Credit risk is the main risk that arises from the Bank’s core operations. It is the potential loss resulting from customers’ failure to meet contractual obligations when they fall due. Credit risk arises from lending operations, granting of loans and advances to the entire gamut of customers. The lending portfolio accounts for 60% of total Bank assets and 88% of the risk-weighted assets. Monitoring the credit risk is a vital aspect of the Bank’s operations since it has a direct bearing on its profitability. Considering the above, the Bank has

continued precautionary measures to ensure prudent lending, analysing various segments of the lending portfolio for signs of deterioration, extending repayment periods for identified borrowers, and managing overlays for risk-elevated sectors. The Bank periodically reviews its risk policies, procedures and practices to ensure they align with the current environment.

Watch–listing

The Bank has established a watch-listing and close monitoring process to identify clients that have demonstrated signs of increased credit risk. The information on frequently watch-listed clients based on overdue exposures and rating downgrades monitored over a period of time, is disseminated to management with a view of taking corrective measures to ensure the quality of the Bank’s loan book.

Clients who show signs of high risk are reported periodically to the Credit Committee. A traffic light system is also in operation to classify clients according to the impact they have on the portfolio.

Industry Analysis

As part of its safeguards, the Bank reviews and analyses trends of clients grouped as industry segments or portfolios. There is a regular cycle of reporting from the IRMD to the BIRMC on client portfolio performance. These reports guide business line managers on credit decisions. IRMD also contributes to the human resource evaluation by arranging for resource persons to conduct training on credit evaluation and credit risk management.

A process to identify stressed industry segments was initiated with the COVID-19 pandemic in 2020. The Bank continues its review processes, considering subsequent challenges arising from macroeconomic headwinds and extreme weather conditions.

Risk Rating

DFCC Bank uses seven rating models for the rating of lending clients. Rating models are based on financial, non-financial, and industry parameters. Risk rating varies from Low Risk (AAA) to Default (D). Pricing of the key products is based on the risk rating of the client.

Movement of Stage 3 ratio

Residual Maturity of Total Advances (Net)

Geographical Distribution

CREDIT RISK MANAGEMENT PROCESS

The Bank’s credit policies which define the credit strategy to be adopted by the Bank are approved by the Board of Directors. The policies are based on CBSL Directions on integrated risk management, Basel recommendations, business practices, and the Bank’s risk appetite. The Board of Directors define the credit objectives, outlining the credit strategy to be adopted at the Bank. Credit risk management provides several guiding directives; identifying target markets and industry sectors, defining risk tolerance limits and recommending control measures to manage concentration risk. Uniformity of practice across the Bank is ensured by standardised formats and clearly documented processes and procedures.

KEY CREDIT RISK MEASUREMENT TOOLS AND REPORTING FREQUENCIES

The following credit risk measurement tools are being used in managing credit risk by the Bank and reported in the stipulated frequencies.

DIMENSIONS FOR ANALYSIS AND MONITORING OF CREDIT CONCENTRATION RISK

*The Herfindahl-Hirschman Index (HHI) is a measure of concentration, calculated by squaring the share of each sector and then summing-up the resulting numbers.

PORTFOLIO RISK

Portfolio Risk Management Unit (PRMU) is responsible for monitoring, identifying, measuring, and mitigating risks across a portfolio of high-volume asset products by leveraging data-driven techniques. Loan performance trends are analysed in detail to detect early warning signals of deterioration, while also identifying low-risk lending opportunities that can be optimised. Tools and techniques such as big data analysis, visualisation, clustering and segmenting and data modelling are used to gain in-depth insights of customer segments covering demographic, geographic and behavioural dimensions. Recommendations are discussed with business units and the relevant stakeholders to implement corrective action.

Based on the Bank’s increased focus given to automation and data analytics, a new project was implemented by obtaining the services of the Credit Information Bureau of Sri Lanka (CRIB) to generate automated alerts for customer monitoring purposes. This helps to identify early warning signals in an efficient manner and initiate proactive action to mitigate risks.

LOAN REVIEW MECHANISM

Loan Review Mechanism (LRM) is currently a regulatory requirement under the CBSL Direction No. 07 of 2011 on Integrated Risk Management. It is an effective tool for constantly evaluating the quality of the loan book and bringing about qualitative improvements in credit functions. The LRM function is carried out by the Loan Review Unit (LRU) of IRMD.

