Risk Governance and Management Framework

ICICI Bank aims to enforce a strong risk and compliance culture and, to further that aim, the Board approved the Risk and Compliance Culture Policy in fiscal 2022. The policy consists of several guiding principles and aspects for effective implementation of these principles. The Bank has identified the following five guiding principles for risk and compliance culture across the organisation:

The effective implementation of the policy includes a governance framework with roles and responsibilities of the Board, MD & CEO and Executive Directors and the Risk and Compliance Culture Council. All employees are encouraged to align with the guiding principles while conducting their activities.

We conduct periodic training sessions and send information mailers to employees on a regular basis as part of the knowledge-enhancement and awareness initiatives. The Bank is committed to constantly reviewing its governance practices and frameworks, with a focus on staying updated and responsive to the dynamic and evolving landscape and acting in the best interest of all stakeholders.

We have adopted a proactive approach towards identifying, evaluating, and managing risks related to the Bank's activities and risks that could arise due to unprecedented events. As a financial intermediary, we are largely exposed to credit risk, market risk, liquidity risk, operational risk, technological risk, compliance risk, legal risk, and reputation risk. Besides these, we also consider and recognise the importance of environmental, social and governance risks.

The Board of Directors of the Bank has overall oversight of all the risks that ICICI Bank is exposed to. Specific Committees have been set up with respect to different risks to ensure focused oversight of each risk. Each committee has adequate representation of independent directors and must follow certain mandates as specified by the Board. The proceedings and the decisions taken by these Committees are reported to the Board. The policies approved by the Board of Directors or Committees of the Board from time to time guide the governing framework for each risk and the overall operational framework for our business activities.

The roles of specific committees of the Board constituted to facilitate focused oversight of various risks are:

Credit Committee: Review of developments in key industrial sectors, major credit portfolios and approval of credit proposals as per the authorisation approved by the Board.

Audit Committee: Provides direction to the audit function and monitors the quality of internal and statutory audit; responsibilities include examining the financial statements and auditors’ report and overseeing the financial reporting process to ensure fairness, sufficiency, and credibility of financial statements.

Information Technology Strategy Committee: It approves strategy for IT and related policy documents to ensure that the IT strategy is aligned with business strategy. It also reviews IT risks, ensures proper balance of IT investments for sustaining the Bank's growth, oversees the aggregate funding of IT at Bank-level, ascertains if the management has resources to ensure the proper management of IT risks, reviews contribution of IT to business, oversees the activities of the Digital Council, reviews technology from a future readiness perspective, oversees progress in key projects and the performance of critical IT systems, and reviews special IT initiatives.

Risk Committee: It reviews risk management policies pertaining to credit, market, liquidity, operational, outsourcing and reputation risks, the business continuity plan and the disaster recovery plan, and approves the Broker Empanelment Policy and any amendments thereto.

The Committee also:

Sets limits on any industry or country.

Reviews the Enterprise Risk Management Framework, Risk Appetite Framework, Stress Testing Framework, Internal Capital Adequacy Assessment Process, and framework for capital allocation.

Reviews the status of Basel II and Basel III implementation, risk dashboard covering various risks, outsourcing activities, and the activities of the Asset Liability Management Committee.

In addition, it has oversight on risks of subsidiaries covered under the Group Risk Management Framework. The Committee also carries out Cyber Security risk assessment.

ICICI Bank also has a group, namely the Financial Crime Prevention Group (FCPG), overseeing/handling the fraud prevention, detection, investigation, monitoring, reporting and awareness creation functions.

The Bank has developed a Risk Appetite Framework (RAF) Statement and an Enterprise Risk Management (ERM) framework. These frameworks articulate the risk appetite of the Bank and consolidate it into a limit guidance for various risk categories. The Audit Committee supervises the implementation of the Group AML Policy framework.

In addition to the ERM and RAF, portfolio reviews are carried out and presented to the Credit and Risk Committees as per the approved calendar of reviews. As a part of the reviews, the prevalent trends across various economic indicators and their impact on the Bank’s portfolio are presented to the Risk Committee. Industry analysis and reviews are also carried out and presented to the Credit Committee.

The Internal Capital Adequacy Assessment Process (ICAAP) encompasses capital planning for a four-year time horizon, assessment of material risks and the relationship between risk and capital. The capital management framework is complemented by the risk management framework, which covers the policies, processes, methodologies, and frameworks established for the management of material risks. Stress testing, which is a key aspect of the ICAAP and the risk management framework, provides insight into the impact of extreme but plausible scenarios on the Bank’s risk profile and capital position.

Apart from the Board Committees, there are several independent groups and subgroups across the Bank responsible for independent evaluation, monitoring and reporting of various risks. These groups function independently of the business groups/subgroups, have no business targets and are responsible for giving unbiased inputs. They are required to coordinate with representatives of the business units for the implementation of our risk management policies and methodologies.

The Risk Management Group is further organised into Credit Risk Management Group, Market Risk Management Group, Operational Risk Management Group, and Information Security Group. The Group is headed by the Chief Risk Officer and reports to the Risk Committee of the Board of Directors.

The Compliance Group, headed by the Group Chief Compliance Officer, oversees regulatory compliance of the Bank, both at the policy/procedures level and at the level of implementation by the respective groups. The Group has unrestricted access to information within the Bank to assess compliance with the regulatory guidelines.

The Internal Audit Group, being the third line of defence, provides independent assurance that the aforesaid independent groups monitoring the risks in the Bank are operating in line with policies, regulations and internal standards defined for management of the various risks in the Bank.

The Compliance Group and the Internal Audit Group report to the Audit Committee of the Board of Directors. The Risk Management, Compliance and Internal Audit Groups have administrative reporting to the Executive Director responsible for Corporate Centre.

To read more on key risks and mitigants in fiscal 2022, please refer to pages 43-45 of ICICI Bank’s Annual Report 2021-22.