The Bank has a strong risk management framework in place to identify, mitigate and monitor material risks across all its functions. Directed by the Risk Management Committee of the Board (RMCB), the Bank has an adequately staffed risk management team led by its Chief Risk Officer (CRO), to implement the directions of the Board.
There are dedicated teams to assess and monitor credit risks, operational risks, market and liquidity risks and information security risks.
The RMCB fulfils its roles and duties through various management level risk committees such as Credit Risk Management Committee (CRMC), Operational Risk Management Committee (ORMC) and Asset Liability and Market Risk Committee (ALCO and the Information Security and Business Continuity Management Committee). These committees are entrusted with the task to identify measure, mitigate and monitor various risks.
March, 2020 saw a disruption in the normal course of business on account of the nation-wide lockdown due to the COVID-19 pandemic. Except for some essential services and activities, the rest of India’s $2.9 Trillion economy remained shuttered during the lockdown period. As the economy was gradually reopened, the Bank had also modified its various risk management frameworks commensurate with risks in the external environment. With the onset of the pandemic, the Bank had undertaken a slew of measures to mitigate the risks in the areas of business continuity, health of customers and personnel, credit and information security areas.
Some of the key measures initiated by the Bank during the year were as follows:
| Area | Key measures undertaken |
|---|---|
| Credit Risk |
|
| Operational Risk |
|
| Information Security |
|
| Market Risk and ALM |
|
In addition, the Bank had also undertaken the following measures to combat the pandemic:
1 Refer COVID-19 – Regulatory Package issued vide RBI/2019-20/186 DOR.No.BP.BC.47/21.04.048/2019-20 dated March 27, 2020
2 Refer COVID-19 – Regulatory Package issued vide RBI/2019-20/244 DOR.No.BP.BC.71/21.04.048/2019-20 dated May 23, 2020.
3 Refer Resolution Framework for COVID-19-related Stress vide RBI/2020-21/16 DOR.No.BP.BC/3/21.04.048/2020-21 dated August 6, 2020
4 Resolution Framework – 2.0: Resolution of COVID-19 related stress of Individuals and Small Businesses and Resolution Framework 2.0 – Resolution of
COVID-19 related stress of Micro, Small and Medium Enterprises (MSMEs)
| Area | Treatment measures |
|---|---|
| Early Warning Systems (EWS) | Branch level scorecards were enhanced to assess the performance on various parameters such as Incremental Overdue, error rates, Non-starter cases, collection performance etc. The Bank has also incorporated external factors in addition to internal EWS parameters to have better early monitoring and to take proactive measures. For all verticals, the Bank has subscribed to various bureau reports to provide real time data on changes in credit scores, change in residential and communication details and leverage etc, as part of monitoring activities. These insights are factored into the EWS framework which helps in categorising borrowers on the basis of inherent risks. |
| Credit rating scorecards |
Designed and successfully launched risk rating scorecards for microfinance, MSE, housing loan and rural banking portfolios. These scorecards are designed to provide an objective and unbiased assessment on potential customers, duly factoring their personal income, repayment track records and collateral aspects (for secured loans). The Bank has also introduced an internal rating model for its institutional lending portfolio. The scorecards will be back-tested, validated and calibrated at regular intervals. For other verticals, the Bank has commenced development of risk rating scorecards to increase objectivity in lending practices. These scorecards are expected to be in place in the ensuing financial year. |
| Expected credit loss |
The Bank has in place a detailed framework for computing Expected Credit Loss (ECL) as per the Ind-AS requirements and also for internal reporting purposes. Models are in place to compute key risk factors such as Probability of Default (PD), Loss Given Default (LGD) and Exposure at Default (EAD). The Bank has also regularly incorporated additional management overlays in its PD and LGD computation models as and when necessary to make it forward looking and to reflect the inherent stress caused by pandemic. |
| Process gaps and enhancements |
Revamped various processes in credit appraisal w.r.t documentation management, loan deviations, exposure norms, and new policies or enhancements to name a few. Occupation mapping of borrowers is currently being enhanced to undertake meaningful industry/sector analysis and corroborate with external outcomes. |
| Industry insights and portfolio analysis |
Continuous analysis of all loan portfolios to identify potential areas of stress on the basis of geography, ticket size, branch/clusters etc. Such analysis has helped the Bank to set mitigants in the form of limits and caps in exposure. |
| Stress testing | Bank undertakes comprehensive stress testing of all loan portfolios using sensitivity and scenario analysis. The impact of adverse events on the PAR%, NPA%, provisions and capital adequacy are assessed at regular intervals. |
| Natural disasters | The Bank has undertaken various programmes for customer outreach and communication, social development programmes, changes in underwriting/credit policies and additional provisioning as risk mitigation measures in states affected by natural disasters. |
| Area | Treatment measures |
|---|---|
| Product and process reviews | All new products and processes (including enhancements) are subject to a mandatory comprehensive review. The Bank continuously reviews and enhances its key processes to adapt to industry best practices.amework which helps in categorising borrowers on the basis of inherent risks. |
| User acceptance testing |
