RISK MANAGEMENT REPORT
Sampath Bank's rating was affirmed by Fitch Ratings (Lanka) Ltd at AA-(lka) with a Stable outlook in January 2025 [31st December 2024: A(lka) Stable]. The rating reflects the Bank's prominent position among the country's top three private commercial banks and its potential to generate and defend business volumes in a gradually improving macro-economy. The rating also incorporated the Bank's exposure to the sovereign through the international debt restructuring programme.
This is the largest risk exposure of the Bank. The Bank's key credit risk indicators as at 31st December 2024 have improved compared with the previous year and performed better than the industry average.
KEY INITIATIVES IMPLEMENTED IN 2024
- Establishing the Board Sustainability Committee
- Documentation of RCP Policy
- Implemented sustainability related risk policies
- Automation of upgrading stage of impairment related to restructured and rescheduled facilities
- Strengthening the procedure on identifying elevated risk industries
- Automation of watch listing of restructured and rescheduled facilities
- In-depth industry analysis to ascertain elevated risk industries
- Quarterly evaluation of exposures below Rs 100 Mn through a sample approach
- Introduction of MTM loss limits for US Treasuries portfolio
- Introducing Counterparty Selection based on external ratings and other relevant parameters
- Consolidation of country limits under Treasury and Export bills to arrive at a holistic view
- System enhancements and process improvements were made to monitor rate reasonableness for PDU deal rates and counterparty settlement limit exposures
- Further strengthening of the loss data collection mechanisms by department/branch-wide training series covering the entire network
- The discontinuation of SLAR as the liquidity ratio and the introduction of LCR and NSFR
- The introduction of LCR and NSFR to the risk appetite limits
- Inclusion of sustainability risk opinions under the ESMS framework
Better than industry earnings ratios reflect the effective management of interest rate risk and exchange rate risk, the Bank’s key market risk exposures and its cost profile.
The Bank’s financial stability is underpinned by robust liquidity and capital adequacy ratios that are consistently well above the minimum regulatory requirements and industry averages. Our prudent approach to managing these key risks reflects our emphasis on maintaining stakeholder trust and confidence.
Other material risks including operational risks, strategic risk, reputation risk and sustainability risks can have substantial financial consequences for the Bank. To effectively manage these risks we employ a comprehensive framework that is based on sound governance, robust internal controls, meticulous compliance and legal functions and rigorous financial reporting processes. A strong risk culture enables a shared commitment to risk awareness and management at all levels of the Bank.
The Bank's financial stability is underpinned by robust liquidity and capital adequacy ratios that are consistently well above the minimum regulatory requirements and industry averages. Our prudent approach to managing the key risks reflects our emphasis on maintaining stakeholder trust and confidence.
- Maintain a data repository which includes borrower details in similar industries, consumer behaviour and trends, industry updates to improve efficiency and effectiveness of risk assessment of credit proposals.
- Monitoring and follow up of the covenants imposed when approving credit facilities and provide periodical reminders/instructions to Business Units for necessary action plans.
- Increase the depth of independent verification of ISL impairment through the oversight of a selected list of customers with forecasted cashflows.
- Implementation of a behavioural score card, a new credit risk rating model to rate borrowers based on customer behaviour for personal borrowers.
- Develop scenarios and score cards for sectors relating to ESG risk.
- Conduct stress testing for ESG risk.
- Enhance the liquidity contingency funding plan to ensure access to adequate funding in times of stress.
- Conduct back-testing for VaR models.
- Develop a comprehensive loss event reporting system by integration of Artificial Intelligence and Automation of anomaly and potential risk event detection.
- Development of a scorecard to incorporate sustainability risks into ICAAP under Pillar II and allocate capital based on the requirement.
RISK MANAGEMENT FRAMEWORK
As a licensed commercial bank regulated by the Central Bank of Sri Lanka, the CBSL mandated Integrated Risk Management (IRM) forms the foundation of Sampath Bank's risk management. The Bank's Integrated Risk Management Framework is approved by its Board of Directors and guides effective risk management within the Bank.
The Bank's Risk Management Policy Framework is anchored on four key pillars and comprises a suite of complementary policies, procedures and protocols that enable the effective management of its principal risks within its risk universe. A summary of the Bank's risk management framework is given below.
1. Risk Governance
Sampath Bank's risk governance structure clarifies the roles and responsibilities for managing risks within the Bank. The Board of Directors collectively holds overall responsibility for managing risks within the Bank and are assisted by several Board sub-committees which operate under the delegated authority of the Board. Additionally, the Board sub-committees provide oversight and guidance to Corporate Management regarding effective implementation of the Bank's Integrated Risk Management Framework which includes the formulation and implementation of the required risk control framework, strengthening risk monitoring and risk reporting systems as well as for driving the Bank-wide risk awareness culture. The Bank's risk governance structure is presented below.
The roles and responsibilities of the Board and Board Sub-Committees are summarised below.
| Roles and Responsibilities | |
|---|---|
| Board of Directors (BOD) | As the apex body for risk oversight within the Bank, the Board is responsible for setting the Bank’s risk strategy and monitoring its implementation. This includes developing the Bank’s risk strategy and related principles, target risk profile, risk appetite limits for each risk category and appropriate risk policies and procedures. This ensures that the Bank’s operations are in alignment with its strategic goals while emphasising a robust control framework for effective risk management at an operational level. |
| Board Sub-Committees | |
| Board Integrated Risk Management Committee (BIRMC) | BIRMC has oversight of the risk management functions of the Bank and reports to the Board on the subject. They also liaise with other Board committees that look at specific aspects of risk assigned to such committees, taking an overall objective and balanced view of how these matters affect the overall risk profile of the Bank. |
| Board Audit Committee (BAC) | The BAC plays a critical role in ensuring the effective functioning of the system of internal controls which is vital for management of operational risks and the integrity of financial reporting which is key to measurement and monitoring of financial risks. |
| Board IT Committee (BITC) | BITC plays a critical role in management of operational risks including cyber risks given the high dependence on IT systems for the effective execution of increasingly digitalised business/value creation model. |
| Board Credit Committee (BCC) | BCC has the responsibility to oversee the credit and lending strategies and objectives of the Bank while maintaining adequate controls over credit risk. |
| Board Treasury Committee (BTC) | BTC plays a key role in management of Market Risk and Investment Risk, maintaining high levels of vigilance over external market factors that impact the Bank. |
| Board Strategic Planning Committee (BSPC) | BSPC is responsible for detailed review of the Bank’s strategy and therefore, looks closely at strategic risks, resource allocation and capital management. |
| Board Related Party Transactions Review Committee (BRPTRC) | This committee plays a key role in Compliance Risk and Reputation Risk as it exercises oversight over related party transactions, ensuring that the Bank complies with the necessary disclosures. |
| Board Sustainability Committee (BSC) | The BSC oversees the development and implementation of the Bank’s sustainability strategy and policies in alignment with the Bank’s Sustainability Related Risks and Opportunities (SRROs) and Climate Related Risks and Opportunities (CRROs). |
| Management-Level Committees | |
| Risk and Compliance Committee (RCC) | The Committee oversees the implementation of the Bank’s risk management strategy and compliance with regulatory requirements and makes recommendations to the Operational Risk Management Committee (ORMC), Corporate Management and the BIRMC. |
| Credit Policy, Risk & Portfolio Review Committee (CPR & PRC) | The CPR&PRC serves as the liaison between the Board Credit Committee (BCC) and Board Integrated Risk Management Committee (BIRMC) to facilitate credit and credit risk management related activities. |
| Model Risk Management Committee (MRMC) | Oversees the model approval and model validation process of the Bank. |
| Assets & Liabilities Management Committee (ALCO) | ALCO is responsible for effectively managing the assets and liabilities of the Bank, optimising its funding mix, effectively managing liquidity and market risks while maximising returns. It is also responsible for liquidity contingency planning. |
| Recovery Plan (RCP) Working Committee | Responsible for overseeing the RCP process and ensuring that a full range of recovery options are identified and available at the disposal of the Bank to deal with shocks to capital, liquidity and all other aspects arising from internal and external stresses. |
| Operational Risk Management Committee (ORMC) | Comprises a cross-functional team of Corporate Management and assists the BIRMC by increasing oversight over operational aspects. Resultantly, this committee serves as the main liaison between the BIRMC and other operational committees. |
| Investment Committee | The Investment Committee is responsible for reviewing, approving and overseeing the implementation of the Bank’s Investment Policy including making and authorising investment decisions, optimising returns on investments, and classification of the investment portfolio. |
| Fraud Risk Management Committee (FRMC) | The FRMC is responsible for the effective management of fraud risk in alignment with the Bank’s Board-approved Anti-Fraud policy. |
| Information Security Committee | This Committee is responsible for designing and driving the Bank’s information security strategy, policies and awareness. |
| Internal Capital Adequacy Assessment Process (ICAAP) Working Committee | The ICAAP Working Committee oversees the ICAAP process and ensures consistent adoption and implementation of the Bank’s Board approved ICAAP Policy. The committee shall review, challenge, and approve methods and approaches of risk assessment under Pillar II. |
| Environmental and Social Management System (ESMS) Implementation Committee | The ESMS Implementation Committee is responsible for integrating and operationalising the Bank’s Environmental and Social Management System (ESMS) within Business Units. |
| Internal Control Over Financial Reporting (ICOFR) Steering Committee | Responsible for ensuring successful compliance with Section 3(8)(ii)(b) of the Banking Act Direction No. 11 of 2007 and assessing the effectiveness of the Internal Control Over Financial Reporting System. Established under the guidance of the Bank’s external auditors. |
| Outsourcing Committee | The Outsourcing Committee oversees and manages risks arising from the Bank’s outsourced functions. |
| Data Dissemination Committee (DDC) | The DDC is responsible for the effective implementation of the Bank’s data governance strategy and building awareness on best practice related to data security and privacy management. The Committee is also responsible for approving, recommending and reviewing the Bank’s protocols regarding the sharing of information with third parties. |
| Procurement Committee | Responsible for the effective management of procurement related risks and include the evaluation and selection of suitable suppliers. |
Sampath Bank adopts the three-lines-of-defence approach to manage risk within the Bank in line with best practices.
