with the IMF on the Extended Fund Facility, conclusion of the Domestic Debt Optimisation and efforts to attract Foreign Direct Investments (FDIs) and revive tourism, played a role in reviving growth in credit to the private sector and sustaining economic activities at a moderate level in the second half of the year.

Consequently, the Bank exhibited resilience, gradually navigating the impacts of the challenges and making progress. Continuous efforts such as closely monitoring advances subjected to moratoria, implementing plans for facilities coming out of the moratoria, implementing recovery initiatives, intensifying scrutiny in loan appraisals, rationalising credit exposures through in-depth analyses, and undertaking post-sanction monitoring and recovery initiatives, coupled with the early identification of stressed borrowers through Early Warning Signals (EWS), contributed to maintain the credit quality at an acceptable level towards the end of 2023 and the mitigation of potential credit risks. The Bank adopted a cautious approach in creating new credit exposures and managing existing ones, particularly considering the increased social stress amid the country’s economic conditions.

In addition to the robust credit risk management framework guiding the Bank in onboarding new exposures and monitoring existing ones, which significantly contributes to maintaining the quality of the loan book, the Bank remains vigilant and exercises caution in selecting customers, products, industries, segments, and geographies it serves. Continuous monitoring of age analysis and the movement of overdue loans through arrears buckets allowed the Bank to promptly take action, to effectively mitigate default risks during the year.

Concentration risk

The Bank proactively mitigated concentration risk by implementing strategic diversification across various dimensions such as industry sectors, products, counterparties, and geographies. The Risk Assessment Statement (RAS) establishes limits for these segments, ensuring compliance, and monitoring of these exposures is conducted by the Board, Board Integrated Risk Management Committee (BIRMC), Executive Integrated Risk Management Committee (EIRMC), and the Credit Policy Committee (CPC). These committees not only oversee these exposures but also provide recommendations and suggestions for adjustments to defined limits based on emerging trends and developments in the business environment.

Graph 48 provides a breakdown of the portfolio of total loans and advances to other customers based on tenure, aligning with the risk appetite defined by the Bank.

The distribution of Stage 3 credit- impaired loans and advances to other customers in terms of identified industry sectors at the year-end is given in Table 49 on page 245.

Distribution of Stage 3 credit impaired loans and advances to other customers as of December 31, 2023

Table – 49

Industry Category	Stage 3 Loans & Advances Rs.'000	Allowance for Individual Impairment Rs.'000	Allowance for Collective Impairment Rs.'000	ECL Allowance Rs.'000	Amount Written-off Rs.'000
Agriculture, forestry & fishing	12,937,804	3,624,268	2,511,898	6,136,166	142,388
Arts, entertainment & recreation	61,521	14,822	9,593	24,415	671
Construction	10,621,992	4,909,532	1,709,921	6,619,453	15,982
Consumption and others	8,783,879	733,388	2,444,648	3,178,036	111,546
Education	518,364	84,992	100,392	185,384	–
Financial services	1,816,622	1,127,189	79,599	1,206,788	8,059
Health care, social services & support services	1,529,487	76,267	473,853	550,120	3,684
Information technology and communication services	1,452,454	277,247	357,397	634,644	1,429
Infrastructure development	3,188,848	848,659	818,224	1,666,883	607
Lending to overseas entities	8,234,139	752,220	576,289	1,328,509	–
Lending to Ministry of Finance	–	–	–	–	–
Manufacturing	24,279,268	8,652,763	3,369,121	12,021,884	70,465
Professional, scientific & technical activities	1,165,320	75,325	277,562	352,887	5,138
Tourism	29,224,392	8,531,990	2,326,493	10,858,483	7,833
Transportation & storage	3,427,283	1,881,486	427,095	2,308,581	1,755
Wholesale & retail trade	36,322,218	10,551,861	5,592,753	16,144,614	106,836
Total	143,563,591	42,142,009	21,074,838	63,216,847	476,393

Due to the concentration of economic activities and the location of corporates’ registered offices primarily in the Western Province, the Loan Book exhibits a high level of concentration in this particular province (refer to Graph 50).

An analysis of the Bank’s lending portfolio by product (refer to Graph 49) illustrates that the effectiveness of the Bank’s credit policies is evident, with risks being well-diversified across a range of credit products.

The Bank has a relatively high exposure of 36% to long-term loans, which is vigilantly monitored and mitigated through adequate collateral.

Counterparty risk

Counterparty risk management at the Bank is done through established policies, procedures, and limit structures, encompassing single borrower limits and group exposure limits for various products. The Bank has set limits that are more stringent than those mandated by regulators, offering greater flexibility in managing concentration levels related to counterparty exposures.

Loans and advances to the Bank from both local and foreign counterparties are significant contributors to counterparty risk. The Bank monitors these exposures against established product limits at regular intervals, employing a specific set of policies, procedures, and a limit structure. The financial and economic performance of counterparties is rigorously scrutinised throughout the year. For counterparty bank exposures, limits are monitored at frequent intervals, and adjustments are made as needed to reflect the latest information.

The analysis incorporates ratings provided by Fitch Ratings for local banks in Sri Lanka and Credit Ratings Agency in Bangladesh (CRAB) for local banks in Bangladesh. Equivalent CRISL/Alpha ratings are utilised in cases where CRAB ratings are unavailable. Exposure to local banks in Sri Lanka rated AAA to A category accounted for 83% (refer to Graph 51), while 100% of exposure to local banks in Bangladesh consisted of AAA to AA rated counterparties (refer to Graph 52) as at December 31, 2023.

Cross-border risk

This pertains to the risk that the Bank may face challenges in receiving payments from its customers or third parties concerning contractual obligations due to specific actions taken by foreign governments, particularly those related to the convertibility and transferability of foreign currency. Assets exposed to cross-border risk include loans and advances, interest-bearing deposits with other banks, trade and other bills, as well as acceptances, mainly associated with short-term money market activities.

To mitigate the risk associated with over-concentration in cross-border exposures, the Bank has established limit structures. It consistently monitors macroeconomic and market developments in countries where counterparties are located, rigorously evaluates these counterparties, and maintains regular communication with them. Timely actions, such as suspending or revising limits to countries experiencing adverse economic or political developments, are taken.

The Bank restricts its total cross-border exposure to 6% of its total assets (refer to Graph 53). Cross-border exposures encompass various countries, including the UK, the Maldives, India, Hong Kong, Singapore, China etc. 80% of cross-border exposures related to Sri Lankan and Bangladesh operations are to countries rated AAA to BBB-, while 20% are to countries rated below BBB- and those that are unrated (refer to Graph 54).

Market risk

Market risk for a bank refers to the potential adverse impact on its financial position due to fluctuations in financial market conditions. These conditions encompass changes in interest rates, exchange rates, commodity prices, and equity/debt prices, along with their correlations, deviating from the expectations the Bank had when making decisions. The Bank's operations are subject to these variables and correlations in different magnitudes. Market risk encompasses interest rate risk, liquidity risk, foreign currency risk, and equity risk.

