Risk Advisory · Risk Advisory Services
Credit, Operational & IT Risk Reviews
A bank's or NBFC's credit book, its day-to-day operations, and its technology stack are three separate places where the same organisation can quietly build up risk it does not fully see — until a loan portfolio deteriorates faster than provisioning anticipated, a process breakdown lets a control gap through, or a system outage exposes a dependency nobody had mapped.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
A bank's or NBFC's credit book, its day-to-day operations, and its technology stack are three separate places where the same organisation can quietly build up risk it does not fully see — until a loan portfolio deteriorates faster than provisioning anticipated, a process breakdown lets a control gap through, or a system outage exposes a dependency nobody had mapped. Credit, Operational & IT Risk Reviews bring structured, evidence-based assessment to all three domains — calibrated to RBI's supervisory expectations for banks and NBFCs, and to the operational and technology risk exposure that increasingly matters for any sizeable corporate, not just regulated financial entities. At PNPC Global, we have been reviewing credit books, testing operational controls, and assessing IT risk postures since 1986. We do not hand over a generic checklist — we tell you, specifically, where your credit risk models are weak, where your operational controls have gaps, and where your IT environment is exposed, with a remediation plan your Board and your regulator can act on.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
Credit, Operational & IT Risk Reviews are a combined but distinct set of assurance and advisory engagements that assess three of the most material risk categories facing banks, NBFCs, and increasingly any credit-extending or technology-dependent corporate. Credit risk review examines the quality of an entity's lending or credit-extension book — appraisal standards, exposure concentration, collateral valuation, provisioning adequacy under Ind AS 109's Expected Credit Loss (ECL) model or RBI's Income Recognition and Asset Classification (IRAC) norms, and early-warning signal effectiveness — to answer whether the credit portfolio's stated risk profile matches its actual risk profile. Operational risk review examines the people, process, and system failures that can cause direct or indirect loss — inadequate segregation of duties, process breakdowns, transaction processing errors, internal fraud vulnerability, and third-party/vendor dependency risk — following the Basel Committee's operational risk taxonomy that RBI has adopted for regulated entities and that is increasingly used as good practice by non-regulated corporates as well. IT risk review examines the technology environment specifically — cybersecurity posture, access controls, data integrity, system availability, disaster recovery readiness, and IT general controls — against frameworks such as RBI's IT Governance, Risk, Controls and Assurance Practices guidelines for regulated entities, ISO 27001 principles, and the compliance obligations arising under the Digital Personal Data Protection Act, 2023.
For banks and NBFCs, these three risk domains are not optional areas of interest — they sit at the core of RBI's supervisory framework. The Reserve Bank of India's Scale Based Regulation (SBR) framework for NBFCs, effective from October 2022, imposes progressively more stringent risk management, governance, and IT risk requirements as an NBFC moves from the Base Layer through Middle, Upper, and Top Layers — including mandatory Risk Management Committees, more rigorous provisioning discipline, and enhanced IT governance for upper-layer entities. RBI's Master Direction on IT Governance, Risk, Controls and Assurance Practices (2023) applies to banks, and to NBFCs in the Middle and Upper Layers, mandating a Board-approved IT strategy, a Chief Information Security Officer or equivalent function, defined RTO/RPO for critical systems, and periodic IT risk assessment. Basel III's operational risk capital framework (the Standardised Measurement Approach, which RBI has been progressively aligning Indian bank capital requirements toward) and RBI's own operational risk management guidelines for banks require a structured operational risk framework with loss-event data collection, key risk indicators, and Board-level oversight.
For corporates outside the directly regulated banking and NBFC space, these reviews remain highly relevant in narrower but still material forms: a manufacturing or trading company extending significant trade credit to customers benefits from a credit risk review of its receivables book and customer credit-approval process; any company with material process dependencies — manual approvals, single points of failure, weak segregation of duties in payments or procurement — benefits from an operational risk review; and virtually every company today, given its dependency on ERP systems, customer data, and digital payment rails, benefits from an IT risk review covering access controls, backup and recovery readiness, and cybersecurity exposure, particularly given the compliance obligations and reputational stakes introduced by the DPDP Act, 2023.
These three reviews are deliberately structured as complementary lenses on a single underlying question — where is this organisation's actual risk exposure understated relative to its stated or assumed risk profile — rather than three disconnected audits. A credit risk review that finds under-provisioning often traces back to an operational risk gap in the credit-monitoring process; an operational risk review that finds a control failure in loan disbursement often traces back to an IT risk gap in system access controls. PNPC scopes these engagements individually or as an integrated review depending on the client's regulatory status, risk profile, and Board's specific concerns, and reports findings in a form the Board, the Audit Committee, and — where applicable — RBI's supervisory teams can act on directly.
