Risk Management And Internal Control Policy

Effective risk management is fundamental to being able to generate sustainable profits and is thus an important aspect of the financial and operational management of Central Finance Company PLC (CF). This policy outlines the framework for risk management and internal control at CF to ensure compliance with the regulatory requirements of the Central Bank of Sri Lanka (CBSL). It aims to establish a robust risk management culture, promote sound practices for identifying, assessing, monitoring, controlling and reporting of potential risks to protect the interests of stakeholders.

This policy applies to all employees at all levels and grades and the Board of Directors of CF. It covers the direction for the management of all types of risks, including credit risk, market risk, operational risk, liquidity risk, operational risk, strategic risk, compliance risk and technology risk.

• Identify, assess, monitor, and manage risks effectively.
• Ensure compliance with CBSL regulations and other applicable laws.
• Protect the Company’s assets and reputation.
• Promote a risk-aware culture within the organization.
• Provide assurance to stakeholders about the Company’s risk management practices.

The risk management culture sets the tone for managing risk by all the stakeholders within the risk management framework. The Company intends to achieve an internal environment where:

• The Company is consistently operating within the Board approved ‘risk appetite’ in pursuit of strategic objectives.
• The operating policies approved by the Board provide guidelines on how to manage various risks throughout the Company and all employees are aware and committed to embrace the risk management framework and seek to continuously improve the way in which risks are managed.
• The developments in the external environment that might impact the internal risk management culture are closely monitored and acted upon.

5.1 Risk Governance Structure
Roles and responsibilities for risk management at CF is structured according to a three lines of defence model. Each line of defence describes a specific set of responsibilities for managing and controlling risks.

Committee/Officer	Role and Responsibility
Board of Directors	Responsible for overseeing the risk management framework and ensuring its effectiveness. Thus, the Board approves risk management policies and procedures, set risk appetite and ensure alignment of risk and business strategy.
Managing Director and Corporate Management	Perceive the emerging risks that could affect strategic goals to ensure that the overall risk profile of the Company remains within the specified limits as approved by the Board.
Board Integrated Risk Management Committee	A Board sub-committee consisting of Non-Executive Directors to manage the overall adequacy and effectiveness of the risk management framework. Responsible for reviewing risk management policies, strategies and the overall risk profile of the Company.
Board Audit Committee	Assist the Board to fulfil its stewardship responsibilities by overseeing and reviewing the effectiveness of the Company’s internal control and risk management systems.
Chief Risk Officer	Leads the risk management function, reports to the Board Integrated Risk Management Committee (BIRMC) and ensures the implementation of risk management policies and procedures.
Compliance Officer	Responsible for ensuring compliance with laws, regulations, directions, rules, regulatory guidelines and approved policies on the business operations.
Chief Information Security Officer	Leads the information security unit and conducts independent monitoring of the Company’s IT risk profile using various tools and techniques and reports to the BIRMC.
Head of Internal Audit	Provides independent assurance on the effectiveness of the risk management framework and internal controls.

 

Senior Management Level Committees

• Assets and Liabilities Management Committee: Actively manage liquidity and market risk whilst complying with the regulatory requirements to maximize the risk adjusted returns to shareholders over medium to long term.
• Credit Committee: Evaluate and approve or decline all types of credit facilities under the purview of the committee, supervise and monitor the lending operations of the Company including credit quality, review and make appropriate recommendations for credit policy.
• Information Security Committee: Maintain information security posture at optimal levels in alignment with organizational strategy and seek compliance with regulations while providing recommendations regarding all information-security related aspects of the Company.
• Investment Committee: Oversee treasury operations in alignment with the investment policy to optimize returns while maintaining adequate liquidity levels.

5.2 Risk Management Policies and Procedures

5.2.1 Risk Appetite

Risk Appetite refers to the broad types and maximum amount of risk the Company is willing to accept in order to meet its business goals and objectives. The Risk Appetite Statement is recommended by the BIRMC and reviewed and approved by the Board of Directors annually.

5.2.2 Risk Management Related Policies and Procedures

The other policies, key documents and guidelines on risk management of the Company includes the following;

• • Credit Risk Management Policy
  • Liquidity Management Policy
  • Market Risk Management Policy
  • Investment Policy
  • Operational Loss Events Policy
  • Stress Testing Framework
  • Information Security Policy
  • Impairment Policy and Procedure
  • Disaster Recovery Plan
  • Business Continuity Policy

5.3 Risk Management Process

 

5.3.1 Risk Identification

• Conduct regular environmental scans to detect potential internal and external risks.
• Evaluate the possible risk sources.
• Use both top down and bottom up approaches to ensure risk identification is undertaken by employees at all levels.

5.3.2 Risk Assessment

• Use qualitative and quantitative methods to assess the impact and likelihood of identified risks.
• Maintain a risk register to document and track risks.
• Perform stress tests to evaluate the impact of remote but plausible adverse events.

5.3.3 Risk Mitigation

• Develop and implement risk mitigation strategies and action plans.
• Use insurance, hedging, and other risk transfer mechanisms where appropriate.
• Continuously monitor the effectiveness of risk mitigation measures.

5.3.4 Risk Monitoring and Reporting

• Implement risk indicators and thresholds to monitor risk exposures.
• Regularly review risk reports at the management and Board levels.
• Ensure timely and accurate reporting of risk information to the regulator and other stakeholders.

6.1 Control Environment

• Establish a strong control environment with a commitment to integrity and ethical values.
• Ensure the competency of employees and provide them with appropriate training.
• Promote a culture of accountability and transparency.

6.2 Control Activities

• Implement policies and procedures to ensure effective internal controls.
• Segregate duties to prevent conflicts of interest and reduce the risk of errors or fraud.
• Conduct regular reconciliations, verifications, and reviews of transactions and processes.

6.3 Information and Communication

• Ensure timely and accurate flow of information across the organization.
• Maintain comprehensive and reliable information systems.
• Communicate internal control policies and procedures to all employees.

6.4 Monitoring and Review

• Conduct regular internal audits to evaluate the effectiveness of internal controls.
• Address any deficiencies identified through audits or other reviews promptly.
• Internal control policies and procedures are reviewed and updated periodically, with updates provided to the Audit Committee on regular basis.

This policy is approved by the Board of Directors of CF and shall be effective from September 01, 2024.

This policy shall be reviewed and updated annually or as required to ensure its continued relevance and effectiveness. Any changes to this policy must be approved by the Board of Directors.