The Bank's comprehensive risk management policy framework is summarised below.
| Integrated Risk Management Policy Framework | |||||
|---|---|---|---|---|---|
Risk Control Architecture
|
|||||
| Credit Risk | Market Risk | Liquidity Risk and Capital Management | Operational Risk | IT Risk | |
|
|
|
|
|
|
STRENGTHENING RISK GOVERNANCE IN 2024
- Implemented sustainability related risk policies.
- Documentation of RCP Policy.
- Established the Board Sustainability Committee.
2. Risk Management Process
Sampath Bank's approach to managing risk follows the below common process with adaptations across key risks to capture their specific characteristics. This process is used to manage all key risks across the Bank including, credit risk, liquidity risk, operational risk, market risk, IT risk, legal risk and reputation risk. The adoption of a formal process for risk management enables the Bank to proactively identify, measure, control, monitor and report key risks across different levels of the Bank. This in turn facilitates stakeholder value creation, protects the Bank's competitive advantage, reinforces financial stability, and builds long term resilience. Responsibility for the execution of the risk management process lies with the Risk Management Unit (RMU).
This is the first step in the risk management process and involves analysing the Bank's risk universe to identify current and potential risks stemming from the internal and external environments that may affect the Bank's strategy and overall risk profile.
The strong risk culture at Sampath Bank involves employees at all levels of the Bank in the risk identification process. A top-down approach led by the Bank's Board of Directors and Board appointed sub-committees identify emerging risks that may affect the Bank's strategy and overall risk profile. Meanwhile, a bottom- up approach undertaken by Business Units and Branch heads and escalated to the Risk Management Unit enables the identification of risks stemming from operations.
This involves assessing the likelihood and severity of identified risks using pre- determined metrics and other quantitative and qualitative measures. The Bank uses a range of tools and techniques to measure the impacts of identified risks. These include, the Risk Matrix, Risk Register, VaR models, financial analysis, maturity of assets and liabilities (MAL) analysis, sensitivity of assets and liabilities (SAL) analysis and stress testing. Stress testing is used to assess the severity of risks under different adverse conditions and the quantitative results are typically combined with expert opinions when arriving at a final assessment. Risk measurement is carried out by the RMU with the support of business units.
This entails applying an appropriate treatment methodology for each assessed risk while carefully balancing risk reward dynamics. Developing risk control and mitigation strategies is a dynamic process and leads to either accepting, transferring, mitigating or avoiding the assessed risk. This entails a range of strategies, including the introduction of new controls, enhancing existing controls, strengthening contingency plans, and periodically reviewing risk appetite limits among others. Responsibility for arriving at an appropriate treatment strategy for each risk lies with the RMU under the guidance and oversight of the Board Integrated Risk Management Committee (BIRMC). The RMU is ably supported by the business units.
Risk monitoring involves verifying that the Bank’s operations adhere to established risk control protocols and enables ongoing awareness of its risk profile. The RMU is responsible for risk monitoring and collaborates closely with business units to facilitate effective control.
Identified, measured, monitored and mitigated risks are reported to the Senior Management, Board Integrated Risk Management Committee (BIRMC) and the Board of Directors, for timely action and follow up by the RMU.
| Regular Risk Reports | Frequency | Reported to |
|---|---|---|
| Risk appetite statements | Monthly | RCC/CPR&PRC/BIRMC |
| Key risk indicators | Quarterly | BIRMC |
| Risk register | Quarterly | BIRMC |
| Group risk reports | Quarterly | BIRMC |
| Stress testing profile | Quarterly | BIRMC |
| Risk and Control Self-Assessment |
|
BIRMC |
| CBSL reporting of high valued loss events | Quarterly | CBSL |
| Operational Risk Weighted Amount under Alternative Standardise Approach | Quarterly | Finance Department |
| Risk Dashboards (Credit/Market/Operations) | Quarterly | BIRMC |
STRENGTHENING THE RISK MANAGEMENT PROCESS IN 2024
- Documentation of procedure on identifying elevated risk industries.
- Automation of watch listing of restructured and rescheduled facilities.
- Introduction of MTM loss limits for US Treasuries portfolio.
- Introducing Counterparty Selection based on external ratings and new additions.
- The introduction of LCR and NSFR to the risk appetite limits.
- Further strengthening of the loss data collection mechanisms by department/ branch-wide training series covering the entire network during the year.
3. Risk Control Architecture
Sampath Bank’s Risk Control Architecture is approved by the Board and benchmarked to international best practices. Key components of the Bank’s Risk Control Architecture are summarised below.
| Sampath Bank’s Risk Control Architecture | |
|---|---|
 Assessment tools |
|
 Internally developed tools |
|
The Bank’s Risk Appetite Statement specifies the type and amount of risk it is willing to accept in pursuing its strategic goals. Sampath Bank’s Risk Appetite Statement is developed considering regulatory limits, covenant limits, external factors and internal prudential limits and is approved by the Board. The RMU monitors the Bank’s operations on an ongoing basis to ensure its alignment with Board-approved Risk Appetite tolerance limits. The RMU presents its findings in this regard to the BIRMC monthly, to facilitate immediate remedial action in the event of any deviations.
The Risk Appetite Statement and specified tolerance limits are reviewed by the BIRMC at least once a year or more frequently if required. Recommended changes are approved by the Board prior to formal incorporation into the Risk Appetite Limit Framework.
The Bank’s key risk appetite parameters and Board approved tolerance limits as at 31st December 2024 are given below.
| Appetite | |||
|---|---|---|---|
| Credit Risk | Credit quality | Impaired loans (stage 3) ratio (net) | <5% |
| Exposure to high grades (A+ to B+) / Total advances | >45% | ||
| Credit concentration | Aggregate exposure (funded + non-funded) to large borrowers (i.e. over 15% of capital) / Total advances (funded + non-funded) | <20% | |
| Aggregate exposure (funded + non-funded) to large borrowers (i.e. over 15% of capital) / Capital base | <2 times | ||
| Related party accommodation / Capital base | <35% | ||
| Top 20 advances exposure / Tier I capital | <4 times | ||
| Top 20 advances exposure / Capital base | <3 times | ||
| Off-shore exposure / Total advances (lending to Bank’s offshore borrowers only) | <7.5% | ||
| Market Risk | Foreign exchange risk | Net open position-overnight limit of the Bank | Subject to change as per CBSL |
| Liquidity risk |
|
Minimum 120% | |
| Net loans to total assets | <75% | ||
| Interest rate risk | Tolerance limit for mark to market (MTM) losses from “FVPL” and “FVOCI” Government Security Portfolios | Rs 750 Mn | |
| Operational risk risk | Risk event types | Internal fraud | Rs 10 Mn |
| External fraud | Rs 10 Mn | ||
| Employment practices and workplace safety | Rs 5 Mn | ||
| Clients, products and business practices | Rs 5 Mn | ||
| Damage to physical assets | Rs 5 Mn | ||
| Business disruptions and system failures | Rs 5 Mn | ||
| Execution delivery and process management | Rs 10 Mn | ||
Effective capital planning and robust capital buffers safeguard a financial institution by providing a cushion to absorb unforeseen losses, prevent insolvency and maintain stability. Consequently, Sampath Bank adopts a proactive approach to capital planning with emphasis on;
- Maintaining sufficient capital to meet minimum regulatory capital requirements.
- Holding sufficient capital to commensurate the risk profile of the Bank.
- Ensuring adequate capital buffers to support the Bank’s strategic objectives.
- Maintaining adequate buffers to absorb unexpected losses arising from various risks and safeguard depositors’ funds.
Sampath Bank’s Board of Directors is responsible for the Bank’s capital management which includes capital planning, monitoring and fulfilling regulatory and Pillar II capital adequacy requirements. The Bank uses a range of tools to ensure adequate capital buffers to support its growth objectives while maintaining stability. These include computing and complying with capital adequacy ratios in line with regulatory requirements and ICAAP among others. The Board approves a comprehensive capital plan annually under the strategic planning process.
3.2.1. Capital Adequacy
Capital adequacy is a key metric used to assess the solvency and stability of a financial institution. The capital adequacy ratio which represents the proportion of a Bank’s capital relative to its risk weighted assets measures a bank’s ability to absorb potential losses arising from credit, market and operational risks during the course of its operations.
Capital adequacy ratios for licensed commercial banks in Sri Lanka are computed based on the Banking Act Direction No. 1 of 2016 and its subsequent amendments which reflect the capital requirements set out under the BASEL III Accord. As a licensed commercial bank, Sampath Bank computes its regulatory capital adequacy ratios in compliance with these regulations. Accordingly, Sampath Bank computes its regulatory capital adequacy ratios under 3 tiers, adopting the Standardised approach for credit risk, Standardised Measurement approach for market risk and Alternative Standardised approach for operational risk.
