RISKS AND OPPORTUNITIES
VISION
To be a complement in achieving Bank’s vision through proactive management of risks.
MISSION
Facilitating sustainable growth of the Bank ensuring comprehensive management of risks in line with regulatory requirements and industry best practices, in a dynamic work environment encouraging team work and professional growth.
RISK LANDSCAPE
The Bank supported by its effective risk
management framework successfully
achieved its highest ever profit in 2023
amidst significant challenges posed by
the subdued global economic outlook,
geopolitical fragmentation and spillover
effects of adverse economic conditions.
Debt restructuring, results of the Bank
diagnostic exercise and forward looking
loan loss provisions have been identified
as the areas with potential ramifications.
Dwindling disposable income resulting from the high rate of inflation and fiscal consolidation measures continued to impact the debt servicing capacity of the borrowers. With monetary policy easing measures adopted and inflation reaching a single digit since mid 2023, pressure on the balance sheet is expected to ease.
Throughout the year, the Bank continued its efforts to refrain from transferring the increasing interest rate impact, especially to the existing borrowers in the retail segment. Due to the unprecedented monetary tightening that prevailed during the first half, a year-on-year contraction in the loan book was observed. However, with the monetary easing since mid 2023, the year closed on a growth trajectory.
Gradual normalisation of interest rates
of Government securities was observed
in the aftermath of the domestic debt
optimisation, paving the way to effective
transmission of monetary policy. During
the second half of 2023 a reduction in
the market interest rates was observed
in line with the downward adjustment of
policy interest rates.
Significant improvement in Bank’s
liquidity position was observed in line
with market liquidity as a result of
reduction of Statutory Reserve Ratio
(SRR), CBSL forex absorptions from the
market and targeted measures to curtail
overreliance on standing facilities.
Despite numerous challenges such as
Domestic Debt Optimisation (DDO) and
restructuring of State-Owned Enterprises
(SOEs), the Bank as the largest
contributor to the country’s financial
sector, successfully maintained Capital
Adequacy and other regulatory ratios
well above the limit.
Subsequent segments will explore the
importance of the Bank of Ceylon's Risk
Management function in navigating
through a demanding regulatory,
operational landscape while maintaining
the Bank's commitment in facilitating
inclusive and sustainable growth.
Enterprise Risk Management (ERM) Framework
The Board approved risk management
framework consists of clearly-defined
governance structures, policy frameworks
and a culture of risk awareness which
ensures management of risks across
the Bank. Risk management framework
provides comprehensive guidelines
to identify, measure, mitigate, and
report risks in a consistent manner. Risk
management framework is regularly
reviewed and revised to ensure that it
remains relevant, given the increasingly
dynamic operating environment.
In response to significant changes to the operating environment and newly-introduced internal processes, the Bank
reviewed and updated all policies in
2023. Considering the complexity of the
stressed operating environment, the Bank
has widened the scope of monitored risks
to increase focus on liquidity, interest rate
and environmental and social risks.
INDEPENDENT INTEGRATED RISK MANAGEMENT DIVISION (IIRMD)
Objectives
• Enhance the Bank’s ability to anticipate and mitigate risks effectively while maximising opportunities for growth.
• Establish common policies and standards for the management and control of all risks.
• Provide a common language, system and framework to foster a consistent approach to manage risks.
ENTERPRISE RISK MANAGEMENT FRAMEWORK
Risk universe
• Primary risks: Credit Risk; Market Risk; Operational Risk; Liquidity Risk
• Other risks: Strategic Risk; Information Security and IT Risk; HR Risk; Regulatory and Compliance Risk; ESG and Climate Risk; Legal Risk; Reputational Risk
Risk policies
• Credit Risk Management Policies
• Integrated Risk Management Policy
• Market Risk Management Policies
• Group Risk Management Policy
• Liquidity Risk Management Policies
• Stress Testing Policy
• Operational Risk Management Policies
• Integrated Environmental and Social Management System Policy
• Information Security and IT Risk Management Policies
• ICAAP Policy
• Overseas Branches Risk Management Framework
Risk governance and oversight
Board of Directors
Risk related Board Committees
• Integrated Risk Management Committee (IRMC)
• Audit Committee
• Information and Communication Technology Committee
General Manager
Risk-related Executive Committees
• Credit risk: Credit Committee; NPA Review Committee; Idle Asset Committee
• Market risk: Asset and Liability Management Committee; Investment Committee
• Operational risk: Operational Risk Management Executive Committee; Fraud Risk Management Committee; Committee Dealing with Operational Losses; Business Continuity Management Committee
• Information Security: Corporate Information Security Committee
Lines of defence
1 First line of defence: Business Units
2 Second line of defence: Independent Integrated Risk Management Division (IIRMD)
3 Third line of defence: Internal Audit
Risk Appetite, Culture and Management
RISK GOVERNANCE AND OVERSIGHT
The Board of Directors holds ultimate responsibility for managing the Bank’s risks within the defined parameters set out in the risk
appetite. The Integrated Risk Management Committee (IRMC) supports the Board in its oversight of risk management and related
duties and the Independent Integrated Risk Management Division (IIRMD) ensures that the risk management process is carried out
effectively.
Risk governance structure (organisation chart): Board of Directors; Integrated Risk Management Committee; General Manager; Chief Risk Officer; AGM (Credit Risk Management); AGM (Market Risk and Operational Risk Management)/Data Protection Officer; Chief Manager (Credit Risk Management); Chief Manager (Market Risk Management); Chief Manager (Operational Risk Management); CISO
Functions: Credit Quality Assurance; Credit Risk; ESMS; Market Risk; Operational Risk; IS/IT Risk
The three lines of defence mechanism serves as the basis of enterprise-wide risk governance and oversight supported by clear division of responsibilities.