Market risk categories

Table – 50

Major market risk category	Risk components	Description	Tools to monitor	Severity	Impact	Exposure
Interest rate		Risk of loss arising from movements or volatility in interest rates
	Re-pricing	Differences in amounts of interest-earning assets and interest-bearing liabilities getting re-priced at the same time or due to timing differences in the fixed rate maturities, and appropriately re-pricing of floating rate assets, liabilities, and off-balance sheet instruments	Re-pricing gap limits and interest rate sensitivity limits	High	Medium	Medium
	Yield curve	Unanticipated changes in shape and the gradient of the yield curve	Rate shocks and reports	High	High	High
	Basis	Differences in the relative movements of rate indices which are used for pricing instruments with similar characteristics	Rate shocks and reports	High	Medium	Medium
Foreign exchange		Possible impact on earnings or capital arising from movements in exchange rates arising out of maturity mismatches in foreign currency positions other than those denominated in base currency, Sri Lankan Rupee (LKR)	Risk tolerance limits for individual currency exposures as well as aggregate exposures within regulatory limits for NOP	High	Medium	Medium
Equity		Possible losses arising from changes in prices and volatilities of individual equities	Mark-to-market calculations are carried out daily for Fair Value Through Profit and Loss (FVTPL) and Fair Value Through Other Comprehensive Income (FVOCI) portfolios	Low	Low	Negligible
Commodity		Exposures to changes in prices and volatilities of individual commodities	Mark to market calculations	Low	Low	Negligible

Managing market risk

Market risk at the Bank is effectively managed through a Board-approved market risk management framework. This framework consists of a robust risk governance structure and a comprehensive set of risk management processes, including policies, market risk limits, Management Action Triggers (MATs), risk monitoring, and risk assessment.

To assess the impact on the Bank’s Net Interest Income (NII) under stress conditions, scenarios involving a change of 100 – 400 basis points (bps) on LKR and 25 – 100 bps on foreign currency (FCY) over a 12-month period were considered. The Bank also employs the Economic Value of Equity (EVE), a long-term measure of Interest Rate Risk (IRR), to analyse the Bank's value in present market conditions and its sensitivity to changes in market rates. Additionally, the repricing gap of Rate Sensitive Assets (RSA) and Rate Sensitive Liabilities (RSL) was analysed.

Monitoring of Net Interest Margin (NIM) changes on a monthly basis for both LKR and FCY in Sri Lanka and Bangladesh operations was conducted. The Bank also assessed FX position gains/losses under stress conditions with a 1% up/down exchange rate movement between USD and LKR rates. Furthermore, the impact of Mark To Market (MTM) gains/losses was assessed if interest rates changed by 1% up/down and 2% up/down on the Fair Value Through Profit or Loss (FVTPL) portfolio of LKR Government securities, as well as on the Fair Value Through Other Comprehensive Income (FVTOCI) portfolio.

Opportunity loss of the amortised cost portfolio and the FCY cash flow for the next three months are monitored on an ongoing basis. The Bank also prepares a summary of FCY liquidity gap, which includes funding liquidity against undrawn overdraft limits and the projected loan disbursements for the next three months. Additionally, the Bank assesses funding concentration in terms of tenor and values, top 20 depositors, and based on currency.

Review of market risk

Market risk at the Bank primarily emanates from the Non-Trading Portfolio (Banking Book), constituting 92.22% of the total assets and 93.04% of the total liabilities as of December 31, 2023. The exposure to market risk is mainly attributed to Interest Rate Risk (IRR) and Foreign Exchange (FX) risk, as the Bank has minimal exposure to commodity-related price risk, equity, and debt price risk, accounting for less than 15% of the total risk-weighted exposure for market risk. Further details regarding the Bank's exposure to market risk, analysed by Trading Book and Non-Trading Portfolios (Banking Book), can be found in Note 66.3.1 on page 415.

Market risk portfolio analysis

The gap report is compiled by categorising Rate Sensitive Assets (RSA) and Rate Sensitive Liabilities (RSL) into different time bands based on maturity (for fixed-rated) or time remaining until their next repricing (for floating-rated). The distribution of savings deposit balances aligns with the results of a behavioural analysis conducted by the Bank and follows the guidelines of the Central Bank of Sri Lanka (CBSL) on overdrafts and credit cards. The Bank's exposure to interest rate volatility is reflected in the gap between RSA and RSL (refer to Table 52).

Interest rate risk (IRR)

Extreme fluctuations in interest rates pose a risk to the Bank, impacting the Net Interest Income (NII) and potentially affecting the value of interest-earning assets, interest-bearing liabilities, and off-balance sheet items. The primary types of Interest Rate Risk (IRR) that the Bank is exposed to include re-pricing risk, yield curve risk, and basis risk.

Sensitivity of projected NII

The Bank conducts regular stress tests on Interest Rate Risk in the Banking Book (IRRBB), incorporating variations in positions and new economic variables, along with both systemic and specific stress scenarios. The change in the value of the Fixed Income Securities (FIS) portfolio in Fair Value Through Profit or Loss (FVTPL) and Fair Value Through Other Comprehensive Income (FVOCI) categories, resulting from abnormal market movements, is assessed using both Economic Value of Equity (EVE) and Earnings At Risk (EAR) perspectives. The outcomes of stress tests on IRR are carefully analysed to discern the impact of such scenarios on the Bank's profitability and capital.

The impact on Net Interest Income (NII) due to rate shocks on Sri Lankan Rupee (LKR) and foreign currency (FCY) is continuously monitored to gauge the Bank's susceptibility to abrupt changes in interest rates (refer to Table 51).

Sensitivity of NII to rate shocks

Table – 51

	2023		2022
Net Interest Income (NII)	Parallel increase Rs. ’000	Parallel decrease Rs. ’000	Parallel increase Rs. ’000	Parallel decrease Rs. ’000
As at December 31,	100,792	(101,013)	392,200	(392,737)
Average for the period	(18,795)	16,928	369,472	(369,892)
Maximum for the period	276,499	(276,604)	813,181	(813,616)
Minimum for the period	(576,068)	557,037	19,531	(20,281)

Interest rate sensitivity gap analysis of assets and liabilities of the Banking Book as of December 31, 2023 – Bank

Table – 52

Description	0-90 days Rs. ’000	3 to 12 months Rs. ’000	1 to 3 years Rs. ’000	3 to 5 years Rs. ’000	More than 5 years Rs. ’000	Non-sensitive Rs. ’000	Total Rs. ’000
Total financial assets	764,261,482	421,609,515	402,763,670	383,520,242	254,557,257	209,541,436	2,436,253,602
Total financial liabilities	767,224,705	703,454,962	203,742,713	222,809,488	155,944,508	239,581,610	2,292,757,986
Interest rate sensitivity gap	(2,963,223)	(281,845,447)	199,020,957	160,710,754	98,612,749	(30,040,174)	143,495,616
Cumulative gap	(2,963,223)	(284,808,670)	(85,787,713)	74,923,041	173,535,790	143,495,616
RSA/RSL	0.99	0.60	1.98	1.72	1.63

Foreign exchange risk

To mitigate potential losses arising from fluctuations in foreign exchange (FX) rates, the Bank adheres to stringent risk tolerance limits for individual currency exposures as well as aggregate exposures within regulatory limits, ensuring that such losses are minimised and kept within the Bank's risk appetite.

During the year under review, the USD/LKR exchange rate appreciated by 11.65% (Source: Central Bank of Sri Lanka) Refer to Note 66.3.3 – Exposure to currency risk – non-trading portfolio on page 418 for further details.

