Integrated Risk Management

Risk Culture and Vision

DFCC Bank adopts a comprehensive and well-structured mechanism for assessing, quantifying and managing risk exposures which are material and relevant for its operations within a well-defined risk framework. The articulated set of limits explains the risk appetite of the Bank for all material and relevant risk categories and the risk capital position. Risk management is integrated with strategic, business and financial planning and customer/client transactions so that business and risk management goals and responsibilities are aligned across the organisation. Risk is managed in a systematic manner by focusing on a group basis as well as managing risk across the enterprise, individual business units, products, services, transactions and across all geographic locations.

Credit risk amounts to the highest quantum of quantifiable risk faced by the Bank based on the currently effective quantification techniques. In DFCC Bank credit risk accounted for 92% of risk-weighted assets. Additionally, the Bank takes necessary measures to proactively manage operational and market risk as very important risk categories. Operational risk incidents may be with high frequency but low impact or with low frequency but high impact all of which warrant being closely monitored and managed prudently.

Following broad risk categories are in focus:

  • Business risk and strategic risk
  • Credit risk including settlement risk in Treasury and international operations and credit concentration risk
  • Interest rate risk in the banking book and the trading book
  • Liquidity risk
  • Foreign currency risk
  • Equity prices risk
  • Operational risk
  • Legal risk
  • Compliance risk
  • Reputational risk

DFCC Bank’s general policies for risk management are outlined as follows:

  • The Board of Directors’ responsibility for maintenance of a prudent integrated risk management function in DFCC Bank.
  • Communication of the risk policies to all relevant employees of DFCC Bank.
  • Structure of ‘Three Lines of Defence’ in DFCC Bank for management of risks which consists of the risk-assuming functions, independent risk management and compliance functions and the internal and external audit functions.
  • Ensuring compliance with regulatory requirements and other laws underpinning the risk management and business operations of DFCC Bank.
  • Centralised Integrated Risk Management Function which is independent from the risk assuming functions.
  • Ensuring internal expertise, capabilities for risk management and ability to absorb unexpected losses when entering into new business, developing products or adopting new strategies.
  • An assessment of risk exposures on an incremental and portfolio basis when designing and redesigning new products and processes before implementation. Such analysis will include among other areas, business opportunities, target customer requirements, core competencies of the Bank and the competitors and financial viability.
  • Adoption of the principle of risk-based pricing. However, ALCO may consider shifting to market-based pricing approach based on the prevailing market conditions and business strategy.
  • Ensuring that the Board approved target capital requirements, which are more stringent than the minimum regulatory capital requirements, are not compromised. For internal purposes, economic capital is quantified using Basel II recommended guidelines in the Internal Capital Adequacy Assessment Process (ICAAP). A cushion for the regulatory capital over and above the economic capital requirement is maintained to cover for stress losses or losses caused by unquantifiable risks such as strategic risk, liquidity and reputation risk (risk categories which are not in Pillar I of Basel II). Under ICAAP capital is monitored on a quarterly basis based on certain stress scenarios which are subject to regular review based on macro-level anticipated developments.
  • Aligning risk management strategy to DFCC Bank’s business strategy.
  • Ensuring comprehensive, transparent and objective risk disclosures to the Board, Corporate Management, Regulators, Shareholders and Other Stakeholders.
  • Continuous review of risk management framework and ICAAP to align with Basel II and III recommendations and regulatory guidelines.
  • Maintenance of internal prudential risk limits based on the risk appetite of the DFCC Bank wherever relevant, over and above the required regulatory limits.
  • Ensuring a prudent risk management culture within DFCC Bank.
  • Periodic review of risk management policies and practices to be in line with the developments in regulations, business environment and internal environment.

Risk Governance

Approach of ‘Three Lines of Defence’

DFCC Bank advocates strong risk governance applied pragmatically and consistently with a strong emphasis on the concept of ‘Three Lines of Defence’. The governance structure encompasses accountability, responsibility, independence, reporting, communication and transparency, both internally and with our relevant external stakeholders.

The First Line of Defence involves the supervision and monitoring of risk management practices by the business managers, corporate management and executive committees while discharging their responsibilities and accountability for day-to-day management of business operations. Independent risk monitoring, validation, policy review and compliance by the IRMD, the compliance function and periodic monitoring and oversight by the Board Integrated Risk Management Committee (BIRMC) constitute the Second Line of Defence. The Third Line of Defence is provided by the independent check and quality assurance of the internal and external audit functions.

DFCC Bank exhibits an established risk management culture with effective risk management approaches, systems and controls. Policy manuals, internal controls, segregation of duties, clearly demarcated authority limits and internal audit form a part of key risk management tools. The Group Chief Risk Officer (CRO), who is an Executive Vice President functions on a Group basis with direct access to the BIRMC.

Governance Structure for Risk Management in DFCC Bank

The Concept of ‘Three Lines of Defence’ for Integrated Risk Management Function of DFCC Bank

Risk Policies and Guidelines

A set of structured policies and frameworks approved by the BIRMC and the Board forms a key part of the risk governance structure. Integrated Risk Management Framework stipulates, in a broader aspect, the policies, guidelines and organisational structure for the management of overall risk exposures of DFCC Bank in an integrated approach. This framework defines risk integration and the aggregation approaches for different risk categories. In addition, separate policy frameworks detail the practices for management of key specific risk categories such as credit risk, market risk, credit concentration risk, liquidity risk, operational risk. These policy frameworks are communicated across the Bank. Respective staff members are required to adhere to the specifications of these frameworks when conducting business transactions.

