Stewardship

Integrated Risk Management

Risk Culture and Vision

DFCC Bank PLC (‘Bank’) adopts a comprehensive and well-structured mechanism for assessing, quantifying and managing risk exposures which are material and relevant for its operations within a well-defined risk framework. The articulated set of limits explains the risk appetite of the Bank for all material and relevant risk categories and the risk capital position. Risk management is integrated with strategic, business and financial planning and customer/client transactions, so that business and risk management goals and responsibilities are aligned across the organisation. Risk is managed in a systematic manner by focusing on a group basis as well as managing risk across the enterprise, individual business units, products, services, transactions and across all geographic locations.

Credit risk amounts to the highest quantum of quantifiable risk faced by the Bank based on the currently effective quantification techniques. DFCC Bank PLC’s credit risk accounted for 91% of risk-weighted assets. Additionally, the Bank takes necessary measures to proactively manage operational and market risk as very important risk categories. Operational risk incidents may be with high frequency but low impact or with low frequency but high impact all of which warrant being closely monitored and managed prudently.

The following broad risk categories are in focus:

  • Business risk and strategic risk
  • Credit risk including settlement risk in Treasury and international operations and credit concentration risk
  • Interest rate risk in the banking book and the trading book
  • Liquidity risk
  • Foreign currency risk
  • Equity prices risk
  • Operational risk
  • Legal risk
  • Compliance risk
  • Reputational risk

The Bank’s general policies for risk management are outlined as follows:

  1. The Board of Directors’ responsibility for maintenance of a prudent integrated risk management function in the Bank.
  2. Communication of the risk policies to all relevant employees of the Bank.
  3. Structure of ‘Three Lines of Defence’ in the Bank for management of risks which consists of the risk-assuming functions, independent risk management and compliance functions and the internal and external audit functions.
  4. Ensuring compliance with regulatory requirements and other laws underpinning the risk management and business operations of the Bank.
  5. Centralised integrated risk management function which is independent from the risk assuming functions.
  6. Ensuring internal expertise, capabilities for risk management and ability to absorb unexpected losses when entering into new business, developing products or adopting new strategies.
  7. An assessment of risk exposures on an incremental and portfolio basis when designing and redesigning new products and processes before implementation. Such analysis will include among other areas, business opportunities, target customer requirements, core competencies of the Bank and the competitors and financial viability.
  8. Adoption of the principle of risk-based pricing.
  9. Ensuring that the Board approved target capital requirements, which are more stringent than the minimum regulatory capital requirements, are not compromised. For internal purposes, economic capital is quantified using Basel II recommended guidelines in the Internal Capital Adequacy Assessment Process (ICAAP). A cushion for the regulatory capital over and above the economic capital requirement is maintained to cover for stress losses or losses caused by unquantifiable risks such as strategic risk, liquidity and reputation risk (risk categories which are not in Pillar I of Basel II). Under ICAAP, capital is monitored on a quarterly basis based on certain stress scenarios which are subject to regular review based on macro-level anticipated developments.
  10. Aligning risk management strategy to the Bank’s business strategy.
  11. Ensuring comprehensive, transparent and objective risk disclosures to the Board, corporate management, regulators, shareholders and other stakeholders.
  12. Continuous review of risk management framework and ICAAP to align with Basel II and III recommendations and regulatory guidelines.
  13. Maintenance of internal prudential risk limits based on the risk appetite of the Bank wherever relevant, over and above the required regulatory limits.
  14. Ensuring a prudent risk management culture within the Bank.
  15. Periodic review of risk management policies and practices to be in line with the developments in regulations, business environment and internal environment.

Risk Governance

Approach of ‘Three Lines of Defence’

DFCC Bank PLC advocates strong risk governance applied pragmatically and consistently with a strong emphasis on the concept of ‘Three Lines of Defence’. The governance structure encompasses accountability, responsibility, independence, reporting, communication and transparency, both internally and with our relevant external stakeholders.

The First Line of Defence involves the supervision and monitoring of risk management practices by the business managers, corporate management and executive committees while discharging their responsibilities and accountability for day-to-day management of business operations. Independent risk monitoring, validation, policy review and compliance by the IRMD, the compliance function and periodic monitoring and oversight by the Board Integrated Risk Management Committee (BIRMC) constitute the Second Line of Defence. The Third Line of Defence is provided by the independent check and quality assurance of the internal and external audit functions.

The Bank exhibits an established risk management culture with effective risk management approaches, systems and controls. Policy manuals, internal controls, segregation of duties, clearly demarcated authority limits and internal audit form a part of key risk management tools. The Group Chief Risk Officer (CRO), who is an Executive Vice President functions with direct access to the BIRMC.

Governance Structure for Risk Management in DFCC Bank PLC

The Concept of ‘Three Lines of Defence’ for Integrated Risk Management Function of DFCC Bank PLC

Risk Policies and Guidelines

A set of structured policies and frameworks approved by the BIRMC and the Board forms a key part of the risk governance structure. Integrated Risk Management Framework stipulates, in a broader aspect, the policies, guidelines and organisational structure for the management of overall risk exposures of the Bank in an integrated approach. This framework defines risk integration and the aggregation approaches for different risk categories. In addition, separate policy frameworks detail the practices for management of key specific risk categories such as credit risk, market risk, credit concentration risk, liquidity risk and operational risk. These policy frameworks are reviewed annually and communicated across the Bank.

Respective staff members are required to adhere to the specifications of these frameworks when conducting business transactions.

