


Lani Ranwela


The business of banking is about managing risks. Every banker knows it. But very often incidents are reported globally and locally, which make the ordinary public wonder whether bankers really do know. Although the Asian crisis in the ‘90s was caused by the inflation of asset values due to inefficiency of the regulatory systems, the risky lending by banks and financial institutions had led to this asset inflation. This crisis saw several banks which had lax risk management systems and lent extensively to the speculative property sector being left with large bad loans when the bubble burst. Large losses due to loan default are not unknown even in the local banking sector.

In carrying out their functions banks are exposed to several types of risks. Credit risk, market risk, liquidity risk, operational risk, legal risk and reputation risk are amongst these risks. While banks and other financial institutions have faced difficulties for a multitude of reasons, credit risk is the most common cause of bank failures, causing all regulatory authorities to prescribe minimum standards for credit risk management. The New Basel II Accord had assigned 75% of the weight in capital adequacy requirement, to credit risk. Whilst it is unavoidable that banks may sometimes make mistakes in judgment, for most failed banks the real problems are systemic in nature and rooted in the bank’s credit culture.

What Is Credit Risk?

Credit risk could be defined as the possibility of losses arising from the diminution in the credit quality of borrowers or counterparties. In a bank losses could arise from a default by customers or counterparties’ inability or unwillingness to meet commitments relating to lending, trading or other financial transactions. Credit risk could arise from the banking book and the trading book and both on or off balance sheet.

It is imperative that every bank should have a sound credit risk management system integrated into the overall risk management framework. The goal of credit risk management is to maximize a bank’s risk-adjusted rate of return by maintaining credit risk exposure within acceptable parameters. Banks should have a keen awareness to identify, measure, monitor and control credit risk and should have adequate capital to absorb these risks. The shareholders of the banks expect adequate compensation on their investments.

Components of a Good Credit Risk Management System

In a bank, an effective risk management system should comprise the following components:-

i Credit Policy and strategy
ii Credit Process
iii Organisational structure
iv People
v Culture

Most foreign banks operating in Sri Lanka have well defined credit risk management systems which are closely supervised by their respective Head Offices. Out of the local banks very few may have separate risk management units/structures. With the proposed Basel II Accord, banks are compelled to have a look at their risk management systems.

i. Credit Policy

a. A bank should have a Credit Policy which has been approved by the Board. Credit policy is the foundation on which Credit Risk Management of both portfolio and processes is built. Its aim is to ensure that uniform credit extension is practiced throughout the bank. A Credit Policy serves as the basis for consistent credit risk management throughout the bank through product, segment, geographic and organizational divisions and should apply to all employees at all levels dealing in credit risk. Credit policies which define appropriate behaviour in lending business should support the bank’s business strategies. Inter alia it would lay down the requirements for employees dealing with credit risk, compliance guidelines on risk exposures, policies on collateral and areas to be avoided.

c. Credit Policy approved by the Board should be communicated to all units/branches engaged in lending activities, and personnel responsible for this activity have to be held accountable for adhering to these policies in letter and spirit.

d. The senior management of a bank is responsible for implementing the credit policy approved by the Board.

ii. Credit Strategy

Each bank should develop its own credit risk strategy that establishes the objectives guiding the bank’s credit granting activities and adopt necessary policies/ procedures for conducting of such activities. This strategy should spell out clearly the organisation’s credit appetite and the acceptable level of risk-reward trade off for its activities.

The strategy should include statements indicating bank’s willingness to grant loans in different economic sectors, industrial sectors and geographical locations, if relevant. It would also include decisions to enter different market segments. Credit strategy also should define target markets, risk acceptance criteria, credit origination/maintenance procedure and guidelines for portfolio management.

This strategy would translate into identification of target markets and business sectors, diversification or concentration. It would also take into account the cost of capital in granting credit and cost of bad loans.

