Compliance with Code of Best Practice on Corporate Governance 2023 issued by CA Sri Lanka

The Board meetings are held on a fortnightly basis and special meetings are scheduled as and when the need arises. The schedule of meetings is in place by the beginning of the year and the structure of submitting information to the Board has been agreed upon. Necessary information is submitted as agreed to enable decision-making. During the year under review the Board has been met twenty six (26) times and attendance at meetings is summarised on page 120.

The information listed under this section is discussed at the relevant subcommittees and the Board.

The role and responsibilities of the Board are incorporated in the Board Charter which was last reviewed in the year 2024 with the review of the Corporate Governance Policy of the Bank.

The Bank is regulated as per the Bank of Ceylon Ordinance No. 53 of 1938 and its amendments and the Banking Act No. 30 of 1988 and its amendments and Banking Act no. 24 of 2024. Additionally, directions issued by the Regulators viz., the Central Bank of Sri Lanka, any other regulator where the Bank has its overseas Branches, Securities and Exchange Commission of Sri Lanka and the Colombo Stock Exchange apply to Bank of Ceylon. The Board acts in accordance with the applicable laws.

A Policy on Directors' Access to Independent Professional Advice is in place whereby Directors are able to seek independent professional advice on a needs basis at the Bank's expense. This Policy was reviewed during the year 2024.

The members of the Board have access to the advice and services of the Secretary to the Board/ Secretary, Bank of Ceylon who is an Attorney-at-Law. The Secretary to the Board is held responsible for ensuring that Board procedures are followed and compliance with applicable rules and regulations, directions and statutes and keeping and maintaining minutes and relevant records.

Any question of the removal of the Secretary to the Board/Secretary, Bank of Ceylon is a matter for the full Board. The role of Company Secretary is given on page 118.

The Board of Bank of Ceylon bring independent judgement to bear in discharging their duties and responsibilities on matters relating to the Board including strategy, performance, resource allocation, risk management, compliance and standards of business conduct.

The agenda and Board memoranda are circulated among the Board members seven days prior to the meeting through a secure e-Solution enabling them to dedicate sufficient time before a meeting to review Board memoranda and call for additional information and clarifications. Pre-Board meetings are scheduled when deemed necessary.

Members of the Corporate Management and external experts make presentations to the Board to provide updates, seek approval or guidance on various matters relevant to the Bank's strategic direction, operations, financial performance, risk management and other key areas.

The Board members can individually submit proposals to the Board when they feel that they are in the best interests of the Bank and a resolution can be presented to the Board.

When first appointed to the Board, the Directors undergo an induction programme covering the applicable regulatory requirements, Bank's history, organisational structure, details of subsidiaries and associates, products and services, Directors' responsibilities and are provided with a Board Manual incorporating all the above given in e-form through the Bank's electronic support system.

Directors are encouraged to attend relevant training programmes and are apprised of the latest developments in the Bank and external environment by members of the Corporate Management or through external resource personnel. Directors attended one training programme during the year. The Management made presentations where necessary, to update the Board on the activities of the Bank as well as the changes/updates in the regulatory environment.

The positions of the Chairman and the Chief Executive Officer (referred to as the "General Manager" in the Bank) are held by two separate individuals. The Chairman is a Non-Executive Director. There is a clear division of responsibilities between the Chairman and the General Manager and the Board Charter adopted by the Bank clearly defines these responsibilities.

The Chairman of Bank of Ceylon provides leadership to the Board, preserves order and facilitates the effective discharge of the Board's functions. The agenda for Board meetings is prepared by the Secretary, Bank of Ceylon/Secretary to the Board, based primarily on the memoranda submitted through the General Manager and any other relevant matters proposed by a Director/s. The agenda covers matters relating to performance, environment and strategies, finance and credit, investment, governance and regulations, human resource allocation, information technology, risk management and compliance. Sufficient detailed information on matters included in the agenda is circulated to Directors well ahead of the meetings through a secured e-Solution.

All Directors are informed of their duties and responsibilities (which are enshrined in the Board Charter) and the Board subcommittee structure of the Bank which assists the Board in discharging its responsibilities.

The Board of Bank of Ceylon consists entirely of Non-Executive Directors and they effectively contribute within their respective capabilities, for the benefit of the Bank.

Directors are encouraged to seek information considered necessary to discuss matters on the agenda of meetings and to request inclusion of matters of corporate concern on the agenda.

The views of Directors on issues under consideration are ascertained and a record of such deliberations are reflected in the minutes in detail.

The Directors have sufficient financial acumen and knowledge to guide the Bank which they have acquired through the businesses/ professions in which they are involved and from qualifications held.

The Chairman is an Independent Non-Executive Director. The Board of Bank of Ceylon is always comprised of Non-Executive Directors. Among them, five (05) are independent other than the Treasury Representative. A declaration of independence to ascertain the independence/ non-independence is obtained, which is covered under CSE rules. Going forward this declaration would cover CBSL direction No 05 of 2024 provisions as well.

When Alternate Directors are appointed, it is ensured that they are Non-Executive.