When Credit, Operational & IT Risk Reviews are the right engagement
NBFC crossing into the Middle Layer or Upper Layer under RBI's Scale Based Regulation framework, triggering enhanced risk management, IT governance, and Risk Management Committee obligations
Bank or NBFC preparing for an RBI supervisory inspection, or responding to observations already raised by RBI on credit appraisal, provisioning, or IT governance practices
Rising NPA levels, deteriorating asset quality, or a Board/Audit Committee that wants an independent view on whether provisioning under Ind AS 109 ECL or IRAC norms genuinely reflects the credit book's risk
A recent operational loss event — a processing error, an internal fraud, a vendor failure — that has prompted the organisation to ask what other operational control gaps exist beyond the one that surfaced
A cybersecurity incident, near-miss, or a peer-institution breach that has raised Board-level concern about the organisation's own IT risk posture and incident-readiness
Statutory auditor or RBI-appointed auditor raising IT general controls (ITGC) observations that need independent, structured remediation beyond a one-line management response
Preparing for a bank credit rating review, cyber insurance renewal, or lender due diligence that specifically evaluates credit, operational, and IT risk management maturity
Corporate with a material trade-credit book, significant manual process dependencies, or growing reliance on core IT systems, seeking assurance proportionate to that exposure even without a regulatory mandate
M&A due diligence or investment diligence where the acquirer or investor specifically requires an independent credit book quality review and IT risk assessment before closing
When a narrower or different engagement fits better
A confirmed fraud has already occurred and the organisation needs to determine what happened, who was involved, and the financial impact — that calls for a targeted forensic investigation, not a broad risk review
The organisation's need is a full Enterprise Risk Management framework spanning strategic, financial, compliance, and reputational risk categories, of which credit/operational/IT risk are only a subset — an ERM engagement is the better starting point, with these three reviews as a subsequent deeper dive
The immediate requirement is statutory Internal Financial Controls (IFC) testing for the annual audit under Section 143(3)(i) of the Companies Act — that is a defined, narrower scope tied to financial reporting controls specifically, though it overlaps with operational risk review methodology
A very small NBFC in the Base Layer with a simple lending book, no near-term scale-up plans, and straightforward operations — a lighter internal review by existing compliance staff, with periodic external validation, may be proportionate rather than a full three-domain review
The organisation needs business continuity or disaster recovery planning for a specific system or facility — a focused BCP/DR engagement is faster and more targeted than a broader IT risk review, though IT risk review often identifies where BCP/DR gaps exist
IT needs are limited to a one-time penetration test or vulnerability scan — a focused cybersecurity technical assessment by a specialist security firm is more appropriate than a broader IT governance and risk review
Credit, Operational & IT Risk Review vs related risk and assurance engagements
| Feature | Credit Risk Review | Operational Risk Review | IT Risk Review | Forensic Investigation | Statutory IFC Testing |
|---|---|---|---|---|---|
| Primary objective | Assess quality, concentration, and provisioning adequacy of the credit/lending book | Assess people, process, and system failure exposure across business operations | Assess cybersecurity, access control, data integrity, and system resilience | Determine facts, quantum, and parties involved in a suspected or confirmed fraud | Test design and operating effectiveness of financial reporting controls |
| Governing framework | RBI IRAC norms, Ind AS 109 ECL model, RBI SBR framework for NBFCs | RBI operational risk guidelines, Basel operational risk taxonomy | RBI IT Governance, Risk, Controls and Assurance Practices Master Direction; DPDP Act, 2023; ISO 27001 principles | Standards on Forensic Accounting and Investigation (ICAI), Companies Act fraud reporting provisions | Section 134(5)(e) Companies Act, COSO Internal Control Integrated Framework |
| Typical trigger | Rising NPAs, RBI inspection prep, provisioning concerns, portfolio scale-up | Loss event, control gap discovery, process scale-up | Cyber incident, ITGC audit observation, DPDP compliance need | Whistle-blower complaint, detected irregularity, audit red flag | Annual statutory audit cycle |
| Who commissions it | Board, Audit Committee, or RBI supervisory direction | Board, Audit Committee, or Risk Management Committee | Board, CISO function, or Audit Committee | Audit Committee, Board, or in response to a specific complaint | Statutory auditor as part of the annual audit |
| Typical output | Portfolio quality report, provisioning adequacy assessment, concentration analysis, remediation plan | Control gap report, loss-event register, process remediation roadmap | IT risk assessment report, ITGC gap analysis, remediation and governance roadmap | Investigation report with findings, evidence trail, and recommended action | Control matrix, deficiency report, management action plan |
| Mandatory for | Banks and NBFCs under RBI supervision; expected practice for large credit-extending corporates | Banks and NBFCs under RBI operational risk guidelines; good practice for others | Banks and Middle/Upper Layer NBFCs under RBI IT Governance Master Direction; expected practice for most corporates given DPDP Act exposure | Situational — triggered by specific facts, not a recurring statutory cycle | All companies, as part of Board's responsibility under the Companies Act |
| Frequency | Periodic — typically annual or aligned to RBI inspection cycle | Periodic — typically annual, more frequent post loss-event | Periodic — typically annual, with continuous monitoring components | One-time, scoped to the specific matter under investigation | Annual, aligned to statutory audit cycle |
| Relationship to ERM | A deep-dive within the financial/credit risk category of a broader ERM risk universe | A deep-dive within the operational risk category of a broader ERM risk universe | A deep-dive within the technology risk category of a broader ERM risk universe | Typically triggered by a risk that materialised despite the ERM/control framework | A specialised subset of the operational/financial risk category within ERM |
These three reviews are frequently commissioned together for banks and NBFCs because RBI's supervisory framework expects an integrated view of credit, operational, and IT risk maturity — but each can also be scoped independently based on the specific concern driving the engagement. The right combination and depth for your organisation should be confirmed with a practising CA based on your regulatory status, risk profile, and Board's priorities.
