RISK GOVERNANCE FRAMEWORK

With a focus on responsible and sustainable growth, the Bank continuously endeavours to maintain effective governance, a strong risk culture and robust enterprise risk management framework.

As a financial intermediary, the Bank is exposed to various risks, primarily credit risk, market risk, liquidity risk, operational risk, technology risk, cyber risk, compliance risk, legal risk and reputation risk. The Bank is committed to managing material risks and participating in opportunities as part of the strategic approach of risk-calibrated growth in core operating profit less provisions.

The Board of Directors of the Bank has oversight of all risks in the Bank with specific Committees of the Board constituted to facilitate focussed oversight. Most Committees are chaired by Independent Directors and there is adequate representation of Independent Directors on each of these Committees. The Board has framed specific mandate for each of these Committees. The proceedings and the decision taken by these Committees are reported to the Board. The policies approved by the Board of Directors or Committees of the Board, from time to time constitute the governing framework within which business activities are undertaken.

The roles of specific committees of the Board constituted to facilitate focussed oversight of various risks are:

Credit Committee

Review of developments in key industrial sectors, major credit portfolios and approval of credit proposals as per the authorisation approved by the Board.

Audit Committee

Provides direction to the audit function and monitors the quality of internal and statutory audit; responsibilities include examining the financial statements and auditors’ report and overseeing the financial reporting process to ensure fairness, sufficiency and credibility of financial statements.

Information Technology Strategy Committee

Approve strategy for IT and policy documents, ensure that the IT strategy is aligned with business strategy, review IT risks, ensure proper balance of IT investments for sustaining the Bank's growth, oversee the aggregate funding of IT at Bank-level, ascertain if the management has resources to ensure the proper management of IT risks, review contribution of IT to business, oversee the activities of Digital Council, review technology from a future readiness perspective, overseeing key projects progress and critical IT systems performance and the review of special IT initiatives.

Risk Committee

Review risk management policies pertaining to credit, market, liquidity, operational, outsourcing, reputation risks, business continuity plan and disaster recovery plan and approve Broker Empanelment Policy and any amendments thereto. The functions of the Committee also include setting limits for industry or country exposures, review the Bank's Enterprise Risk Management Framework, Risk Appetite Framework, Stress Testing Framework, Internal Capital Adequacy Assessment Process and Framework for Capital Allocation; review the status of Basel implementation, risk dashboard covering various risks, outsourcing activities and the activities of the Asset Liability Management Committee. The Committee has oversight on risks of subsidiaries covered under the Group Risk Management Framework. The Committee also reviews the cybersecurity risk assessment.

The Bank also has a Financial Crime Prevention Group (FCPG) to oversee/handle fraud prevention, detection, investigation, monitoring, reporting and creating awareness about fraud risk management.

The Bank has put in place an Enterprise Risk Management (ERM) and Risk Appetite Framework (RAF) that articulates the risk appetite and drills down the same into a limit framework for various risk categories under which various business lines operate. In addition to the ERM and RAF, portfolio reviews are carried out and presented to the Credit and Risk Committees as per the approved calendar of reviews. As part of the reviews, the prevalent trends across various economic indicators and their impact on the Bank’s portfolio are presented to the Risk Committee. Industry analysis are also carried out and outcomes are presented to the Credit Committee for review and guidance.

The Internal Capital Adequacy Assessment Process (ICAAP) encompasses capital planning for a four-year time horizon, assessment of material risks and the relationship between risk and capital. The capital management framework is complemented by the risk management framework, which covers the policies, processes, methodologies and frameworks established for the management of material risks. Stress testing, which is a key aspect of the ICAAP and the risk management framework, provides an insight on the impact of extreme but plausible scenarios on the Bank’s risk profile and capital position.

Several groups and sub-groups have been constituted to facilitate independent evaluation, monitoring and reporting of risks. These groups function independently of the business groups.

The Risk Management Group is further organised into the Credit Risk Management Group, Market Risk Management Group, Operational Risk Management Group and Information Security Group. The Group is headed by the Chief Risk Officer who reports to the Risk Committee of the Board of Directors.

The Compliance Group, headed by the Group Chief Compliance Officer, oversees regulatory compliance of the Bank, both at the policy and procedures level and at the level of implementation by the respective groups. The Group has unrestricted access to information within the Bank to assess compliance with the regulatory guidelines.

The Reputation Management Forum, comprising executive director and leadership members, oversees reputation risk assessment at the Bank.The Forum has adopted a framework for conducting periodic reviews and ensuring adequate processes and systems to identify, assess and manage reputation related risks. This includes evaluating key risk indicators and events like complaints, frauds, media news flow, legal matters, and others that could potentially pose a reputation risk. There are also response mechanisms in place for managing reputation related issues. The risk and control assessment is presented to the Board Risk Committee on a quarterly basis.