As at 31st December 2024, the Bank maintained a robust capital position as presented below.
| Capital ratio | As at 31st December 2024 | As at 31st December 2023 | |
|---|---|---|---|
| Common equity Tier I (CET I) capital | Rs Mn | 131,766 | 118,531 |
| Tier I capital | Rs Mn | 131,766 | 118,531 |
| Total capital | Rs Mn | 152,522 | 141,854 |
| Total risk weighted assets | Rs Mn | 786,841 | 725,130 |
| Risk weighted assets for credit risk | Rs Mn | 704,994 | 653,698 |
| Risk weighted assets for market risk | Rs Mn | 4,464 | 1,873 |
| Risk weighted assets for operational risk | Rs Mn | 77,383 | 69,560 |
| Regulatory minimum common equity Tier I (CET I) capital ratio | % | 7.00 | 7.00 |
| Common equity Tier I (CET I) capital ratio | % | 16.75 | 16.35 |
| Regulatory minimum Tier I ratio | % | 8.50 | 8.50 |
| Bank’s Tier I capital ratio | % | 16.75 | 16.35 |
| Regulatory minimum total capital ratio | % | 12.50 | 12.50 |
| Bank’s total capital ratio | % | 19.38 | 19.56 |
The graph below shows the Bank’s allocation of capital across the three major risk categories as at 31st December 2024 based on risk quantification in accordance with the applicable regulatory guidelines.
3.2.2. Leverage Ratio
The BASEL III leverage ratio is an important capital adequacy tool used to assess a bank’s leverage and financial stability. Regulatory limits imposed on this ratio constrain a bank’s ability to expand its asset base through leverage. As Tier 1 capital represents the most loss absorbing form of capital, it serves as a crucial indicator of a bank's financial health, particularly during periods of economic stress. Sampath Bank reported a healthy leverage ratio of 7.24% as at 31st December 2024 (2023: 6.39%), well over the regulatory minimum of 3%.
Stress testing is a vital part of the Bank’s risk control architecture. It enables impact assessment on liquidity and capital under a range of “what if” scenarios and the development of robust contingency strategies. Stress Testing is carried out in accordance with the Bank’s comprehensive Stress Testing Policy which sets out the framework and procedures to be followed. The Bank’s Stress Testing Policy is aligned with the BASEL III’s Pillar I and Pillar II requirements and therefore serves as an integral part of the Bank’s ICAAP. The RMU is responsible for carrying out stress testing and the results are reported to the BIRMC and the Board, informing their decisions on risk limits, capital allocations for various risks and managing risk exposures and developing appropriate contingency plans in response to adverse circumstances.
The RMU conducts quarterly stress testing encompassing over 24 stress scenarios across all major risk types. Sensitivity analysis is usually conducted for individual risk types while scenario analysis is conducted for combined, integrated and macro-economic stress tests based on underlying assumptions and parameters. Stress testing is carried out more frequently if the external environment is rapidly evolving. A risk register is prepared on a quarterly basis covering over 750 risk factors and a dashboard summarising the level of risk associated with each risk type is prepared and reported to the BIRMC on a quarterly basis.
The Bank carries out the ICAAP annually in compliance with CBSL's Banking Act Direction No. 1 of 2016 and subsequent amendments. This involves an internal assessment of the Bank's capital requirements tailored to its own specific risk exposures and considers a range of risk types that include those that are not captured or not fully captured under Pillar 1 of BASEL III. Qualitative and quantitative risk assessments are performed to identify and assess material risks not fully captured under regulatory capital and include liquidity risk, credit concentration risk, reputation risk, compliance risk, strategic risk and technology risk among others.
Sampath Bank's ICAAP is guided by its ICAAP policy which outlines the ICAAP governance structure, process for internal capital assessment and types of risks to be considered. It also considers earnings, balance sheet and risk forecasts under expected and adverse economic and market conditions when projecting the Bank's future capital and liquidity needs.
Stress testing is carried out periodically to assess implications for the Bank's balance sheet, earnings, regulatory capital and liquidity under a range of stress scenarios.
In 2024, the ICAAP process was further enhanced through the inclusion of a detailed analysis of the Bank's main risk exposures and the identification of risk levels. Moreover, cross-border risk assessment was strengthened through the inclusion of a settlement risk assessment and the incorporation of additional sub risks. Capital targets/projections at Group level were also incorporated into the ICAAP document 2024.
Stress testing in 2024 focused on following Stress testing parameters:
| Risk | Stress Tests |
|---|---|
| Credit risk |
|
| Credit concentration risk |
|
| Foreign exchange risk |
|
| Interest rate risk |
|
| Liquidity risk |
|
| Operational risk |
|
| Integrated risk |
|
4. Risk Awareness Culture
The effectiveness of the IRM Framework relies on a shared commitment to risk awareness and management at all levels of the Bank, encompassing the three lines of defence. At Sampath Bank, effective risk culture is driven by strong Board-level commitment and leadership. Continuous training and capacity building initiatives are implemented across all levels of the Bank under the oversight of the RMU to embed a strong risk focus in the performance of their roles and responsibilities. Policy frameworks are also regularly reinforced to promote their consistent application in daily operations. Internal audit and post-incident reviews further strengthen the risk culture at Sampath Bank.
During the year, the RMU conducted 28 risk related training programmes for employees at different levels of the Bank, while the RMU participated in 50 internal and external workshops to keep abreast of the latest developments in the external environment and effective risk management.
5. Overview of Principal Risks
The principal risks impacting the operations of Sampath Bank have been summarised below and key mitigation strategies implemented during the year under review have been summarised below.
| Credit Risk | Market Risk | Liquidity Risk | Operational Risk | Integrated Risks | Sustainability Risk | |
|---|---|---|---|---|---|---|
| Description | The risk of financial losses to the Bank, if a borrower or counterparty to a financial instrument fails to meet its contractual obligations. | Potential losses arising from adverse movements in financial markets which lie outside the control of the Bank that affect the value of its assets and liabilities. | The non-availability of adequate liquid funds for institutions to honour its contractual and contingent financial obligations as and when they fall due without incurring undesirable losses. | Losses stemming from inadequate or failed internal processes, people and systems or from external events such as natural disasters, social or political events. | Encompasses potential negative impacts to the Bank’s performance and prospects owing to internal and external risk factors i.e. ineffective strategic decisions and damage to the Bank’s reputation and industry standing on Bank and Group basis. | Potential financial losses and/or reputational damage arising from the mismanagement of environmental, social and governance factors. |
| Components |
|
|
|
|
|
|
| Change in Magnitude from Risk Monitoring |  |
|
|
 |
|
|
| Risk Monitoring |
|
|
|
|
|
|
| Mitigation Actions |
|
|
|
|
|
|
| Way Forward | Prudent lending balancing risk-reward dynamics. | Maintain vigilance of uncertainties developing across the markets while maintaining alignment with international standards for forex risk management. | Strengthen liquidity risk monitoring and management further. | Robust monitoring of operational risk and enhance the internal control environment. | Adapt the Bank’s strategic objectives with the developments in the external environment while strengthening its reputation among stakeholders. | Implement an ESG risk assessment for the loan portfolio and incorporate a sustainability risk assessment to the ICAAP and make capital allocations if required. |
| Capital Allocated |  |
 |
 |
 |
 |
 |
6. Credit Risk
Credit risk is the Bank’s largest risk exposure and stems primarily from its loans and advances and investments in debt securities. Assets exposed to credit risk amounted to Rs 1,785 Bn as at end-2024 and was equivalent to 99% of total assets. Credit risk also accounted for 89.6% of total risk weighted assets as at end-2024. Therefore, managing this risk effectively is a high priority for the Bank and is carried out through a robust credit risk management framework within the boundaries of its risk appetite.
Credit risk is the risk of financial losses to the Bank, if a borrower or counterparty to a financial instrument fails to meet its contractual obligations.
A prudent lending strategy balancing risks and rewards.
- Default risk
- Credit concentration risk
While credit facility reforms are improving asset quality and capital buffers, private credit growth which is essential for the banking sector's recovery, is cautiously expanding as lending rates adjust.
| Key Risk Indicators | |||
|---|---|---|---|
| 31st December 2024 | 31st December 2023 | Banking Sector as at 31st December 2024 | |
| Impaired loans (Stage 3) ratio (%) | 4.69 | 5.87 | 6.00 |
| Stage 3 impairment to Stage 3 loans ratio (%) | 60.08 | 57.80 | 54.10 |
| Total impairment on loans as a % of gross loans and advances | 10.83 | 13.78 | 8.50 |
| Total net advances to total assets (%) | 48.4 | 49.1 | 51.7 |
| Cost of risk (%) | 0.31 | 2.04 | |
Maximum exposure and net exposure (net of fair value of any collateral held) to credit risk by class of financial asset before netting off impairment for expected credit losses in 2024.
- The Credit Risk Management Policy was reviewed and updated to support prudent lending given the uncertainties in the macro-economic environment.
- The ‘Directive on Obtaining Risk Opinion from Credit Risk Management’ was reviewed during the year with a view to improving asset quality and proactively manage credit risk.
- Automation of upgrading stage of impairment related to restructured and rescheduled facilities.