The credit strategy should provide for continuity in approach and also take into account the cyclical aspects of the economy and its impact on the composition / quality of the portfolio. It should be viable in the long run and through various economic cycles.

iii. Organization Structure

A sound organization structure is a pre-requisite for the successful implementation of a credit risk management system. Times have changed when the CEO of the bank had discussed and agreed with the customer to lend money and the credit department was requested to process the loan. In an effective system, the Risk Management function would be independent of the business lines and there should not be any conflict of interest between the Credit Risk Management function and the business origination divisions. A possible structure for a credit risk management function would be as follows:-

Depending on the size of the bank the structure would differ and lending authority would be delegated at different levels. Most of the foreign banks would have the above basic structure. Until recently, most local banks had just one Credit Unit which originated, evaluated and approved loans, with a separate Recoveries Unit.

In any type of structure, the Board of directors should have the ultimate responsibility for management of risks. Board should approve the credit policy and delegate authority to senior management to set the required parameters in limits, guidelines and procedures in setting the liquidity, interest rate, foreign exchange and price risks.

In large banks there will be a Risk Management Committee, which is a Board level sub-committee comprising the CEO and heads of Credit, Market and Operational risks. This committee will devise the policy and strategy for an integrated risk management covering various risks of the bank including credit risk. For this purpose the committee should effectively coordinate between the Credit Committee (CC), the Asset and Liability Management Committee (ALCO) and other risk committees, if any. The smaller banks, including the Sri Lankan banks, mostly have separate Credit Committee/s and ALCO which report to the Board. Some banks would have a Board Credit Committee and Board Audit Committee which function as sub-committees of the Board.

In banks that follow the best practices, a Senior Risk Manager who is responsible for the bank-wide risk management function is appointed. This individual and his team are empowered with the responsibility to evaluate the bank-wide risks. This team holds line officers more accountable for the risks under their control. The reward system of the line officers is according to the overall profitability in their individual account portfolios and not on business volumes.

iii. Credit Process

A typical credit process would involve the following steps:-

   Business origination by the different business lines such as Corporate, Retail, Consumer etc., as per their business strategies.

   Transaction management- risk assessment, structuring of facilities, risk rating, internal approval and pricing. These functions would normally be carried out by the business units of a bank.

   Credit Administration – This function is a part of the Risk Management Unit. Its responsibilities would be the implementation of approved facility limits, monitor the security documentation, monitoring of loan covenants, follow up on insurance, stock statements and other related activities.

   Portfolio management – management of the overall bank portfolio and problem loans.

Portfolio management would involve three stages viz:-

1. Limit/reduce credit exposures – placing limits on customer, product, economic, industry and geographical sectors

2. Asset Classification
Apart from the risk rating assigned to each client as per the risk rating system adopted by the bank at the initiation of the relationship, it is necessary to identify in a timely manner any deterioration in the borrower’s standing. This could be due to external factors, changes in management, cash-flow constraints or a number of other criteria which should be construed as warning signals. Although there would be no defaults at this stage, borrowers who give such signals should be “watch listed” and downgraded.

3. Provisioning for losses – Central Bank of Sri Lanka has laid down minimum requirements on classification of Non Performing Assets (NPA) and provisioning for specific losses. Banks are encouraged to make general / judgemental provisions, over and above the minimum requirements.

In the process of managing the credit portfolio, the following proactive measures are taken:-

   Annual review of all existing obligors and a brief semi-annual review of new engagements.

   Periodic reviews of industrial sectors

   Periodic calls, visits to the sites

   Undertake at least quarterly reviews of weak (watch list) clients

   Periodic stock inspections

   Carry out quick portfolio reviews when adverse industry/political/ economical indicators are shown.

   Undertake periodical reviews of the entire portfolio.

   Ensure that all borrowers in the bank have a risk rating

Business lines, Credit Committee/s, Credit Risk department and the Credit Audit Unit would be the main bodies involved in the credit process.

Credit Committee

Each bank, depending on its size, will have a Credit Committee/s which would comprise the CEO, Head of Credit Department, Head of Credit Risk Management Department and relevant business line heads. Some of the functions of the Credit Committee would be as follows, depending on whether the Committee is an approval authority or only has an advisory capacity:-

   Be responsible for implementation of the credit policy/strategy approved by the Board/Board Credit Committee.

   Recommend to the Board for approval, standards for presentation of credit proposals, financial covenants and rating standards.

   Recommend to the Board the delegation of credit authority, limits on large credit exposures, sector exposures, loan review mechanism, risk monitoring, evaluation, pricing of loans, provisioning etc.