Risk Appetite

Risk appetite of the Bank has been defined in the Overall Risk Limits System. It consists of risk limits arising from regulatory requirements, borrowing covenants and internal limits for prudential purposes. The Limits System forms a key part of the risk indicators and covers key risk areas such as credit, interest rate, liquidity, operational, foreign exchange, concentration and risk capital position amongst others. Lending limits cover the industry sectors and geographical regions as part of the prudential internal limits. These limits are monitored monthly and quarterly on a ‘Traffic Light’ system. These risk appetite limits are reviewed at least annually in line with the risk management capacities, business opportunities, business strategy of the Bank and regulatory specifications. Industry sector limits for the lending portfolio considers the inherent diversification within the sub-sectors and the borrowers within broader sectors.

Board Integrated Risk Management Committee (BIRMC)

The BIRMC is a Board sub-committee, which oversees the risk management function and the provisions of Basel II and III implementation as required by the Regulator from time to time in line with Board-approved policies and strategies. The Central Bank has already implemented the liquidity standards (Liquidity Coverage Ratio) under Basel III while the minimum capital requirements including the Capital Conservation Buffer have been implemented on a phased in basis starting from 2017 up to 2019.

The BIRMC functions under the responsibilities set out in the Board-approved Charter for the BIRMC, which incorporates corporate governance requirements for Licensed Commercial Banks issued by the Central Bank of Sri Lanka (CBSL). BIRMC sets the policies for bank-wide risk management including credit risk, market risk, operational risk and liquidity risk. In addition to the Board representatives, the BIRMC consists of the CEO and CRO as members. Further, Heads representing Credit, Finance, Treasury, Information Technology and Operations attend the meeting as invitees. A summary of the responsibilities and functions of the BIRMC is given in the Report on the Board Integrated Risk Management Committee on Committee Reports section of this Annual Report.

Involvement of Management Committees

Management Committees such as the Credit Committee (CC), Asset and Liability Management Committee (ALCO), Operational Risk Management Committee (ORMC), Special Loan Review Committee (SLRC) and Impairment Assessment Committee (IAC) are included in the organisational structure for integrated risk management function. The responsibilities and tasks of these committees are stipulated in the Board approved charters and Terms of Reference (TOR) and the membership of each committee is defined to bring an optimal balance between business and risk management.

Organisational Structure for Integrated Risk Management

The Integrated Risk Management Department (IRMD) is responsible for measuring and monitoring risk at operational levels on an ongoing basis to ensure compliance with the parameters set out by the Board/BIRMC and other executive committees for carrying out the overall risk management function in the Bank. It consists of separate units such as Risk Policy and Modelling, Credit Risk Management and Quality Assurance, Market Risk Monitoring, Operational Risk Management, Risk Quantification, Information Systems Security Risk Monitoring and Treasury Middle Office. IRMD is involved with product or business strategy development or entering into new business lines and gives input from the initial design stage through to the task/process from a risk management perspective.

Key Developments in Risk Management Function During the Period Under Review

Several significant initiatives were undertaken focusing continuously on regulatory developments and reassessing the Bank’s existing risk management policies, guidelines and practices for necessary improvements. In addition to these regulatory specifications, changes in business strategy, industry factors and international best practices were also considered in the improvement process. The following are the key initiatives during the period under review which led to further improvements in the overall integrated risk management function:

Prudential risk limits were reviewed in order to reflect the current risk appetite of the Bank setting new limits wherever necessary. The Bank set new milestones to improve the Advances to Deposits Ratio and CASA Ratio, and targets were set in order to maintain adequate Liquid Asset Ratios.

All the Board approved risk management frameworks, charters and TORs were reviewed during the period especially considering the changes in new regulations and the Bank’s business model.

Periodic validation of the credit rating models was carried out for better discriminatory power, while new scorecards were introduced for retail lending. As part of establishing an independent model validation process, the Bank has engaged the services of a foreign risk management consultancy firm to obtain an independent validation for its corporate banking and leasing rating models. This task was completed during the year and certain recommended improvements have been incorporated for the corporate rating model. Additionally, development of new models are in progress for new business areas the Bank intends to focus more on such as credit cards. A two dimensional scorecard catering to all types of personal financial services was developed during the year, which will replace the standalone models previously used.

The risk reporting process was improved during the period as per the requirements stated in ICAAP framework and the ICAAP document and process was formulated for the amalgamated bank. This involved assessing the required capital level for the Bank covering all types of risks under a certain stress level, forecasting of future capital levels and setting up of appropriate capital targets for the future. Based on the recommendations of the ICAAP process, the Bank issued a subordinated debt in November 2016, which will be eligible for Tier II capital and would also facilitate future planned lending growth and expansion without having undue pressure on total capital.

Treasury Middle Office (TMO) which is functionally segregated from the Treasury Department, directly reports to the Group CRO and monitors the Treasury-related market risk limits. The TMO uses a dashboard that facilitates the timely reporting of Treasury market positions independently to the Management. During the period, the dashboard was further improved to provide timely and more comprehensive information, including information on Government security portfolios, stress testing results and limit positions.

Commencing from 2014 and continuing in 2015, interest margins came under pressure with the sharp drop in the market rates, where lending rates dropped faster than the deposit rates. Scenario analysis and simulations by the ALM unit to assess the expected behaviour of interest margins enabled ALCO to take proactive measures to manage the erosion of margins. Looking at the trends in the market rates, ALCO proactively changed the pricing methods from fixed basis to variable basis, thus enhancing the net interest margins of the Bank in 2016. DFCC Bank PLC, being net asset sensitive to interest rate changes was able to improve the interest margins from mid 2015, with the increase in the market rates.

IRMD continued to calculate loss ratios for key lending products using historical recovery data in support of impairment assessment under IFRS. IRMD continued to support the pawning business of the Bank through timely studies, research and providing necessary market information to the business. IRMD was actively engaged in arriving at advance rates and interest rates for pawning products while managing the market and credit risk aspects.