- The Post-Credit Risk Monitoring Procedure was reviewed to reflect process improvements made to strengthen the effectiveness and efficiency of post-credit risk management.
- Documentation of procedure on identifying elevated risk industries.
- Automation of watch listing of restructured and rescheduled facilities.
The Bank has implemented a well-structured and robust credit risk management framework which guides the Bank’s Board, Risk Committees and RMU in effectively managing its credit risk. The Bank’s Credit Policy and the Credit Operations Manual together provide direction to risk owners (the first line of defence) by defining principles including delegation of lending authority, client selection and due diligence in line with the Bank’s risk appetite. This is further supported by internal procedures and directives and monitoring and reporting protocols. A summary of the Bank’s credit risk management framework is given below.
| Credit Risk Management Framework | ||
|---|---|---|
 |
Policies, Directives & Procedures | |
| Credit Risk Management Policy | ||
| Credit Policy | ||
| Credit Operations Manual | ||
| Directive on obtaining risk opinions from Credit Risk Management Unit | ||
| Procedure on Post-Credit Monitoring | ||
 |
Risk Management Tools | |
| Early warning signals/Watch listing | ||
| Borrower/Group rating | ||
| Risk based pricing | ||
| Stress testing | ||
 |
Risk Monitoring and Reporting Protocols and Frequency | |
| Loan review mechanism – ongoing basis | ||
| Sector/product-wise exposures – monthly | ||
| Geographical distribution – monthly | ||
| Risk appetite limits for credit risk – monthly | ||
| Credit risk heat map/dashboard – monthly | ||
| Monitoring the review status of facilities/borrowers – monthly | ||
| Review of risk rating status of borrowers – ongoing basis | ||
| Analysis of risk elevated industries – quarterly | ||
| Monitoring the status of expired overdrafts – monthly | ||
| Monitoring the status of security register maintenance – monthly | ||
| Analysis of watch listed customers – half yearly | ||
| Stress testing on credit risk and credit concentration risk – quarterly | ||
| Analysis of advance portfolio – annually | ||
| Analysis of Bank’s exposure to 30 largest groups/customers – annually | ||
The stage 3 impairment to stage 3 loans ratio increased during the year reflective of prudent provisioning.
The Bank's impaired loans (stage 3) ratio improved in 2024, reflective of its prudent approach to managing credit risk.
Sampath Bank has a robust and well- structured credit management process for assessing the credit worthiness of borrowers and monitoring loan repayments. Within this process, credit approval is the vital first step in minimising default risk and the Bank adopts rigorous criteria for client assessment, client selection in line with its risk appetite and clearly defined delegation of lending authority. The Bank also uses a range of credit indicators, tools and monitoring protocols to proactively monitor repayments and identify the potential implications of emerging risks.
During the year under review, numerous initiatives were implemented to strengthen the credit risk management process in alignment with prevailing conditions in the operating environment. Key strategies and initiatives implemented during the year that positively contributed towards the improvement in asset quality are summarised below.
- Amendments to procedure on obtaining risk opinions on facility proposals routed through the RMU to enhance asset quality amidst uncertainty.
- Obtaining the Managing Director's approval was made compulsory for credit proposals not recommended by RMU.
-
Strengthened the credit risk
assessment process by:
- In-depth industry analysis to ascertain elevated risk industries.
- Root cause analysis on new facilities classified as stage 3.
- Quarterly evaluation of exposures below Rs 100 Mn through a sample approach.
- Ongoing training and knowledge sharing across all levels of the Bank regarding the latest credit risk developments, forecasts, shifts in borrower ratings and borrower watchlists, common lapses in credit proposals and the impairment process among others.
- Updated the Risk Dashboard (bi- annually) and prepared the Risk Magazine (quarterly) to enable timely information to the management and business units.
- Identification of stressed customers during the loan assessment process and refer them for post credit monitoring through the Loan Review Mechanism.
- Quarterly financial analysis of Sampath Bank subsidiaries.
- Implemented a special format to carry out interim review of facilities to expedite the process.
- Controls on individual Delegated Authority levels to approve restructure of facilities repeatedly.
- Carry out business visits and advise on risk mitigating strategies.
- Monitoring of covenants imposed by CRMU in Risk Opinions and sharing same with Business Units, requesting for proper actions plans for any deviations.
- ESG risk management in lending
activities:
- Implemented an Environmental and Social Risk Management system for Bank’s lending activities.
- Assessment/evaluation of Environmental and Social Risk for advances over a predetermined threshold and all project loans. These assessments were captured in the risk opinions.
- The business activities of the borrowers are categorised under four different risk categories based on predetermined criteria of the environmental and social risk categorisation tool.
-
Strengthened the monitoring and
review processes within the Bank by:
- Reviewing credit risk appetite limits, geographical prudential limits and internal sector limits to reflect prevailing local and global macro-economic conditions. These were monitored monthly to identify deviations.
- Preparing credit risk heat maps and dashboards on a monthly basis to monitor shifts in credit risk profile.
- Monthly monitoring of review of borrower rating.
- Monitoring the status of expired overdrafts and security register maintenance.
- Monitoring the review status of facilities and borrowers.
- Improving month-end reports through the inclusion of additional parameters.
- Monitoring of loan covenants identified when conducting Loan Review Mechanism and take remedial action when deviations were noted.
- Bi-annual analysis of the watch- listed borrower portfolio.
- Annual in-depth assessment of the loan portfolio including geographical distribution, sector analysis, trends in sector wise loan growth, stage 3 portfolio, stage-wise composition of the total portfolio and region/ department-wise distribution of the loan portfolio.
- Enhanced the scope of the Loan Review Mechanism by monitoring of customers identified as high-risk during pre-credit evaluation and during evaluation of customers with large exposures.
- Documentation of a procedure for identifying elevated risk industries to improve and standardise the quarterly industry risk assessment.
- Independent review of the Individually Significant Loans (ISL) impairment by the RMU in line with CBSL requirements. Key information required for the efficient and effective selection of ISL customers was also uploaded to the SLFRS system.
- The stage upgrade of restructured facilities was automated to enhance the efficiency and effectiveness of the process as well as to improve the quality of the Bank’s impairment provision.
- Watch listing of restructured and rescheduled facilities were automated to enhance efficiency and effectiveness.
- Analytical procedures to evaluate the Bank’s largest borrowers were enhanced to reflect key risks. Dashboards were developed to visualise these risks.
- The internal rating system was further developed to enable the uploading of documents as documentary evidence and the implementation of a time frame for document submission and verification.
- Ongoing training related to impairment and post credit risk management functions at business unit level.
Credit concentration risk arises when a significant proportion of a Bank’s loan portfolio is concentrated in a specific industry, geographic segment, product or borrower. If the concentrated segment faces challenges such as industry-specific issues, borrower defaults, or geographic events, it can disproportionately affect the Bank’s overall financial health and stability
Sampath Bank ensures its loan portfolio is well-diversified across various industries, geographic regions, borrowers and products to reduce the impact of a single borrower, industry or geographic area experiencing financial stress. Board approved risk appetite limits have been established to control the exposure to any particular segments or borrower while continuous monitoring by the RMU ensures operational alignment with the specified risk appetite limits. Detailed analysis is conducted on an ongoing basis to proactively identify risk elevated industries and manage the Bank’s exposure accordingly. Regular stress testing is carried out to ascertain the impact of adverse events on the credit portfolio, proactively identify potential risks and develop mitigation strategies.
Sampath Bank’s loan portfolio is diversified across a wide range of products minimising concentrated exposure to any product.
Sampath Bank’s loan portfolio is concentrated within the Western Province due to considerable economic activity and a large customer base.
Pre-credit
- Maintain a data repository which includes borrower details in similar industries, consumer behaviour and trends, industry updates to improve the efficiency and effectiveness of risk assessment of credit proposals.
- Ongoing training and development to maintain a prudent risk management culture.
Post-credit
- Increase the depth of independent verification of ISL impairment through a selected list of customers with forecasted cashflows.
- Enhancement of the Loan Review Summaries (LRS) mechanism to include status follow-ups on issues raised by the RMU until completion.
- Implementation of a behavioural score card, a new credit risk rating model to rate borrowers based on customer behaviour for retail borrowers.
- Establish an early warning/trigger limit for credit risk appetite limit framework.
The ongoing efforts of the Recoveries Department continued to support the effective management of credit risk at Sampath Bank in 2024. Proactive efforts of the Unit in 2024 mitigated some of the challenges posed by the suspension of parate execution by CBSL from 21st April 2024 to 31st March 2025. Key initiatives implemented by the Recoveries Department in 2024 are summarised below.
KEY DEVELOPMENTS IN 2024
- Strengthening collaborations with recovery and legal firms to facilitate swifter legal action, restructuring of stage 3 loans, and the identification of untraceable borrowers.
- Established three new units to manage the disposal of acquired assets, closely monitor the recovery of stage 3 loans below Rs 5 Mn, and stage 3 leasing facilities.
- Improved coordination among the Legal Department, Business Revival Unit and Risk Management Unit to enhance the efficiency of the recovery process.
- Leveraged technology through the implementation of the Delinquency Management System, automation of stress portfolio reports and data analytics to streamline processes, strengthen monitoring and facilitate swifter recovery.
Recognising the impact of successive challenges on the SME sector in recent years, the scope of the Business Revival Unit (BRU) was expanded during the year under review. This also enabled the Bank to comply with the CBSL regulations that required all banks to set up a dedicated Business Revival Unit to assist in reviving viable businesses impacted by extraordinary macroeconomic challenges faced by the country in recent years.