Market risk refers to the potential for losses arising from adverse movements in the value of financial instruments due to changes in market variables, including interest rates, foreign exchange rates, equity prices, and commodity prices. To control and mitigate market risk, the Bank has established a comprehensive framework of approved limits as stipulated in the Investment Policy, Treasury Middle Office (TMO) Policy, Treasury Manual, and the overall limits management system. Market risk primarily affects the Bank through two channels: adverse impacts on cash flows and reductions in economic value. Market risk is broadly classified into traded market risk, associated with positions in the trading book, and non-traded market risk, associated with exposures in the banking book. The Asset and Liability Committee (ALCO) is responsible for overseeing the management of both traded and non-traded market risks. Effective market risk management is an integral component of the Bank’s overall risk management framework and is critical to ensuring financial stability, safeguarding assets, and supporting the achievement of long-term strategic objectives.

The Treasury manages foreign exchange risk through approved and permitted hedging mechanisms. Developments and trends in relevant domestic and international markets are regularly analysed and reported to the Asset and Liability Committee (ALCO) and the Board Integrated Risk Management Committee (BIRMC) by the Integrated Risk Management Department (IRMD) and the Treasury.

Market risk is quantified and monitored using a comprehensive set of analytical tools, including interest rate sensitivity analysis (modified duration analysis), Value at Risk (VaR), simulation and scenario analysis, stress testing, and mark-to-market valuation of positions.

The Treasury Middle Office (TMO) is responsible for the Bank’s market risk management framework, which comprises the policies, processes, and controls established to identify, assess, monitor, and mitigate potential losses arising from changes in financial market conditions. Market risk encompasses exposures resulting from movements in interest rates, foreign exchange rates, equity prices, and commodity prices. The TMO’s responsibilities include market risk identification and quantification, development and validation of risk measurement models, establishment of risk limits and guidelines, formulation of hedging strategies, ongoing monitoring and reporting, stress testing, regulatory compliance, and advanced analytics, thereby fostering a strong and continuously evolving risk culture across the Bank.

Interest rate risk refers to the potential for adverse impacts on the Bank’s net interest income (earnings perspective) and/or its net worth (economic value perspective) resulting from unfavourable movements in market interest rates. The primary source of interest rate risk is repricing risk, which arises from mismatches in the timing of repricing between interest-sensitive assets and liabilities.

The Bank manages interest rate risk primarily through asset–liability repricing gap analysis, whereby interest-sensitive assets and liabilities are categorised into defined maturity buckets. These repricing gaps are monitored on a regular basis against limits approved by the Board. The Asset and Liability Management (ALM) function continuously evaluates the interest rate characteristics of the Bank’s assets and liabilities, and the outcomes of these assessments are reported to the Asset and Liability Committee (ALCO) for review and, where necessary, corrective action.

Interest rate risk comprises several components, including repricing risk, which results from inherent mismatches between asset and liability repricing schedules; basis risk, which arises from imperfect correlations between different reference rates used for asset yields and liability costs; and yield curve risk, which stems from adverse shifts in the yield curve that may negatively affect the Bank’s earnings and economic value.

Foreign exchange (FX) risk represents the potential for adverse effects on the Bank’s capital or earnings arising from fluctuations in market exchange rates. This risk originates from holding a Net Open Position (NOP), which occurs when the Bank’s foreign currency assets and liabilities are mismatched at any point in time. The NOP quantifies the Bank’s net unhedged exposure across all foreign currencies.

The Bank mitigates FX risk through a range of strategies, including the establishment of limits on net unhedged exposures, the use of forward contracts for hedging purposes, and the offsetting of foreign currency assets and liabilities. Both overall NOP and currency-specific NOP limits are defined and monitored in real time. In addition, the Bank conducts Value-at-Risk (VaR) assessments for FX positions and performs stress testing, with results reported by the Treasury Middle Office (TMO).

Daily interbank FX transactions are closely monitored against predefined limits, and any breaches are promptly escalated to Management and the Board Integrated Risk Management Committee (BIRMC). The Bank has also defined FX forward mismatch negative gap limits for USD and other currencies, ensuring unhedged exposures are actively managed and hedged as appropriate to mitigate market volatility.

