Risk Management
Advancing with Resilience and Process Enhancement
We have a robust risk management framework in place to identify, measure, mitigate, and monitor
material risks across all our functions. Directed by the Risk Management Committee of the Board
(RMCB), we have a well-staffed risk management team led by our Chief Risk Officer (CRO) to implement
the directions of the RMCB and the Board. Dedicated teams within our Bank assess and monitor credit,
operational, market, liquidity, and information security risks. The risk management team primarily
operates from our corporate office and also has a presence in each of the regional offices to
facilitate the implementation of the operational risk framework at a granular level. The hallmark of
our Risk Management function is its independence from business sourcing units, with convergence
occurring only at the Board level.
The RMCB fulfils its roles and duties through various management-level risk committees, such as the
Credit Risk Management Committee (CRMC), Operational Risk Management Committee (ORMC), Asset
Liability and Market Risk Committee (ALCO), and the Information Security and Business Continuity
Management Committee. These committees identify, measure, mitigate, and monitor specific risks.
Additionally, a management-level Risk Management Committee provides general oversight on risk and
compliance-related matters.
Our Risk Management framework is based on a clear understanding of our material risks, disciplined
and well-defined risk assessment and measurement procedures, and continuous monitoring. The policies
and procedures established for this purpose are continuously benchmarked against best practices. We
oversee all material risks through regularly monitoring risk indicators, policy management, and
control testing for design and effectiveness. Breaches and gaps identified are thoroughly analysed
to determine the associated root causes and initiate corrective actions.
Post-COVID-19 pandemic stress was largely alleviated through book
Post-COVID-19 pandemic stress was largely alleviated through book replacement, collections, including technical write off recovery at our Bank level, and write-offs. The presence of floating provisions has provided assurance against systemic risks.
During the year, global economic activity weakened due to the prolonged conflict in Ukraine and aggressive monetary policy actions worldwide. These events, coupled with a general increase in global commodity prices, extended disruptions in the supply chain caused by China's Zero-Covid policy, trade and capital flow dislocations, divergent global monetary policy responses, and volatility in global financial markets, continued to impact inflation and depress global and domestic growth. The consecutive rate hikes by the US Federal Reserve in the past 12-15 months to combat US inflation exposed vulnerabilities in segments that had benefitted from ultra-low rates and surplus liquidity over the past decade. Closer to home, the Reserve Bank of India has also begun withdrawing its accommodative stance to curb inflation by raising policy interest rates by a cumulative 250 basis points, which adversely affects funding costs and interest rate risks in longer-term portfolios. The World Bank has revised its FY 2023-24 GDP forecast to 6.3% from 6.6% (December 2022). Growth is expected to be constrained by slower consumption growth and challenging external conditions. Rising borrowing costs and slower income growth can weigh on private consumption, and government consumption is projected to grow at a slower pace due to the withdrawal of the COVID-19 pandemic-related fiscal support measures. As measured by the Consumer Price Index (CPI), retail inflation eased to 5.66% by March 2023 and is expected to further decline to an average of 5.2% in FY 2023-24, amid easing global commodity prices and some moderation in domestic demand. Although the Monetary Policy Committee decided to keep the repo rate unchanged at 6.50% in its meeting in April 2023, the decision was primarily made to assess the impact of previous rate hikes on the inflation trend. While recent indicators suggest a decline in inflation and the peak of policy rates, the sustainability of these trends can only be confirmed by the second half of FY 2023-24.
We acknowledge the uncertainties in our operating environment and have devised the necessary course corrections and mitigation measures to address them.
by raising policy interest rates by a cumulative 250 basis points, which adversely affects
funding costs and interest rate risks in longer-term portfolios. The World Bank has revised its
FY 2023-24 GDP forecast to 6.3% from 6.6% (December 2022). Growth is expected to be constrained
by slower consumption growth and challenging external conditions. Rising borrowing costs and
slower income growth can weigh on private consumption, and government consumption is projected
to grow at a slower pace due to the withdrawal of the COVID-19 pandemic-related fiscal support
measures. As measured by the Consumer Price Index (CPI), retail inflation eased to 5.66% by
March 2023 and is expected to further decline to an average of 5.2% in FY 2023-24, amid easing
global commodity prices and some moderation in domestic demand. Although the Monetary Policy
Committee decided to keep the repo rate unchanged at 6.50% in its meeting in April 2023, the
decision was primarily made to assess the impact of previous rate hikes on the inflation trend.