Stress testing is conducted on the net open position (NOP) by applying rate shocks ranging from 5% to 25% to estimate the impact on the Bank's profitability and capital adequacy (Refer to Table 56). The impact of a 1% downward change in the exchange rate on the foreign currency position indicated a loss of Rs. 602.23 Mn. as of December 31, 2023 (Refer to Graph 78 for the impact of a 1% upward change in the exchange rate).

Equity price risk

While the Bank's exposure to equity price risk is minimal, daily mark-to-market calculations are performed on Fair Value Through Profit or Loss (FVTPL) and Fair Value Through Other Comprehensive Income (FVOCI) portfolios. Additionally, the Bank calculates Value at Risk (VaR) on the equity portfolio. Refer to Note 66.3.4 for a summary of the impact of a 10% shock on equity prices on profit, other comprehensive income (OCI), and equity.

Commodity price risk

The Bank’s exposure to commodity price risk is confined to the fluctuations in the gold price affecting the pawning portfolio. The Bank has adopted lower LTV ratio and regular marking to market valuation of the portfolio as risk mitigants in this regard.

Liquidity risk

Liquidity risk refers to the Bank's potential inability to fulfill on- or off-balance sheet contractual and contingent financial obligations as they become due, without incurring unacceptable losses. Banks face vulnerability to liquidity and solvency issues stemming from mismatches in the maturities of assets and liabilities. Therefore, the key goal of liquidity risk management is to evaluate and ensure the availability of funds needed to meet obligations at the right times, both in normal and stressed conditions.

Liquid assets ratios as of December 31, 2023 are given below:

Statutory liquidity ratios

Table – 53

	2023 %	2022 %
Statutory Liquid Assets Ratio (SLAR)
Consolidated (Sri Lankan Operation)	46.06	35.88
Liquidity Coverage Ratio (LCR)
Rupee	491.61	405.91
All currencies	516.27	293.91
Net Stable Funding Ratio (NSFR)	193.70	173.58

Managing liquidity risk

The Bank employs a comprehensive approach to managing liquidity risk, incorporating policies, procedures, measurement methods, mitigation strategies, stress testing methodologies, and contingency funding arrangements. During the year, the Bank faced an excess liquidity situation, driven by relatively slow credit growth compared to deposit inflow. As depicted in Table 53, managing this excess liquidity posed a challenge, requiring substantial investments in Government securities, both denominated in Sri Lankan Rupees (LKR) and foreign currency (FCY), at optimal yields to minimise adverse effects on profitability.

The Bank made a concerted effort to leverage available opportunities and mitigate the impact of negative carry on specific treasury investments. However, the Bank anticipates a challenging period until the majority of bonds in the portfolio mature over the next 2 to 3 years. A scenario analysis of the magnitude of the negative carry was conducted during the year.

To avoid the risk of potential haircuts and impairment provisioning, the Bank chose to accept the proceeds of maturing USD-denominated Sri Lanka Development Bonds (SLDBs) in Rupees.

The resulting net open position (NOP) created from forex sales was managed by operating within the permanent negative NOP limit.

Additionally, in 2022, the Bank reclassified its bonds (excluding LKR bonds maturing before October 2022) following the guidelines issued by CA Sri Lanka through a Statement of Alternative Treatment (SoAT) on Reclassification of Debt Portfolio. The necessary disclosures have been provided in the interim financials and this Annual Report.

Liquidity risk review

The Asset and Liability Committee (ALCO) routinely monitors the net loans to deposits ratio to ensure that the Bank's asset and liability portfolios are structured to maintain a robust liquidity position. The Net Stable Funding Ratio (NSFR), indicating the stability of funding sources in comparison to granted loans and advances, was consistently maintained well above the policy threshold of 100%. This level is deemed healthy to support the Bank's business model and growth.

The key ratios utilised for liquidity measurement under the stock approach are outlined below:

Key ratios used for measuring liquidity under the stock approach

Table – 54

Liquidity ratios %	As at December 31, 2023	As at December 31, 2022
Loans to customer deposits	0.61	0.64
Net loans to total assets	0.46	0.47
Liquid assets to short-term liabilities	0.68	0.53
Purchased funds to total assets	0.25	0.26
(Large liabilities – Temporary Investments) to (Earning assets – Temporary Investments)	0.27	0.26
Commitment to total loans	0.21	0.15

Maturity gap analysis

The Maturity Gap Analysis of the Bank's assets and liabilities as of December 31, 2023, is detailed in Note 66.2.2(a) to the Financial Statements, found on pages 410 and 411.

This analysis of the maturity of financial assets and liabilities reveals that the Bank has adequate funding available to withstand adverse situations, as per the prescribed behavioural patterns. The examination of the maturity of financial assets and liabilities does not indicate any unfavourable situations, particularly when considering that cash outflows encompass savings deposits. These deposits can be deemed as a quasi-stable source of funds, aligned with the historical behavioural patterns of depositors, as further explained below.

Behavioural analysis on savings accounts

In the absence of a contractual agreement specifying maturity, savings deposits are categorised as non-maturing demand deposits. This product does not have a precise re-pricing frequency, and the Bank adjusts the offered rate on these deposits considering factors such as the re-pricing gap, liquidity, profitability, etc. Given the absence of an exact re-pricing frequency and its lower sensitivity to market interest rates, the segregation of savings products among predefined maturity buckets in the maturity gap report is determined through regular simulations conducted by the Bank, aligning with behavioural studies.

The Bank assesses its liquidity position in all major currencies, both at individual and aggregate levels, to ensure potential risks remain within specified threshold limits. Moreover, the Bank monitors potential liquidity commitments arising from loan disbursements and undrawn overdrafts to ensure sufficient funding sources are available.

Funding diversification by product

The Bank relies primarily on deposits from customers and other borrowings as its main source of funding. Graph 55 presents a product-wise analysis of the Bank's funding diversification as of the end of 2023 and 2022.

Operational risk

Operational risk refers to the potential for losses arising from inadequate or failed internal processes, human errors, system failures, or external events such as natural disasters, social, or political occurrences. It is an inherent aspect of all banking products and processes, and the Bank aims to manage it efficiently. The seven standard criteria used to assess operational risk are execution, delivery and process management, internal frauds, external frauds, employment practices and workplace safety, clients, products and business practices, and damage to physical assets and business, as well as disruption and system failures. It is important to note that operational risk encompasses legal risk but excludes strategic and reputational risk.

Managing operational risk

The Bank implements operational risk management through the establishment of policies, risk assessments, and risk mitigation strategies, including the utilisation of insurance coverage. The Bank also employs procedures for the outsourcing of business activities, manages technology-related risks, formulates comprehensive Business Continuity and Disaster Recovery Plans, fosters a culture of risk awareness across the organisation, conducts stress testing, and closely monitors and reports operational risks.

The policies and procedures concerning the outsourcing of business activities ensure continuous identification and effective management of significant risks associated with outsourcing arrangements. The Bank reports details of all outsourced functions to the CBSL on an annual basis. Before entering into new agreements or renewing existing ones, respective risk owners conduct due diligence tests on outsourced vendors. Additionally, bi-annual review meetings with key IT service providers are conducted to monitor service performance levels and verify adherence to agreements.

The Executive Integrated Risk Management Committee (EIRMC) and the Board Integrated Risk Management Committee (BIRMC) closely oversee and ensure the timely rectification of business disruptions caused by various factors such as network failures line failures, branch-level system failures, incidents like fire or natural disasters, industrial unrest, branch closures due to events like hartals, police curfews, and pandemics.

