11. Risk register
A risk register for an SME WC + co-lending NBFC. Probability and impact are illustrative; tune to your actual exposure. Each risk lists the system feature required to support its controls — these feed into the implementation backlog.
Legend
- Prob: High / Medium / Low.
- Impact: High / Medium / Low.
R01 — Credit risk (NPA above plan)
- Prob: M | Impact: H
- EWS: monthly bucket roll-rate; vintage drift; sector-cluster downgrades.
- Preventive: tight underwriting; segment caps; champion-challenger.
- Detective: daily classification; weekly cohort review.
- Corrective: tighten policy; pause sector; provision additionally.
- System feature: vintage / cohort analytics, EWS engine, policy update workflow.
R02 — Fraud (identity / document / collusion)
- Prob: M | Impact: H
- EWS: device fingerprint anomalies; cluster of declines; DSA pattern.
- Preventive: device intel; sanctions / PEP; tampering detection; consortium feeds.
- Detective: fraud scorecard; recurring pattern detection.
- Corrective: blacklist update; DSA termination; recovery action.
- System feature: fraud scorecard, device intel, consortium feed integration.
R03 — Operational risk (process failure)
- Prob: M | Impact: M
- EWS: KPI deviation; incident rate.
- Preventive: SOPs; maker-checker; automation.
- Detective: ops dashboards; daily exception queues.
- Corrective: incident response; SOP revision.
- System feature: workflow engine, exception queues, incident management.
R04 — Regulatory non-compliance
- Prob: M | Impact: H
- EWS: missed-deadline alerts; new circular not implemented; audit finding.
- Preventive: compliance calendar; legal review of new products.
- Detective: internal audit; reg pulse monitoring.
- Corrective: remediate + report; board update.
- System feature: compliance calendar tooling, audit-log integrity, returns automation.
R05 — Data privacy breach
- Prob: L | Impact: H
- EWS: access-log anomalies; unauthorised exports.
- Preventive: RBAC; PII tokenisation; encryption.
- Detective: SIEM; DLP; access reviews.
- Corrective: breach response per DPDP; notify Board + Data Principals.
- System feature: PII vault, access logs, DLP, breach response runbook.
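The two R05 early-warning signals above, unauthorised exports and access-log anomalies, as a small detective control run over constructed access-log lines (added example, not code from the original register; the log format, the roles allowed to export, and the z-score threshold are assumptions):

```python
"""Added example: scans constructed access-log lines for the two R05 EWS signals,
an export by a role that has no export right (unauthorised export) and a user's
export volume far above their own earlier exports (access-log anomaly).
Log format, role set and threshold are assumptions for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, hypothetical format: timestamp|user|role|action|records
SAMPLE_LOG = """\
2024-05-01T09:01:00|asha|ops|view|1
2024-05-01T09:05:00|asha|ops|export|120
2024-05-02T10:00:00|asha|ops|export|130
2024-05-03T10:00:00|asha|ops|export|110
2024-05-04T11:00:00|asha|ops|export|125
2024-05-05T02:13:00|asha|ops|export|9800
2024-05-05T09:00:00|ravi|collections|export|40
"""

EXPORT_ROLES = {"ops", "analytics"}  # assumed RBAC: roles permitted to export PII


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, user, role, action, n = line.split("|")
        rows.append({"ts": ts, "user": user, "role": role, "action": action, "n": int(n)})
    return rows


def find_alerts(rows, z_threshold=3.0):
    """Return (kind, user, timestamp) tuples. The volume check is a z-score against
    the user's earlier exports, so a user's first three exports only build a baseline."""
    alerts = []
    history = defaultdict(list)
    for r in rows:
        if r["action"] != "export":
            continue
        if r["role"] not in EXPORT_ROLES:
            alerts.append(("unauthorised_export", r["user"], r["ts"]))
        past = history[r["user"]]
        if len(past) >= 3:
            mu, sd = mean(past), pstdev(past) or 1.0
            if (r["n"] - mu) / sd > z_threshold:
                alerts.append(("export_volume_anomaly", r["user"], r["ts"]))
        past.append(r["n"])
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

In a live deployment the baseline would come from the SIEM's history rather than the same batch, and each alert would open a ticket in the breach-response runbook named above.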
R06 — Cybersecurity incident
- Prob: M | Impact: H
- EWS: anomalous activity; vulnerability alerts; intelligence feeds.
- Preventive: hardening; patch SLA; least privilege; pen test.
- Detective: SIEM; SOC; threat hunting.
- Corrective: incident response per IT MD; RBI report within 6 h.
- System feature: SIEM, vulnerability mgmt, IR runbook.
R07 — Vendor failure (single point)
- Prob: M | Impact: H
- EWS: vendor SLA degradation; outage trend.
- Preventive: multi-vendor for critical primitives; vendor risk reviews.
- Detective: vendor performance dashboard.
- Corrective: failover; SLA negotiation; replace.
- System feature: vendor master, multi-vendor routing, performance dashboard.
R08 — Co-lender pullback
- Prob: M | Impact: H
- EWS: partner reduces approvals; ratio shifts.
- Preventive: multi-partner; written agreement terms; SLA management.
- Detective: weekly partner performance review.
- Corrective: shift to own book or alternate partner; partner re-engagement.
- System feature: multi-partner allocation, partner-level analytics.
R09 — Collections misconduct
- Prob: M | Impact: H (reputation + reg)
- EWS: customer complaints; agent flag.
- Preventive: agent training; FPC compliance; recording mandatory.
- Detective: call sampling QA; visit-photo audit; complaint analysis.
- Corrective: agent action; agency termination; apology + compensation.
- System feature: agent master, call recording, visit-photo audit, complaint workflow.
R10 — Model risk (scorecard drift)
- Prob: L (at MVP rule-based) → M (model-based) | Impact: M
- EWS: PSI drift; calibration loss.
- Preventive: champion-challenger; staged rollout.
- Detective: model monitoring dashboard.
- Corrective: model retraining or rollback.
- System feature: feature store, model registry, monitoring dashboard.
R11 — Concentration risk
- Prob: M | Impact: H
- EWS: caps approached; sector / partner / channel / borrower concentration metrics.
- Preventive: caps; periodic review.
- Detective: real-time monitoring; quarterly review.
- Corrective: pause; redirect; reduce exposure.
- System feature: exposure dashboard, real-time cap check.
R12 — Liquidity risk
- Prob: L | Impact: H
- EWS: cash-position trend; commitment gap.
- Preventive: liquidity buffer; ALM; committed lines.
- Detective: daily cash report; ALM report.
- Corrective: drawdown; emergency funding.
- System feature: ALM module, daily cash report.
R13 — ALM mismatch
- Prob: M | Impact: M
- EWS: bucket gap analysis.
- Preventive: ALM policy; matched funding.
- Detective: monthly ALM.
- Corrective: re-balance funding.
- System feature: ALM tool.
R14 — Reputational risk
- Prob: M | Impact: H
- EWS: social media monitoring; complaint volume; press mentions.
- Preventive: communication discipline; conservative claims.
- Detective: media / social monitoring.
- Corrective: response plan; PR.
- System feature: complaint dashboard; social monitor; PR runbook.
R15 — DSA / channel fraud
- Prob: M | Impact: M
- EWS: spike in applications per DSA; quality drop.
- Preventive: DSA onboarding diligence; per-DSA caps.
- Detective: DSA performance dashboard.
- Corrective: DSA suspension; clawback.
- System feature: channel hierarchy + analytics; clawback workflow.
R16 — Document fraud (manufactured P&L, fake invoices)
- Prob: M | Impact: M
- EWS: BSA tampering flag; invoice IRN fail; reconciliation divergence.
- Preventive: AA-first; e-invoice check; multi-source recon.
- Detective: forensics; cross-source recon.
- Corrective: decline; flag.
- System feature: tampering detector; IRN check; recon dashboards.
R17 — GST fraud (turnover inflation)
- Prob: M | Impact: M
- EWS: GST vs bank divergence; GST suspension; tax-liability anomalies.
- Preventive: GST × bank reconciliation rule; threshold-based REFER.
- Detective: ongoing GST status monitoring; periodic re-pull.
- Corrective: pause; investigate.
- System feature: GST recon + monitoring.
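The R17 preventive control, the GST × bank reconciliation rule with threshold-based REFER, worked through as an added example (not the register's or any vendor's code): declared turnover per month is set against bank credits per month and the divergence drives PASS / REFER / DECLINE; the thresholds, the minimum overlap, the GST status handling and the sample figures are all assumptions.

```python
"""Added example: GST x bank reconciliation rule for R17. Turnover inflation shows
up as GST-declared turnover running well ahead of credits actually received in
the bank; a suspended GSTIN is routed to review regardless of the numbers.
Thresholds, field names and figures are assumptions for illustration."""
from dataclasses import dataclass

REFER_DIVERGENCE = 0.15    # assumed: gap over 15% in either direction goes to manual review
DECLINE_DIVERGENCE = 0.40  # assumed: GST more than 40% above bank is treated as inflation
MIN_MONTHS = 6             # assumed: need at least six overlapping months to decide


@dataclass
class ReconResult:
    decision: str        # "PASS", "REFER" or "DECLINE"
    divergence: float    # (gst - bank) / bank over the overlapping months
    reasons: list


def reconcile(gst_turnover, bank_credits, gst_status="ACTIVE"):
    """gst_turnover and bank_credits map month -> amount (same currency unit)."""
    reasons = []
    if gst_status != "ACTIVE":
        reasons.append(f"GSTIN status {gst_status}")
    months = sorted(set(gst_turnover) & set(bank_credits))
    if len(months) < MIN_MONTHS:
        reasons.append(f"only {len(months)} overlapping months")
        return ReconResult("REFER", 0.0, reasons)
    gst_total = sum(gst_turnover[m] for m in months)
    bank_total = sum(bank_credits[m] for m in months)
    divergence = (gst_total - bank_total) / bank_total if bank_total else float("inf")
    if divergence > DECLINE_DIVERGENCE:
        reasons.append(f"GST turnover exceeds bank credits by {divergence:.0%}")
        return ReconResult("DECLINE", divergence, reasons)
    if abs(divergence) > REFER_DIVERGENCE:
        reasons.append(f"GST/bank divergence {divergence:+.0%}")
        return ReconResult("REFER", divergence, reasons)
    return ReconResult("REFER" if reasons else "PASS", divergence, reasons)


# Constructed sample: six months of declared turnover vs bank credits (INR lakh)
SAMPLE_GST = {"2024-01": 10, "2024-02": 11, "2024-03": 12, "2024-04": 11, "2024-05": 12, "2024-06": 13}
SAMPLE_BANK = {"2024-01": 9.5, "2024-02": 10.5, "2024-03": 11, "2024-04": 10.5, "2024-05": 11.5, "2024-06": 12}
INFLATED_GST = {m: v * 1.6 for m, v in SAMPLE_GST.items()}  # constructed inflated filing

if __name__ == "__main__":
    print(reconcile(SAMPLE_GST, SAMPLE_BANK))
    print(reconcile(INFLATED_GST, SAMPLE_BANK))
```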
R18 — Bank-statement manipulation
- Prob: L (with AA) → M (PDF only) | Impact: M
- EWS: vendor flag.
- Preventive: AA-first; vendor with tampering detection.
- Detective: vendor flag review.
- Corrective: decline.
- System feature: BSA vendor with tampering detection.
R19 — Loan stacking
- Prob: M | Impact: M
- EWS: bureau enquiry velocity; BSA-detected EMI vs bureau-reported.
- Preventive: bureau pull; AA periodic refresh.
- Detective: cross-check at sanction and renewal.
- Corrective: decline / lower limit.
- System feature: pull + recon.
R20 — Evergreening
- Prob: L (with discipline) | Impact: H
- EWS: restructuring rate; upgrade rate; cure rate suspiciously high.
- Preventive: IRACP discipline; restructuring requires explicit approval; upgrade only on full clearance.
- Detective: portfolio analytics on restructure / upgrade patterns.
- Corrective: audit; tighten policy.
- System feature: restructure workflow; upgrade-on-full-clearance enforcement.
R21 — Adverse selection (after fee / price changes)
- Prob: M | Impact: M
- EWS: shifting borrower mix; channel-level quality drop.
- Preventive: champion-challenger before broad rollout.
- Detective: cohort analytics.
- Corrective: reverse change; tighten policy.
- System feature: cohort analytics; champion-challenger.
R22 — Capital availability risk
- Prob: M | Impact: H
- EWS: investor cycle; CRAR trend.
- Preventive: maintain investor relationships; multiple debt lines.
- Detective: CRAR monthly.
- Corrective: raise; pause growth.
- System feature: CRAR tracker.
R23 — Technology downtime
- Prob: M | Impact: M
- EWS: anomaly alerts; vendor incidents.
- Preventive: multi-AZ; DR; failover.
- Detective: observability stack.
- Corrective: incident response; comms.
- System feature: observability, DR runbook.
R24 — Reconciliation failure (sustained)
- Prob: M | Impact: M
- EWS: exception backlog rising.
- Preventive: clean integrations; idempotency.
- Detective: daily recon dashboards.
- Corrective: clear backlog; root-cause.
- System feature: recon engine; exception queue.
R25 — Talent attrition (key roles)
- Prob: M | Impact: M
- EWS: engagement / attrition early signals.
- Preventive: comp benchmarking; succession; documentation.
- Detective: engagement surveys; exit interviews.
- Corrective: hire; redistribute.
- System feature: HR tooling; documentation discipline.
How to use this register
- Quarterly review by Risk Committee.
- Each risk mapped to a control owner.
- EWS signals drive operational alerts wherever they can be automated.
- System features drive engineering backlog priority.
- Risks added / retired as business evolves.
For risk-related compliance see Section 2.