As part of the risk management practices, the Bank computed the key credit risk quantification parameters such as Probability of Default (PD), Loss Given Default (LGD) and the loss ratios which are defined and recommended under the Basel II and IFRS. The results indicated improvements in the credit risk rating process, rating models, recovery process and the collateral quality in the Bank.

The credit workflow of the Bank was further improved during the year with the absorption of the Quality Assurance Unit under IRMD. The new workflow ensures that every credit proposal except for centrally processed retail loans is evaluated by an independent authority not connected to business lines, being either the Credit Risk Management Unit (CRMU) or the Quality Assurance Unit (QAU) of IRMD, based on the size of the accommodation and the approving authority.

Having duly recognised the global trend on increasing threats on systems and information security, the Bank increased its focus on IT systems security under its operational risk management practices. Staff awareness programmes on operational risk were held across the Bank on a regional basis especially for the newly appointed Operational Risk Co-ordinating Officers (ORCOs) while assigning specific reporting responsibilities to them. The Bank has strengthened the operational risk incident reporting system by implementing an online reporting mechanism through its intranet. The Bank is in the process of developing a model for Risk and Control Self-Assessment and Key Risk Indicators for operational risks across all functions and departments.

A new unit was formed in 2016 under the Integrated Risk Management Department to proactively manage the information security risk of the Bank. The Operational Risk Management Committee oversees the effectiveness of security initiatives and directs the management of information security risks within the Bank.

Management of Information Systems Security (ISS) Risk Under IRMD

The objectives of ISS risk management are to be compliant with regulatory and contractual requirements, establish best practices and information security governance across the Bank, align information security risk management with the Bank’s corporate risk management objectives and preserve Confidentiality, Integrity and Availability (CIA) requirements in the organisation’s information assets.

The ISS Risk Unit has taken up the following key responsibilities of the Information Security Management process at DFCC Bank PLC:

  • Establish and manage the Information Security Management System (ISMS) based on ISO 27001:2013 security standards
  • Identify security risks related to the Bank’s information assets and propose/implement controls to maintain residual risks at acceptable levels
  • Set and monitor information security KPIs and report the status of the indicators to the Information Security Steering Committee (ISSC) and ORMC
  • Perform trend analysis on information security incidents and reporting, which are regularly reviewed at the ORMC and the BIRMC

The Bank has an established Information Security Management System which provides a systematic approach to managing sensitive company information.
It includes people, processes and information systems by applying a risk management process.

The Bank became certified in ISO/IEC 27001:2013 standards for its IT operations in December 2016. The compliance audit was conducted and accredited by Bureau Veritas in conjunction with UKAS Management Systems.

External Credit Rating

During the period under review, the Bank’s local currency rating of ‘AA-’ was maintained while Fitch Ratings downgraded the outlook from stable to negative.

The Bank continued to maintain its foreign currency credit rating of B+ (stable outlook) by Fitch Ratings and B (stable outlook) assigned by Standard & Poor’s. The sovereign rating of B+ assigned for the Government of Sri Lanka is the benchmark for the foreign currency rating of other institutions within the country.

Credit Risk

Credit risk is the risk of loss to the Bank if a customer or counterparty fails to meet its financial obligations in accordance with agreed terms and conditions. It arises principally from On-Balance Sheet Lending such as loans, leases, trade finance and overdrafts as well as through Off-Balance Sheet products such as guarantees and letters of credit. A deterioration of counterparty credit quality can lead to potential credit-related losses for a bank.Credit risk is the largest component of the quantified risk accounting for 91% of Risk-Weighted Assets of DFCC Bank PLC.

The challenge of credit risk management is to maximise the risk adjusted rate of return by maintaining the credit risk exposure within acceptable levels.

Note: Includes overdrafts, loans, retail and housing loans, credit cards and leases.


Note: Collateral concentration in product categories of loans, ODs and pawning facilities are captured above. Leases, credit cards, investment securities and staff loans are excluded.


Credit Risk Management Process at DFCC Bank PLC

The Bank’s credit policies approved by the Board of Directors define the credit objectives, outlining the credit strategy to be adopted at the Bank. The policies are based on CBSL Direction on integrated risk management, Basel recommendations, business practices and risk appetite of the Bank.

Credit risk management guidelines identify target markets and industry sectors, define risk tolerance limits and recommend control measures to manage concentration risk. Standardised formats and clearly documented processes and procedures ensure uniformity of practices across the Bank.