The Bank underwent an operational risk review of its Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) documents, including an examination of the Disaster Recovery (DR) site. This comprehensive assessment was conducted by the Integrated Risk Management Department (IRMD) in adherence to Section 3 (6) (v) of the Banking Act Direction No. 11 of 2007 on Corporate Governance for Licensed Commercial Banks (LCBs). As mandated by the Direction, the adequacy of preparedness was assessed through an independent review of the Bank's BCP and DRP by the BIRMC.

The Bank successfully implemented a Group-wide Conduct Risk Management Policy Framework. Additionally, an operational loss event database covering the Bank's operational incidents over the past 13 years has been integrated into the Operational Risk Management System (ORMS). Furthermore, the Risk and Control Self-Assessment (RCSA) Framework, originally implemented within the Bank, was extended to other financial entities within the Group, namely CBC Finance Ltd. (CBCF) ,CBC Myanmar Microfinance Ltd. (CBCMM) and Commercial Insurance Brokers Limited (CIBL). This framework empowers each entity to identify, assess, and manage its unique risks while ensuring alignment with the broader risk management objectives of the Group.

Business continuity management

The Business Continuity Management (BCM) framework at the Bank encompasses a range of activities, including business continuity, disaster recovery, crisis management, incident management, emergency management, and contingency planning. This framework is designed to uphold the Bank's commitment to serving all stakeholders, ensuring minimal interruptions during unforeseen disruptions to business activities caused by man-made, natural, or technical disasters, and facilitating a swift resumption of operations.

The BCM's scope involves program initiation and management, risk evaluation, and business impact analysis, the development of business continuity strategies, emergency preparedness and response, implementation of business continuity plans, awareness building and training, business continuity plan exercises, audit and maintenance, and crisis communications and coordination with external agencies.

In 2018, the Bank revamped its Business Continuity Plan (BCP) in consultation with an external BCP expert, aligning it with industry best practices. The IT Disaster Recovery Plan, a crucial component of the BCP, underwent review and approval by the Board of Directors. To enhance IT system recovery capabilities, a secondary high-availability set-up was introduced for core banking and other critical systems, improving redundancy.

A BCP exercise (working day) was carried out in June 2023, which was conducted over a period of four months, beyond the current CBSL requirement of one working day. This extended duration ensured thorough testing of the Bank's disaster recovery capabilities following the installation of a new DR machine and a production machine upgrade. All application functionalities were rigorously tested before rollback, minimising disruptions throughout the exercise. The success of this extended BCP exercise demonstrates the Bank's growing maturity and commitment to preparedness. This commitment proactively safeguards the Bank's operations and customer access in the event of unforeseen disruptions.

Review of operational risk

The Bank maintains a low appetite for operational risk and has established tolerance levels for significant operational risk losses. These thresholds are determined based on various factors such as historical loss data, budgets and forecasts, the Bank’s performance, and the effectiveness of existing systems and controls. For monitoring purposes, the following thresholds have been set, utilising audited financial statements:

• Alert level: 3% of the average gross income for the past three years
• Maximum level: 5% of the average gross income for the past three years

Operational losses for the financial year 2023 were reported to be below the internal alert level, standing at 0.226% of the average audited gross income for the past three years. The Bank has consistently maintained operational losses below the alert level for the past decade. This track record reflects the commitment set at the "tone at the top," the effectiveness of governance structures, and the robustness of processes and procedures in place to manage operational risk. Graph 56 provides an analysis of operational risk losses incurred by the Bank in 2023 across various business lines/categories.Upon analysing the losses incurred in 2023 categorised under the Basel II defined business lines, it becomes apparent that the majority (76%) of losses with financial impact are attributed to the "Retail Banking” business line. Followed by the losses reported under the "Trading & Sales" (18%) and "Payments & Settlement" (6%) business lines. Losses related to other business lines continued to remain negligible.

Graphs 57 and 58 provide a comparative representation of operational losses reported during 2023 and 2022 for each Basel II loss event type. The graphs depict both the number of occurrences and the corresponding values for a comprehensive analysis.

Losses by number of events

Consistent with typical operational risk patterns, the majority of losses incurred by the Bank in 2023 comprised high-frequency/low financial impact events, primarily falling under the "Execution, Delivery, and Process Management" loss category. These lower-value events were predominantly associated with the Bank's service delivery network, encompassing over 1,000 points across Sri Lanka and Bangladesh, particularly in cash and ATM operations. Events with monetary values below Rs. 100,000 accounted for more than 88.17% of the total loss events for the year. Additionally, when comparing the number of loss events to the volume of transactions performed during the year, the ratio stood at a mere 0.0048%.

The Bank continued to enhance its anti-money laundering (AML) compliance, incorporating new audit reports to monitor transactions and ensure adherence to Know Your Customer (KYC) requirements throughout the year.

The values of losses incurred by the Bank in the year were primarily categorised under Execution, Delivery, and Process Management, Damage to Physical Assets, External Frauds, Business Disruptions & System Failures and Internal Frauds. These losses for the year were primarily driven by a limited number of events in these five categories, most of which the Bank managed to resolve through subsequent recovery/rectification with minimal financial impact. Moreover, the Bank introduced necessary process improvements to prevent recurrence. The capital allocation for operational risk in 2023 under the Alternative Standardised Approach per Basel III is Rs. 79.858 Bn., while the net losses, after discounting subsequent recoveries, amount to only 0.091% of this capital allocation. This trend of remarkably low levels of operational risk losses underscores the effectiveness of the Bank's operational risk management framework and internal control environment.

IT risk

IT risk represents the business risk associated with the utilisation, ownership, operation, involvement, influence, and adoption of information technology within an organisation. This category constitutes a significant component of operational risk, encompassing various IT-related events such as system interruptions/failures, errors, frauds facilitated by system manipulations, cyberattacks, obsolescence in applications, and the risk of falling behind competitors in terms of technology adoption. IT risks cover governance aspects, critical system availability, access control, threat management, change management, physical and environmental security, as well as disaster recovery and business continuity planning.

Given the inherent uncertainty regarding the frequency and magnitude of IT-related risks, managing IT risk poses considerable challenges. Consequently, the Bank has assigned top priority to address IT risk, with a particular emphasis on cyber security strategies. The Bank continuously invests in cyber security improvements, focusing on securely enabling new technology and business initiatives while maintaining a persistent commitment to protecting both the Bank and its customers from cyber threats.

The IT Risk Unit within the IRMD is tasked with implementing the Bank's IT risk management framework. This involves ensuring the presence of an appropriate governance framework, policies, processes, and technical capabilities to effectively manage all significant IT risks. The IT Risk Management Policy, aligned with the Operational Risk Management Policy, complements the Information Security Policy. Together, these policies and related processes aim to enhance risk management and improve information security across the Bank.

The Risk Control Self-Assessment (RCSA) stands as a fundamental tool for identifying and assessing IT risks, with the IT Risk Unit conducting independent IT risk reviews aligned with the operational risk management process's established structure. Outcomes from these independent assessments, along with audit findings, analysis of information security incidents, and internal and external loss data, contribute to the identification and assessment of IT risks.