| # | Stage & What PNPC Does | What Generic Providers Skip | Timeline |
|---|---|---|---|
| 1 | Scoping & Regulatory Applicability Assessment | We first establish which of the three domains — credit, operational, IT — genuinely need review given your regulatory status (bank, NBFC layer under RBI's Scale Based Regulation, or non-regulated corporate), and whether the engagement should be integrated or run as separate scoped reviews. We do not default to a one-size-fits-all bundle when a client's actual exposure calls for a narrower or differently weighted scope. | Week 1 |
| 2 | Data & Documentation Request | A structured, domain-specific document request — loan book data and appraisal files for credit risk, process maps and incident logs for operational risk, IT asset registers and access logs for IT risk — issued upfront so the fieldwork phase is not repeatedly interrupted by ad hoc document chasing, which is the single biggest cause of engagement delay we see from other providers. | Week 1–2 |
| 3 | Credit Risk — Portfolio Sampling & Appraisal Review | For credit risk scope: a risk-based (not purely random) sample of the loan/credit book, weighted toward higher-value exposures, recent originations, and any accounts showing early-warning stress signals, reviewed against the entity's own credit policy and RBI's IRAC/Ind AS 109 provisioning norms — checking whether appraisal, sanctioning, and monitoring actually followed the documented policy, not just whether a policy exists. | Week 2–4 |
| 4 | Credit Risk — Concentration & Provisioning Adequacy Analysis | Sector, borrower-group, and geography concentration analysis against internal limits and RBI's large exposure framework where applicable, combined with an independent recalculation of ECL/IRAC provisioning on a sample basis to assess whether the entity's own provisioning is understated relative to actual portfolio risk — a step generic reviewers frequently skip in favour of simply confirming a provisioning policy exists. | Week 3–5 |
| 5 | Operational Risk — Process Walkthroughs & Control Testing | Walkthroughs of the highest-risk operational processes — loan disbursement, cash/treasury operations, procurement, payroll, vendor onboarding — with actual transaction testing against the control design, not just interviews about how the process is supposed to work. Segregation-of-duties gaps, manual override frequency, and exception-handling discipline are specifically assessed. | Week 3–6 |
| 6 | Operational Risk — Loss Event & Near-Miss Register Review | Review of any existing operational loss-event log, incident register, or internal audit findings history to identify recurring control themes, combined with structured interviews to surface near-misses that were resolved informally and never formally logged — these near-misses are often the earliest warning of a systemic control gap. | Week 4–6 |
| 7 | IT Risk — Governance & Policy Review | Assessment of the Board-approved IT strategy (or its absence), IT risk management policy, CISO or equivalent function, and whether IT governance meets RBI's Master Direction requirements for applicable entities — this governance layer is frequently missing entirely at NBFCs that have scaled quickly without formalising IT oversight. | Week 4–5 |
| 8 | IT Risk — Access Control & IT General Controls (ITGC) Testing | Testing of user access provisioning and de-provisioning, privileged access management, segregation of duties within core banking/lending systems, change management discipline, and backup/recovery evidence — sampled against actual system logs, not management's description of the control environment. | Week 5–7 |
| 9 | IT Risk — Cybersecurity Posture & DPDP Readiness Assessment | A structured cybersecurity risk assessment covering network security, endpoint protection, incident response readiness, and third-party/vendor IT risk, combined with a DPDP Act, 2023 compliance gap assessment covering consent management, data breach notification readiness, and data processor agreements — increasingly a Board-level concern independent of RBI applicability. | Week 6–8 |
| 10 | Cross-Domain Findings Correlation | Findings across the three domains are deliberately cross-referenced — a credit provisioning gap traced to a weak early-warning monitoring process, an operational control failure traced to an IT access control gap — because the most material risks are often visible only when the three lenses are combined, which is precisely what a single-domain review misses. | Week 7–8 |
| 11 | Draft Report, Risk Rating & Management Response | A structured draft report with findings individually risk-rated (High/Medium/Low or the entity's own rating convention), root-cause analysis rather than surface-level symptom description, and a formal management response cycle before finalisation — ensuring findings are accurate and actionable rather than disputed after the fact. | Week 8–9 |
| 12 | Remediation Roadmap & Ownership Assignment | Every finding is paired with a specific, named-owner remediation action and a realistic target date — not a generic 'management to strengthen controls' recommendation that provides no accountability trail for the next review cycle or for RBI supervisory follow-up. | Week 9 |
| 13 | Board / Audit Committee / Risk Committee Presentation | Findings and the remediation roadmap presented directly to the Board, Audit Committee, or Risk Management Committee — in the format and level of detail that committee actually needs to discharge its oversight responsibility, with PNPC available to field questions directly rather than leaving the client to interpret a written report alone. | Week 9–10 |
| 14 | Follow-Up Remediation Verification | A scoped follow-up review — typically 3–6 months after the initial report — to verify that committed remediation actions have actually been implemented, not just marked closed in a tracker. This closes the loop that many one-time reviews leave open. | 3–6 months post-report |
Realistic timeline for a full integrated Credit, Operational & IT Risk Review: 8–10 weeks from scoping to Board presentation for a single-entity bank or NBFC of moderate size and complexity. A single-domain review (credit only, or IT only) typically takes 4–6 weeks. Larger, multi-branch, or multi-entity organisations, or those with limited existing documentation, should expect a longer timeline. Follow-up verification review is a separate, shorter engagement typically 3–6 months later.
