{"id":7442,"date":"2026-04-13T13:39:47","date_gmt":"2026-04-13T13:39:47","guid":{"rendered":"https:\/\/www.theirmindia.org\/blog\/?p=7442"},"modified":"2026-04-13T13:39:47","modified_gmt":"2026-04-13T13:39:47","slug":"elevating-operational-risk-management-in-indias-banking-sector","status":"publish","type":"post","link":"https:\/\/www.theirmindia.org\/blog\/elevating-operational-risk-management-in-indias-banking-sector\/","title":{"rendered":"Elevating Operational Risk Management in India’s Banking Sector"},"content":{"rendered":"

\"Getting<\/a><\/p>\n

This article is the transcript of IRM India’s What’s The Risk?\u00ae episode telecast on CNBCTV18. The <\/span>What’s The Risk?\u00ae<\/b><\/a> initiative by IRM India Affiliate decodes risks and opportunities across diverse sectors with an objective of elevating the importance of risk intelligence and <\/span>enterprise risk management<\/b><\/a> (ERM) as a skill, profession and business enabler.<\/span><\/p>\n

Voiceover<\/b>: Institute of Risk Management India Affiliate presents Elevating Operational Risk Management in India’s Banking Sector.<\/span><\/p>\n

Hersh Shah:<\/b><\/p>\n

Pursuit of business growth is important, but it should never come at the expense of taking unacceptable risks. This was a statement made by the Reserve Bank of India, Governor, Mr. Shaktikanta Das, reinforcing the idea that robust risk mitigation is essential for ensuring the long-term success and resilience of both a regulated entity and the overall financial system. Now, operational risk, a critical component of risk management, has become more significant as financial institutions expand their operations and adopt new technologies. The regulator’s focus on this area with a series of mandates highlights the need for banks and NBFCs to strengthen their risk controls, especially in the face of evolving threats such as artificial intelligence, climate change, geopolitical conflicts, third-party dependencies, and even supply chain disruptions. Now, the compounding challenge is also the difficulty in quantifying these risks, unlike a high-risk loan which can lead to specific, measurable financial loss within the lending function. Issues like a damaging customer service mishap can have far-reaching effects, impacting revenue streams across the organisation for years to come. With this in mind, here\u2019s welcoming you all to today’s panel discussion on Elevating Operational Risk Management in India’s Banking Sector by the <\/span>Institute of Risk Management India Affiliate<\/b><\/a>. As the world’s leading certifying body in ERM exams across 140 countries, the What’s the Risk?\u00ae initiative underscores our unwavering commitment to driving <\/span>thought leadership<\/b><\/a> in every sector and discipline. Joining me in the fourth episode today are Amit Talgeri, Group Chief Risk Officer, Axis Bank, Sanchita Mustauphy, Chief Risk Officer, Aditya Birla Capital, Ashwini Kumar Choudhary, Group Chief Risk Officer, Union Bank of India and Subash Narayanan, Managing Director and Chief Risk Officer, DBS Bank India Limited. <\/span>Amit Talgeri <\/b>(Group Chief Risk Officer, Axis Bank), let’s start the conversation with you. Why don’t you talk about operational resilience and the entire evolution of operational risk management in India, especially with the role of RBI?<\/span><\/p>\n

Amit Talgeri:<\/b><\/p>\n

Operation risk (OR) involves failure of internal practices around systems, processes, technology, and people, also external events. Prior to 2001, there were no specific areas of risk around operations risk which were kind of identified. It’s only in 2001 when the Basel Committee on Banking Supervision actually identified operations risk as a core and a critical area of risk separately. Then subsequently, there have been multiple areas where operations risk has got further policised in a sense. In 2004, Basel 2 introduced for the first time elements around operations risk capital that banks needed to keep. There were multiple parameters that were introduced, basic indicator approach to the advanced approaches etc. Then of course, in the post 2008 global financial crisis while the entire focus was on credit risk and market risk, there were elements of operations risk which also were kind of put together in terms of strengthening the entire operations risk framework. Subsequently in multiple years, there have also been evolution in terms of simplifying, standardising, and more importantly integrating it with operations risk. In 2021, there were papers around operations resilience, and if I were to kind of fast forward to see, in the Indian context, the regulator has also been implementing some of these regulations as a part of our day-to-day banking and financial services institutions\u2019 operations. What’s also happened is that over a period of time, there have been multiple areas of operations risk that have come to the fore, specifically around vendor, customer, we’ve seen outsourcing come as a big one, and then of course, there’s cyber. If I were to kind of really look at each of those specifically, there is the whole area around customer complaints, mis-selling, with increasing digitisation, the advent of adoption of internet, mobile banking technology, system downtime has become key areas of what we call operations risk. Finally, with the multiple areas of outsourcing that we are doing, outsourcing risk has also become a very key indicator in terms of operations risk.<\/span><\/p>\n