The Internal Audit Group, being the third line of defence, provides independent assurance that the aforesaid independent groups monitoring the risks in the Bank, are operating in line with policies, regulations and internal standards defined for management of the various risks in the Bank.

The Compliance Group and the Internal Audit Group report to the Audit Committee of the Board of Directors. The Risk Management, Compliance and Internal Audit Groups have administrative reporting to the Executive Director responsible for Corporate Centre.

With increasing digitisation, ensuring effective management and governance of data has become a critical business enabler. To further strengthen data quality, data standardisation and governance around data, a Chief Data Officer (CDO) was appointed in fiscal 2023. The role of the CDO includes creating the governance and processes around data generation and processing and compliance with regulations across all aspects of its operations. The CDO is also responsible for implementation of the Bank's Data Governance Policy.

CYBERSECURITY GOVERNANCE

Cyber risks form an integral part of the Bank’s enterprise risk management framework. The Bank is committed to work towards aligning itself with the changing threat landscape and has a dedicated team for cyber/ information risk management. There is robust oversight by the Board, and takes regular updates from the Information Security Group (ISG) of the Bank. A monthly risk-based detailed CISO dashboard capturing the various Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) associated with SOC operations and offences summary for the month is prepared which is reviewed by the CISO and the CRO.

The Bank has an information and cybersecurity governance framework consisting of leadership, organisational structures and processes that help us in mitigation of growing cybersecurity threats. Our cybersecurity governance encompasses management oversight at various levels with the ultimate responsibility assumed by the Board of Directors.

The Executive Committees have diverse cross-functional members and well-defined terms of reference. Proceedings of these Committees are reported to the IT Strategy Committee. Additionally, the Bank has multiple KRIs/dashboard to review system stability, continuity and availability and network uptime. The Bank also has a well-defined Information Security Policy, Cyber Security Policy and Information Security Standards and Procedures. These policies have been designed by drawing from several standards and regulations including the RBI Cyber Security Framework, NCIIPC Guidelines for Protection, FFIEC Cybersecurity Assessment Tool, the SEBI Cyber Security and Resilience Framework for Stock Brokers/Depository participants, IRDA Guidelines on Information and Cyber Security for insurers, Unusual Cyber Security Incidents framework. The Bank has also incorporated industry best practices such as the National Institute of Standards and Technology (NIST) and the regulatory requirements of some other jurisdictions in which the Bank operates. Further, periodic internal and external audits are undertaken and inputs from these assessments are incorporated. The Bank’s Data Centre is ISO 27001¹ certified.

The Bank has a Disaster Recovery plan to ensure continuity of critical services to customers and availability of identified critical systems during significant disruptions. In the event of a disaster, the Bank endeavours to resume business and operations to an acceptable level as per the Recovery Time Objectives (RTOs) for the application. The efficacy of the DR plan is established through periodic DR drills.

PARTICIPATION IN EXTERNAL CYBERATTACK SIMULATIONS

The Bank conducts and participates in several cybersecurity attack simulation drills such as spear phishing drills on employees, Distributed Denial of Service (DDoS) attack drills for Internet Service Providers (ISPs), social engineering-based attacks on data centre staff to gain physical access etc. Business continuity and recovery drills are conducted to assess the Bank’s ability and readiness to combat disasters, to ensure continuity of critical business processes at an acceptable level and limit the impact of the disaster on people, processes and infrastructure. The Bank periodically conducts cyber maturity assessments through a third-party, which is a comprehensive risk assessment of the cybersecurity posture of the Bank. The last such assessment and benchmarking with global banks was undertaken in fiscal 2022, and the Bank’s cyber posture was at par with global banks.

The Bank believes in providing services to its customers in the safest and in a secure manner keeping in mind that protection of data of its customers is as important as providing quality banking services across the spectrum. The Bank also undertakes campaigns to create awareness among customers on security aspects while banking through digital channels.

There were no material incidents of security breaches or data loss during fiscal 2023.

ENVIRONMENTAL, SOCIAL AND GOVERNANCE (ESG)

The Risk Committee and the Board reviewed material ESG matters during fiscal 2023, and were provided updates on progress made on various ESG-related initiatives at the Bank. The Board-approved ESG Policy was reviewed and updated largely to reflect the progress on ESG made by the Bank during fiscal 2023 and the requirements under the SEBI-mandated Business Responsibility and Sustainability Report (BRSR).

ESG RATINGS

The improvement in the Bank’s ESG ratings by external agencies is evidence of the progress being made across various areas. The ESG rating by MSCI improved from BBB to A and the ESG score by Sustainalytics improved from High Risk to Medium Risk category. During fiscal 2023, the Bank responded to the climate change questionnaire by CDP Worldwide for the first time. The Bank received a rating of C, which was same as the Asian regional average.