While recent indicators suggest a decline in inflation and the peak of policy rates, the
sustainability of these trends can only be confirmed by the second half of FY 2023-24.
We acknowledge the uncertainties in our operating environment and have devised the necessary
course corrections and mitigation measures to address them.
Risk Management Framework and Implementation - Key Enhancements
Credit Risk
Area
- Early Warning Systems (EWS)
- Credit Rating Scorecards
- Expected Credit Loss
- Collection Productivity Trackers
- Credit Risk Monitoring Unit (CRMU)
- Industry Insights and Portfolio Analysis
- Stress Testing
- Capital Management
Treatment Measures
At a macro level, we closely
monitor
industry trends, news feeds, policy changes, and other factors that may impact the
quality of our portfolio. This analysis is part of our Level 1 Early Warning System
(EWS) framework, which focusses on macroeconomic risk analysis and is reported
internally at regular intervals.
We define Detailed Key Risk Indicators (Level 2 triggers) to assess performance on
various parameters such as Incremental Overdue, PAR30+, PAR90+, Early Delinquencies,
Quick Mortality, Non-Starters and Collection Performance. These metrics are analysed
at
different levels such as branch, state, and product, enabling us to identify
underperforming segments and areas that require corrective actions.
At the borrower level, as part of our Level 3 EWS triggers, we have utilised our
internal capabilities to automate early warning signals based on unique behavioural
patterns exhibited by borrowers. These triggers and exception lists are developed in
compliance with RBI guidelines on EWS. The automated exception reports enable
real-time
monitoring of problematic accounts, allowing us to take corrective action early on.
We
plan to enhance our monitoring mechanism for these triggers through a system-based
solution. This mechanism will help us classify borrowers as ‘Accounts Under Watch
(AUW)’
or ‘Red Flagged Accounts (RFA)’ and assist in the identification of fraud cases.
For our institutional lending portfolio, we have implemented an EWS framework
incorporating data from financial statements, compliance with loan covenants,
external
rating reports, newsfeeds, and other relevant sources. During the year, we have
further
improved our approach by separating the EWS and AUW frameworks. We also intend to
put in
place a software platform for conducting EWS assessments for our institutional
lending
portfolio.
Since our inception, our rating model and
scorecard landscape have evolved significantly. We have invested considerable effort
in
analysing historical data to identify patterns and trends that can inform our
business
decisions. As a result, we have developed application scorecards and behavioural
models
that aid in decision-making and the calculation of default probabilities. The
priority
given to deploying these scorecards and models is based on the relative vintage and
materiality of the credit segment.
Currently, we are enhancing the existing regression-based scorecard for our Group
Loan
portfolio to incorporate post-COVID-19 pandemic behaviour. While our ultimate goal
is to
replace the existing Business Rule Engine (BRE) with score-based decision-making, we
plan to conduct a parallel run and undertake the transition only after multiple
rounds
of out-of-sample validation. Once validated, these scorecards will be integrated
into
our Loan Origination System for usage.
Similarly, we have designed a rating model for our Individual Loans portfolio using
internal data that encompasses attributes such as demographic information, repayment
trends, and bureau-related variables. The variables were selected based on Weight of
Evidence and Variance Inflation Factor analysis. The Risk team has independently
validated this scorecard and found it satisfactory. It is now embedded in our Loan
Origination System (LOS) platform and is used in credit decision-making. Risk-based
pricing is also implemented based on the output of the scorecard.
Given that the MSME and Housing loan variants are relatively new in our Bank and
have
limited data points for statistical modelling, we have deployed credit rating
scorecards
at the product level for MSME Loans and at the customer segment level for Housing
Loans.
These scorecards were deployed to build data based on critical parameters that can
be
used for statistical modelling. The selection of parameters in demographics, such as
personal information, income, repayment track record, and collateral, was based on
expert judgment. Weights are assigned to each parameter, and based on the total
score,
customers are categorised on a rating scale in increasing order of risk. Due to the
impact of the COVID-19 pandemic, the existing data is expected to reflect higher
default
rates compared to a normal period. However, our Risk team has performed a
qualitative
validation, and based on the outputs, the credit rating results are now linked to
decision-making and pricing.
We have implemented a comprehensive framework for
calculating Expected Credit Loss (ECL) in accordance with the Ind-AS requirements
and
for internal reporting purposes. Our framework includes models to compute key risk
factors such as forward-looking Probability of Default (PD) Estimates, Loss Given
Default (LGD), and Exposure at Default (EAD). While we are currently not mandated by
the
Regulator to adopt ECL-based provisioning, we are prepared to transition into the
new
regime as and when it is made mandatory by the Regulator.
