HomeServicesRisk AdvisoryCredit, Operational & IT Risk Reviews

Risk Advisory · Risk Advisory Services

Credit, Operational & IT Risk Reviews

A bank's or NBFC's credit book, its day-to-day operations, and its technology stack are three separate places where the same organisation can quietly build up risk it does not fully see — until a loan portfolio deteriorates faster than provisioning anticipated, a process breakdown lets a control gap through, or a system outage exposes a dependency nobody had mapped.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

A bank's or NBFC's credit book, its day-to-day operations, and its technology stack are three separate places where the same organisation can quietly build up risk it does not fully see — until a loan portfolio deteriorates faster than provisioning anticipated, a process breakdown lets a control gap through, or a system outage exposes a dependency nobody had mapped. Credit, Operational & IT Risk Reviews bring structured, evidence-based assessment to all three domains — calibrated to RBI's supervisory expectations for banks and NBFCs, and to the operational and technology risk exposure that increasingly matters for any sizeable corporate, not just regulated financial entities. At PNPC Global, we have been reviewing credit books, testing operational controls, and assessing IT risk postures since 1986. We do not hand over a generic checklist — we tell you, specifically, where your credit risk models are weak, where your operational controls have gaps, and where your IT environment is exposed, with a remediation plan your Board and your regulator can act on.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Credit, Operational & IT Risk Reviews is

Credit, Operational & IT Risk Reviews are a combined but distinct set of assurance and advisory engagements that assess three of the most material risk categories facing banks, NBFCs, and increasingly any credit-extending or technology-dependent corporate. Credit risk review examines the quality of an entity's lending or credit-extension book — appraisal standards, exposure concentration, collateral valuation, provisioning adequacy under Ind AS 109's Expected Credit Loss (ECL) model or RBI's Income Recognition and Asset Classification (IRAC) norms, and early-warning signal effectiveness — to answer whether the credit portfolio's stated risk profile matches its actual risk profile. Operational risk review examines the people, process, and system failures that can cause direct or indirect loss — inadequate segregation of duties, process breakdowns, transaction processing errors, internal fraud vulnerability, and third-party/vendor dependency risk — following the Basel Committee's operational risk taxonomy that RBI has adopted for regulated entities and that is increasingly used as good practice by non-regulated corporates as well. IT risk review examines the technology environment specifically — cybersecurity posture, access controls, data integrity, system availability, disaster recovery readiness, and IT general controls — against frameworks such as RBI's IT Governance, Risk, Controls and Assurance Practices guidelines for regulated entities, ISO 27001 principles, and the compliance obligations arising under the Digital Personal Data Protection Act, 2023.

For banks and NBFCs, these three risk domains are not optional areas of interest — they sit at the core of RBI's supervisory framework. The Reserve Bank of India's Scale Based Regulation (SBR) framework for NBFCs, effective from October 2022, imposes progressively more stringent risk management, governance, and IT risk requirements as an NBFC moves from the Base Layer through Middle, Upper, and Top Layers — including mandatory Risk Management Committees, more rigorous provisioning discipline, and enhanced IT governance for upper-layer entities. RBI's Master Direction on IT Governance, Risk, Controls and Assurance Practices (2023) applies to banks, and to NBFCs in the Middle and Upper Layers, mandating a Board-approved IT strategy, a Chief Information Security Officer or equivalent function, defined RTO/RPO for critical systems, and periodic IT risk assessment. Basel III's operational risk capital framework (the Standardised Measurement Approach, which RBI has been progressively aligning Indian bank capital requirements toward) and RBI's own operational risk management guidelines for banks require a structured operational risk framework with loss-event data collection, key risk indicators, and Board-level oversight.

For corporates outside the directly regulated banking and NBFC space, these reviews remain highly relevant in narrower but still material forms: a manufacturing or trading company extending significant trade credit to customers benefits from a credit risk review of its receivables book and customer credit-approval process; any company with material process dependencies — manual approvals, single points of failure, weak segregation of duties in payments or procurement — benefits from an operational risk review; and virtually every company today, given its dependency on ERP systems, customer data, and digital payment rails, benefits from an IT risk review covering access controls, backup and recovery readiness, and cybersecurity exposure, particularly given the compliance obligations and reputational stakes introduced by the DPDP Act, 2023.

