INTEGRATED REPORT
As permitted by the International Framework, this Annual Report features a dedicated Integrated Report section, followed by Financial Statements and Supplementary Information. Structured per the Framework’s guiding principles and content elements, it provides a balanced view of our value creation process. As affirmed in the Annual Report of the Board of Directors on page 4, due diligence has been exercised to ensure its integrity, accuracy, and relevance to all stakeholders.
FINANCIAL STATEMENTS
The Financial Statements, including Accounting Policies and notes, fully comply with relevant Accounting Standards, providing a true and fair view of the Bank’s performance, financial position, equity changes, and cash flows. As confirmed in the Auditor’s Report, they are free from material misstatements. The Independent Auditor’s Report affirms an unmodified opinion on these Financial Statements.
SUPPLEMENTARY INFORMATION
This section provides supplementary disclosures enhancing the Bank’s financial and non-financial reporting. It includes governance, compliance, sustainability disclosures, assurance reports, and key financial data, ensuring transparency and accountability. These annexures offer stakeholders insights aligned with best practices.
- Annex 1: Compliance with Governance Directions, Rules and Codes
- Annex 2: Basel III – Disclosures under Pillar III as per the Banking Act Direction No. 01 of 2016
- Annex 3: GRI Content Index
- Annex 4: Our Sustainability Footprint
- Annex 5: Disclosures Relating to Sustainability Accounting Standard for Commercial Banks
- Annex 6: Independent Assurance Reports
- Annex 7: The Bank’s Organisation Structure
- Annex 8: Financial Statements (US Dollars)
- Annex 9: Correspondent Banks and Agent Network
- Annex 10: Glossary of Financial and Banking Terms
- Annex 11: Acronyms and Abbreviations
- Annex 12: Alphabetical Index
- Annex 13: Index of Figures, Tables and Graphs
- Notice of Meeting – 56th Annual General Meeting
- Circular to the Shareholders on the First and Final Dividend for 2024
- Notice of Meeting – Extraordinary General Meeting
- Circular to Shareholders Pertaining to the Proposed Issue of Debentures
- Stakeholder Feedback Form
- Corporate Information


Risk governance and management
Navigating risks in a recovering economy
The year 2024 marked a pivotal turning point for Sri Lanka’s economy, as the country made significant strides in its post-crisis recovery. After the severe economic and foreign exchange crisis of 2022, the country's reforms, supported by the USD2.9 Bn. IMF program, started to show positive outcomes. Real GDP expanded by 5.2% in the first 9 months of 2024, the highest growth rate in 5 years, signaling renewed stability and confidence. Additionally, the successful completion of Sri Lanka’s debt restructuring in December 2024 further strengthened its fiscal position, laying a foundation for long-term economic resilience. Notably, these achievements were realised despite the political uncertainties of holding two key elections, underscoring growing institutional stability and policy continuity.
Amidst these developments, monetary policy played a crucial role in balancing growth with stability. To support economic expansion, the Central Bank of Sri Lanka (CBSL) gradually reduced the Standing Deposit Facility Rate (SDFR) and the Standing Lending Facility Rate (SLFR) from 9% and 10% at the beginning of the year to 8.25% and 9.25% respectively by October 2024. In November, CBSL introduced a unified Overnight Policy Rate (OPR) at 8%, marking a key shift towards a simplified monetary policy framework. Combined with easing energy prices and administrative interventions, these measures anchored inflation at a medium-term target of 5%, with the Colombo Consumer Price Index (CCPI) recording a year-on-year deflation of 1.70% in December 2024.
Despite these positive developments, challenges persist. The IMF has emphasised the importance of fiscal prudence, particularly in achieving tax revenue targets and reforming state-owned enterprises, as the country works towards a primary surplus target of 2.3% of GDP in 2025. Structural vulnerabilities in Sri Lanka’s economy necessitate sustained policy discipline and continued reforms. Additionally, global economic uncertainties and potential commodity price fluctuations demand careful monitoring of the economic environment.
For the banking sector, these dynamics create a complex risk landscape. While economic recovery presents new opportunities, potential volatility in inflation, interest rates, and fiscal policy decisions necessitates proactive risk management. The Bank continued to strengthen its risk frameworks, with a heightened focus on stress-testing, scenario analysis, capital adequacy and internal measures ensuring regulatory compliance. Robust credit risk management remains critical as businesses and individuals adjust to evolving economic conditions. Furthermore, ongoing investments in digital transformation, operational resilience and skill development are vital to navigating an increasingly sophisticated risk landscape.
As the economy transitions from crisis to recovery, a prudent and forward-looking approach to risk management is more important than ever. The Bank remains committed to safeguarding its financial soundness while supporting the country’s economic revival. By staying agile and adaptive in a rapidly evolving landscape, the Bank will continue to manage risks effectively, ensuring sustainable growth and stability for all stakeholders.
Balancing growth and risk
As a leading financial institution, the Bank's operations center on financial intermediation and maturity transformation (refer to the Business Model for Sustainable Value Creation). As of December 31, 2024, the Bank managed an on-balance sheet asset base of Rs. 2,789.78 Bn., leveraging its capital base of Rs. 285.63 Bn. by 9.8 times. While this leverage facilitates growth, it necessitates vigilant management of key risks – credit, operational, and market risks – aligned with Basel capital adequacy standards.
Beyond these core risks, emerging challenges such as digital disruptions, geopolitical volatility, and evolving regulatory frameworks introduce additional complexities. These external uncertainties, coupled with sector-specific risks, have the potential to influence all risk categories.
The Bank’s robust risk governance framework and proactive management strategies ensure a well-calibrated balance between risk and return. By continuously refining risk mitigation techniques, the Bank safeguards stakeholder confidence, particularly among depositors, and upholds its commitment to sustainable value creation.
Advancing risk management
As the authority for designing, calibrating, and deploying risk rating models, the Integrated Risk Management Department (IRMD) has bolstered the Bank's compliance with regulatory requirements and enhanced the acceptability of these models. To ensure the robustness of credit risk evaluation frameworks for its lending operations, the IRMD has implemented external validation processes, covering all credit risk assessment models, subject to periodic review.
To extend its expertise beyond the core banking operations, the IRMD has collaborated with the Bank’s financial subsidiaries as well as its Bangladesh operations to implement best practices in managing credit, operational, market, and environmental risks across the Group.
The introduction of the Data Governance and Business Intelligence Unit marks another milestone, enabling enhanced regulatory compliance and robust internal data protection measures. With a view to enhancing operational efficiency and significantly reducing turnaround times in SME lending, the IRMD collaborated with the internal stakeholder units to recalibrate SME credit scoring models.
Looking ahead, IRMD’s strategic focus includes digital transformation initiatives such as implementing a Data Repository and Data Marts. Further, the Department has outlined a five-year plan to integrate Environmental, Social, and Climate Risk (ESCR) considerations into the Bank’s Risk Management Framework. This plan aims to align climate risk governance, scoring, and data-driven disclosures with the Bank’s sustainability goals, ensuring resilience, regulatory compliance, and sustainable growth.
By embedding sound risk management practices and leveraging technological advancements, IRMD continues to play a pivotal role in driving the Bank’s strategic objectives and ensuring long-term value creation.
Key objectives of risk oversight
The key objectives of the Bank’s risk governance framework and risk management function are designed to ensure resilience, stability, and sustainable growth. These objectives include:
- Building a robust risk management structure: Establishing a well-defined organisational framework for effective risk oversight and management across all levels of the Bank.
- Defining and aligning risk appetite: Articulating the desired risk profile, encompassing risk appetite and tolerance thresholds, to align with the Bank's strategic objectives.
- Fostering a positive risk culture: Promoting a culture where values, beliefs, and practices encourage proactive risk awareness and informed decision-making.
- Assigning responsibility and accountability: Clearly defining responsibilities for accepting, mitigating, transferring, or minimising risks, with a focus on recommending optimal approaches.
- Ongoing risk profiling: Continuously monitoring and evaluating the Bank’s risk profile against approved risk appetite to maintain alignment with strategic goals.
- Quantifying potential losses: Identifying plausible risk exposures and estimating potential financial and operational impacts.
- Conducting stress-testing: Regularly performing stress tests to ensure the Bank maintains sufficient capital and liquidity buffers to absorb shocks and meet obligations.
- Leveraging technology in risk management: Adopting advanced analytics and digital tools to enhance risk assessment, monitoring, and reporting.
- Integrating risk with strategy: Embedding risk considerations into the formulation and execution of business strategies to align operational decisions with risk objectives.
- Optimising capital utilisation: Ensuring that capital is effectively deployed to achieve an optimal balance between risk and return.
- Enhancing risk communication: Strengthening communication channels to ensure a shared understanding of risks across all organisational levels.
- Promoting stakeholder trust: Demonstrating robust risk governance to maintain confidence among stakeholders, including investors, customers, and regulators.
Key challenges to risk oversight in 2024
- Challenges in addressing Environmental, Social, and Governance (ESG) risks and Climate Risk assessment: The increasing global and local focus on ESG factors presents significant challenges for the banking sector. Sri Lankan banks face hurdles in developing and integrating robust climate risk assessment frameworks, as these frameworks are still in their infancy. The absence of established benchmarks and the need for significant investments in tools, expertise, and systems further compound these challenges.
- Aligning with global ESG standards and opportunities in sustainable finance: Simultaneously, heightened regulatory expectations for ESG compliance drive the need for structured climate finance strategies. The Bank is proactively aligning with SLFRS S1 & S2 reporting standards, expanding its green finance portfolio, and developing sustainability-linked credit products. Key initiatives include implementing a Climate Risk Assessment Framework, developing a Climate Transition Plan, conducting stress-testing for ESG factors, and fostering stakeholder engagement. By embedding ESG principles into core lending and investment decisions, the Bank aims to mitigate regulatory and reputational risks while positioning itself as a leader in sustainable finance.
- Climate risk integration in credit and stress-testing: Given Sri Lanka’s vulnerability to natural disasters, integrating climate risk into credit evaluation processes and stress-testing is becoming a priority. The Bank is planning to commence climate-related stress-testing in 2026, which will involve assessing the potential financial impacts of extreme weather events on borrowers and the portfolio. This integration requires the development of robust methodologies, access to reliable environmental data, and training for risk management professionals to interpret climate-related risks effectively.
- Infrastructure and expertise gaps in digitisation: While the banking industry is accelerating its digital transformation, gaps in digital infrastructure, limited expertise, and slow adoption rates present significant challenges. Collaborative efforts with the Bank’s Data Science Team of the IT Research & Development Unit and external consultants are crucial to bridge these gaps. This journey highlights the need for continuous skill development within the IRMD as well as among the stakeholder departments and units and alignment across departments to achieve meaningful digital transformation.
- Heightened regulatory requirements: Stricter regulatory requirements regarding compliance, corporate governance, capital adequacy, liquidity management, and sustainability are expected to intensify over the next 2–3 years. Banks will be required to allocate substantial resources to meet these evolving demands. This includes implementing governance and risk frameworks that align with both local and international regulations. Adhering to these requirements while managing costs and operational efficiency will be a significant balancing act for the Bank.
- Cybersecurity risks and data protection: The banking sector faces an escalating threat from cyberattacks and data breaches, necessitating continuous investments in robust cybersecurity frameworks. The Bank prioritises the protection of customer and institutional data through multi-layered security measures. Proactive cybersecurity initiatives include periodic vulnerability assessments/penetration testing, independent security assessments, and ongoing employee training to reinforce cyber hygiene practices. The Bank also ensures strict adherence to CBSL directives and global cybersecurity standards, including ISO/IEC 27001 and Payment Card Industry Data Security Standards (PCI DSS), further strengthening its resilience against evolving cyber threats.
- Talent acquisition and retention challenges: The demand for skilled risk professionals with up-to-date knowledge in relevant technologies is growing, both locally and globally. Attracting and retaining such talent is becoming increasingly challenging owing to scarcity, especially for specialised skills such as ESG risk analysis, cybersecurity, and data analytics. The Bank is on a journey of nurturing internal talent while positioning itself as a preferred employer to attract external expertise.
- Rising operational costs and efficiency pressures: The transformation of legacy risk management processes into digital formats is already underway with the collaborative support of stakeholder units as well as through the services of external consultants. However, optimising resource allocation, leveraging automation, and ensuring cost efficiency remain ongoing challenges.
- Technological obsolescence: Rapid advancements in technology demand continuous upgrades to systems and processes. Falling behind on technological adoption could affect operational resilience and the ability to compete in an increasingly digitalised banking landscape.
Key risk management initiatives adopted in 2024
- Digital transformation in risk management: The IRMD has taken significant strides in digitizing risk management processes. Initiating the implementation of a Risk Data Repository and Data Marts, the Department is on a transformative journey. These initiatives aim to streamline risk management activities, enhance internal governance, and drive greater operational efficiency, consistency and alignment across departments.
- Integration of environmental and social risks: Recognising the importance of environmental and social factors, the Bank has incorporated these risks into its Internal Capital Adequacy Assessment Process (ICAAP). This enhancement enables improved evaluations of potential impacts through internally developed stress-testing methodologies.
- Enhanced application of Risk Adjusted Return on Capital (RAROC): Strengthening credit risk evaluation, the Bank has externally validated its RAROC assessment methodologies and processes, ensuring adherence to global best practices and reinforcing its commitment to prudent risk management.
- Integrating climate risk governance: The Bank is aligning with global standards by embedding climate risk governance, scoring, and data-driven disclosures into its Risk Management Framework. This initiative enhances the Bank’s resilience to climate related risks, ensures compliance with evolving regulatory requirements, and promotes long-term sustainable growth.
- Commitment to customer centricity: Comprehensive internal training and knowledge sharing programs were conducted for Branch Managers and Credit Analysts. These sessions covered credit risk analysis, ECL assessment of Individually Significant Customers (ISCs) and environmental and social considerations, equipping stakeholders with essential expertise.
- Strengthened credit risk review process: The Credit Risk Review (CRR) mechanism has been enhanced, resulting in improved identification of potential credit deteriorations and minimised delinquencies. This progress is driven by the expansion of the centralised online oversight system, which now encompasses additional lending units and provides the IRMD with a growing wealth of timely and actionable risk insights, strengthening operational efficiency and decision making.
