Standard Chartered’s Yohan Samarakkody, Chief Risk Officer (CRO) & Head of Operational Risk, Sri Lanka, shares insights into how risk leadership, traditionally a gatekeeper role, is evolving in a volatile global and local environment. From embedding proactive frameworks and cyber resilience to navigating regulatory pressure and horizon risks, CROs are helping banks shift from reactive stances to forward-looking strategies that integrate risk into core business and transformation agendas. Samarakkody also shares how Standard Chartered is equipped to help Sri Lanka manage global uncertainties and local challenges.
How is the role of the Chief Risk Officer evolving in the face of rising macroeconomic volatility, both globally and in Sri Lanka?
In today’s turbulent environment, where black swan events are no longer rare, the role of the CRO in the banking sector has become increasingly critical and complex. CROs are now expected to take a front-footed approach to managing interconnected and evolving risks. These include geopolitical tensions, trade wars that disrupt supply chains, sovereign defaults, climate risks, global pandemics, rising cyber threats, complex regulations, and an increase in financial crime.
As a result, CROs are being called upon to go beyond traditional frameworks and assume broader strategic leadership roles. Historically, CROs have acted as gatekeepers, focusing on credit, market, and operational risk. Today, they are expected to be strategic partners in shaping corporate plans, driving digital transformation, and supporting sustainability initiatives.
In Sri Lanka, the operating environment has been repeatedly stress-tested since 2019, through the Easter attacks, the COVID-19 pandemic, and the 2022 sovereign debt default. These events triggered profound economic instability, including currency depreciation, foreign currency shortages, and inflation, which in turn led to elevated levels of non-performing assets across the banking sector.
This reality has forced a shift in the risk governance approach. Static models are no longer sufficient. CROs now require dynamic forecasting tools that interpret volatile macroeconomic signals and shifting market conditions. The aim is to deliver forward-looking insights that support proactive risk identification, assessment, mitigation, and monitoring.
It is also essential to embed a proactive risk culture across the bank. Risk management must be a collaborative effort between the first line of defence, which includes business units, and the second line, led by the risk function.
What are the most pressing operational risks financial institutions in Sri Lanka face today, and how are they changing?
After a prolonged period of stress, both macroeconomic and operational, Sri Lanka has entered a phase of economic recovery and stabilization. This shift has also transformed how financial institutions approach operational risk. Traditionally centred on internal processes, inefficiencies, and human error, operational risk management has become more outward-looking. It now addresses dynamic external threats, including systemic risks, cybercrime, geopolitical tensions, regulatory expectations, and the impact of digital transformation.
Given this, Sri Lankan financial institutions must invest in robust technology infrastructure to mitigate digital vulnerabilities and cybersecurity threats. The lockdowns during the COVID-19 pandemic accelerated digitization across the sector, but this has also expanded exposure to cyber threats. Financial institutions now face increasingly sophisticated attacks, including phishing, business email compromise (BEC), and ransomware. With digital transformation gaining momentum, data breaches have also become more frequent.
To address these risks, the Central Bank of Sri Lanka introduced Direction No. 16 of 2021, which outlines a regulatory framework for managing technology risks and enhancing resilience. It mandates real-time threat monitoring and improved cybersecurity practices among licensed banks.
At the same time, economic hardship has heightened the risk of both internal and external fraud. Local banks must now monitor fraud risks across loan origination, collections, and customer data management. This requires greater governance, investment in data analytics, and behavioural monitoring to detect and contain such risks.
As banks focus more on core operations and cost management, there is greater reliance on outsourcing and remote services. This includes third-party vendors handling IT services, customer support, and document processing. Any lapse in vendor control can expose banks to reputational, regulatory, and operational risk. The Central Bank is increasing its focus on third-party risk assessments, prompting banks to enhance due diligence and oversight.
Physical disruptions such as power outages, political instability, and climate-related risks have also reinforced the need for strong operational resilience. Business Continuity Planning (BCP) and Recovery and Resolution Planning (RRP) must now be treated as strategic priorities. This includes investing in multi-site operations, cloud-based backups, and scenario-based planning.
To effectively manage the growing complexity of operational risk, local financial institutions must adopt a forward-looking, risk-aware culture that is embedded across both the first and second lines of defence.
How should banks balance regulatory compliance with agility in a fast-changing risk landscape?
Globally, central banks are tightening regulatory oversight, increasing surveillance of financial institutions, markets, and digital assets. This trend aims to manage systemic risks and reinforce the stability and independence of the financial sector. In Sri Lanka, the regulatory landscape is also becoming increasingly complex, marked by stricter scrutiny of Know Your Customer (KYC), Anti-Money Laundering (AML), and Financial Crime Compliance (FCC), as well as the implementation of Basel III, foreign exchange controls, reduced large exposure thresholds, and stronger governance expectations.
Although the Sri Lankan economy has shown resilience in recovering from the triple crisis, it remains volatile and fragile. In this context, striking a balance between regulatory compliance and agility in a rapidly evolving risk environment is a key challenge. Non-compliance can lead to both regulatory penalties and reputational damage.
To navigate this environment, banks must invest in technology for automation and real-time monitoring of FCC and AML compliance. A dynamic compliance culture is essential, where regulations are accurately interpreted, proactive engagement with regulators is maintained, and timely gap analyses are conducted to ensure regulatory expectations are met. Compliance risk must be jointly owned by both the first and second lines of defence, supported by robust policies and procedures.
