Annual Report Of Risk Management - Ujjivan Small Finance Bank

Risk Management

Mitigating Risks Proactively

Q1 of FY 2021-22 saw yet another disruption to the normal course of business on account of the second wave of the COVID-19 pandemic. With the onset of the pandemic in March 2020, the Bank had consciously recalibrated its business and risk strategy to adapt to the ‘new normal’. This strategy was further reviewed against the backdrop of the second wave to account for the adverse impacts likely to be faced by the Bank during the year. The Bank’s Risk Management Committee of the Board (RMCB) assumed the vanguard role to charter a recovery path from the severe impact left by the pandemic.

The Risk Management Committee of the Board (RMCB) works through dedicated teams that monitor credit risks, operational risks, market and liquidity risks, and information security risks. Oversight over all material risks is carried out through regular monitoring of risk indicators, policy management and testing of controls, for their design and effectiveness. Breaches that emerge are evaluated through root cause analysis, and corrective actions are then initiated.

The RMCB fulfills its roles and duties through various management level risk committees such as Credit Risk Management Committee (CRMC), Operational Risk Management Committee (ORMC) , Asset Liability and Market Risk Committee (ALCO) and the Information Security and Business Continuity Management Committee). There is also a management level Risk Management Committee to provide general oversight on risk and compliance related matters. These committees are entrusted with the task to identify measure, mitigate and monitor specific risks.

The hallmark of the Bank’s Risk Management framework is its independence from business sourcing units, with the convergence only occurring at the Board level. This is vital for ensuring autonomy and efficacy.

Internal Capital Adequacy Assessment Process (ICAAP)

The Bank’s Internal Capital Adequacy Assessment Process (ICAAP) takes a structured approach towards the identification, assessment, and management of all risks that may have a materially adverse impact on our business, financial position, and capital adequacy. The ICAAP framework is guided by the Bank’s Board approved ICAAP Policy, which is in line with regulatory expectations. The Bank has enhanced its initial framework for Enterprise Risk Management (ERM) by transitioning from a silo-based risk approach, to a comprehensive and holistic approach to risk management. The framework is designed around the Risk Adjusted Return on Capital (RAROC) based decision-making principle, which is a significant departure from the commonly used accounting-based performance review. Additionally, the Bank has also developed an enterprise-wise dashboard – a summary tool that effectively communicates the structural and contagion impact of material risks on key dimensions, such as capital, asset quality, management, earnings and liquidity.