These three reviews are deliberately structured as complementary lenses on a single underlying question — where is this organisation's actual risk exposure understated relative to its stated or assumed risk profile — rather than three disconnected audits. A credit risk review that finds under-provisioning often traces back to an operational risk gap in the credit-monitoring process; an operational risk review that finds a control failure in loan disbursement often traces back to an IT risk gap in system access controls. PNPC scopes these engagements individually or as an integrated review depending on the client's regulatory status, risk profile, and Board's specific concerns, and reports findings in a form the Board, the Audit Committee, and — where applicable — RBI's supervisory teams can act on directly.

When Credit, Operational & IT Risk Reviews are the right engagement

NBFC crossing into the Middle Layer or Upper Layer under RBI's Scale Based Regulation framework, triggering enhanced risk management, IT governance, and Risk Management Committee obligations

Bank or NBFC preparing for an RBI supervisory inspection, or responding to observations already raised by RBI on credit appraisal, provisioning, or IT governance practices

Rising NPA levels, deteriorating asset quality, or a Board/Audit Committee that wants an independent view on whether provisioning under Ind AS 109 ECL or IRAC norms genuinely reflects the credit book's risk

A recent operational loss event — a processing error, an internal fraud, a vendor failure — that has prompted the organisation to ask what other operational control gaps exist beyond the one that surfaced

A cybersecurity incident, near-miss, or a peer-institution breach that has raised Board-level concern about the organisation's own IT risk posture and incident-readiness

Statutory auditor or RBI-appointed auditor raising IT general controls (ITGC) observations that need independent, structured remediation beyond a one-line management response

Preparing for a bank credit rating review, cyber insurance renewal, or lender due diligence that specifically evaluates credit, operational, and IT risk management maturity

Corporate with a material trade-credit book, significant manual process dependencies, or growing reliance on core IT systems, seeking assurance proportionate to that exposure even without a regulatory mandate

M&A due diligence or investment diligence where the acquirer or investor specifically requires an independent credit book quality review and IT risk assessment before closing

When a narrower or different engagement fits better

A confirmed fraud has already occurred and the organisation needs to determine what happened, who was involved, and the financial impact — that calls for a targeted forensic investigation, not a broad risk review

The organisation's need is a full Enterprise Risk Management framework spanning strategic, financial, compliance, and reputational risk categories, of which credit/operational/IT risk are only a subset — an ERM engagement is the better starting point, with these three reviews as a subsequent deeper dive

The immediate requirement is statutory Internal Financial Controls (IFC) testing for the annual audit under Section 143(3)(i) of the Companies Act — that is a defined, narrower scope tied to financial reporting controls specifically, though it overlaps with operational risk review methodology

A very small NBFC in the Base Layer with a simple lending book, no near-term scale-up plans, and straightforward operations — a lighter internal review by existing compliance staff, with periodic external validation, may be proportionate rather than a full three-domain review

The organisation needs business continuity or disaster recovery planning for a specific system or facility — a focused BCP/DR engagement is faster and more targeted than a broader IT risk review, though IT risk review often identifies where BCP/DR gaps exist

IT needs are limited to a one-time penetration test or vulnerability scan — a focused cybersecurity technical assessment by a specialist security firm is more appropriate than a broader IT governance and risk review