The agenda and Board/ Subcommittee memoranda required for a Board/subcommittee meeting are provided to Directors through the available e-Solution seven days prior to the meeting for them to review the memoranda in advance and come up with questions and discussion points and to request for additional information, if necessary. Pre-Board meetings are arranged where necessary to clarify matters and to facilitate the smooth functioning of the Board meetings.

The members of the Corporate Management are available if the Directors wish to obtain further information or for any clarification.

Board meeting minutes are made available to the Directors within 10 days from the meeting.

Appointments to the Board are made by the Government of Sri Lanka, through the Minister under whose purview the Bank falls. The requisite regulatory requirements relating to appointment of new Directors are complied with. There is an internal policy in place with regard to the appointment of Directors which has been shared with the relevant Ministry.

The Nomination and Corporate Governance Committee comprised of three (03) Non-Executive Directors in 2024 and among them two (02) are independent including the Chairman. On being proposed to the Board, their fit and propriety is being assessed by the members of the Committee in terms of Direction no. 3(6) (iv) (d) of the Banking Act Direction No. 11 of 2007 issued by the Central Bank of Sri Lanka.

The Bank has a Succession Plan for the Corporate Management including for the General Manager which has been revised during the year.

Appointments to the Board are made by the shareholder as stated in A.7 above. The information pertaining to the new Directors are published in the website of the Bank, media and announced to the Colombo Stock Exchange.

Report on the Nomination and Corporate Governance Committee indicates the activities performed by the Committee given on pages 138 and 139.

Every Director appointed shall hold office for a period of three years, unless he is removed from office earlier or he vacates his office in terms of the Bank of Ceylon Ordinance No. 53 of 1938 and its amendments. In either case, he is eligible to be reappointed.

An appointed Director may resign from his directorship by a letter addressed to the Minister under whose purview the Bank falls and any Director who vacates office by ending the term is eligible for Re-appointment. If it is due to a special reason, it is expected to be indicated in their resignation letter.

Please refer details on appointments and resignations of Directors given on Page no 121.

An annual self-evaluation of its own performance is undertaken by the Board and Board subcommittees to ensure that Board's and that of its subcommittees' responsibilities are satisfactorily discharged. The collective outcome is reviewed and addressed by the Board. The members of the Board subcommittees collectively evaluated the performance of the subcommittees for effectiveness and efficiency.

The following information pertaining to Directors are included in the Annual Report:

Profiles of the Directors covering name, qualifications, nature of expertise and whether Executive/ Non-Executive are indicated on pages 26 to 29.

Directors' Interest in contracts with the Bank on page 173.

Remuneration paid to Directors in Note 17 to the Financial Statements on page 218.

Related party information indicated on pages 314 to 319 Directorships in other companies indicated on page 173.

Membership of subcommittees and the number of Board and subcommittee meetings attended during the year are indicated on page 120.

The performance evaluation of the General Manager is carried out annually based on the targets set at the commencement of the fiscal year in line with Strategic Plan by the Human Resources and Remuneration Committee and the final report is submitted to the Board.

There is a formal Remuneration Policy in place for the Chairman and Board of Directors (all Non-Executive) which was reviewed and revised in 2024. The above policy is formulated based on the circulars issued by the Government, the shareholder, from time to time and other applicable legislation. No Director is involved in deciding his/ her remuneration.

The remuneration of Directors is decided based on the circulars issued by the Government, the shareholder, from time to time and other applicable legislation.

The Bank's Human Resources and Remuneration Committee accordingly has no role in deciding the remuneration of Directors. (It however recommends the remuneration of Senior Executives.)

Details of remuneration paid to the Board as a whole is indicated on page 218.

The composition of the Human Resources and Remuneration Committee appears on page 136.

The Compensation to KMP is given on page 315.

The Government of Sri Lanka being the sole shareholder of the Bank, the Bank's communication with the shareholder happens in various forms. A Government representative (an officer from the Ministry of Finance) is on the Board, directly representing the shareholder and the Annual Report is placed before the Parliament of Sri Lanka and is open to question by the Parliament.

Board approved Communication Policy is in place. Major issues and concerns of the shareholder viz. Government of Sri Lanka are discussed during the Board meetings with the participation of the direct Government representative on the Board and is elevated to the Ministry or higher levels as may be necessary. The Communication Policy in place guides the Bank on effective communication with internal and external stakeholders and was reviewed during the year under review.

There were no transactions that were entered into by the Directors which would materially affect the Bank's performance, its net asset base or related party transactions during the year other than what is disclosed under Notes to the Financial Statements on pages 314 to 319.

All measures are taken to ensure that the Annual Report presents a balanced assessment of the Bank's financial position, performance, business model, governance structure, risk management, internal controls and challenges, opportunities and prospects in an easily comprehensible manner.

The Bank's Financial Statements presented in the Annual Report are balanced, understandable and prepared in accordance with the relevant laws and regulations with any deviation being clearly explained and portrays a true and fair view.

It also ensures that a balanced and understandable assessment extends to interim and other price-sensitive public reports and reports to regulators, as well as to information required to be presented to meet statutory requirements.