Credit Risk Culture
  • Credit Risk Management Framework and Credit Policy
  • Governance structure and specific organisational structure for credit risk management
  • IRMD creates awareness of credit risk management through training programmes and experience sharing sessions
Credit Approval Process
  • Structured and standardised credit approval process as documented in the credit manual. The entire gamut of activities involving credit appraisal, documentation, funds disbursement, monitoring performance, restructuring and recovery procedures are described in detail in the manual which is reviewed annually
  • Standardised appraisal formats have been designed for each product type
  • Clearly defined credit workflow ensures segregation of duties among credit originators, independent review and approval authority
  • Delegation of Lending Authority sets out approval limits based on a combination of risk levels, as defined by risk rating and security type, loan size, proposed tenure, borrower and group exposure. IRM’s involvement in independent rating reviews of borrowers above a defined threshold for credit proposals
  • CRO is an observer of the Credit Committee, evaluates credit proposals from a risk perspective
  • Risk-based pricing is practiced at the Bank, any deviations being allowed only for funding through credit lines and where strong justification is made due to business development purposes
Control Measures
  • Negative sectors and special clearance sectors are identified based on the country’s laws and regulations, the Bank’s corporate values and policies and level of risk exposure. Negative sectors are recognised as industry sectors to which lending is disallowed while special clearance sectors are industry sectors and credit products to which the Bank practices caution in lending
  • Exposure limits on single borrower, group exposure, and advisory limits on industry sectors, large group borrowers and selected geographical regions are set by the Board of Directors on recommendation of IRMD
Credit Risk Management
  • Timely identification of problem credits through product-wise and concentration analysis in relation to industries, specific products and geographical locations such as branches/regions/provinces
  • Industry reports/periodical economic analysis provide direction to lending units to identify profitable business sectors to grow the Group’s portfolio and to identify industry-related risk sources and their impact
  • Evaluation of new products from a credit risk perspective
  • Post sanction review of loans within a stipulated time frame is in place in accordance with Loan Review Policy to ensure credit quality is maintained
  • Independent rating review by the Credit Risk Management Unit or the Quality Assurance Unit of IRMD ensures proper identification of credit quality at the time of credit origination and annual credit reviews
Credit Risk Monitoring and Reporting
  • Analysis of total portfolio in terms of NP movement, product distribution, industry sectors, Top 20 exposures, borrower rating distribution, branch-wise portfolio distribution and collateral distribution is carried out periodically and reported to BIRMC
  • Watch listing of clients with significant arrears and receiving feedback from regional offices on recovery action taken to regularise the position and information is disseminated to decision-makers on frequently watch-listed clients and their NP crossovers
  • Reporting quarterly to BIRMC on credit concentration risk positions with regard to regulatory limits such as single borrower and group exposure limits and internal advisory limits on industry sectors, large group borrowers and selected geographical regions as well as exposure based on credit rating grades
  • Monthly reporting on Top Key Risks to BIRMC and the Board
Credit Risk Mitigation
  • Borrower’s ability to pay is the primary source of recovery, whereas collateral acts as the secondary source in the event borrower’s cash inflow is impaired

Market Risk

Market risk is the possibility of losses arising from changes in the value of a financial instrument as a result of changes in market variables such as interest rates, exchange rates, equity prices and commodity prices. As a financial intermediary, the Bank is exposed primarily to the interest rate risk and as an authorised dealer, the commercial banking business is exposed to exchange rate risk on foreign currency portfolio positions. Market risk could impact the Bank mainly in two ways: viz, Loss of cash flows or loss of economic value. Market risk can be looked at in two dimensions; as traded market risk, which is associated with the trading book and non-traded market risk, which is associated with the banking book.

The ALCO oversees the management of both the traded and the non-traded market risks. The Treasury manages the foreign exchange risk with permitted hedging mechanisms. Trends in relevant local as well as international markets are analysed and reported by IRMD and the Treasury to ALCO and BIRMC. The market risks are controlled through various limits. These limits are stipulated by the Group’s Investment Policy, Treasury Manual and Overall Limits System of the Bank.

Treasury Middle Office (TMO) is segregated from the Treasury Front Office (TFO) and Treasury Back Office (TBO) and reports to the CRO. The role of the TMO includes the day-to-day operational function of monitoring and controlling risks assumed in the TFO based on clearly defined limits and controls. Being independent of the dealers, the TMO provides an objective view on front office activities and monitors the limits. TMO has the authority to escalate limit excesses as per delegation of authority to the relevant hierarchy. The Treasury information management system maintained by TMO includes a dashboard that facilitates the timely reporting of Treasury market positions independently to management.

The strengthened Treasury and market risk management practices contribute positively to the overall risk rating of the Bank and efficiency in the overall Treasury operations.

TBO which is reporting to the Head of Finance is responsible for accounting, processing settlements and valuations of all Treasury products and transactions. The Treasury transaction related information is independently submitted by TBO to relevant authorities.

Interest Rate Risk

Interest rate risk can be termed as the risk of loss in the net interest income (earnings perspective) or the net worth (economic value perspective) due to adverse changes in the market interest rates. The Asset and Liability Management (ALM) Unit routinely assesses the Bank’s asset and liability profile in terms of interest rate risk and the trends in costs and yields are reported to ALCO for necessary realignment in the asset and liability structure and the pricing mechanism. ALM performed a number of scenario analysis and simulations on the effect of interest rate changes to the Bank’s interest income during the year, to facilitate pricing decisions taken at ALCO.

Foreign Exchange Rate Risk

Foreign exchange rate risk can be termed as possibility of adverse impact to the Group’s capital or earnings due to fluctuations in the market exchange rates. This risk arises due to holding of assets or liabilities in foreign currencies. Net Open Position (NOP) on foreign currency indicates the level of net foreign currency exposure that has been assumed by the Bank at a point of time. This figure represents the unhedged position of the Bank in all foreign currencies. The Bank accrues foreign currency exposure through purchase and sale of foreign currency from customers in its commercial banking and international trade business and through borrowings and lendings in foreign currency.

The Bank manages the foreign currency risk using a set of tools which includes limits for net unhedged exposures, hedging through forward contracts and hedging through creating offsetting foreign currency assets or liabilities. TMO monitors the end of the day NOP as calculated by the TBO and the NOP movement in relation to the spot movement. The daily inter-bank foreign currency transactions are monitored for consistency with preset limits and any excesses are reported to the management and to BIRMC.

The unhedged foreign currency exposure of the Bank is closely monitored and necessary steps are taken to hedge in accordance with the market volatilities. In October 2013, the Bank issued its debut foreign currency international bond of USD 100 million with an original maturity of five years. The Bank actively manages the exchange risk arising from a minor part of this transaction where a majority has been hedged with the Central Bank.