The Bank proactively assessed businesses with potential for revival and such customers were provided with advice on both financial as well as non-financial initiatives/remedial action that could be taken for business revival.
Promoting Borrower Recovery and Repayment
Aligning with both the regulatory requirements of Circular No. 2 of 2024 - Guidelines for the Establishment of Business Revival Units in Licensed Banks and the Bank’s own commitment to support business recovery, Sampath Bank expanded the scope of its Business Revival Unit (BRU) in 2024 and strengthened its governance structure.
Accordingly, the BRU was positioned under a Deputy General Manager and a Chief Manager with experience in both retail and corporate credit. These senior officers of the Bank report directly to the Managing Director, enabling the strategic alignment of the BRU’s activities with the Bank’s risk management framework while facilitating the revival of viable businesses. The Board Credit Committee reviews the performance of the BRU on a quarterly basis.
The role of the BRU is two-fold,
- Support business recovery and revival via financial assistance and re-structure/re-scheduling of facilities.
- Financial advisory services which include,
- Identifying and directing entities towards asset disposal as relevant, downsizing non-viable operations and concentrating on activities in which entities have core competencies, market share and/or profitability.
- Promoting financial discipline with covenants carefully explained to customers to highlight their potential long term benefits.
- Sharing market intelligence, connecting with relevant authorities for advice on business activities etc.
During the year under review, 66 new customers carrying an aggregate exposure of Rs 53.3 Bn were undertaken for revival or strategic exit by the BRU which facilitated restructure, reschedule and/or recovery of stressed exposures.
With the intervention, support and negotiations of BRU, Rs 5.2 Bn of recoveries were made during the year, whilst Rs 1.0 Bn of exposures were upgraded to the next stage based on recovery performance during 2024.
In addition, BRU provided direct intervention/negotiations in terms of advisory services to business units of the Bank to facilitate restructuring/rescheduling or recovery of exposures aggregating to Rs 19.9 Bn during 2024.
Given the strong potential for business revival in the tourism sector, the BRU placed increased emphasis on this sector during the year under review. This included directly handling eligible exposures as well as proactively engaging with willing customers through the branch network and corporate banking departments.
- To expand the reach of BRU as well as support and supplement the Relief Banking Unit setup as per the CBSL Circular 01 of 2025.
- Support businesses to revive with opportunities being created with market revival.
7. Liquidity Risk
Effective liquidity risk management is of vital importance to the Bank’s financial stability. By ensuring adequate liquid buffers for the timely fulfilment of obligations, we maintained a strong reputation and continued to build upon the confidence of our stakeholders. Our prudent approach to managing liquidity also enabled us to effectively navigate the economic uncertainties that prevailed during the year under review, mitigating risks to both the Bank and the broader financial system.
Liquidity Risk is the non- availability of adequate liquid funds for institutions to honour its contractual and contingent financial obligations as and when they fall due without incurring unacceptable losses.
Maintained sufficient levels of liquidity that comfortably exceeded regulatory minimum requirements, while enabling the achievement of the Bank’s lending objectives.
- Funding liquidity
- Market liquidity
- Bank maintained liquidity ratios well above regulatory requirements.
- Subdued demand for credit resulted in surplus funds necessitating the consideration of alternate investment avenues. Hence, the Bank assessed various avenues for investment and invested in US Treasuries and looked at lending through syndicates etc.
Regulatory Developments
CBSL discontinued the use of the Statutory Liquid Asset Ratio (SLAR) as a measure of a financial institution’s liquidity risk during the year under review.
| Key Risk Indicators | |||
|---|---|---|---|
| Regulatory Minimum Requirement | 31st December 2024 | 31st December 2023 | |
| Liquidity coverage ratio (LCR) – Rupee (%) | 100.00 | 340.11 | 453.16 |
| Liquidity coverage ratio (LCR) – all currencies (%) | 100.00 | 307.36 | 312.47 |
| Net stable funding ratio (NSFR) (%) | 100.00 | 198.66 | 184.20 |
The Treasury Department manages the Bank’s liquidity risk with the objective of ensuring that funding commitments and deposit withdrawals can be met when due, while complying with minimum regulatory requirements and maintaining cost-effective market access. The Bank’s liquidity strategy is operationalised through the Board approved ALCO policy and Liquidity Management Policy under the oversight of the Bank’s Asset and Liability Management Committee (ALCO).
| Department/Committee | Responsibilities |
|---|---|
| ALCO | Provides oversight to the implementation of the Bank’s liquidity strategy by monitoring liquidity risk, setting limits, triggers and guidelines, reviewing contractual and behavioural maturity of assets and liabilities, key liquidity ratios and monthly liquidity forecasts and gaps, and evaluating mitigation strategies for effective liquidity risk management. |
| Treasury Department | Forecasting the Bank’s liquidity requirements, monitoring regulatory compliance and implementing strategies to maintain adequate liquidity levels. |
| Risk Management Department | Monitoring liquidity risk, developing mitigation strategies, policies and procedures, stress testing to evaluate the Bank’s preparedness for stressed situations, and continuous monitoring of regulatory and risk appetite limits for liquidity risk. |
Sampath Bank relies on deposit mobilisation as its primary source of funding. Deposits are mobilised from retail, commercial and wholesale clients. To complement these deposits, Bank Treasury actively pursues additional funding avenues both domestically and internationally which includes institutional borrowings and debt instruments.
The Bank adopts the stock and flow approach to measure and manage liquidity risk in line with international best practices. This involves computing and balancing a Bank’s static liquidity position and its dynamic cash inflows and outflows to maintain adequate liquidity levels. The stock approach is used to ascertain the Bank’s static liquidity position by computing a range of balance sheet ratios and comparing it against its risk appetite. The flow approach is used to forecast and manage the dynamic inflow and outflow of funds at a range of points in time enabling the Bank to track cashflow mismatches over a range of specified time periods. The combination of the stock and flow approach enables the Bank to effectively ascertain short- term liquidity needs, emerging liquidity risks and proactively manage liquidity buffers. To ensure sufficient funds to meet obligations in a timely manner, approved treasury limits are tracked in real time through the Treasury limit monitoring system and deviations are reported to the management for review and approval.
The Bank has a robust system in place to manage liquidity and ensure compliance with treasury limits.
Stress testing continued to be an integral part of liquidity risk management at Sampath Bank during 2024. The approved parameters pertaining to the Liquidity Coverage Ratio were stress tested quarterly considering the prevailing economic environment and reported to the BIRMC.
The Bank also has a contingency funding plan in place to address crisis situations. It provides the framework to manage critical situations that lead to liquidity constraints that disrupt the daily operations of the Bank.
NEW DEVELOPMENTS IN 2024
- The Liquidity Coverage Ratio and Net Stable Funding Ratio were included in the Risk Appetite Statement in alignment with the discontinuation of the SLAR as a regulatory liquidity measure by the CBSL.
- The stressed Liquidity Coverage Ratio was incorporated as a trigger tool in the contingency funding plan as it provides a more accurate assessment of future cashflows while maintaining alignment with the regulatory development.
- Increasing the frequency and detail of liquidity monitoring and reporting.
- Enhance the contingency funding plan to ensure access to adequate funding in times of stress.
8. Market Risk
As a financial institution, our operations are exposed to market risk, primarily through interest rate and exchange rate fluctuations. These external factors can materially impact profitability and capital by affecting valuations of asset and liability portfolios. We maintain vigilance on emerging market risks and continuously adapt our strategies to manage and mitigate these exposures, effectively balancing profitability and the long-term stability within our established risk appetite.
Market risk refers to potential losses arising from adverse movements in financial markets which lie outside the control of the Bank that affect the value of its assets and liabilities.
A vigilant approach to the prevailing uncertainties enabling swift responses to emerging risks while capitalising on opportunities.
- Interest rate risk
- Foreign exchange risk
Market risk remained significant in 2024, given fluctuations in the exchange rate, and a declining interest rate environment.
The Bank performed well despite a declining market interest rates environment.
| Key Risk Indicators | |||
|---|---|---|---|
| 31st December 2024 | 31st December 2023 | Banking Sector as at 31st December 2024 | |
| Interest income to interest expense (%) | 178 | 155 | 169 |
| Net interest margin (%) | 4.90 | 5.16 | 4.30 |
Bank's Interest Rate Risk Mitigation Strategy
The Bank adopted a comprehensive approach to managing interest rate risk in 2024 which involved prudent monitoring of decreasing interest rate scenarios, and futuristic asset-liability management decisions. This enabled to carry out responsive strategies to adapt to market changes. These efforts have positioned the Bank favourably amidst fluctuating economic conditions.
Bank's Exchange Rate Risk Mitigation Strategy
The Bank's approach to foreign exchange rate risk mitigation in 2024 was mainly focused through careful monitoring of currency fluctuations and strategically maintaining exposures. This helped the Bank to move forward without undue exchange losses and further positioned future stability amidst ongoing economic uncertainties in Sri Lanka.
Sampath Bank’s Market Risk Management Unit (MRMU) under the oversight of the Board and the BIRMC is responsible for conducting market risk management activities. The MRMU monitors market risk in alignment with the Bank’s comprehensive Market Risk Management Policy framework. It also uses a range of quantitative statistical tools including Value at Risk (VaR) and Present Value Basis Points (PVBP) to manage market risk effectively. This enables a balance between risk and returns, reduces volatility and supports transparent reporting of the Bank’s market risk profile to Corporate Management, the Board and Regulators. Both VaR and PVBP are essential tools and provide insights into potential losses and price sensitivities, respectively.