Structure Comparison

Credit, Operational & IT Risk Review vs related risk and assurance engagements

FeatureCredit Risk ReviewOperational Risk ReviewIT Risk ReviewForensic InvestigationStatutory IFC Testing
Primary objectiveAssess quality, concentration, and provisioning adequacy of the credit/lending bookAssess people, process, and system failure exposure across business operationsAssess cybersecurity, access control, data integrity, and system resilienceDetermine facts, quantum, and parties involved in a suspected or confirmed fraudTest design and operating effectiveness of financial reporting controls
Governing frameworkRBI IRAC norms, Ind AS 109 ECL model, RBI SBR framework for NBFCsRBI operational risk guidelines, Basel operational risk taxonomyRBI IT Governance, Risk, Controls and Assurance Practices Master Direction; DPDP Act, 2023; ISO 27001 principlesStandards on Forensic Accounting and Investigation (ICAI), Companies Act fraud reporting provisionsSection 134(5)(e) Companies Act, COSO Internal Control Integrated Framework
Typical triggerRising NPAs, RBI inspection prep, provisioning concerns, portfolio scale-upLoss event, control gap discovery, process scale-upCyber incident, ITGC audit observation, DPDP compliance needWhistle-blower complaint, detected irregularity, audit red flagAnnual statutory audit cycle
Who commissions itBoard, Audit Committee, or RBI supervisory directionBoard, Audit Committee, or Risk Management CommitteeBoard, CISO function, or Audit CommitteeAudit Committee, Board, or in response to a specific complaintStatutory auditor as part of the annual audit
Typical outputPortfolio quality report, provisioning adequacy assessment, concentration analysis, remediation planControl gap report, loss-event register, process remediation roadmapIT risk assessment report, ITGC gap analysis, remediation and governance roadmapInvestigation report with findings, evidence trail, and recommended actionControl matrix, deficiency report, management action plan
Mandatory forBanks and NBFCs under RBI supervision; expected practice for large credit-extending corporatesBanks and NBFCs under RBI operational risk guidelines; good practice for othersBanks and Middle/Upper Layer NBFCs under RBI IT Governance Master Direction; expected practice for most corporates given DPDP Act exposureSituational — triggered by specific facts, not a recurring statutory cycleAll companies, as part of Board's responsibility under the Companies Act
FrequencyPeriodic — typically annual or aligned to RBI inspection cyclePeriodic — typically annual, more frequent post loss-eventPeriodic — typically annual, with continuous monitoring componentsOne-time, scoped to the specific matter under investigationAnnual, aligned to statutory audit cycle
Relationship to ERMA deep-dive within the financial/credit risk category of a broader ERM risk universeA deep-dive within the operational risk category of a broader ERM risk universeA deep-dive within the technology risk category of a broader ERM risk universeTypically triggered by a risk that materialised despite the ERM/control frameworkA specialised subset of the operational/financial risk category within ERM

These three reviews are frequently commissioned together for banks and NBFCs because RBI's supervisory framework expects an integrated view of credit, operational, and IT risk maturity — but each can also be scoped independently based on the specific concern driving the engagement. The right combination and depth for your organisation should be confirmed with a practising CA based on your regulatory status, risk profile, and Board's priorities.

How it works
#Stage & What PNPC DoesWhat Generic Providers SkipTimeline
1Scoping & Regulatory Applicability AssessmentWe first establish which of the three domains — credit, operational, IT — genuinely need review given your regulatory status (bank, NBFC layer under RBI's Scale Based Regulation, or non-regulated corporate), and whether the engagement should be integrated or run as separate scoped reviews. We do not default to a one-size-fits-all bundle when a client's actual exposure calls for a narrower or differently weighted scope.Week 1
2Data & Documentation RequestA structured, domain-specific document request — loan book data and appraisal files for credit risk, process maps and incident logs for operational risk, IT asset registers and access logs for IT risk — issued upfront so the fieldwork phase is not repeatedly interrupted by ad hoc document chasing, which is the single biggest cause of engagement delay we see from other providers.Week 1–2
3Credit Risk — Portfolio Sampling & Appraisal ReviewFor credit risk scope: a risk-based (not purely random) sample of the loan/credit book, weighted toward higher-value exposures, recent originations, and any accounts showing early-warning stress signals, reviewed against the entity's own credit policy and RBI's IRAC/Ind AS 109 provisioning norms — checking whether appraisal, sanctioning, and monitoring actually followed the documented policy, not just whether a policy exists.Week 2–4
4Credit Risk — Concentration & Provisioning Adequacy AnalysisSector, borrower-group, and geography concentration analysis against internal limits and RBI's large exposure framework where applicable, combined with an independent recalculation of ECL/IRAC provisioning on a sample basis to assess whether the entity's own provisioning is understated relative to actual portfolio risk — a step generic reviewers frequently skip in favour of simply confirming a provisioning policy exists.Week 3–5
5Operational Risk — Process Walkthroughs & Control TestingWalkthroughs of the highest-risk operational processes — loan disbursement, cash/treasury operations, procurement, payroll, vendor onboarding — with actual transaction testing against the control design, not just interviews about how the process is supposed to work. Segregation-of-duties gaps, manual override frequency, and exception-handling discipline are specifically assessed.Week 3–6
6Operational Risk — Loss Event & Near-Miss Register ReviewReview of any existing operational loss-event log, incident register, or internal audit findings history to identify recurring control themes, combined with structured interviews to surface near-misses that were resolved informally and never formally logged — these near-misses are often the earliest warning of a systemic control gap.Week 4–6
7IT Risk — Governance & Policy ReviewAssessment of the Board-approved IT strategy (or its absence), IT risk management policy, CISO or equivalent function, and whether IT governance meets RBI's Master Direction requirements for applicable entities — this governance layer is frequently missing entirely at NBFCs that have scaled quickly without formalising IT oversight.Week 4–5
8IT Risk — Access Control & IT General Controls (ITGC) TestingTesting of user access provisioning and de-provisioning, privileged access management, segregation of duties within core banking/lending systems, change management discipline, and backup/recovery evidence — sampled against actual system logs, not management's description of the control environment.Week 5–7
9IT Risk — Cybersecurity Posture & DPDP Readiness AssessmentA structured cybersecurity risk assessment covering network security, endpoint protection, incident response readiness, and third-party/vendor IT risk, combined with a DPDP Act, 2023 compliance gap assessment covering consent management, data breach notification readiness, and data processor agreements — increasingly a Board-level concern independent of RBI applicability.Week 6–8
10Cross-Domain Findings CorrelationFindings across the three domains are deliberately cross-referenced — a credit provisioning gap traced to a weak early-warning monitoring process, an operational control failure traced to an IT access control gap — because the most material risks are often visible only when the three lenses are combined, which is precisely what a single-domain review misses.Week 7–8
11Draft Report, Risk Rating & Management ResponseA structured draft report with findings individually risk-rated (High/Medium/Low or the entity's own rating convention), root-cause analysis rather than surface-level symptom description, and a formal management response cycle before finalisation — ensuring findings are accurate and actionable rather than disputed after the fact.Week 8–9
12Remediation Roadmap & Ownership AssignmentEvery finding is paired with a specific, named-owner remediation action and a realistic target date — not a generic 'management to strengthen controls' recommendation that provides no accountability trail for the next review cycle or for RBI supervisory follow-up.Week 9
13Board / Audit Committee / Risk Committee PresentationFindings and the remediation roadmap presented directly to the Board, Audit Committee, or Risk Management Committee — in the format and level of detail that committee actually needs to discharge its oversight responsibility, with PNPC available to field questions directly rather than leaving the client to interpret a written report alone.Week 9–10
14Follow-Up Remediation VerificationA scoped follow-up review — typically 3–6 months after the initial report — to verify that committed remediation actions have actually been implemented, not just marked closed in a tracker. This closes the loop that many one-time reviews leave open.3–6 months post-report