To further control trading risks, the Bank has implemented cumulative stop-loss and take-profit limits at the individual trader level for the trading book. These limits are integrated into the system’s limits module and monitored in real time, ensuring timely action against adverse movements in exchange rates.

INDIRECT EXPOSURES TO COMMODITY PRICES RISK – GOLD PRICES

The Integrated Risk Management Unit (IRMU) oversees the risks associated with the Bank’s gold portfolio by continuously analysing both international and domestic market price movements and adjusting the Bank’s preferred loan-to-value (LTV) ratios accordingly. In addition, the Bank conducts stress testing on the gold portfolio, with the results reported to the Asset and Liability Committee (ALCO), the Board Integrated Risk Management Committee (BIRMC), and the Board of Directors.

Equity price risk represents the potential for losses in the mark-to-market value of the Bank’s equity portfolio due to declines in market prices. The Bank’s direct exposure arises from equity holdings classified as fair value through profit or loss (FVTPL) and fair value through other comprehensive income (FVOCI), while indirect exposure occurs through the margin lending portfolio when a borrower’s credit risk materialises.

The Bank’s Investment Committee oversees the management of the equity portfolio in accordance with policies and guidelines established by the Board and the Board Integrated Risk Management Committee (BIRMC). Key risk management measures include the establishment of limits for equities used as collateral in loans and margin trading, as well as for the Bank’s own investment and trading portfolios. Portfolio management is further reinforced through rigorous appraisals, prudent market timing, and continuous monitoring of performance relative to market trends. Additionally, the Bank has adopted a risk-based approach by implementing limits tied to the Beta value of individual equities, reflecting their market volatility. These measures collectively ensure that the equity portfolio is managed effectively within the Bank’s overall investment strategy and risk management framework.

The FVTPL portfolio limits are actively monitored in real time by the Treasury Middle Office (TMO) to ensure that the Business Unit takes appropriate actions and that Senior Management is promptly informed of any adverse market movements, along with the supporting justifications.

Liquidity risk refers to the potential inability of the Bank to meet its financial obligations on time and in full, at a reasonable cost. This risk primarily arises from mismatches in the maturities of assets and liabilities. The Bank has established a robust framework for liquidity risk management, complemented by a comprehensive contingency funding plan, to ensure resilience under both normal and stressed conditions.

The Bank’s liquidity risk management process is overseen by the Asset and Liability Committee (ALCO) and includes regular analysis and monitoring of liquidity positions through cash flow analysis, liquidity ratios, and maturity gap assessments, which also serve as key regulatory tools. Any negative mismatches identified within the immediate three-month horizon through cash flow gap statements are managed through available cash, incremental deposits, or committed lines of credit. Stress testing forms an integral part of the liquidity risk framework, enabling the Bank to evaluate potential adverse scenarios and to implement alternative funding strategies swiftly and effectively.

Maintaining a strong credit rating and market reputation enhances the Bank’s ability to access domestic wholesale funding when required. In addition, the Bank leverages the money market for short-term liquidity support at competitive rates. For long-term project financing, the Bank relies on dedicated credit lines, while its growing commercial banking operations emphasise Current Accounts and Savings Accounts (CASA) and term deposits as primary sources of stable funding. Further, the structure, procedures, and governance for Asset and Liability Management are formally defined in the Board-approved ALCO Charter, which is reviewed and updated annually to ensure alignment with evolving regulatory standards and market best practices.

Through this comprehensive approach, the Bank ensures adequate liquidity under both normal and stressed conditions, supports operational and strategic objectives, and maintains confidence among stakeholders, regulators, and market participants.

MEASURING LIQUIDITY

As per the CBSL direction, liquidity can be measured using either the stock approach or the flow approach. The Bank employs a combination of both methodologies to comprehensively assess liquidity risk.

Under the flow approach, the Bank prepares a Maturities of Assets and Liabilities (MAL) statement, categorising all cash inflows and outflows into time bands according to their residual maturities, while treating non-maturity items based on CBSL-recommended and Bank-specific behavioural assumptions. Gap analysis of assets and liabilities highlights cash flow mismatches, providing critical insights for the prudent management of liquidity obligations.