1 First line of defence: Risk taking and ownership by business units
• Proactive identification, assessment and measuring of risks. The First Line also manages day-to-day transactions and portfolio level risks within the limits specified by the risk appetite framework, related policies and guidelines.
2 Second line of defence: Risk management, control and oversight by the IIRMD
• Development and execution of the risk management framework while setting the risk appetite and establishing the risk culture throughout the organisation. Providing guidance and support to the first line of defence and the management on risk-related activities.
3 Third line of defence: Assurance by internal audit
• Provides independent and objective assurance to the Board on the effectiveness and adequacy of risk management and internal controls.
RISK MANAGEMENT PROCESS
With clearly delineated roles and
responsibilities, well-defined policies,
procedures, and processes; the Bank’s
ERM framework supports consistent
identification and management of risks
across business units, functions, and
operations.
The Bank employs a systematic process for identifying, measuring, monitoring, controlling, mitigating, and reporting risks that can impact the Bank in various dimensions.
[Process cycle: Risk Identification; Measurement; Monitoring and Control; Risk Mitigation/Reporting]
Integrated Risk Management Committee (IRMC)
Comprises four members, of which three are independent Non-Executive Directors.
Responsibilities
• Assist the Board in discharging its oversight responsibilities for risk management.
• Ensure that appropriate policies and procedures are in place for detection, oversight and analysis of existing and future risks.
• Ensure the Bank’s risk management activities are aligned with the Bank’s risk appetite.
• Assess all risks to the Bank on a periodic basis through appropriate risk indicators and management information.
• Provide strategic guidance on various initiatives undertaken by the Bank towards management and mitigation of credit, market, operational and information security risks of the Bank.
• Review the Bank’s capital position and future requirements in line with the Internal Capital Adequacy Assessment Process (ICAAP) while identifying and mitigating potential pain points highlighted in stress testing.
• Review the Bank’s Business Continuity Plan.
• Re-enforce the culture and awareness of risk management throughout the organisation.
Independent Integrated Risk Management Division (IIRMD)
The Division operates independently and is headed by the Chief Risk Officer (CRO).
Responsibilities
• Coordinate the organisation’s Enterprise Risk Management system.
• Responsible for understanding the risks assumed by the Bank and ensuring that the risks are appropriately managed.
• Review the risk profile, envisage future challenges and threats and prioritise action steps to mitigate the potential risks.
• Determining the Bank’s Risk Appetite, including defining specific key risk indicators and ensuring an appropriate monitoring and reporting mechanism is in place.
• Support the business units and inculcate risk culture through continuous training and awareness.
• Ensuring regulatory compliance to ICAAP, BCP and RCP requirements.
Risk category | Key risk indicator | Regulatory requirement/policy parameter | Actual position 31.12.2023 | Actual position 31.12.2022
R1 Credit risk | Asset quality: Net Stage 3 loans ratio (%) | - | 5.07 | 5.27
R1 Credit risk | Asset quality: Impairment Coverage (Stage 3) Loans ratio (%) | - | 60.44 | 59.73
R1 Credit risk | Concentration and exposure: Sector-wise concentration (HHI) | - | 991 | 999
R1 Credit risk | Concentration and exposure: Geographical concentration | - | 2,031 | 2,062
R2 Market risk | Net Interest Income (NII) (LKR million) | - | 91,188 | 126,346
R2 Market risk | Net Interest Margin (NIM) (%) | - | 2.08 | 3.10
R2 Market risk | Price Value Per Basis Point (PVBP) of Treasury Bonds | - | 577,985 | 75,767
R3 Liquidity risk | Liquid asset ratio (LCY) (%) | 20.00 | 42.80 | 21.22
R3 Liquidity risk | Liquid asset ratio (FCY) (%) | 20.00 | 53.63 | 32.79
R3 Liquidity risk | Liquidity Coverage Ratio (LCR) (%) | 100.00 | 227.71 | 122.77
R3 Liquidity risk | Net Stable Funding Ratio (NSFR) (%) | 100.00 | 145.00 | 139.00
R3 Liquidity risk | Credit-Deposit (CD) ratio (%) | - | 63.38 | 77.58
R4 Strategic risk | Tier 1 Capital Ratio (%) | 10.00 | 12.76 | 12.41
R4 Strategic risk | Total Capital Ratio (%) | 14.00 | 15.84 | 15.38
R4 Strategic risk | Common Equity Tier 1 Ratio (%) | 8.50 | 11.71 | 11.34
R4 Strategic risk | RoE (%) | - | 10.55 | 14.06
R5 Operational Risk | Operational loss as a percentage of risk appetite (%) | - | 7.00 | 82.00
THE BANK’S APPROACH TO RISK MANAGEMENT
Bank of Ceylon’s risk management
function centres around an Enterprise
Risk Management (ERM) framework
that ensures risks are managed within a
framework aligned to the Bank’s strategic
priorities, organisational culture and
corporate governance practices.
The Board approved risk management
framework consists of clearly defined
governance structures, policy frameworks
and a culture of risk awareness which
ensures judicious empowerment and the
consistent management of risks across
the Bank.
The framework provides comprehensive
guidelines to identify, measure, mitigate,
and report risks in a consistent manner
and is regularly reviewed and revised
to ensure that it remains relevant given
the increasingly dynamic operating
environment.
In 2023, the Bank brought forward
new systems, processes and protocols
in response to the changing and
challenging operating environment.
Focus was placed on Information Security
Risk Management in light of continued
digitalisation and adoption of new
systems instituted.
The Bank continuously works to
improve its Environmental and Social
Management System, ensuring it is in line
with international best practices, related
legal provisions of the country and the
Sustainable Finance Initiative of the
Central Bank of Sri Lanka (CBSL).