Mitigating IT risk involves prioritising, evaluating, and implementing risk-reducing controls or treatment techniques recommended through the risk identification and assessment process. The Bank has implemented a multi-layered control approach across various technological layers, including data, applications, devices, and networks. This approach ensures robust end-to-end protection while enhancing capabilities for detecting, preventing, responding to, and recovering from cyber threats. Critical units of the Bank have obtained certifications under globally recognised standards for Information Security Management System (ISMS), specifically ISO/IEC 27001:2013, and Payment Card Industry Data Security Standard (PCI DSS). Both certifications focus on ensuring the confidentiality, integrity, and availability of data and information. The Bank is on track to achieve full certification covering all 350 banking units by 2025. The ISMS undergoes annual independent validation by ISO 27001 ISMS external auditors and Qualified Security Assessors of the PCI Council.

The Bank has maintained its commitment to investing in information security, aligning with CBSL directions, and placing a heightened focus on information and cyber security. The rollout of Baseline Security Standards (BSS) across the branch network and head office signifies efforts to enhance information security governance. Specific initiatives related to this investment can
be found in the "Key risk management initiatives in 2023" section on pages 233 and 234 of this report.

Continuous, independent monitoring of the Bank's IT risk profile is conducted by the IT Risk Unit using various tools and techniques, including Key IT Risk Indicators (KIRIs). The KIRI review process involves monitoring indicators such as information security-related incidents, supported by trend analyses that highlight high-risk or emerging issues, enabling prompt action to address them.

Staff turnover continued to remain a concern in 2023, prompting the Bank to devise strategies to address the issue. The Bank implemented a special grading system for IT staff and adjusted salaries for IT professionals to align with market rates. The Bank has also proactively identified the root causes of major incidents related to IT Operations during the year. Despite the growth in business volumes and operations, the number of major IT-related incidents has remained consistent over the past decade. The mitigatory actions taken for all major operational risk events, including IT-related incidents, were closely reviewed. Monthly monitoring is conducted for various indicators under each of the broader categories of IT risk.

Social and Environmental Risk

Introduction – Leading with Sustainability and Managing S&E Risks

For the Bank, sustainability transcends mere rhetoric; it constitutes the cornerstone of our operations. Guided by our Board-approved Social and Environmental (S&E) Policy, we demonstrate an unwavering commitment to S&E risk management.

S&E risks are the potential negative impacts an entity's activities can have on the people and the environment. These risks can be diverse, ranging from pollution and resource depletion to unfair labour practices and community displacement. Proactively identifying, assessing, and mitigating these risks, can contribute to a more sustainable future for all.

For banks, the social and environmental risks associated with lending activities are generally much greater than those stemming from their own operations. This is due to the diversity of the borrowers, changing regulatory landscape, limited control over the S&E practices of the borrowers and particularly borrowers with international operations, and third-party S&E assessments and monitoring reports, with less reliability and comprehensiveness.

Thus, the Bank has duly prioritised mitigating the potentially larger social and environmental risks associated with its lending activities while managing S&E risks within its own operations. This is done through a proactive, comprehensive approach that integrates sustainability into all aspects of lending decisions, risk management, and stakeholder engagement.

S&E risks that may affect Commercial Bank of Ceylon PLC can be broadly categorised as:

Management of S&E risks

Proactive management of these risks is central to the Bank’s long-term sustainability and success. By integrating responsible practices into its lending activities, the Bank aims to contribute to a healthier environment and stronger communities, fostering a secure foundation for future growth.

This involves;

• Maintaining a robust S&E risk management framework aligned with local regulations and applicable international standards like IFC Performance Standards.
• Integrating S&E considerations into all lending decisions through due diligence and risk assessment.
• Monitoring borrowers’ S&E performance and enforcing agreed-upon mitigation measures.
• Supporting borrowers in improving their S&E practices through capacity building and technical assistance as applicable.

The Bank’s dedicated Social and Environmental Management System (SEMS) serves as a comprehensive line of defense, employing policies, procedures, assessment tools, and expert personnel. This proactive approach helps to identify, evaluate, and manage potential S&E risks, mitigating their impact on the communities and the environment, and safeguarding long-term sustainability not only for stakeholders but also for the Bank itself.

Criteria used to gauge the S&E risks includes;

• Compliance to National S&E Regulations
• Pre-defined List of S&E Banned Activities
• Compliance to fundamental ILO Conventions
• Applicable IFC Performance Standards

The Bank has identified a list of activities that are illegal /banned according to the country’s law or which violate international conventions, treaties or agreements ratified by country of operation such as “Production of or trade in pharmaceuticals, pesticides and herbicides, ozone depleting substances subject to international phase-outs or bans”, “Trans-boundary movements of hazardous waste prohibited under Basel Convention”, “Trade in wildlife or production of or trade in wildlife products regulated under national law and international conventions”, “Unsustainable fishing methods”, “production or activities involving forced labour or child labour”, “Destruction of critical habitats and protected areas”, “Production or activities impacting indigenous people/land” “Trade in Chemical, Biological, Nuclear and Radiological weapons” etc. and the Bank does not finance these activities at all times.

The Bank implements a comprehensive Social and Environmental (S&E) due diligence process for loan proposals. This rigorous approach encompasses document review, site visits, stakeholder engagement, and an assessment of the borrower's S&E risk management framework. Identified concerns and potential improvement opportunities are formally documented within an action plan, which becomes a legally binding component of the loan agreement.

The depth of this due diligence process is tailored to the specific risk profile of each project. This may range from a thorough review of relevant documentation to extensive on-site inspections and detailed stakeholder consultations. Additionally, stringent compliance checks are performed to ensure adherence to the Bank's banned activities list.

All facilities above a pre-determined threshold value are re-evaluated by the Integrated Risk Management Department. Additionally, third party independent experts are consulted when and where necessary, to carry out Social and Environmental Due Diligence of complex projects in order to ensure systematic identification and assessment of environmental and social risks associated with a proposed transaction. This process helps the Bank to identify the “Corrective Actions'' that are necessary to eliminate/ mitigate the significant social and environmental risks. It is considered as part of the credit approval process and appropriately formalised through conditions and covenants, thereby reducing the Bank's exposure to potential S&E risks associated with a borrower’s operations/project.

Robust Social and Environmental Management System (SEMS) of the Bank assigns clear roles and responsibilities for S&E risk management. From governance and oversight to daily practices, everyone plays a part. Lending staff undergoes comprehensive training on SEMS, IFC Performance Standards, and identifying environmental, health, and safety concerns during site visits.

The Bank continuously reviews and updates its S&E risk management system (SEMS) incorporating regulatory changes and developments as well as stakeholder requirements.

Monitoring, Supporting, and Sustainable Practices

The Bank closely monitors portfolios for borrowers' compliance with its S&E requirements. Annual reporting on S&E risk management performance is mandatory.

The Board of Directors and Senior Management are fully committed to overseeing this Social and Environmental Risk Appetite. The Bank ensures that commitment to sustainability is embedded in organisational strategy, decision-making processes, and risk management framework.

During the year 2023, the S&E risk screening outcome is as follows;

Legal risk

Legal risk is acknowledged as an integral component of operational risk, encompassing the exposure to adverse effects arising from inaccurately drafted contracts, their execution, the absence of written agreements, or inadequate agreements. This risk extends to potential consequences such as reprimands, fines, penalties, punitive damages resulting from supervisory actions, and the cost of private settlements.