DFCC Bank has obtained approval from the Central Bank for its foreign currency borrowings and credit lines as per regulatory requirements. The Bank has commenced planning and evaluating options available for the repayment of the international bond due in 2018.

Indirect Exposures to Commodity Prices Risk – Gold Prices

The Bank’s pawning portfolio amounted to LKR 2,110 million as at 31 December 2016, which was only 0.73% of total assets. The Market Risk Management Unit manages the risk emanating from Gold through constant analysis of the international and local market prices and adjusting the Bank’s preferred Loan to Value (LTV) ratio.

Equity Prices Risk

Equity prices risk is the risk of losses in the marked-to-market equity portfolio, due to the decline in the market prices. The direct exposure to the equity price risk by the Bank arises from the trading and available-for-sale equity portfolios. Indirect exposure to equity price risk arises through the margin lending portfolio of the Bank in the event of crystallisation of margin borrowers credit risk. The Investment Committee of the Bank is responsible for managing equity portfolio in line with the policies and the guidelines set out by the Board and the BIRMC. Allocation of limits for equities taken as collateral for loans and margin trading activities of customers and for the Bank’s investment/trading portfolio forms part of the tools for managing the equity portfolio. Rigorous appraisal, proper market timing and close monitoring of the portfolio performance in relation to the market performance facilitate the management of the equity portfolio within the framework of investment strategy and the risk policy.

Liquidity Risk

Liquidity risk is the risk of not having sufficient funds to meet financial obligations in time and in full, at a reasonable cost. Liquidity risk arises from mismatched maturities of assets and liabilities. The Bank has a well set out framework for liquidity risk management and a contingency funding plan. The liquidity risk management process includes regular analysis and monitoring of the liquidity position by ALCO and maintenance of market accessibility. Regular cash flow forecasts, liquidity ratios and maturity gap analysis are used as analytical tools by the ALCO. Any negative mismatches up to the next quarter revealed through cash flow gap statements are matched against cash availability either through incremental deposits or committed lines of credit. Whilst comfortably meeting the regulatory requirements relating to liquidity, for internal monitoring purposes, the Bank takes into consideration the liquidity of each eligible instrument relating to the market at a given point in time as well as undrawn commitments to borrowers when stress testing its liquidity position. The maintenance of a strong credit rating and reputation in the market enables the Bank to access domestic wholesale funds. For short-term liquidity support the Bank also has access to the money market at competitive rates.

The CBSL Direction No. 07 of 2011 specifies that liquidity can be measured through stock or flow approaches. Under the stock approach, liquidity is measured in terms of key ratios which portray the liquidity in the Balance Sheet. Under the flow approach banks should prepare a statement of maturities of assets and liabilities placing all cash inflows and outflows in the time bands according to their residual time to maturity in major currencies. The Bank has adopted both methods in combination to assess liquidity risk. In line with the long-term project financing business, the Bank focuses on long-term funding through dedicated credit lines while its commercial banking business focuses on Current and Savings Accounts (CASA) and Term Deposits as the key source of funding for its lending. The structure and procedures for Asset and Liability Management at the Bank have been clearly set out in the Board approved ALCO Charter, which is reviewed on an annual basis.

The minimum liquidity standards (Liquidity Coverage Ratio) under Basel III was implemented from April 2015. Accordingly, banks were required to maintain an adequate level of unencumbered High Quality Liquid Assets (HQLAs) that can be easily and readily converted into cash to meet their liquidity needs for a 30-calendar day time horizon under a significantly severe liquidity stress scenario. The computations of LCR performed for the Bank indicated that the Bank was comfortably in compliance with the Basel III minimum requirement, shaving sufficient High Quality Liquid Assets well in excess of the minimum requirements specified by the Central Bank. (The minimum requirement is 70% of HQLAs to be maintained over the immediate 30-day net cash outflow for the year 2016.)

Operational Risk

Operational risk is defined as the potential risk of loss resulting from inadequate or failed internal processes, people, systems and external events. It covers a wide area ranging from losses arising from fraudulent activities, unauthorised trade or account activities, human errors, omissions, inefficiencies in reporting, technology failures or from external events such as natural disasters, terrorism, theft or even political instability. The objective of the Bank is to manage, control and mitigate operational risk in a cost effective manner consistent with the Bank’s risk appetite. The Bank has ensured an escalated level of rigor in operational risk management approaches for sensitive areas of its operations.

The Operational Risk Management Committee oversees and directs the management of operational risk of the Bank at an operational level with facilitation from the Operational Risk Management Unit of the IRMD. Active representation of the relevant departments and units of the Bank has been ensured in the process of operational risk management through the Operational Risk Co-ordination Officers.

Segregation of duties with demarcated authority limits, internal and external audit, strict monitoring facilitated by the technology platform and back-up facilities for information are the fundamental tools of Operational Risk Management. Audit findings and management responses are forwarded to the Board’s Audit sub-committee for their examination. Effective internal control systems, supervision by the Board, Senior Management and the line managers forms part of ‘First Line of Defence’ for operational risk management at DFCC Bank PLC. The Bank demands high level of technical skills, professionalism and ethical conduct from its staff and these serve as insulators for many operational risk factors.