Realistic timeline for a full integrated Credit, Operational & IT Risk Review: 8–10 weeks from scoping to Board presentation for a single-entity bank or NBFC of moderate size and complexity. A single-domain review (credit only, or IT only) typically takes 4–6 weeks. Larger, multi-branch, or multi-entity organisations, or those with limited existing documentation, should expect a longer timeline. Follow-up verification review is a separate, shorter engagement typically 3–6 months later.

Document Checklist
Corporate, Regulatory & Governance Documents

Certificate of Incorporation, RBI Certificate of Registration (for NBFCs) or banking licence, and current classification under RBI's Scale Based Regulation layer, if applicable

Board and Committee composition, including Risk Management Committee, Audit Committee, and IT Strategy Committee terms of reference where constituted

Board-approved credit policy, operational risk policy, and IT risk/security policy documents, along with the date of last review

Minutes of the last 4–6 Board, Risk Committee, and Audit Committee meetings, particularly any prior discussion of credit quality, operational losses, or IT/cyber incidents

Any prior RBI inspection report, supervisory letter, or observations, and the entity's response and remediation status

Credit Risk — Portfolio & Appraisal Records

Loan/credit book data extract — borrower-wise exposure, sanction date, security/collateral details, current classification (Standard/SMA/NPA), and provisioning held

Credit appraisal policy, sanctioning authority matrix, and a sample of complete loan files across ticket sizes and vintages

Portfolio concentration reports — by sector, borrower group, geography, and product — against internal exposure limits

Ind AS 109 ECL model documentation and assumptions, or IRAC classification working papers, for the most recent reporting period

Early-warning signal (EWS) framework documentation and the current list of accounts flagged under it

Operational Risk — Process & Incident Records

Standard Operating Procedures (SOPs) for key processes — loan disbursement, cash/treasury handling, procurement, payroll, vendor onboarding

Delegation of Authority (DOA) matrix and evidence of segregation of duties across critical transaction cycles

Operational loss event register or incident log, if maintained, covering at least the past 2–3 years

Internal audit reports for the most recent 2–3 cycles, with particular attention to repeat findings

Details of any material vendor/outsourcing arrangements and the outsourcing risk assessment performed, if any, particularly for arrangements falling under RBI's outsourcing guidelines

IT Risk — Systems, Access & Security Records

IT asset register — core banking/lending system, ERP, key applications, and hosting environment (on-premise/cloud) details

User access list for critical systems with role mapping, and evidence of periodic access review/recertification

Change management log for the past 6–12 months, showing approval trail for production changes