- Expansion of ECL review practices: The IRMD has enhanced its independent review of ECL assessments for ISCs. This enhancement expands coverage to encompass all lending units within the Bank's domestic and Bangladesh operations. The expanded scope has resulted in demonstrably improved consistency and accuracy of ECL assessments, coupled with enhanced coordination with lending units.
- Revision of threshold limits: In light of improving economic conditions and a healthy portfolio, and with Board approval, the Bank has adjusted the threshold limits for credit proposals reviewed by the IRMD, coupled with a differentiated threshold framework for credit proposals, predicated on validated internal credit risk rating models. This revision reflects the Bank's responsiveness to market dynamics and the commitment to achieve optimised resource allocation and enhanced operational efficiency. Critically, the IRMD maintains a strong focus on significant credit exposures, ensuring rigorous oversight even with adjusted thresholds.
- The Risk Elevated Industry (REI) assessment process: This process, encompassing both initial assessments and subsequent reviews for credit facility upgrades, has been centralised and entrusted to the IRMD. This centralisation enhances efficiency, eliminates operational burden from Lending Officers, and ensures improved accuracy, consistency, and expedited processing of these critical risk assessments.
- Integration of technology risk into Risk and Control Self Assessment (RCSA) Framework: Broadening its risk management scope, the IRMD has successfully integrated technology risk into the RCSA framework, enhancing the Bank's resilience to technological vulnerabilities.
- Pursuit of ISO 22301:2019 certification: To align with global best practices in Business Continuity and Disaster Recovery, the Bank has engaged external expertise to achieve ISO 22301:2019 certification. This underscores its commitment to operational excellence and organizational sustainability.
- Introduction of Technology Risk Framework and setting up steering committee: Introduced in tandem with the Bank’s rapid adoption of new technologies, these measures act as a balancing mechanism that helps the Bank manage the relatively new risks it may be exposed to in the new digital era.
- Strengthening Data Governance: A Data Breach Handling Policy and Procedure were implemented to strengthen and enhance the Bank’s overall Data Governance Policy Framework, in accordance with the Personal Data Protection Act 09 of 2022.
Details of the specific activities undertaken by the Board Integrated Risk Management Committee (BIRMC) during the year to strengthen risk governance and management are given in its report on pages 218 and 220 of this Annual Report.
Risk Appetite and Risk Profile
The Board-approved Risk Appetite Statement (RAS) sets the strategic parameters for risk-taking, defining acceptable risk thresholds and guiding capital allocation decisions. This framework outlines:
- Quantitative risk limits: Preferred asset quality ratios, market risk thresholds, and capital adequacy buffers
- Qualitative risk parameters: The Bank’s stance on reputational, strategic, and compliance risks
- Dynamic risk considerations: Real-time adjustments based on macroeconomic trends and stress-testing outcomes
The RAS is continuously reviewed against emerging market dynamics, regulatory shifts, and stress scenario assessments, ensuring that the Bank remains well-capitalised and resilient under varying economic conditions.
The risk management function provides regular updates to the Management, BIRMC, and the Board through detailed reports, including Key Risk Indicators (KRIs) and a comprehensive Risk Profile Dashboard. These updates enable continuous monitoring of the Bank’s risk profile, ensuring that it remains within the approved risk appetite. Prompt corrective actions are taken to address any deviations, safeguarding the Bank's adherence to established risk limits.
The Bank’s risk profile is anchored in its strong capital adequacy and liquidity positions, which determine its capacity to manage risks effectively. It is characterised by a portfolio of high-quality assets and a stable, diversified funding base across geographies, sectors, products, currencies, sizes, and tenors. A detailed comparison of the risk profile of the Bank’s Sri Lankan operations as of December 31, 2024, and December 31, 2023, against the defined risk appetite and regulatory or Board-approved policies is given below.
Risk profile (Table – 50)

| Risk category | Key Risk Indicator | Policy parameter | Actual position as at December 31, 2024 | Actual position as at December 31, 2023 |
| --- | --- | --- | --- | --- |
| Credit risk: | | | | |
| Quality of lending portfolio | Impaired loans Stage 3 ratio (%) | 2 – 5 | 3.05 | 5.85 |
| | Impairment (Stage 3) to Stage 3 loans ratio (%) | 40 – 45 | 64.61 | 43.22 |
| | Weighted average rating score of the overall lending portfolios to be better than ‘6’ (%) | 35 – 40 | 80.35 | 80.89 |
| Concentration | Loans and advances by product – Highest exposure to be maintained as a percentage of the total loan portfolio (%) | 30 – 40 | 35.01 | 35.40 |
| | Advances by economic sub sector (using HHI – Herfindahl-Hirschman Index) | 0.015 – 0.025 | 0.0111 | 0.0136 |
| | Exposures exceeding 5% of the eligible capital (using HHI) | 0.05 – 0.10 | 0.0067 | 0.0095 |
| | Exposures exceeding 15% of the eligible capital (using HHI) | 0.10 – 0.20 | 0.0054 | 0.0049 |
| | Exposure to any sub sector out of total loan portfolio to be maintained at (%) | 4 – 5 | 2.74 | 3.18 |
| | Aggregate of exposures exceeding 15% of the eligible capital (%) | 20 – 30 | 16.88 | 15.04 |
| Cross border exposure | Rating of the highest exposure of the portfolio on S&P Investment Grade – AAA to BBB- | AA | AAA | AAA |
| Market risk: | | | | |
| Interest rate risk | Interest rate shock: (Impact to NII as a result of 100bps parallel rate shock for LKR and 25bps for FCY) (Rs. Mn.) | Maximum of 2,000 | 805.25 | 100.79 |
| | Maximum repricing gap (RSA/RSL in each maturity bucket – up to one-year period) (Times) | <1-1.5 | 0.84 | 0.99 |
| Liquidity risk | Liquidity Coverage Ratio (LCR) for All Currencies (%) | 100 | 454.36 | 516.27 |
| | Net Stable Funding Ratio (NSFR) (%) | 100 | 187.29 | 193.70 |
| Foreign exchange risk | Exchange rate shocks on Total FCY exposure (at 1% exchange rate sensitivity) (Rs. Mn.) | 750 | 562.68 | 602.23 |
| Operational risk | Operational loss tolerance limit (as a percentage of last three years average gross income) (%) | 3 – 5 | 0.504 | 0.226 |
| Strategic risk: | | | | |
| | Capital adequacy ratios: CET 1 (%) | Over 8.5 | 14.227 | 11.442 |
| | Capital adequacy ratios: Total capital (%) | Over 14.0 | 18.142 | 15.151 |
| | ROE (%) | Over 15.0 | 22.06 | 9.78 |
| | Creditworthiness – Fitch Rating | AA(lka) | A(lka) | A(lka) |

(RSA – Rate Sensitive Assets, RSL – Rate Sensitive Liabilities)
Credit rating
Fitch Ratings upgraded the National Long-Term Ratings of ten Sri Lankan banks, including our Bank, following the recent sovereign upgrade and the recalibration of the agency’s Sri Lankan National Rating Scale. As part of this process, our Bank’s National Long-Term Rating was upgraded to AA-(lka) from A(lka), effective January 21, 2025. The recalibration of Sri Lanka’s National Rating Scale was prompted by Fitch’s upgrade of Sri Lanka’s Long-Term Local-Currency Issuer Default Rating (IDR) to “CCC+” from “CCC” on December 20, 2024.
This upgrade reflects the Bank’s strong credit fundamentals and resilience amidst a stabilizing macroeconomic environment. The improved sovereign credit profile and recalibrated rating scale have further bolstered the risk profile of the Sri Lankan banking sector. The Stable Outlook highlights the Bank’s ability to navigate the current operating environment while maintaining robust financial performance and a solid capital base.
Roadmap for 2025 and beyond
The Bank’s strategic risk outlook for 2025 and beyond is shaped by an evolving economic and regulatory landscape, necessitating a resilient and adaptive risk management framework. The IRMD has outlined three transformative priorities to enhance risk governance and drive sustainable growth:
- Value addition to decision making through digitisation (i.e. provision of robust risk insights via digital platforms for effective business decision making).
- Internal customer experience (i.e. customer centricity through continuous process improvements).
- Enhancement of ESCR function into value creation (i.e. forerunner among peers from an ESCR perspective).
By embedding sound risk analytics, fostering a culture of agility, and reinforcing ESG-driven risk frameworks, the Bank is positioning itself for future-ready risk governance that supports its growth and sustainability ambitions.
To achieve these objectives, the IRMD will undertake a series of strategic initiatives designed to strengthen the risk management framework:
- Serving internal customer demands by providing granular risk insights, prioritised through digital platforms.
- Expanding the existing CRR function to transform it to a digitised process to assist line Management and Lending Officers in making swift credit decisions.
- Increased automated operational risk monitoring and operational risk best practices.
- Automated processes for liquidity level monitoring.
- Increasing IT Risk Management coverage to capture the risks associated with emerging technologies.
- Risk leadership to new business models/initiatives of the Bank.
- Inclusion of risk management and governance to the Bank’s equity investment portfolio.
- Risk management of the Bank’s digital channels in order to secure customers’ digital journey with the Bank.
- Integrating climate risk governance, scoring, and data-driven disclosures into the Bank’s existing risk management framework to enhance resilience, regulatory compliance, and sustainable growth.
By pursuing these initiatives, the IRMD aims to strengthen its capabilities and deliver on its commitment to proactive risk management. These efforts will enhance resilience to future uncertainties, improve regulatory compliance, and align with the Bank’s vision of fostering sustainable growth in a rapidly changing environment.
Risk Management Framework
The Bank’s Integrated Risk Management Framework (IRMF) is a robust and comprehensive structure designed in accordance with CBSL guidelines and based on the internationally recognised Three Lines Model. This framework delineates the specific roles and responsibilities of various departments within the Bank, ensuring a coordinated and effective approach to managing risks.
The IRMF encompasses all risk exposures through a structured methodology supported by well-defined organisational structures, advanced systems, efficient processes, and globally benchmarked best practices. It provides a systematic approach to identifying, mitigating, and addressing potential risks, uncertainties, and losses faced by the Bank.
By adhering to the Three Lines model, the framework balances operational responsibilities while equipping the Bank with specialised skills and tools to manage risks effectively. The IRMF undergoes an annual review or is updated more frequently as needed to reflect changes in regulatory requirements, operational dynamics, and the evolving risk landscape.
Board of Directors
The Board of Directors functions as the highest governing authority, responsible for formulating the Bank’s strategies and policies, setting objectives, and overseeing executive operations. It holds the ultimate accountability for supervising the risks undertaken by the Bank and its Group entities, ensuring these are effectively identified and managed. (Refer for detailed profiles of the Board of Directors.)
The Board defines the Bank’s risk appetite by maintaining a balance between achieving strategic objectives and managing the risks associated with pursuing those objectives. Oversight responsibilities are delegated to various Board committees, listed on page 197, which are supported by executive-level counterparts. These committees work in close collaboration with the executive management to assess the effectiveness of the Bank’s risk management framework. They regularly report their findings to the Board, offering a comprehensive perspective on the Bank’s risk profile, management actions, and outcomes. This process enables the Board to identify risk exposures, address gaps, and implement mitigation measures in a timely manner.
The Board actively guides executive management to ensure that business strategies and objectives are aligned with the desired risk levels. The leadership and ethical tone set by the Board, combined with its strong corporate culture, are instrumental in managing risks effectively throughout the Bank.
In addition to adhering to the Three Lines Model, the Bank places a strong emphasis on ethical conduct as a core element of risk management. The Bank’s commitment to responsible, transparent, and disciplined business practices is clearly outlined in various policies and frameworks, including the Code of Ethics, Gift Policy, Communication Policy, Credit Policy, Anti-Bribery and Anti-Corruption Policy, and Conduct Risk Management Policy Framework. These documents set clear expectations for all employees to uphold the highest standards of honesty, integrity, and accountability.
The Board also ensures diligent oversight of the risk profiles of all subsidiaries within the Group, in addition to that of the Bank, recognising the potential financial and reputational risks involved. This oversight is conducted in strict compliance with regulatory requirements. (Refer Group structure for the list of subsidiaries.)
Board committees
The Board has established four dedicated committees to support its oversight responsibilities for risk management and to ensure the adequacy and effectiveness of the Bank’s internal control systems. These committees are:
- Board Audit Committee (BAC)
- Board Integrated Risk Management Committee (BIRMC)
- Board Credit Committee (BCC)
- Board Strategy Development Committee (BSDC)
Each committee functions under clearly defined Terms of Reference (ToR) and convenes meetings at predetermined intervals or as required. Through their discussions and evaluations, these committees provide recommendations to the Board on critical areas such as risk appetite, risk profile, strategy, risk management and internal control frameworks, risk policies, limits, and delegated authority.
For detailed information on the composition, Terms of Reference, authority, meeting schedules, attendance, activities undertaken during the year, and other relevant aspects, please refer to the respective committee reports.
Executive committees
The executive management is responsible for implementing strategies and plans as mandated by the Board of Directors while ensuring that the Bank’s risk profile remains within the approved risk appetite. The Executive Integrated Risk Management Committee (EIRMC), composed of members from units overseeing credit risk, market risk, liquidity risk, operational risk, and IT risk, leads this effort. To address specific risk areas comprehensively, the EIRMC is supported by several dedicated committees, facilitating effective risk management across both the First and Second Lines of Defence:
- Asset and Liability Management Committee (ALCO)
- Credit Policy Committee (CPC)
- Executive Committee on Monitoring Non-Performing Credit Facilities (ECMN)
- Information Security Council (ISC)
- Business Continuity Management Steering Committee (BCMSC)
- Executive Sustainability Committee (ESC)
- Recovery Plan Steering Committee (RPSC)
The EIRMC maintains active communication with the BIRMC to ensure that risk management activities align with the IRMF and that risks are managed within established parameters. The Chief Risk Officer (CRO) directly reports to the BIRMC, underscoring the independence of the risk management function. Details regarding the composition of the executive committees can be found in the “Annual Corporate Governance Report” on pages 201 and 203.
The CRO, who heads the IRMD, plays a pivotal role in ensuring risk governance by participating in major risk and control forums, including meetings of the BIRMC, BCC, and BAC. The IRMD is entrusted with independently monitoring the compliance of the First Line of Defence with established policies, procedures, guidelines, and limits. Any deviations are escalated to the relevant executive committees for further action.