   Pre-clear large/unusual credit proposals

   Approval of credit under its authority

Risk Management Department

Ideally a bank should have an independent credit risk department, which would be responsible for the following functions:-

   Control and monitor credit risk on a bank-wide basis within the limits/ parameters set by the Board/ Credit Committee.

   Lay down risk assessment systems, monitor quality of loan/investment portfolio, identify problem loans, monitor the use of risk rating system and loan reviews.

   This unit also should monitor and assess the external factors which would have an impact on the portfolio and take pro-active measures to mitigate these risks and keep the Credit Committee/Board informed of impending risks

   Present periodic portfolio reviews to the Board.

Depending on the size of the bank and the diversity, the structure may vary from bank to bank.

Credit Audit Unit

Working parallel to the Internal Audit Unit, this unit has to function independently and the reporting line is direct to the Board/Audit Committee through the CEO. Its functions would be to carry out periodic audits to ensure that credit policy, guidelines and procedures are adhered to. It would further make recommendations to improve existing systems & procedures.

iv. People

Selection of the staff for the entire process is as important as having a well thought out structure. The Relationship Managers who initiate the business need to have the correct attitude and drive. Whilst it is their function to market business which falls within the purview of the credit policy and target market, they should be adequately trained to identify and evaluate the risks. As they are rewarded according to the profitability of their respective portfolios, they are responsible for the timely identification and mitigation of any risk that could end up in loss situations. A continuous upgrading of skills is mandatory to keep a motivated staff and to maintain a quality portfolio.

v. Credit Culture

Most of the successfully established banks globally have recognized that asset growth for the sake of growth does not necessarily bring shareholder value and that setting asset targets without an awareness of returns not commensurate with risks is disastrous to a bank. The kind of problems that indicate distortion in a bank’s credit culture could be summarized as below :-

   Related party dealings – An over extension of credit to directors, parties related to directors and large shareholders.

   Compromise of credit principles - where loans with undue risks and unsatisfactory terms are granted with full knowledge due to pressure from related parties, competitor pressures or personal conflicts of interest.

   Anxiety over income – Usually the loan portfolio is the key revenue generating asset in a bank. When business lines are pressurized to achieve targets, there is a tendency to compromise accepted norms of good lending principles and loans may be extended with the hope that the risks identified may not be realized.

   Incomplete credit information - In order to ascertain the borrower’s repayment capacity, a complete analysis of the financial condition, market position, industry data is vital. An analysis of the purpose of the loan, use of borrowed funds and source of repayment together with continuous supervision supported by documented call visits is mandatory information in managing a loan.

   Complacency and Name lending – Lack of adequate supervision of long standing familiar borrowers or known names in the market, dependence on oral information rather than reliable and complete financial data or an optimistic interpretation of apparent weaknesses in view of the survival of adverse situations in the past. Further banks may ignore warning signals regarding borrowers, economy, industry, supply chains or any other unfavourable development affecting the borrower, without taking appropriate action by either considering a re-structure or enforcing repayment agreements such as legal action in a timely manner.

   Lack of Supervision – Insufficient supervision results in lack of knowledge about the borrower’s affairs over the lifetime of the loan. External conditions may have changed the borrower’s conditions and may have affected his repayment capacity. When funding working capital requirement, constant supervision on Company’s cash-flows through their current accounts, monitoring of timely settlement of short term loans is mandatory.

   Technical incompetence – deficiency in the knowledge of credit officers in evaluation of credit and interpretation of financial/other information. There should be continuous training and upgrade of skills of the officers engaged in handling of loan facilities.

   Poor selection criteria of risks – these would typically be the following:-

- extension of credit with initially sound financial risk to a level beyond the reasonable repayment capacity of the borrower.

- absence of a clearly identified target market – annually the bank should study the economic environment, assess opportunities / threats and identify a target market.

- loans to companies operating in economically distressed areas or industries

- loans granted without adequate security margins or against collaterals which are difficult to enforce.

As in any other culture, credit culture should be in the hearts and minds of the people concerned rather than in policies, memos and other systems, although these too are important.