The stock approach measures liquidity through key ratios that reflect the liquidity position of the balance sheet. The Bank regularly monitors these ratios, ensuring that liquidity indicators remain well above regulatory minimums throughout the year.

In line with Basel III minimum liquidity standards, the Liquidity Coverage Ratio (LCR) requires banks to maintain an adequate stock of unencumbered High-Quality Liquid Assets (HQLAs) that can be readily converted to cash to meet liquidity needs over a 30-calendar day horizon under severe stress scenarios. The Bank’s LCR computations indicate full compliance with Basel III requirements, maintaining HQLAs comfortably in excess of the minimum levels prescribed by the Central Bank of Sri Lanka (CBSL) throughout the year.

The Net Stable Funding Ratio (NSFR) guidelines issued by CBSL are intended to mitigate long-term funding risk by ensuring that banks maintain a stable funding profile relative to the composition of their assets and off-balance sheet exposures. The Bank consistently monitors its NSFR position to ensure alignment with these regulatory requirements.

The Bank maintains a comprehensive Contingency Funding Plan (CFP) to guide liquidity management under stressed conditions across a range of scenarios. The CFP outlines strategies for monitoring assets and liabilities, adjusting pricing policies, and revising growth strategies to prevent liquidity crises. As part of this framework, ALCO evaluates a set of internal and external early warning indicators through a monthly Liquidity Risk Matrix, assessing scenarios from low to extremely high liquidity risk and recommending proactive mitigation strategies.

For high-risk scenarios, the liquidity contingency management team comprising the Chief Executive Officer, Head of Treasury, Chief Risk Officer, Business Unit Heads, and other senior ALCO members reviews and implements appropriate action plans. During the year, the CFP was further enhanced by updating Bank-specific and market-specific Liquidity Risk Indicators (LRIs), strengthening the Bank’s ability to monitor and respond effectively to potential liquidity challenges. The Bank did not encounter any high liquidity risk events during the year.

Key Liquidity Risk Measurement Tools and Reporting Frequencies

LIQUIDITY RATIOS UNDER STOCK APPROACH

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, systems, and external events. It covers a wide area ranging from losses arising from fraudulent activities, unauthorised trade or account activities, human errors, omissions, inefficiencies in reporting, technology failures or external events such as natural disasters, cyberattacks, terrorism, theft, political instability and extraordinary events such as the COVID-19 pandemic. The Bank endeavours to manage, control and mitigate operational risk in an effective manner consistent with the Bank’s risk appetite.

The Operational Risk Management Committee (ORMC) oversees and directs the management of the operational risk of the Bank with facilitation from the Operational Risk Management Unit (ORMU) of the Integrated Risk Management Department (IRMD). Active representation of the relevant departments and units of the Bank ensures the process of operational risk management through Operational Risk Coordination Officers (ORCOs). Segregation of duties with demarcated authority limits, internal and external audits, strict monitoring facilitated by the technology platform and backup facilities for information are the fundamental tools of operational risk management.

The following are other key aspects of the operational risk management process at DFCC Bank.

• Conduct Risk and Control Self-Assessment (RCSA) and monitor Key Risk Indicators (KRIs) for the functions under defined threshold limits using a “Traffic Light” system across identified business units and drive continuous improvement.
• Maintain an internal operational risk incident reporting process and carry out an independent analysis of the incidents by IRMD to verify the root causes and recognise necessary improvements in the systems, processes, and procedures.
• Trend analysis on operational risk incidents and review at the Operational Risk SubCommittee (ORSC) on a monthly basis and once in two months in Operational Risk Management Committee (ORMC).
• Review the downtime of the critical systems and analyse the root causes. The risk and business impact are then evaluated. Corrective measures are implemented immediately when tolerance thresholds are not met.
• Review of HR attrition and exit interview comments in detail and evaluate at the ORMC from an operational risk perspective.
• The Service Excellence Unit submits monthly and quarterly complaint reports to the ORSC, and IRMD analyses these reports to identify any systemic issues.
• Conduct product and process reviews to identify operational risks and recommend improvements to products and related processes.
• Evaluate the operational risks associated with any new product and process developments.
• Maintain comprehensive internal and external loss databases to proactively monitor operational risks.
• Oversee Business Continuity Planning and Disaster Recovery (DR) processes and review the results of DR drills conducted in the Bank to provide recommendations for future improvements.
• Conduct Fraud Risk Management Committee (FRMC) meetings periodically to identify potential fraud risks that might impact the Bank and recommend timely remedial actions and control enhancements.