Certificate of Incorporation, RBI Certificate of Registration (for NBFCs) or banking licence, and current classification under RBI's Scale Based Regulation layer, if applicable
Board and Committee composition, including Risk Management Committee, Audit Committee, and IT Strategy Committee terms of reference where constituted
Board-approved credit policy, operational risk policy, and IT risk/security policy documents, along with the date of last review
Minutes of the last 4–6 Board, Risk Committee, and Audit Committee meetings, particularly any prior discussion of credit quality, operational losses, or IT/cyber incidents
Any prior RBI inspection report, supervisory letter, or observations, and the entity's response and remediation status
Loan/credit book data extract — borrower-wise exposure, sanction date, security/collateral details, current classification (Standard/SMA/NPA), and provisioning held
Credit appraisal policy, sanctioning authority matrix, and a sample of complete loan files across ticket sizes and vintages
Portfolio concentration reports — by sector, borrower group, geography, and product — against internal exposure limits
Ind AS 109 ECL model documentation and assumptions, or IRAC classification working papers, for the most recent reporting period
Early-warning signal (EWS) framework documentation and the current list of accounts flagged under it
Standard Operating Procedures (SOPs) for key processes — loan disbursement, cash/treasury handling, procurement, payroll, vendor onboarding
Delegation of Authority (DOA) matrix and evidence of segregation of duties across critical transaction cycles
Operational loss event register or incident log, if maintained, covering at least the past 2–3 years
Internal audit reports for the most recent 2–3 cycles, with particular attention to repeat findings
Details of any material vendor/outsourcing arrangements and the outsourcing risk assessment performed, if any, particularly for arrangements falling under RBI's outsourcing guidelines
IT asset register — core banking/lending system, ERP, key applications, and hosting environment (on-premise/cloud) details
User access list for critical systems with role mapping, and evidence of periodic access review/recertification
Change management log for the past 6–12 months, showing approval trail for production changes
Backup, disaster recovery, and business continuity documentation, including last tested Recovery Time Objective (RTO) and Recovery Point Objective (RPO) evidence
Cybersecurity policy, incident response plan, and record of any security incidents, near-misses, or vulnerability assessment/penetration test reports in the past 12–24 months
Data privacy documentation and processor/vendor agreements relevant to Digital Personal Data Protection Act, 2023 compliance
Latest audited financial statements and, for banks/NBFCs, the latest regulatory returns filed with RBI
Statutory auditor's management letter and any IT general controls (ITGC) or internal control observations from the most recent audit
Details of any litigation, customer complaints, or regulatory correspondence relating to credit practices, operational failures, or data/IT incidents in the past 3 years
Insurance policy schedule, including cyber insurance coverage if held, and any recent claims
Any existing Enterprise Risk Management framework, risk register, or risk appetite statement covering credit, operational, or IT risk categories
Prior credit risk, operational risk, or IT risk review reports, whether performed internally or by a third party, along with remediation status
Board or management self-assessment against RBI's IT Governance, Risk, Controls and Assurance Practices Master Direction, if performed
Any prior forensic investigation reports or fraud incident reports, where relevant to understanding recurring operational or IT control themes
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Regulatory Threshold Assessment (Ongoing) | NBFC asset size growth or new banking/NBFC licence | Continuous monitoring of applicability under RBI's Scale Based Regulation layers and the IT Governance Master Direction, so governance obligations are anticipated before the threshold is actually crossed, not discovered afterward. | Crossing into Middle or Upper Layer without pre-built governance structures — leaving the entity non-compliant from the day the threshold is crossed, exposed to RBI supervisory action. |
| First Integrated Review (Baseline) | Board or RBI-prompted decision to establish independent risk assurance | Full credit, operational, and IT risk review establishing a documented baseline — findings risk-rated, root-caused, and paired with a remediation roadmap with named owners and target dates. | No independent baseline exists — the Board relies entirely on management's own assessment of risk quality, with no external validation until an external event (RBI inspection, loss event) forces the issue. |
| Remediation Execution (Month 1–6 post-review) | Findings accepted by the Board/Audit Committee | Structured tracking of remediation actions against committed timelines, with PNPC available for advisory support on control redesign, provisioning methodology correction, or IT governance build-out as remediation is executed. | Findings agreed in principle but never actually remediated — the same gaps resurface at the next review or, worse, at the next RBI inspection, undermining credibility with the regulator. |
| Follow-Up Verification (Month 3–6) | Remediation deadlines reached | An independent follow-up review verifying that remediation actions were genuinely implemented — tested, not just marked closed in a tracker — closing the loop that self-certified remediation cannot credibly close on its own. | Remediation marked complete internally without independent verification — a false sense of resolution that surfaces as a repeat finding, damaging credibility with auditors, RBI, or the Board. |
| Annual Refresh Cycle | Financial year-end / RBI inspection cycle | Formal annual refresh of all three risk domains, incorporating portfolio growth, new operational processes, system changes, and emerging cyber threats — ensuring the risk review stays current rather than reflecting a point-in-time snapshot that ages quickly. | A stale risk assessment that no longer reflects actual portfolio composition or IT environment — creates a governance gap that becomes visible precisely when an RBI inspection or credit rating review occurs. |
| Portfolio Stress Event | Rising NPAs, sector downturn, concentrated exposure deterioration | Focused, accelerated credit risk deep-dive — re-testing provisioning adequacy, early-warning signal effectiveness, and concentration exposure against the stress scenario actually unfolding, rather than waiting for the next scheduled annual cycle. | Provisioning that lags actual portfolio deterioration — understated NPAs and provisioning discovered by the statutory auditor or RBI rather than proactively by the entity, with reputational and regulatory consequences. |
| Operational Loss or IT Incident | Fraud discovery, processing failure, cyber incident, near-miss | Rapid post-event root-cause review — distinguishing this from a full forensic investigation where facts are already known — focused on whether the control or IT gap that allowed the event is isolated or systemic, and what else in the same control family needs re-testing. | The same control gap recurs in a different form because only the specific symptom was addressed, not the underlying systemic weakness — repeat incidents erode Board, investor, and regulatory confidence. |
| M&A / Investment Diligence | Acquisition, investment round, or lender due diligence | Scoped credit book quality review and IT risk assessment specifically structured for the diligence timeline and the acquirer/investor/lender's specific concerns, delivered as a standalone diligence report distinct from the entity's own periodic risk review. | Credit quality or IT risk issues surfacing for the first time during the counterparty's own due diligence — causing valuation adjustments, deal delays, or in some cases deal collapse. |
What exactly do Credit, Operational & IT Risk Reviews cover, in plain terms?