Backup, disaster recovery, and business continuity documentation, including last tested Recovery Time Objective (RTO) and Recovery Point Objective (RPO) evidence

Cybersecurity policy, incident response plan, and record of any security incidents, near-misses, or vulnerability assessment/penetration test reports in the past 12–24 months

Data privacy documentation and processor/vendor agreements relevant to Digital Personal Data Protection Act, 2023 compliance

Financial & Compliance Records

Latest audited financial statements and, for banks/NBFCs, the latest regulatory returns filed with RBI

Statutory auditor's management letter and any IT general controls (ITGC) or internal control observations from the most recent audit

Details of any litigation, customer complaints, or regulatory correspondence relating to credit practices, operational failures, or data/IT incidents in the past 3 years

Insurance policy schedule, including cyber insurance coverage if held, and any recent claims

Prior Risk & Assurance Work

Any existing Enterprise Risk Management framework, risk register, or risk appetite statement covering credit, operational, or IT risk categories

Prior credit risk, operational risk, or IT risk review reports, whether performed internally or by a third party, along with remediation status

Board or management self-assessment against RBI's IT Governance, Risk, Controls and Assurance Practices Master Direction, if performed

Any prior forensic investigation reports or fraud incident reports, where relevant to understanding recurring operational or IT control themes

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Regulatory Threshold Assessment (Ongoing)NBFC asset size growth or new banking/NBFC licenceContinuous monitoring of applicability under RBI's Scale Based Regulation layers and the IT Governance Master Direction, so governance obligations are anticipated before the threshold is actually crossed, not discovered afterward.Crossing into Middle or Upper Layer without pre-built governance structures — leaving the entity non-compliant from the day the threshold is crossed, exposed to RBI supervisory action.
First Integrated Review (Baseline)Board or RBI-prompted decision to establish independent risk assuranceFull credit, operational, and IT risk review establishing a documented baseline — findings risk-rated, root-caused, and paired with a remediation roadmap with named owners and target dates.No independent baseline exists — the Board relies entirely on management's own assessment of risk quality, with no external validation until an external event (RBI inspection, loss event) forces the issue.
Remediation Execution (Month 1–6 post-review)Findings accepted by the Board/Audit CommitteeStructured tracking of remediation actions against committed timelines, with PNPC available for advisory support on control redesign, provisioning methodology correction, or IT governance build-out as remediation is executed.Findings agreed in principle but never actually remediated — the same gaps resurface at the next review or, worse, at the next RBI inspection, undermining credibility with the regulator.
Follow-Up Verification (Month 3–6)Remediation deadlines reachedAn independent follow-up review verifying that remediation actions were genuinely implemented — tested, not just marked closed in a tracker — closing the loop that self-certified remediation cannot credibly close on its own.Remediation marked complete internally without independent verification — a false sense of resolution that surfaces as a repeat finding, damaging credibility with auditors, RBI, or the Board.
Annual Refresh CycleFinancial year-end / RBI inspection cycleFormal annual refresh of all three risk domains, incorporating portfolio growth, new operational processes, system changes, and emerging cyber threats — ensuring the risk review stays current rather than reflecting a point-in-time snapshot that ages quickly.A stale risk assessment that no longer reflects actual portfolio composition or IT environment — creates a governance gap that becomes visible precisely when an RBI inspection or credit rating review occurs.
Portfolio Stress EventRising NPAs, sector downturn, concentrated exposure deteriorationFocused, accelerated credit risk deep-dive — re-testing provisioning adequacy, early-warning signal effectiveness, and concentration exposure against the stress scenario actually unfolding, rather than waiting for the next scheduled annual cycle.Provisioning that lags actual portfolio deterioration — understated NPAs and provisioning discovered by the statutory auditor or RBI rather than proactively by the entity, with reputational and regulatory consequences.
Operational Loss or IT IncidentFraud discovery, processing failure, cyber incident, near-missRapid post-event root-cause review — distinguishing this from a full forensic investigation where facts are already known — focused on whether the control or IT gap that allowed the event is isolated or systemic, and what else in the same control family needs re-testing.The same control gap recurs in a different form because only the specific symptom was addressed, not the underlying systemic weakness — repeat incidents erode Board, investor, and regulatory confidence.
M&A / Investment DiligenceAcquisition, investment round, or lender due diligenceScoped credit book quality review and IT risk assessment specifically structured for the diligence timeline and the acquirer/investor/lender's specific concerns, delivered as a standalone diligence report distinct from the entity's own periodic risk review.Credit quality or IT risk issues surfacing for the first time during the counterparty's own due diligence — causing valuation adjustments, deal delays, or in some cases deal collapse.
Frequently asked
What exactly do Credit, Operational & IT Risk Reviews cover, in plain terms?

