Lessons for financial sector from recent bank fraud

Thursday, 23 April 2026 02:53



  • Internal controls, accountability and the real first line of defence

This article follows my earlier commentary on the recent bank fraud that has unsettled several stakeholders in Sri Lanka’s financial sector. Many readers subsequently raised questions and sought further clarification on governance and control implications. The issue merits revisiting because the structural lessons extend well beyond a single institution or event. While investigations continue, one point is becoming increasingly clear: what occurred was not merely the result of sophisticated deception. It reflects a breakdown in basic internal controls, management and CEO oversight, and non-executive oversight (albeit exercised through Board Subcommittees).



Trust

Banking, more than most industries, is built on trust. Depositors place their savings in banks expecting that robust systems, strong governance, and disciplined management will safeguard their funds. At the heart of this trust lies a simple but critical foundation — sound internal controls and proportional oversight, with integrity and vigilance at all levels. It is easy to write this down after an event; it is harder to sustain in practice, and yet it must be, because banks deal with public money and livelihoods. These controls ensure transactions are properly recorded, reconciliations are completed on time, exposures are monitored, and irregularities detected early. When these mechanisms weaken or are ignored, the entire risk management framework erodes. The key lesson for me is this: the fraud underscores that operational risk can be as damaging as market, governance, or credit risk. Control failures — such as inadequate segregation of duties and the absence of independent verification — are preventable. Banks must therefore treat operational risk with the same rigour and discipline applied to other financial risks.

Banking is, at its core, the disciplined management of risk. To leverage risk while dispensing with flagged mitigants is not boldness; it is an accident waiting to happen. The Chief Executive Officer and senior executives carry the operational responsibility of ensuring that internal controls, accounting standards, and risk management systems function effectively. They are compensated precisely to maintain these safeguards. When fundamental accounting practices and control procedures fail, the cause is not an unavoidable risk event but a failure of operational leadership. They are, in the truest sense, the first and most critical line of defence. Yet the consequences rarely stop with management. 

Bank Boards — which by regulation meet monthly and rely heavily on information provided by management and reviewed by technically competent Board Subcommittees — inevitably find themselves drawn into the fallout, and rightly so. Directors exercise oversight through Board meetings and Subcommittees: the Audit, Integrated Risk, Related Party Transaction, Nominations and Governance, and HR and Remuneration Committees. These bodies sit outside the executive function and operate as advisory and recommending committees to the Board on matters within their respective mandates. Despite this structural separation, when serious lapses occur, the reputational and regulatory consequences land in the lap of the Board — even though directors are strictly told to play a non-executive role and compensated accordingly.

 






Governance

The governance architecture of banks is intentionally designed with multiple layers of defence. Executive management forms the first line, the Integrated Risk function the second, and Internal Audit the third. The Board is the statutory body to which all three lines are accountable: it provides direction and oversight but does not itself constitute a control function. External parties — the Central Bank of Sri Lanka, independent external auditors, and other regulators — are counterparties to the bank’s governance framework, not components of it. Their independent validation supplements, but does not substitute, the bank’s own internal obligations. Regulatory supervision and inspections by the Central Bank serve as an additional safeguard for the stability of the financial system. However, even the most sophisticated governance structures, when overseen with an indifferent or half-hearted approach, cannot compensate for weak operational discipline. If fundamental accounting controls, reconciliation processes, and transaction monitoring systems are bypassed, irregularities may go undetected until they evolve into systemic problems. In such circumstances, Boards, auditors, and regulators are forced into a reactive rather than preventive role.

Historically, many bank Boards have concentrated attention on credit risk — understandably so, since lending remains the core activity of commercial banks. Governance and regulatory compliance have also received increasing focus in recent years. Yet operational control risks and market risks have often received what might be described as stepmotherly treatment. These risks may appear less dramatic than credit losses, but when control systems fail, their consequences can be equally damaging.

 






Expectations of a Bank Director

The recent episode should prompt a harder question about what we actually expect of bank directors — and whether the profession is delivering it. Skills, experience, and subject-matter competence are necessary but not sufficient. A director who brings all of these to the boardroom but does not invest the time and energy the role demands contributes far less than their credentials suggest. Names hyped in the media do not matter. Regulatory minimums set a floor, not a standard. The oversight scope of a Board Subcommittee — spanning audit findings, risk dashboards, whistle-blower matters, compliance checklists, credit and procurement proposals, related party declarations, and technology and information security reports — cannot be discharged credibly in four annual meetings. For the Audit and Integrated Risk Committees in particular, a quarterly cadence is not governance; it is the appearance of governance.

The events at the bank at the centre of this episode illustrate the point with uncomfortable precision. A fraud routed through internal accounts over an extended period was structured in smaller transactions specifically to avoid detection thresholds. It escalated from an initial disclosure of Rs. 380 million to a confirmed loss of Rs. 13.2 billion within days. The bank’s own Chief Executive acknowledged publicly that “there should have been more probing questions.” Parliament’s Committee on Public Finance subsequently flagged lapses in corporate governance, supervisory shortcomings, and delays in the reporting of material information. This is what infrequent, insufficiently probing committee oversight produces in a licensed bank: controls on paper, scrutiny absent in practice. Directors must therefore be willing, not merely able, to give their time. That means meeting more frequently than the regulatory minimum requires; questioning executive recommendations with rigour rather than deference; and being prepared to stand against proposals that carry unacceptable risk to the institution, even when doing so is uncomfortable. A Board that rubber-stamps management recommendations — however well-credentialled its members — is not exercising governance. It is providing cover.
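The structuring pattern described above, a per-transaction review threshold defeated by splitting a large movement into many smaller postings, is exactly the case a transaction-monitoring rule has to anticipate. The Python below is an added illustration and is not the bank’s monitoring system or anything from the original article. The ledger lines, the originator and internal-account identifiers, the Rs. 1 million review threshold, the seven-day look-back window and the 80% “near-threshold” band are all constructed assumptions. It contrasts the naive control (flag only postings at or above the limit) with an aggregation rule that groups just-under-limit postings by originator and internal account over a rolling window, which is what catches the split transactions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed parameters (hypothetical, not the bank's actual rules).
THRESHOLD = 1_000_000          # Rs.; single postings at or above this are reviewed
WINDOW = timedelta(days=7)     # look-back window for aggregating postings
NEAR_FRACTION = 0.8            # "just under the limit" band: >= 80% of THRESHOLD
MIN_COUNT = 3                  # near-threshold postings in the window needed to alert

# Constructed sample postings to internal accounts.
# Format: timestamp,originator,internal_account,amount
SAMPLE_LEDGER = """\
2026-03-02T10:15,OPS-17,INT-SUSPENSE-01,950000
2026-03-03T09:40,OPS-17,INT-SUSPENSE-01,980000
2026-03-04T11:05,OPS-17,INT-SUSPENSE-01,900000
2026-03-05T16:20,OPS-17,INT-SUSPENSE-01,975000
2026-03-02T12:00,OPS-22,INT-CLEARING-03,1200000
2026-03-10T10:00,OPS-31,INT-SUSPENSE-01,50000
2026-03-11T10:00,OPS-31,INT-SUSPENSE-01,60000
2026-03-20T10:00,OPS-17,INT-SUSPENSE-01,990000
"""


def parse_ledger(text):
    """Parse the CSV-style ledger into (timestamp, originator, account, amount) tuples."""
    txns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, originator, account, amount = line.split(",")
        txns.append((datetime.fromisoformat(ts), originator, account, int(amount)))
    return txns


def per_transaction_alerts(txns, threshold=THRESHOLD):
    """The naive control: only postings at or above the threshold are reviewed.
    A fraud split into sub-threshold pieces never appears here."""
    return [t for t in txns if t[3] >= threshold]


def structuring_alerts(txns, threshold=THRESHOLD, window=WINDOW,
                       near_fraction=NEAR_FRACTION, min_count=MIN_COUNT):
    """Aggregation control: for each (originator, internal account), find the
    densest run of just-under-threshold postings inside the window. One alert
    per key is returned, describing the longest such run found."""
    lower = threshold * near_fraction
    by_key = defaultdict(list)
    for ts, originator, account, amount in txns:
        if lower <= amount < threshold:          # sub-threshold but suspiciously close
            by_key[(originator, account)].append((ts, amount))

    alerts = []
    for (originator, account), postings in by_key.items():
        postings.sort()                          # chronological order
        best = None
        start = 0
        for end in range(len(postings)):
            # Slide the window start forward until the run fits inside WINDOW.
            while postings[end][0] - postings[start][0] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best["count"]:
                best = {
                    "originator": originator,
                    "account": account,
                    "count": count,
                    "total": sum(a for _, a in postings[start:end + 1]),
                    "first": postings[start][0],
                    "last": postings[end][0],
                }
        if best is not None and best["count"] >= min_count:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    txns = parse_ledger(SAMPLE_LEDGER)
    print("Per-transaction rule flags:", [t[1] for t in per_transaction_alerts(txns)])
    for a in structuring_alerts(txns):
        print(f"Structuring: {a['originator']} -> {a['account']}: "
              f"{a['count']} postings totalling Rs. {a['total']:,} "
              f"between {a['first']:%Y-%m-%d} and {a['last']:%Y-%m-%d}")
```

On the constructed data the per-posting rule sees only the single Rs. 1.2 million transfer, while the aggregation rule surfaces the four postings of Rs. 900,000 to Rs. 980,000 from the same originator into the same suspense account within four days. The parameters matter: a window that is too short or a band that is too narrow lets a patient fraudster slip through, which is why the reconciliation of internal accounts, rather than a threshold alone, remains the control the article is arguing for.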

 






Director selection

This has practical implications for how directors are selected, remunerated, and held to account when they fail. The duty of care carries personal liability implications for Non-Executive Directors under the Companies Act No. 7 of 2007 and the recently enhanced CSE Listing Rules penalty regime. That standard is not aspirational — it is enforceable. The penalty landscape has escalated significantly, with personal director liability now attracting penalties of up to Rs. 1 million and, in extreme cases, imprisonment. Directors should approach their roles with this reality firmly in mind. There is a further consequence worth noting. Incidents of this nature inevitably raise concerns about director liability and accountability. If directors face disproportionate exposure for failures rooted in operational management — failures they lacked the information or meeting frequency to detect — attracting high-quality independent board talent will become increasingly difficult, if not impossible. The financial system depends on experienced professionals willing to bring their expertise and judgement to board oversight. That willingness must be met with governance structures that make meaningful oversight possible.



Conclusion

Ultimately, the strength of a bank is not measured by the sophistication of its governance structures or the names on the board, but by the discipline with which its fundamentals are maintained. Sound accounting, robust internal controls, and accountable management are the true first line of defence. When these basics are firmly in place, institutions remain resilient. When neglected, no volume of regulation or oversight can fully contain the damage. The same principle applies to the Board. Good directors are not defined solely by what they know or say publicly — they are defined by what they are willing to do with that knowledge: meeting as often as the work demands, interrogating what is placed before them, and exercising independent judgement even when it is unwelcome. Sri Lanka’s banking sector would do well to absorb that lesson before the next episode.




References

https://www.ft.lk/opinion/Future-proofing-Sri-Lanka-s-banking-sector-Building-resilience-against-shocks/14-790722

https://www.investopedia.com/terms/b/baringsbank.asp
