The Company has a Board-approved Enterprise Risk Management (ERM) policy. Its key components include Credit Risk, ALM Risk, Operational Risk (including Fraud Risk) and other Risks, as depicted below:
The Company has a robust Risk Management framework to identify, measure, manage and mitigate business risks and opportunities. This framework seeks to create transparency, minimise adverse impact on the business strategy and enhance the Company’s competitive advantage. The Company maintains a risk control matrix that systematically identifies key risks and corresponding controls across various functions.
The Company’s risk management is supervised by the Board of Directors, who have established the Sustainability & Risk Management Committee (SRMC) to ensure effective risk strategy implementation. The SRMC guides the development of policies, procedures, and systems, continuously evaluating their suitability and relevance to evolving business and risk tolerance. Oversight is independently managed by the Chief Risk Officer (CRO), who maintains regular communication with SRMC members. The SRMC is primarily responsible for executing the risk strategy, including the development of policies and systems to identify, measure, monitor, assess, and manage risks effectively.
Risk strategy defines and articulates the approach through which risk management will be used to facilitate the achievement of business / corporate strategy. Risk strategy is aligned with and supports both the development and achievement of corporate strategy. Risk appetite draws from risk strategy and articulates the level of risk the Company is willing and able to accept to pursue its strategic objectives.
The Risk Appetite Framework (RAF) sets the Company’s risk profile. It forms part of the process of development and implementation of its strategy and determination of the risks undertaken concerning the risk capacity. Risk strategy and appetite framework are integral components of enterprise-wide risk management framework.
The RAF helps drive risk and governance discussions, informs strategic planning and capital allocation decisions, and reassures regulators, shareholders, and rating agencies that the organisation has a clear understanding and established boundaries for risk it can tolerate. It explicitly defines the boundaries within which management is expected to operate when pursuing the business strategy. The Company has institutionalised Risk Appetite as part of the Board-approved ICAAP policy. The risk appetite framework defines risk appetite parameters and tolerance limits for Capital Position, Profitability, Credit Risk, Concentration Risk, Liquidity Risk, Operational Risk, Compliance Risk, and Interest Rate Risk.
The Company also conducts stress tests covering material risk dimensions to evaluate its vulnerability to unlikely but plausible events or movements in the market conditions that could have an adverse impact on its business operations and overall capital adequacy.
The Board of Directors has the ultimate ownership of ensuring appropriate risk governance and oversight. The Company has various committees in place including executive management which ensures sound risk governance. Roles and responsibilities of key stakeholders who are part of the risk governance framework have been defined as follows.
The Board oversees Enterprise Risk Management (ERM), including:
The Sustainability and Risk Management Committee is a Board-level Committee that provides guidance on establishing a management structure for implementing and reviewing ERM framework, including Credit Risk, Operational Risk, Fraud Risk, ALM Risk, Information Security Risk, and other risks. It provides guidance on the strategies, policies, and supervising implementation thereof ensuring that the risks are being managed in line with defined strategies and policies.
ORMC is responsible for the development, implementation, and monitoring of Operational Risk Framework. ORMC shall also review risk profiles, risk assessments, key risk indicators and operational risk events and various risk dashboards.
CRMC is responsible for implementing Credit Risk Management framework across the organisation and monitoring compliance to Credit Risk policy. CRMC also monitors portfolio risk and concentration risk.
ALCO is responsible for the macro-level management of Liquidity and Interest Rate risk. ALCO shall not consider individual cases for decision-making. The role of ALCO is, thus, to formulate and oversee the functioning of ALM in the Company without getting into the day-to-day decision-making process for raising, or deployment, of resources.
FRMC oversees matters related to fraud risk in the Company. It reviews and approves people and process related actions in the event of fraud.
The Chief Risk Officer and the Risk team shall be responsible for administration and functioning of Enterprise Risk Management Framework including managing, identifying, evaluating, reporting, and overseeing the internal and external risks to the organisation. The Risk team also works in close association with the Chief Economist of the company to assess any material impact on overall portfolio as well as company’s liquidity position due to change in any macro-economic factors.
Business executives are responsible for helping implement Enterprise Risk Management framework in their respective functions/units. They are also accountable for policy compliance, risk assessments and implementing controls effectively.
Credit risk is the current or prospective risk to earnings and capital arising from an obligor’s failure to meet the terms of contracts for any credit facilities with the lending institution or its failure to honour its obligation.
The Company has established Risk Management Policies that encompass wholesale and retail business operations, focussing on overseeing credit risk. The Credit Risk Management Committee conducts regular portfolio reviews and engages with management to address emerging risks and highlights any breaches in the risk limits to the SRMC.
For wholesale business, the risk team assesses every loan proposal independently using proprietary risk assessment models. The risk team considers numerous factors, such as historical performance, execution capability, financial strength of the promoter and Company, the competitive landscape in the industry and specific segment, regulatory framework and certainty, impact of macroeconomic changes, etc. while assessing the deal. The security structure is assessed for value, enforceability, and liquidity.
