Risk exists in all aspects of business and the environment in which the Bank operates. The Bank's collective risk management capability and competency supports successful implementation of strategic priorities and enables the development of a sustainable and resilient business that is responsive to the ever-changing environment. In the year 2012, the Bank achieved significant growth in business while ensuring risks were assumed in a considered manner within the risk appetite framework.


The risk management governance structure of the Bank begins with oversight by the Board of Directors. The Board has established the overall risk management framework, which sets strategic direction through policies and procedures for identification, assessment, monitoring, reporting and mitigation of risks. The Integrated Risk Management Committee (IRMC) assists the Board in discharging its duties on risk management.

The risk governance of the Bank is based on three lines of defense calling for accountability, responsibility, transparency and independent reporting.

Integrated Risk Management Committee (IRMC)

The primary purpose of the IRMC is to assist the Board in fulfilling its oversight responsibilities with respect to the operation and effectiveness of risk management and compliance functions. This committee is appointed by the Board of Directors and includes Board Members, the General Manager and the Chief Risk Officer.

The IRMC discharges the following duties:

Oversight of the risk profile and risk management of the business within the context of the Board determined risk appetite.

Making recommendations to the Board concerning the risk appetite and particular risks or risk management practices.

Reviewing strategic plans for mitigation of the material risks faced by the Bank.

Oversight of the implementation and review of risk management and internal compliance and control systems.

Promoting awareness of a risk based culture and achievement of a balance between risk and reward.

At the executive level, risk is overseen by the Chief Risk Officer (CRO), with the assistance of several management committees such as Credit Committee, Asset-Liability Committee (ALCO), Operational Risk Management Executive Committee (ORMEC), IT Steering Committee, Business Continuity Management Steering Committee, Investment Committee, Forged Cheques and Frauds Committee, Foreclosed Property Committee and the Non-Performing Advances Monitoring Committee, which are involved in managing various risks that the Bank is exposed to.

The Independent Integrated Risk Management Division (IIRMD), headed by the CRO, functions as a separate department, independent of the revenue-generating Strategic Business Units (SBUs), to provide management focus on specific risk issues prevalent within the business and to implement international best practices and regulatory guidelines. The Bank is in the process of initiating actions to comply with advanced approaches in risk management.


Credit risk arises from the potential that an obligor is either unwilling to perform on an obligation or its ability to perform such obligation is impaired, resulting in an economic loss to the Bank. The Bank's credit risk, which arises mainly from lending operations and investment activities, accounts for over 80% of the total risk-weighted assets. Hence it has been identified that effective management of credit risk is an essential component of the risk management process and critical to the long-term success of the Bank.

The goal of the Bank's credit risk management is to maximize the risk-adjusted rate of return by maintaining credit risk exposures within acceptable parameters.

Overall responsibility for credit risk management lies with the Board, and Board-approved credit risk management policies and procedures are in place for managing credit risk at both the individual credit and portfolio levels.

The Credit Committee has been delegated the responsibility for oversight of credit risk. The committee generally meets once a week. However, more frequent meetings may occur to respond in a timely manner to potential risk-related issues. The Credit Committee:

Formulates, reviews and revises policies and procedures relating to credit facilities, whilst ensuring compliance with statutory and regulatory requirements.

Approves extension of credits up to its delegated authority limits or makes appropriate recommendations to the Board of Directors.

Reviews the credit limits from time to time with a view to monitoring and ensuring maintenance of credit and service quality.

Monitors, reviews and renews portfolio exposures and concentration risk and remedial actions in respect of Non-Performing Advances.

The Bank has established specific credit criteria to define the types and characteristics of its preferred obligors. These criteria include business track record vis-à-vis industry peers, key financial indicators, target obligor risk grade (where available) and the terms and conditions under which the Bank is prepared to extend credit.

Exposure limits for single obligors, groups of related obligors, industries and geographic regions have been established through the Bank's risk appetite limits.

The Bank has a well-established process for approving new credits and for the renewal of existing credits, which encompasses the following elements.

A system for monitoring the condition of individual credits is in place and potential problem credits are identified and reported to the relevant authorities as and when required.