Risk Appetite

Risk appetite of DFCC Bank has been defined in the Overall Risk Limits System. It consists of risk limits arising from regulatory requirements, borrowing covenants and internal limits for prudential purposes. The limit system forms a key part of the key risk indicators and covers key risk areas such as credit, interest rate, liquidity, operational, foreign exchange, concentration and risk capital position amongst others. Lending limits cover the industry sectors and geographical regions as part of the prudential internal limits. These limits are monitored monthly and quarterly on a ‘Traffic Light’ system. These risk appetite limits are reviewed at least annually in line with the risk management capacities, business opportunities, business strategy of the Bank and regulatory specifications. Industry sector limits for the lending portfolio considers the inherent diversification within the sub-sectors and the borrowers within broader sectors.

Organisational Structure for Risk Management

Board Integrated Risk Management Committee (BIRMC)

The BIRMC is a Board sub-committee, which oversees the risk management function and the provisions of Basel II and III implementation as required by the Regulator from time to time in line with Board-approved policies and strategies. The Central Bank has already implemented the liquidity standards (Liquidity Coverage Ratio) under Basel III while the minimum capital requirements including Capital Conservation Buffer and Countercyclical Buffer have been envisaged to be implemented on a phased in basis starting from 2016.

The BIRMC functions under the responsibilities set out in the Board-approved Charter for the BIRMC, which incorporates corporate governance requirements for Licensed Commercial Banks issued by the Central Bank of Sri Lanka (CBSL). BIRMC sets the policy and operations for bank-wide risk management including credit risk, market risk, operational risk and liquidity risk. In addition to the Board representatives, the BIRMC consists of the CEO and CRO as members. Further, Heads representing Credit, Finance, Treasury, Information Technology and Operations attend the meeting as invitees. A summary of the responsibilities and functions of the BIRMC is given in the Report on the Board Integrated Risk Management Committee.

Involvement of Management Committees

Management Committees such as Credit Committees(CC), Asset and Liability Management Committee (ALCO), Operational Risk Management Committee (ORMC), Special Loan Review Committee (SLRC) and Impairment Assessment Committee (IAC) are included in the organisational structure for integrated risk management function. The responsibilities and tasks of these committees are stipulated in the Board approved charters and TORs and the membership of each committee is defined to bring an optimal balance between the business and risk management.

Integrated Risk Management Department (IRMD)

IRMD is responsible for measuring and monitoring risk at operational levels on an ongoing basis to ensure compliance with the parameters set out by the Board/BIRMC and other executive committees for carrying out the overall risk management function in DFCC Bank. It consists of six separate units such as Risk Policy and Modelling, Credit Risk Management, Market Risk Monitoring, Operational Risk Management, Risk Quantification and Treasury Middle Office. IRMD is involved with product or business strategy development or entering into new business lines from the initial design stage through input to the task/process from a risk management perspective. Credit Risk Management Unit of the IRMD carries out an independent review of the credit ratings of all corporates over a minimum threshold and also carries out random examination of other exposures. Treasury Middle Office which is functionally segregated from the Treasury Department, directly reports to the Group CRO and monitors the Treasury-related market risk limits.

Impact of the Amalgamation of DFCC Bank and DFCC Vardhana Bank on the Risk Management Function

As the risk management functions of DFCC Bank and DFCC Vardhana Bank were carried out on a group basis, but reported at entity level, the amalgamation did not have a material impact in terms of monitoring and reporting. The amalgamation has enabled the Bank to bring all customer databases onto a common IT platform.

Key Developments in Risk Management Function during the Period Under Review

During the period under review, several significant initiatives were undertaken paying continuous emphasis on regulatory developments and reassessing DFCC Bank’s existing risk management policies, guidelines and practices for necessary improvements. In addition to these regulatory specifications, changes in business strategy, industry factors and international best practices were also considered during this improvement process. The following are the key initiatives during the period under review which brought improvements to the overall Integrated Risk Management Function:

Prudential risk limits were reviewed in order to reflect the current risk appetite of the Bank.