VaR is a statistical technique used to measure the potential loss in a portfolio over a specified period. The historical simulation method is used for Market Risk VaR calculations, which uses historical market data over a pre-defined period and apply the outcome to the current portfolio.
A summary of the Bank’s market risk management framework is given below.
| Market Risk Management Framework | ||
|---|---|---|
|
Policies, Directives & Procedures | |
| Market Risk Management Policy | ||
| Investment Policy | ||
| Treasury Policy and Procedure Guideline for Treasury Operations | ||
| Code of Conduct for Treasury Operations | ||
| Treasury Manual | ||
|
Risk Management Tools | |
| Present Value Basis Points Analysis | ||
| Stress Testing and Scenario Analysis | ||
| Value at Risk (VaR) | ||
| Sensitivity Analysis for Market Risk Exposures | ||
|
Risk Monitoring and Reporting Protocols and Frequency | |
| Monitoring of Board-approved Limit Framework as per CBSL Requirements and Reporting Any Limit Exceptions to BIRMC or Board Treasury Committee (BTC) | ||
| Market Developments, Trends and MIS | ||
| Profitability Analysis of the Foreign Exchange Portfolio through the Revaluation Process | ||
| Stress Testing on Interest Rate Risk, Foreign Exchange Risk and Equity Risk Encompassing Changing Positions and New Economic Variables | ||
| Modified Duration on T-Bill, T-Bond, US Treasuries, SLISB and Debenture Portfolios | ||
| Monitoring of Yield Curve Risk and Repricing Risk Covering Trading Book and Banking Book | ||
| Mark-to-Market of the Equity Portfolio | ||
| Market Risk Dashboard to BIRMC | ||
| Submission of Management Reports to BIRMC Covering Interest Rate Risk and Foreign Exchange Risk | ||
NEW DEVELOPMENTS IN 2024
- Review of the Bank’s Market Risk Management Policy to align with current market practices, and regulatory requirements, as per recommendations of external consultants.
- TFO limits were reviewed twice
during the year resulting in,
- Appropriate limit enhancements and increased limits for existing dealers.
- Establishment of new limits for new dealers.
- Introduction of new control limits for the investment portfolio in line with the Bank’s capital position.
- Introducing limits related to US Treasury investments following a comprehensive review of the US market and relative performance assessment of alternative markets.
- Limits on VaR, Mark to Market (MTM) limits on the T-bills/T-bonds portfolio and SLISB portfolio, and PVBP were reviewed, and recommendations were submitted to the BIRMC.
- Systems were enhanced to monitor rate reasonableness for PDU deal rates and counterparty settlement limit exposures, resulting in a more user-friendly system report.
- In-depth review of the Treasury Manual, in collaboration with TBO, TFO and two external consultants.
8.1.1. Management of Interest Rate Risk
The Bank manages its interest rate risk by;
- Closely monitoring the Yield Curve and respond accordingly.
- Re-pricing its assets and liabilities accordingly.
These principles are operationalised through a formal policy framework and a set of prudential limits as well as VaR assessments, Duration and Maturity Gap Analysis, PVBP and Stress Testing.
NEW DEVELOPMENTS IN 2024
MTM limits were introduced for investments in US Treasuries based on analysis of historical trends and future projections of the Federal Funds Rate.
8.1.2. Management of Foreign Exchange Rate Risk
The Bank manages its foreign exchange rate risk in line with industry best practices and alignment with international standards including the BIS FX Global Code. Key strategies in place to manage foreign exchange rate risk include;
- Strictly adhering to CBSL guidelines and the Board approved limit framework for managing the Net Open Position (NOP).
- Daily monitoring of stop loss limits and maximum limits for individual dealers for foreign currency trading.
- Closely monitoring rate movements, counterparty limits, currency-wise and aggregate exposures of the foreign currency portfolio.
- Quarterly stress testing to ascertain the Bank’s foreign exchange position under stressed conditions.
- Regular training and development of staff.
NEW DEVELOPMENTS IN 2024
- In-depth review and update of the Bank’s counterparty selection and limit setting process, incorporating changes in guidelines. This was conducted under the oversight of the BTC.
- Developed Board-approved country limits for trade services and treasury. Adherence to specified limits is monitored by the RMU through an automated system report developed by the Data Warehouse Unit in collaboration with Treasury, Risk and Trade Services Departments. This has enabled the Bank to enhance prudence related to cross-border risk.
- During the year under review, staff attended a training programme conducted by the Sri Lanka Forex Association on the BIS FX Global Code.
As at end-2024, the Sri Lankan Rupee appreciated 9.5% against the USD. On this backdrop, Sampath Bank effectively managed its NOP in adherence with CBSL regulatory limits and the Bank’s risk appetite statement.
- Conduct back-testing for VaR models.
- Maintain alignment with best practices in foreign exchange risk management, including adherence with the BIS FX Global Code, and thereby strengthening market integrity and transparency.
9. Operational Risk
Operational risk is inherent to all banking products, processes and systems and the Bank invests significant resources to manage it effectively. The Bank’s operational risk management framework focuses on proactively identifying, assessing and mitigating risks that arise from the Bank’s daily operations. This not only safeguards the Bank’s assets and reputation but also enhances its ability to achieve long-term success in a complex and dynamic operating environment.
Operational risk is the risk of losses stemming from inadequate or failed internal processes, people and systems or from external events such as natural disasters, social or political events.
Stringent monitoring enabling early detection and prevention of potential threats while strengthening resilience of its technology risk management framework.
Banking Act Direction No. 05 of 2024 on Corporate Governance for Licensed Banks was issued by CBSL, with a view to strengthening the corporate governance processes, enhancing the overall stability of the banking sector and the financial system.
- Legal/regulatory risk
- Financial crimes/fraud risk
- Information Technology and Information Security risk
- Model risk
- Business continuity management
- Recovery planning
The operating context encompasses the internal and external factors that influence how risks arise and are managed within an organisation. Effective operational risk management aligns with the organisation’s strategy and risk appetite, addressing risks from process failures, system issues, human errors, and external events to protect the organisation’s assets and reputation.
| Key Risk Indicators | |
|---|---|
| Total number of ATM breakdowns per ATM due to hardware or software failure, cash low situations, communication errors and power issues | Number of Bank’s insurance policies expired and not renewed at the end of the quarter |
| CCTV breakdowns reported per quarter, per ATM location | Number of outsourced ATM management agreements not renewed during the quarter and cash loading/maintenance operating without a formal contract |
| Number of staff resignations in the grade of Executive I and above | |
The Bank has a robust governance framework in place to proactively and effectively manage operational risk.
| Responsibilities Related to Managing Operational Risk | |
|---|---|
| Board Sub-Committees | |
| BIRMC | Oversight of operational risk management. |
| Management Level Committees | |
| Operational Risk Management Committee (ORMC) | Identification and monitoring of operational issues and ensuring prompt rectification. This committee is chaired by the Managing Director. |
| Risk and Compliance Committee (RCC) | Monitoring and analysis of loss events to develop and recommend mitigation strategies. |
| Fraud Risk Management Committee (FRMC) | Provides guidance and oversight to ensure the Bank has effective measures in place to prevent, detect and respond to fraud, protecting the Bank’s assets and reputation. |
| Departments | |
| Operational Risk Management Unit | Implementing the Bank’s operational risk management strategy and monitoring compliance. |
Sampath Bank's operational risk management framework guides the activities of all those involved in managing operational risk and is designed to enable proactive management of operational risk, build resilience, protect stakeholders and achieve its strategic objectives
| Operational Risk Management Framework | ||
|---|---|---|
|
Policies, Directives & Procedures | |
| Operational Risk Management policy | ||
| Policy on mapping the Bank’s business activities into BASEL business lines | ||
| Anti-fraud policy | ||
| Legal risk management policy | ||
| Policy on temporary dispensation of Board approved policies (Policy on management of policy overrides) | ||
| Pillar III disclosure policy | ||
| Model risk management policy | ||
| Procedure on appointing and responsibilities of risk agent | ||
| Procedure on contracts and agreements to be executed by the Bank | ||
| Procedure on internal loss event data reporting | ||
| Procedure on responsibilities and framework for administration of policies, procedures and directives | ||
| Procedure on risk and control self-assessments and key risk indicators | ||
| Procedure on risk management in new product documents/ concept papers | ||
|
Risk Management Tools | |
| Risk and control self-assessment (RCSA) | ||
| Business Continuity and Disaster Recovery Plan | ||
| Operational risk capital charge calculation under alternative standardised approach (ASA) | ||
| Root cause analysis | ||
| Analysis of loss events | ||
| Operational risk stress testing | ||
| Risk and control self-assessments (RCSA) for IT related business units and IT related 3rd party suppliers | ||
|
Risk Monitoring and Reporting Protocols and Frequency | |
| Monitoring of the risk appetite for operational risk | ||
| Monitoring of key risk indicators (KRIs) | ||
| CBSL reporting of high valued actual losses | ||
Key aspects of operational risk management at Sampath Bank include,
- Identification of operational risks across all business lines and functions and assessment of likelihood and impact of risks using a range of tools and methodologies including RCSA, scenario analysis and stress testing.