Looking to the future, Bank of Ceylon
expects to strengthen baseline security
alongside stringent Information Security
Risk Management to ensure alignment
with the direction of Sri Lanka’s economy
and the financial sector.
Risk Appetite and Tolerance Limits
Risk appetite and tolerance limits are
used to align business planning and
decision making processes in order to
ensure pursuit of strategic objectives is
within the maximum amount of risk the
Bank is willing to accept.
Risk appetite
• Refers to the extent and type of risk the Bank is willing to take to meet strategic objectives
Risk tolerance
• Describes the level of uncertainty the Bank will accept and identifies the maximum risk boundary, beyond which the Bank is unwilling to operate
The risk appetite statement of the Bank is continuously monitored and reviewed at least annually, considering the volatilities in capital base, macroeconomic changes, country and counterparty risk, expected business growth and the corporate plan.
Stress testing
The stress testing framework of the
Bank has been prepared in line with
regulatory guidelines and international
best practices, utilising a combination
of techniques including macroeconomic
and business model stress testing along
with sensitivity and scenario analysis. It
covers all the material risks such as credit,
market, operational, concentration,
liquidity, foreign exchange and interest
rate under three different stress levels:
mild, moderate and severe.
Regular stress testing evaluates potential
effects on the Bank’s business and
assesses sensitivity of the current and
potential risk profile relative to risk
appetite. The impact on the profitability,
liquidity and capital is assessed,
evaluated and reported to the top
management and IRMC on a monthly
basis and case-by-case basis for effective
decision making. Stress testing also
contributes to increase risk awareness
across the Bank’s functions and works to
safeguard business continuity by means
of proactive management. Furthermore,
it supports setting up of the risk appetite
and tolerance limits, risk identification
and control, complementing other risk
management tools, development of
contingency plans, improving capital
and liquidity augmentation in achieving
the strategic business objectives. A
comprehensive stress testing provides a
broader view to the regulator, external
rating agencies and Multilateral
Development Banks (MDBs) on resilience
of the Bank in internal and external stress
situations as a Domestic Systemically
Important Bank (D-SIB).
In light of the changes in the operating
environment, adequacy and frequency of
stress tests, shock levels and assumptions
were critically reviewed and changes
were incorporated as required.
The Bank proactively and comprehensively evaluated the impact of debt restructuring (haircut on investment securities, both domestic and foreign) under different scenarios and different stress levels given the non-availability of specific conditions. Further, the impact of possible restructuring of State-Owned Enterprises (SOEs) and the impact emanating from the Bank diagnostic exercise are among the stresses in the full range of stress testing scenarios. The results of such analysis give comfort to the Bank's decision-making process and enabled the revisiting and revising of the pricing mechanism, adequate impairment provisioning for potential risks and the search for alternative funding avenues.
The Bank’s stress testing reports have
been presented to the regulators and
external funding agencies who have
provided a satisfactory response on the
outcome of our stress tests.
RISK CULTURE
The Bank’s risk culture starts with
leadership, with senior management
setting the tone from the top by
demonstrating a commitment to risk
management, compliance, and ethical
conduct. The robust risk culture promotes
risk awareness and education at all levels
of the Bank, ensuring that employees
understand their roles and responsibilities
in managing risk effectively.
Training programmes, workshops,
and communication initiatives in the
areas of strong credit culture, E&S risk
management, information security,
market and operational risk management
helped to raise awareness on risk
management practices, regulatory
requirements and emerging risks within
the industry complementing the first line
of defense.
The risk culture extends beyond the
boundaries of the Bank to encompass
interactions with all stakeholders,
including regulators, investors, customers
and counterparties. Building trust,
transparency and credibility with external
stakeholders through ethical conduct,
regulatory compliance and responsible
risk management practices enhance the
Bank’s reputation and resilience while
sustaining long-term value creation.
Capital management and Internal Capital Adequacy Assessment Process (ICAAP)
Proactive management of the capital position, capital mix and capital allocation is a crucial aspect of risk management in order to safeguard the Bank’s financial position and reputation, notwithstanding the capital requirements set as per the regulations. The Bank’s approach to capital management is driven by its strategic objectives and is aligned with the Pillar II requirements.
The Internal Capital Adequacy
Assessment Process and Recovery Plan
(ICAAP and RCP) Steering Committee is
responsible for assessing and managing
the risks associated with the Bank’s
capital management and developing the
capital augmentation plan.
The Bank focused on strengthening
capital buffers through internal capital
generation and through the issuance
of listed BASEL III compliant Tier 2
debentures (LKR 10 billion), considering
the recapitalisation needs arising with the
domestic debt optimisation, restructuring
of foreign currency exposures of SOEs
and forward-looking impact assessments
despite the current comfortable level of
capital position and buffers.
Recovery Plan (RCP)
The Recovery Plan provides the framework for the Bank’s governance and the identification of credible options to survive a range of severe but plausible stress scenarios arising from institution-specific stresses, market-wide stresses, or a combination of both, and sets out the plan for profitability, liquidity and capital management arrangements while improving the risk profile and ensuring business continuity. The RCP causes a predetermined escalation and information process up to top management within the Bank and its supervisory authority in a trigger situation. The ICAAP and RCP committee is the executive committee responsible for implementation and execution of the recovery plan in the Bank.
The RCP is integrated with the Bank’s
• Strategic, risk management and business decision making processes
• Capital and funding planning, stress testing approaches and business continuity planning
• Capital and liquidity assessments
• Risk data aggregation and risk reporting
Under RCP, triggers and early warning
indicators are set based on the capital,
liquidity, profitability, asset quality and
market & macroeconomic indicators.
