Integrated Risk Management Committee Report

Committee Composition 2024

The Composition of the Committee from 01.01.2024:

With the ending of the tenure of Major General (Rtd.) G A Chandrasiri vsv as an Independent Non Executive Director of Bank of Ceylon on 07.01.2024 the remaining three Directors constituted the Committee and with the appointment of Mr Jehaan Ismail as an Independent Non Executive Director to the Board of Bank of Ceylon on 07.02.2024, the Committee reconstituted. From 19.02.2024 as follows:

On 03.04.2024 the Committee reconstituted as follows with the cessation of Mr Ronald C Perera as an Independent Non Executive Chairman/ Director on 13.03.2024 and with the appointment of Mr Jayamin Pelpola as an Independent

Non Executive Director to the Board of Bank of Ceylon on 22.02.2024:

With the cessation of Mr R M P Rathnayake as a Non Independent Non-Executive Ex-officio Director from 06.11.2024 following his retirement from his position as Deputy Secretary to the Treasury on 05.11.2024 and with the resignation of Mr Naresh Abeyesekera on 13.11.2024, and with the appointment of Dr. Kapila Senanayake, Non Independent Non-Executive Ex-officio Director on 14.11.2024 The committee was reconstituted as follows: Form 05.11.2024:

Form 18.12.2024:

The present Committee is as follows with the reappointment of the Mr R M P Rathnayake and the appointment of Mr Kavinda M L de Zoyse as Independent Non-Executive Directors to the Board of Bank of Ceylon on 20.12.2024 are 04.11.2024 respectively.

Meetings held in 2024: 06
(Attendance given on page 120 of this Report)

Role of Committee

The Terms of Reference (TOR) of the Integrated Risk Management Committee are governed by the Committee Charter, approved and adopted by the Board.

The Committee also ensures that the scope and coverage of its functions addresses the requirements of the Banking Act Direction No. 05 of 2024 on "Corporate Governance for Licensed Banks in Sri Lanka.

This includes reviewing and/ or recommending the following which are identified in the Charter of the Integrated Risk Management Committee:

• Policies, procedures and Management Committee Charters relating to risk management and compliance.
• Risk limits and policies that establish appetite for credit, market, liquidity, operational, information security and other risks, as recommended by the Chief Risk Officer.
• Adequacy and effectiveness of all Management level committees to address specific risks and to manage those risks within quantitative and qualitative risk limits as specified by the Committee.
• Risk management reports on the risk profile of the Bank including overseas branches and subsidiaries, as well as current market and regulatory risks and actions undertaken to identify, measure, monitor and control such risks.
• Corrective action to mitigate the effects of specific risks in case such risks are beyond the prudent levels decided by the Committee on the basis of the Bank's policies and regulatory and supervisory requirements.
• Adequacy and effectiveness of risk identification, measurement, monitoring and mitigation relating to

credit, market, liquidity, operational, Information Security and compliance risks.

Principal Focus

To assist the Board in fulfilling its oversight responsibilities for all aspects of risk management. In this connection the Committee ensures the existence, operation and effectiveness of the Risk Management framework and assesses and reviews credit, market, liquidity, operational, Information Security and strategic risks through appropriate risk indicators and management information. The committee further focuses on establishment of a compliance function to assess the Bank's compliance with laws, regulations, regulatory guidelines and approved policies on all areas of business operations.

Medium of Reporting

The proceedings of the Integrated Risk Management Committee meetings are tabled and ratified at the Board meetings and Board approval obtained thereof.

Areas of Focus and Activities in 2024

Risk limits – Reviewed the Risk appetite limits and Continuously monitored the exceptions to the Committee approved Risk Appetite of the Bank through risk reports submitted by the Risk Management Division. The exceptions to the limit management framework established at the Bank were strictly monitored with course of action proposed by the management to validate the suitability of them.

Policies and procedures - All policies related to risk, including foreign branch policies were recommended to the Board with relevant changes requested by either business or regulatory needs for the approval of the Board. Reviewed and revised the Terms of Reference of all Management level Committees dealing with specific risks or some aspects of risk. Effectiveness of all management level

Committees of the Bank were evaluated against its respective objective to ensure that they remain and carry out its tasks according to the mandate of each committee.

Liquidity

• Special focus was given to the restructuring of the exposures to the government including restructuring of International Sovereign Bond (ISBs) along with the Foreign Debt Restructuring (FDR) programme and successfully finalised the process.
• Inline with the gradual recovery of the economy, the Bank was able to build strong liquidity level in terms of rupee and foreign currency owing to the timely taken strategic decisions.

Asset quality - Year under review called for special attention on deteriorating credit quality levels given the challenging economic position faced by the country amidst gradual recovery of the economy. Deliberations on asset quality were multifaceted. A comprehensive plan to curtail increasing non-performing advances were formulated while monitoring the credit quality through the credit quality units with strict monitoring and regular reporting. Special emphasis on revival of underperforming segments and customers were focused with a view to arresting deterioration of credit quality.

Compliance - Assessed the compliance risk issues emphasised in the branch network as well as the divisions and suggested suitable strategies to mitigate same. Committee continuously monitored the progress of the implementation of the goAML, which is the regulatory reporting platform required by the regulator.

• Comprehensive risk reviews of subsidiaries were done to ascertain its risk profile and necessary recommendations were made to ensure that they remain as per the risk mandate of the Bank.

Internal Capital Adequacy Assessment Process (ICAAP) and Recovery Plan

• Reviewed and recommended the ICAAP of the Bank of Ceylon group with a view to maintaining adequate capital levels to accommodate Pillar II risks and withstand any unforeseen but plausible events which were highlighted in the stress testing process of the Bank.
• Subsequent follow ups on alert and trigger events were discussed in detail with remedial actions taken by the management.
• The capital augmentation plan of the Bank was revised and alternative sources of capital were identified to bridge the gap that could be raised from the Debt Optimisation programme of the government of Sri Lanka including Domestic Debt Restructuring (DDR) and Foreign Debt Restructuring (FDR) and asset quality review by the independent consultant.

ESMS initiatives – Identifying and managing environmental and social risks associated with credit facilities, ensuring responsible financing. Through ESMS, we are committed to promoting sustainable growth and safeguarding the environment and society.

Information security/ IT Risk – The implementation of robust information security and IT Risk management measures to ensure seamless banking experience to the customers while ensuring confidentiality, integrity and availability of sensitive data has been the highest priority.

Data protection – Data protection officer has been deployed and a dedicated data protection unit has been established to ensure the data and information of all the stake holders are safeguarded as per the newly enforced Data Protection guidelines.

Conclusion

It is noteworthy that the Integrated Risk Management Committee successfully completed its functions for the year, having thoroughly assessed and mitigated risks across various domains, ensured compliance with regulatory standards, and fostered a robust risk aware culture throughout the organisation.

The Committee remains steadfast in its commitment to safeguarding the Bank of Ceylon's financial integrity. The comprehensive risk mitigation strategies, coupled with proactive measures and risk aware culture position the Bank resilient to navigate challenges ahead. The Committee would collaborate, adapt and grow and be resilient in the pursuit of sustainable growth in an ever-evolving banking landscape.

The annual evaluation of the committee was carried out.

Mr R M P Rathnayake,

Chairman,

Integrated Risk Management Committee

24 February 2025