  • Periodic validation of the credit rating models was carried out for better discriminatory power while new scorecards were introduced for other categories. As part of establishing an independent model validation process, the Bank has engaged the services of a foreign risk management consultancy firm to obtain an independent validation for its corporate banking and leasing rating models.
  • The previous year saw the Credit portfolio segmentation which categorises the borrowers in a methodical manner being introduced across DFCC Bank and DFCC Vardhana Bank. During the concluding period, the segmentation process was pursued further, ensuring that loan clients of the Banks, pre and post merger, are subjected to segmentation. This categorisation is important in several aspects for credit risk management. Application of rating models is customised for differing borrower segments while depth and breadth of credit appraisals can vary based on borrower segments. This borrower segmentation is a prerequisite for DFCC Bank to obtain regulatory capital advantage from lending to SME and retail segments.
  • IRMD as an independent unit detached from the business units, established close monitoring and watch listing of clients whereby arrears positions in loans are closely monitored to identify recurring incidents, possible trends inherent to business units/regions and/or industry segments with the view of minimising probable default risk incidents.
  • Risk reporting process was improved during the period as per the requirements stated in ICAAP framework.
  • Treasury Middle Office (TMO) uses a dashboard that facilitates the timely reporting of Treasury market positions independently to the management. During the period, the dashboard was further improved with more and timely information including information on Government security portfolios, stress testing results and limit positions.
  • The Bank commenced computation and monitoring of the Liquidity Coverage Ratio (LCR) under Basel III as per the guidelines issued by the CBSL and implemented from April 2015. On a pre and post-amalgamation basis, DFCC Bank comfortably complied with the minimum requirements.
  • From 2014, interest margins came under pressure with the sharp drop in the market rates, where lending rates dropped faster than the deposits rates. Scenario analysis and simulations by the ALM unit to assess the expected behaviour of interest margins enabled ALCO to take proactive measures to manage the erosion of margins. DFCC Bank, being net asset sensitive to interest rate changes was able to improve the interest margins from mid 2015, with the marginal increase in the market rates.
  • IRMD continued to calculate Loss Ratios for key lending products using historical recovery data in support of impairment assessment under IFRS. During 2014, a review on the Loss Ratio Methodology was conducted in line with the historical evidence. The methodology was refined to incorporate the cash flow patterns and recovery experience of impaired assets of the Bank.
  • IRMD continued to support the pawning business of the Bank through timely studies, research and providing necessary market information to the business. IRMD was actively engaged with the business of arriving at advance rates and interest rates for pawning products while managing the market and credit risk aspects.
  • As part of the risk management practices, the Bank computed the key credit risk quantification parameters such as Probability of Default (PD), Loss Given Default (LGD) and the Loss Ratios which are defined and recommended under the Basel II and IFRS. The results indicated improvements in the credit risk rating process, rating models, recovery process and the collateral quality in DFCC Bank.
  • DFCC Bank realigned the credit work flow in order to ensure that every credit proposal sent for approval is independently evaluated. The new work flow ensures that every credit proposal is independently evaluated by either the Quality Assurance Unit (QAU) or the IRMD based on the region/origination unit and approving authority.
  • Having duly recognised the global trend on increasing threats on system and information security, the Bank paid increased attention to IT systems security under its operational risk management practices.
  • All the Board approved Charters and TORs were reviewed during the period especially considering the changes required at the time of the amalgamation.

DFCC Bank’s External Credit Rating

During the period under review, the DFCC Bank’s local currency rating of ‘AA-’ was maintained while Fitch Ratings has affirmed that the rating of DFCC Bank PLC is unaffected by the merger of DFCC Bank and DVB, because DFCC Bank’s rating was already based on the consolidated credit profile. The increased significance of Group’s commercial banking business segment is a result of its business diversification strategy to bring earnings growth while managing the excessive dependence on the project lending business.

The Bank also continued to maintain its foreign currency credit rating of B+ (stable outlook) by Fitch Ratings and B (stable outlook) assigned by Standard & Poor’s. The sovereign rating of BB- assigned for the Government of Sri Lanka is the benchmark for the foreign currency rating of other institutions within the country.

Credit Risk

Credit risk is the risk of loss to the Bank if a customer or counterparty fails to meet its financial obligations in accordance with agreed terms and conditions. It arises principally from On-Balance Sheet lending such as loans, leases, trade finance and overdrafts as well as through Off-Balance Sheet products such as guarantees and letters of credit. A deterioration of counterparty credit quality can lead to potential credit-related losses for a bank. Credit risk is the largest component of the quantified risk accounting for 92% of Risk-Weighted Assets at DFCC Bank.

Along with the innumerable business opportunities that the larger merged entity is likely to get it is also likely to face increased credit risk events. The challenge of credit risk management is to maximise the risk adjusted rate of return by maintaining the credit risk exposure within acceptable levels.

Credit Risk Management Process at DFCC Bank

The DFCC Bank’s Credit Policies approved by the Board of Directors define the credit objectives, outlining the credit strategy to be adopted at the Bank. The policies are based on CBSL Direction on Integrated Risk Management, Basel recommendations, business practices of DFCC Bank and former DFCC Vardhana Bank and risk appetite of DFCC Bank.

Credit risk management guidelines identify target markets and industry sectors, define risk tolerance limits and recommend control measures to manage concentration risk. Standardised formats and clearly documented processes and procedures ensure uniformity of practices across DFCC Bank.

Credit Risk Culture

  • Credit Risk Management Framework and Credit Policy
  • Governance structure and specific organisational structure for credit risk management
  • IRMD creates awareness of credit risk management through training programmes and experience sharing sessions

Credit Approval Process

  • Structured and standardised credit approval process as documented in credit manuals. The entire gamut of activities involving credit appraisal, documentation, funds disbursement, monitoring performance, restructuring and recovery procedure are described in detail in these manuals which are reviewed annually
  • Standardised appraisal formats have been designed for each product type
  • Clearly defined credit workflow ensures segregation of duties among credit originators, independent review and approval authority
  • Delegation of Lending Authority sets out approval limits based on a combination of risk level, as defined by risk rating and security type, and loan size, proposed tenure, borrower and group exposure, IRM’s involvement in independent rating reviews of borrowers above a defined threshold for credit proposals
  • GCRO is a member of the Credit Committee, evaluates credit proposals from a risk perspective
  • Risk based pricing is practiced at DFCC Bank, any deviations being allowed only for funding through credit lines and where strong justification is made due to business development purposes

Control Measures

  • Negative sectors and special clearance sectors are identified based on the country’s laws and regulations, DFCC Bank’s corporate values and policies and level of risk exposure. Negative sectors are recognised as industry sectors to which lending is disallowed while special clearance sectors are industry sectors and credit products to which DFCC Bank practices caution in lending
  • Exposure limits on single borrower, group exposure, and advisory limits on industry sectors, large group borrowers and selected geographical regions are set by the Board of Directors on recommendation of IRMD

Credit Risk Management

  • Timely identification of problem credits through product-wise and concentration analysis in relation to industries, specific products and geographical locations such as branches/regions/provinces
  • Industry reports/periodical economic analysis provide direction to lending units to identify profitable business sectors to grow the Group’s portfolio and to identify industry related risk sources and their impact
  • Evaluation of new products from a credit risk perspective
  • Post sanction review of loans within stipulated time frame is in place in accordance with Loan Review Policy to ensure credit quality is maintained
  • Independent rating review by Credit Risk Management Unit of IRMD ensures proper identification of credit quality at the time of credit origination and annual credit reviews