The Chief Financial Officer and the General Manager of the Bank give a statement indicating that the financial statements provide a true and fair view of the state of affairs of the Bank of Ceylon and its Group. The Financial Statements are reviewed and deliberated by the Board Audit Committee before recommending to the Board for its approval for publication.

For the purpose of fulfilling the disclosure requirements, the following statements are included in the Annual Report – Annual Report of the Directors on the State of Affairs of the Bank on pages 168 and 172.

Directors' Statement on Internal Control over Financial Reporting on pages 174 and 175 Management Discussion and Analysis under Financial Review pages 66 and 72.

Report on Related Party Transactions of the Key Management Personnel and their Close Family Members appearing on pages 314 and 319.

Statement of Directors' Responsibility for Financial Reporting on page 177. Report of the Auditor General on pages 178 to 182.

Management Discussion and Analysis under Financial Review on pages 66 to 72.

The Board is responsible for determining the nature and extent of the principal risks that it is willing to take in achieving its strategic objectives and the Board Integrated Risk Management Committee is there to facilitate the Board in fulfilling its oversight responsibilities in regard to the existence, operation and effectiveness of the risk management programmes, policies and practices employed by the Bank to manage various types of risks, including compliance programmes.

There is a Risk Management framework to identify, assess, monitor and manage risks with clear delegation of responsibilities to ensure its effectiveness in supporting achievements of the strategic, operational and financial objectives of the Bank.

The Board Audit Committee assists the Board in achieving the objective of the Bank's system of internal controls including operational, financial and compliance among other responsibilities of the Committee.

The Board monitors the Bank's risk management and internal control systems through the Integrated Risk Management Committee and Audit Committee respectively and carries out a review of the said Committees' effectiveness annually.

Bank of Ceylon has a well-equipped Internal Audit Department to carry out the internal audit function of the Bank. The Auditor General is the External Auditor of the Bank.

The annual statutory audit is carried out by National Audit Office or appointed qualified independent auditor under the supervision of the Auditor General.

The Board Audit Committee comprised exclusively of Non-Executive Directors during the year under review. The Chairman of the Committee during the year under review was an Independent Non- Executive Director. The Chairman and the members of the Audit Committee had relevant experience in financial reporting and control. The changes in the Audit Committee during the year are indicated in the Audit Committee Report on pages 131 and 132.

The Board Audit Committee assists the Bank's Board in fulfilling its oversight responsibilities.

The Board Audit Committee ensures the carrying out of the reviews of the processes and effectiveness of risk management and internal controls and audit reports are submitted to the Committee. The role and responsibilities of the Audit Committee are disclosed in the Audit Committee Report appearing on pages 131 and 132 of this Annual Report.

The Audit Committee has a written Terms of Reference which clearly defines its role and responsibilities and it was reviewed during the year. The activities performed by the Committee during the year under review appear on pages 131 and 132 of this Annual Report.

IRMC oversee the risk culture, risk appetite, risk identification and classification, rating and management of risk. The Committee composition and the activities carried out during the year are indicated in pages 133 and 135.

The Bank has a Board approved policy on related party transactions in place covering related parties, their transactions and restrictions on offering more favourable treatment to related parties in order for the Board members to avoid any conflict of interest in this regard.

The newly established Board Related Party Transactions Review Committee, consists of a minimum of three (3) non-executive directors, out of which two are independent directors as defined by the CSE Listing Rules. One meeting was held during the last quarter of the year 2024.

The Report on the Related Party Transactions of the Key Management Personnel and their Close Family Members appear on page 142 of this Annual Report.

The Bank maintains a Code of Ethics for the employees of the Bank and a separate Code of Business Conduct and Ethics for the Directors and an acknowledgement is obtained for affirmation of compliance with the Codes. A Whistleblower Policy is in place which enables prompt reporting of illegal and fraudulent reporting. These policies were reviewed during the year.

The Corporate Governance Report which is appearing on pages 113 to 130 discloses the extent to which the Bank adheres to established principles and practices of corporate governance. Compliance with the provisions of the Code of Best Practice on Corporate Governance is indicated in this report.

The Government of Sri Lanka is the sole shareholder of the Bank.

The Bank has a process in place to identify as to how the Bank's business model, IT devices within and outside the Bank can connect to the Bank's network to send and receive information and the consequent Cybersecurity risks that may affect the business.

A Board approved Information Security Policy is in place which provides the management with direction and support to ensure protection of the Bank's information assets.

In addition, the Integrated Risk Management Committee assists the Board in ensuring that the Bank is protected from Cybersecurity threats by recommending and following up on vulnerability assessments and reporting to the Board. Processes to identify and manage Cybersecurity risks are included in the Risk Management Report of this Annual Report on pages 143 to 166.

The Bank has appointed a Chief Information Security Officer, in order to implement the Cybersecurity Risk Management Policy.

The Board Information and Communication Technology Committee assists the Board of Directors in fulfilling its oversight responsibilities related to information and communication technology and provides appropriate advice and recommendations to facilitate decision-making by the Board in regard to Cybersecurity measures amongst others.