Three related but distinct questions. Credit risk review asks: is the loan/credit book actually as healthy as it appears, and is provisioning adequate for the risk actually present? Operational risk review asks: where could a process, people, or control failure cause a direct financial or reputational loss, and are those gaps currently open? IT risk review asks: is the technology environment — access controls, data security, system resilience — adequately protected, governed, and compliant with current data protection law? PNPC scopes these individually or together depending on your regulatory status and specific concern.
Is this review mandatory for our organisation, or is it discretionary?
For banks and NBFCs, elements of this review are effectively mandatory through RBI's supervisory framework: NBFCs in the Middle and Upper Layers under the Scale Based Regulation framework must meet enhanced risk management and IT governance requirements, and RBI's IT Governance, Risk, Controls and Assurance Practices Master Direction applies directly to banks and Middle/Upper Layer NBFCs. For a non-regulated corporate, there is no single statute mandating this exact review, but a material trade-credit book, significant process dependencies, or meaningful IT/data exposure make it a genuinely prudent, increasingly expected practice — particularly given DPDP Act, 2023 obligations that apply regardless of sector.
What is RBI's Scale Based Regulation (SBR) framework and how does it affect our review scope?
SBR, effective from October 2022, classifies NBFCs into four layers — Base, Middle, Upper, and Top — based on size, activity, and perceived riskiness, with progressively more stringent governance, risk management, and capital requirements at each higher layer. Upper Layer NBFCs face requirements closer to those applicable to banks, including mandatory Board-level Risk Management Committee constitution, more rigorous IT governance, and enhanced disclosure. The layer your NBFC currently sits in — and how close it is to crossing into the next layer — directly determines how rigorous a credit, operational, and IT risk review needs to be, and how soon.
What is the difference between IRAC norms and the Ind AS 109 ECL model for provisioning?
IRAC (Income Recognition and Asset Classification) norms are RBI's traditional, incurred-loss-based framework classifying advances as Standard, Sub-Standard, Doubtful, or Loss, with prescribed minimum provisioning percentages for each category. Ind AS 109's Expected Credit Loss (ECL) model, applicable to NBFCs that have adopted Ind AS, is a forward-looking framework requiring provisioning based on probability-weighted expected losses over the life of the exposure, factoring in macroeconomic forward-looking information — generally producing higher, more risk-sensitive provisioning than IRAC in a deteriorating credit environment. RBI has indicated its intent to move banks toward an ECL-based framework as well, though implementation timelines have been extended; NBFCs on Ind AS already apply ECL.
How do you actually test whether provisioning is adequate — isn't that just checking a formula?
No — we independently recalculate provisioning on a risk-based sample of accounts using the entity's own stated methodology and assumptions, then separately stress-test those assumptions against actual portfolio performance (roll-rates, recovery experience, collateral realisation history) to assess whether the assumptions themselves are defensible, not just whether the formula was applied correctly. A mathematically correct ECL calculation built on unrealistically optimistic assumptions still understates real risk.
What counts as 'operational risk' — can you give concrete examples?
Operational risk covers loss arising from inadequate or failed internal processes, people, and systems, or from external events — excluding credit and market risk. Concrete examples: a payment released without the required dual approval due to a workflow override, a key-person dependency where only one employee understands a critical reconciliation process, a vendor failing to deliver a critical service with no contingency plan, a data entry error in loan disbursement that goes undetected for months, or an internal fraud enabled by inadequate segregation of duties between transaction initiation and approval.
What is segregation of duties and why does it come up so often in operational risk reviews?
Segregation of duties is the control principle that no single individual should be able to both initiate and approve a transaction, or both execute and reconcile it, without independent oversight — reducing the risk of undetected error or fraud. It comes up constantly because it is one of the most foundational operational controls, yet is also one of the most commonly compromised as organisations scale quickly, add system access without revisiting role design, or rely on informal trust rather than system-enforced controls.
What does an IT risk review actually examine, and how is it different from a cybersecurity penetration test?
A penetration test is a narrow, technical exercise simulating an attacker attempting to breach specific systems — valuable, but scoped to technical vulnerabilities. An IT risk review is broader: it examines IT governance (is there a Board-approved IT strategy and risk-owning function), access controls, change management discipline, data backup and disaster recovery readiness, vendor/third-party IT risk, and regulatory compliance posture (RBI IT Governance Master Direction, DPDP Act) — of which technical vulnerability is only one component. Many organisations with a clean penetration test result still have material IT governance and access control gaps.
How does the Digital Personal Data Protection Act, 2023 factor into an IT risk review?
