
RISK GOVERNANCE FRAMEWORK

The Bank is committed to achieving responsible and sustainable growth, underpinned by our core values of Return of Capital, Agile Risk Management and Compliance with Conscience.

As a financial intermediary, the Bank is exposed to various risks, primarily credit risk, market risk, liquidity risk, operational risk, technology risk, cyber risk, compliance risk, legal risk and reputation risk. The Bank is committed to managing material risks and participating in opportunities as part of the strategic approach of risk-calibrated growth in profit before tax excluding treasury.

The Board of Directors of the Bank has oversight of all risks in the Bank, with specific Committees of the Board constituted to facilitate focussed oversight. Most Committees are chaired by Independent Directors, and there is adequate representation of Independent Directors on each of these Committees. The Board has framed a specific mandate for each of these Committees. The proceedings and the decisions taken by these Committees are reported to the Board. The policies approved from time to time by the Board of Directors or by Committees of the Board constitute the governing framework within which business activities are undertaken.

Several groups and sub-groups have been constituted to facilitate independent evaluation, monitoring and reporting of risks. These groups function independently of the business groups.

The Risk Management Group is further organised into the Credit Risk Management Group, Market Risk Management Group, Operational Risk Management Group and Information Security Group. The Group is headed by the Chief Risk Officer, who reports to the Risk Committee of the Board of Directors. The Bank also has a Financial Crime Prevention Group (FCPG) to oversee and handle fraud prevention, detection, investigation, monitoring and reporting, and to create awareness about fraud risk management.

The roles of specific committees of the Board constituted to facilitate focussed oversight of various risks are:

  • Credit Committee: Approval of credit proposals as per the authorisation approved by the Board and review of developments in key industrial sectors, non-performing loans, accounts under watch, incremental sanctions, non-fund based exposures, unsecured portfolio, capital market exposures, commercial real estate exposures, retail exposures etc.
  • Audit Committee: Provides direction to the audit function and monitors the quality of internal and statutory audit; responsibilities include examining the financial statements and auditors’ report and overseeing the financial reporting process to ensure fairness, sufficiency and credibility of financial statements.
  • Information Technology Strategy Committee: Approves the IT strategy and policy documents; ensures that the IT strategy is aligned with business strategy; reviews performance against IT & IS Key Risk Indicators (KRIs) and periodically reviews the KRIs to ensure coverage of IT & IS risks; ensures a proper balance of IT investments for sustaining the Bank’s growth; oversees the aggregate funding of IT at Bank level; ascertains whether management has the resources to ensure proper management of IT risks; reviews the contribution of IT to business; oversees the activities of the Digital Council; reviews technology from a future-readiness perspective; oversees the progress of key projects and the performance of critical IT systems, including review of IT capacity requirements and of the adequacy and effectiveness of Business Continuity Management and Disaster Recovery; reviews special IT initiatives; reviews cyber risk; considers the RBI inspection reports/directives received from time to time by the Bank in the areas of information technology and cybersecurity and reviews compliance with the actionables arising out of such reports/directives as deemed necessary; and reviews the deployment of skilled resources within the Technology and Information Security functions so as to ensure effective and efficient deliveries.
  • Risk Committee: Reviews risk management policies pertaining to credit, market, liquidity, operational, outsourcing and reputation risks, the business continuity plan and the disaster recovery plan. The functions of the Committee also include setting industry and country limits and reviewing the Bank’s Enterprise Risk Management Framework, Risk Appetite Framework, Stress Testing Framework, Internal Capital Adequacy Assessment Process and Framework for Capital Allocation. In addition, the Risk Committee reviews the Basel Framework, a risk dashboard covering various risks, and outsourcing activities. The Committee also reviews the cybersecurity risk assessment. The Bank has put in place an Enterprise Risk Management (ERM) and Risk Appetite Framework (RAF) that articulates the risk appetite and drills it down into a limit framework for the various risk categories under which the business lines operate. In addition to the ERM and RAF, portfolio reviews are carried out and presented to the Credit and Risk Committees as per the approved calendar of reviews. As part of these reviews, the prevalent trends across various economic indicators and their impact on the Bank’s portfolio are presented to the Risk Committee. Industry analyses are also carried out and their outcomes are presented to the Credit Committee for review and guidance.

The Internal Capital Adequacy Assessment Process (ICAAP) encompasses capital planning for a four-year time horizon, assessment of material risks and the relationship between risk and capital. Stress testing, which is a key aspect of the ICAAP and the risk management framework, provides an insight on the impact of extreme but plausible scenarios on the Bank’s risk profile and capital position.