Operational risk reporting

The Bank has improved its operational risk incident reporting system over time by creating an increased level of awareness among the employees with regard to operational risks and the importance of timely incident reporting. A total of 329 incidents were reported in 2025. Reporting is carried out by Operational Risk Coordination Officers (ORCO), and relevant authorised staff to the Operational Risk Management Unit (ORMU) on operational risk related incidents, that took place at their respective branches, departments and units. The operational risk incidents reported in 2025 based on the event type are provided in the graph below.

OPERATIONAL RISK INCIDENTS

Risk and control self-assessments (rcsas) and key risk indicators (kris)

Monitoring of Risk and Control Self-Assessments (RCSAs) and Key Risk Indicators (KRIs) in key functions of the Bank is carried out as a measure to allow the early detection of operational risks before actual failure occurs. Currently, IRMD monitors 76 departments/units and 133 branches for the KRI, and in 2025, new RCSAs and KRIs were developed for five units. KRI and RCSA reporting require departments to conduct assessments within predefined periodic cycles.

Each department will assess risks based on impact and likelihood of occurrence in KRI reporting while controls are assessed based on control design and control performance in the RCSA evaluation.

INSURANCE AS A RISK MITIGANT

Insurance policies are obtained to transfer the risk of low frequency and high severity losses, which may occur as a result of events such as fire, theft, fraud, natural disasters, errors and omissions. Insurance plays a key role as an operational risk mitigant in the banking context due to the financial impact that any single event could trigger. Insurance policies in force covering losses arising from the undermentioned assets/processes include; cash and cash equivalents, pawned articles, premises and other fixed assets, public liability, employee infidelity, negligence, personal accidents and workmen’s compensation, losses from counterfeit, forged, fraudulently altered, stolen cards and associated legal expenses.

Outsourcing of business functions

Outsourcing occurs when the Bank uses another party to perform non-core banking functions that the Bank itself would have traditionally undertaken. This enables the Bank to concentrate more on its core banking activities while having outside experts take care of the non-core functions. When outsourcing to a party, the Bank undertakes due diligence tests on the companies concerned, such as credibility and ability of the owners, BCP arrangements, technical and skilled workforce capability, and financial strength.

Furthermore, the Bank conducts comprehensive outsourced and third-party security, compliance, and operational assessments to ensure the sustainability. The Bank also considers whether a function is suitable for outsourcing; current outsourced activities include the archival of documents, certain IT operations, cash operations management and selected recovery functions.

The Bank is concerned and committed to ensuring that the outsourced parties continue to uphold and extend a high standard of customer care and service excellence. The Bank employs a range of monitoring and risk-mitigation methods to ensure that risks associated with outsourced arrangements are effectively identified, assessed, and managed.

KEY OPERATIONAL RISK MEASUREMENT TOOLS AND REPORTING FREQUENCIES

TECHNOLOGY AND INFORMATION SECURITY RISK MANAGEMENT

Technology and Information Security Risk Management (TISRM) is dedicated to managing risks associated with information technology while evaluating threats to the Confidentiality, Integrity, and Availability (CIA) of the Bank’s information assets. Our established Information Security Management System (ISMS) provides a systematic approach to safeguarding sensitive data through a comprehensive integration of people, processes, and technology controls. Reflecting our long-term commitment, the Bank’s ISMS has maintained ISO 27001 certification since 2016, and we are currently transitioning our frameworks to align with the latest ISO 27001:2022 standards.

In an era of continually evolving cyber threats, Information Security Risk Management is treated as an ongoing process of identification, assessment, and response. The primary objective of TISRM is to ensure rigorous compliance with regulatory and contractual requirements – specifically the CBSL Direction on Technology Resilience and the Personal Data Protection Act (PDPA) – while aligning security risk management with the Bank’s broader corporate objectives.