Credit Risk Monitoring and Reporting

  • Analysis of total portfolio in terms of NP movement, product distribution, industry sectors, Top 20 exposures, borrower rating distribution, region-wise portfolio distribution, collateral distribution is carried out periodically and reporting to BIRMC
  • Watchlisting of significant arrears clients and receiving feedback from regional offices on recovery action taken to regularise the position
  • Monitoring of potentially high risk advances of significant value, booked at branches and new advances where IRMD has instructed the business units to exercise extra caution
  • Reporting quarterly to BIRMC on credit concentration risk positions with regards to regulatory limits such as single borrower and group exposure limits and internal advisory limits on industry sectors, large group borrowers and selected geographical regions as well as exposure based on credit rating grades
  • Monthly reporting on Top Key Risks to BIRMC and the Board

Credit Risk Mitigation

  • Borrower’s ability to pay is the primary source of recovery, whereas collateral acts as the secondary source in the event borrower’s cash inflow is impaired

Market Risk

Market risk is the possibility of losses arising from changes in the value of a financial instrument as a result of changes in market variables such as interest rates, exchange rates, equity prices and commodity prices. As a financial intermediary the Bank is exposed primarily to the interest rate risk and as an authorised dealer, commercial banking business is exposed to the exchange rate risk on foreign currency portfolio positions.

Market risk could impact DFCC Bank mainly in two ways; viz., loss of cash flows or loss of economic value. Market risk can be looked at in two dimensions; as traded market risk, which is associated with the trading book and non-traded market risk, which is associated with the banking book.

The ALCO oversees the management of both the traded and the non-traded market risks. The Treasury manages the foreign exchange risk with permitted hedging mechanisms. Trends in relevant local as well as international markets are analysed and reported by IRMD and the Treasury to ALCO and BIRMC. The market risks are controlled through various limits. These limits are stipulated by the Group’s Investment Policy, Treasury Manual and Policy, and limits system of DFCC Bank.

Treasury Middle Office (TMO) is segregated from the Treasury Front Office (TFO) and Treasury Back Office (TBO) and reports to the CRO. The role of the TMO includes the day-to-day operational function of monitoring and controlling risks assumed in the TFO and TBO based on clearly defined limits and controls. Being independent of the dealers, the TMO provides an objective view on Front Office activities and monitors the limits. TMO has the authority to escalate limit excesses as per delegation of authority to the relevant hierarchy. The Treasury information management system maintained by TMO includes a dashboard that facilitates the timely reporting of Treasury market positions independently to management.

The strengthened Treasury and market risk management practices contribute positively to the overall risk rating of the Group and efficiency in the overall Treasury operations.

TBO which is reporting to Head of Finance is responsible for accounting, processing settlements and valuations of all Treasury products and transactions. The Treasury transactions related information is independently submitted by TBO to relevant authorities.

Interest Rate Risk

Interest rate risk can be termed as the risk of loss in the net interest income (earnings perspective) or the net worth (economic value perspective) due to adverse changes in the market interest rates. ALM unit routinely assesses the Bank’s asset and liability profile in terms of interest rate risk and the trends in costs and yields are reported to ALCO for necessary realignment in the asset and liability structure and the pricing mechanism. ALM performed a number of scenario analysis and simulations on the effect of interest rate changes to the Bank’s interest income during the period to facilitate pricing decisions taken at ALCO. The ALM function is planned to be transferred to the Finance Department subsequent to the amalgamation of the Banks.

Foreign Exchange Rate Risk

Foreign exchange rate risk can be termed as possibility of adverse impact to the Group’s capital or earnings due to fluctuations in the market exchange rates. This risk arises due to holding of assets or liabilities in foreign currencies. Net Open Position (NOP) on foreign currency indicates the level of net foreign currency exposure that has been assumed by the Bank at a point of time. This figure represents the unhedged position of the Bank in all the foreign currencies. The Bank accrues foreign currency exposure through purchase and sale of foreign currency from customers in its commercial banking and international trade business and through borrowings and lendings in foreign currency.

DFCC Bank manages the foreign currency risk using a set of tools which includes limits for net unhedged exposures, hedging through forward contracts and hedging through creating offsetting foreign currency asset or liability. TMO monitors the end of the day NOP as calculated by the TBO, and the NOP movement in relation to the spot movement. The daily inter-bank foreign currency transactions are monitored for consistency with preset limits and any excesses are reported to the management and to BIRMC. The unhedged foreign currency exposure of the Bank is closely monitored and necessary steps are taken to hedge in accordance with the market volatilities.

In October 2013, the Bank issued its debut foreign currency international bond of USD 100 million with an original maturity of 5 years. The Bank actively manages the exchange risk arising from this transaction.

Indirect Exposures to Commodity Prices Risk – Gold Prices

DFCC Bank’s pawning portfolio amounted to LKR 1,532 million at 31 December 2015, which was only 0.6% of total assets.