The Bank performs regular credit reviews to verify that credits are granted in accordance with the Bank's credit policies and to provide an independent judgment of asset quality. A comprehensive review is carried out at least annually and more frequent updates are carried out for "watch list" exposures. The Bank's risk management policy describes the administration of "watch list" credits in detail.

All credit exposures are properly and promptly graded to reflect the Bank's assessment of the borrower's credit strength. The Bank uses grading criteria that are sound and consistent with regulatory guidelines.

An internal risk rating system assigns a credit risk rating to borrowers which reflects their risk profile and likelihood of loss. It also enables a clear understanding of the overall risk profile of the Bank's credit portfolio.

The internal risk rating system developed by IIRMD is used to evaluate the risk profile of corporate borrowers, and it categorizes all credits into various risk grades. The distribution of borrowers across the risk grades is summarized below:

Risk ratings are assigned at the inception of lending and updated at least annually. However, the Bank reviews ratings as and when adverse events occur.

IIRMD has developed credit scoring models used in consumer lending to deliver cost-effective, efficient service to retail customers.

Concentration Risk

The Bank monitors credit risk on a portfolio basis to manage concentration risk. Concentration risk in credit portfolios arises due to uneven distribution of loans and advances to individual borrowers (single / name concentration) or to industries and geographical regions (sector concentration).

The Bank's loan portfolio is diversified across different industries and geographical regions.

The significant concentration shown in the two illustrations is mainly due to exposure to the government and state-owned enterprises.

The Bank has established appropriate limits to maintain concentration risk at an acceptable level and significant concentrations are reported to the Board and senior management for review.

Asset Quality

Despite the adverse weather conditions, slow economic growth and increase in interest rates, the Bank managed to contain the NPA level within the risk appetite of the Bank.

Risk Based Pricing

The risk-based pricing methodology adopted by the Bank places the necessary emphasis on the relationship between risk and return. This disciplines and promotes consistency in asset pricing and avoids a disproportionate share of under-priced risks.

Further information on credit risk management and measurement is included in Note 59 to the Financial Statements.


Market risk is the exposure to an adverse change in the market value of the Bank's positions in financial instruments caused by changes in market variables. The Bank maintains positions in foreign exchange, equity, debt securities and very minute positions in gold. The main sources of risk are foreign exchange rates, equity prices, interest rates and commodity prices.

Market Risk Management is an independent function that works in close partnership with the business segments to identify and monitor market risks throughout the Bank and to define market risk policies and procedures. The Bank manages the risk in its trading and non-trading portfolios through a comprehensive market risk management framework which includes market limits, risk appetite limits, value-at-risk (VaR) limits, stress testing and sensitivity analysis.

The Bank's market risk management objectives are to:

Ensure the Bank optimizes the risk-reward relationship while not exposing the Bank to unacceptable losses outside of its risk appetite

Facilitate efficient risk-reward decision making

Reduce volatility in operating performance

Understand and control market risk through robust measurement, reporting and oversight

Ensure that the capital charge for market risk is within the prudential levels

Provide transparency into the Bank's market risk profile for senior management, Board of Directors and regulators

The overall responsibility for market risk management lies with the Board. The Market & Liquidity risk management policy governs the market risk management framework of the Bank.

The Bank uses a range of complementary technical approaches to measure and control market risk including: Daily Value at Risk (DVaR), Price Value per Basis Point (PVBP), Duration and Stress Testing. DVaR is an estimate of the maximum potential loss that can arise from unfavourable market movements within a certain confidence level, if the current positions were to be held unchanged for one business day.

When arriving at DVaR, the following are taken into account:

Historical simulation uses the most recent 370 days of past data to generate possible future market moves, but the past may not be a good indicator of the future.

The one-day time horizon does not fully capture the market risk of positions that cannot be closed out or hedged within one day.

DVaR does not indicate the potential loss beyond the 99th percentile.

In recognition of VaR's limitations, the Bank augments VaR with stress testing to evaluate the potential impact on portfolio values of more extreme, though plausible, events or movements in market variables.