The Risk indicators set as alerts and
triggers are monitored regularly and the
precautionary actions are taken before a
trigger occurs. However, the breaching
of a trigger at any time will activate the
Recovery Plan of the Bank.
Given the stress on Net Interest Margin (NIM) of the Bank during the year 2023, the ICAAP and RCP Steering Committee activated a range of recovery options resulting in gradual improvement in the ratio under the scrutiny of the regulator. Therefore, a comprehensive RCP plays a pivotal role in restoring the financial position and market confidence in the Bank's resilience following an adverse shock, which will ensure the interests of all the stakeholders are safeguarded.
Risk reporting
Under the challenging operating environment which prevailed during the year, risk reporting to the Board via the Integrated Risk Management Committee was further strengthened with measures taken to improve the processes of providing timely, accurate and comprehensive risk information. Special emphasis was placed on credit, liquidity, operational, interest rate risk and information security related risks, risk interdependencies, and potential risk mitigation strategies.
Broad analysis and reporting of emerging risks on a regular basis and submission of a comprehensive monthly risk report, comprising risk dashboards, to the IRMC strengthened the risk management oversight.
The Bank provides quantitative and
qualitative disclosures in line with the
BASEL III requirements as specified by
the regulator through the Annual Report,
website and printed media in order to
provide a meaningful assessment of risks
confronted by the Bank.
CREDIT RISK
The Bank utilised its risk management framework in line with the three lines of defense model to manage and mitigate credit risk successfully during the year. Emphasis was on strengthening the first line of defense, maintaining asset quality and supporting business growth in line with the Bank’s risk appetite.
GOVERNANCE
The Board holds apex responsibility in ensuring the Bank's credit risk exposures are managed within the defined risk appetite. The IRMC is responsible for implementing the Bank's credit risk management framework while supporting the Board in its oversight of credit risk management related duties.
Credit Committee
• Formulating, reviewing, and implementing credit risk appetite limits
• Approving/recommending credit proposals within authorised limits
• Ensuring regulatory compliance in the Bank's risk policies and guidelines
• Recommending credit related policies
• Monitoring risk concentrations
Credit Risk Management Unit
• Provides independent review of the first line of defence. Manages and oversees Bank-wide credit risk management
Credit Quality Assurance Unit
• Carries out periodic post-sanctioning review of large credit exposures
ESMS Unit
• Identifies and manages the Bank’s exposure to the environmental and social risks of its lending portfolio
POLICY FRAMEWORK AND METHODOLOGIES
Credit risk management framework
The Bank's comprehensive Credit Risk Management Policy mandates the following pre-credit sanctioning and post-credit monitoring mechanisms:
Pre-credit sanctioning
• Structured credit appraisal mechanisms and defined credit criteria
• Multiple levels of approval authority and independent review by CRO
• Limits for credit risk categories such as default, concentration and counterparty
• Retail scorecards and borrower rating models
• Risk based pricing
• Regulatory limits
Post-credit monitoring
• Ongoing and robust credit review
• Portfolio evaluation
• Proactive engagement with customers in identifying requirements and stresses
• Stress testing and scenario analyses
• Monitoring watch list exposures
• Ensuring loan review mechanism by Credit Quality Assurance Unit
• Early warning signals
KEY DEVELOPMENTS IN 2023
• Supported the revival and resumption of economic activities.
• Successful Bank-wide rollout of the Environment and Social risk assessment in lending activities.
• Strengthened the process of post sanctioning review through credit quality assurance units.
• Comprehensive review of credit risk management policies.
ESMS
The Bank successfully rolled out
its Environment and Social risk
assessment guidelines in line with
its Integrated Environmental and
Social Management System Policy,
which outlines the procedures for
identifying, assessing and managing
environmental and social risks
of financial transactions. While
supporting the growth of products
to promote sustainable green
financing and financial inclusion,
the Bank’s ESMS entwined with
ESG considerations, ensures that
its lending activities and operations
are environmentally and socially
responsible and compatible with the
applicable regulatory environmental
and social standards, country
regulations as well as globally
recognised best practices.
In support of Sri Lanka’s Sustainable
Finance Roadmap, BoC identifies
and evaluates associated climate
related risks and green financing
activities in its lending portfolio. With
the focus of promoting sustainable
and environmentally friendly
infrastructure to customers, the Bank
through Environmental and Social
Due Diligence (ESDD) procedures,
identifies opportunities that could
contribute to greener and more
sustainable economy in Sri Lanka.
Opportunities
• Enhance financial intermediation: Create a robust ecosystem that efficiently channels funds, manages risks, and supports economic growth.
• Improve green financing: Develop green finance products and lending portfolio which supports sustainable development while addressing climate challenges.
• Increasing exposure to the private sector: Further diversify Bank's portfolio while supporting the economic growth of the country.
[Chart: Geographical concentration (%). Categories: Western Province; Overseas Branches; Offshore Banking; Uva Province; Sabaragamuwa Province; North Western Province; North Central Province; Eastern Province; Northern Province; Central Province; Southern Province; Corporate; Metro; Pettah; Head Office; Card Centre; Islamic Banking; Western Province North; Western Province South; Western Province Central]
[Chart: Collateral concentration (%). Categories: Cash; Gold; GoSL Securities/Guarantees; Movables; Property; Others; Unsecured]
[Chart: Rating grade-wise distribution (%). Categories: AAA to BB; B and Below]
[Chart: Cross border exposure of the Bank (%). Categories: UK; India; USA; Other Countries; Seychelles; Maldives; Other Assets; Cross border Assets]
[Chart: Sector concentration (%). Categories: Agriculture and Fisheries; Banks, Financial, Insurance and Business Services; Hotels, Travels and Services; Housing, Construction and Infrastructure; Manufacturing; Commercial Trade; Sovereign and Direct Government; Transportation and Logistics Services; Other Commercial Services; Consumption and other]
• Improve asset quality through revival and rehabilitation: Providing support to businesses to withstand negative impacts of the economic conditions in the aftermath of the pandemic.