Further, the IRMD provides a holistic view of all types of risk, enabling independent risk assessments by the executive committees. The findings and recommendations are shared with Line Managers and Senior Management, fostering effective communication, promoting discussions, and driving necessary actions to mitigate risks and enhance the Bank’s resilience.
Risk management
Risk management involves the critical responsibility of identifying, assessing, controlling, and mitigating risks. This includes developing and implementing risk mitigation strategies, monitoring Early Warning Signals (EWS), estimating potential future losses, and taking proactive measures to manage or transfer risks effectively. The Bank’s risk management framework (depicted in Figure 51) serves as a guide for designing and executing risk management strategies, policies, and procedures, ensuring alignment with the strategic priorities outlined in the Bank’s Corporate Plan and its defined risk appetite.
To enhance its risk detection and management capabilities, the Bank has made significant investments in developing a robust infrastructure. This infrastructure includes foundational resources such as policies, procedures, guidelines, circulars, limits, software platforms, risk assessment tools, databases, and expertise. Additionally, the Bank has implemented risk dashboards and predictive modeling capabilities to support real-time monitoring and decision-making. These elements are complemented by incident response mechanisms, advanced data analytics, and streamlined communication channels, all aligned with international best practices to ensure the effectiveness of risk management processes.
This infrastructure establishes the foundation for applying specific risk management tools, enabling the Bank to proactively identify, assess, and manage risks while ensuring regulatory compliance and operational resilience.
Recognising that risk management is a shared responsibility across the organisation, the Bank emphasises the importance of equipping all employees with a clear understanding of the risks they may encounter. The IRMD plays a key role in fostering a strong risk culture by providing continuous training and awareness programs. These initiatives focus particularly on risk owners, offering knowledge and skill-building opportunities to ensure that all employees are well-prepared to address risks effectively and contribute to the Bank’s overall resilience.
Policies, procedures, and limits
The Bank has implemented a comprehensive suite of risk management policies that address all managed risks, ensuring robust governance and regulatory compliance. These policies provide clear guidance to business and support units on managing risks effectively and adhering to regulatory requirements, including the Banking Act Direction No. 07 of 2011 – Integrated Risk Management Framework for Licensed Commercial Banks, developed in alignment with the Basel Framework, as well as subsequent directives issued by the CBSL.
By institutionalising a structured knowledge base, these policies aim to minimise bias and subjectivity in risk-related decision-making. Core documents, such as risk management policies, play a critical role in shaping the Bank’s risk culture by clearly defining objectives, priorities, processes, and the roles and responsibilities of the Board of Directors and the Management in risk governance.
The Risk Appetite Statement (RAS) is a key element of the Bank’s risk management framework, establishing the limits within which risks must be managed. The RAS is reviewed and updated by the BIRMC and the Board of Directors at least annually or more frequently, in line with evolving regulatory and business requirements.
To ensure the Bank’s overall risk exposure, including that of its international operations, aligns with CBSL’s regulatory framework, the Bank considers the regulatory landscapes in all jurisdictions where it operates. Operational guidelines are issued to facilitate the implementation of the Risk Management Policy and ensure compliance with the limits outlined in the RAS. These guidelines provide employees with detailed instructions on the types of facilities, processes, and terms and conditions that govern the Bank’s daily operations.
Risk management tools
Building on its comprehensive infrastructure, the Bank employs a diverse range of qualitative and quantitative tools to identify, measure, manage, and report risks effectively. These tools are tailored to address specific risks based on factors such as the likelihood of occurrence, potential impact, and data availability.
Key tools utilised by the Bank include EWS, threat analysis, risk policies, risk registers, risk maps, and RCSA. These tools are complemented by advanced frameworks like the ICAAP, workflow-based operational risk management systems, and the Environmental and Social Management System (ESMS).
To enhance risk quantification and mitigation, the Bank employs diversification strategies, insurance, benchmarking, gap analysis, and Net Present Value (NPV) analysis. Additionally, advanced products such as SWAPs, Caps and Floors, and hedging, along with techniques like risk scoring, stress-testing, duration analysis, Value at Risk (VaR) assessments, and scenario analysis, are integral to managing market and credit risks.
These tools and techniques collectively ensure that risks across all dimensions of the Bank’s operations are managed effectively within the parameters of its risk appetite and governance frameworks.
Types of risks
The Bank is exposed to a wide spectrum of financial and non-financial risks, which are broadly categorised into credit, market, liquidity, operational, reputational, IT, strategic, environmental and social, and legal risks. Collectively, these risks define the Bank's overall risk profile, which is consistently monitored against the established risk appetite. To prudently manage these risks, the Bank has implemented a comprehensive risk management framework. However, despite these measures, external and internal factors continue to introduce substantial uncertainty, requiring constant vigilance and adaptability to navigate an evolving risk landscape.
External factors
- Macroeconomic and political risks: Fluctuations in macroeconomic variables, political instability, changes in fiscal and monetary policies, sovereign risk destabilising financial markets, demographic shifts.
- Market and trade risks: Fragile supply chains, pandemics, sustainability concerns, competitive pressures, declining property valuations, credit rating downgrades.
- Technological and regulatory risks: Technological advancements, regulatory developments, stakeholder demand for ethical practices.
- Reputational risks: Social media misinformation, heightened public scrutiny, unfounded perceptions of banks exploiting customers.
- Contagion risk: Interconnectedness of the banking ecosystem, companies, and economies, which can have a cascading impact on business sustainability.
Internal factors
- Workforce and culture: High staff turnover, knowledge and skill gaps, industrial disharmony, deterioration in internal sub-cultures.
- Governance and strategy: Arbitrary decision-making, misalignment of strategy, lapses in risk framework implementation, inaccurate macroeconomic predictions, improper alignment of remuneration to performance and risk.
- Process and data risks: Execution gaps, weak data infrastructure hindering decision-making, inadequate digitization, inaccuracies in risk reporting, acts of fraud, misappropriation, or unethical behaviour.
- Customer and strategy risks: Provision of incorrect advice to customers, strategic misalignments, underperformance of group companies.
Navigating in an increasingly complex environment
The Bank operates in an environment marked by increasing complexity and uncertainty, driven by emerging threats and challenges to traditional assumptions about markets, competition, and fundamental business principles. To address these challenges, the Bank emphasises:
- Gaining a deeper understanding of stakeholder needs.
- Ensuring excellence in internal process execution.
- Leveraging strategic responses to risks as opportunities to enhance its value proposition and foster future growth.
These efforts ensure that discussions on risk management remain a top priority in all Board, Board Committee, and Executive Committee meetings. A summary of key risks is given in Figure 52 on page 262.
By adopting a consistent approach to risk management and addressing uncertainties effectively, the Bank strives to implement its strategy to deliver value for all stakeholders. A detailed account of the various types of risks managed by the Bank and the corresponding mitigation measures is given below.
Credit risk
Credit risk refers to the potential financial loss arising from a borrower or counterparty’s failure to meet their contractual obligations. The Bank is exposed to credit risk through its direct lending activities as well as commitments and contingencies. The extent of credit risk is influenced by several factors, including the quality and the diversification of the lending portfolio, the concentration of exposures, the credit ratings of counterparties with international exposure, and sovereign ratings related to government exposures.
The marked improvement in the macroeconomic and operating environment during the year, driven by stabilising socio-economic and political conditions, contributed to an enhancement in overall asset quality across the financial sector. This positive shift has provided the Bank with opportunities to refine its credit risk management practices. While challenges persist in certain sectors, the Bank has leveraged the improved conditions to adopt forward-looking strategies for managing and mitigating credit risk, ensuring a balanced and resilient approach to risk management.
The Bank’s total credit risk is composed of three key elements: counterparty risk, concentration risk, and settlement risk. These components are monitored and managed under the Bank’s comprehensive risk management framework to ensure a proactive and resilient approach to credit risk mitigation.
Maximum credit risk exposure Table – 51
| As at December 31, | 2024 Rs. Bn. | 2024 % | 2023 Rs. Bn. | 2023 % |
| --- | --- | --- | --- | --- |
| Net carrying amount of credit exposure: | | | | |
| Cash and cash equivalents | 86.848 | 2.6 | 157.819 | 5.2 |
| Placements with central banks and other banks (excluding reserves) | 104.901 | 3.2 | 86.248 | 2.9 |
| Financial assets at amortised cost – Loans and advances to Banks | | | | |
| Financial assets at amortised cost – Loans and advances to Other Customers | 1,384.524 | 42.1 | 1,176.360 | 38.9 |
| Financial assets at amortised cost – Debt and other financial instruments | 667.709 | 20.3 | 649.740 | 21.5 |
| Financial assets measured at fair value through other comprehensive income | 301.584 | 9.2 | 287.023 | 9.5 |
| Total (a) | 2,545.566 | | 2,357.190 | |
| Off-balance sheet maximum exposure: | | | | |
| Lending commitments | 196.131 | 6.0 | 157.205 | 5.2 |
| Contingencies | 546.359 | 16.6 | 507.169 | 16.8 |
| Total (b) | 742.490 | | 664.374 | |
| Total of maximum credit exposure (a + b) | 3,288.056 | 100.0 | 3,021.564 | 100.00 |
| Gross carrying amount of loans and advances to Other Customers | 1,486.900 | | 1,265.559 | |
| Stage 3 (credit impaired) loans and advances to Other Customers | 127.738 | | 143.564 | |
| Impaired loans as a % of gross loans and advances to Other Customers | | 8.6 | | 11.3 |
| Allowance for impairment – loans and advances to Other Customers | 102.376 | | 89.199 | |
| Allowance for impairment as a % of gross loans and advances to Other Customers | | 6.9 | | 7.0 |
| Impairment charge – loans and advances to Other Customers | 22.816 | | 5.690 | |
Amidst the improving socio-economic conditions in the country, the maximum credit exposure of the Bank increased to Rs. 3,288.06 Bn. as of December 31, 2024 (compared to Rs. 3,021.56 Bn. as of December 31, 2023).
With the improving macroeconomic environment, the financial services industry witnessed a relative stabilization in the trend of loans and advances categorised as Non-Performing Credit Facilities (NPCF). Consequently, the credit-impaired (Stage 3) loans and advances to customers of the Bank stood at Rs. 127.74 Bn. as of December 31, 2024 (compared to Rs. 143.56 Bn. in 2023), constituting 8.6% of gross loans and advances to customers (compared to 11.3% in 2023). The Bank has made a cumulative impairment provision of Rs. 102.38 Bn. on the loans and advances portfolio as of December 31, 2024, in accordance with the requirements of SLFRS 9 (compared to Rs. 89.2 Bn. in 2023).
Additionally, following the successful completion of the debt restructuring program related to Sri Lanka International Sovereign Bonds (SLISBs), the Bank derecognised the existing bonds and reversed the full impairment provision previously held against them. New bonds issued as part of the restructuring were subsequently recognised, with the required provisions for impairment and day-one loss accounted for in accordance with applicable standards.
Managing credit risk
The lending portfolio constituted 53.3% of the Bank’s total assets as at December 31, 2024, with credit risk accounting for over 88.12% of the total risk-weighted assets. Recognising this significant exposure, the Bank places utmost importance on prudently managing credit risk, going beyond regulatory compliance. This focus is governed by a Board-approved credit risk management framework, encompassing a robust governance structure and a comprehensive suite of risk management processes. These include policies and procedures, risk assessments, collateral management, credit risk segregation, environmental and social risk management, independent verifications, ongoing monitoring, post-disbursement reviews, guidance to business managers, credit risk knowledge dissemination, and the integration of internal audit information.
During 2024, supported by the improved socio-economic environment, the EIRMC/BIRMC continued to address credit risk management with diligent oversight mechanisms. The top 5 Stage 3 customers in each subsector remained under close surveillance. Leveraging insights from the EWS system, the Bank meticulously tracked the movements of exposures and the number of customers categorised as EWS Watch List, Cautious Care, and Intensive Care. Continuous monitoring of stressed lending assets identified through EWS was conducted in collaboration with Lending Officers and the IRMD. The IRMD independently reviewed impairment of Individually Significant Customers quarterly, with plans underway to enhance this process further through technology for improved accuracy and efficiency in 2025.
Despite the improved macroeconomic conditions, the Bank continued to maintain significant attention on its exposures to REIs while closely monitoring the Expected Credit Loss (ECL) for individually and collectively impaired facilities in Stage 2 and Stage 3 categories. Separate analyses and monitoring processes were undertaken for tourism-related and other exposures, with the top 10 borrowers in each REI category within Stage 2 and Stage 3 under close observation. The Bank also paid close attention to its exposures to the Government, both in terms of commercial lending and treasury guarantees, while tracking the concentration of collateral in its advances.
The Bank has established internal limits to manage credit exposure effectively, including but not limited to:
- Open credit exposure
- Aggregate credit exposures to corporate borrowers owned or controlled by a single common shareholder or stakeholder
- Related party exposures
- Economic group exposure ratios
- Cross-border exposures
Post-disbursement credit reviews for loans and overdrafts were conducted in line with the “Credit Risk Review Policy”. These reviews aligned with the provisions outlined in the Credit Policy and Lending Guidelines. Findings were communicated to Lending Officers, whose responses were subsequently assessed. Particular attention was given to lending units or regions with elevated stress levels, with detailed analyses escalated to the Executive Committees for prompt action.
Credit health checks for branches and other lending units assessed various parameters, including credit evaluation processes, account behaviour, risk ratings, compliance with guidelines, post-sanction compliance, concentration levels in the Loan Book, recovery efforts, follow up on NPCF, examination of problematic advances, adherence to credit processes, and the reporting system.
Review of credit risk
The notable turnaround in the operating environment during the year contributed to the revival of credit growth in the private sector and supported moderate economic activity. The Bank demonstrated resilience during this recovery period and managed to secure a proportionately higher share of this growth, with the loan book growing by 17.49%. At the same time, asset quality improved notably, as evidenced by the gross Stage 3 loans and advances ratio falling to 8.6% by year end compared to 11.3% a year ago.
The robust credit risk management framework guided the Bank in onboarding new exposures and monitoring the quality of the loan book, ensuring the selection of customers, products, industries, and geographies aligned with the Bank’s risk appetite. Strategic initiatives implemented during the year to mitigate credit risks and maintain credit quality are detailed in the Report of the Board Integrated Risk Management Committee on pages 218 to 220.