- Prompt recording and reporting of operational risk events through the loss events reporting system. Data analysis to identify root causes and trends, to facilitate the enhancement of operational processes and controls to prevent the recurrence of similar events.
- Key Risk Indicators are used to track potential risk exposures in real time. These indicators provide early warning signs allowing the Bank to take pre- emptive action before risks materialise as significant threats.
- Regular monitoring ensures the Bank's operations are within the defined risk appetite.
- Overlook the reviewing of directives, policies and procedures to ensure correct guidelines are followed when preparing the same.
- Implementation of risk mitigation strategies including strengthening operational controls, enhancing process efficiency, staff training, automation of risk management processes and adequate insurance coverage to protect against unforeseen operational losses.
- Adherence to all laws, regulations and guidelines of the CBSL and other regulatory bodies.
- Regular audits and compliance checks are conducted to ensure all operational activities fully comply with regulatory requirements.
- Fostering a strong risk culture across the Bank through regular training programmes, workshops and awareness campaigns.
NEW DEVELOPMENTS IN 2024
- Enhanced digital infrastructure to ensure robust banking services and mitigate service disruptions.
- Upgraded the internet banking platform to enhance convenience and security
for customers.
- New security features including advanced encryption technology and multi- factor authentication.
- New convenience-related features including a new interface optimised for ease of use enabling customers to complete their banking activities more efficiently.
- IT KRIs were enhanced in line with the Technology Risk guidelines.
- IT risk appetite and tolerance limits have been set for selected KRIs.
-
Develop a comprehensive loss event reporting system to significantly enhance
the Bank’s ability to identify, analyse and respond to operational risks. This will
include,
- Integration of Artificial Intelligence to enable more efficient data collection, pattern recognition and predictive analysis.
- Automation of anomaly and potential risk event detection, faster and more accurate reporting.
- IT related departments to ensure that the controls laid are accurate and effective as reflected through self-assessments.
IT Risk
Effectively managing the Bank’s IT risk falls under the BIRMC and BITC at Board level and the ORMC & RCC at Management Level. The IT Risk Unit of the RMU is responsible for monitoring the implementation of the Bank’s IT Risk Management strategy and ensuring compliance.
The Bank adopts a 360-degree approach in securely commissioning of new technology and business initiatives while maintaining focus on protecting the Bank and its customers from cyber/ technology threats. The IT Risk Unit of the RMU independently monitors the Bank’s IT risk profile using an array of tools and techniques including IT Key Risk Indicators and Risk & Control Self- Assessment, etc. The IT Key Risk Indicators review process involves monitoring multiple risk indicators including information security related incidents and conducting trend analysis to identify high risk or emerging risks. The RCSA process collates information from IT risk and is reviewed by the IT Risk Unit in line with established procedures in the operational risk management process, audit findings, analysis of information security incidents, internal and external loss data among others. Results of these exercises are reported to BIRMC enabling timely formulation and implementation of mitigation strategies.
The IT Risk Unit also actively participated in the Bank’s Business Continuity Planning and Disaster Recovery exercise and provided an independent review of the process.
IT risk refers specifically to disruption to the normal course of business either due to failure of hardware and software systems or the lack of adequate IT Infrastructure.
Information security risk occurs as a result of internal and/or external breach of the Bank’s data/systems.
NEW DEVELOPMENTS IN 2024
- Full compliance with the requirements of the Banking Act Direction No. 16 of 2021 on Technology Risk Management and Resilience.
- Developed a Technology Risk Framework using IT KRIs.
- Established the Technology Risk Appetite and Tolerance Limits.
- Conducted a RCSA for third party service providers.
- Conducted specialised training on IT risk management for staff.
Information Security Risk Management
Sampath Bank has implemented a robust information security risk management framework to mitigate the evolving cyber threats associated with the increasing reliance on digital platforms. This proactive approach aims to safeguard sensitive customer data, protect operational continuity and maintain the Bank’s reputation, strengthening long term resilience.
Alignment with Global and Local Best Practices
- ISO 27001:2022 Information Security Standard Certification
- Payment Card Industry Data Security Standard (PCI DSS v4.0) certification
- CBSL’s Baseline Security Standards for Licensed Commercial Banks
- Banking Act Direction No. 16 of 2021 on Technology Risk Management and Resilience
Information Security Policy Framework of the Bank
- Acceptable usage
- Cardholder data management
- Policy on information security
| Responsibilities Related to Information Security Risk Management | |
|---|---|
| Board Sub-Committees | |
| Board IT Committee |
|
| Management Level Committees | |
| Information Security Committee |
|
| Data Dissemination Committee |
|
| Departments | |
| IT Risk Team of the RMU |
|
Procedures to operationalise the Bank’s information security risk management strategy are summarised below.
| Procedure | Frequency | Actions Implemented | Responsibility |
|---|---|---|---|
| Annual information security risk assessment | Annual | A thorough Bank-wide assessment covering all departments, branches and various physical and digital touchpoints. | Information Security Department |
| Vulnerability Assessment and Penetration Testing (VAPT) | Periodic | Numerous phishing simulations of different intensities were executed to assess the threat level to the staff and potential risks to the business. | Information Security Department |
| Training and development for staff | Periodic | To ensure staff are up-to-date regarding the latest developments related to cyber security management. | Information Security Department |
| Customer awareness campaigns | Periodic | An e-mail and SMS campaign (with tri-lingual messaging) was conducted to raise customer awareness of cyber security threats. | Information Security Department |
In the year ahead, the Bank plans to strengthen its information security resilience by enhancing incident response, compliance, risk management and security assessments. This involves,
- Compliance with CBSL directives and governance requirements through ongoing monitoring and timely implementation of security requirements.
- Regular security assessment and compliance audits to ensure adherence to ISO 27001, PCI DSS, and industry best practices.
- Enhance data protection measures with DLP solutions, access reviews and classification controls to prevent data breaches.
- Proactive Threat and Vulnerability Management via penetration testing, phishing, and attack surface monitoring.
- Security awareness and training to strengthen staff and customer readiness against cyber threats.
Legal/regulatory risk refers to potential losses arising from the failure to comply with statutory or regulatory requirements or the misinterpretation of regulations or due to uncertainties arising from legal action. Losses can include fines, penalties or punitive damages imposed by the regulator as well as legal settlement costs.
The Bank is firmly committed to complying fully and in a timely manner with all laws and regulations imposed by regulatory authorities across its operations. Sampath Bank’s Board and Board Committees diligently track the regulatory landscape to promote early adoption and full compliance with all new laws and regulations. The Bank’s Compliance Department carries out routine due diligence to ensure the Bank’s compliance with all prevailing laws and regulations and also proactively monitors for emerging regulatory changes, reinforcing the Bank’s commitment to full compliance. The Department focuses on increasing awareness on regulations by conducting training programmes. The Bank assesses its legal/regulatory risks utilising a comprehensive scorecard and allocates capital under ICAAP, if required.
Model risk is the potential for financial losses arising from inaccurate or misleading outputs produced by financial models. Model failures can occur due to programming errors, incorrect data, technical errors and misinterpretation of model output.
Managing model risk is crucial for the Bank as the reliable assessment of several key risks including credit risk, market risk and capital management rely on complex models that incorporate statistical, economic, financial and mathematical methodologies. Accordingly, model risk management is overseen by the Model Risk Management Committee and is governed by the Model Risk Management Policy and Model Validation Policy.
The key principles of the Bank’s model risk management process include,
- Alignment with CBSL directions, the BASEL framework/guidelines and directions as and when published by the regulator.
- Maintaining clear definitions and records/details for all models.
- Creation of a robust life cycle governance process for model development, implementation and usage.
- Rigorous model validation and independent reviews as appropriate.
The Bank has a robust Business Continuity Plan (BCP) in place to build resilience and safeguard business continuity.
While obtaining the Board approval for updated BCP annually, the BCP is reviewed regularly to ensure adequacy, effectiveness and relevance of business recovery strategies in the context of prevailing operating conditions. Due diligence of the BCP falls under the purview of the BCP Steering Committee which is headed by the BCP Director.
System simulations were carried out periodically while critical functions were tested quarterly at both disaster recovery sites. Random disaster recovery drills were also conducted where all banking functions were operated through the disaster recovery servers continuously for a long time period to verify proper functioning of disaster recovery servers and sites and familiarising the team. This also provided the team with a comprehensive overview of the Bank’s disaster recovery practices.
The Bank also conducted the annual evacuation drill and required training such as first aid, evacuation in collaboration with the Fire Service Department in November 2024. The entire head office was evacuated within a satisfactory period of time with the assistance of designated fire wardens (BCP coordinators) of the Bank.
Sampath Bank has established a fully-fledged Recovery Plan (RCP) in accordance with the Banking Act Direction No. 09 of 2021 - Recovery Plans for Licensed Commercial Banks and Licensed Specialised Banks. The RCP has been reviewed annually since its initiation in 2022 in line with regulatory requirements. Periodic review of the Recovery Plan falls under the purview of the Recovery Plan Working Committee.
The Bank’s RCP has been developed in the context of its business model, risk profile, scale and complexity of operations and its interconnectedness with the overall banking system of the country. It captures a full range of credible and flexible recovery options available to the Bank to address a range of shocks (including capital and liquidity shocks) that may arise from institution specific stress, market wide stress or a combination of both.