IIRMD reports to various levels of management on the market risk exposures through regular and ad hoc reports. A daily market risk report summarizes the Bank's market risk exposures and compares them against preset exposure limits. This daily report is presented to the CRO and other appropriate managers for review.

Interest Rate Risk

Interest rate risk is the potential volatility in the Bank's Net Interest Income caused by changes in market interest rates. The Bank's overall goal is to manage interest rate sensitivity so that movements in interest rates do not adversely affect Net Interest Income. Interest rate risk represents the most significant market risk exposure to the Bank's financial instruments. The Bank's interest rate sensitive portfolio consists mainly of government securities.

The following chart shows the Government Securities trading portfolio maturity analysis as at 31st December 2012.

The Bank uses PVBP and Duration techniques to assess the interest rate risk, which is calculated on a weekly basis and communicated to various levels of management. Duration and PVBP tables show the position of interest rate risk as at 31st December 2012.

Liquidity Risk

The Bank considers liquidity risk as one of the major risks. Being the largest commercial bank in the country with the largest asset base, the Bank plays a pivotal role in the economy.

The Asset & Liability Management Committee (ALCO) is primarily responsible for the management of liquidity in accordance with the Board-approved Asset and Liability Management (ALM) Policy of the Bank. ALCO comprises key corporate management members and is chaired by the General Manager. During the year 2012, twenty ALCO meetings were held and important decisions were taken to manage liquidity and interest rate risk. The Bank's funding plan was reviewed monthly and remedial measures were proposed to rectify any material deviations which might lead to a stress liquidity situation. The ALM unit, together with IIRMD, manages the liquidity and interest rate risk of the Bank to optimize the profitability and liquidity of the Bank.

The Bank has set up many funding channels through correspondent banks and always maintains high quality liquid assets such as government bonds to meet liquidity requirements. Further, periodic stress tests are carried out to determine the effects of specific as well as extreme events. Maturity gap analysis helps the Bank to identify the mismatches in the asset and liability profile, thus enabling funding decisions to be made. Maturity gap analysis as at 31st December 2012 is presented in note 54 to the financial statements. Key liquidity ratios are also monitored for prudent management of liquidity risk.

Foreign Exchange Risk

Foreign exchange risk is the current or prospective risk to earnings and capital that arises from adverse movements in foreign exchange rates which affect the value of the Bank's foreign exchange positions. The Bank keeps foreign exchange positions to facilitate client business and hardly ever for speculative purposes. The Bank aims to avoid net currency positions and has on average maintained low positions over 2012.

The Bank monitors foreign exchange risk through counterparty limits, money market limits, risk appetite limits and VaR measurements. IIRMD assures that any limit exceptions are duly reported and approved by the relevant higher authorities.

Forex VaR table shows the position of the overnight VaR under a 99% confidence interval as at year end.

Equity Risk

Equity risk arises due to changes in prices of securities which may adversely affect the Bank's financial position. The Bank has equity exposures in both primary and secondary markets as part of its trading activity, which is conducted in accordance with its investment policy. The investment policy sets forth prudent limits on the Bank's market exposures as well as exposures to individual securities within the overall limit. The investment policy also manages the concentration risk in the equity portfolio by limiting the overall size of industry-specific portfolios, with a maximum upper limit, as well as various other restrictive industry and customer concentration limits.

Equity securities held by the Bank are valued daily on a mark-to-market basis, and the IIRMD monitors the Bank's equity portfolio value and the loss limits on a daily basis in addition to the VaR computations.

The Bank is committed to maintaining a well-diversified trading investment portfolio to capture the diversification benefits. The following chart shows sector-wise exposure of the Bank's trading equity portfolio as at 31st December 2012.

VaR for equity risk is measured on a daily basis and reported to appropriate levels of management and the Board. The above chart shows the development of overnight equity VaR for 2012 against the mark-to-market profit & loss of the equity trading portfolio:


Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or external events. This includes legal risk, but excludes strategic risk and reputation risk.

The primary objective of operational risk management (ORM) is to ensure that operational risks are identified, assessed and mitigated to acceptable levels while allowing for the achievement of business and strategic goals.