The Bank performs the User Acceptance Testing (UAT) to identify gaps in the actual deliverable versus that which was proposed in the Business Requirement Document (BRD). These gaps are further addressed and closed during the Functional Specification Document (FSD) stage before moving to production. |
| Risk and control self-assessment |
The Bank has initiated RCSA for various business processes to identify inherent and residual risks. There is a time bound plan to close the open issues as observed during RCSA and an update is provided to ORMC and RMC-Board at regular intervals. |
| Key risk indicators |
The Bank has defined 18 KRIs at an organisation level as part of the Operational Risk Management Framework. These KRIs are analysed on monthly basis and a comprehensive report is submitted to the Operational Risk Management Committee (ORMC) and Board at quarterly intervals with action plan for closure of open issues. |
| Loss data management |
Loss Data Management is in place to record material incidents and to learn from errors and in strengthening existing controls. Incidents are recorded as operational loss and near miss events. This is followed by a Root Cause Analysis (RCA) for critical incidents. The Bank records instances along the Basel defined lines of Operational Risk events and process enhancements are tabled at various committees for further action. |
| Operational risk scorecards |
An internal scoring mechanism is in place to capture all risk parameters at a granular level within the Bank i.e. branch level. The scorecard includes all facets of branch operations: Microbanking, Housing and MSE loans, liabilities and other branch related parameters. Branches are categorised as High, Medium or Low risk based on these assessments on monthly basis. |
| Outsourcing risk |
Progressive risk assessment of key outsourced vendors was completed during the year to ensure that these vendors comply with the minimum requirements prescribed by RBI and also Business Continuity aspects as per internal norms. Detailed notes were recorded on the risk assessment done for each vendor through visits and were placed at various forums and committees for further action. |
| Internal Financial Control (IFC) testing |
This is an annual exercise done by the Operational Risk team. The team, along with concerned stakeholders, prepares and enhances Risk & Control Matrices (RCMs). The financial and operational controls in these RCMs are then put to test by collecting samples from across the review period and from different regions, and are then evaluated for success or failure of the control effectiveness. The critical gaps observed during such testing are discussed with concerned functions for upgrading controls which may include automation of the controls. |
| Area | Treatment measures |
|---|---|
| Behavioural analysis | Enhanced behavioural analysis of cash flows, especially for CASA balances using Value at Risk (VaR) based approaches to identify potential mismatches. The behaviour-based outflows are now computed in parallel to regulatory requirements. |
| Trading book management | Duration based limits, Value at Risk based limits and open position limits etc. are introduced. These trading limits are monitored on a real time basis by the Middle Office. Any isolated instance of breach in limit is brought to the notice of stakeholders and remedial measures are taken. |
The Bank has a structured management framework in the Internal Capital Adequacy Assessment Process (ICAAP) to identify, assess and manage all risks that may have a material adverse impact on its business/financial position/capital adequacy. The ICAAP framework is guided by the Bank’s Board approved ICAAP Policy. The Bank has enhanced its initial framework for Enterprise Risk Management (ERM) which sought to move away from silo-based risk approach to a comprehensive and holistic approach to risk management. The framework is designed around Risk Adjusted Return on Capital (RAROC) based decision making; a significant departure from the commonly used accounting-based performance review.
On a regular basis, the Bank disseminates information for creating awareness among employees on the importance of data-security along with emphasis on the requirements to protect the customer’s data. Awareness emails regarding the data loss prevention, smart phone security and how the assets given to employees are supposed to be safeguarded by them, are part of cyber security awareness creation.
We take cognisance of the increased importance of Data Security. With business continuity management being a critical aspect, the Bank has adhered to intelligence and best practices suggested from the various regulators, organisations like CERT-IN, DSCI and NIST among others to ensure data security. During the year, that Bank had focused on:
We have also enhanced our incident management and cyber crisis management plan to deal with incidents and potential cyber crisis. There is also a policy governing the acceptable usage of information and system assets and policy to ensure continuity of business operations in the event of a disaster.
Given the dynamic nature of risks that we face, we periodically assess the risks and develops strategies to ensure that risks are mitigated to an acceptable level. Being technology-oriented, most of the risks are technological in nature and thus the Bank has invested heavily in security technologies. A 24x7 Cyber Security Operations Centre has been established to detect and contain security anomalies. This Cyber SOC is also responsible to actively monitor emerging threats based on intelligence gathering. The Bank has developed a comprehensive awareness program wherein employees are trained during on-boarding, periodic phishing simulations are carried out and awareness mailers are broadcast to both employees and customers. Recent awareness emails pertaining to frauds based on COVID-19 vaccination, spam COVID-19 calls were circulated intending to spread awareness among the Ujjivan 60 employees and keep them abreast of the pertinent COVID-19 frauds.
Annual Report 2020-21