The Bank proactively manages legal risk by ensuring that all applicable regulations are fully considered in its relations and contracts with individuals and institutions involved in business relationships with the Bank. This risk mitigation strategy is supported by the necessary documentation. To prevent breaches of rules and regulations, the Bank establishes and maintains an effective system for verifying the conformity of operations with relevant regulations. This proactive approach aims to minimise the likelihood and impact of legal risks associated with the Bank's activities.

Compliance and regulatory risk

Compliance and regulatory risk refer to the potential risk faced by the Bank due to non-compliance with applicable laws, rules, regulations, and codes of conduct. This non-compliance could lead to regulatory fines, financial losses, disruptions to business activities, and reputational damage. To systematically assess and manage this risk, the Bank has established a compliance function that reports directly to the Board of Directors. A comprehensive Compliance Policy outlines how the Bank identifies, monitors, and manages compliance risks in a structured manner. The Bank's culture and the Code of Ethics also play a crucial role in mitigating this risk.

The Bank fosters a strong culture of compliance, ensuring that its entire operation aligns with prevailing regulations. A series of measures have been implemented to reinforce regulatory compliance requirements and ensure effective monitoring, testing, reporting, and verification of compliance with risk mitigation activities across the Bank. These measures include:

• Incorporating new regulatory developments into internal policies, procedures, and controls.
• Introducing new scenarios for transaction monitoring.
• Regularly reviewing the Bank's Compliance program.
• Conducting Compliance Audits for over 140 branches/business units.
• Analysing Compliance risk and implementing effective controls to address identified shortcomings.
• Providing necessary training to staff members.
• Conducting periodic independent verifications of compliance function by Inspection Department

These initiatives collectively contribute to the Bank's commitment to regulatory compliance and risk management.

Strategic risk

Strategic risk in banking is associated with strategic decisions and the potential inability of the Bank to adapt to evolving market dynamics, leading to a loss of market share and the failure to achieve strategic goals. The Bank manages strategic risk through its corporate planning and budgeting processes, critically evaluating their alignment with the Bank's vision, mission, and risk appetite.

To measure and monitor strategic risk, the Bank employs a detailed scorecard-based qualitative model aligned with the Internal Capital Adequacy Assessment Process (ICAAP). This approach considers various variables such as the Bank's size, sophistication, nature, and complexity of operations. The model highlights areas that require attention to mitigate potential strategic risks. Assessment of strategic risk involves factors like capital adequacy, earnings volatility, shareholder value, etc. The criteria are assigned suitable weightages, and scores are allocated against these weights.

This systematic approach enables the Bank to proactively identify, assess, and address strategic risks, ensuring that its strategic decisions align with its overall objectives and risk tolerance.

Reputational risk

Reputational risk in banking refers to the potential adverse impact on earnings, assets, liabilities, or brand value resulting from negative stakeholder perceptions of the Bank's business practices, activities, and financial position. The Bank recognises that reputational risk is influenced by a wide range of other business risks related to the conduct of the Bank, and it must be actively managed. The proliferation of social media has further expanded the stakeholder base and increased the sources of reputational risk.

The Bank adopts a comprehensive approach to managing reputational risk, integrating it into the systems and controls established for other risk types such as credit, market, and operational risk. This approach is supported by various policies, including the code of conduct, Anti-Bribery and Anti-Corruption Policy, Conduct Risk Management Policy Framework, Communication Policy, and business ethics that prohibit unethical behaviour. Employees are encouraged to adhere to these policies, promoting ethical conduct in all aspects of their work.

To measure and monitor reputational risk, the Bank employs a detailed scorecard under the Internal Capital Adequacy Assessment Process (ICAAP). This scorecard-based approach provides a structured framework for assessing reputational risk, helping the Bank proactively identify and address potential issues that could impact its reputation. The implementation of the Group Reputational Risk Management Policy framework further formalises these efforts.

Conduct risk

As an organisation that relies on public trust and confidence, the Bank acknowledges the importance of aligning its interests with those of its customers for success and sustainability. Various factors, such as unfair business practices, professional misbehaviour, ethical lapses, inefficient operations, bribery and corruption, compliance failures, and governance weaknesses, can dent customer confidence in the Bank. Fully cognisant of this, the Bank places significant emphasis on proper conduct and fair outcomes for customers.

The Bank adopts a customer-centric approach that encompasses multiple aspects, including:

• Accountability: Holding individuals accountable for their actions and decisions, ensuring that they align with the best interests of customers.
• Remuneration Structures: Designing compensation systems that encourage fair and ethical behaviour, discouraging practices that may lead to conduct risk.
• Compliance with Laws and Regulations: Ensuring compliance not only in letter but also in spirit, with a commitment to upholding the highest standards of legal and regulatory adherence.
• Learning Culture: Fostering a culture of continuous learning, where employees are educated on ethical behaviour, compliance requirements, and best practices.
• Transparency: Promoting transparency in operations and decision-making processes, providing clear information to customers and stakeholders.
• Public Disclosures: Providing relevant and timely disclosures to the public, fostering trust through open communication.
• Service Level Agreements (SLAs): Establishing and adhering to SLAs to ensure the timely and efficient delivery of services to customers.
• Customer Complaint Handling Procedure: Implementing a robust procedure for handling customer complaints promptly and fairly.
• Customer Engagement: Actively engaging with customers to understand their needs, expectations, and concerns, incorporating their feedback into the improvement of products and services.

To strengthen its commitment to ethical conduct and customer-centric practices, the Bank developed and adopted a Board-approved Conduct Risk Management Policy Framework covering the entire Group in 2022. This framework serves as a guide for managing conduct risk and upholding high standards of behaviour and integrity across the organisation.

Contagion risk

Contagion risk, also known as systemic risk, is a critical concern in the banking sector, and it refers to the potential spillover effects of financial stress or shocks in one country, market, industry, or counterparty, impacting others and causing disturbances or defaults. This risk arises due to the highly interconnected nature of global financial systems and cross-market linkages. A shock in one area can lead to a domino effect, affecting multiple countries, markets, industries, or counterparties, amplifying existing stresses and causing significant disruptions.

The impact of a contagion risk event can be severe, leading to financial volatility, damage to financial systems, and broader economic consequences. The COVID-19 pandemic serves as an example of how a health crisis can trigger financial contagion, affecting global markets and economies.

To address contagion risk, the Bank recognises the need to take additional steps to identify and monitor risk-elevated industries and potential distress among customers, and regions. This monitoring is conducted through the Early Warning Signals (EWS) system, utilising internal data sources. The goal is to proactively identify areas of heightened risk and implement measures to limit the potential impact on the Bank's operations.

Given the ongoing uncertainties related to the pandemic and the path to economic recovery, the Bank is committed to staying vigilant and responsive to potential contagion risks. This involves continuous risk assessment, scenario analysis, and strategic planning to navigate through challenging conditions and safeguard the stability of the financial system.

Model Risk

Model risk is a subset of operational risk that specifically refers to the risk associated with the failure or inaccuracy of financial models used by the Bank. Financial models employ statistical, economic, financial, and mathematical theories, techniques, and assumptions to process data and generate quantitative estimates for managing various risks. When these models fail or produce inaccurate results, it can lead to adverse outcomes for the Bank.

Model risk can arise from various factors, including programming errors, incorrect data input, technical issues, and misinterpretation of model outputs. Given the critical role that models play in decision-making processes, especially in risk management, it is essential to actively manage and mitigate model risk.