Concentration risk
The Bank actively mitigates concentration risk through strategic diversification across various dimensions, including industry sectors, products, counterparties, and geographies. The RAS has established specific limits for these segments, ensuring compliance, and exposure monitoring is conducted by the CPC, the EIRMC, the BIRMC and the Board. These committees not only oversee concentration risk exposures but also provide recommendations and propose adjustments to defined limits in response to emerging trends and changes in the business environment.
During the year, the CBSL issued new Directions on large exposures for licensed banks as a macroprudential measure to mitigate systemic risks arising from potential credit concentration. These Directions aim to enhance the safety and soundness of the banking sector and preserve public confidence. One key provision under these Directions requires that, effective January 1, 2026, the maximum limit on large exposures to an individual borrower or a group of connected borrowers must not exceed 25% of the licensed bank’s Tier I capital at any given time.
In response to this regulatory requirement, the Bank extensively deliberated at both the executive and Board committee levels on the measures needed to ensure compliance with the new exposure caps. These discussions emphasised the importance of timely and proactive adjustments to the Bank’s credit exposure strategies to meet the requirements while maintaining a balanced and diversified portfolio.
For a detailed view of the Bank’s exposure management, Graph 48 illustrates the composition of the portfolio of total loans and advances to other customers by tenure, in alignment with the Bank’s defined risk appetite and regulatory guidelines.
Tenure-wise loans & advances to other customers as at December 31, 2024 (based on residual maturity) Graph – 48
Distribution of Stage 3 credit impaired loans and advances to other customers Table – 52
As at December 31, 2024

| Industry Category | Stage 3 Loans & Advances Rs.'000 | Cumulative provision for Individual Impairment Rs.'000 | Cumulative provision for Collective Impairment Rs.'000 | Cumulative provision for Expected Credit Loss Rs.'000 | Amount Written-off Rs.'000 |
| --- | --- | --- | --- | --- | --- |
| Agriculture, forestry & fishing | 11,137,842 | 7,249,194 | 1,281,116 | 8,530,310 | 147,608 |
| Arts, entertainment & recreation | 30,128 | 16,914 | 3,242 | 20,156 | 126 |
| Construction | 12,573,601 | 5,629,673 | 1,340,459 | 6,970,132 | 2,951,489 |
| Consumption and others | 5,720,517 | 1,085,751 | 1,838,578 | 2,924,329 | 168,813 |
| Education | 441,492 | 54,181 | 186,091 | 240,272 | 462 |
| Financial services | 1,467,574 | 1,339,133 | 45,391 | 1,384,524 | 10 |
| Health care, social services & support services | 2,380,888 | 1,446,459 | 167,080 | 1,613,539 | 16,418 |
| Information technology and communication services | 1,357,264 | 782,722 | 107,740 | 890,462 | 10,590 |
| Infrastructure development | 2,686,972 | 1,608,457 | 316,291 | 1,924,748 | 199,714 |
| Lending to overseas entities | 10,941,400 | 7,755,263 | 894,861 | 8,650,124 | 0 |
| Manufacturing | 21,726,476 | 13,564,193 | 2,063,106 | 15,627,299 | 723,271 |
| Professional, scientific & technical activities | 1,056,700 | 285,836 | 214,547 | 500,383 | 2,036 |
| Tourism | 21,525,864 | 10,454,967 | 1,266,557 | 11,721,524 | 33,401 |
| Transportation & storage | 2,212,953 | 1,340,823 | 223,821 | 1,564,644 | 1,109,649 |
| Wholesale & retail trade | 32,478,280 | 18,323,036 | 3,838,016 | 22,161,052 | 202,155 |
| Total | 127,737,951 | 70,936,602 | 13,786,896 | 84,723,498 | 5,565,742 |
Product-wise analysis of loans & advances to other customers as at December 31, 2024 Graph – 49
An analysis of the Bank’s lending portfolio by product (refer to Graph 49) demonstrates the effectiveness of the Bank’s credit policies, ensuring a well-diversified risk distribution across various credit products.
Product-wise geographical analysis of loans & advances to other customers as at December 31, 2024 Graph – 50
The Bank has a relatively high exposure of 36.8% to long-term loans, which is carefully monitored and effectively mitigated through the provision of adequate collateral.
Counterparty risk
The Bank manages counterparty risk through well-defined policies, procedures, and limit structures, including large exposure thresholds and group exposure limits across various products. The Bank has implemented limits that are more stringent than those mandated by regulators, providing enhanced flexibility in managing concentration levels associated with counterparty exposures.
Loans and advances to the Bank from both local and foreign counterparties represent a significant component of counterparty risk. These exposures are closely monitored against established product limits at regular intervals, with dedicated policies, procedures, and limit structures guiding their management.
The financial and economic performance of counterparties is rigorously assessed throughout the year. For exposures to counterparty banks, limits are reviewed and monitored frequently, with adjustments made as necessary to align with the most current information available.
The Bank utilises ratings provided by Fitch Ratings for local banks in Sri Lanka and Credit Ratings Agency Bangladesh (CRAB) for local banks in Bangladesh. Where CRAB ratings are unavailable, equivalent CRISL/Alpha ratings are used. As of December 31, 2024, 97% of the Bank’s exposure to local banks in Sri Lanka was rated in the AAA to A category (refer to Graph 51), while 100% of the exposure to local banks in Bangladesh consisted of AAA to AA-rated counterparties (refer to Graph 52).
The concentration of counterparty bank exposures in Sri Lanka as at December 31, 2024 (Fitch ratings-wise) Graph – 51
The concentration of counterparty bank exposures in Bangladesh as at December 31, 2024 (CRAB ratings-wise*) Graph – 52
Cross-border risk
Cross-border risk refers to the potential challenges the Bank may face in receiving payments from customers or third parties due to actions taken by foreign governments, particularly those impacting the convertibility and transferability of foreign currency. Assets exposed to cross-border risk primarily include loans and advances (including exposures acquired through risk participation agreements), interest-bearing deposits with other banks, trade and other bills, and acceptances, which are largely linked to short-term money market activities.
To mitigate risks associated with over-concentration in cross-border exposures, the Bank has established a robust limit structure. It continuously monitors macroeconomic and market conditions in the countries where counterparties are located, rigorously evaluates counterparties, and maintains regular communication with them. When adverse economic or political developments arise in specific countries, the Bank takes timely actions, such as suspending or revising limits, to safeguard its exposures.
The Bank limits its total cross-border exposure to 8% of its total assets (refer to Graph 53). Cross-border exposures span several countries, including the UK, the Maldives, India, Hong Kong, Singapore, and China. Of the Bank’s cross-border exposures related to Sri Lankan and Bangladesh operations, 84.44% are to countries rated AAA to BBB-, while 15.56% are to countries rated below BBB- or unrated (refer to Graph 54).
Cross border exposure of the Bank (Sri Lankan & Bangladesh operations) as at December 31, 2024 Graph – 53
The concentration of cross-border exposure (Sri Lanka and Bangladesh operations) – S&P rating wise as at December 31, 2024 Graph – 54
Market risk
Market risk refers to the potential adverse effects on a bank’s financial position arising from fluctuations in financial market conditions. These conditions include changes in interest rates, exchange rates, commodity prices, equity and debt prices, and the correlations between these variables. Deviations from the assumptions made during decision-making can lead to unexpected financial impacts. The Bank's operations are influenced by these variables and their interdependencies to varying degrees.
Market risk comprises several components, including interest rate risk, liquidity risk, foreign currency risk, and equity risk.
Market risk categories Table – 53
| Major market risk category | Risk components | Description | Tools to monitor | Severity | Impact | Exposure |
| --- | --- | --- | --- | --- | --- | --- |
| Interest rate | | Risk of loss arising from movements or volatility in interest rates | | | | |
| | Re-pricing | Differences in amounts of interest-earning assets and interest-bearing liabilities getting re-priced at the same time or due to timing differences in the fixed rate maturities, and appropriately re-pricing of floating rate assets, liabilities, and off-balance sheet instruments | Re-pricing gap limits and interest rate sensitivity limits | High | Medium | Medium |
| | Yield curve | Unanticipated changes in shape and the gradient of the yield curve | Rate shocks and reports | High | High | High |
| | Basis | Differences in the relative movements of rate indices which are used for pricing instruments with similar characteristics | Rate shocks and reports | High | Medium | Medium |
| Foreign exchange | | Possible impact on earnings or capital arising from movements in exchange rates arising out of maturity mismatches in foreign currency positions other than those denominated in base currency, Sri Lankan Rupee (LKR) | Risk tolerance limits for individual currency exposures as well as aggregate exposures | Medium | Medium | Medium |
| Equity | | Possible losses arising from changes in prices and volatilities of individual equities | Mark-to-market calculations are carried out daily for Fair Value Through Profit and Loss (FVTPL) and Fair Value Through Other | Low | Low | Negligible |
| Commodity | | Exposures to changes in prices and volatilities of individual commodities | Mark to market calculations | Low | Low | Negligible |
Managing market risk
The Bank effectively manages market risk through a Board-approved market risk management framework. This framework incorporates a robust governance structure and comprehensive risk management processes, including policies, market risk limits, Management Action Triggers (MATs), ongoing risk monitoring, and detailed risk assessments.
To evaluate the impact on the Bank’s Net Interest Income (NII) under stress conditions, scenario analyses were conducted, simulating changes of 100 – 400 basis points (bps) for LKR and 25 – 100 bps for foreign currency (FCY) over a 12-month horizon. Additionally, the Bank employs the Economic Value of Equity (EVE), a long-term measure of Interest Rate Risk (IRR), to analyse its sensitivity to market rate changes and assess its value under current market conditions. The repricing gap between Rate Sensitive Assets (RSA) and Rate Sensitive Liabilities (RSL) was also reviewed.
Monitoring changes in Net Interest Margin (NIM) for both LKR and FCY on a monthly basis in Sri Lanka and Bangladesh operations remained a key focus area. Stress tests were conducted to evaluate FX position gains/losses under a 5% up/down movement in the exchange rate between USD and LKR. The Bank also assessed the impact of Mark-to-Market (MTM) gains or losses for the Fair Value Through Profit or Loss (FVTPL) portfolio of LKR Government securities and the Fair Value Through Other Comprehensive Income (FVTOCI) portfolio under interest rate changes of 1% up/down and 2% up/down.
Ongoing monitoring of opportunity losses in the amortised cost portfolio and FCY cash flow projections for the next three months was conducted to enhance risk preparedness. The Bank also maintained a summary of the FCY liquidity gap, incorporating funding liquidity against undrawn overdraft limits and anticipated loan disbursements for the following three months. Moreover, funding concentration was evaluated by tenor, value, top 20 depositors, and currency to ensure effective liquidity management.
Review of market risk
The Bank’s market risk primarily arises from the interest-sensitive Non-Trading Portfolio (Banking Book), which accounted for 88.02% of total assets and 88.99% of total liabilities as of December 31, 2024. The majority of the market risk exposure is attributed to Interest Rate Risk (IRR) and Foreign Exchange (FX) risk, with minimal exposure to commodity price risk, equity price risk, and debt price risk. These latter components collectively account for less than 5% of the total risk-weighted exposure for market risk.
Further details on the Bank's market risk exposure, including an analysis of the Trading Book and Non-Trading Portfolio (Banking Book), are provided in Note 66.3.1.
Market risk portfolio analysis
The gap report is prepared by categorising Rate Sensitive Assets (RSA) and Rate Sensitive Liabilities (RSL) into various time bands based on their maturity (for fixed-rate instruments) or the time remaining until their next repricing (for floating-rate instruments). The distribution of savings deposit balances is aligned with the results of a behavioural analysis conducted by the Bank and adheres to the guidelines issued by the CBSL for overdrafts and credit cards.
The Bank's exposure to interest rate volatility is represented by the gap between RSA and RSL, as illustrated in Table 55.
Interest Rate Risk (IRR)
Significant fluctuations in interest rates pose a critical risk to the Bank, as they can directly impact its Net Interest Income (NII) and the economic value of interest-earning assets, interest-bearing liabilities, and off-balance sheet items. Interest rate volatility may lead to unexpected changes in income and valuations, potentially affecting the Bank’s financial stability and profitability.
The primary types of Interest Rate Risk (IRR) the Bank is exposed to include:
- Repricing risk: Arises from differences in the timing of rate changes for assets and liabilities. This mismatch in the repricing schedules may lead to a decline in interest income or an increase in interest expense, adversely affecting NII.
- Yield curve risk: Occurs when changes in interest rates affect the slope and shape of the yield curve, which may impact the valuation of fixed-income instruments and the Bank’s balance sheet.
- Basis risk: Emerges when there are variations in the relationship between different interest rate benchmarks or indices, leading to discrepancies in the pricing of assets and liabilities.
Managing IRR is a key component of the Bank’s overall risk management framework. The Bank actively monitors interest rate movements and their potential impact, employing tools such as gap analysis, sensitivity analysis, and stress-testing to assess exposure and implement appropriate mitigation strategies. These measures enable the Bank to minimise the adverse effects of interest rate volatility while optimising its risk-adjusted returns.
Sensitivity of Net Interest Income to rate shocks Table – 54
Net Interest Income (NII) | 2024 Parallel increase Rs. ’000 | 2024 Parallel decrease Rs. ’000 | 2023 Parallel increase Rs. ’000 | 2023 Parallel decrease Rs. ’000 |
As at December 31, | 805,254 | (806,045) | 100,792 | (101,013) |
Average for the period | 830,956 | (831,385) | (18,795) | 16,928 |
Maximum profit/(loss) for the period | 1,461,243 | (1,461,840) | 276,499 | (276,604) |
Minimum profit/(loss) for the period | 152,547 | (152,674) | (576,068) | 557,037 |
Interest rate sensitivity gap analysis of assets and liabilities of the Banking Book Table – 55
As at December 31, 2024 – Bank
Description | 0-90 days Rs. ’000 | 3 to 12 months Rs. ’000 | 1 to 3 years Rs. ’000 | 3 to 5 years Rs. ’000 | More than 5 years Rs. ’000 | Non-sensitive Rs. ’000 | Total Rs. ’000 |
Total financial assets | 692,439,066 | 470,261,258 | 531,518,432 | 438,535,282 | 322,779,332 | 158,791,765 | 2,614,325,135 |
Total financial liabilities | 828,924,800 | 743,437,128 | 269,870,915 | 217,954,555 | 177,688,111 | 204,449,268 | 2,442,324,777 |
Interest rate sensitivity gap | (136,485,734) | (273,175,870) | 261,647,517 | 220,580,727 | 145,091,221 | (45,657,503) | 172,000,358 |
Cumulative gap | (136,485,734) | (409,661,604) | (148,014,087) | 72,566,640 | 217,657,861 | 172,000,358 | |
RSA/RSL | 0.84 | 0.63 | 1.97 | 2.01 | 1.82 | 0.78 | 1.07 |
Sensitivity of projected NII
The Bank conducts regular stress-testing on Interest Rate Risk in the Banking Book (IRRBB) to evaluate its exposure to potential rate fluctuations. These tests incorporate variations in balance sheet positions, new economic variables, and a range of systemic and specific stress scenarios, ensuring that the Bank is well-prepared to manage the potential impact of adverse market movements on its profitability and financial stability.