The Reputation Management Forum, comprising Executive Directors and leadership members, oversees reputation risk assessment at the Bank. The Forum has adopted a framework for conducting periodic reviews and ensuring adequate processes and systems to identify, assess and mitigate reputation-related risks. The risk and control assessment is presented to the Board Risk Committee on a quarterly basis.

Independent Groups for Monitoring Risks
  • Risk Management Group
  • Compliance Group
  • Internal Audit Group
  • Financial Crime Prevention and Reputation Risk Management Group

The Internal Audit Group, being the third line of defence, provides independent assurance that the aforesaid independent groups monitoring the risks in the Bank are operating in line with the policies, regulations and internal standards defined for management of the various risks in the Bank.

The Compliance Group, headed by the Group Chief Compliance Officer, oversees regulatory compliance of the Bank, both at the policy and procedures level and at the level of implementation by the respective groups. The Group has unrestricted access to information within the Bank to assess compliance with the regulatory guidelines.

The Compliance Group and the Internal Audit Group report to the Audit Committee of the Board of Directors. The Risk Management, Compliance and Internal Audit Groups have administrative reporting to the Executive Director responsible for Corporate Centre.

With increasing digitisation, ensuring effective management and governance of data has become a critical business enabler. To further strengthen data quality, data standardisation and governance around data, a Chief Data Officer (CDO) was appointed in fiscal 2023. The role of the CDO includes creating the governance and processes around data generation and processing and compliance with regulations for customer data captured by the Bank. The CDO is also responsible for implementation of the Bank’s Data Governance Policy.

CYBERSECURITY GOVERNANCE

Cyber risk management forms an integral part of the Bank’s enterprise risk management framework. The Bank is committed and working towards aligning itself with the changing threat landscape and has a dedicated team for cyber/information risk management.

Our cybersecurity governance encompasses management oversight at various levels with the ultimate responsibility assumed by the Board of Directors. Regular updates are provided by the Information Security Group (ISG) of the Bank.

The Executive Committees have diverse cross-functional members and well-defined terms of reference. Proceedings of these Committees are reported to the IT Strategy Committee. Additionally, the Bank maintains multiple Key Risk Indicators (KRIs) and dashboards to review system stability, continuity and availability and network uptime.

The Bank also has a well-defined Information Security Policy, Cyber Security Policy and Information Security Standards and Procedures. These policies have been designed by drawing from several standards and regulations, including the RBI Cyber Security Framework, the National Critical Information Infrastructure Protection Centre (NCIIPC) Guidelines for Protection, the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, the SEBI Cyber Security and Resilience Framework for Stock Brokers/Depository Participants, the IRDA Guidelines on Information and Cyber Security for insurers and the Unusual Cyber Security Incidents framework. The Bank has also incorporated industry best practices such as those published by the National Institute of Standards and Technology (NIST), as well as the regulatory requirements of other jurisdictions in which the Bank operates. Further, periodic internal and external audits are undertaken and inputs from these assessments are incorporated.

The Bank has a 24x7 Security Operations Centre for monitoring and surveillance of information technology systems. Given the criticality of data protection, we have deployed a Data Leakage/Loss Prevention system with data protection rules covering sensitive data exposure from the Bank’s endpoints, emails and web gateways. The Bank’s Data Centre and Security Operations Centre are ISO 27001 certified.

[Figure: Governance structure for Information Technology at ICICI Bank. The top level is the Board of Directors, under which two categories are outlined: Board Sub-Committees and Executive Committees. The Board Sub-Committees comprise the IT Strategy Committee, Risk Committee and Audit Committee. The Executive Committees comprise the Information Technology (IT) Steering Committee, Information & Cybersecurity Committee and Business Continuity Management (BCM) Steering Committee.]

[Figure: Controls for IT infrastructure at ICICI Bank, categorised into three sections. Preventive Control: application security lifecycle, vulnerability assessments, antivirus and access management. Detective Control: security operations centre monitoring, web application firewalls and network operations centre monitoring. Responsive Control: incident response plan, cyber crisis management plan and forensic agreements with partners.]