Hersh Shah:<\/b><\/p>\n

We’ve been successful in tackling the pandemic, even lessons from the 2008-09 financial crisis, but going forward, I think the level of preparedness needs to be enhanced across the financial sector. So, what are some of the unknown unknowns that you think Banks and NBFCs both need to be prepared for?<\/span><\/p>\n

Amit Talgeri:<\/b><\/p>\n

Digital Risk is becoming a very, very big element. Today, we’ve seen the advent of sheer volume of transactions which are coming through the banking system. Transaction monitoring, digital fraud is one big area related to operations risk. The second is the upcoming data privacy laws. You could see a big change, in terms of the way data is stored, protected, and more importantly used. Finally, there is cyber risk, clearly that’s the unknown unknown. There is a lot that we can do as a part of cyber risk but there will always be elements where we need to kind of reinforce our parameters.<\/span><\/p>\n

Hersh Shah:\u00a0<\/b><\/p>\n

Sanchita Mustauphy <\/b>(Chief Risk Officer, Aditya Birla Capital), building on what Amit said, based on your experience, how do you think NBFCs are evolving on the entire <\/span>operational risk management<\/b><\/a> framework looking at third party, business continuity, and disaster recovery?<\/span><\/p>\n

Sanchita Mustauphy:<\/b><\/p>\n

The whole digital framework of the Bank and NBFCs have grown significantly, which has led to increase in the operational risk. So, it is important that we review our operational risk framework and the regulator has also come up with the regulatory guidelines regarding the operational risk framework and resilience framework. Now, if you look at it, they have identified three pillars. Pillar I is about adopt and implement, Pillar II is about resilience, and Pillar III is about learnings. If you look at Pillar I, it’s purely about change management, it’s about the roles and responsibilities of senior management, it’s about how a risk management framework of operation risk should be there, but Pillar II talks significantly about cyber risk framework, it talks about vulnerability assessment, penetration testing so as to ensure that there’s no gap and there’s no threat in between which could be vulnerable to any incident happening. Then, it talks about bringing in interconnection between BCP (Business Continuity Planning)<\/span> and DR (Disaster Recovery) such that all the cyber risk incidents are built-up into the planning of the BCP and DR. A DR playbook is to be ready and it should identify what constitutes a DR, a DR threat and DR testing incident, and then we need to have a detailed RPO (Recovery Point Objective) and RTO (Recovery Time Objective)<\/span> being defined which should be looking into the gaps which are there in case of any testing and how to go back and check and mitigate those gaps and the RC (Root Cause) around that. So, it is important that we look into the cyber risk policy and the resilience framework that the vendor has and how strong is the cyber risk posture. We need to continuously monitor and review it and put a framework or model around it so that we are identifying the categories of vendors accordingly, and the <\/span>materiality, <\/span>the importance into our line of business. So, there are significant programs which need to be developed around the system, and also, we need to see how we can bring the changes and adoptability into the system through RCAs and learnings which could be derived out of the BCP, DR, cyber risk framework, the different vulnerability testing, etc.<\/span><\/p>\n

Hersh Shah:\u00a0<\/b><\/p>\n

Ashwini Kumar Choudhary <\/b>(Group Chief Risk Officer, Union Bank of India), you’re representing the public sector on today’s panel. Are you seeing any specific operational risk for public sector banks, and since most of the public sector banks come with legacy systems, how are you implementing operational risk management across the organisation?<\/span><\/p>\n