In order to effectively and efficiently deliver its core purposes, the Bank has a comprehensive operational risk management framework which ensures:

all staff taking responsibility and ownership for managing the operational risk inherent in their day to day work

promoting and embedding a risk conscious culture throughout the Bank

proactive and consistent identification, assessment, mitigation, monitoring and reporting of operational risk

ORM policies define the principles, minimum standards and the ORM tools for the Bank.

The Bank considers that inculcating a risk culture is paramount to the effective management of operational risk. A strong operational risk culture is evident when individuals at all levels of the Bank are aware of the inherent risks and are dedicated to managing them within the approved risk appetite.

The Bank creates a risk conscious environment through promoting an operational risk culture:

of effective integration of ORM into day-to-day business decisions

where risk awareness is supported through exercise of appropriate judgment in the identification and management of risk

through not only complying with the law, regulations, delegated authorities and other compliance requirements but also extending to doing what is right

The Bank performs a number of risk analyses, using a number of techniques, which contribute to the ORM strategy and planning process.

Key Risk Indicators (KRI) are defined as statistics and/or metrics, often financials, which can provide insight into a bank's risk position.

KRI are used to alert the Bank to impending problems in a timely fashion. They allow monitoring of the Bank's control culture as well as the operational risk profile and trigger risk mitigating actions.

Within the KRI program, data is captured at a granular level, allowing for business environment monitoring and facilitating forward-looking management.

The Bank captures and monitors island-wide branch-level KRI and reports to different management levels and the IRMC on a quarterly basis.

Risk and Control Self Assessment (RCSA) is a methodology that involves reviewing and assessing the operational risk across the Bank as well as the internal controls designed to manage those risks.

The Bank uses a bottom-up approach in conducting the RCSA process. This process is carried out on a periodic basis in the areas with high risk potential, to take risk mitigating measures and to resolve the identified issues.

The reporting mechanism for "operational loss events" and "events disrupting business" enables detailed analysis and provides timely information to the management and the IRMC.

Systematic risk analysis, root cause analysis and lessons-learnt exercises are conducted for internal loss events as a preventive measure to reduce recurrence.

Analysis of external loss events occurring in the banking industry is performed to identify inherent areas of risk and to define appropriate risk mitigating actions.

The Bank has set internal alert levels for operational loss events at policy level.

The Bank conducts scenario analysis and stress testing on internal and external loss information to analyse the impact of extreme situations on capital, profitability and liquidity.

Further, the Bank maintains a comprehensive operational loss database using the eight by seven matrix (i.e. risk event type and business line) to support calculations under the Loss Distribution Approach (LDA).

Given below are the frequency and severity of operational risk events that occurred within the past two years.

Operational Risk Mitigation

The Bank is facing an environment marked by growing globalization and consolidation, rising customer expectations as well as the emergence of increasingly complex products, increasing regulatory requirements, rising technological innovation, mounting competition and automation. This has increased the probability of failure or mistakes from the operations point of view, resulting in increased focus on taking appropriate risk mitigating actions.

The Bank uses the following model to mitigate operational risk of different magnitudes.

Due to the heterogeneous nature of operational risk, in certain cases it cannot be fully mitigated. In such cases operational risk is mitigated following the "as low as reasonably possible" principle by balancing the cost of mitigation with the benefits thereof and formally accepting the residual risk. The Bank also avoids those events where the benefit is less than the cost of risk, with necessary approvals.

The Bank has a strong internal system which is a key component in minimizing operational risk. Further, the following policies and processes have been introduced by the Bank to minimise operational risk:

Information System Security

It is essential for a bank to ensure that information is secured from destruction, corruption, unauthorized access and breach of confidentiality, whether accidental or deliberate.

Secured communication is needed for both the Bank and its stakeholders to benefit from the advancements that are empowering the Bank.

The Bank has a Board-approved Information Security Policy, procedures and guidelines developed based on the ISO 27001 Standard. The management direction and support for the implementation of information security initiatives are provided by the Corporate Information Security Committee (CISC) headed by the General Manager.