The following are other key aspects of the operational risk management process at DFCC Bank PLC:

  • Monitoring of Risk and Control-Self Assessments (RCSA) and Key Risk Indicators (KRIs) for the functions under defined threshold limits using a ‘Traffic Light’ system
  • Operational risk incident reporting system and independent analysis of the incidents by IRMD, and recognising necessary improvements in the systems, processes and procedures
  • Trend analysis on operational risk incidents and review at the ORMC and the BIRMC
  • Review of downtime of the critical systems and assessment of the reasons. The necessary risk and business impact is evaluated. Rectification measures are introduced when the tolerance levels are compromised
  • Review of HR attrition and exit interview comments in detail including a trend analysis with the involvement of the IRMD. The key findings of the analysis are evaluated at the ORMC and the BIRMC in an operational risk perspective
  • Reporting on grievances and investigation reports on Whistleblowing to ORMC
  • Establishment of the Bank’s complaint management process under the Board approved Complaints Management Policy. IRMD analyses the complaints received to identify any systematic issues and reports to ORMC
  • Conduct product and process reviews in order to identify the operational risks and recommend changes to the product and related processes
  • Evaluate the operational risks associated with any new product developments

Reputational Risk

Reputational risk is the risk of losing public trust or tarnishing of the Bank’s image in the public eye. It could arise from environmental, social, regulatory or operational risk factors. Events that could lead to reputational risk are closely monitored, utilising an early warning system that includes inputs from frontline staff, media reports and internal and external market survey results. Though all policies and standards relating to the conduct of the Bank’s business have been promulgated through internal communication and training, a specific policy was established to take action in case of an event which hinders the reputation. The Bank has zero tolerance for knowingly engaging in any business, activity or association where foreseeable reputational damage has not been considered and mitigated. While there is a level of risk in every aspect of business activity, appropriate consideration of potential harm to the Bank’s good name is a part of all business decisions. The complaint management process and the Whistleblowing process of the Bank include a set of key tools to recognise and manage reputational risk.

Business Risk

Business risk is the risk of deterioration in earnings due to the loss of market share, changes in the cost structure and adverse changes in industry or macroeconomic conditions. The Bank’s medium term-strategic plan and annual business plan form a strategic road map for sustainable growth. Continuous competitor and customer analysis and monitoring of the macroeconomic environment enables the Bank to formulate its strategies for growth and business risk management. Processes such as Planning, ALM, IT and Product Development in collaboration with business functions facilitate the management of business risk through recognition, measurement and implementation of tasks. Business risk relating to customers is assessed in the credit rating process and is priced accordingly.

Legal Risk

Legal risk arises from unenforceable transactions in a court of law or the failure to successfully defend legal action instituted against the Bank. Legal risk management commences from prior analysis, and a thorough understanding of, and adherence to related legislation by the staff. Necessary precautions are taken at the design stage of transactions to minimise legal risk exposure.

In the event of a legal risk factor, the legal unit of the Bank takes immediate action to address and mitigate these risks. External legal advice is obtained or Counsel retained when required.

Compliance Risk

Compliance risk can be termed as the risk of legal or regulatory sanctions, financial losses or damage to the reputation of the Bank as a result of its failure to comply with all applicable laws, regulations, Codes of Conduct and standards of good practice. The Bank ensures that effective compliance policies and procedures are followed and appropriate corrective actions are taken to rectify any breaches of laws, rules and standards as and when identified. A robust compliance culture has been established within the Bank with processes and work flows designed with the required checks and balances to facilitate compliance. The compliance function works closely with the business and operational units to ensure consistent management of compliance risk.

Compliance is a key area of focus during the process of new product development and review. The Head of Compliance submits quarterly reports on the compliance status to BIRMC and the Board, to enable oversight to be exercised with the added safeguard of being subject to internal audit. A culture of compliance permeates all levels of the Bank with regular training and knowledge sharing provided by internal as well as external experts in the area.

Anti-Money Laundering (AML)/Combating Terrorist Financing (CTF)

In response to international best practices and global standards, Sri Lanka has enacted laws relating to AML and CTF. Further, the Financial Intelligence Unit, under the purview of the Central Bank, has issued rules for the Know Your Customer (KYC) and Customer Due Diligence (CDD) processes, to identify and report suspicious transactions. The Bank has taken necessary measures to implement these regulatory and legislative requirements for AML and CTF. The steps taken in this regard include customer identification and verification, maintenance of records, ascertaining sources of funds, monitoring and maintenance of AML/CTF programmes. The customers of the Bank are subject to appropriate KYC/CDD measures.

Business Continuity Management

The Business Continuity Plan (BCP) of the Bank ensures timely recovery of critical operations that are required to meet stakeholder needs based on identified disruptions categorised into various severity levels. BCP has been designed to minimise risk to human resources and to enable the resumption of critical operations within reasonable time frames with minimum disruption to customer service and payment settlement systems. The DR site, which is located in a suburb of Colombo is prepared in line with the BCP Guidelines issued by the Central Bank and is tested regularly to establish its effectiveness. Training is carried out to ensure that employees are fully aware of their role within the BCP.

DFCC Bank’s Risk Capital Position and Financial Flexibility

The Bank adopts a proactive approach to ensure satisfactory risk capital level throughout its operations. In line with its historical practice and the capital targets, the Bank aims to maintain its risk capital position higher than the regulatory minimum requirements of 5% for Tier I and 10% for Total Capital under Basel II.

As at 31 December 2016, DFCC Bank PLC maintains a healthy risk capital position of 13.62%. core capital ratio and 17.09% total capital ratio based on the local regulatory guidelines. This demonstrates a cushion of about 8.62% and 7.09%, respectively, for Tier I and total capital over the minimum regulatory requirements

Capital Adequacy Management

Capital adequacy measures the adequacy of the Bank’s aggregate capital in relation to the risk it assumes. The capital adequacy of the Bank has been computed under the following approaches of Basel II which are currently effective in the local banking industry:

  • Standardised approach for credit risk
  • Standardised approach for market risk
  • Basic Indicator approach for operational risk

The graph below shows the Bank’s capital allocation and available capital buffer as at 31 December 2016, based on the quantified risk as per the applicable regulatory guidelines. Out of the regulatory risk capital (total capital) available as at 31 December, capital allocation for credit risk is 53.39% of the total capital while the available capital buffer is 41.49%.