Equity Prices Risk

Equity prices risk is the risk of losses in the marked-to-market equity portfolio, due to the decline in the market prices. The direct exposure to the equity prices risk by the Bank arises from the trading and available-for-sale equity portfolios. Indirect exposure to equity prices risk arises through the margin lending portfolio of DFCC Bank in the event of crystallisation of credit risk of margin borrowers. The Investment Committee of DFCC Bank is responsible for managing equity portfolio in line with the policies and the guidelines set out by the Board and the BIRMC. Allocation of limits for equities taken as collateral for loans and margin trading activities of customers and for our investment/trading portfolio forms part of the tools for managing the equity portfolio. Rigorous appraisal, proper market timing and close monitoring of the portfolio performance in relation to the market performance facilitate the management of the equity portfolio within the framework of investment strategy and the risk policy. DFCC Bank’s long-term investment horizon for equity investments smoothens out the adverse implications of the short-term market volatilities while enabling the Group to reap optimal benefits from the selected securities in the portfolio. Part of the Bank’s investment portfolio is also outsourced to well established and reputed investment management companies through a stringent evaluation process.

The indirect exposure to equity prices risk arising from margin lending of DFCC Bank is managed through the specific margin trading policy framework under the supervision of the Credit Committee. Each margin lending customer is carefully appraised for his track record with the Bank and the financial strength to meet margin calls, if needed, while the equity exposure arising in terms of collateral is assessed under a structured process set out in the Margin Trading Policy before the origination of the facility. Fundamentals of the lodged shares, market liquidity of the share and the diversification of the portfolio are considered as part of the assessment. Margin lending is governed by proper documentation and daily monitoring and management reporting as specified in the Margin Trading Policy.

Liquidity Risk

Liquidity risk is the risk of not having sufficient funds to meet financial obligations in time and in full, at a reasonable cost. Liquidity risk arises from mismatched maturities of assets and liabilities. DFCC Bank has a well set out framework for liquidity risk management and a contingency funding plan. The liquidity risk management process includes regular analysis and monitoring of the liquidity position by ALCO and maintenance of market accessibility. Regular cash flow forecasts, liquidity ratios and maturity gap analysis are used as analytical tools by the ALCO. Any negative mismatches up to the next quarter revealed through cash flow gap statements are matched against cash availability either through incremental deposits or committed lines of credit. Whilst comfortably meeting the regulatory requirements relating to liquidity, for internal monitoring purposes, the Bank takes into consideration the liquidity of each eligible instrument relating to the market at a given point in time as well as undrawn commitments to borrowers when stress testing its liquidity position. The maintenance of a strong credit rating [AA- (LKA)] and reputation in the market enable the DFCC Bank to access domestic wholesale funds. For short-term liquidity support the Bank also has access to the money market at competitive rates.

The CBSL Direction No. 7 of 2011 specifies that liquidity can be measured through stock or flow approaches. Under the stock approach, liquidity is measured in terms of key ratios which portray the liquidity in the balance sheet. Under the flow approach banks should prepare a statement of maturities of assets and liabilities placing all cash inflows and outflows in the time bands according to their residual time to maturity in major currencies. DFCC Bank primarily used the flow approach in measuring and managing liquidity risk, until amalgamation while DVB used both the flow and stock approaches and the Bank will continue to adopt both the methods in combination to assess liquidity risk in the future. In line with the long-term project financing business, the Bank focuses on long-term funding through dedicated credit lines while its commercial banking business focuses on Current and Savings Accounts (CASA) and Term Deposits as the key source of funding for its lending.

The structure and procedures for asset and liability management at the Bank have been clearly set out in the Board approved ALCO Charter, which is reviewed on an annual basis.

In October 2014, the Central Bank issued consultative guidelines for implementation of the minimum liquidity standards (Liquidity Coverage Ratio) under Basel III, which was implemented from April 2015. Accordingly, banks will be required to maintain an adequate level of unencumbered High Quality Liquid Assets (HQLAs) that can be easily and readily converted into cash to meet their liquidity needs for a 30 calendar day time horizon under a significantly severe liquidity stress scenario. The computations of LCR performed for DFCC Bank, DVB and at Group level indicated that the Banks were comfortably in compliance with the Basel III minimum requirements having sufficient High Quality Liquid Assets well in excess of the minimum requirements specified by the Central Bank (The minimum requirement is 60% of HQLAs to be maintained over the immediate 30-day net cash outflow for the year 2015).

Operational Risk

Operational risk is defined as the potential risk of loss resulting from inadequate or failed internal processes, people, systems and external events. It covers a wide area ranging from losses arising from fraudulent activities, unauthorised trade or account activities, human errors, omissions, inefficiencies in reporting, technology failures or from external events such as natural disasters, terrorism, theft or even political instability. The objective of DFCC Bank is to manage, control and mitigate operational risk in a cost effective manner consistent with the Bank’s risk appetite. The Bank has ensured an escalated level of rigor in operational risk management approaches for sensitive areas of its operations.

The Operational Risk Management Committee (ORMC) oversees and directs the management of operational risk of the Bank at an operational level with facilitation from the Operational Risk Management Unit of the IRMD. Active representation of the relevant departments and units of the Bank has been ensured in the process of operational risk management through the Operational Risk Coordination Officers.

Segregation of duties with demarcated authority limits, internal and external audit, strict monitoring facilitated by the technology platform and back-up facilities for information are the fundamental tools of operational risk management. Audit findings and management responses are forwarded to the Board’s Audit sub-committee for their examination. Effective internal control systems, supervision by the Board, senior management and the line managers forms part of ‘First Line of Defence’ for operational risk management at DFCC Bank. The Bank demands high level of technical skills, professionalism and ethical conduct from its staff and these serve as insulators for many operational risk factors.

The Bank’s Business Continuity Plan is in place as a contingency control measure and deals with natural/other catastrophes. The Bank carries out at least two disaster recovery drills every year. The loss of physical assets is mitigated through insurance.