Ashwini Kumar Choudhary:<\/b><\/p>\n

For different products and processes, we have something fully automated, something partially automated, and something even manual, so managing the entire change process is a big task for the bank. At every point in time, there will be some change with respect to adoption of new processes, automation of some processes, and moving from manual to automation, and during this process, you need to manage the entire activity properly. You need to ensure that there is no disruption in the activity which is going on, plus whatever change management you are adopting, those are very smooth. You have done proper back testing, you have applied all the logics, so it does not create any problem once you have gone for automation. So, you need to invest a lot of time into the review of people, processes and systems, because unless you review entire products and processes, you will not be able to identify the risk associated with this. So, this is a continuous journey, and at all points in time, we need to keep on reviewing these processes and adopt changes. And with the legacy system, a lot of issues also come up. For example, there will be issues with respect to dormant accounts, inactive accounts, how do you operationalise those accounts?, what are the processes we are going to follow?, because these are more vulnerable to any fraud. A number of inoperative accounts will be there in the system. How do you use them? How do you ensure that any vulnerability can be mitigated while operating these accounts? So, managing all these things becomes very important.<\/span><\/p>\n

Hersh Shah:\u00a0<\/b><\/p>\n

So, what are some of the measures you’re taking to make sure that operational risk management is successful in a public sector ecosystem?<\/span><\/p>\n

Ashwini Kumar Choudhary:<\/b><\/p>\n

Yeah. We are making investments into the digitisation of processes. A number of processes are getting automated, so that’s a big task, and we are at the same time also trying to centralise some of the activities, which reduces the risk which comes from decentralisation of activity or manual process. We are making investments in training and grooming our own people, that’s a continuous journey.<\/span><\/p>\n

Hersh Shah:\u00a0<\/b><\/p>\n

I’m sure that’s also part of the overall risk culture building.<\/span><\/p>\n

Ashwini Kumar Choudhary:<\/b><\/p>\n

Yeah. We are spreading risk culture, we are ensuring communication across various verticals, various verticals of assurance functions, along with various business units. So, continuous communication, messaging from the top, through this, we are trying to spread risk awareness, risk culture. That is definitely helping us.<\/span><\/p>\n

Hersh Shah:\u00a0<\/b><\/p>\n

Okay. <\/span>And finally, <\/span>Subash Narayanan <\/b>(Managing Director and Chief Risk Officer, DBS Bank India Limited), turning to you. The Institute of Operational Risk, which is now part of the IRM, has always released several guides around OR Governance, OR resilience, risk control self-testing, and there are many other international standards and frameworks. So, coming from a multinational bank, what is your recommendation in terms of international frameworks and standards that India’s banking sector should look at?\u00a0<\/span><\/p>\n

Subash Narayanan:<\/b><\/p>\n

To me, what is important is when you are operating across countries, how do you make sure the bank is able to achieve the level of risk culture, the level of operational resilience, which can work for you? So, that is where I think the international framework comes in. Interestingly, if you look at what has come out in the recent RBI circular about operational resilience, people used to talk about operational risk, now the resilience has come in, and this is the same trend we are seeing in terms of HKMA (Hong Kong Monetary Authority) circulars or <\/span>MAS<\/span> (Monetary Authority of Singapore)<\/span> circulars, so there is a coming convergence of all of the regulators in terms of their approach. What the international frameworks also then gives you is the experience people have had in dealing with some of these risks. Some market may be ahead in certain implementation. I would say India is probably way ahead of some of the other markets in terms of intake. What are the challenges we face from digital fraud? I’m sure other markets can learn from us. But then how do you share that without disclosing from a confidentiality, data secrecy perspective, and that’s where some of the organisations like IRM come in, where they can give guidance in terms of how these risks have been looked at and what can be done. To me, one other important benefit of these frameworks is that each organisation has its own risk appetite threshold. This will help you benchmark to see where you are, and in line with your internal organisation threshold, decide what level of controls you want to pick. I mean, that to me is a very important one in terms of customer service, balancing your profits, balancing your risk, right. So, in life it’s never easy but how do you make sure you get the right mix and that varies from bank to bank, and that’s where some of these governance frameworks, the ideas give you how you want to benchmark.\u00a0<\/span><\/p>\n

Hersh Shah:\u00a0<\/b><\/p>\n

Alright, we’re going to take a short break, but we’ll be right back with this esteemed panel to explore the geopolitical challenges risk related to financial inclusion and fintech, and the role of ESG in operational risk management. Be right back.<\/span><\/p>\n