Capital Adequacy Ratio and Risk-Weighted Assets of DFCC Bank PLC on a Solo and Group Basis Under Basel II and Basel III

Quantified as per the CBSL Guidelines 31 December 2016 31 December 2015
Bank Group Bank Group
Credit Risk Weighted Assets (LKR million) 194,737 195,094 169,201 169,547
Market Risk Weighted Assets (LKR million) 3,169 3,169 1,218 1,218
Operational Risk Weighted Assets (LKR million) 15,512 16,252 14,395 14,385
Total Risk Weighted Assets (LKR million) 213,418 214,515 184,814 185,150
Tier I Capital Adequacy Ratio – Basel II 13.62% 14.60% 14.26% 15.39%
Total Capital Adequacy Ratio – Basel II 17.09% 17.47% 14.88% 15.32%
CETI Capital Adequacy Ratio – Basel III 13.80% 15.43%
Total Tier I Capital Adequacy Ratio – Basel III 13.80% 15.43%
Total Capital Adequacy Ratio – Basel III 18.11% 19.72%

Basel II Capital guidelines will be revoked by CBSL with the implementation of Basel III guidelines by mid 2017.

Further, the Bank develops an ICAAP report which is in compliance with Pillar II of the Basel II framework. It focuses on formulating a mechanism to assess the Bank’s capital requirement covering all relevant risks and stress conditions in a futuristic perspective in line with the level of assumed risk exposures through its business operations. This ICAAP formulates the Bank’s capital targets, capital management objectives and capital augmentation plans. It evaluates the capital adequacy covering both Pillar I and Pillar II risks as well.

The capital forecast performed under the ICAAP process has indicated the ability of the Bank to maintain a comfortable level of capital cushion in the next few years.

Financial Flexibility in the DFCC Group’s Capital Structure

Apart from the strong capital position reported On-Balance Sheet, the Group maintains financial flexibility through the stored value in its equity investment portfolio. The unrealised capital gain of the listed equity portfolio is included in the Fair Value Reserve and is currently not taken into consideration in the capital adequacy computation under Basel II based on regulatory specifications.

Local Supervisory Background

The Banking Supervision Department of CBSL has taken steps to strengthen the risk management aspects of the licensed banks in Sri Lanka by enforcing certain regulations, specifications, guidelines and recommendations from time to time, which are in line with the Basel II and Basel III recommendations. The following regulatory specifications are particularly important:

  1. CBSL Direction No. 10 of 2007 on maintenance of capital adequacy ratios. In this Direction, specifications were issued for licensed banks to quantify and maintain the capital adequacy in line with the Basel II Standardised Approach for credit risk and market risk and Basic Indicator Approach for operational risk
  2. CBSL Direction No. 11 of 2007 on the Corporate Governance of Licensed Banks in Sri Lanka. In this Direction, licensed banks are required to form a Board sub-committee on Integrated Risk Management with a defined scope of responsibilities
  3. CBSL Direction No. 7 of 2011 on Integrated Risk Management Frameworks of Licensed Banks issued in October 2011. This specifies the requirement for Integrated Risk Management Frameworks for banks and includes specific guidelines for the structure, quantification and management of risks taking an integrated approach
  4. CBSL Direction No. 5 of 2013 – Supervisory Review Process (Pillar II of Basel II) for Licensed Commercial Banks and Licensed Specialised Banks
  5. CBSL Guidelines issued on 31 March 2014 on quantification of operational risk under the Standardised Approach of Basel II. Under this approach, the gross income of banks will be recognised in eight different business lines, and different alpha factors (prescribed by the Basel II) will be applicable to quantify the operational risk exposures
  6. In October 2014, CBSL issued consultative guidelines for implementation of the minimum liquidity standards (Liquidity Coverage Ratio to be maintained by banks) under Basel III. These guidelines were implemented from April 2015 through the CBSL Direction No 1 of 2015 on Liquidity Coverage Ratio under Basel III Liquidity Standards for LCBs and LSBs
  7. Guidelines on Stress Testing of Licensed Commercial Banks and Licensed Specialised Banks were released by the Bank Supervision Department in September 2014. The new direction has given recommendations for various sensitivity and stress test scenarios to be carried out to determine credit, exchange rate, interest rate, equity, liquidity, operational and other risks
  8. The regulation issued by CBSL in December 2014, requires Licensed Commercial Banks and Licensed Specialised Banks to increase their core capital (equity capital) to LKR 10 billion and LKR 5 billion respectively, commencing 1 January 2016. This new CBSL direction did not have an impact on DFCC Group
  9. Consultative guidelines on implementation of Basel III, Minimum Capital Requirements and Leverage Ratio have been issued in June 2015. This consultation paper provided the proposed framework to implement the Basel III Minimum Capital Requirements across the banking sector with a view to further improving the quantity and quality of capital. Further, a second consultative paper was issued in November 2016 specifying requirements under all three pillars and having regard to the comments received from the banks on the first consultation paper. Accordingly, The Basel III capital regulations will continue to be based on the three mutually reinforcing pillars introduced under Basel II, i.e., minimum capital requirement, supervisory review process and market discipline, which are planned to be implemented on a phased manner by 2019. These requirements will be in force with effect from July 2017 as per Direction No. 1 of 2016.