The Bank employs several measures to manage model risk effectively:

• Extensive Testing: Rigorous testing procedures are implemented to validate the accuracy and reliability of financial models. This includes testing for potential errors, validating assumptions, and ensuring that the model's outputs align with expected results.
• Robust Governance Policies: The Bank establishes and adheres to robust governance policies and frameworks that govern the development, validation, and use of financial models. These policies define the standards and procedures that must be followed to ensure the integrity of the models.
• Independent Reviews: Independent reviews are conducted to provide an unbiased assessment of the models' effectiveness and accuracy. External experts or internal teams with expertise in model validation may perform these reviews to identify potential issues or areas for improvement.

By implementing these risk management practices, the Bank aims to minimise the likelihood of model failures and enhance the overall reliability of its quantitative estimates for risk management purposes. This proactive approach helps ensure that the models used by the Bank contribute to sound decision-making and support the effective management of various risks.

Bribery and corruption-related risks

The Bank emphasises a strong stance against bribery and corruption, considering them illegal and damaging to its reputation. To address these risks, the Bank has implemented the following measures:

• Anti-Bribery and Anti-Corruption Policy: The Bank has a Board-approved Anti-Bribery and Anti-Corruption Policy that outlines principles for countering bribery and corruption. This policy serves as a guide for employees, setting expectations regarding their conduct in relation to bribery, kickbacks, commissions, and corruption. The Anti-Bribery and Anti-Corruption Policy is made accessible in the Bank’s official website at https://www.combank.lk/info/file/91/anti-bribery-and-anti-corruption-policy. It has also been hosted in the intranet of the Bank for the benefit of the employees.
• Whistleblowers Charter: The Bank has a Whistleblowers Charter in place, providing guidelines and protection for employees who report any instances of bribery, corruption, or other unethical behaviour within the organisation. This encourages a culture of accountability and transparency.
• Guidelines on Gifts and Favours: The Bank has guidelines regarding the acceptance and offering of gifts or other illegal gratification, as well as the collection of funds or obtaining undue favours from customers and suppliers, holding a Directorship/being a Partner/Shareholder in private companies enumerated in the Code of Ethics and administrative circulars. These guidelines align with the Code of Ethics and aim to prevent situations that may lead to bribery or corruption.
• Code of Ethics: In implementing the Code of Ethics and affirming its commitment to the 10th Principle of the UN Global Compact, the Bank expects all employees to adhere to the Code that emphasises the importance of fighting corruption, avoiding abuse of power for personal gain (financial or otherwise), refraining from soliciting or accepting gifts, and ensuring that employees and the Bank are not compromised. No employee of the Bank should offer any bribe or other illegal gratification in order to obtain business for the Bank.
• Political Contributions: The Bank does not make any political contributions. The Anti-Bribery and Anti-Corruption Policy explicitly prohibits any form of political contributions.
• Training and Awareness - The Bank conducts continuous training and awareness programs to educate staff on Code of Ethics, Whistleblowers Charter and incident-based discussions.

By implementing these measures and fostering a culture of ethical conduct, transparency, and accountability, the Bank aims to mitigate the risks associated with bribery and corruption and uphold its commitment to ethical business practices.

Sustainability risks

The Bank recognises sustainability risks as potential challenges arising from its failure to identify and manage risks related to various aspects in line with its policies, guidelines, commitments, and ambitions. These risks encompass a broad spectrum which include environmental factors such as climate-related concerns, carbon emissions and energy efficiency, social issues pertaining to human rights, diversity, equity & inclusion and community relations, governance factors such as bribery & corruption, ethical conduct of business and even financial crimes, information and IT security. It is acknowledged that sustainability risks may intersect with and influence other risks described earlier. Conversely, incorporation of environmental, social and governance (ESG) considerations and broader sustainability issues into strategy and day-to-day operations will demonstrate good corporate citizenship and support long term value creation.

Hence, to formalise its approach to sustainability and to ensure that the Bank takes a holistic approach to it, the Bank has adopted a Sustainability Framework. This framework, along with the Social and Environmental Management System (SEMS) and the Social & Environmental Policy, guides the Bank in addressing sustainability risks. The Bank recognises that shortcomings in managing these aspects could lead to adverse consequences, impacting the institution financially, reputationally, and legally.

The Sustainability Framework, SEMS and Social & Environmental Policy are instrumental in shaping the Bank's operations and ensuring that it adheres to sustainable practices. By placing due attention on sustainability, the Bank aims not only to mitigate risks but also to build public confidence and enhance relationships with stakeholders. In managing sustainability-related risks, the Bank relies on established systems and processes, aligning its practices with the broader goals of responsible and sustainable banking.

Capital Adequacy and ICAAP Framework

The Bank adheres to Basel requirements and utilises internal models as stipulated in the Internal Capital Adequacy Assessment Process (ICAAP) framework. ICAAP is a comprehensive framework that enables the Bank to assess its risk profile, stress test risk drivers, and determine internal capital adequacy requirements. Internal limits, often more stringent than regulatory requirements, are implemented to provide early warnings regarding capital adequacy.

ICAAP plays a pivotal role in supporting the supervisory review process, offering valuable insights for evaluating the required capital in alignment with the Bank's future business plans. It facilitates the integration of strategic focus and risk management plans with the capital plan, incorporating inputs from various levels within the organisation, including Senior Management, Management Committees, Board Committees, and the Board itself. The process also considers the potential risks associated with capital inadequacy under stressed conditions, ensuring a holistic and forward-looking approach to capital management.

In addition to its role in assessing capital adequacy, the Internal Capital Adequacy Assessment Process (ICAAP) also serves to support profit optimisation through proactive decision-making on both current and potential exposures. The process involves measuring vulnerabilities through stress testing and scenario-based analysis, enabling the Bank to identify areas that may require attention in managing both qualitative and quantitative aspects of reputational and strategic risks. Notably, these aspects are not covered under Pillar I of Basel III.

The Bank maintains compliance with both regulatory and prudential requirements for capital adequacy. Thanks to a loyal shareholder base and profitable operations, the Bank is well-positioned to meet its capital requirements in the long term. This ensures sufficient coverage for material risks and supports the Bank's expansion initiatives, particularly as a Domestic Systemically Important Bank (D-SIB).

Basel III minimum capital requirements and buffers

The Banking Act Direction No. 01 of 2016 mandated licensed commercial banks to adhere to the capital requirements outlined in Basel III starting from July 1, 2017. The directive established specific timelines for progressively elevating minimum capital ratios, with full implementation slated for January 1, 2019. This framework also included a Higher Loss Absorbency component for Domestic Systemically Important Banks (D-SIBs). However, in response to the exceptional circumstances brought about by the COVID-19 pandemic, the Central Bank of Sri Lanka (CBSL) permitted D-SIBs to utilise their Capital Conservation Buffers, allowing for a drawdown of 100 basis points in 2022.

Target and actual capital

Table – 55

Capital ratios	Regulatory minimum %	Goal (internal requirement) %	2023 %	2022 %
CET 1	8.500	>8.500	11.442	11.389
AT - 1	1.500	>1.500
Tier I	10.000	>10.000	11.442	11.389
Total	14.000	>14.000	15.151	14.657

The comparison of the Bank's capital status as of December 31, 2023, with the minimum capital requirement stipulated by the Central Bank of Sri Lanka (CBSL) effective from January 1, 2019, underscores the robust capital strength of the Bank. This comparison serves as evidence of the Bank's capacity to meet and exceed the stringent regulatory requirements imposed by the CBSL, even in the face of ongoing economic challenges.