• Process improvement through digital adoption: Enhance credit management process via evolving digital adoption.
• Facilitate economic development financing key sectors: Supporting more inclusive and resilient growth of country's economy utilising the Bank's financial strength to facilitate capital allocation for key sectors.
[Chart: Product-wise concentration (%). Categories: Trade Finance; Ran Surakum; Leasing; Staff Loans; Loans under Schemes; Overdrafts; Credit Cards; Housing Loans; Foreign Currency Loans Others; Term Loans; BoC Personal Loans; Pledge Loans; Money Market Loans; Loans Others]
MARKET RISK
Market risk is the adverse variation around expectation and arises due to negative
movement in variables such as interest rates, exchange rates, share prices and
commodity prices. Market risk arises through the banking book and the trading book
and comprises the following:
Risk type: Management tools and indicators
Interest Rate Risk (IRR) – arising from the Bank’s trading and non-trading books
• Maturity mismatches, interest rate gaps and Price Value per Basis Point (PVBP) are monitored on a consistent basis.
• Implications of changes in macroeconomic conditions are assessed through regular stress testing.
• Stress testing on interest rate movements
Foreign exchange risk – stemming from foreign currency denominated transactions
• Forex transactions are governed by stringent internal policies, including approval mechanisms, external regulatory guidelines and limits set by the Bank and the regulator.
• Internally, a comprehensive limit structure, comprising Value at Risk (VaR) limits and volume limits for open positions of both individual and aggregate currency exposures, is used to manage vulnerabilities.
• Stress testing on plausible forex risk scenarios.
Equity risk – losses from volatilities in equity prices
• A dedicated investment committee is in place to ensure that the Bank’s investment decisions are in line with the Board’s expectations on risk-return dynamics.
• The market risk division ensures the limit structure is in place for proper management of the equity portfolio.
• Comprehensive stress testing.
GOVERNANCE
The Board provides directions with respect to the market risk management framework and oversees that all aspects of market risk are managed. As a Board level subcommittee, the IRMC supports the Board in its oversight of risk management and related duties.
The Asset and Liability Committee (ALCO) and the investment committee hold the responsibility of managing the Bank’s market risk and make recommendations to the IRMC.
Market risk refers to the potential for financial losses arising from adverse movements in market variables such as interest rates, foreign exchange rates, equity prices, commodity prices, and other relevant financial indicators.
Asset and Liability Management Committee (ALCO)
• Analysing market risk associated with financial markets and recommending mitigation actions
• Recommending and approving market risk limits within delegated authority
• Overseeing various enterprise-wide market risk exposures
• Recommending the appropriate pricing structure
Treasury Middle Office/Market Risk Management Unit
The middle office at IIRMD independently reviews the treasury operations.
The middle office functions of treasury operations are governed primarily through market risk management policies and limit management framework.
POLICY FRAMEWORK AND METHODOLOGIES
Market risk management framework
The Bank's market risk management framework recognises the importance of robust risk
management practices and is based on clearly defined governance structure, strategies,
risk mitigating tools and procedures to identify, quantify, measure and manage market risk.
Key elements of the Bank's market risk management function
Market risk policies
The Market risk policy framework comprises the following:
• Market risk management policy
• Limit management framework
• Foreign exchange risk management policy
• Middle office operations manual
Policies are reviewed and updated regularly by the Board in view of changing dynamics in the operating landscape.
Risk limits
Risk limits are set for treasury and investment related activities including foreign currency open position limits, counterparty limits, stop loss limits and dealer limits.
The Board holds ultimate responsibility for this exercise and is supported by the ALCO.
Limits are regularly reviewed and updated by the IIRMD (with input from the ALCO) in line with market developments.
Risk monitoring
Market risk is monitored through a range of indicators including interest margins, foreign currency exposures, equity exposures, and funding requirements.
The monitoring mechanism is supported by tools such as value at risk, price value per basis point, duration, gap analysis, stress testing, sensitivity analysis, limits, and net open positions.
KEY DEVELOPMENTS IN 2023
• Implemented additional monitoring mechanisms for Treasury Operations.
Expanded the monitoring domain by incorporating several additional risk parameters to improve the effectiveness of the monitoring mechanism and enrich the reporting. The following risk parameters were included in the daily monitoring procedure:
1 Off market exchange rates
2 Forward exchange contracts mismatch limits
3 Intraday open position limit
4 Pre-settlement risk limits of fixed income securities with counterparties
The daily risk report was enriched with those additional risk parameters, in order to enhance the scope of the reporting to the management.
• Provided risk insights to improve the Net Interest Margin (NIM) of the Bank.
The following areas were broadly addressed to improve the NIM of the Bank.
1 Adjustment of interest rates in line with policy rates and structure of the assets and liabilities
2 Focusing the Net Interest Income of FCY assets and liabilities
3 Reduction of non-interest earning assets
4 Use of variable rates mechanisms for improving NIM
5 Finding new hedging methods to curtail interest rates risk
6 Improvement of CASA
Opportunities
• The Bank foresees some opportunities to improve liquidity and profitability using new trends in the market space, specifically the reducing interest rate scenario and the gradual improvement of foreign exchange liquidity in the economy. The Bank has the opportunity to align its Asset and Liability Management mechanisms to earn better margins as interest rates reduce, and better exchange gains through increased foreign exchange transactions such as exports, imports and retail foreign exchange conversions.