We significantly changed the PD pooling logics in our Retail Loans during the year
and
introduced work-out LGDs for the MSME and Housing segments. Additionally, the RBI
issued
a Discussion Paper on the transition to the ECL based Approach, and we have ensured
that
our existing models comply with the minimum requirements set by the Regulator
The COVID-19 pandemic had intensified default risk, particularly in our unsecured book. To mitigate this impact, we scaled up our collection infrastructure and increased personnel by onboarding off-roll employees. As an ongoing monitoring mechanism, we have now introduced productivity trackers at the officer level, aligned with predefined benchmarks. These trackers are vital for tracking low performance across different levels, including officer, district, state, and loan quantum. In the coming year, we plan to leverage our internal capabilities to automate exception reporting for real-time tracking.
Our risk team has established an independent Credit Risk Monitoring Unit (CRMU) to enhance risk oversight and identify any lapses in credit appraisal standards. This sub-unit analyses Quick Mortality cases in-depth and identifies their root causes. The CRMU collaborates with the Health Council (HC) to implement corrective actions and make recommendations for initiating Staff Accountability as needed.
We continuously analyse all loan portfolios to identify potential areas of stress based on factors such as geography, ticket size, branches and clusters, among others. This analysis enables us to implement mitigating measures, such as setting limits and caps on exposure. Additionally, we have subscribed to various industry dashboards to benchmark our portfolio performance against industry standards
.We thoroughly test all loan portfolios using
sensitivity and scenario analysis. This allows us to assess the impact of adverse
events
on parameters such as PAR%, NPA%, provisions, and capital adequacy. We regularly
evaluate these impacts to ensure effective risk management.
In line with growing concerns over climate change, we have also started
incorporating
assessments of climate-induced physical risks into our stress testing framework.
These
assessments are benchmarked against scenarios provided by the Network for Greening
the
Financial System (NGFS). Initially, the focus is on short-term horizon assessments.
As
climate risk is still evolving, we are committed to ongoing incremental enhancements
to
our framework based on emerging best practices.
We compute our Risk-Weighted Assets in accordance with the guidelines provided by the Reserve Bank of India (RBI). We assess the impact on the Capital to Risk Assets Ratio (CRAR) and provide forward guidance on capital adequacy through our Internal Capital Adequacy and Assessment Process (ICAAP).
Operational Risk
Area
- Product and Process Reviews
- User Acceptance Testing
- Risk and Control Self-Assessment
- Key Risk Indicators (KRI)
- Loss Data Management
- Outsourcing Risk
- Internal Financial Control (IFC) Testing
Treatment Measures
All new products and processes, including enhancements, undergo mandatory comprehensive reviews. We continuously review and enhance our key processes to align with industry best practices
We conduct User Acceptance Testing (UAT) to identify any gaps between the actual deliverable and the proposed specifications outlined in the Business Requirement Document (BRD). These gaps are addressed and resolved during the Functional Specification Documentation (FSD) stage before the system moves into production.
We have implemented Risk and Control Self-Assessment (RCSA) across all our business processes to identify both inherent and residual risks. These tools also assist in evaluating the design and effectiveness of the controls that have been implemented. In the past year, we successfully transitioned ownership of RCSA to the First Line of Defence (FLOD) in five departments
During the year under review, we made significant improvements to our Key Risk Indicators (KRIs) reporting standards. We have now internally defined and regularly monitor 40 KRIs at an organisational level as part of our Operational Risk Management Framework. Additionally, we have established functional KRIs specifically for the Branch Banking vertical. Furthermore, customised KRI dashboards have been implemented in the Housing, MicroBanking, and Digital Banking verticals. These KRIs are analysed monthly, and a comprehensive report is submitted to the management and board every quarter. The report includes an action plan for addressing any open issues identified.
We have implemented a Loss Data Management system to effectively capture and learn from material incidents, errors, and strengthen existing controls. Incidents are categorised as operational losses or near-miss events, and a Root Cause Analysis (RCA) is conducted for critical incidents. These instances are recorded in line with the operational risk events defined by the RBI, and process enhancements are proposed and discussed at various committees for further action. As part of our efforts to improve this process, we have engaged a vendor to implement a system that will facilitate the capture, reporting, and analysis of incidents and associated losses.