The Credit team takes inputs from the risk management team to arrive at an optimal deal structure. For retail business, the risk management team conducts regular reviews of the retail loan portfolios to identify risk trends. Additionally, it monitors multiple checks, including adherence to regulatory norms for secured and unsecured loans, risk concentration, clear guidelines for establishing programmes elaborating underwriting standards and their governance, the delegation of credit approval powers, and guidelines for the approval process of new products, programmes, and policies as well as amendments to existing programmes & policies.
Operational risk refers to the potential loss or disruption resulting from inadequate or failed internal processes, people, systems, or external events.
The Operational Risk Management policy provides the structure and techniques that facilitate consistent functioning of the Operational Risk Management framework. This Policy is focussed on Operational Risk arising on account of People, Process, Systems, and external events. The Company has an independent Operational Risk Management Team (ORM) which has created a framework and review mechanism to identify, assess, monitor, and manage risks through the effective use of detailed framework and processes, internal controls, information technology and fraud monitoring mechanisms as per policy. The Operational Risk Management Committee (ORMC) comprising senior executives is in place to govern the operational risk management activities. The ORM team periodically presents to the ORMC root cause analysis of operational incidents reported to them by various units and monitors key risk indicators and breaches, if any.
Fraud risk refers to the potential for intentional deception or dishonest behaviour within an organisation, posing threats to its assets, operations, and reputation.
The Fraud Risk Management policy focusses on prevention, detection, investigation of fraud and actions that the Company should take in the event of fraud. A Fraud Risk Management Committee (FRMC) comprising top management representatives is constituted, which oversees the matters related to fraud risk, and reviews and approves actions against frauds/perpetrators. The Fraud Risk Management team conducts investigations of various frauds or related concerns and updates the FRMC periodically.
Liquidity Risk refers to the risk that the entity will be unable to meet its obligations as they become due, because of an inability to liquidate assets or obtain adequate funding (referred to as “funding liquidity risk”) or cannot easily unwind or offset specific exposures without significantly lowering market prices because of inadequate market depth or market disruptions (“market liquidity risk”).
Asset Liability Management (ALM) policy of the Company defines the framework for liquidity risk management. Within the ALM organisation, Asset-Liability Management Committee (ALCO) comprising Senior functionaries is responsible for ensuring adherence to the internal and regulatory limits for liquidity risk and deciding the business strategy of the Company (on the assets and liabilities sides) in line with the Company’s budget and decided risk management objectives.
Interest Rate Risk in a Banking Book refers to the current or prospective risk to earnings and capital arising from adverse movements in interest rates affecting the banking book assets, liabilities, and off-balance-sheet positions.
The Asset Liability Management (ALM) policy of the company defines the framework for interest rate risk management. The Company prepares & monitors Interest Rate Gap Statement which outlines the difference (or gap) between the interest rate-sensitive assets and liabilities held by the institution within specified time horizons for the purpose of Interest Rate Risk Monitoring. ALCO actively reviews the interest rate risk and ensures that interest rate gaps are maintained as per ALCO’s interest rate view. Further, the Company performs “what-if scenario” analysis assessing the impact of the change in interest rate on the net interest income and reports to ALCO.
Compliance risk is an organisation’s potential exposure to legal penalties, financial forfeiture, and material loss, resulting from its failure to act in accordance with industry laws and regulations, internal policies, or prescribed best practices.
The Company has a dedicated compliance team headed by the Chief Compliance Officer. The compliance function actively tracks and reviews compliance with regulatory guidelines. There is a continuous engagement between the compliance and the risk teams on various matters pertaining to risk arising on account of adherence to regulatory guidelines. The Company identifies compliance risk to be a material risk in its ICAAP Policy and an assessment framework has been established to monitor the level of compliance risk.
Reputational risk is the risk arising from negative perception on the part of customers, counterparties, shareholders, investors, debtholders, market analysts, other relevant parties or regulators that can adversely affect a company’s ability to maintain existing or establish new business relationships and continued access to sources of funding.
The Company strives to enhance its reputation by delivering exceptional customer experiences, providing a diverse array of products and services, and continuously reinforcing its grievance-handling mechanism. The Company maintains regular communication with various stakeholders through appropriate engagement mechanisms to address any concerns they may have.
The Company identifies reputation risk to be a material risk in its ICAAP Policy and an assessment framework has been established to monitor the level of reputation risk. The Company through a scorecard-based approach monitors various parameters across key dimensions including legal & compliance, customer service, media, investor, employee, and management to assess the level of reputation risk it faces and proactively takes measures to mitigate them.
The Company has robust internal controls and processes across all its business lines and support functions. These controls are tailored to the complexity and nature of the company’s operations.
The Company follows a risk management framework known as the “Three Lines of Defence”.
The Company has adopted the RBIA methodology, which aligns with the Company’s overall risk management framework. The Internal Audit function provides independent and objective assurance regarding the design, quality, and operational effectiveness of internal controls, risk management practices, and governance-related systems and processes as represented by management.
The Internal Audit function has undertaken audits across all lines of business including retail branch network audits, centralised audits, business audits, concurrent audits, and special reviews. Learnings from these audits have helped the management in improving the adherence to the policies, processes, and regulatory guidelines and strengthening the control environment.
Copyright 2024 @ Piramal | All Rights Reserved.