PARTICIPATION IN EXTERNAL CYBERATTACK SIMULATIONS

The Bank conducts and participates in several cybersecurity attack simulation drills, such as spear phishing drills on employees, Distributed Denial of Service (DDoS) attack drills with Internet Service Providers (ISPs), and social engineering-based attempts on data centre staff to gain physical access. Business continuity and recovery drills are conducted to assess the Bank’s ability and readiness to combat disasters, to ensure continuity of critical business processes at an acceptable level and to limit the impact of a disaster on people, processes and infrastructure. The Bank periodically conducts cyber maturity assessments through a third party, which constitute a comprehensive risk assessment of the cybersecurity posture of the Bank.

The Bank believes in providing services to its customers in the safest and most secure manner, keeping in mind that protection of its customers’ data is as important as providing quality banking services across the spectrum. The Bank also undertakes campaigns to create awareness among customers of security aspects of banking through digital channels.

In view of rapid digitisation and growing cyber threats, it is critical to respond quickly and effectively when security incidents occur. The Bank has a dedicated Cybersecurity Incident Response Team (CSIRT) to respond to security incidents following a well-documented Incident Response Plan. Further, the Bank has a Disaster Recovery (DR) plan to ensure continuity of critical services to customers and availability of identified critical systems during significant disruptions. In the event of a disaster, the Bank endeavours to resume business and operations to an acceptable level as per the Recovery Time Objectives (RTOs) defined for each application. The efficacy of the DR plan is established through periodic DR drills.

There were no material incidents of security breaches or data loss during fiscal 2024.

ENVIRONMENTAL, SOCIAL AND GOVERNANCE (ESG)

During fiscal 2024, the Bank’s focus was on strengthening its sustainability practices and integrating ESG principles in its operations and strategy. Managing the Bank’s environmental impact and effective governance practices were key drivers of various initiatives undertaken during the year. The ESG Steering Committee, comprising functional heads across the Bank, continued to provide guidance and oversight on the ESG-related action plan for the year. The Risk Committee and the Board reviewed material ESG matters during fiscal 2024, and were provided updates on progress made on various ESG-related initiatives at the Bank. The Board-approved ESG Policy was reviewed and updated largely to reflect the progress made by the Bank during the year.

ESG RATINGS

The ESG practices of the Bank are evaluated by external rating agencies such as Sustainalytics and MSCI. The improvement in the Bank’s ESG ratings is evidence of the progress being made across various areas. The ESG risk score from Sustainalytics improved from 23.9 to 22.5, remaining within the Medium Risk category, during fiscal 2024. The MSCI rating was maintained at A during the year. The rating from CDP Worldwide is C, which is the same as the Asian regional average.

[Figure: ICICI Bank’s ESG governance structure. The Board of Directors receives annual updates; the Risk Committee receives semi-annual reporting; the ESG Steering Committee meets quarterly; and a dedicated team within the CFO’s office tracks ESG and CSR initiatives. The overarching ESG Policy covers broad focus areas including responsible financing, environmental sensitivity, customer and employee focus, corporate governance, cybersecurity and stakeholder engagement.]
ESG-related Developments During Fiscal 2024
  • The Bank significantly increased the proportion of renewable energy in its total energy consumption from grid and on-site solar from 9% in fiscal 2023 to 35% in fiscal 2024. This was enabled through the procurement of green tariff power for the Bank’s facilities in Maharashtra and in Hyderabad.
  • The Bank’s total Scope 1 and 2 emissions declined by 15.7%, driven by a reduction in Scope 2 emissions by 19.7% during fiscal 2024.
  • Evaluation of the Bank’s Scope 3 emissions in own operations was expanded to include the upstream categories of capital goods and employee commuting, apart from business travel.
  • Better identification and management of risks relating to climate and ESG was an ongoing effort at the Bank, which involved sectoral analysis of hard-to-abate sectors with respect to transition risks, and expanding the ESG risk assessment tool to more sectors.
  • Several communications relating to well-being were disseminated to employees through a dedicated portal, which included videos and webinars focussing on areas like health and fitness. The portal is also an avenue for employee volunteering in CSR activities.
  • Initiation of better monitoring and measurement of water and waste management efforts resulted in the BKC Service Centre (Corporate Office) getting a rating of ‘Net Zero Waste’ in the category of ‘Net Zero Waste to Landfill (Operations)’ by the Indian Green Building Council.
  • A dedicated section on ESG was introduced on the Bank’s website to improve disclosures on our sustainability journey.
  • The Bank continued to engage with internal stakeholders to build awareness and create capabilities.
  • The Bank has initiated efforts to strengthen the governance on ESG data collation and reporting.

The Bank is committed to minimising the environmental impact of its operations and business. The Bank has set a target to become carbon neutral in its Scope 1 and Scope 2 emissions by fiscal 2032.