Managing Risk: An Overview

Managing risk

The risks that the Bank is exposed to can broadly be classified into internal risks which are within the control of the Bank and external risks which are beyond the control of the Bank, both of which are managed through a robust risk management framework. In addition, certain recent global mega trends have emerged with potential to disrupt conventional business models. Banks will not be exempt from such disruption. These emerging risks and uncertainties require strategic responses.

Conventional risks

Internal and external risks that the Bank is exposed to include conventional risks such as credit, market, operational, reputational and legal. Changes in the overall risk profile of the Bank may occur due to changes in these internal and external factors. Internal factors may include lapses in implementing the risk management framework, assumptions about macro-economic variables turning out to be different, execution gaps in internal processes etc., while external factors may include adverse movements in the overall economic or market conditions, political instability, changes in fiscal and monetary policies of the Government, regulatory developments and growing stakeholder pressures. Banks are susceptible to these external developments since they could impact customer spending patterns, demand for loans, prepayment frequency, funding mix, macro-economic variables etc., all leading to erratic fluctuations in results of operations, financial position and cash flows.

A detailed discussion of conventional risks is given in the section on Annex 3: Risk Management Report.

Emerging risks and uncertainties

In addition to the conventional risks referred to above, banks (similar to players in many other industries) are now beset with certain emerging risks and uncertainties too, arising from the unprecedented pace of developments in information and communication technology, digitalisation, exponential technologies, demographic changes, unorthodox competition and the like. These have made the operating environment even more volatile and unpredictable for financial services institutions, making some of the long-standing assumptions about markets, competition and even business fundamentals less valid today.

The Bank has identified these emerging risks and uncertainties. Being aware of their potentially disruptive nature, the Bank is following up on them with a high degree of enthusiasm. Accordingly, the Bank is aligning its strategies with these developments by leveraging the existing database through analytics. This allows the Bank to better understand the customer and deliver on their expectations while achieving execution excellence in internal processes and thereby reducing costs of operations. The Bank firmly believes that these strategies will help it to differentiate its offering and convert them into opportunities for future growth.

A summary of emerging risks and uncertainties and risk mitigation strategies of the Bank is given below:

Figure – 30
Emerging risks and uncertainties
Risk/uncertainty Risk mitigation
Changing customer behaviour:
The need for financial services and how such services are availed of are changing rapidly. Customer expectations are high as is the demand for a superior customer experience. The expectations of millennials are now defined by the level of service they receive from innovative tech giants. The Bank is cognisant of these demographic changes and is developing its offering to satisfy the user experience that customers, millennials in particular, are demanding. Understanding the customer better, simplifying the customer onboarding process, providing a contextual banking experience with real time information, and innovative new products are some of these initiatives.
Talent recruitment and retention:
With their values, beliefs, expectations and priorities focused on experiences rather than achievements, millennials no longer find the shine in a career in the financial services industry. Coupled with potential stagnation in hierarchical structures, this makes it difficult for banks to attract and retain new talent for growth and succession. Some of the initiatives in this regard include conducting career guidance programmes and offering internship programmes for advanced level students, appreciating the educational/professional qualifications of employees, and actively promoting staff to enrol and obtain such educational/professional qualifications.
Digitalisation:
Banks continue to invest substantial resources in their efforts to digitalise their operations to provide customers with an enhanced experience and achieve execution excellence. Yet, most banks fail to achieve desired levels of integration due to legacy issues. Expanding the use of technology and mobile platforms is a must to optimise user experience. With integrated thinking permeating across the organisation, the Bank is making a conscious effort to integrate its offering in all respects – be it software systems, information, customer service standards, channel optimisation, marketing communication, single client view or regulatory reporting.
Cyber threat:
As reliance on digital technologies is increasing day by day, cyber attacks on financial institutions are also increasing in frequency and intensity. Common incidents include phishing, ransomware, distributed denial of service, data breaches and payment system hacking. With due focus and attention on information security, the Bank has made significant investments in systems and processes to protect customer databases and ICT infrastructure from cyber attacks. At the same time, the Bank is leveraging the capabilities of its technology partners to enhance information and cyber security. Raising awareness among employees and customers too is an important step in this regard.
Unorthodox competition:
Innovative fintechs and telcos are responding to increasing customer expectations for speedier, cost effective and contextual digital banking services, posing a challenge to the conventional business models of banks. Given the strengths of its capital base, customer relationships, insights from the databases and lower cost of funds, the Bank is in a strong position to overcome any such challenges. At the same time, depending on mutuality of benefits, the Bank may explore avenues to integrate new technology offerings, strategically collaborating or entering into partnerships with such competition.
Financial disintermediation:
Growth in capital markets and electronic exchanges and other developments such as the Internet, crowd funding, fintechs, crypto-currencies, insurance companies, and auto makers are challenging the financial intermediation role of banks in the spheres such as lending and payment services. The Bank will expand the use of technology and mobile platforms to offer low-cost solutions to customers that are simple to access and easy to use.
Anybody can be a stakeholder:
The proliferation of the Internet and social media has shifted the communicating power to individuals and communities, making it easier than ever before for anyone to voice their opinion. As a result, anybody can be a stakeholder today and exercise significant influence over the Bank, with potential to damage reputation. The Bank has a Board-approved Communication Policy that promotes open and honest communication between the Bank and its various stakeholders, both internal and external. It ensures the flow of accurate, timely and relevant information. In addition, the Bank also has a formal Customer Complaints Handling Policy. The Bank is actively present in all mainstream social media.