The following are other key aspects of the operational risk management process in DFCC Bank:

  • Monitoring of the Key Risk Indicators (KRIs) for the departments/functions under the defined threshold limits using a traffic light system.
  • Operational risk incident reporting system and the independent analysis of the incidents by IRMD, and recognising necessary improvements in the systems, processes and procedures.
  • Trend analysis on operational risk incidents and review at the ORMC and the BIRMC.
  • Review of downtime of the critical systems and assess the reasons. The necessary risk and business impact is evaluated. Rectification measures are introduced once the tolerance levels are compromised.
  • Review of HR attrition and exit interview comments in detail including a trend analysis with the involvement of the IRMD. The key findings of the analysis are evaluated at the ORMC and the BIRMC in an operational risk perspective.
  • Establishment of Whistle Blowing process.
  • Establishment of the complaint management process of the Bank under the Board approved complaints management policy. IRMD periodically evaluates on the effectiveness of the complaints management process and reports to the ORMC and the BIRMC.

Reputation Risk

Reputation risk is the risk of losing public trust or tarnishing of the DFCC Bank’s image in the public eye. It could arise from environmental, social, regulatory or operational risk factors. Events that could lead to reputation risk events are closely monitored, utilising an early warning system that includes inputs from frontline staff, media reports and internal and external market survey results. Though all policies and standards relating to the conduct of the Bank’s business have been promulgated through internal communication and training, a specific policy was established to take action in case of an event which hinders the reputation. DFCC Bank has zero tolerance for knowingly engaging in any business, activity or association where foreseeable reputational damage has not been considered and mitigated. While there is a level of risk in every aspect of business activity, appropriate consideration of potential harm to the Bank’s good name is a part of all business decisions. The complaints management process and the Whistle Blowing process of the Bank include a set of key tools to recognise and manage reputation risk.

Business Risk

Business risk is the risk of deterioration in earnings due to the loss of market share, changes in the cost structure and adverse changes in industry or macroeconomic conditions. The Bank’s medium term strategic plan and annual business plan form a strategic road map for sustainable growth. Continuous competitor and customer analysis, and monitoring of the macroeconomic environment enable the Bank to formulate its strategies for growth and business risk management. The processes such as Planning, ALM, IT and Product Development in coordination with business functions facilitate the management of business risk through recognition, measurement and implementation of tasks. Business risk relating to customers is assessed in the credit rating process and is priced accordingly.

Legal Risk

Legal risk arises from unenforceable transactions in a court of law or the failure to successfully defend legal action instituted against the Bank. Legal risk management commences from prior analysis, and a thorough understanding of, and adherence to, related legislation by the staff. Necessary precautions are taken at the design stage of transactions to minimise legal risk exposure.

In the event of a legal risk factor, the legal unit of DFCC Bank takes immediate action to address and mitigate these risks. External legal advice is obtained or Counsel retained when required.

Compliance Risk

Compliance risk can be termed as the risk of legal or regulatory sanctions, financial losses or damages to the reputation of the Bank as a result of its failure to comply with all applicable laws, regulations, Codes of Conduct and Standards of good practice. The Bank ensures the effective compliance policies and procedures are followed and appropriate corrective actions are taken to rectify any breaches of laws, rules and standards if and when identified. A robust compliance culture has been established within DFCC Bank with processes and work flows designed with the required checks and balances to facilitate compliance. The compliance function works closely with the business and operational units to ensure the consistent management of compliance risk. Compliance is a key area of focus during the process of new product development and review. Head of compliance submits quarterly reports on the compliance status to the BIRMC and the Board to enable oversight to be exercised with the added safeguard of being subject to internal audit. A culture of compliance permeates all levels of DFCC Bank.

Anti-Money Laundering (AML)/CombatingTerrorist Financing (CTF)

In response to international best practices, global standards on AML and CTF, Sri Lanka has enacted laws relating to AML and CTF. Further, the Financial Intelligence Unit, under the purview of the Central Bank, has issued rules for Know Your Customer (KYC), and Customer Due Diligence (CDD) to identify and report suspicious transactions. DFCC Bank has taken necessary measures to implement these regulatory and legislative requirements for AML and CTF. The steps taken in this respect include customer identification and verification, maintenance of records, ascertaining sources of funds, monitoring and maintenance of AML/CTF programmes. The customers of DFCC Bank are subject to KYC/CDD measures.

Business Continuity Management

The Business Continuity Plan (BCP) of DFCC Bank ensures timely recovery of critical operations that are required to meet stakeholder needs based on identified disruptions categorised into various severity levels. BCP has been designed to minimise risk to human resources and to enable the resumption of critical operations within reasonable time frames with minimum disruption to customer service and payment settlement systems. The BCP site, which is located in a suburb of Colombo, is prepared in line with the BCP Guidelines issued by the Central Bank and is tested regularly to establish its effectiveness. Training is carried out to ensure that all staff is fully aware of their role within the BCP.

The DFCC Group’s Risk Capital Position and Financial Flexibility

The Group adopts a proactive approach to ensure satisfactory risk capital level throughout its operations. In line with its historical practice and the capital targets, the Group aims to maintain its risk capital position higher than the regulatory minimum requirements of 5% for Tier I and 10% for Total Capital. The risk capital position of the DFCC Group demonstrates the following key features:

DFCC Group Capital Adequacy Ratios

Under Simple Approaches of Basel II

Parameter Tier I % Total Capital %
Minimum regulatory requirement 5 10
DFCC Group capital position
- 31 March 2010 26.2 23.1
- 31 March 2011 28.0 26.9
- 31 March 2012 21.0 19.9
- 31 March 2013 20.8 19.3
- 31 March 2014 18.7 17.2
- 31 March 2015 17.7 16.6
- 31 December 2015 15.4 15.3

  • DFCC Group maintains a healthy risk capital position based on the local regulatory guidelines. The capital position as at 31 December 2015, demonstrates a cushion of about 10.39% and 5.32%, respectively, for Tier I and total capital over the minimum regulatory requirements.
  • The Group’s Tier I capital is higher than the total capital ratio, which reflects that its capital base mainly consists of equity capital, which has the higher risk absorption capacity.
  • Higher Tier I capital ratio, relative to the total capital ratio, ensures that Group carries flexibility for capital augmentation through mobilising qualifying Tier II capital, without a fresh issue of shares and without adversely impacting ROE, in case of a future portfolio growth or new business diversification.