Risk Management Framework and Implementation

Credit Risk

Mitigation Measures	Description
Early Warning Systems (EWS)	Monitoring of industry trends, newsfeeds, and policy changes that are relevant to the portfolio quality. Such analysis is a part of macroeconomic risk analysis, and is reported internally at regular intervals. Detailed Key Risk Indicators defined to assess the performance on various parameters, such as Incremental Overdue, PAR30+, PAR90+, early delinquencies, quick mortality, non-starters, and collection performance. Metrics are analysed at various levels, such as branch, state, product, etc. These help in identifying underperforming segments and pockets for corrective actions. For monitoring of its retail portfolio, the Bank has subscribed to various bureau reports that provide real time data on changes in residential and communication details, leverage levels and external repayment track records. These insights are married with the internal performance exhibited, and the resultant insights are used to categorise borrowers, based on inherent risks. For its institutional lending portfolio, the Bank monitors through its EWS framework, which maps data received from financial statements, trends in compliance with loan covenants, external rating reports, and newsfeed, etc. to bring in objectivity in assessing the EWS. The Bank has developed a simple scoring model based on 17 parameters.
Credit Rating Scorecards	Systematic efforts are underway to analyse the Bank's historical data to identify patterns and trends which can be used in business decision making and our rating model/scorecard landscape is accordingly updated. The Bank has developed application scorecards and behavioural models which can be used in decision making, pricing and for computation of default probability. Scorecards and behavioural models are deployed as per relative vintage and materiality of the Credit segment For evaluating the Group Loan portfolio, an application scorecard has been developed using demographic attributes, past repayment track record and bureau-related data. Variables have been selected on the basis of Weight of Evidence and Variance Inflation Factor to develop separate scorecards for fresh and repeat loans. Customers are bucketed on a scale of 1 to 10 in increasing order of risk as per the outputs. These scorecards are embedded in the Bank's Loan Origination System and the ultimate objective is to replace the existing Business Rule Engine (BRE) with score based decisioning. A parallel run is currently on where both BRE and scorecard outputs are used in decision making until such time the scorecards are subject to additional validation. These validation tests will be undertaken by the Bank at regular intervals. Pricing is not linked to the scorecards. A rating model for individual loans portfolio has been designed using similar methodology, with internal data covering attributes like demographics, repayment trends and bureau-related variables. It has been independently validated by the Risk team and approved. The scorecard is embedded in the Bank’s LOS platform and is being used in credit decision making. Likewise, risk-based pricing is also implemented on the basis of scorecard outputs. Since the MSE and Housing loan variants are relatively new in the Bank with fewer data points to undertake any statistical modelling, the Bank has deployed credit rating scorecards at a product level for MSE and on the basis of customer segment level in Housing loans. The parameter selection in demographics such as personal information, income, repayment track record and collateral were made on expert judgement basis. Weights are assigned to each parameter and basis the total score; the customers are bucketed on a rating scale in increasing order of risk. These scorecards were deployed with an objective to build the data based on the critical parameters which can be used in statistical modelling. Due to the onset of the pandemic, the existing data is bound to assess high rates of default than in a normal period. The Bank's Risk team has however performed a qualitative validation and on the basis of outputs, the credit rating outputs are now linked to decision making and pricing.
Expected Credit Loss	The Bank has designed a detailed framework for computing Expected Credit Loss (ECL), which is also used for internal reporting purposes. Models are in place to compute key risk factors such as forward-looking Probability of Default (PD) estimates, Loss Given Default (LGD) and Exposure at Default (EAD). Though adoption of ECL-based provisioning is not yet mandatory, the Bank is well-prepared to move to the next stage in case such a mandate is enforced.
Process Gaps and Enhancements	Revamping of various processes used for credit appraisal that deal with documentation management, loan deviations, exposure norms and new policies or enhancements. Occupation mapping of borrowers is currently underway and is being enhanced to undertake meaningful analysis through correlations between multiple factors like industry/sector and external outcomes.
Industry Insights and Portfolio Analysis	Continuous analysis of all loan portfolios to better predict potential areas of stress in relation to factors like geography, ticket size, branch/clusters, etc. Such analysis has helped the Bank to mitigate impact by setting up limits and caps in exposure. The Bank has also subscribed to various industry dashboards to better benchmark portfolio performance.
Stress Testing	The Bank undertakes comprehensive stress testing of all loan portfolios using sensitivity and scenario analysis. The impact of adverse events on the PAR%, NPA%, provisions and capital adequacy are assessed at regular intervals.
Capital Management	Risk Weighted Assets are computed as per RBI guidelines. The impact on the Capital to Risk Assets Ratio (CRAR) is computed and assessed, and a forward guidance is provided for capital adequacy through our Internal Capital Adequacy and Assessment Process (ICAAP).

OPERATIONAL RISK

Operational Risk is ‘the risk of loss resulting from inadequate or failed internal processes, people, systems or from external events. It excludes strategic and reputational risks but includes legal risks.’ Strategic or reputational risks are second order effect of operational risks. Legal risks include, however is not limited to, exposure to penalties, fines, punitive damages, arising out of supervisory action, civil litigation damages, related legal costs and any private settlements. Operational risk arises due to errors in processes, frauds and unforeseen natural calamities/events. Though the occurrence of such instances could be less, the impact in value terms could be significant.

Measures Taken	Description
Product and Process Reviews	All new products and processes are subject to a mandatory comprehensive review, and modifications/adaptations are made in line with industry’s best practices.
User Acceptance Testing	User Acceptance Testing (UAT) is performed on processes, new product launches, system changes & standard operating processes to identify gaps in the actual deliverable versus that listed in the Business Requirement Document (BRD). The identified gaps are further addressed and closed during the Functional Specification Documentation (FSD) stage before moving to production.
Risk and Control Self-Assessment	Risk and Control Self-Assessment (RCSA) has been instituted for all business processes to identify inherent and residual risks. These tools also help in identifying the efficacy of design and the effectiveness of the controls introduced.
Key Risk Indicators (KRI)	The Bank’s KRI reporting standards have been enhanced, with forty KRIs now defined and monitored as part of the Operational Risk Management Framework. Functional KRIs have been additionally defined for the Branch Banking vertical. The KRIs are analysed on a monthly basis and reports and presented before the management and Board at quarterly intervals.
Loss Data Management	Loss Data Management is in place to record material incidents and to learn from errors and in strengthening existing controls. Incidents are recorded as operational loss and near miss events. This is followed by a root cause analysis (RCA) of critical incidents. The Bank records instances along the RBI defined lines of Operational Risk events and process enhancements are tabled at various committees for further action.
Outsourcing Risks	Progressive risk assessment of key outsourced vendors was completed during the year to ensure that these vendors comply with the minimum requirements prescribed by RBI and also Business Continuity aspects as per internal norms. Gaps, if any are regularly analysed as part of the Risk Assessment (RA) and detailed notes are recorded on each vendor through visits and placed at various forums and committees for further action.
Internal Financial Control (IFC) Testing	The Risk team , along with concerned stakeholders, prepares the Risk and Control Matrices (RCMs). Design, implementation and operating effectiveness of all the controls mentioned in the RCMs (that is, financial and operational controls) are tested annually by the Operational Risk Team on a random sampling basis and covers different regions and timeframes. Critical gaps that emerge are reviewed with concerned functions for upgrading and where necessary, automation of controls.