Three related but distinct questions. Credit risk review asks: is the loan/credit book actually as healthy as it appears, and is provisioning adequate for the risk actually present? Operational risk review asks: where could a process, people, or control failure cause a direct financial or reputational loss, and are those gaps currently open? IT risk review asks: is the technology environment — access controls, data security, system resilience — adequately protected, governed, and compliant with current data protection law? PNPC scopes these individually or together depending on your regulatory status and specific concern.

Practitioner noteThe most valuable finding in an integrated review is almost always the connection between domains — a credit provisioning gap that traces back to a weak monitoring process, which traces back to inadequate system access controls. A single-domain review structurally cannot surface that chain.
Is this review mandatory for our organisation, or is it discretionary?

For banks and NBFCs, elements of this review are effectively mandatory through RBI's supervisory framework: NBFCs in the Middle and Upper Layers under the Scale Based Regulation framework must meet enhanced risk management and IT governance requirements, and RBI's IT Governance, Risk, Controls and Assurance Practices Master Direction applies directly to banks and Middle/Upper Layer NBFCs. For a non-regulated corporate, there is no single statute mandating this exact review, but a material trade-credit book, significant process dependencies, or meaningful IT/data exposure make it a genuinely prudent, increasingly expected practice — particularly given DPDP Act, 2023 obligations that apply regardless of sector.

Practitioner noteWe check applicability precisely against your RBI registration category and SBR layer before scoping — an NBFC in the Base Layer has materially lighter obligations than one that has scaled into the Middle Layer, and we do not recommend Upper-Layer-grade rigour to a Base Layer entity that does not yet need it.
What is RBI's Scale Based Regulation (SBR) framework and how does it affect our review scope?

SBR, effective from October 2022, classifies NBFCs into four layers — Base, Middle, Upper, and Top — based on size, activity, and perceived riskiness, with progressively more stringent governance, risk management, and capital requirements at each higher layer. Upper Layer NBFCs face requirements closer to those applicable to banks, including mandatory Board-level Risk Management Committee constitution, more rigorous IT governance, and enhanced disclosure. The layer your NBFC currently sits in — and how close it is to crossing into the next layer — directly determines how rigorous a credit, operational, and IT risk review needs to be, and how soon.

Practitioner noteWe specifically flag layer-transition risk for growing NBFC clients — crossing from Middle to Upper Layer, for example, triggers new governance obligations that need lead time to build properly, not a scramble after the classification changes.
What is the difference between IRAC norms and the Ind AS 109 ECL model for provisioning?

IRAC (Income Recognition and Asset Classification) norms are RBI's traditional, incurred-loss-based framework classifying advances as Standard, Sub-Standard, Doubtful, or Loss, with prescribed minimum provisioning percentages for each category. Ind AS 109's Expected Credit Loss (ECL) model, applicable to NBFCs that have adopted Ind AS, is a forward-looking framework requiring provisioning based on probability-weighted expected losses over the life of the exposure, factoring in macroeconomic forward-looking information — generally producing higher, more risk-sensitive provisioning than IRAC in a deteriorating credit environment. RBI has indicated its intent to move banks toward an ECL-based framework as well, though implementation timelines have been extended; NBFCs on Ind AS already apply ECL.

Practitioner noteThe single most common finding in our credit risk reviews of Ind AS NBFCs is an ECL model with reasonable-looking methodology on paper but weak, poorly evidenced macroeconomic overlay assumptions — the model looks sophisticated but the actual provisioning number is not meaningfully more accurate than a simpler approach would produce.
How do you actually test whether provisioning is adequate — isn't that just checking a formula?

No — we independently recalculate provisioning on a risk-based sample of accounts using the entity's own stated methodology and assumptions, then separately stress-test those assumptions against actual portfolio performance (roll-rates, recovery experience, collateral realisation history) to assess whether the assumptions themselves are defensible, not just whether the formula was applied correctly. A mathematically correct ECL calculation built on unrealistically optimistic assumptions still understates real risk.

Practitioner noteWe specifically test collateral valuation currency — a common gap is provisioning models that assume collateral values from origination remain current years later, without any revaluation discipline, materially understating loss-given-default in a downturn.
What counts as 'operational risk' — can you give concrete examples?