Capital Adequacy Management

Capital adequacy measures the adequacy of the Group’s aggregate capital in relation to the risk it assumes. The capital adequacy of the Group has been computed under the following approaches of Basel II which are currently effective in the local banking industry.

  • Standardised approach for credit risk
  • Standardised approach for market risk
  • Basic Indicator approach for operational risk

Graph below shows DFCC Group’s capital allocation and available capital buffer as at 31 December 2015, based on the quantified risk as per the applicable regulatory guidelines. Out of the regulatory risk capital (total capital) available as at 31 December, credit risk accounts to 59.8% of the total capital while the available capital buffer is 34.7%.

Risk-Weighted Assets of DFCC Bank on a Solo and a Group Basis

Risk-weighted assets (quantified risk category as per the CBSL Guidelines) 31 December 2015 31 March 2015 31 March 2014
Bank Group Bank Group Bank Group
Credit risk 169,201 169,547 86,158 150,641 73,852 125,745
Market risk 1,218 1,218 2,655 2,720 2,896 3,069
Operational risk 14,395 14,385 7,637 14,034 7,575 13,172
Total 184,814 185,150 96,450 167,395 84,323 141,986

Further, DFCC Bank develops an ICAAP report which is in compliance with Pillar II of the Basel II framework. It focuses on formulating a mechanism to assess the Bank’s capital requirement covering all relevant risk and stress conditions in a futuristic perspective in line with the level of assumed risk exposures through its business operations. This ICAAP formulates the Bank’s capital targets, capital management objectives and capital augmentation plans. It evaluates the capital adequacy covering both Pillar I and Pillar II risks as well.

Financial Flexibility in the DFCC Group’s Capital Structure

Apart from the strong capital position reported on-balance sheet, the Group maintains a financial flexibility through the stored value in it its equity investment portfolio. The unrealised capital gain of the listed equity portfolio is included in the Fair Value Reserve and is currently not taken into consideration in the capital adequacy computation based on regulatory specifications.

Local Supervisory Background

Banking Supervision Department of the Central Bank of Sri Lanka (CBSL) has taken steps to strengthen the risk management aspects of the licensed banks in Sri Lanka by enforcing certain regulations, specifications, guidelines and recommendations from time to time, which are in line with the Basel II and Basel III recommendations. The following regulatory specifications are particularly crucial;

  • CBSL Direction No. 10 of 2007 on Maintenance of capital adequacy ratios. In this Direction, specifications were issued for the licensed banks to quantify and maintain the capital adequacy in line with the Basel II Standardized Approach for credit risk and market risk and Basic Indicator Approach for operational risk.
  • CBSL Direction No. 11 of 2007 on the Corporate Governance of Licensed Banks in Sri Lanka. In this Direction, the licensed banks are required to form a Board subcommittee on Integrated Risk Management with a defined scope of responsibilities.
  • CBSL Direction No. 7 of 2011 on Integrated Risk Management Frameworks of Licensed Banks issued in October 2011. This specifies the requirement for Integrated Risk Management Framework for the banks and issued specific guidelines for the structure, quantification and management of risk on an
    integrated approach.
  • CBSL Direction No. 5 of 2013 – Supervisory Review Process (Pillar 2 of Basel II) for Licensed Commercial Banks and the Licensed Specialised Banks.
  • CBSL Guidelines issued on 31 March 2014 on quantification of operational risk under the Standardised Approach of Basel II. Under this approach, the gross income of the banks will be recognised in 8 different business lines and different alpha factors (prescribed by the Basel II) will be applicable to quantify the operational risk exposures.
  • In October 2014, CBSL issued consultative guidelines for implementation of the minimum liquidity standards (Liquidity Coverage Ratio to be maintained by the banks) under Basel III. These guidelines were implemented from April 2015 through the CBSL Direction No 1 of 2015 on Liquidity Coverage Ratio under Basel III Liquidity Standards for LCBs and LSBs
  • Guidelines on Stress Testing of Licensed Commercial Banks and Licensed Specialised Banks were released by Bank Supervision Department in September 2014. The new direction has given recommendations for various sensitivity and stress test scenarios to be carried out to determine credit, exchange rate, interest rate, equity, liquidity, operational and other risks.
  • The regulation issued by CBSL in December 2014, requires LCBs and LSBs to increase their Core capital (equity capital) to LKR 10 billion and LKR 5 billion respectively, commencing 1 January 2016. This new CBSL direction will have no impact on DFCC Group.
  • Further consultative guidelines on implementation of Basel III, Minimum Capital Requirements and Leverage Ratio have been issued in June 2015. This Consultation Paper provided the proposed framework to implement the Basel III Minimum Capital Requirements across the banking sector with a view to further improving the quantity and quality of capital.