These developments have made the operating environment very complex and dynamic and risk management very challenging. Nevertheless, the effective management of these risks and uncertainties is a sine qua non to the execution of the Bank’s strategy, creating sustainable value for all its stakeholders and making the Bank future ready. Hence, issues relating to risk management are at an all-time high on the agenda at all Board and Management Committee meetings of the Bank.

Risk management framework

Risk management is no longer a compliance issue. Hence, as an integral part of the strategy design and execution, the Bank has developed an effective Risk Management Framework (RMF) based on the Three Lines of Defence model. RMF takes into account plausible risks and uncertainties the Bank is exposed to and is underpinned by rigorous organisational structures, systems, processes, procedures and practices. The Three Lines of Defence model, which is the international standard, enables unique perspectives and specific skills for managing risk. RMF guides the Bank in its day-to-day operations.

The components of the Bank’s RMF include risk governance, well-defined risk capacity, appetite and tolerance levels, risk control self-assessment, infrastructure, and risk culture.

Figure – 32
Risk management framework
Risk governance An independent, accountable governance structure with adequate segregation of duties for the oversight and management of Group-wide risks
Capacity, appetite and tolerance Capacity is the maximum amount of risk the Bank can assume given the resources at its disposal. Appetite is the types and amounts of risk that the Bank is willing to assume to achieve the strategic goals while tolerance is the types and amounts of risk the Bank is prepared to tolerate.
Risk Control Self-Assessment (RCSA) This is the process of identifying, assessing, measuring and recording potential risks and related controls to monitor, mitigate and manage risks within the Bank’s risk appetite and tolerance.
Infrastructure Encompasses both physical and human resources including tools, databases, policies and procedures, and competencies etc. that aid effective risk management.
Risk culture Starting with the “tone at the top”, this encompasses values, beliefs, knowledge, attitudes and understanding of the employees about risk.

RMF is reviewed at least annually or more frequently if the circumstances make it necessary, taking into account changes in the regulatory and operating environments.

Risk governance

Risk governance is essentially the application of the principles of good governance to the identification, assessment, treatment, monitoring, reviewing and reporting of risks. It comprises the organisational structure, culture, processes and best practice by which authority is exercised and decisions are made and implemented. It facilitates oversight of and accountability for risk at all levels and across all risk types, enabling a disciplined approach to managing risk.

The organisation of the Bank’s risk governance in terms of the Board of Directors, Board committees, executive functions and executive committees is given in Figure 33 below. Given the highly specialised nature, decision-making on risk management is centralised to a greater extent in several risk management committees.

Board of Directors

The overall responsibility of understanding the risks assumed by the Bank as well as the Group and ensuring that they are appropriately managed is vested with the Board of Directors. The Board discharges this responsibility by exercising its oversight on establishing an integrated risk management framework, facilitating the development of policies and procedures relating to risk in line with the Bank’s strategy, determining the overall risk appetite, approving the capital plan, creating risk awareness and monitoring the risk profile against the risk appetite on an ongoing basis. Apart from the Bank, the Board of Directors gives more emphasis to the three financial services subsidiaries of the Group, Serendib Finance Limited, Commercial Bank of Maldives Limited and Commex Sri Lanka S.R.L. Italy. The Board is assisted in its oversight of risk by three Board subcommittees as detailed below.

Board subcommittees

The Board has appointed three Board subcommittees with Board-approved terms of reference for assisting it in discharging its oversight responsibility for risk management. They are:

  • Board Audit Committee
  • Board Integrated Risk Management Committee
  • Board Credit Committee

Details relating to composition, terms of reference, authority, meetings held and attendance etc., of each of these committees are given in the section on How We Govern.