The sensitivity of the Fixed Income Securities (FIS) portfolio, categorised under Fair Value Through Profit or Loss (FVTPL) and Fair Value Through Other Comprehensive Income (FVOCI), is assessed through stress-testing. The Bank evaluates the changes in value caused by abnormal market fluctuations using both the Economic Value of Equity (EVE) and Earnings at Risk (EAR) perspectives, generating valuable insights into how interest rate shocks affect the Bank's long-term equity value and short-term profitability.
In addition to portfolio-level analysis, the Bank continuously monitors the potential impact of interest rate shocks on Net Interest Income (NII) for both Sri Lankan Rupee (LKR) and foreign currency (FCY) exposures. This helps the Bank to gauge its susceptibility to abrupt interest rate changes and to formulate risk mitigation strategies that maintain a stable income stream.
The results of these stress tests are rigorously analysed to identify potential vulnerabilities, allowing the Bank to implement timely corrective actions and enhance its resilience to interest rate fluctuations. Detailed findings from these analyses, including projected NII sensitivities, are presented in Table 54 for further reference.
Foreign exchange risk
To mitigate potential losses stemming from fluctuations in foreign exchange (FX) rates, the Bank follows stringent risk tolerance limits for individual currency exposures and aggregate exposures. These limits are maintained within regulatory boundaries, ensuring that FX losses are minimised and remain well within the Bank’s defined risk appetite.
From December 31, 2023 to December 27, 2024, the USD/LKR exchange rate appreciated by 10.1% (Source: Central Bank of Sri Lanka). Further details on the Bank’s exposure to currency risk in the non-trading portfolio can be found in Note 66.3.3 on page 455.
Stress-testing of the Net Open Position (NOP) is regularly performed by applying exchange rate shocks ranging from 5% to 25% to evaluate the potential impact on the Bank’s profitability and capital adequacy. As of December 31, 2024, a 5% downward movement in the exchange rate, even with the remote chance of occurrence, indicated a potential loss of Rs. 2,813 Mn. (Refer to Graph 82 on page 456 for the impact of a 5% upward change in the exchange rate). Detailed results of these stress tests are provided in Table 62.
Equity price risk
Although the Bank’s exposure to equity price risk remains minimal, daily mark-to-market calculations are performed for the Fair Value Through Profit or Loss (FVTPL) and the Fair Value Through Other Comprehensive Income (FVOCI) portfolios. Additionally, the Bank calculates the Value at Risk (VaR) for its equity portfolio to assess potential losses under adverse market conditions.
For further details, refer to Note 66.3.4 on page 456, which provides a summary of the impact of a 10% shock on equity prices on profit, other comprehensive income (OCI), and equity.
Commodity price risk
The Bank’s exposure to commodity price risk is primarily linked to fluctuations in gold prices, which impact its pawning portfolio. To mitigate this risk, the Bank has implemented a lower Loan-to-Value (LTV) ratio and conducts regular mark-to-market valuations of the portfolio to ensure effective risk management.
Liquidity risk
Liquidity risk arises from the potential inability of the Bank to meet its contractual and contingent financial obligations, on or off balance sheet, as they become due, without incurring unacceptable losses. Banks are inherently exposed to liquidity and solvency challenges resulting from mismatches in the maturities of assets and liabilities.
The primary objective of liquidity risk management is to assess and ensure the availability of adequate funds to meet these obligations promptly, under both normal operating conditions and periods of stress.
Liquid assets ratios as of December 31, 2024 are given below:
Regulatory liquidity ratios Table – 56
As at December 31, | 2024 % | 2023 % |
Liquidity Coverage Ratio (LCR) | | |
Rupee | 529.20 | 491.61 |
All currencies | 454.36 | 516.27 |
Net Stable Funding Ratio (NSFR) | 187.29 | 193.70 |
Managing liquidity risk
The Bank adopts a comprehensive approach to managing liquidity risk, encompassing policies, procedures, measurement techniques, mitigation strategies, stress-testing methodologies, and contingency funding arrangements. Throughout most of the year, the Bank maintained excess liquidity levels. However, with credit growth gaining momentum in the latter half of the year, the Advances to Deposits & Refinance ratio improved to 66% by year-end compared to 61% at the beginning of the year. This improvement reflects the Bank’s ability to efficiently utilise its liquidity to support business growth.
The Bank continued to make substantial investments in LKR-denominated Government securities and FCY-denominated US Treasuries at optimal yields, effectively minimising potential adverse impacts on profitability. Furthermore, the negative carry experienced on specific treasury investments in prior years turned positive during the year as a result of the maturity of the underlying instruments and subsequent reinvestments at more favourable rates.
In December 2024, the Bank participated in the Ministry of Finance’s invitation to exchange its holdings of International Sovereign Bonds (ISBs). The Bank opted for the local offer, wherein 30% of the settlement was done in LKR. This move alleviated potential foreign exchange outflow pressures, positively contributing to liquidity management within the domestic financial system.
The resulting NOP created from forex sales was effectively managed within the permanent negative NOP limit prescribed by the CBSL. This proactive approach ensured that the Bank’s foreign currency exposures remained well within regulatory and internal thresholds, thereby safeguarding its liquidity position throughout the transition.
Liquidity risk review
The ALCO closely monitors the net loans-to-deposits ratio to ensure that the Bank’s asset and liability portfolios are structured to maintain a strong liquidity position. Throughout the year, the NSFR, which reflects the stability of funding sources relative to the Bank’s loans and advances, was consistently maintained well above the policy threshold of 100%. This healthy level of funding stability effectively supports the Bank’s business model and growth objectives.
The key ratios used for liquidity measurement under the stock approach are detailed below:
Key ratios used for measuring liquidity under the stock approach Table – 57
As at December 31, | | |
Liquidity ratios | 2024 | 2023 |
Loans to customer deposits | 0.66 | 0.61 |
Net loans to total assets | 0.50 | 0.46 |
Purchased funds to total assets | 0.24 | 0.25 |
(Large liabilities – Temporary Investments) to (Earning assets – Temporary Investments) | 0.26 | 0.27 |
Commitment to total loans | 0.24 | 0.21 |
Maturity gap analysis
The Maturity Gap Analysis of the Bank’s assets and liabilities as of December 31, 2024, is detailed in Note 66.2.2 (a) to the Financial Statements, given on pages 446 and 447.
This analysis provides insights into the maturity structure of financial assets and liabilities, demonstrating that the Bank has sufficient funding capacity to navigate adverse scenarios in line with prescribed behavioural patterns. The assessment does not indicate any liquidity concerns, particularly considering the composition of cash outflows, which include savings deposits. These deposits are considered a quasi-stable funding source, consistent with the historical behavioural patterns of depositors, as elaborated below.
Behavioural analysis on savings accounts
In the absence of a contractual maturity agreement, savings deposits are classified as non-maturing demand deposits. These deposits lack a defined re-pricing frequency, and the Bank periodically adjusts the offered rates based on factors such as the re-pricing gap, liquidity requirements, and profitability considerations. Due to their lower sensitivity to market interest rate changes, the allocation of savings products across predefined maturity buckets in the maturity gap report is determined through simulations and behavioural studies conducted by the Bank.
To ensure liquidity adequacy, the Bank evaluates its liquidity position across all major currencies, both individually and in aggregate, ensuring that potential risks remain within specified threshold limits. Further, the Bank closely monitors potential liquidity commitments arising from loan disbursements and undrawn overdrafts, ensuring the availability of sufficient funding sources to meet these obligations.
Funding diversification by product
The Bank primarily relies on customer deposits and other borrowings as its principal sources of funding. A product-wise analysis of the Bank’s funding diversification as of the end of 2024 and 2023 is presented in Graph 55.
Funding diversification by product as at December 31, Graph – 55
Operational risk
Operational risk refers to the potential for losses resulting from inadequate or failed internal processes, human errors, system malfunctions, or external events such as natural disasters, and social or political occurrences. As an inherent component of all banking products and processes, the Bank remains committed to managing operational risk effectively.
The assessment of operational risk is based on seven standard criteria: execution, delivery, and process management; internal fraud; external fraud; employment practices and workplace safety; clients, products, and business practices; damage to physical assets; and business disruption and system failures.
It is important to note that while operational risk includes legal risk, it does not encompass strategic or reputational risk.
Managing operational risk
The Bank employs a comprehensive operational risk management framework, incorporating policies, risk assessments, and mitigation strategies, supported by insurance coverage. The Bank also manages operational risk through structured procedures for outsourcing business activities, mitigation of technology-related risks, development of robust Business Continuity and Disaster Recovery Plans, stress-testing, fostering a culture of risk awareness across the organisation, and regular monitoring and reporting of operational risks.
Policies and procedures related to outsourcing ensure the continuous identification and effective management of risks associated with external arrangements. The Bank provides detailed reports on all outsourced functions to the CBSL annually. Due diligence is rigorously conducted by risk owners before entering into or renewing agreements with vendors. Regular bi-annual review meetings with key IT service providers are conducted to evaluate performance and adherence to service agreements.
The EIRMC and the BIRMC closely monitor and address business disruptions caused by various factors, including network outages, branch system failures, natural disasters, fire, industrial unrest, hartals, police curfews, and pandemics, ensuring timely corrective actions.
During the year, the Bank underwent a comprehensive operational risk review of its Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP), including an assessment of its Disaster Recovery site. This review was conducted by the IRMD in accordance with Section 6.5 (m) of the Banking Act Direction No. 05 of 2024 on Corporate Governance for Licensed Banks. Independent assessments of the BCP and DRP by the BIRMC ensured the adequacy of the Bank's preparedness for potential operational disruptions.
The Bank successfully implemented a Group-wide Conduct Risk Management Policy Framework. Additionally, an operational loss event database covering the Bank’s operational incidents over the past 14 years has been integrated into the Operational Risk Management System (ORMS). Furthermore, the RCSA Framework, originally implemented within the Bank, was extended to all other financial entities within the Group. This framework empowers each entity to identify, assess, and manage its unique risks while ensuring alignment with the broader risk management objectives of the Group.
Business continuity management
The Bank’s Business Continuity Management (BCM) framework integrates a comprehensive range of activities, including business continuity planning, disaster recovery, crisis management, incident management, emergency management, and contingency planning. This framework underscores the Bank's commitment to delivering uninterrupted services to all stakeholders by ensuring minimal disruption during unforeseen events such as man-made, natural, or technical disasters and enabling a swift resumption of operations.
The BCM framework encompasses various key components: program initiation and management, risk evaluation and business impact analysis, development of business continuity strategies, emergency preparedness and response, implementation of business continuity plans, awareness building and training, business continuity plan exercises, regular audits and maintenance, and crisis communication with external agencies.
To align with global best practices in Business Continuity and Disaster Recovery, the Bank has partnered with external consultants to obtain ISO 22301:2019 certification, enhancing its resilience and preparedness. This underscores its commitment to operational excellence and long-term sustainability. Additionally, a high-availability secondary setup for core banking and other critical systems was introduced to strengthen the Bank’s IT system recovery capabilities, enhancing redundancy and reliability.
In June 2024, the Bank conducted a comprehensive BCP exercise, extending beyond the current CBSL requirement of one working day to span 03 months. During the exercise, all application functionalities were meticulously tested before rollback, ensuring minimal disruptions. The rigorous and thorough testing of disaster recovery capabilities reflects the Bank’s growing maturity and commitment to operational resilience.
The success of this extended BCP exercise reinforces the Bank’s proactive approach to safeguarding its operations, protecting customer access, and ensuring preparedness for potential disruptions. By continuously refining its BCM framework and implementing advanced recovery measures, the Bank remains focused on maintaining service excellence and operational stability for all stakeholders.
Review of operational risk
The Bank maintains a low appetite for operational risk, with clearly defined tolerance levels for significant operational risk losses. These thresholds are based on multiple factors, including historical loss data, budgets and forecasts, the Bank’s overall performance, and the adequacy of its existing systems and controls. To ensure effective monitoring, the following thresholds have been established using audited financial statements:
- Alert level: 3% of the average gross income over the past three years
- Maximum level: 5% of the average gross income over the past three years
Operational losses for the financial year 2024 remained below the internal alert level, at 0.50% of the average audited gross income for the past three years. This outcome reflects the Bank’s decade-long track record of maintaining operational losses well below the alert threshold. This consistent performance underscores the Bank’s strong governance structures, effective risk management processes, and the leadership commitment to operational risk control, as set by the “tone at the top.” Graph 56 provides a detailed analysis of operational risk losses incurred in 2024 across various business lines and categories.
A review of losses incurred during 2024, categorised according to Basel II-defined business lines, reveals that 85.06% of financial impact losses were attributable to the “Retail Banking” business line, followed by 11.21% under “Payment and Settlement” and 3.73% under “Trading & Sales”. Losses linked to other business lines remained minimal.
Graphs 57 and 58 present a comparative analysis of operational losses reported in 2024 and 2023 across each Basel II-defined loss event type. These visuals provide insights into both the frequency of occurrences and the corresponding monetary impacts, offering a comprehensive perspective on the Bank’s operational risk profile.
Composition of losses – 2024 Graph – 56
Losses by number of events Graph – 57
Operational losses by number of events
As is typical in operational risk patterns, the Bank’s losses in 2024 primarily consisted of high-frequency, low-impact events, particularly under the “Execution, Delivery, and Process Management” category. These losses were predominantly related to the Bank's extensive service delivery network, which spans over 1,000 touchpoints across Sri Lanka and Bangladesh, with cash handling and ATM operations being the most impacted. Notably, events with monetary values below Rs. 100,000 accounted for more than 92% of the total loss events during the year. Furthermore, when compared to the sheer volume of transactions processed, the ratio of loss events to total transactions remained impressively low at just 0.0060%.