[Figure: Maturity analysis of assets and liabilities, December 2023 (%). Series: Inflow (%), Outflow (%), Gap (%). Time buckets: 0 - 1 months, 2 - 3 months, 3 - 6 months, 6 - 9 months, 9 - 12 months, 1 - 3 years, 3 - 5 years, Over 5 years.]
[Figure: Funding composition (%), 2023 and 2022. Categories: Deposits, Borrowings, Capital and Reserves.]
[Figure: Sensitivity analysis of assets and liabilities, December 2023 (%). Series: GAP %, Rate sensitive liabilities %, Rate sensitive assets %. Time buckets: Up to 1 Month, 1-3 Months, 3-6 Months, 6-12 Months, 1-2 Years, 2-3 Years, 3-4 Years, 4-5 Years, Over 5 Years.]
[Figure: PVBP T Bond (LKR), monthly from Jan. 23 to Dec. 23. Series: T bond, PVBP T bond limit.]
LIQUIDITY RISK
Liquidity risk involves potential losses to earnings and/or capital due to inability to
meet the Bank’s financial obligations as and when they are due. The Bank’s liquidity risk
management framework ensures the effective management of day-to-day liquidity risk
and Bank's resilience in facing unexpected liquidity crisis conditions.
Asset and Liability Management Committee (ALCO)
• Consistent monitoring of the liquidity profile to ensure compliance to regulatory requirements and internal targets
• Formulating a contingency liquidity plan
• Exploring avenues of bridging liquidity shortfalls and alternative funding arrangements
• Recommending relevant risk appetite limits
• Evaluating stress testing and making recommendations
POLICY FRAMEWORK AND METHODOLOGIES
Liquidity risk management framework
Liquidity policies
Policies such as Liquidity Risk Management and Asset and Liability Management provide guidance on mechanisms, tools, and stress testing methodologies that are to be adopted in managing liquidity risk exposures.
Liquidity measurement
Flow approach: Assessment of projected/actual inflows and outflows in time buckets.
Fund approach: Measures liquidity position through liquid assets ratio, liquidity coverage ratio, net stable funding ratio and credit to deposit ratio etc.
Contingency Funding Plan
The plan defines specific triggers and action plans with responsibilities to ensure business continuity in the event of liquidity stress.
GOVERNANCE
The Board oversees the establishment, approval and review of liquidity management strategies, policies and procedures, while its delegated subcommittee, the IRMC, supports the Board in its oversight of liquidity risk management.
The Asset and Liability Management Committee (ALCO), as the responsible management committee for monitoring and managing the liquidity risk of the Bank, carries out the required evaluations and makes recommendations to the IRMC on the relevant risk appetite limits.
KEY DEVELOPMENTS IN 2023
• Recorded a significant increase in the foreign currency liquidity position mainly as a result of the migrant worker remittances.
• Stringent management of foreign currency liquidity through prioritised payments.
• Improving CASA
Opportunities
• With gradual improvement of FCY liquidity in the market, the Bank has opportunities of mobilising FCY deposits at low cost
• The gradual recovery of the economy creates more borrowing opportunities to handle liquidity stress situations
• Contingent Funding Plan of the Bank will help to ease the liquidity stresses
[Figure: Unencumbered securities (LKR), monthly from Jan to Dec. Series: 2023, 2022.]
OPERATIONAL RISK
Operational risk is defined as the risk
of loss resulting from inadequate or
failed internal processes, people and
systems or from external events such as
natural disasters. The Bank’s operational
risk management is guided by the
operational risk management framework
which supports the identification,
measurement, management, monitoring
and reporting of material operational
risks.
GOVERNANCE
The Board is primarily responsible for
ensuring effective management of
operational risk within the Bank. The
IRMC is responsible for implementing
the Bank's operational risk management
framework while supporting the Board
through oversight on operational risk
management related duties.
Risk identification and management
is done through the Operational Risk
Management Executive Committee
(ORMEC) and provincial operational risk
management committee. The ORMEC
along with the fraud risk management
committee and the operational risk
management unit report to the IRMC.
Operational Risk Management Executive Committee (ORMEC)
Key responsibilities
• Assists the IRMC to discharge its statutory duties and its responsibilities in relation to operational risk management of the Bank
• Operational risk strategy and policy development and review
• Monitor and ensure that appropriate operational risk management framework is in place
• Discuss and recommend suitable controls/mitigants for managing operational risk
• Ensuring a mechanism is in place to record operational loss events and near misses, and ensuring that action is taken within reasonable time
• Formulation of coherent and consistent responses to developments in the external operational environment
• Coordinated responses to interdepartmental and inter business units
• Review and approve the development and implementation of operational risk methodologies and tools
Fraud Risk Management Committee (FRMC)
Key responsibilities
• Identify the systemic gaps if any that facilitated perpetration of the fraud and recommend measures to plug the same
• Identify the reasons for delay in detection of risk, if any, reporting to top management of the Bank
• Ensure that staff accountability is examined at all levels in all the cases of frauds and staff side action, if required, is completed quickly without loss of time
• Monitor progress of Bank/CID/Police Investigation, and Recovery position
• Review the efficiency of the remedial action taken to prevent recurrence of frauds, such as strengthening of internal controls
• Recommend any other measures as may be considered relevant to strengthen preventive measures against frauds
Operational Risk Management Unit
Key responsibilities
• Co-ordinating and managing all the operational risk activities of the Bank and working towards achievement of the stated goals and objectives
• Formulating all the operational risk related policies and ensuring their review as per timelines
• Implementing tools related to operational risk management such as Risk and Control Self-Assessment (RCSA), Key Risk Indicators (KRIs), Loss Data Management etc., and working towards the goals of improved controls and lower risk
• Product/process reviews for operational risk mitigation
• Co-ordinates with the HR department to ensure regular trainings are provided to the Bank’s employees to generate awareness about operational risk management
Tools and mechanisms
Policy framework
Key policies include:
• Operational Risk Management Policy
• Fraud Risk Management Policy
These are clearly set out guidelines on responsibilities, tools, and procedures in the identification, assessment, mitigation and monitoring of operational risks.