Assessment of Integrated Risk

The Bank has complied with all the currently applicable risk-related internal requirements in addition to the regulatory requirements as shown in the table below:

Risk Category Impact Key Risk Indicators Statutory/Internal Limit Position as at 31 Dec. 2016
Integrated Risk Management An adequate level of capital is required to absorb unexpected losses without affecting the Bank’s stability. (Total capital as a percentage of total risk-weighted assets) Capital Adequacy Ratio (Core capital as a percentage of total risk-weighted assets) Regulatory Complied
Capital Adequacy Ratio (Total capital as a percentage of total risk-weighted assets) Regulatory Complied
Capital Adequacy Ratio (Tier I as a percentage of total risk-weighted assets) (Total capital as a percentage of total risk-weighted assets) Internal Complied
Concentration/Credit Risk Management When the credit portfolio is concentrated to a few borrowers or a few groups of borrowers with large exposures, there is a high risk of a substantial loss due to failure of one such borrower. Single Borrower Limit – Individual (Amount of accommodation granted to any single company, public corporation, firm, association of persons or an individual/capital base) Regulatory Complied
Single Borrower Limit – Group Regulatory Complied
Aggregate large accommodation (Sum of the total outstanding amount of accommodation granted to customers whose accommodation exceeds 15% of the capital base/outstanding amount of accommodation granted by the Bank to total customers excluding the Government of Sri Lanka) Regulatory Complied
Aggregate limits for related parties (Accommodation to related parties as per the CBSL Direction/Regulatory Capital) Internal Complied
Exposure to agriculture sector (As per CBSL Direction) Regulatory Complied
Exposure to each industry sector (On-Balance Sheet exposure to each industry as a percentage of total Lending Portfolio) Internal Complied
Exposure to selected regions (On-Balance Sheet exposure to the regions as a percentage of the Total Lending Portfolio) Internal Complied
Leases Portfolio (On-Balance Sheet exposure to the leasing product as a percentage of Total Lending Portfolio Plus Securities Portfolio) Internal Complied
Exposure to GOSL Internal Complied
Non-Performing Ratio Internal Complied
Industry HHI Internal Complied
Maximum expected loss limits for each product line Internal Complied
Loan and OD – Exposure in BB and below grades Internal Complied
Loan and OD – Exposure in B and below grades Internal Complied
Leasing – Exposure in BB and below grades Internal Complied
Leasing – Exposure in B and below grades Internal Complied
Target rating-wise PDs and provisions Internal Complied
Margin trading (Aggregate exposure of margin loans extended/total loans and advances) Internal Complied
Liquidity Risk Management If adequate liquidity is not maintained, the Bank will be unable to fund the Bank’s commitments and planned assets growth without incurring costs or losses. Liquid Asset Ratio for DBU (Average monthly liquid assets/total monthly liabilities) Regulatory Complied
Liquid Asset Ratio for FCBU Regulatory Complied
Liquidity Coverage Ratio (All currencies and Rupee only) Regulatory Complied
Market Risk Management Forex Net Open Long Position Regulatory Complied
Forex Net Open Short Position Regulatory Complied
Limit for counterparty Off-Balance Sheet Market Risk Internal Complied
Net interbank borrowing exposure Internal Complied
Limit for settlement risk arising from market risk Internal Complied
Max holding period for trading portfolio Internal Complied
Treasury trading securities portfolio Internal Complied
Investment Risk Equity exposure – Individual (Equity investment in a private OR public company/Capital funds of the Bank) Regulatory Complied
Equity exposure – Individual (Equity investment in a private OR public company/Paid-up capital of the Company) Regulatory Complied
Aggregate equity exposure in public companies (Aggregate amount of equity investments in public companies/capital funds of the Bank) Regulatory Complied
Aggregate equity exposure in private companies (Aggregate amount of equity investments in private companies/capital funds of the Bank) Regulatory Complied
Aggregate equity exposure in private and public companies
(Total investments in private and public companies/capital funds of the Bank)
Regulatory Complied
Equity exposure (Equity exposure as a percentage of Total Lending Portfolio plus Securities Portfolio) Internal Complied
Equity exposure in each sector Internal Complied
Single equity exposure Internal Complied
Operational Efficiency Cost to income ratio (Solo) – Operational Cost/Operational Income Internal Complied
Operational Risk Adequately placed policies, processes and systems will ensure and mitigate against excessive risks arising. This will result in the stability of the Bank. Reputation risk of the Bank and Group (Zero risk appetite) Internal Complied
Significant regulatory breaches (Zero risk appetite) Internal Complied
Inability to recover from business disruptions over and above the Recovery Time Objectives (RTO) as defined in the BCP of the Bank (Zero risk appetite) Internal Complied
Mis-selling of financial products and services (Zero risk appetite) Internal Complied
Failure to undertake risk-based customer due diligence
(Zero risk appetite)
Internal Complied
Internal fraud (Zero tolerance for losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or bank policy, excluding diversity/discrimination events, which involves at least one internal party) Internal Complied
External fraud (Very low appetite for losses due to act of a type intended to defraud misappropriate property or circumvent laws, by a third party) Internal Complied
Employee practices and workplace safety (Zero appetite for losses arising from acts inconsistent with employment, health or safety laws or agreements from payment of personal injury claims, or from diversity/discrimination events) Internal Complied
Client products and business practices (Zero risk appetite for losses arising from an unintentional or negligent failure to meet
a professional obligation to specific clients (including fiduciary and suitability requirements) or from the nature or design of a product)
Internal Complied
Damage to physical assets (Very low appetite for loss arising from loss or damage to physical assets from natural disaster or other events) Internal Complied
Business disruption and systems failures (Very low appetite for business disruptions/system failures for more than 30 minutes during service hours) Internal Complied
Execution, delivery and process management (Very low appetite for losses from failed transaction processing or process management) Internal Complied