Operational risk covers loss arising from inadequate or failed internal processes, people, and systems, or from external events — excluding credit and market risk. Concrete examples: a payment released without the required dual approval due to a workflow override, a key-person dependency where only one employee understands a critical reconciliation process, a vendor failing to deliver a critical service with no contingency plan, a data entry error in loan disbursement that goes undetected for months, or an internal fraud enabled by inadequate segregation of duties between transaction initiation and approval.

Practitioner noteWe consistently find that the highest-value operational risk findings come from walking through actual transactions end-to-end rather than reviewing the SOP document in isolation — the documented process and the actual practised process diverge more often than management expects.
What is segregation of duties and why does it come up so often in operational risk reviews?

Segregation of duties is the control principle that no single individual should be able to both initiate and approve a transaction, or both execute and reconcile it, without independent oversight — reducing the risk of undetected error or fraud. It comes up constantly because it is one of the most foundational operational controls, yet is also one of the most commonly compromised as organisations scale quickly, add system access without revisiting role design, or rely on informal trust rather than system-enforced controls.

Practitioner noteSystem-level segregation of duties is more reliable than policy-level segregation — a documented policy saying two people must approve a payment is far weaker than a system configuration that physically prevents the same user ID from both initiating and approving. We test the system configuration directly, not just the policy document.
What does an IT risk review actually examine, and how is it different from a cybersecurity penetration test?

A penetration test is a narrow, technical exercise simulating an attacker attempting to breach specific systems — valuable, but scoped to technical vulnerabilities. An IT risk review is broader: it examines IT governance (is there a Board-approved IT strategy and risk-owning function), access controls, change management discipline, data backup and disaster recovery readiness, vendor/third-party IT risk, and regulatory compliance posture (RBI IT Governance Master Direction, DPDP Act) — of which technical vulnerability is only one component. Many organisations with a clean penetration test result still have material IT governance and access control gaps.

Practitioner noteWe frequently recommend a penetration test as a complementary, specialist engagement alongside our IT risk review rather than performing it ourselves — it requires different, more specialised technical tooling than a governance and controls review, and we are transparent about that boundary.
How does the Digital Personal Data Protection Act, 2023 factor into an IT risk review?

The DPDP Act, 2023 creates specific obligations around lawful processing of personal data, consent management, data breach notification, data principal rights, and significant penalties for non-compliance — all of which materially expand the scope of what a current IT risk review needs to assess beyond traditional cybersecurity and access control testing. We specifically assess consent mechanisms, data processor agreements, breach notification readiness, and data retention practices as part of the IT risk review, with rules and compliance timelines being operationalised progressively by the government.

Practitioner noteMany organisations still treat DPDP compliance as a separate legal exercise handled by outside counsel, disconnected from the IT risk review. We deliberately integrate the two, because the technical controls needed for DPDP compliance — access logging, data minimisation, breach detection — are the same controls an IT risk review should already be testing.
We are a corporate, not a bank or NBFC. Do we still need this review?

It depends on your specific exposure rather than regulatory status alone. If you extend material trade credit to customers, a credit risk review of your receivables book and credit-approval process is worthwhile regardless of RBI applicability. If you have significant manual process dependencies — payments, procurement, payroll — an operational risk review adds real value. And given that virtually every business today depends on ERP systems, customer data, and digital payment infrastructure, an IT risk review covering access controls and DPDP compliance readiness is increasingly a prudent baseline rather than a regulated-entity-only exercise.

Practitioner noteWe scope these reviews proportionately for corporates — a mid-sized trading company does not need bank-grade rigour, but a lighter-touch version of the same methodology consistently surfaces gaps founders did not know existed, particularly around IT access controls.
How long does a full integrated review take?

For a single-entity bank or NBFC of moderate size and complexity, a realistic timeline from scoping through Board presentation is 8–10 weeks. A single-domain review — credit risk only, or IT risk only — typically takes 4–6 weeks. Larger, multi-branch organisations, or those with limited existing documentation and process maps, should expect a longer timeline. A follow-up remediation verification review, typically conducted 3–6 months after the initial report, is a separate and shorter engagement.

Practitioner noteWe resist compressing the fieldwork and sampling phase to hit an aggressive deadline — a rushed portfolio sample or a superficial process walkthrough is the most common reason a review misses the finding that actually mattered.
What does this engagement typically cost?

Cost depends materially on portfolio size, number of branches/locations, IT system complexity, and whether the engagement covers all three domains or a single domain. PNPC agrees a fixed, written scope and fee before any engagement begins, distinguishing the initial review phase from any follow-up remediation verification review, so the client knows exactly what is included at each stage.