Risk identification and measurement
The Risk and Control Self Assessment (RCSA) framework of the Bank enables identification of operational risks that may arise from business objectives, products and services and operational procedures. The control effectiveness over those risks is evaluated, tested and monitored for critical business units.
Key risk indicators, internal loss data incident reporting and root cause analysis are also used to evaluate exposure to operational risks.
Reporting and monitoring
The IRMC and the Board are regularly updated on operational risk events/losses and control failures. The Bank also maintains a database of operational losses and incidents allowing identification of trends in operational risks and root causes. As an organisation-wide risk exposure, the Bank strives to nurture a risk conscious culture by encouraging employees to share knowledge.
Mitigation
1. Robust internal control structure
2. Business Continuity Plans for all critical business units and support functions
3. State-of-the-art disaster recovery centre
4. Comprehensive insurance cover
5. Ongoing process evaluation for improvements
6. Creating a culture of risk awareness
KEY DEVELOPMENTS IN 2023
• Reinforced the risk assessment process of overseas branches through introduction of a comprehensive questionnaire to ensure that an appropriate Operational Risk Management Framework is in place, as part of the continuous endeavours of IIRMD to proactively identify and mitigate potential risks across the Bank’s global operations.
• Improved process controls through Risk and Control Self-Assessment (RCSA) in critical units in the Bank, which ensures a single standard for risk and control that facilitates management oversight, optimises resource utilisation and meets the regulatory requirements.
• Reviewed and improved the checklist of the Branch risk assessment, which complements the effective functioning of the provincial ORMC.
• Provided a risk perspective when introducing a new product/process and reviewing existing products/processes.
• Effective usage of ‘tvBOC’ to carry out awareness programmes for all levels of staff, especially Managers and Internal Control Officers, focusing on arresting loss events.
• Revamping Bank-wide circulars: A special task is carried out by the BPRP unit, with the feedback and analysis from IIRMD and other stakeholders, to refurbish the Bank-wide circulars as a Bank with a history of over eight decades.
Opportunities
• Initiation of projects to drive automation:
Automation of the monitoring mechanism will collect data around the clock and fill it into reports automatically, which enables comprehensive analysis and identification of issues in the processes that have not been noticed before. This also helps to remove the vast majority of human error from processes.
• Improved control environment
An improved control environment ensures that the processes are not just compliant but also efficient, especially in the journey of digital transformation. Internal circulars are a highly effective way to communicate with employees, and the revamping of Bank-wide circulars will streamline the internal control mechanism throughout the Bank.
• Training and awareness
An effectively functioning training department, a well-equipped centralised training institute and a Bank-owned internal TV channel complement employee development in many ways. Enhancing employee productivity and improving the Bank’s culture are amongst the continuous efforts to strengthen work performance and a controlled operational environment.
POLICY FRAMEWORK AND METHODOLOGIES
[Figure: Loss event type distribution for year 2023 (%). Categories: Execution, Delivery and Process Management; External Fraud; Clients, Product and Business Practices; Internal Fraud; Business Disruption and System Failures.]
[Figure: Risk appetite vs actual losses and provisions (LKR million), Jan. 23 to Dec. 23. Series: Risk Appetite, Losses written off and Provisions made.]
INFORMATION SECURITY AND TECHNOLOGY RISK
Information Security and Technology
Risk involves the risk of loss or theft
of information, data and money, or
potential service disruption stemming
from the adoption of IT within the
Bank. Cyberattacks, phishing scams,
and ransomware incidents are on the
rise, posing significant challenges to IT
infrastructure, customer data security,
and operational resilience. Having
understood the criticality of proactively
addressing these threats, the Bank
continued to invest in updating its digital
defences.
KEY DEVELOPMENTS IN 2023
• In addition to the Information Security Policy that was already in place, the Bank introduced and implemented the Cyber Security Policy
• Commenced implementation of the COBIT 2019 Framework under the leadership of the Chief Risk Officer. We are the first bank in Sri Lanka to adopt this globally accepted IT governance framework, which will align existing frameworks and processes with the Bank’s overall strategy and strengthen the governance of information security, compliance and risk management
• Completed risk assessments in alignment with ISO 27001
GOVERNANCE
Corporate Information Security Committee (CISC)
• Provide management direction and support for the Information Security (IS) initiatives
• Ensure the establishment of the Information Security objectives and plans in line with business objectives
• Ensure the application of processes and procedures specified in the Information Security Policy (ISP)
• Review and communicate the information security plans and programmes to maintain information security awareness in BoC
• Provide direction to the CISO
• Oversee all aspects related to security operations and drive overall information security in BoC
Information Security Unit - Key Activities
• Development, maintenance and implementation of the ISP of the Bank and overseas branches
• Comprehensive risk assessments on overall operations and products
• Management of Information Security incidents
• Improvements to the current information security infrastructure
• Compliance with legal/regulatory requirements/standards
• Strengthen Information Security awareness of employees and customers through various channels
• Being resourceful in procurement related meetings to ensure that products are in compliance with the Bank’s security requirements
IT Risk Unit - Key Activities
• Assess the risk of system requirements, newly-developed systems and changes done for existing systems
• Development, maintenance, and implementation of IT Risk Policy of the Bank including overseas branches
• Strengthening IT Governance
Policies
• Information Security Policy
• Cyber Security Policy
• Vulnerability Management Policy
• IT Risk Management Policy
• Overseas Branches Cyber Security Policies, IT Risk Management Policies and Information Security Policies
STRATEGIC RISK
This involves the potential losses arising
from the possible flaws in the Bank’s
future business plans and the possibilities
of strategies being inadequate.