Throughout the year, the Bank further reinforced its Anti-Money Laundering (AML) compliance initiatives by integrating advanced audit mechanisms to monitor transactions, ensuring strict adherence to Know Your Customer (KYC) requirements. These improvements further underscore the Bank’s commitment to maintaining a robust compliance framework.
Losses by value Graph – 58
In terms of financial value, the losses incurred in 2024 were distributed across key categories, including Execution, Delivery, and Process Management; Business Disruptions & System Failures; Damage to Physical Assets; External Frauds; and Internal Frauds. While these losses were predominantly driven by a limited number of specific incidents, the Bank successfully mitigated their financial impact through timely recoveries and rectifications. To prevent recurrence, the Bank introduced targeted process improvements and fortified its control environment.
The operational risk capital allocation for 2024, calculated under the Alternative Standardised Approach per Basel III, amounted to Rs. 82.20 Bn. Remarkably, net losses (after accounting for recoveries) constituted only 0.087% of this allocation, reflecting the effectiveness of the Bank’s operational risk management framework and robust internal controls.
IT risk
IT risk encompasses the business risks associated with the use, ownership, operation, and strategic adoption of information technology within the Bank. As a critical subset of operational risk, IT risk manifests through various channels, such as system interruptions or failures, errors, fraud enabled by system vulnerabilities, cyberattacks, technological obsolescence, and the competitive pressure of keeping pace with advancements in technology. IT risks broadly cover governance structures, system availability, access controls, threat management, change management, physical and environmental security, and disaster recovery and business continuity planning.
Given the complex and unpredictable nature of IT risks, their effective management remains a challenging yet paramount task for the Bank. Recognising these challenges, the Bank has prioritised IT risk management, particularly focusing on implementing robust cyber security strategies. Substantial investments in cyber security enhancements have enabled the Bank to integrate new technologies and business innovations securely while safeguarding both institutional and customer data from sophisticated cyber threats.
IT Risk Management Framework
The Bank’s IT Risk Management Framework, implemented through the IT Risk Unit within the IRMD, ensures a structured approach to IT risk governance. This includes robust policies, processes, and advanced technical capabilities to identify, assess, and mitigate significant IT risks. The IT Risk Management Policy, operating in synergy with the Operational Risk Management Policy and the Information Security Policy, establishes a comprehensive system for managing IT and information security risks across the Bank.
A core component of the framework is the Risk Control Self-Assessment (RCSA), which enables the proactive identification and assessment of IT risks. Independent IT risk reviews conducted by the IT Risk Unit, alongside audits, incident analyses, and data from internal and external loss events, contribute to the holistic evaluation of IT risk.
Risk mitigation measures
The Bank employs a multi-layered approach to IT risk mitigation, implementing controls across data, applications, devices, and networks to ensure robust, end-to-end security. This multi-layered system enhances the Bank’s ability to detect, prevent, respond to, and recover from cyber threats effectively. Key units within the Bank have achieved globally recognised certifications, including ISO/IEC 27001:2013 for Information Security Management Systems (ISMS) and PCI DSS certification, ensuring the confidentiality, integrity, and availability of data and systems. The Bank remains on track to achieve full certification for all 350 banking units by 2025.
Cyber security and compliance
Cyber security remains a strategic focus, with initiatives including the rollout of Baseline Security Standards (BSS) across the Bank’s branch network and head office. These measures align with the regulatory expectations of the CBSL, underlining the Bank’s commitment to enhancing information and cyber security governance. Annual independent audits conducted by ISO 27001 ISMS external auditors and PCI DSS Qualified Security Assessors further reinforce the Bank’s adherence to global best practices.
Monitoring IT risk
Continuous, independent monitoring of the Bank’s IT risk profile is conducted using Key IT Risk Indicators (KIRIs). These indicators, supported by trend analyses, identify high-risk or emerging issues, enabling the Bank to take prompt and effective corrective actions. Areas monitored include information security incidents and system performance metrics, ensuring timely responses to mitigate risks.
Talent retention and operational resilience
Staff turnover, a persistent concern in the IT domain, was proactively addressed during the year. The Bank introduced a special grading system and market-aligned salary adjustments for IT professionals to attract and retain talent. Despite increased business volumes and operational complexity, the number of major IT-related incidents remained stable, reflecting the robustness of the Bank’s IT infrastructure and risk management capabilities. All major operational risk events, including those related to IT, underwent thorough reviews, with mitigatory actions implemented promptly.
Key achievements and future plans
- Continued investments in cyber security enhancements.
- Expansion of the Bank’s ISMS certification to cover all units by 2025.
- Implementation of advanced IT risk mitigation measures across technological layers.
- Enhanced talent retention strategies to sustain operational excellence.
- Alignment with CBSL directives to fortify IT risk governance.
By integrating cutting-edge technology with a strong governance framework, the Bank continues to bolster its resilience against IT risks, ensuring secure, efficient, and uninterrupted services for its stakeholders.
Sustainability and Climate Risk
Sustainability and climate-related risks, including Environmental and Social (E&S) risks, are pivotal components of the Bank's risk management strategy. These risks stem from a wide range of ESG factors that directly or indirectly influence the Bank’s operations, lending activities, reputation, and long-term viability. By addressing these interconnected risks, the Bank reinforces its commitment to responsible banking and positions itself as a leader in sustainable development.
The Bank recognises that sustainability risks not only pose challenges but also provide opportunities for innovation, growth, and resilience. Incorporating ESG considerations into decision-making and operational practices strengthens the Bank's ability to create value for all stakeholders while aligning with global sustainability goals, such as the United Nations’ Sustainable Development Goals (SDGs) and the Paris Agreement.
Key risk areas
The Bank has categorised sustainability and climate-related risks into three primary domains to ensure comprehensive identification and management:
Environmental risks
- Climate-related risks:
  - Physical risks:
    – Acute events such as floods, hurricanes, and droughts
    – Chronic changes such as rising sea levels, temperature variations, and shifting rainfall patterns
    – Impact on assets, infrastructure, and supply chains, affecting borrowers’ financial stability and the Bank's operational continuity
  - Transition risks:
    – Policy changes such as carbon taxes, emission reduction targets, and environmental regulations
    – Market dynamics, including shifts in consumer preferences towards sustainable products and technologies
    – Reputational risks linked to perceived inaction on climate change by the Bank and/or borrowers
- Resource depletion and biodiversity loss
- Pollution including air, water, soil contamination, and greenhouse gas emissions
Social risks
- Unfair labour practices, including forced and child labour
- Occupational health and safety hazards
- Community displacement and cultural heritage loss due to project financing
- Discrimination, lack of diversity, and inequitable access to resources
- Reputational risks arising from borrower practices that fail to meet ethical or social expectations
Governance risks
- Bribery and corruption, unethical business conduct, and financial crimes
- Information security breaches and inadequate IT governance
- Poor compliance with international frameworks and regulatory standards
Integrated framework for sustainability and climate risk management
The Bank’s approach to managing these risks is guided by its comprehensive Sustainability Framework. This framework aligns with international best practices, including the IFC Performance Standards and the SLFRS S1 & S2. Supporting systems and policies include:
1. Environmental and Social Management System (ESMS):
- A systematic mechanism to assess and mitigate E&S risks across lending activities, operations, and stakeholder engagements
- Incorporates tools for identifying and addressing potential risks at every stage of the project lifecycle
1.1 Environmental and Social Risk Management Policy:
- Outlines principles for sustainable development, including environmental protection, social equity, and ethical governance
- Defines risk assessment processes, mitigation measures, and criteria for excluded activities
1.2 Environmental and Social Risk Assessment and Management Procedure:
- Defines risk assessment and management processes: criteria for excluded activities, environmental and social risks screening, pre-defined thresholds for due diligence, mitigation measures/corrective action plans for material risks, and process for monitoring compliance to corrective actions.
2. Climate Risk Management Framework (to be implemented in 2025):
- Aims to systematically identify, assess, and manage climate-related risks at both the portfolio and project levels
- Emphasises integrating climate considerations into existing risk management processes
Impact of sustainability and climate-related risks
The Bank acknowledges that inadequate management of these risks could result in:
- Financial impacts: Loan defaults, increased credit risk, asset devaluation, and higher operational costs due to climate-related disruptions.
- Reputational damage: Loss of stakeholder trust due to perceived inaction or association with unsustainable practices.
- Legal and regulatory consequences: Penalties, lawsuits, or enforcement actions resulting from non-compliance with sustainability-related regulations.
The climate-related risks are listed in Tables 58 and 59 on pages 276 and 277, and the climate-related opportunities in Table 60 on page 278.
In line with the requirements specified under SLFRS S2, a preliminary-level assessment has been carried out by the Bank. However, this assessment will be further improved through the Bank’s continuous commitment to investing in climate data capabilities and climate risk management.
- Climate-related risks:
Climate change can have widespread and significant impacts across sectors and geographies, potentially affecting the financial system. The identified climate related risks are categorised into three different time buckets in line with their synchronisation with the Bank’s financial and capital budgets, as listed below:
- Short term (ST): 0-1 year
- Medium term (MT): 1-5 years
- Long term (LT): 5-30 years
Because the climate-related risks in the Bank’s portfolios crystallise, through macro and micro transmission channels, in traditional risk categories such as credit risk, market risk, operational risk, and reputational risk, climate risk itself is treated as a risk driver.
Climate related Physical Risks Table – 58
Category | Climate Related Risk driver | Time Horizon | Impact on Business Model | Direct/Indirect Impact | Principal Risk category to the Bank | Strategy & Decisions (adaptation/mitigation) |
Acute | Extreme weather events (floods, storms, landslides) | ST, MT | Disruption of business operations of the Bank: infrastructure damage, service disruptions, decreasing supplies, increased operational costs, adaptation costs | Direct | Operational Risk, Reputation Risk | Disaster preparedness, business continuity planning, budget allocations for repair work and structural reinforcements, digital transformation to remote services (enhancing digital banking services to ensure customers can access banking services even during physical disruptions) |
 | | ST, MT | Disruption of borrowers’ business operations: infrastructure damage, service disruptions, decreasing supplies, increased operational costs, adaptation costs leading to increased loan defaults, collateral devaluation | Indirect | Credit Risk | Incorporating physical climate risks into the credit evaluations, insurance coverage, diversifying the loan portfolio across different sectors and geographic areas |
Chronic | Sea-level rise | LT | Damage to business premises in coastal belt | Direct | Operational Risk, Reputation Risk | Budget allocations for structural reinforcements, relocation plans |
 | | LT | Damage to borrower’s business premises in coastal belt | Indirect | Credit Risk, Operational Risk | Regularly assess and adjust the loan and investment portfolio to minimise exposure to sectors vulnerable to climate impacts |
 | Rising temperatures | MT, LT | Business disruptions; heat waves can strain cooling systems for data centers, increasing the risk of outages or data loss, affect human health, leading to heat-related illnesses, and reduce labour productivity | Indirect | Operational Risk, Reputation Risk | Budget allocations for backup systems, business continuity plans, employee support programs |
Climate related Transition Risks Table – 59
Climate Transition risk driver | Description | Time Horizon | Impact on Business Model | Direct/Indirect Impact | Principal Risk | Strategy & Decision Making |
Policy & Legal | Requirement of de-carbonization of loan portfolio | MT, LT | Loss of revenue from clients with high carbon intensity | Direct | Strategic Risk | Green financing, loan tenure adjustments, support customers in their transition to a net zero economy |
 | Absence of carbon pricing policies | MT | Missed innovation opportunities | Direct | Strategic Risk | Alignment with national policies and climate strategies and Nationally Determined Contributions (NDC) |
 | EU Carbon Border Adjustment Mechanism (CBAM) | MT, LT | Increased credit risk for export clients | Indirect | Credit Risk | Transitional finance, climate stress-testing |
Reputation | Bank’s reputation affected by slow transition | MT, LT | Investor concerns, loss of customers | Direct | Reputational Risk | Proactive climate strategies, scenario planning, report on progress in supporting the green transition to Bank’s stakeholders |
 | Funding clients slow to adapt | MT, LT | Higher costs, slow adoption of sustainable processors | Direct | Credit Risk, Market Risk, Reputational Risk | Climate-focused lending policies, ESG alignment, build resilience by embedding climate risk impacts in decision making processes |
Market | Shifts in consumer preferences toward sustainable technologies | MT, LT | Impact on industries dependent on traditional, carbon-intensive technologies, market share loss to competitors, may result in stranded assets, decline in equity prices of carbon-intensive firms | Direct | Credit Risk, Market Risk | Digital transformation, sustainable banking products, diversification, green investments, monitoring macroeconomic conditions, strategic alignment |
Climate related Opportunities Table – 60
Category | Opportunity Description | Time Horizon | Business Impact | Strategy & Decision Making |
Working towards making the Bank operations Net zero aligning with country plans and targets | Energy efficiency & resource optimization | ST, MT, LT | Cost reduction, improved efficiency, reduced carbon footprint, national policy alignment and regulatory compliance | Incentives for energy-saving innovations, employee KPIs linked to reducing carbon footprint |
 | Renewable energy transition | ST, MT, LT | | Renewable installations targets, investing in carbon credit schemes |
 | Financing to Sustainable businesses and Circular Economy | ST, MT, LT | Market expansion, enhanced ESG profile with market reputation, national policy and NDC alignment and regulatory compliance, positive impact on market share of the Bank | Targets in corporate plan, green financing targets (financing to the activities eligible under the climate mitigation criteria given in Green Finance Taxonomy of Sri Lanka), digital banking expansion |
Bank investments for enhancing climate adaptive capacity and resilience of communities and ecosystems | Financing to climate adaptation projects and companies engaged in climate resilience | ST, MT, LT | Market expansion, alignment with the country's National Adaptation Plan (NAP) for Climate Change Impacts, positive impact on market share of the Bank | Targets in corporate plan, green financing targets (financing to the activities eligible under the climate adaptation criteria given in Green Finance Taxonomy of Sri Lanka) |
There will be opportunities available for the Bank, arising from the global transition to a low-carbon economy, which will involve scaling up zero or near-zero emitting technologies and supporting emissions reductions in high-emitting and hard-to-abate sectors, amid the global journey to minimise the worst effects of climate change.