The Bank’s current TISRM strategy focuses on the following key activities:

• Regulatory and Statutory Alignment: Continuously maturing the ISMS by adopting the latest CBSL Regulatory Frameworks and ensuring all data processing activities are strictly governed by the Personal Data Protection Act (PDPA).
• Third-Party and Supply Chain Resilience: Conducting comprehensive security and Business Continuity Planning (BCP) assessments for all outsourced and third-party service providers. This ensures that external partners adhere to the Bank’s high standards of operational resilience and data privacy, maintaining supply chain sustainability.
• Dynamic Policy Governance: Improving information security policies and procedures to reflect the dynamic threat landscape and new regulatory mandates.
• Proactive Threat Mitigation: Performing continuous risk assessments and internal vulnerability testing to ensure technology-related residual risks remain within the Bank’s risk appetite.
• Active Monitoring and Incident Response: Reviewing security KPIs and reporting status to the Operational Risk Management Committee, while performing trend analysis on the Bank’s cybersecurity posture to minimise incident impact.
• Community and Stakeholder Vigilance: Proactively identifying scams and emerging security threats, not only to protect the Bank’s infrastructure but also to safeguard our customers and the wider community.
• Culture of Security: Ensuring robust information security awareness is provided to staff, the Board of Directors, and the public to promote security best practices and the early detection of incidents.
• Physical and Technical Integration: Monitoring multiple aspects of technology use, including physical security and the safety of technical components within banking operations.

INFORMATION SYSTEMS SECURITY

The establishment of a separate Chief Information Security Officer (CISO) office within the Bank is a strategic initiative aimed at strengthening the information security framework in accordance with the governance requirements set forth by the CBSL. This initiative ensures the robust management of information security risks, aligning with regulatory expectations and industry best practices.

The CBSL mandates that all licensed banks establish an independent CISO function to oversee the Bank’s information security strategy, policies, and risk management. The CISO office operates autonomously from IT operations, ensuring that security oversight remains impartial and objective. The Bank’s compliance with these directives is demonstrated through the appointment of a dedicated CISO reporting directly to the Deputy Chief Executive Officer (DCEO), development and enforcement of a comprehensive Information Security Policy (ISP), implementation of CBSL-mandated controls for cybersecurity risk assessment, monitoring, and mitigation, and regular reporting to the management committees on security threats and incidents. Additional milestones include the achievement of ISO/IEC 27001 certification since 2016, demonstrating Bank’s commitment to global security standards, and the latest versions of ISO 27001 and PCI DSS certifications were also obtained during 2025. It is planned to obtain the latest versions of ISO 27035 and ISO 20000 by 2026. Further, the Bank has planned to align the data governance structures in accordance with Sri Lanka’s Personal Data Protection Act (PDPA) ensuring customer rights in terms of data protection.

To enhance the Bank’s resilience against cyber threats, CISO office has undertaken several responsibilities, including conducting security risk assessments, ensuring adherence to regulatory standards, conducting employee awareness programmes, maintaining an incident response plan, monitoring vendor security, and implementing advanced threat detection systems.

During the past year, the CISO office has made significant progress in enhancing the Bank’s cybersecurity posture. Key achievements include the implementation of a Security Operations Centre (SOC) for continuous threat monitoring, conducting penetration testing and vulnerability assessments, establishing a Cybersecurity Incident Management Framework, strengthening collaboration with the financial sector National Cybersecurity Agency and obtaining the PCI DSS certification in 2025.

While substantial progress has been made, challenges remain, including evolving cyber threats, resource constraints, and increased regulatory expectations. Moving forward, the CISO office aims to further automate security monitoring, enhance AI-driven threat detection, expand security awareness training, and strengthen collaboration with law enforcement.

The establishment of a separate CISO office has significantly contributed to fortifying the Bank’s information security governance. By aligning with CBSL regulations and global best practices, DFCC Bank is committed to continuously enhancing cybersecurity resilience, ensuring the protection of customer data and maintaining stakeholder trust.