Executive committees

Executive management executes the approved strategies and plans in accordance with the Board’s mandate on risk taking. Aided by a number of committees (listed below) on specific aspects of risk, these efforts are spearheaded by the Executive Integrated Risk Management Committee. EIRMC co-ordinates communication with the BIRMC and ensures that risk is managed within the defined risk appetite. Details relating to composition of each of these committees are given in the section on How We Govern.

  • Asset and Liability Committee
  • Credit Policy Committee
  • Executive Committee on Monitoring Non-Performing Advances
  • Business Continuity Management Steering Committee
  • Information Security Council

The Integrated Risk Management Department provides the risk perspective for these committees to carry out independent risk evaluations and share their findings with the Line Managers and Senior Management to ensure effective communication of material issues and initiate deliberations and necessary action.

Risk appetite

Risk appetite is the types of risk and the aggregate amount of risk that the Bank is prepared to be exposed to at any given point in time. Taking into account the regulatory requirements, capital, funding and liquidity position, strategic objectives and the risk management framework, the Bank has put in place a Risk Appetite Statement which clearly defines the Bank’s risk appetite and the strategic focus.

The risk appetite of the Bank for 2017 and 2016 is given in Table 25.

Table – 25
Risk appetite
Aspect Measure Risk Appetite 2017 Risk Appetite 2016 Performance within risk appetite
Credit risk – Asset quality downgrade Gross NPA ratio 4% – 5% 4% – 5%
Operational risk Operational loss tolerance limit (as a % of last three years average gross income) 3% – 5% 3% – 5%
Foreign exchange risk Exchange rate shock of 100 bps. Maximum of Rs. 200 Mn. Maximum of Rs. 150 Mn.
Liquidity risk Statutory liquid asset ratio to be more than 22% 22%
Interest rate risk Repricing gaps up to one year For one month bucket Beyond one month bucket <2.5 times <1.5 times – 1.5 times √ √

Risk profile

Risk profile is the actual risk exposures of the Bank across all the risk categories. Aided by a rigorous risk management framework and keeping in mind that it can change under stressed economic conditions, the Bank monitors the risk profile on an ongoing basis to ensure that it is kept within the risk appetite of the Bank. The Bank’s risk profile is characterised by a portfolio of assets and liabilities diversified in terms of geographies, sectors, products and tenors. Its strong capital adequacy and liquidity position define the capacity to assume risk.

Stress testing

As an integral part of the capital, funding and liquidity planning process, the Bank conducts stress tests of its lending portfolio, deposit base and market risk exposures for severe but plausible conditions. Stress scenarios themselves are periodically reviewed and modified to take into account the volatilities in the economic and financial market conditions. Stress testing enables the Bank to assess the potential impact on its income, capital and liquidity.

The Bank’s stress testing framework encompasses a multitude of risks to ascertain resilience levels proactively, enabling the Bank to formulate strategies to overcome plausible threats. Credit risk being the more prominent risk exposure of a bank, the risk associated with high concentration levels to a business segment or a few counterparts could stress income sources due to adverse market movements. In addition, the risk of a fall in the value of collaterals could take away the buffer for absorbing losses arising out of defaults. The above risks and the downgrading of asset quality in general are considered major stressors that a bank needs to withstand. Such parameters, though not limited to these, are being tested with varying degrees of risk to ascertain the ability of the Bank to meet the negative impacts associated with such events. During the year under review, none of the identified credit risk-related stress factors reached a high level of risk (an impact that could result in capital adequacy ratio falling below the threshold level of 11.75% in 2017).

Bank-specific market risk stressors mainly revolve around foreign exchange (FX) rate movements and interest rate movements inherent in the balance sheet structure with the changing dynamics of the market rates. Liquidity stressors are given more prominence under different scenarios stressing substantially on the cash inflows and outflows through severe demand for liquidity. During 2017, none of these stress scenarios resulted in a high level of risk either.

Operational risk scenarios are more or less idiosyncratic in nature. Developed by the Bank, such scenarios run across different risk dimensions such as credit, market and operational pillars. The aggregated results of such stresses indicated manageable levels of risk where the high risk levels were never breached. Thus the Bank demonstrated overall high resilience under various stress levels during the year under review.

For more details on capital planning, please refer to the section on Capital Management.

Further details on the risk management infrastructure, types of risk, risk management framework and risk mitigation measures are given in the Risk Management Report.