The DPDP Act, 2023 creates specific obligations around lawful processing of personal data, consent management, data breach notification, data principal rights, and significant penalties for non-compliance — all of which materially expand the scope of what a current IT risk review needs to assess beyond traditional cybersecurity and access control testing. We specifically assess consent mechanisms, data processor agreements, breach notification readiness, and data retention practices as part of the IT risk review, with rules and compliance timelines being operationalised progressively by the government.
We are a corporate, not a bank or NBFC. Do we still need this review?
It depends on your specific exposure rather than regulatory status alone. If you extend material trade credit to customers, a credit risk review of your receivables book and credit-approval process is worthwhile regardless of RBI applicability. If you have significant manual process dependencies — payments, procurement, payroll — an operational risk review adds real value. And given that virtually every business today depends on ERP systems, customer data, and digital payment infrastructure, an IT risk review covering access controls and DPDP compliance readiness is increasingly a prudent baseline rather than a regulated-entity-only exercise.
How long does a full integrated review take?
For a single-entity bank or NBFC of moderate size and complexity, a realistic timeline from scoping through Board presentation is 8–10 weeks. A single-domain review — credit risk only, or IT risk only — typically takes 4–6 weeks. Larger, multi-branch organisations, or those with limited existing documentation and process maps, should expect a longer timeline. A follow-up remediation verification review, typically conducted 3–6 months after the initial report, is a separate and shorter engagement.
What does this engagement typically cost?
Cost depends materially on portfolio size, number of branches/locations, IT system complexity, and whether the engagement covers all three domains or a single domain. PNPC agrees a fixed, written scope and fee before any engagement begins, distinguishing the initial review phase from any follow-up remediation verification review, so the client knows exactly what is included at each stage.
Who typically commissions this review internally — the CFO, the CRO, or the Board directly?
Most commonly the Board or the Risk Management Committee/Audit Committee commissions the review directly, given its independent assurance nature, though the CFO, Chief Risk Officer, or Head of Internal Audit is usually the primary internal coordination point for scoping and document access. For entities without a dedicated CRO, the CFO or Company Secretary typically fills that coordination role.
Does PNPC perform the credit portfolio sample review on every single loan, or a sample?
A risk-based sample, not a full-portfolio review — full-portfolio testing is rarely proportionate or necessary to assess systemic quality. The sample is weighted toward higher-value exposures, recent originations (where appraisal discipline is most current), and accounts already showing early-warning stress signals, since these are where provisioning and appraisal weaknesses are most likely to be material. Sample size and stratification are agreed with the client and, where relevant, calibrated to what an RBI inspection team would typically expect to see tested.
What is an Early Warning Signal (EWS) framework and why does it matter to a credit risk review?
An EWS framework is a set of defined indicators — payment delays, bounced cheques, adverse credit bureau movement, declining account turnover, sector-level stress signals — designed to flag a credit exposure showing early signs of stress before it formally slips into a lower asset classification. A well-functioning EWS framework allows proactive engagement with a stressed borrower and earlier provisioning recognition; a weak or non-existent one means asset quality deterioration is discovered only when it has already progressed to NPA classification, by which point recovery options are more limited.
What are IT General Controls (ITGC) and why do they matter beyond the statutory audit?
ITGCs are the foundational controls over an IT environment that support the reliability of application-level controls and data — access management, change management, IT operations (backup, job scheduling), and program development controls. Statutory auditors test ITGCs specifically to determine how much reliance they can place on system-generated financial data. Beyond the audit context, weak ITGCs — particularly around access provisioning and change management — are frequently the root cause of both operational risk incidents and cybersecurity exposure, which is why IT risk review tests them more broadly than an audit-scoped ITGC review would.
Can this review help with our cyber insurance renewal?
Yes. Insurers increasingly require, or price more favourably based on, evidence of the applicant's risk management maturity — documented IT governance, access controls, incident response readiness, and backup/recovery testing. An IT risk review report and its remediation roadmap can materially support the underwriting conversation and, in our experience, has helped clients secure improved terms upon renewal after addressing identified gaps.
How does this review relate to a full Enterprise Risk Management (ERM) framework?
Credit, operational, and IT risk are three of the risk categories within a comprehensive ERM risk universe, alongside strategic, financial, compliance, and reputational risk. Where an ERM framework already exists, this review serves as a deeper, more technically rigorous assessment within those three specific categories, feeding its findings back into the broader risk register. Where no ERM framework exists yet, this review can stand alone, or serve as a natural starting point that later expands into a full ERM build once the organisation sees the value of structured risk assessment in these three material domains.
What happens if the review finds a serious, immediate risk during fieldwork — do we wait for the final report?
No. PNPC escalates any finding assessed as an immediate, material risk — a live fraud indicator, a critical unpatched security vulnerability, or a provisioning gap severe enough to affect the entity's regulatory capital position — directly and promptly to the Audit Committee or Board Chair, rather than holding it for the scheduled final report presentation. The final report still documents the finding formally, but urgent risks are not left to sit until the standard reporting cycle.
Do you provide remediation implementation support, or only the findings report?
Both models are available and are scoped separately. Many clients engage PNPC for the review and findings report as a defined project, then handle remediation internally with PNPC available for ad hoc advisory support on specific fixes — provisioning methodology correction, control redesign, IT governance policy drafting. Other clients, particularly those without deep in-house risk or IT governance expertise, prefer PNPC to remain actively involved through remediation execution and the follow-up verification review.
How does RBI's Master Direction on IT Governance apply specifically to NBFCs, and which layers does it cover?