It is also crucial to integrate compliance into strategic and corporate planning, aligning regulatory expectations with business objectives. This fosters a shift from reactive to proactive compliance, enabling anticipation of regulatory developments. The Central Bank’s Large Exposure Direction, effective 1 January 2026, is a case in point. It reduces the maximum accommodation threshold from 30-40% of total capital to 25% of Tier 1 capital, in line with regional norms.
What shifts are you seeing in cyber and digital risk exposure, and how are you addressing them?
With growing urgency around digital transformation, increased cloud adoption, the expansion of digital assets, hybrid work models, and more sophisticated threat actors, digital and cyber security risk has become inherent and ever-evolving in the banking industry. It is the most dynamic risk, driven by the speed of change. Monitoring this risk requires a proactive approach to identification, assessment, control, and oversight.
Banks must embed a dynamic cyber risk culture across both the first and second lines of defence. This culture should be supported by real-time intelligence to spot emerging threats and adaptive security capabilities that evolve in step with cyber risks. A breach in cybersecurity not only results in financial loss but can also trigger non-financial risks, such as reputational damage and regulatory consequences, which affect customer trust and institutional resilience.
As part of an emerging market, the Sri Lankan banking sector is particularly vulnerable to advanced cyber threats. Threat actors are increasingly targeting customer data, direct-to-bank channels, mobile banking platforms, and digital onboarding systems. At Standard Chartered Sri Lanka, we leverage the group’s substantial investments in cybersecurity. In my role as CRO, I ensure regular penetration testing in coordination with Information & Cyber Security (ICS) teams, encourage phishing simulations for staff, and promote ongoing awareness campaigns to maintain a secure environment. These efforts aim to strengthen the human firewall and reduce cyber risk across the organization.
What does moving from reactive to proactive risk management look like in practice at Standard Chartered?
In a period of constant change and increasingly short disruption cycles, financial institutions cannot rely on approaches designed to manage yesterday’s risks. Reactive risk management is inadequate when risks evolve dynamically, and historical patterns no longer repeat predictably. Effective risk management today requires identifying, assessing, mitigating, and proactively monitoring risks to ensure optimal outcomes.
To navigate this environment, Standard Chartered has embedded a proactive risk management approach into its Enterprise Risk Management Framework (ERMF), designed to address fast-evolving and increasingly interconnected risks. The ERMF outlines nine principal risk types, comprising three financial and six non-financial risks, and sets out the governance required to manage them. It is approved by the Board of Directors at the group level and is owned by all verticals across the bank, including both the first and second lines of defence. This framework defines the bank’s risk appetite and anchors it in strategic decision-making.
The ERMF also fosters a collective risk culture. Risk management is not the sole responsibility of the second line of defence. Relationship managers, product partners, and operational staff in the first line are empowered to identify and escalate risks proactively. Shared ownership of the framework strengthens risk awareness across the bank and promotes collaborative management rather than siloed responses.
In addition, Standard Chartered continues to invest in data and risk analytics. The rollout of SC GPT, a GenAI-powered tool, supports efficient and proactive risk measurement, recording, and reporting. This enhances real-time risk intelligence, helping the bank detect early signs of credit deterioration, operational anomalies, and other emerging threats.
Which horizon risks are shaping your risk outlook for the next 12 to 18 months? How is Standard Chartered Sri Lanka preparing for these?
Over the next 12 to 18 months, Sri Lanka’s financial sector will navigate a challenging risk landscape shaped by local and global macroeconomic shifts. Domestically, while the country has rebounded from the 2022 crisis under the IMF’s Extended Fund Facility, achieving some fiscal consolidation and exchange rate stability, the environment still remains fragile. Structural weaknesses, including high public debt, weak tax revenues, and elevated fiscal expenditure, continue to pose significant risks.
With the IMF’s fourth review still pending board approval at the time of drafting this response, the key question is whether Sri Lanka can meet the reform benchmarks necessary to complete the 48-month $3 billion EFF programme. At the same time, the banking sector is grappling with elevated non-performing loans, with stage 3 loans at 12.7% of total loans as of April 2025. The CBSL’s Large Exposure Direction, effective from January 1, 2026, will tighten lending capacity by capping exposures at 25% of Tier 1 capital.
Externally, Sri Lankan exports face headwinds from the United States’ 44% reciprocal tariffs, among the highest imposed. Though currently on a 90-day pause, these tariffs, if left unchanged, will severely impact exports, particularly apparel, with knock-on effects on reserves and the LKR. The government’s current low-interest rate policy aims to spur growth, but sustained high global rates, especially in the US and Europe, could deter FDI and put further pressure on the currency.
Geopolitical tensions in Ukraine, Gaza, and South Asia also pose a threat to stability. These dynamics could impact the country’s credit rating and constrain access to external funding, while also affecting remittances and tourism, which are vulnerable to global economic downturns.
In this context, we continue to monitor credit risk across both retail and wholesale portfolios closely. Scenario-based stress testing remains core to our approach, alongside vigilance on AML and FCC risks, using group-wide capabilities to ensure compliance with evolving regulations. Despite the challenges, Standard Chartered Sri Lanka maintains its AAA Fitch rating, supported by a robust capital buffer built over the past five years to absorb potential shocks.