New Basel II Accord and Credit Risk Management

The aim of the new Basel II Accord is to ensure that bank regulatory authorities world over fully recognize the impact of risk on the capital requirements. Under the prevailing 1988 Accord (BIS), the following formula is applicable to Risk Weighted Assets (RWA):-

- 100% risk weight is assigned to cash loans granted to Corporates.
- 20% risk weight is attached to loans guaranteed by OECD banks.

This framework does not adequately relate credit risk with Capital Requirement. For instance the capital requirement for a loan to an AAA client would be the same as for a CCC rated Corporate. Hence a credit rating was not mandatory, though several banks globally and most local banks adopted internal risk rating systems at varying degrees of sophistication for different reasons ranging from pricing, determination of delegation of authority for lending purposes and provisioning requirements.

With the proposed Basel II Accord, capital adequacy calculation is still based on RWA. However, the capital requirement for cash loans would depend on the credit risk of the borrower. Accordingly capital requirement for an AAA client would now be lower than for a CCC client. RWA for an OECD bank guaranteed loan depends on credit risk of the guaranteed bank. This requirement has made Credit rating of borrowers mandatory.

Importance of Credit Rating

As the concept of the new Basel II Accord revolves round risk weight to different risk categories, Risk Rating systems will have an important place in the framework of a credit risk management system. The Basel II recommends three levels of rating systems as indicated below:-

Methodology                                           Rating Method
Standardized Approach                                 External Credit Rating Agencies
Internal Ratings Based Approach (IRB) - Foundation    Internal Risk Scoring Model
Internal Ratings Based Approach (IRB) - Advanced      Internal Risk Scoring Model

Adopting the IRB entails sophisticated rating models which in turn will require large investments in technology. Central Bank of Sri Lanka has opted to adopt the standardized approach in the process of moving towards meeting Basel II requirements. Given the immaturity of the local market where only a few Corporates have ratings given by the single rating agency in Sri Lanka, i.e. Fitch Ratings Lanka (Pvt) Ltd., banks would be required to apply the risk weight applicable to non-rated borrowers, i.e. 100%.

Risk Based Pricing and Risk Adjusted Return on Capital (RAROC)

The main purpose of having a risk adjusted pricing model is to ensure optimum allocation of capital and earn adequate return on the allocated capital. Inaccurate pricing results in adverse selection of assets and non-achievement of the desired return on capital. Although this concept is not new to most international banks, most other banks are still involved in cut-throat competition, in the absence of pricing models. This practice of loan pricing without considering the risk-reward parameters will result in inefficient allocation of capital which in effect destroys the shareholder value in a bank.

RAROC is a risk-adjusted profitability measurement and management framework for measuring risk-adjusted financial performance and for providing a consistent view of profitability across business lines in a bank. RAROC is defined as the ratio of risk-adjusted return to economic capital. The use of risk-based capital strengthens the risk management discipline within business lines, as the methodologies employed quantify the level of risk within each business line and attribute capital accordingly. This process assists in achieving controlled growth and returns commensurate with the risk taken.

Despite its advantages, the use of this model is limited, as many banks still have information systems so poorly developed that it cannot be successfully integrated for the moment.

Despite the rapid transformation in the banking sector, where the traditional interest income derived from lending is changing to fee-based income/business through innovative ancillary products and services, lending will continue to be the core income source for most banks. Hence managing credit risk effectively will continue to be an important area which warrants the attention of banks and supervisory authorities. The new Basel II Accord is a step in this direction.



  Lani Ranwala
Lani Ranwala presently serves as Head of Risk Management and Control – Commercial Banking, at NDB Bank Ltd. She is a Fellow of the Chartered Institute of Management Accountants, UK.

Prior to the current position, she has served as Compliance Officer and Manager - Credit Audit at the National Development Bank.

Lani commenced her banking career at Bank of Ceylon and has worked in the areas of International Trade, Project Finance, SME lending, Corporate Banking and Treasury. She later worked at Deutsche Bank, Colombo for 14 years and held positions of Head of Credit Risk Control, Deputy Head – Corporate Banking and Head of Financial Institutions. She has also functioned as a Senior Relationship Manager at Deutsche Bank. She has undergone extensive training overseas in Corporate Finance and Risk Management, including familiarization assignments at Deutsche Bank’s Regional Head Office in Singapore.