NEW DEVELOPMENTS IN 2024
- The RCP was strengthened by enhancing the requirements to be included under the recovery options.
- Recovery options for business continuity planning and adverse court decisions were further elaborated.
- The Bank’s insurance policy framework was identified as a supporting tool to assist in a crisis situation alongside the business continuity plan.
- The RCP policy was developed to strengthen the framework.
Integrated risk management is the discipline of assessing and managing risks holistically and considering inter- relationships among risks faced by an institution. This is conducted in line with the Integrated Risk Management Policy. The Board reviewed the policy during the year under review and updated to capture the prevailing conditions in the operating environment as well as industry best practices.
Internal drivers and external sources of each risk have been identified and captured in the Risk Register to reflect the risk profile of the Bank. Further, a risk matrix is being prepared to capture emerging risks on a prudent basis and submitted to BIRMC/ Board.
NEW DEVELOPMENTS IN 2024
- With the aim of standardising the Risk Register, the formulating methodology was enhanced and the process manual was updated accordingly.
- Macro-economic/integrated stress testing was carried out to assess the capital adequacy position of the Bank under severe but plausible hypothetical crisis scenarios. Stress testing scenarios were reviewed based on the current macro-economic conditions.
- Interbank comparisons were carried out to ascertain the Bank’s position within the industry with regard to numerous criteria.
Strategic risk refers to the potential negative impact to the Bank’s performance and prospects owing to ineffective strategic decisions resulting in the failure to capitalise on business opportunities and/ or take action against potential threats.
Sampath Bank’s strategic risk management process is guided by the Board approved Strategic Risk Management Policy which outlines a structured approach to strategic planning and monitoring.
The responsibility of effectively managing the Bank’s strategic risk lies with its Board of Directors. The Board sets out the Bank’s strategy annually, with clearly defined short, medium and long term goals aligned with its vision and core values. The strategic plan is then cascaded down to operational level targets through the Board approved annual budget. Targets set out in the budget are communicated to senior management who are responsible for developing aligned business unit goals and cascading these objectives to employees.
The Strategic Planning Department reviews actual performance against the budget on a monthly basis and reports their findings to the Board. In the event of deviations, remedial action to realign performance with the plan is also recommended. The Strategic Planning Department also monitors developments in the external environment to identify opportunities and threats, informing strategic adjustments and the re-alignment of the Bank’s capabilities. In 2023, the Bank developed a new, comprehensive, 5-year strategic plan incorporating the expertise of a leading global consultancy firm. This resulted in the development of a new vision, purpose statement, and strategy for the Bank. During the year under review, strategic risk assessments were conducted in both quantitative and qualitative dimensions using a scorecard to compute capital allocation for Strategic Risk, under the ICAAP. Further, strategic risk is also assessed in the Risk Register and the Risk Matrix.
Link to strategy
Reputational risk relates to damage to the Bank’s reputation and industry standing caused by errors in judgement including but not limited to violations of business ethics, non-compliance, customer service lapses or operating deficiencies, or by failures leading to loss of stakeholder confidence in the Bank.
Over 37 years of operations, the Bank has established a strong market position as a leading licensed commercial bank in Sri Lanka through effective leadership, robust risk management, a long-term strategic focus, ethical conduct and a commitment to financial inclusion and corporate responsibility. Therefore, the Bank places strong emphasis on safeguarding its reputation, maintaining its brand image and effectively managing reputation risk.
Reputation risk at Sampath Bank is managed in line with the Bank’s Board- approved Reputation Risk Management Policy. The Bank’s Chief Risk Officer and the Chief Compliance Officer collaborate closely with the Corporate Management including the Senior DGM - Marketing, Customer Care & Card Centre, BCP Director and Business Line Heads to safeguard the Bank’s reputation and to ensure brand building activities are in alignment with established policies and procedures.
Reputation risk management within the Bank also includes active stakeholder engagement to identify potential concerns. Feedback is obtained regularly from operational level staff to anticipate potential risks to reputation. The Bank also proactively monitors traditional media and social media for potential threats to its reputation. A formal procedure for handling and monitoring social media comments, inquiries, posts and complaints is also in place. Furthermore, the Bank operates a 24/7 Customer Care Centre to address customer issues, concerns and complaints swiftly and promptly.
The availability of a Code of Ethics, Anti-bribery and Anti-corruption policy, Communication policy, and Whistleblowing policy applicable to all employees ensure that corporate values and expectations of conduct are clearly communicated throughout the Bank and prevents unethical behaviour.
The Bank is cognisant of the importance of brand building activities in strengthening its reputation within the industry. Therefore, the Bank conducts a brand health study every two years to determine areas that could adversely impact its reputation. Care is also exercised to ensure all brand building activities and marketing communications are aligned with the Bank’s vision and corporate values.
A scorecard is used to assess Reputation Risk drivers to calculate the additional capital requirement under ICAAP process. Regular assessment of Reputational risk is carried out under the Risk Register and the Risk Matrix.
Link to capital
Group risk refers to potential financial losses to the entire Group due to risks stemming from one or more of its subsidiaries.
During the year under review, the Bank resumed assessing Group risk in line with the CBSL requirements. The Bank reviewed the Group Risk Management Policy and established a mechanism for monitoring the risk management process of subsidiaries within the Sampath Bank Group. The RMU conducted a Group Risk Analysis and an in-depth financial analysis of all subsidiaries and findings were reported to the BIRMC. Group risk was deemed low during the year under review.
The primary responsibility of overseeing and managing the risk of each subsidiary lies with its Board. As the parent company the Board/BIRMC of the Bank has the oversight responsibility of monitoring risk at subsidiary companies. The risk management divisions of the each subsidiary forward risk management review reports including the key risk concerns to the Risk Management Department of the Bank. These reports are used to identify the key risks faced by each entity, measures taken to manage or mitigate the risks and are reviewed by the Risk Management Department of the Bank and tabled at the BIRMC meetings as group risk reports.
Sustainability risk relates to potential financial losses and/ or reputational damage arising from the mismanagement of Environmental, Social and Governance (ESG) factors.
The Bank adopts a holistic approach to managing its sustainability risks across its value chain, considering both operational sustainability risks and those stemming from its credit portfolio with the goal of promoting the long-term sustainability of its operations. Accordingly, the Bank has adopted measures to reduce the environmental impacts of its operations by implementing resource efficiency strategies, reducing waste, actively monitoring its carbon footprint and engaging in biodiversity conservation initiatives. Furthermore, impactful community development programmes, ethical business practices and progressive HR practices continue to strengthen its social license to operate.
The Bank is strengthening its systems and processes for identifying, measuring, monitoring and managing sustainability related risks and opportunities. External consultants have been engaged to support this transition while governance structures have been strengthened in readiness.
Further, the Bank is in preparation for alignment with the reporting requirements of SLFRS Sustainability Disclosure Standards in line with the prescribed target dates.
As a Bank, we recognise that financed emissions are a significant part of the Bank’s carbon footprint and the strengthening of processes takes this into account as we seek to steer the portfolio to support the country’s transition to a low carbon economy. During the year under review, the Bank strengthened managing sustainability risks within its credit portfolio as described below.
NEW DEVELOPMENTS IN 2024
- The Bank established an Environmental and Social Risk Management System to effectively manage sustainability risks related to its lending activities during the year under review.
- This entailed the establishment of;
- A Board-approved ESMS policy
- A published ESMS procedure
- The ESMS policy is aligned with
regulatory requirements and
international best practices including,
- CBSL’s Banking Act Direction No. 05 of 2022
- IFC’s performance standards
- United Nation’s Sustainable Development Goals
- All credit proposals that are deemed high risk are submitted to the RMU for environmental and social risk assessments and recommendations.
- To support effective implementation
of its ESMS policy, the Bank invested
significantly to achieve the following;
- Build capacity through physical and online trainings for staff in the RMU, Credit Policy Committee and Internal Audit Department.
- Sustainability and climate risk alerts were sent within the Bank to keep all business units informed of identified climate risks including adverse weather events.
- Knowledge sharing across the Bank through e-flyers.
- The Bank’s ESMS policy and
procedures,
- Applies to advances over a predetermined threshold and all projects loans excluding consumption loans and schematised facilities.
- Layouts the categorisation of applicable facilities using the Environmental and Social Risk Categorisation Tool, which has been developed internally based on the Central Environmental Authority’s prescribed activity list for environmental approvals and/or environmental protection licenses.
- Using this tool, the Bank categorises applicable credit facilities under four risk categories as follows.
| Category | Selection Criteria |
|---|---|
 |
Activities expected to have significant adverse environmental and/or social impacts that are diverse, irreversible or unprecedented |
 |
Activities expected to have substantial adverse environmental and/or social impacts |
 |
Activities expected to have limited adverse social and/or environmental impacts that can be readily addressed through mitigation measures |
 |
Activities expected to have minimal or no adverse environmental and/or social impacts |
-
Ongoing efforts to comply with the requirements of the Banking Act Direction
No. 05 of 2022, which includes,
- Implementation of an ESG risk assessment on the loan portfolio.
- Develop scenario analysis and stress testing models for identified shocks, assess its impact on capital and incorporate it into ICAAP.
- Development of a scorecard to incorporate sustainability risks into ICAAP under Pillar II and allocate capital accordingly if required.
- Ongoing efforts to identify the Bank’s sustainability related and climate related risks and opportunities and disclose in line with the requirements of the SLFRS Sustainability Disclosure Standards S1 and S2.