The Bank's IT Steering Committee acts as a consultative forum that can effectively address the strategic needs in relation to Information Technology. This forum is also a mechanism to track the progress of IT initiatives, identify risks and formulate strategies to mitigate the same.

Business Continuity Plan

A key function of risk management is to ensure the continuity of business across the Bank by managing crisis situations. The Business Continuity Policy defines the intent of the management to establish a Business Continuity Plan (BCP) to counteract interruptions to business activities. The objective is to protect the critical products and services from the effects of business disruptions due to major failures, incidents or disasters and to ensure timely resumption of these critical processes.

The BCP defines scope, appropriate responsibilities, purpose, authority and relationships to ensure business continuity in all critical business divisions. It also includes the approach to Business Continuity adopted by the Bank.

As a key requirement of the Bank's BCP, a comprehensive Disaster Recovery Center is in place outside city limits with alternate arrangements to facilitate continuing key operations in the event of various pre-defined scenarios.

The Business Continuity Coordinating Unit is responsible for governance and oversight of the Bank's business continuity, and tracks, monitors and ensures compliance with documented policies. It ensures that all business units develop 'unit business continuity capabilities' for their respective functions. Three test runs were successfully completed within the year under review.

IIRMD oversees the functioning of the BCP and reports to the ORMEC and the IRMC on a regular basis.


The Bank uses a risk transfer strategy to mitigate high severity risk from non-controllable sources. Risk transfer is a means of exchanging the unknown financial impact of specified events for a known financial cost.

The Bank uses insurance as a risk transfer strategy. The Ceybank Insurance Services Unit of the Bank assesses the risk involved in various banking operations and obtains insurance covers from state-owned insurance service providers.

The Bank's indemnity policy provides a comprehensive cover against risks arising from banking operations. In addition, the Bank uses property insurance to transfer the risk of damages to physical assets from natural disasters and other hazards.


After comprehensive evaluation of service providers, the Bank outsources certain functions to reduce cost and to compensate for a lack of expertise or resources. The outsourcing functions are covered through robust contracts or service level agreements that ensure a clear allocation of responsibilities between external service providers and the Bank.

Legal Risk

Legal risk falls within the definition of operational risk. It arises due to legal implications of failed systems, people, processes or external events. The Bank's Legal Department consists of experienced and compliant legal officers. The responsibility of executing legal actions on behalf of the Bank is vested with the Legal Department.

The Chief Legal Officer assists the ORMEC in addressing legal implications of the Bank's operational risk issues.


Strategic risk is the possibility that the Bank may face financial losses as a consequence of managerial imperfections or incorrect determination of strategic goals and objectives.

The Bank's strategic direction is well articulated in the corporate plan and a robust mechanism is in place to ensure the congruence of the actual performance with the strategic direction.

Having identified the significance of strategic risk in the risk profile, the Bank has established a procedure through ICAAP (Internal Capital Adequacy Assessment Process) to assess strategic risk using a five-parameter scorecard-based model. The IRMC monitors the strategic risk on a continuous basis.


Reputation risk is the current and prospective impact on profitability and capital arising from negative public opinion.

In a volatile global marketplace, where media coverage is almost simultaneous across the world, reputation is a key source of competitive advantage. Trust and confidence are understood to be the key business drivers for banks, which deal with public money.

As the premier bank in the country, the Bank has identified the importance of safeguarding its reputation and considers it as the mirror of the Bank's trust mark.

The Bank is therefore dedicated to managing reputation risk by promoting strong corporate governance and risk management practices at all levels of the organization, by understanding how different aspects of its business activities affect stakeholders, through effective communication and by complying with current laws and regulations.

According to the definition under Basel II guidelines, reputation risk is addressed under the Pillar II ICAAP framework. The Bank uses a scorecard approach to assess the reputation risk on a half-yearly basis.


The primary objective of Capital Management is to ensure maintenance of the minimum regulatory capital requirement. The Bank ensures that adequate capital has been allocated to achieve strategic objectives within the risk appetite of the Bank.

As at 31st December 2012, the Bank maintains a Tier I ratio of 8.26% and a Tier I plus Tier II ratio of 11.45%, which is above the CBSL minimum regulatory capital requirement.