RBI's Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (2023) applies to banks and to NBFCs in the Middle and Upper Layers under the Scale Based Regulation framework — Base Layer NBFCs are not directly bound by its detailed requirements, though adopting proportionate elements of it as good practice is prudent given how quickly an NBFC can scale into the Middle Layer. The Direction requires a Board-approved IT strategy, a dedicated IT function with appropriate governance, defined RTO/RPO for critical systems, and structured IT risk assessment.
Can PNPC support this review for a group with both Indian and UAE entities?
Yes. PNPC operates from Chennai, Bangalore, Hyderabad, and Dubai. For groups with lending, operational, or IT infrastructure spanning both jurisdictions, we build a consolidated view that accounts for cross-border considerations — UAE Central Bank regulatory requirements for any UAE-licensed finance entity, cross-border data flow implications under both DPDP Act and applicable UAE data protection law, and group-level operational risk that can propagate between entities — rather than two disconnected, single-jurisdiction reviews.
What is the difference between this review and what our statutory auditor already does?
The statutory auditor's primary objective is an opinion on whether the financial statements present a true and fair view, which includes testing ITGCs and internal financial controls specifically to the extent they affect financial reporting reliability — a narrower, financial-statement-focused lens. Credit, Operational & IT Risk Review is a broader, forward-looking management assurance exercise — assessing portfolio quality and provisioning adequacy beyond audit sampling thresholds, operational risk beyond financial-reporting-relevant processes, and IT risk beyond ITGCs relevant to the audit — designed to inform Board and RBI-facing risk management, not primarily to support an audit opinion.
How does PNPC handle findings that reveal a potential regulatory breach, not just a control gap?
Where fieldwork surfaces something that appears to be an actual regulatory breach — for example, provisioning materially below RBI's prescribed minimum, or an exposure limit breach — rather than simply a control weakness, PNPC flags this distinctly and promptly to the Board/Audit Committee, with a clear factual basis, so the entity can assess its own disclosure and remediation obligations with appropriate legal input alongside our findings. We do not make the disclosure decision on the client's behalf, but we ensure the Board has the facts promptly and clearly.
Is a single review enough, or should this be a recurring engagement?
A single review establishes a valuable baseline, but credit portfolios, operational processes, and IT environments all change continuously — new products, new systems, new vendors, evolving cyber threats. Most clients in regulated categories (banks, Middle/Upper Layer NBFCs) benefit from an annual cycle, aligned to the financial year-end and any RBI inspection cadence, with lighter-touch interim reviews for specific domains if a material change occurs (a new core banking system, a significant portfolio shift) between annual cycles.
What is the single most common finding across the credit, operational, and IT domains?
Documented policy that does not match actual practice. Nearly every organisation we review has a credit policy, an operational SOP, and an IT security policy that reads well on paper — the recurring gap is between what the policy says should happen and what our testing shows actually happens: appraisal shortcuts under commercial pressure, manual overrides of segregation-of-duties controls, and access rights that were never revoked after role changes. The policy exists; the discipline of following it consistently does not.
Can this review be used to support a bank credit rating or lender relationship?
Yes. A structured, independently performed risk review — particularly one covering credit portfolio quality and provisioning adequacy — can support conversations with lenders and rating agencies who are themselves assessing the entity's credit and risk management maturity as part of their own rating or lending decision. We are candid, however, that the review's purpose is genuine risk assessment, not producing a favourable document for external presentation — findings are reported factually regardless of how they may be received externally.
Does PNPC also perform statutory or internal audit for the same client, and does that create a conflict?
Where PNPC also serves as internal auditor or statutory auditor for a client, we manage independence carefully — RBI and ICAI guidelines govern the boundaries of what the same firm can perform for a regulated entity, and we structure engagement teams and scope accordingly, including using separate engagement teams where independence rules require it. We discuss this explicitly with clients during scoping, rather than assuming no conflict exists.
What is 'concentration risk' in a credit portfolio, and how do you measure it?
Concentration risk is the exposure an entity carries when its credit book is disproportionately weighted toward a single borrower, borrower group, sector, or geography — meaning a single adverse event can impact a large share of the portfolio at once. We measure it against the entity's own internal exposure limits (if defined) and, for larger NBFCs, against RBI's large exposure framework where applicable, breaking the portfolio down by top-N borrower groups, sector-wise exposure as a percentage of net worth, and geographic clustering, particularly for entities with a regional lending focus.
What is the role of collateral valuation in a credit risk review, and how often should collateral be revalued?
Collateral valuation directly affects Loss Given Default (LGD) assumptions in provisioning models and the practical recoverability of an exposure if it turns delinquent. There is no single statutory revaluation frequency applicable to all lenders, but RBI guidance and prudent practice generally call for periodic revaluation — more frequently for volatile asset classes like unlisted equity or certain movable assets, less frequently for stable asset classes like registered immovable property — with a clear, Board-approved revaluation policy rather than an ad hoc or purely origination-date valuation relied upon indefinitely.
Can a small or mid-sized corporate (not a bank or NBFC) get a scaled-down version of this review?
Yes, and this is a common and proportionate engagement. For a corporate with a material trade-credit book, we scope a focused review of the customer credit-approval process, receivables ageing and provisioning against Ind AS 109 (which applies to trade receivables for entities on Ind AS as well), and customer concentration — without the RBI-specific regulatory testing that applies only to banks and NBFCs. Operational and IT risk review scope is similarly right-sized to the corporate's actual process and system complexity.
What is a 'root-cause' finding versus a 'symptom' finding, and why does PNPC insist on the distinction?