Banks have several opportunities due to climate adaptation, ranging from financial products to risk management strategies. Climate adaptation finance is becoming a growing market, especially as businesses and governments invest in resilience against physical climate risks.
Proactive risk management measures related to ESCR
The Bank employs a multi-faceted approach to manage sustainability and climate-related risks effectively:
1. Risk identification and assessment:
- Comprehensive due diligence for all lending activities, incorporating ESG and climate risk evaluations.
- Detailed climate risk assessments, including the identification of physical and transition risks, supported by scenario analysis and stress-testing.
- Use of internationally recognised metrics such as Scope 1, Scope 2, and if applicable, Scope 3 greenhouse gas emissions to quantify climate-related impacts.
2. Risk mitigation:
- Avoiding financing for activities deemed illegal or unsustainable, such as projects involving unsustainable resource extraction/utilization, forced labour, destruction of critical habitats, destruction of cultural heritage or trade in banned substances.
- Partnering with borrowers to improve their ESG practices through capacity building, technical assistance, and alignment with global standards.
- Strengthening the Bank’s internal operations to reflect its sustainability values, including adopting energy-efficient technologies and reducing its carbon footprint.
3. Monitoring and reporting:
- Regular monitoring of borrower compliance with E&S requirements, supported by annual performance reviews and real-time tracking tools.
- Quarterly reporting of climate and E&S risk metrics to the Board and management committees, ensuring transparency and accountability.
- Use of risk dashboards to visualise and analyse the Bank’s overall risk exposure across products, portfolios, and geographies.
4. Governance and oversight:
- Active oversight by the Board of Directors, ensuring alignment with regulatory standards and international best practices.
- Integration of climate considerations into governance structures such as the EIRMC and the BIRMC.
- Establishment of a Climate Risk Workgroup to drive the development and implementation of climate strategies.
The E&S risk screening outcome for the year 2024 is given in Graph 59.
Environmental and social risk category wise distribution of lending proposals as at December 31, 2024 Graph – 59
- Category A – Projects with High environmental and/or social risks
- Category B – Projects with Medium environmental and/or social risks
- Category C – Projects with Low environmental and/or social risks
Other risk
Legal risk
Legal risk is recognised as a critical element of operational risk, encompassing potential exposure to adverse outcomes arising from issues such as inaccurately drafted contracts, improper execution of agreements, absence of written agreements, or inadequately structured contracts. These risks may lead to significant consequences, including regulatory reprimands, fines, penalties, punitive damages from supervisory actions, or the financial and reputational costs of private settlements.
The Bank adopts a proactive and structured approach to managing legal risk by ensuring that all relevant regulations are thoroughly considered and adhered to in its dealings with individuals, institutions, and other entities. This is achieved through comprehensive documentation and robust risk mitigation strategies. To further mitigate legal risks, the Bank has established and maintains an effective framework for verifying the conformity of its operations and agreements with applicable laws and regulations.
This proactive approach not only aims to prevent breaches of rules and regulations but also minimises the likelihood and impact of legal risks associated with the Bank’s activities. By aligning its legal risk management practices with industry best practices and regulatory expectations, the Bank reinforces its commitment to maintaining operational resilience and safeguarding stakeholder interests.
Compliance and regulatory risk
Compliance and regulatory risk encompasses the potential exposure of the Bank to adverse outcomes resulting from non-compliance with applicable laws, rules, regulations, and codes of conduct. Such non-compliance could result in regulatory penalties, financial losses, business disruptions, and reputational damage. To address this, the Bank has instituted a robust compliance framework, anchored by a dedicated compliance function that directly reports to the Board of Directors. The framework is guided by a comprehensive Compliance Policy that systematically identifies, monitors, and mitigates compliance risks.
Complementing this framework, the Bank's culture and Code of Ethics play an integral role in fostering accountability and mitigating compliance risks.
The Bank is committed to maintaining a strong culture of compliance across its operations, ensuring alignment with all relevant regulations and industry standards. To strengthen its regulatory compliance capabilities, the Bank has implemented several key measures:
- Incorporating regulatory developments: Ensuring timely integration of new regulatory requirements into internal policies, procedures, and controls.
- Enhanced transaction monitoring: Introducing advanced scenarios to better monitor and identify unusual activities.
- Compliance program reviews: Conducting regular reviews to ensure the relevance and effectiveness of the compliance framework.
- Compliance audits: Performing comprehensive audits across 139 branches, business units and financial subsidiaries to ensure adherence to policies.
- Risk analysis and control implementation: Systematically analysing compliance risks and implementing tailored controls to address identified gaps.
- Staff training: Providing ongoing training programs to enhance staff awareness and competency in compliance matters.
- Independent verification: Conducting periodic verifications of the compliance function by the Inspection Department to ensure robust oversight and accountability.
These initiatives collectively reflect the Bank's unwavering commitment to regulatory compliance and the proactive management of compliance and regulatory risks. By maintaining rigorous standards and fostering a compliance-focused culture, the Bank ensures the safeguarding of its operations, reputation, and stakeholder trust.
Strategic risk
Strategic risk in banking pertains to the challenges arising from ineffective strategic decisions, misalignment with market dynamics, or the inability to adapt to rapidly changing competitive and economic environments. Such risks can lead to erosion of market share, compromised financial performance, and failure to achieve long-term strategic goals.
The Bank adopts a proactive approach to managing strategic risk, integrating risk evaluation into its corporate planning and budgeting processes. These processes are closely aligned with the Bank’s vision, mission, and risk appetite to ensure consistency and resilience in strategic decision-making.
To quantify and monitor strategic risk, the Bank employs a robust scorecard-based qualitative model, which is harmonised with the ICAAP. This model considers multiple dimensions, such as the Bank’s size, sophistication, operational complexity, and the nature of its business. Key factors evaluated within this model include:
- Capital adequacy: Ensuring sufficient capital buffers to support growth while managing risks.
- Earnings volatility: Analysing revenue streams to minimise fluctuations and maintain financial stability.
- Shareholder value creation: Monitoring initiatives that align with shareholder expectations and deliver long-term value.
The model assigns weightages to these criteria, and scores are allocated based on performance against these metrics. This structured methodology enables the Bank to identify areas requiring improvement and implement targeted actions to mitigate potential strategic risks.
Reputational risk
Reputational risk in banking pertains to the potential negative impact on earnings, assets, liabilities, or brand equity resulting from adverse stakeholder perceptions of the Bank’s business practices, activities, or financial health. Recognising its broad and interconnected nature, the Bank acknowledges that reputational risk can arise from various operational and strategic business risks, requiring proactive and multifaceted management. The rise of digital platforms and social media has significantly increased the Bank's exposure to reputational risks, amplifying the speed and scale of stakeholder reactions.
The Bank adopts a robust, integrated approach to managing reputational risk, embedding its management into the existing systems and controls designed for credit, market, and operational risks. This is further supported by a comprehensive suite of policies and frameworks, including:
- Code of conduct: Ensures ethical practices are consistently upheld across all operations.
- Anti-Bribery and Anti-Corruption Policy: Reinforces the Bank's commitment to transparency and integrity.
- Conduct Risk Management Policy Framework: Focuses on embedding ethical conduct into daily operations.
- Communication Policy: Manages external and internal communications to maintain clarity, consistency, and alignment with the Bank's values.
- Business ethics guidelines: Promote responsible decision-making and ethical interactions with stakeholders.
Employees are encouraged to internalise and adhere to these policies, fostering a culture of integrity and accountability that underpins the Bank's reputation.
To monitor and assess reputational risk, the Bank employs a comprehensive scorecard methodology aligned with the ICAAP. This structured framework evaluates various dimensions of reputational risk, enabling the Bank to proactively identify vulnerabilities and implement timely mitigation strategies. Additionally, the implementation of a Group Reputational Risk Management Policy framework formalises the governance of reputational risks across the organisation.
Through these proactive measures, the Bank safeguards its reputation while reinforcing stakeholder trust, ensuring its long-term sustainability and competitive positioning in a dynamic business environment.
Conduct risk
As a trusted financial institution, the Bank recognises that public trust and confidence are fundamental to its success and sustainability. This underscores the importance of aligning the Bank's interests with those of its customers, ensuring fair and ethical outcomes in all interactions.
Conduct risk arises from various factors such as unfair business practices, professional misconduct, ethical lapses, operational inefficiencies, bribery and corruption, compliance failures, and weaknesses in governance. These issues can erode customer confidence and compromise the Bank’s reputation. Fully aware of these risks, the Bank has implemented a comprehensive approach to ensure proper conduct and fair outcomes for all stakeholders.
The Bank’s customer-centric approach focuses on fostering a culture of integrity, transparency, and accountability through the following key practices:
- Accountability: Emphasising individual and organisational responsibility for actions and decisions, ensuring alignment with customers' best interests.
- Remuneration structures: Designing compensation systems that discourage unethical behaviour while promoting fair and responsible practices.
- Compliance with laws and regulations: Upholding not only the legal requirements but also the spirit of regulations, adhering to the highest standards of compliance.
- Learning culture: Building a continuous learning environment where employees are educated on ethical conduct, compliance expectations, and industry best practices.
- Transparency: Enhancing operational and decision-making transparency to provide clear, concise, and accurate information to customers and stakeholders.
- Public disclosures: Maintaining open communication through timely, relevant, and accurate disclosures to foster public trust.
- Service level agreements (SLAs): Establishing and rigorously adhering to SLAs to ensure efficient and reliable service delivery.
- Customer complaint handling: Developing a robust, fair, and prompt process for addressing customer complaints to enhance satisfaction and trust.
- Customer engagement: Actively seeking customer feedback to better understand their needs and concerns, continuously refining products and services to meet expectations.
To monitor and assess conduct risk, the Bank employs a comprehensive scorecard methodology aligned with the ICAAP. This structured framework evaluates multiple dimensions of conduct risk, enabling the Bank to proactively identify vulnerabilities and implement timely mitigation strategies. Furthermore, the implementation of a Group Conduct Risk Management Policy framework formalises the governance of conduct risks across the organisation, reinforcing a robust risk management culture. This framework serves as a comprehensive guide to managing conduct risk and upholding high standards of behaviour and integrity within the organisation.
Contagion risk
Contagion risk, also referred to as systemic risk, is a significant concern in the banking sector, arising from the interconnected nature of global financial systems. It denotes the potential for financial stress or shocks in one country, market, industry, or counterparty to spill over and trigger disturbances or defaults across others. Such cascading effects can amplify existing vulnerabilities, resulting in widespread disruptions.
The implications of contagion risk are profound, often manifesting as financial volatility, destabilisation of financial systems, and broader economic consequences. The COVID-19 pandemic exemplified how a global health crisis can ignite financial contagion, disrupting markets and economies worldwide. Similarly, geopolitical tensions, trade conflicts, and currency crises are potential triggers that could escalate into contagion events.
To mitigate contagion risk, the Bank employs proactive monitoring and robust risk management practices. Key initiatives include:
- Identifying risk-elevated industries: Systematic monitoring of sectors and regions prone to economic stress, leveraging the EWS system. This system utilises comprehensive internal data sources to flag potential vulnerabilities early.
- Scenario analysis and stress-testing: Conducting regular scenario analyses to anticipate potential contagion scenarios and their impact on the Bank’s operations and capital adequacy.
- Risk mitigation strategies: Developing targeted action plans to address identified risks, including measures to contain potential spillover effects and strengthen resilience.
- Monitoring cross-market linkages: Assessing the interconnectedness between markets, industries, and counterparties to identify and limit vulnerabilities.
- Enhanced strategic planning: Incorporating contingency plans into broader strategic frameworks to ensure readiness for systemic disruptions.
The Bank also places emphasis on fostering operational resilience by maintaining strong capital buffers, liquidity reserves, and risk governance frameworks. This ensures that the Bank is well-positioned to manage contagion risk effectively while safeguarding the interests of its stakeholders.
Given the ongoing uncertainties in the global economic landscape, the Bank remains vigilant in its approach to contagion risk. Continuous risk assessments, dynamic monitoring, and adaptive strategies are integral to mitigating potential systemic threats, preserving financial stability, and supporting sustainable growth.
Model risk
Model risk, a critical subset of operational risk, pertains to the potential for adverse outcomes arising from the failure or inaccuracy of financial models used by the Bank. These models, which integrate statistical, economic, financial, and mathematical theories, techniques, and assumptions, are instrumental in processing data and generating quantitative estimates for managing a variety of risks. When models malfunction or produce inaccurate results, they can undermine decision-making and adversely impact the Bank's performance and risk profile.
Model risk can emerge from a multitude of factors, including programming errors, incorrect data inputs, flawed technical designs, inappropriate model assumptions, and misinterpretations of model outputs. Given the pivotal role these models play in shaping strategic and risk management decisions, effective management of model risk is indispensable to maintaining the Bank’s resilience and operational efficiency.
The Bank maintains a streamlined framework for managing model risk through several key measures. These include comprehensive testing protocols, stringent governance policies, and independent model reviews.
Comprehensive Testing: Validation procedures are employed to ensure the accuracy and reliability of all financial models. These procedures encompass testing for potential errors, validation of underlying assumptions, and verification of model output consistency with expected results.
Stringent Governance Policies: The Bank adheres to established governance policies and frameworks governing the development, validation, and application of financial models. These policies define standards and procedures designed to ensure model integrity.
Independent Model Reviews: Independent reviews are conducted to provide an objective assessment of model effectiveness and accuracy. These reviews, performed by external experts or internal specialised teams, aim to identify potential weaknesses or areas for enhancement.
Through the implementation of these risk management practices, the Bank seeks to minimise the probability of model failure and enhance the reliability of its quantitative risk estimates. This proactive approach ensures that the models employed contribute to sound decision-making and support the effective management of diverse risk exposures.
Bribery and corruption-related risks
The Bank takes a firm stance against bribery and corruption, recognising their illegality and potential to harm its reputation, operational integrity, and stakeholder trust. Addressing these risks is a priority for the Bank, supported by a robust framework of policies and guidelines that foster transparency, accountability, and ethical conduct across all levels of the organisation.