Covering all types of risk in a comprehensive manner across all business lines is a big challenge. The Basel II accord has introduced a framework to capture risks which were not taken into consideration under pillar I. This alternative approach is known as the Internal Capital Adequacy Assessment Process (ICAAP) which conducts capital assessment depending on the total risk level of the Bank.


ICAAP documents in detail the inherent risks, under both pillar I and II, in the banking business and sets out the controls and mitigations that a bank uses in respect of the risk and capital profile.

Considering the nature, size and complexity of the operation, the Bank carries out a capital assessment process to understand the optimum capital level required to meet unforeseen contingencies.

The ICAAP process is governed by two principal requirements for the Bank:

to have an internal capital adequacy process and strategy linked to their capital levels

to hold capital in excess of the regulatory minimum

To adhere to the above principles, the Bank has put in place policies and processes to measure, monitor and report all material risks and ensure the Bank can survive under severe conditions without exhausting resources and capital.

Stress Testing

Stress testing is an integrated test that shows to varying degrees whether a bank can withstand unforeseen scenarios of varying severity under adverse economic, political and physical changes to the environment in which it operates.

The stresses and scenarios are used to consider whether the capital is sufficient for the business to meet its financial adequacy targets.

The stress-testing framework of the Bank covers a number of different types of tests:

Stresses to business assumptions

Stresses to credit exposures

Stresses to market movements and interest rates

Stresses to liquidity

Significant macro-economic or operational events which may affect earnings, capital and liquidity

The Bank uses three levels of severity for each scenario. Depending on how large the credit, market and operational losses would be, the Bank defines the levels of severity as mild, moderate and worst. Results obtained from stress testing provide the management and the Board with a clear perspective of the potential risks.


The Bank treats compliance as part of its voluntary duty towards the betterment of the country and the society. Apart from the legal and regulatory requirements in the area of compliance, the Bank is committed to strictly observe banking ethics and standards to fulfill its social responsibility.

The lessons learned from the financial crises that emerged one after another have made the compliance framework more rigid for financial institutions irrespective of their location. The international banking community is exploring all avenues to immunize the banking system against socially harmful activities such as money laundering, terrorist financing and drug trafficking, in order to protect the global financial system against further crises.

The Bank, being internationally active and the holder of a major share in cross-border transactions of the country, is fully committed to complying with the efforts of the international banking community.

Compliance is adherence to laws, regulations, regulatory guidelines, internal controls, standards and codes of conduct in matters concerning the observance of proper standards and ethics of market conduct, approved policies in all areas of operations, and dealing with matters such as prevention of money laundering and combating terrorist financing.

Compliance Risk and Compliance Functions

Compliance risk is the current and prospective risk of impairment of the Bank's integrity, leading to damage to the Bank's reputation, legal or regulatory sanctions or financial loss due to non-compliance. The Bank has made maximum efforts to keep compliance risk to a bare minimum.

The compliance functions at the Bank are performed to comply with all relevant laws, regulations and guidelines, inclusive of the Convention on the Suppression of Terrorist Financing Act – No. 25 of 2005, Prevention of Money Laundering (PMLA) Act – No. 5 of 2006, Financial Transaction Reporting (FTRA) Act – No. 6 of 2006 and the Customer Charter of Licensed Banks issued by the Central Bank of Sri Lanka. The Bank's well-defined compliance functions, the systems and procedures adopted in extracting and transmitting data to regulatory authorities, its sensitiveness to environment activities and the good coordination and relationship maintained with the regulatory authorities help it achieve the ultimate goal of being fully compliant.

Establishment of Independent Compliance Department

The effectiveness of the compliance functions depends on the independence of the Compliance Department. Further, the business expansion of the Bank has extended the dimensions of business volume and products, which in turn prompted the need to strengthen the Compliance Department to cater for the workload. In view of these facts, the Corporate Management of the Bank decided to bring the Compliance Department under the purview of a separate Assistant General Manager. Accordingly, the compliance unit was transformed into the Compliance Department in August 2012 and is being handled by the Assistant General Manager (Compliance).