A symptom finding describes what went wrong in a specific instance — for example, 'a loan was disbursed without complete KYC documentation.' A root-cause finding explains why it was possible — for example, 'the loan origination system does not block disbursement when a mandatory KYC field is incomplete, and no compensating manual check exists.' Remediating only the symptom (correcting that one file) leaves the underlying gap open for the next transaction; remediating the root cause (a system control or compensating check) prevents recurrence across the whole portfolio.
How does PNPC handle client confidentiality given the sensitivity of credit and IT data reviewed?
All data accessed during the review — borrower-level credit information, system access credentials context, incident details — is handled under the engagement's confidentiality terms, accessed only by the assigned engagement team, and retained only as long as necessary to support the review and any follow-up verification. Where the review touches personal data within the scope of the Digital Personal Data Protection Act, 2023, we apply data-minimisation principles in our own working papers, extracting only what is needed for testing rather than retaining full data sets beyond what the engagement requires.
If we already had an internal audit this year, do we still need a separate risk review?
It depends on what the internal audit actually covered and how it was scoped. Internal audit typically tests a broader annual plan across many process areas at a defined depth, often rotating focus areas year to year, whereas a dedicated Credit, Operational & IT Risk Review goes deeper specifically into these three domains, with credit portfolio sampling and provisioning recalculation, IT governance assessment against RBI's Master Direction, and cross-domain correlation that a general internal audit plan may not have scoped this cycle. We review the internal audit's scope and findings first to avoid duplicating work, and focus this review on genuine gaps.
What happens after the follow-up verification review — is that the end of the engagement?
Not necessarily. Some clients conclude the engagement after follow-up verification confirms remediation, planning to commission the next full review at the next annual cycle. Others transition to a lighter-touch ongoing advisory arrangement — periodic check-ins on emerging risk areas, ad hoc review of new products or systems before launch, and support preparing for the next RBI inspection cycle — rather than a hard stop between one-off engagements.
How PNPC's Credit, Operational & IT Risk Review compares to alternatives
| Feature | Generic Consulting Checklist | In-House Risk/Audit Team Only | PNPC Global |
|---|---|---|---|
| Credit sampling methodology | Often a fixed percentage sample with no risk weighting | Depends on internal team's credit expertise and independence from the lending function | Risk-based sample weighted to high-value, recent, and EWS-flagged exposures, tested against RBI IRAC/Ind AS 109 methodology |
| Regulatory grounding | General references to 'RBI guidelines' without SBR-layer-specific mapping | Variable — depends on internal team's regulatory currency and RBI update tracking | Direct mapping to current RBI Scale Based Regulation layer obligations and IT Governance Master Direction requirements |
| Cross-domain correlation | Credit, operational, and IT typically reviewed as entirely separate, disconnected exercises | Depends on coordination across internal functions, often informal or absent | Findings deliberately cross-referenced across all three domains to surface root causes that a single-domain review misses |
| Testing depth | Interview-based, policy-document review with limited transaction testing | Varies with internal team bandwidth and independence from the areas under review | Transaction-level testing, system-log verification, and independent provisioning recalculation, not just policy review |
| Escalation protocol | Findings held until final report regardless of urgency | Depends on internal reporting lines and comfort escalating to the Board | Immediate escalation of material, urgent findings directly to the Audit Committee or Board Chair, ahead of the final report |
| Follow-up verification | One-time deliverable, remediation tracking left entirely to the client | Depends on internal team continuity and independence from remediation ownership | Independent follow-up verification review 3–6 months later, testing whether remediation actually happened |
| Cross-border capability | Single-jurisdiction focus, typically India-only | Limited to internal team's jurisdictional exposure | Consolidated India-UAE group risk view from offices in both jurisdictions |
What the PNPC package includes
- 01
Scoping and regulatory applicability assessment against your RBI Scale Based Regulation layer and IT Governance Master Direction requirements
- 02
Risk-based credit portfolio sampling and appraisal file review against your credit policy and RBI IRAC/Ind AS 109 provisioning norms
- 03
Independent recalculation of provisioning adequacy on a sample basis, including collateral valuation currency and EWS framework effectiveness testing
- 04
Operational risk process walkthroughs with actual transaction testing — not interview-only assessment — across your highest-risk business processes
- 05
Segregation-of-duties and Delegation of Authority testing at the system-configuration level, not just the policy-document level
- 06
IT governance review against RBI's IT Governance, Risk, Controls and Assurance Practices Master Direction, including CISO function and Board IT strategy assessment
- 07
IT General Controls (ITGC) testing — access provisioning, change management, backup/recovery — sampled against actual system logs
- 08
Cybersecurity posture assessment and Digital Personal Data Protection Act, 2023 compliance gap review
- 09
Cross-domain findings correlation identifying root causes visible only when credit, operational, and IT findings are combined
- 10
Risk-rated findings report with root-cause analysis and a formal management response cycle before finalisation
- 11
Remediation roadmap with named owners and target dates for every finding — not generic recommendations
- 12
Board, Audit Committee, or Risk Management Committee presentation, with PNPC available to field questions directly
- 13
Independent follow-up remediation verification review, typically 3–6 months after the initial report
- 14
Consolidated India-UAE group risk view for clients with cross-border operations, coordinated from Chennai, Bangalore, Hyderabad, and Dubai
A risk review that only checks whether a policy exists tells you nothing about whether your credit book, your operations, or your systems are actually safe. Talk to PNPC Global about a review that tests what actually happens — and gives your Board and your regulator a remediation plan they can trust.