LIQUIDITY AND MARKET RISK

Measures Taken	Description
Trading Book Management	Duration based limits, Value at Risk based limits and open position limits are defined and monitored internally. These trading limits are monitored on a real time basis by the Middle Office. Any isolated instance/s of breach in limit is immediately brought to the notice of stakeholders and remedial measures are taken.
Behavioural Analysis	The Bank undertook a detailed behavioural analysis of maturity and prematurity trends in Retail and Bulk deposits. Basis the outcome, tolerance levels are internally defined for Weighted Average Maturity and prematurities. Breaches in thresholds are analysed for corrective measures.
Liquidity Management	The Bank computes and monitors key ratios such as Liquidity Coverage Ratio, Net Stable Funding Ratio, Structural Liquidity Statement, cash/funding gap analysis etc. Thresholds are monitored on daily/fortnightly basis as applicable and breaches are escalated as per internal policy norms for corrective actions.

Information Security

The Bank operates in a highly dynamic threat environment and has taken several measures to ensure the complete safety of customer transactions, with zero chances of breaches and data compromise. State-ofthe-art security technologies encompassing Artificial Intelligence, Machine Learning, Data Lake and User Behavior Analysis have been deployed as a part of our infrastructure backend and at our Security Operations Centre, and potential threats are monitored 24X7. A detailed, Board-approved Information Security Policy is also in place. A comprehensive strategy encompassing people, process and technology is constantly reviewed in the light of emerging threats, the security requirements of the business and best practices. The 24x7 Cyber Security Operations Centre identifies potential incidents and takes the requisite action to respond, recover, learn from such incidents and prevent recurrence.

The Bank regularly participates in Cyber Drills conducted by the Institute of Development and Research on Banking Technology (IDRBT), and conducts periodic Disaster Recovery drills for its technology infrastructure to ensure the availability of critical services in the event of a disaster. In order to keep abreast of the security best practices, the Bank participates in meetings conducted by various external forums and Data Security Council of India.

Risk Management during the Pandemic

The second wave of the pandemic caused further disruption to business in the first quarter of FY 2021-22. With the onset of the pandemic in March 2020, the Bank had consciously recalibrated its business and risk strategy to adopt to the ‘new normal’. This strategy was further reviewed against the backdrop of the second wave to account for the adverse impacts likely to be faced by the Bank during the year. At the strategic level, the Bank built its turnaround plan on the following broad themes:

Stabilisation of slippages in portfolio and some recovery in Q2 through completion of Resolution Framework 2.0 and overhaul of the collection strategy for the remaining financial year.
Robust recovery in Q3 with some growth through a ‘100 days plan’ specifically focusing on collections and restarting disbursements in segments which were less affected by the pandemic.
Robust growth in Q4 through a second ‘100 days plan’ with an aim to achieve pre-pandemic levels across all areas.

Floating Provision: One of the first decisions taken by the Bank was the creation of a Floating Provision amounting to ₹250 Crores as early as the quarter ended June 2021. Usually, ‘floating provisions’ are created by banks during stable, revenue-generating times. However, the pandemic had exposed vulnerabilities to event risks, and the Bank took the bold decision of creating a floating provision, though shortterm profitability was adversely affected. This provision now provides cover against future instances of stress affecting credit behaviour.

Resolution Framework 2.0: Another key decision taken by the Bank was implementing the Resolution Framework 2.0* which was as per the directions of the RBI issued during the second wave of the pandemic, to safeguard against potential stress, with applicability across those credit facilities / investment exposure to borrowers who were classified as ‘Standard’ by the Bank as on March 31, 2021. The Bank updated its restructuring policy in line with the new directions and an option to restructure under RF 2.0 was provided to ~3.76 Lakhs loan customers amounting to ₹943 Crores in the microfinance segment. Two new credit offerings in line with the Emergency Credit Line and Guarantee Scheme (ECLGS) viz. ECLGS 1.0 and ECLGS 1.0 extension scheme were also rolled out by the Bank in July 2021 and November 2021 respectively in line with the directives from government of India as a relief to pandemic hit customer segments. In the recent budget announcement, the government has now extended this scheme up to March 2023. The Bank will continue to provide credit assistance under this scheme in the ensuing year to avail the benefit of the guarantee.