We conducted regular risk assessments of our key outsourced vendors throughout the year to verify their compliance with the minimum requirements set by the RBI and to assess their adherence to our internal business continuity norms. Any identified gaps were thoroughly analysed as part of the Risk Assessment (RA) process, and detailed notes on each vendor were documented through site visits. These findings were presented at various forums and committees to determine appropriate actions.
The team and stakeholders prepare and enhance Risk and Control Matrices (RCMs). The design, implementation, and operating effectiveness of all controls mentioned in the RCMs, including financial and operational controls, are annually tested by the Operational Risk Team. They select samples based on risk categories, covering different regions and the review period. Any critical gaps identified during testing are discussed with the relevant functions to upgrade controls, potentially through automation.
Liquidity and Market Risk
Area
- Trading Book Management
- Behavioural Analysis
- Funding Mismatches under Stressed Scenarios
- Liquidity Management
Treatment Measures
We regularly monitor various risk and loss limits, including duration, PV01, stop loss, counterparty exposure, and borrowing and lending limits. In the event of any isolated breach of these limits, we promptly notify the relevant stakeholders and take necessary remedial measures.
We updated our behavioural analysis of maturity and pre-maturity trends in Retail and Bulk deposits. Based on the outcome, tolerance levels were revised for pre-maturity rates. Breaches in thresholds are analysed for corrective measures.
During the year, we conducted a comprehensive stress test on our cash flow statements, considering various stress scenarios. The results of this analysis were evaluated to assess the adequacy of liquidity buffers within our Bank and they were suitably incorporated into our Contingency Funding Plan.
We calculate and monitor important ratios, including the Liquidity Coverage Ratio, Net Stable Funding Ratio, Structural Liquidity Statement, and cash/funding gap analysis. We regularly review these ratios against established thresholds, either daily or fortnightly as appropriate. In the event of any breaches, we follow our internal policy norms to escalate the issue and take the necessary corrective actions.
We have implemented a structured management framework, the Internal Capital Adequacy Assessment
Process (ICAAP). This framework enables us to identify, assess, and manage all risks that could
significantly negatively impact our business, financial position, and capital adequacy. Our
ICAAP framework is guided by a board-approved policy that aligns with regulatory expectations.
We have improved our Enterprise Risk Management (ERM) framework to enhance our risk management
practices further. The transition to integrated risk management enables us to move away from a
silo-based approach to risk management and adopt a more comprehensive and holistic approach.
Additionally, we have enhanced our enterprise-wide dashboard, which now includes a Bank
Performance Index (BPI). The BPI provides a 360-degree performance assessment, covering aspects
such as strategy, financials, risk and compliance, and internal controls. The performance
measured by the BPI is linked to our risk appetite framework, ensuring alignment between
performance and risk management objectives.
Information Security
With the ever-increasing global threat landscape, we, as an organisation, recognise the significance of a robust information security structure and have implemented defence-in-depth technologies to safeguard the interests of our customers. Our bank has meticulously orchestrated the deployment of each tool to ensure that no acts by malicious intruders go undetected. The key elements and the teams working in a chain fashion for managing information security risks are as follows:
- Risk Assessment and Management: We conduct regular risk assessments to identify potential vulnerabilities and threats to our Bank.
- Policies and Procedures: We have implemented robust information security policies and procedures that guide every individual working in the organisation towards secure practices.
- Security Awareness and Training: Recognising employees' crucial role in maintaining information security, we invest in regular training and awareness programmes. These initiatives educate our workforce about emerging threats, such as phishing attacks and social engineering techniques, and promote security best practices.
- Red Team: We maintain an independent group of experts who simulate real-world attacks to identify vulnerabilities. Through this approach, we gain valuable insights that help enhance the organisation's security posture..
- Blue Team: Our 24/7 Security Operations Centre (SOC) team is responsible for detecting and analysing potential incidents and taking the necessary actions to respond effectively.
- GRC Team: We have a dedicated Governance, Risk, and Compliance (GRC) team to ensure the effective management of regulatory requirements, risks, and operational controls.
Information Security
As an organisation, we understand that information security is an ongoing requirement that
necessitates continuous involvement, improvement, and adaptation in the face of an
ever-increasing threat landscape.
To stay prepared, we actively participated in cyber drills organised by the Institute of
Development and Research on Banking Technology (IDRBT). Additionally, periodic disaster recovery
drills are conducted for our technology infrastructure to ensure the availability of critical
services in the event of a disaster.
Rather than taking a reactive approach, we adopted a proactive stance towards information
security.