Reputational risk is the risk of losing public trust or the Bank’s image being tarnished in the public eye. It could arise from environmental, social, regulatory, or operational risk factors. Events that could lead to reputational risk are closely monitored, through an early warning system that includes inputs from frontline staff, media reports, and internal and external market survey results. Though all policies and standards relating to the conduct of the Bank’s business have been promulgated through internal communication and training, a specific framework was established to take action in case of an event that may affect the Bank’s reputation. The Bank completely eschews knowingly engaging in any business, activity, or association where foreseeable reputational damage has not been considered and mitigated. The complaint management process and the whistle-blowing process of the Bank encompass a set of key tools to recognise and manage reputational risk. Based on the operational risk incidents and customer complaints, any risks that could lead to reputational damage are presented to the Senior Management and escalated to Board level and the Bank takes suitable measures to mitigate and control such risks.

Business risk is the risk of deterioration in earnings due to the loss of market share, changes in the cost structure and adverse changes in industry or macroeconomic conditions. The Bank’s medium-term strategic plan and annual business plan form a strategic road map for sustainable growth. Continuous competitor and customer analysis and monitoring of the macroeconomic environment enable the Bank to formulate its strategies for growth and business risk management. Processes such as Planning, ALM, IT and Product Development, in collaboration with business functions, facilitate business risk management through recognition, measurement, and implementation of tasks. Business risk relating to customers is assessed in the credit rating process and is priced accordingly.

Legal risk arises from transactions unenforceable in a court of law or the failure to successfully defend legal action instituted against the Bank. Legal risk management commences from prior analysis, thorough understanding and adherence to related legislation by the staff. Necessary precautions are taken at the design stage of transactions to minimise legal risk exposure. In the event of a legal risk factor, the Legal Unit of the Bank takes immediate action to address and mitigate these risks. External legal advice is obtained, or counsel retained when required.

The Bank’s compliance programme encompasses all policies and procedures in managing its compliance risks: regulatory, reputational, operational, and legal. It ensures the Bank’s compliance with applicable laws, regulations, guidelines, and standards of good practice. Non-compliances could result in financial penalties and damaged reputation. As the Second Line of Defence, the compliance function plays a key role in the Bank’s risk management function. The compliance function of the Bank is structured effectively to manage the dynamic requirements posed by the national and international regulations and to address the risks associated with money laundering, financing of terrorism, and other compliance risks. Unwavering direction from the top has immensely helped to create a sound compliance culture within the Bank and implement compliance strategies in a healthy manner. The Bank has a robust screening and compliance monitoring system to monitor transactions and activities, and is increasingly leveraging advanced technologies such as data analytics to strengthen early identification of emerging risks and enable proactive risk management.

The compliance function conducts regular reviews and assessments to ensure the Bank’s adherence to regulatory requirements, identify gaps, and promptly address any issues found. Continuous employee training on governing regulations is being conducted to ensure staff adherence to compliance requirements at all levels of the Bank. The Bank’s compliance function closely works with regulatory bodies and key stakeholders in the banking industry to ensure smooth operation, while maintaining agility to adapt to evolving regulatory landscapes through technology-enabled insights and forward-looking strategies.

BUSINESS CONTINUITY MANAGEMENT

A key objective of the Bank is resilience and continuity of its operations. The Bank has established a Business Continuity Management System (BCMS) and a BCP to ensure timely recovery of critical operations that are required to meet stakeholder needs, based on identified possible disruptions categorised into various severity levels. The BCMS has been designed to minimise risk to human and other resources and to enable the resumption of critical operations within reasonable time frames specified according to Recovery Time Objectives (RTOs), with minimum disruption to customer services and payment and settlement systems.

The Bank conducts periodic DR drills. These DR drills are subject to independent validation by the Internal Audit Department. A report on the effectiveness of the drill is submitted to the BIRMC/Board and also to CBSL with the Board’s observations. Learnings and improvements to DR activities are discussed and implemented through the BCSC and the BIRMC. Training and drills are carried out with the participation of employees which makes them aware of their role within the BCP.

DFCC Bank is well on its way to obtaining ISO 22301 certification for its Business Continuity Management System by 2025.

Key initiatives driving this include:

• Comprehensive risk assessment
• Enhanced preparedness
• Stakeholder engagement via comprehensive business impact assessments
• Training and awareness
• Adherence to global standards

These efforts reflect the Bank’s proactive approach to safeguarding its operations, building stakeholder confidence, and positioning itself as a leader in operational resilience within the industry. The anticipated ISO certification further cements the Bank’s standing as a trusted and reliable partner in the financial ecosystem.