Other Measures: Forward guidance gained prominence within the Bank and delinquency levels, slippages and incremental credit costs were monitored at fortnightly intervals, with findings looped back to collection strategies. The Early Warning Signal (EWS) framework was enhanced to provide proactive insights on default probability at the portfolio and customer levels. Feedback mechanism on these EWS triggers was strengthened. Portfolio performance of every loan segment was analysed from different dimensions to gain comprehensive insights, which in turn, helped prioritise collection efforts.

Business Continuity Risks: Attrition rates across key verticals shot up during the year due to extraordinary increase in pandemic induced work-related stress. Detailed review was undertaken and comprehensive enhancements covering remuneration, talent management, personnel development and recognition programs were initiated. In August 2021, with the change in guard at the top leadership levels, the Bank saw a brief phase of subdued activities. While attrition till this point had been largely restricted to lower and middle management grades, the change of guard at the helm exacerbated attrition in key positions at senior levels. The Bank, under the directions from the regulator, was directly managed by a ‘Special Committee of Directors (SCOD)’, which was a select group of independent directors. To counter the emerging business continuity risks, several incentives were designed and rolled out – a special Employee Stock Option Scheme (ESOP), special housing and vehicle loans schemes at flat ROI of 4.99% and career progression plan among others.

At the senior level, the Bank could successfully fill the positions that had fallen vacant, and new executives took over as Chief Information Officer, Head of Digital Banking, Chief Financial Officer and Head of Internal Audit and maintained continuity in operations. Capable personnel with strong leadership skills were identified internally and elevated to other remaining positions.

A Quick Response Team (QRT) was constituted for monitoring and supervising banking operations soon after the onset of the pandemic and continues as the core group to initiate action in a contingency. It also provides updates to the top management regularly.

100 Days Plan: Following the changes at the leadership level, the Bank launched a detailed ‘100 Days Plan’ to identify urgent areas of improvement and assist in ramping up of disbursements, collections and strategic/policy level changes. The performance of the plan was monitored on a weekly basis, at the branch and cluster level. Consequently, the Bank was able to demonstrate a substantial increase in its business volumes and achieved the highest ever quarterly disbursement in Q3 of FY 2021-22 of ~₹4,809 Crores. Substantial reduction in GNPA was also achieved – from 11.8% in September 2021 to 9.8% in December 2021, with improved profitability (a Q3 FY22 loss of ₹34 Crores compared to losses of ₹274 Crores in Q3 FY21).

To consolidate these gains, a second 100-day plan was formulated to further augment disbursements and improve staff productivity. As a part of this exercise, a deep-dive analysis was undertaken on portfolio segments to identify pockets of stress based on product variants, ticket size, customer segments and geographical location. Where patterns of stress were observed, the Bank temporarily discontinued fresh disbursements and focused on collection efforts. Fresh disbursements were allowed only after meeting pre-specified thresholds in delinquency and other key performance indicators. As a result of the second 100 days plan, disbursements in Q4FY22, exceeded the quarter-on-quarter numbers and peaked at ₹4,870 Crores while GNPA further reduced to ₹1,284 Crores (or 7.1% of gross advances).

Improving Liquidity Profile: The consecutive quarterly losses coupled with the reputation impact of change in guard warranted an equal attention and monitoring of the liquidity profile within the Bank. Taking special measures to shore up the Bank’s liquidity profile was thus the need of the hour. To reduce reliance on bulk deposits and augment retail deposit share, the Bank launched special schemes under the ‘Platina Deposit’ brand. Forward guidance on the liquidity position was overtly factored into the disbursement plan. Disbursements were calibrated with abundant caution and undertaken only after a detailed review of the inflow/outflow of funds, trends observed in maturity, pre-maturity and instances of maturity bunching. The Bank also executed IBPC and securitisation transactions to further augment its liquidity position and enabled operations only with ample liquidity levels maintained. A significant portion of the fund inflows were utilised for maintaining High Quality Liquid Assets (HQLA) to shore up the Bank’s Liquidity Coverage Ratio and maintain these above the regulatory threshold of 100% and the Bank’s internal tolerance levels.

All these concerted efforts bore fruit, leading to a positive turnaround in Q4FY22, as the Bank posted a quarterly PAT of ₹127 Crores. The lessons from the pandemic have been well integrated into our regular operations and the Bank has emerged stronger and more resilient than before.

*Refer RBI guidelines on Resolution Framework – 2.0: Resolution of COVID-19 related stress of Individuals and Small Businesses and Resolution Framework 2.0 – Resolution of COVID-19 related stress of Micro, Small and Medium Enterprises (MSMEs)