To mitigate bribery and corruption-related risks, the Bank has implemented the following measures:
- Anti-Bribery and Anti-Corruption Policy: The Bank’s Board-approved Anti-Bribery and Anti-Corruption Policy outlines clear principles for identifying, preventing, and countering bribery and corruption. The policy sets explicit expectations regarding employee conduct related to bribery, kickbacks, commissions, and other corrupt practices. Accessible to the public via the Bank’s official website and available on the intranet for employees, this policy underscores the Bank’s zero-tolerance stance and commitment to ethical governance. (Link: https://www.combank.lk/info/file/91/anti-bribery-and-anti-corruption-policy)
- Whistleblowers Charter: A Whistleblowers Charter is in place to protect and encourage employees to report suspected bribery, corruption, or other unethical behaviour. By providing anonymity and safeguarding whistleblowers from retaliation, the Bank ensures accountability and reinforces trust within the organisation.
- Guidelines on gifts and favours: The Bank has established detailed guidelines regarding the acceptance and offering of gifts, favours, or any form of illegal gratification. These guidelines also govern fundraising activities and personal affiliations with customers and suppliers, as outlined in the Code of Ethics and administrative circulars. This measure seeks to eliminate potential conflicts of interest and deter situations that could lead to unethical practices.
- Code of Ethics: As part of its commitment to the 10th Principle of the UN Global Compact, the Bank’s Code of Ethics emphasises combating corruption in all forms. Employees are expected to avoid abuse of power for personal gain, refrain from soliciting or accepting gifts, and ensure they and the Bank maintain integrity. Furthermore, employees are prohibited from offering bribes or illegal incentives to secure business for the Bank, reinforcing the Bank's commitment to fairness and ethical business practices.
- Prohibition on political contributions: The Bank strictly prohibits any form of political contributions, as stated explicitly in the Anti-Bribery and Anti-Corruption Policy. This ensures impartiality and prevents any potential misuse of resources or influence in political activities.
- Training and awareness: Regular training programs are conducted to raise awareness among employees about the Code of Ethics, Whistleblowers Charter, and incident-specific scenarios. These sessions are designed to equip staff with the knowledge and skills required to identify and prevent corruption-related risks.
By embedding these measures into its operations and fostering a culture of transparency, accountability, and ethical conduct, the Bank is committed to mitigating bribery and corruption risks.
This proactive approach not only aligns with regulatory expectations but also strengthens stakeholder confidence in the Bank's commitment to integrity and ethical business practices.
Capital adequacy and ICAAP Framework
The Bank remains steadfast in adhering to Basel requirements while employing sophisticated internal models as outlined in the ICAAP framework. ICAAP serves as a cornerstone of the Bank's risk and capital management strategy, enabling a comprehensive assessment of its risk profile, stress-testing key risk drivers, and determining internal capital adequacy requirements. By implementing internal limits that are often more stringent than regulatory thresholds, the Bank proactively identifies early warning signals to ensure robust capital adequacy.
Role of ICAAP in capital management
ICAAP is integral to the Bank's supervisory review process, providing a holistic evaluation of capital requirements in alignment with its future business strategies. This framework seamlessly integrates the Bank’s strategic focus, risk management initiatives, and capital planning, ensuring that these elements are harmonised to support sustainable growth.
The process is enriched by inputs from multiple levels of the organisation, including Senior Management, Management Committees, Board Committees, and the Board of Directors. It incorporates a forward-looking perspective, evaluating the risks of capital inadequacy under stressed scenarios to bolster the Bank's resilience against potential vulnerabilities.
Optimising capital and risk management
In addition to ensuring capital adequacy, ICAAP underpins profit optimisation by enabling proactive decision-making on current and potential exposures. By leveraging stress-testing and scenario analysis, the Bank identifies vulnerabilities and focuses on managing both the qualitative and quantitative dimensions of reputational and strategic risks. These critical aspects, which extend beyond the scope of Pillar I under Basel III, reflect the Bank's commitment to comprehensive risk management.
Compliance and prudence in capital adequacy
The Bank consistently complies with both regulatory and prudential capital adequacy requirements, demonstrating a proactive approach to maintaining financial stability. Its loyal shareholder base, combined with consistently strong profitability, positions the Bank well to meet its capital needs over the long term. This ensures not only sufficient coverage for all material risks but also supports the Bank's growth ambitions, particularly as a Domestic Systemically Important Bank (D-SIB).
Ensuring resilience and strategic expansion
As a D-SIB, the Bank recognises its critical role in maintaining systemic stability within the financial ecosystem. ICAAP enhances its ability to sustain adequate capital buffers while pursuing expansion initiatives, enabling the Bank to remain resilient in the face of evolving market dynamics. Through its robust capital management framework, the Bank is well-prepared to address emerging challenges and seize growth opportunities, ensuring long-term value creation for its stakeholders.
Basel III minimum capital requirements and buffers
The Banking Act Direction No. 01 of 2016 mandated all licensed commercial banks to comply with the capital requirements under the Basel III framework starting July 1, 2017. This directive outlined a phased timeline for progressively raising minimum capital ratios, culminating in full implementation by January 1, 2019. Notably, the framework also introduced a Higher Loss Absorbency (HLA) component for Domestic Systemically Important Banks (D-SIBs), reflecting their critical role in financial system stability.
The Bank’s capital status as of December 31, 2024, significantly surpasses the minimum requirements prescribed by the CBSL effective January 1, 2019. This underscores the Bank's strong capital position, robust financial stability, and resilience, even amidst ongoing economic challenges. The Bank's ability to consistently meet and exceed these stringent regulatory thresholds demonstrates its commitment to maintaining a solid capital foundation.
Targeted and actual Capital Adequacy Ratios Table – 61
Capital ratios | Regulatory minimum % | Goal (internal requirement) % | As at December 31, 2024 % | As at December 31, 2023 % |
CET 1 | 8.500 | >8.500 | 14.227 | 11.442 |
HLA | 1.500 | >1.500 | ||
Tier I | 10.000 | >10.000 | 14.227 | 11.442 |
Total | 14.000 | >14.000 | 18.142 | 15.151 |
ICAAP and capital planning
The Bank leverages the ICAAP to periodically assess its capital requirements over a five-year horizon. This process enables the development of proactive capital augmentation plans, which are reviewed by the CBSL for alignment with regulatory expectations. The successful issuance of Basel III-compliant debentures, a rights issue of shares, and the prudent retention of profits have significantly bolstered the Bank’s capital adequacy, elevating it comfortably above minimum requirements throughout the year.
Basel Workgroup and strategic alignment
To ensure robust capital adequacy in alignment with its strategic objectives, the Bank has established a dedicated Basel Workgroup comprising representatives from key business and support units. This workgroup actively assesses the Bank’s capital position, taking into account the evolving regulatory and economic landscape. While ICAAP provides the foundation for these assessments, the Basel Workgroup continuously refines its approach, offering actionable recommendations to the ALCO. These insights cover a range of aspects, including current and future capital requirements, anticipated capital expenditure, and optimal capital levels, ensuring that the Bank remains well-prepared to address both existing and emerging challenges.
Capital as a cornerstone of resilience
Recognising the capital-intensive nature of the banking industry, the Bank places significant emphasis on maintaining an optimal capital structure. It benefits from a dedicated shareholder base with a long-term perspective, supported by prudent dividend policies and the strategic retention of profits. These efforts have fostered shareholder loyalty while strengthening the Bank’s financial foundation.
The Bank actively seeks ways to optimise capital allocation, ensuring judicious utilisation for day-to-day operations while retaining the flexibility to explore external sources for capital enhancement when necessary. This balanced approach provides the Bank with the agility to support growth initiatives and navigate market uncertainties effectively.
Maintaining a sound capital buffer
The Bank’s current capital buffer is considered adequate to support its growth plans and to withstand stress scenarios in the market. However, it remains vigilant, proactively assessing its capital position to adapt to changing conditions. This disciplined approach ensures sustained stakeholder confidence and positions the Bank as a trusted and resilient institution in the financial sector. By aligning its strategic objectives with a robust capital management framework, the Bank continues to uphold its commitment to financial stability, resilience, and long-term value creation.
Stress-testing
Stress-testing is a vital component of the Bank’s ICAAP under Pillar II, enabling the Bank to evaluate the potential impact of severe yet plausible shocks on its major risk exposures. By subjecting its risk profile to these stress scenarios, the Bank gains valuable insights into the resilience of its capital, funding, liquidity, and earnings, both in the present and for future projections.
This process plays a dual role, not only assessing the resilience of the Bank under adverse conditions but also contributing to strategic planning. Within the ICAAP framework, stress-testing informs key aspects of risk management, capital planning, and liquidity strategies.
These include:
- Setting risk appetite triggers and risk tolerance limits.
- Reviewing and adjusting limits to mitigate risks.
- Restricting or reducing exposures as necessary.
- Implementing hedging strategies.
- Developing contingency plans to address varying degrees of stressed conditions.
Stress-testing also serves as an important communication tool, demonstrating the Bank’s preparedness and resilience under adverse scenarios to both internal and external stakeholders.
Governance and methodologies
The Bank has established a robust governance framework for stress-testing, clearly defining the responsibilities and methodologies for conducting stress tests at various levels, including the Bank as a whole, specific business lines and individual risk types.
The methodologies employed include:
- Scenario analysis: Assessing the impact of predefined adverse scenarios on the Bank’s performance
- Sensitivity analysis: Measuring the Bank’s vulnerability to changes in specific risk factors
- Reverse stress-testing: Identifying scenarios that could result in the Bank's business model becoming unviable
This comprehensive approach ensures a deeper understanding of the potential impacts of various stress scenarios.
Impact on CAR at minor, moderate and severe stress levels Table – 62
Particulars | Description | 2024 Minor % | 2024 Moderate % | 2024 Severe % | 2023 Minor % | 2023 Moderate % | 2023 Severe % |
Credit risk – asset quality downgrade | Increasing the direct non-performing facilities over the direct performing facilities for the entire portfolio(1) | -0.39 | -0.94 | -1.51 | -0.55 | -1.54 | -2.33 |
Operational risk | Impact of: top five operational losses during last five years; average of yearly operational risk losses during last three years; whichever is higher | -0.03 | -0.07 | -0.15 | -0.03 | -0.08 | -0.17 |
Foreign exchange risk | Percentage shock in the exchange rates for the Bank and the Maldives operations (gross positions in each Book without netting) | -0.18 | -0.22 | -0.34 | -0.13 | -0.39 | -0.65 |
Liquidity risk (LKR) – | Withdrawal of percentage of the clients, banks and other banking institution deposits from the Bank within a period of three months; rollover of loans to a period greater than three months | -0.18 | -0.43 | -0.75 | -0.14 | -0.33 | -0.61 |
Interest rate risk – EAR and EVE (LKR) – Sri Lanka | To assess the long-term impact of changes in interest rates on Bank’s EVE through changes in the economic value of its assets and liabilities and to assess the immediate impact of changes in interest rates on Bank’s earnings through changes in its net interest income | -1.42 | -2.16 | -6.25 | -0.72 | -2.08 | -4.63 |
(1) Stress scenarios are based on SLFRS-9 guidelines and staging of credit facilities pursuant to the Banking Act Direction No. 13 of 2021.
Scope and risk coverage
The stress-testing framework evaluates material risks such as:
- Credit risk
- Credit concentration risk
- Operational risk
- Liquidity risk
- Foreign exchange (FX) risk
- Interest rate risk in the banking book (IRRBB) using Economic Value of Equity (EVE) and Earnings at Risk (EAR) perspectives
Stress levels are categorised into three tiers based on their impact on capital:
- Minor risk: Where deterioration in capital remains within policy-level requirements
- Moderate risk: A deterioration of up to 1% of capital adequacy
- Severe risk: A deterioration that breaches the statutory minimum capital level, necessitating immediate attention from the Board of Directors and Senior Management
Proactive risk management and reporting
The results of stress-testing are reported quarterly to the EIRMC and the BIRMC. This enables timely and informed decision-making, ensuring that the Bank remains agile and resilient in the face of adverse scenarios. Stress-testing outcomes are also used to guide risk tolerance levels, refine strategy, and foster a proactive risk management culture across the organisation.
Furthermore, stress-testing results help the Bank develop effective communication strategies, providing a comprehensive overview of its risk landscape under hypothetical stress scenarios. This transparency reinforces confidence among stakeholders regarding the Bank’s stability and resilience.
Extracts from the most recent stress-testing results are presented in Table 62 on page 283, offering further insights into the Bank’s resilience under stressed conditions.
Monitoring and reporting
The risk management function at the Bank plays a pivotal role in identifying, measuring, monitoring, and reporting risks across the organisation. To maintain the highest standards of efficiency and expertise, staff members within this function undergo regular training and upskilling, ensuring they remain proficient in the latest risk management practices and methodologies. This skilled workforce is complemented by state-of-the-art IT systems, which enable seamless data extraction, analysis, and scenario modelling. Together, these resources equip the risk management team to manage and oversee the Bank’s risk exposures effectively.
The Bank generates regular and ad-hoc reports on KRIs and risk matrices for both the Bank and its subsidiaries. These reports are meticulously reviewed by Senior Management, Executive Committees, Board Committees, and ultimately, the Board of Directors. The actionable insights provided by these reports are instrumental in evaluating risks, aligning them with the Bank’s strategic objectives, and providing a solid foundation for informed decision-making.
Comprehensive risk insights
The reports provide detailed, multi-dimensional insights into the Bank’s risk exposures, including:
- Aggregate risk measures segmented by products, portfolios, tenures, and geographies.
- Comparative analyses against agreed-upon policy parameters, ensuring the Bank adheres to its defined risk appetite.
- Trend analysis to identify emerging risks and anticipate potential vulnerabilities.
This holistic view of the Bank’s risk landscape facilitates strategic decision-making and ensures that the organisation remains resilient in the face of changing market dynamics. By understanding the sensitivities and interdependencies of the risks undertaken, the Bank can confidently navigate complex risk environments while upholding its commitment to stakeholders.
The Bank’s commitment to robust monitoring and reporting frameworks underscores its proactive approach to risk management, fostering transparency, accountability, and alignment with its long-term objectives.
Basel III – Market discipline
Refer to Annex 2 on pages 491 to 503 for the minimum disclosure requirements under Pillar III as per the Banking Act Direction No. 01 of 2016.
Refer to pages 502 and 503 of Annex 2 for the D-SIB Assessment Exercise disclosed as required by the Banking Act Direction No. 10 of 2019.