Environmental, Social and Governance (ESG) risks are recognised as material risk drivers that can significantly influence the Bank's financial position, financial performance and long term resilience in line with the sustainability related disclosure standards, SLFRS S1 and SLFRS S2, the Bank integrates SRROs into its Integrated Risk Management Framework (IRMF), ensuring ESG considerations are treated as cross-cutting risk drivers rather than standalone sustainability topics.

Key ESG risks relevant to overall risk management include climate-related risks, regulatory changes, reputational risks, and social factors. The Bank recognises the growing importance of ESG factors in maintaining financial stability and effective risk management and has therefore integrated several risk mitigation measures into its credit evaluation process. A dedicated team with specialised expertise in ESG is tasked with assessing large loan facilities to identify potential ESG-related risks. These identified risks are then incorporated into the overall credit evaluation.

Climate-related and natural capital risks are recognised as key ESG risk drivers due to their potential impact on borrowers, collateral values and overall portfolio performance. Physical risks such as extreme weather events, floods and landslides may disrupt economic activity and increase credit risk, while transition risks arise from policy shifts, evolving customer preferences and exposure to carbon-intensive sectors without adequate transition planning.

Additionally, climate risk is carefully considered when evaluating the risk profile of a client’s business operations. The Bank has already implemented a process to monitor borrowers who may be facing stress due to external challenges, including ESG factors.

Furthermore, the Bank is actively working on the development of advanced systems to identify ESG risks associated with both the client’s business operations and the mortgage securities pledged to the Bank. These systems are aimed at enhancing the Bank’s ability to assess and manage ESG risks effectively and proactively.

In alignment with global best practices, the Bank is committed to enhancing its risk assessment framework by integrating ESG considerations into its stress testing processes and capital requirements. Accordingly, the Bank has considered all material ESG risks for Pillar II assessment under the capital requirements for licensed banks.

These exercises test how well capital, earnings, liquidity and asset quality hold up under severe but realistic ESG-related scenarios, including physical and transition risks. The results guide risk-appetite setting, mitigation actions, ICAAP and overall governance of sustainability-related risks.

The Bank’s ESG risk framework also considers environmental dependencies and ecosystem vulnerabilities, recognising that biodiversity loss and environmental degradation can affect financial stability through indirect channels. This integrated approach links stewardship, natural capital and financial risk management.

ESG risks are monitored through portfolio analytics, dashboards and periodic reviews reported to management and the Board. Key indicators include risk categorisation and ESG incidents. Site visits are carried out by the ESG risk staff to ensure E&S compliance by clients. Disclosures follow SLFRS sustainability-related reporting requirements to ensure transparent governance, strategy, risk management, metrics and targets.

Capacity-building and ongoing improvements to risk methodologies help embed ESG risks into mainstream financial risk management, strengthening the Bank’s stewardship role and long-term resilience.

Integrating ESG risks into the IRM framework demonstrates the Bank’s commitment to managing sustainability-related risks that influence long-term performance. By embedding ESG factors into governance, assessment, capital planning and portfolio monitoring, the Bank enhances its ability to anticipate emerging risks, support responsible financing and align growth with evolving environmental and social expectations.

The Bank has been conducting stress testing on a regular basis. Stress tests are conducted according to the stress testing policy that is aligned with international best practices and regulatory guidelines. The Bank covers a wide range of stress tests that check the resilience of the Bank’s capital and liquidity. The policy describes the purpose of stress testing and the governance structure, methodology for formulating stress tests, frequencies, assumptions, tolerance limits and remedial action. Stress testing and scenario analysis have played a significant role in the Bank’s risk mitigation efforts. Stress testing has provided a dynamic platform to assess “what if” scenarios and to provide the Bank with an assessment of areas to improve.

The outcome of the stress testing process is monitored carefully, and remedial actions are taken and used by the Bank as a tool to supplement other risk management approaches. During 2025, the stress scenarios were updated to accommodate new regulatory requirements and to be more relevant in the current economic landscape.