The bank has complied with all the currently applicable risk related regulatory requirements in addition to the internal requirements as given in the table below:

Risk Category Impact Key Risk Indicators Statutory/ Internal Limit Position as at 31.12.2015
Integrated Risk Management An adequate level of capital is required to absorb unexpected losses without affecting the Bank’s stability.
(Total capital as a percentage of total
risk-weighted assets)
Capital Adequacy Ratio
(Core capital as a percentage of total risk-weighted asset)
Regulatory Complied
Capital Adequacy Ratio
(Total capital as a percentage of total risk-weighted asset)
Regulatory Complied
Capital Adequacy Ratio
(Tier I as a percentage of total risk-weighted assets) (Total capital as a percentage of total risk-weighted assets)
Internal Complied
Concentration/Credit Risk Management When the credit portfolio is concentrated to a few borrowers or a few groups of borrowers with large exposures,there is a high risk of a substantial loss due to failure of one such borrower. Single Borrower Limit – Individual
(Amount of accommodation granted to any single company, public corporation, firm, association of persons or an individual/capital base)
Regulatory Complied
Single Borrower limit – Group Regulatory Complied
Aggregate large accommodation (Sum of total of the outstanding amount of accommodation granted to customers whose accommodation exceeds 15% of the capital base/outstanding amount of accommodation granted by the Bank to total customers excluding the Government of Sri Lanka) Regulatory Complied
Aggregate limits for related parties (Accommodation to related parties as per the CBSL Direction/Regulatory Capital) Internal Complied
Exposure to agriculture sector (As per the CBSL Direction) Regulatory Complied
Exposure to each industry sector (On-Balance Sheet exposure to each industry as a percentage of total Lending Portfolio) Internal Complied
Exposure to selected regions (On-Balance Sheet exposure to the regions as a percentage of the Total Lending Portfolio) Internal Complied
Leases Portfolio (On-Balance Sheet exposure to the leasing product as a percentage of Total Lending Portfolio Plus Securities Portfolio) Internal Complied
Exposure to GOSL Internal Complied
Non-Performing Ratio Internal Complied
Industry HHI Internal Complied
Maximum expected loss limits for each product line Internal Complied
Loan & OD – Exposure in BB and below grades Internal Complied
Loan & OD – Exposure in B and below grades Internal Complied
Leasing – Exposure in BB and below grades Internal Complied
Leasing – Exposure in B and below grades Internal Complied
Target Rating-wise PDs and provisions Internal Complied
Margin trading (Aggregate exposure of margin loans extended/total loans and advances) Internal Complied
Liquidity Risk Management If adequate liquidity is not maintained, the Bank will be unable to fund the Bank’s commitments and planned assets growth without incurring costs or losses. Liquid Asset Ratio for DBU (Average Monthly liquid assets/
total monthly liabilities)
Regulatory Complied
Liquid Asset Ratio for FCBU Regulatory Complied
Liquidity Coverage Ratio (All Currencies & Rupee only) Regulatory Complied
Market Risk Management Forex Net Open Long Position Regulatory Complied
Forex Net Open Short Position Regulatory Complied
Limit for counter party Off-Balance Sheet Market Risk Internal Complied
Net interbank borrowing exposure Internal Complied
Limit for settlement risk arising from market risk Internal Complied
Max holding period for trading portfolio Internal Complied
Treasury trading securities portfolio Internal Complied
Investment Risk Equity exposure – Individual (Equity Investment in a private OR public company/Capital fund of the Bank) Regulatory Complied
Equity exposure – Individual (Equity investment in a private OR public company/Paid-up capital of the Company) Regulatory Complied
Aggregate equity exposure in public companies (Aggregate amount of equity investments in public companies/capital fund of the Bank) Regulatory Complied
Aggregate equity exposure in private companies (Aggregate amount of equity investments in private companies/capital fund of the Bank) Regulatory Complied
Aggregate equity exposure in private and public companies
(Total investments in private and public companies/capital fund of the bank)
Regulatory Complied
Equity exposure (Equity exposure as a percentage of Total Lending Portfolio plus Securities Portfolio) Internal Complied
Equity exposure in each sector Internal Complied
Single equity exposure Internal Complied
Operational Efficiency Cost to income ratio (Solo) – Operational Cost/Operational Income Internal Complied
Operational Risk Adequately placed policies, processes, and systems will ensure and mitigate against excessive risks arising. This will result in the stability of the Bank. Reputation risk of the Bank and Group (Zero risk appetite) Internal Complied
Significant regulatory breaches (Zero risk appetite) Internal Complied
Inability to recover from business disruptions over and above the Recovery Time Objectives (RTO) as defined in the BCP of the Bank (Zero risk appetite) Internal Complied
Mis-selling of financial products and services
(Zero risk appetite)
Internal Complied
Failure to undertake risk-based customer due diligence
(Zero risk appetite)
Internal Complied
Internal fraud (Zero tolerance for losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or bank policy, excluding diversity/discrimination events, which involves at least one internal party). Internal Complied
External fraud (Very low appetite for losses due to act of a type intended to defraud misappropriate property or circumvent laws, by a third party) Internal Complied
Employee practices and workplace safety (Zero appetite for losses arising from acts inconsistent with employment, health or safety laws or agreements from payment of personal injury claims or from diversity/discrimination events) Internal Complied
Client products and business practices (Zero risk appetite for losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements) or from the nature or design of a product). Internal Complied
Damage to physical assets (Very low appetite for loss arising
from loss or damage to physical assets from natural disaster or other events).
Internal Complied
Business disruption and systems failures (Very low appetite for business disruptions/system failures for more than 30 minutes during service hours). Internal Complied
Execution, delivery and process management (Very low appetite for losses from failed transaction processing or process management). Internal Complied