Formulating proper response plans to
refine the Bank’s strategy to suit the
changes in the business environment is
essential for management of strategic
risk.
The strategic direction of the Bank is provided by its overarching vision and mission, articulated in BoC’s corporate plan with specific measurable time-bound targets. The Bank’s strategic plan is developed under the guidance of the Board of Directors and with the involvement of the Corporate Management and Executive Management team, taking into consideration the changes in the operating context and stakeholder needs. Continued monitoring of performance is carried out against defined targets, and comprehensive scorecards are used to measure strategic risk exposures.
KEY DEVELOPMENTS IN 2023
• The Strategic Plan (SP) of the Bank was developed for a five-year time horizon, intensifying the strategic direction and enabling the Bank to formulate a wide-ranging plan for accomplishing the objectives of its stakeholders. A special committee appointed by the corporate strategic review committee studied the changes for repositioning the business model of the Bank for the next five years.
Opportunities
• The gradual recovery of the economy, complemented by the monetary policy easing, will enable the counterparties to meet their debt obligations, meeting the Bank's asset quality targets. With the continuous support of the International Monetary Fund (IMF) in rebuilding the economy and the restructuring process, the recapitalisation targets will be achieved.
Opportunities
• Establish a data protection unit to strengthen the IT governance framework
• Partner with fintechs and value-added service providers to expand our product range and customer reach
• Align processes and frameworks with the internationally recognised COBIT 2019 framework
HUMAN RESOURCE RISK
The continued challenging economic environment and socio-political conditions put pressure on the human capital of the Bank, resulting in high staff turnover and challenges in talent acquisition. In this context, the Bank placed heavy emphasis on employee well-being, training and development as well as recognising and rewarding performance to strengthen and equip the Bank’s employees to function at their optimum.
KEY DEVELOPMENTS IN 2023
• The Bank managed the talent acquisition through new recruitments of management trainees and staff assistants
• Introduction of new human resource related policy frameworks and reviewing of existing policies to accommodate the changing requirements of the human capital management
• Continuous employee development programmes
• The pilot run on distance working has been a success within the Bank enabling flexible working hours without compromising the service level
• Flexibility in employee dress code is also a key milestone in the human capital management history
• Appointed a Data Protection Officer in line with the enactment of the Privacy Data Protection Act No. 9 of 2022
• Conducted rigorous information security awareness and training
REGULATORY AND COMPLIANCE RISK
Regulatory and compliance risk arises from the failure to comply with laws, regulations, and industry standards governing banking activities. In 2023, the Bank continued to navigate a complex regulatory environment, including prudential regulations, Anti-Money Laundering (AML) requirements, consumer protection laws, and international standards through close and proactive engagement with regulators.
A dedicated Compliance Unit monitors all compliance with guidelines and regulations. A comprehensive compliance policy governs the compliance risk management. Continuous island-wide training and awareness programmes and onsite compliance assessments including overseas branches ensure effective management of regulatory and compliance risk.
KEY DEVELOPMENTS IN 2023
• Implemented system developments for compliance reporting requirements
• Carried out island-wide training programmes
• Onsite compliance assessment
CLIMATE RISK
Climate-related risks, including natural disasters and failure to implement long-term climate adaptations and solutions, are among the key risks faced by the Bank and its stakeholders. Addressing climate risk requires us to integrate climate considerations into our risk management frameworks, strategic planning processes, and decision-making practices. This includes assessing and disclosing climate-related risks and opportunities, implementing risk mitigation strategies, and engaging with stakeholders to promote sustainable finance and resilience-building efforts. By proactively managing climate risk, BoC aims to enhance its resilience, protect financial interests, and contribute to the transition to a low-carbon, climate-resilient economy.
A dedicated unit has been set up under the CFO, and an AGM has been appointed to manage the ESG aspect of the Bank. Board approved policies and procedures have also been implemented in terms of climate risk management. Extending the Bank's commitment along the value chain, the Bank carries out prudent and careful evaluation of credit facilities above LKR 25 million to grant environmental and social clearance in compliance with the ESG principles of the Bank.
KEY DEVELOPMENTS IN 2023
• Converted 52 branches to solar energy. All Bank owned buildings are to be converted by 2024.
• Successful island-wide roll-out of the Environmental and Social Management System (ESMS) to assess environmental and social risks of the lending portfolio of the Bank.
• Carried out training programmes on ESMS to develop a holistic approach to investment analysis, which incorporates environmental and social consideration.
Opportunities
• Introduce sustainable lending products
• Strengthen correspondent banking relationships with international funding agencies
LEGAL AND REPUTATIONAL RISK
Legal and reputational risk entails potential losses to earnings and reputational damage arising from non-compliance with regulatory/statutory provisions, uncertainty due to legal actions, or uncertainty in the applicability or interpretation of relevant laws or regulations applicable to the Bank, and negative perception of the stakeholders on the Bank's financial and operational position.
Opportunities
• As part of its continuous effort to comply with the Sustainability Road Map of CBSL, the Bank carries out environmentally friendly Corporate Social Responsibility (CSR) projects, which will enhance the reputation of the Bank.
KEY DEVELOPMENTS IN 2023
• Strengthened the customer complaint handling process through establishment of a separate customer complaint handling unit.
• Increased usage of social media has widened the vulnerability to reputation risk. The establishment of a separate unit for social media response handling has contributed successfully to managing negative responses about the Bank on social media.