The Internal Capital Adequacy Assessment Process (ICAAP) enables the Bank to conduct periodic assessments of its capital requirements for the ensuing five years, develop plans to augment capital based on the evaluation, and submitted same for review by the Central Bank of Sri Lanka (CBSL). Unforeseen developments, such as increased impairment provisioning and a substantial rise in risk-weighted assets due to the depreciation of the Rupee against foreign currencies, led the Bank to draw down the Capital Conservation Buffer in 2022. However, the issuances of Basel III-compliant, Tier II, Listed, Rated, Unsecured, Subordinated, Redeemable debentures, along with profits generated have since enabled the Bank to restore its capital adequacy to a level above the minimum requirements.

The Bank has established a "Basel Workgroup" comprising members from various business and support units. This workgroup is tasked with assessing capital adequacy in alignment with the Bank's strategic direction. While the Internal Capital Adequacy Assessment Process (ICAAP) serves as a foundational element for this assessment, the Basel Workgroup is committed to continuous improvement, considering the evolving landscape in different areas. The group provides recommendations to the Asset Liability Committee (ALCO), offering insights on current and future capital requirements, assessments based on anticipated capital expenditure, and desirable capital levels, among other aspects.

In the capital-intensive banking business, the Bank recognises the significance of capital. The institution benefits from a dedicated shareholder base that holds a long-term perspective on the Bank. Prudent dividend policies and the retention of profits over the years contribute to this loyalty. To achieve an optimised level of capital allocation, the Bank consistently seeks ways to improve the judicious allocation of capital for its day-to-day operations. While recognising the challenges associated with raising capital from external sources, the Bank does not exclude this option as a sustainable means to enhance capital in the long run. The Bank expresses confidence in its current capital buffer, considering it adequate to support growth plans and withstand stressed market conditions. However, the Bank remains vigilant and does not become complacent with the current comfort levels, aiming to uphold stakeholder confidence through maintaining sound capital buffer levels.

Stress testing

Conducting stress tests is an integral part of the Internal Capital Adequacy Assessment Process (ICAAP) under Pillar II. The Bank performs stress tests periodically, subjecting its major risk exposures to severe yet plausible shocks. The purpose is to assess the sensitivity of the current and future risk profile in relation to risk appetite and to understand the impact on the resilience of capital, funding, liquidity, and earnings.

Stress testing not only supports assessment of the resilience of the Bank but also plays a role in strategic planning. Within the framework of ICAAP, stress testing informs various aspects of risk, capital and liquidity management. This includes setting risk appetite triggers and risk tolerance limits, mitigating risks by reviewing and adjusting limits, restricting or reducing exposures, and implementing hedging strategies where appropriate. Additionally, stress testing facilitates the development of risk mitigation or contingency plans across a spectrum of stressed conditions. Moreover, it supports communication with both internal and external stakeholders regarding the Bank's preparedness and resilience under adverse scenarios.

The Bank has established a governance framework for stress testing that outlines the responsibilities and approaches for conducting stress testing activities at various levels, including the Bank, business lines, and different risk types. The stress testing techniques employed encompass scenario analysis, sensitivity analysis, and reverse stress testing, allowing the Bank to assess and understand the potential impact of various stress scenarios.

This framework covers material risks such as credit risk, credit concentration risk, operational risk, liquidity risk, foreign exchange (FX) risk, and interest rate risk in the banking book (IRRBB) using both Economic Value of Equity (EVE) and Earnings at Risk (EAR) perspectives. The Bank evaluates stress levels categorised as Minor, Moderate, and Severe, considering the resulting impact on capital. If stress tests indicate a deterioration in capital that does not breach policy-level requirements, it is classified as Minor risk. A deterioration of up to 1% is considered Moderate risk. If the impact leads to capital falling below the statutory minimum, it is classified as Severe risk, requiring immediate attention of the Board and the management.

Stress testing serves as an effective communication tool, providing a comprehensive view of all risks faced by the Bank in hypothetical stress scenarios. The outcomes of stress testing are reported quarterly to the Executive Integrated Risk Management Committee (EIRMC) and the Board Integrated Risk Management Committee (BIRMC), enabling proactive decision-making. The stress testing results are instrumental in guiding risk tolerance and strategy while fostering a proactive risk management approach.

Extracts from the stress testing results are presented in Table 56 for reference.

Impact on CAR at minor, moderate and severe stress levels

Table – 56

Particulars	Description	2023			2022
		Minor %	Moderate %	Severe %	Minor %	Moderate %	Severe %
Credit risk – asset quality downgrade	Increase in the direct non-performing facilities over the direct performing facilities for the entire portfolio(1)	-0.55	-1.54	-2.33	-0.42	-1.16	-1.76
Operational risk	Impact of; 1. Top five operational losses during last five years 2. Average of yearly operational risk losses during last three years whichever is higher	-0.03	-0.08	-0.17	-0.04	-0.09	-0.19
Foreign exchange risk	Percentage shock in the exchange rates for the Bank and Maldives operations (gross positions in each Book without netting)	-0.13	-0.39	-0.65	-0.21	-0.39	-0.59
Liquidity risk (LKR) –	1. Withdrawal of percentage of the clients, banks and other banking institution deposits from the Bank within a period of three months 2. Rollover of loans to a period greater than three months	-0.14	-0.33	-0.61	-0.03	-0.12	-0.25
Interest rate risk – EAR and EVE (LKR) –Sri Lanka	To assess the long-term impact of changes in interest rates on Bank’s EVE through changes in the economic value of its assets and liabilities and to assess the immediate impact of changes in interest rates on Bank’s earnings through changes in its net interest income	-0.72%	-2.08	-4.63	-1.18	-1.69	-1.95

(1) Stress scenarios are based on SLFRS-9 guidelines and staging of credit facilities pursuant to the Banking Act Direction No. 13 of 2021.

Monitoring and reporting

The risk management function at the Bank plays a crucial role in identifying, measuring, monitoring, and reporting risks. The staff members within this function undergo regular training to enhance their skills, and they are supported by advanced IT systems that facilitate data extraction, analysis, and scenario modeling. This combination of skilled personnel and technological tools ensures that the risk management team is well-equipped to fulfill its responsibilities effectively.

The team generates regular and ad-hoc reports on Key Risk Indicators (KRIs) and risk matrices for both the Bank and its subsidiaries. These reports are then reviewed by Senior Management, Executive and Board Committees, and the Board. The insights provided by these reports are instrumental in evaluating risks and providing strategic direction to the Bank.

The reports offer comprehensive information on aggregate risk measures across various dimensions, including products, portfolios, tenures, and geographies. This information is then compared to agreed-upon policy parameters, offering a clear representation of the risk profile and sensitivities of the risks undertaken by both the Bank and the entire Group. This holistic view aids in strategic decision-making and ensures that the organisation has a thorough understanding of its risk landscape.

Basel III – Market Discipline

Refer Annex 2 for the minimum disclosure requirements under Pillar III as per the Banking Act Direction No. 01 of 2016.

Refer Annex 2 for the D-SIB Assessment Exercise disclosed as required by the Banking Act Direction No. 10 of 2019.