Practitioner noteWe deliberately do not quote a headline number without first understanding scope — a credit-only review of a small NBFC and a full integrated review of a multi-branch Upper Layer NBFC are simply not comparable pieces of work.
Who typically commissions this review internally — the CFO, the CRO, or the Board directly?

Most commonly the Board or the Risk Management Committee/Audit Committee commissions the review directly, given its independent assurance nature, though the CFO, Chief Risk Officer, or Head of Internal Audit is usually the primary internal coordination point for scoping and document access. For entities without a dedicated CRO, the CFO or Company Secretary typically fills that coordination role.

Practitioner noteWe prefer the engagement to be formally commissioned by the Audit Committee or Risk Committee rather than solely by operational management being reviewed — it preserves the independence of the findings and avoids any perception that scope was narrowed to avoid uncomfortable results.
Does PNPC perform the credit portfolio sample review on every single loan, or a sample?

A risk-based sample, not a full-portfolio review — full-portfolio testing is rarely proportionate or necessary to assess systemic quality. The sample is weighted toward higher-value exposures, recent originations (where appraisal discipline is most current), and accounts already showing early-warning stress signals, since these are where provisioning and appraisal weaknesses are most likely to be material. Sample size and stratification are agreed with the client and, where relevant, calibrated to what an RBI inspection team would typically expect to see tested.

Practitioner noteWe are transparent about sample methodology in the final report — a Board or RBI reviewer should be able to see exactly how the sample was constructed and why, not just the resulting findings.
What is an Early Warning Signal (EWS) framework and why does it matter to a credit risk review?

An EWS framework is a set of defined indicators — payment delays, bounced cheques, adverse credit bureau movement, declining account turnover, sector-level stress signals — designed to flag a credit exposure showing early signs of stress before it formally slips into a lower asset classification. A well-functioning EWS framework allows proactive engagement with a stressed borrower and earlier provisioning recognition; a weak or non-existent one means asset quality deterioration is discovered only when it has already progressed to NPA classification, by which point recovery options are more limited.

Practitioner noteWe specifically test whether EWS-flagged accounts actually receive differentiated monitoring and follow-up, not just whether the flag exists in a report that nobody acts on — a dashboard that flags risk without triggering action provides false comfort.
What are IT General Controls (ITGC) and why do they matter beyond the statutory audit?

ITGCs are the foundational controls over an IT environment that support the reliability of application-level controls and data — access management, change management, IT operations (backup, job scheduling), and program development controls. Statutory auditors test ITGCs specifically to determine how much reliance they can place on system-generated financial data. Beyond the audit context, weak ITGCs — particularly around access provisioning and change management — are frequently the root cause of both operational risk incidents and cybersecurity exposure, which is why IT risk review tests them more broadly than an audit-scoped ITGC review would.

Practitioner noteA very common finding: user access rights that were never revoked after an employee's role change or exit. This single gap simultaneously creates a statutory ITGC deficiency, an operational segregation-of-duties risk, and a cybersecurity exposure — one root cause, three consequences.
Can this review help with our cyber insurance renewal?

Yes. Insurers increasingly require, or price more favourably based on, evidence of the applicant's risk management maturity — documented IT governance, access controls, incident response readiness, and backup/recovery testing. An IT risk review report and its remediation roadmap can materially support the underwriting conversation and, in our experience, has helped clients secure improved terms upon renewal after addressing identified gaps.

Practitioner noteWe recommend timing an IT risk review to precede a cyber insurance renewal by at least 6–8 weeks, giving enough time to remediate the more straightforward findings before the insurer's own underwriting review, rather than presenting unremediated gaps at renewal time.
How does this review relate to a full Enterprise Risk Management (ERM) framework?

Credit, operational, and IT risk are three of the risk categories within a comprehensive ERM risk universe, alongside strategic, financial, compliance, and reputational risk. Where an ERM framework already exists, this review serves as a deeper, more technically rigorous assessment within those three specific categories, feeding its findings back into the broader risk register. Where no ERM framework exists yet, this review can stand alone, or serve as a natural starting point that later expands into a full ERM build once the organisation sees the value of structured risk assessment in these three material domains.

Practitioner noteWe often sequence engagements this way for growing NBFCs — start with a credit, operational, and IT risk review given its direct regulatory relevance, then expand into a full ERM framework once the organisation and its Board are ready for the broader governance commitment.
What happens if the review finds a serious, immediate risk during fieldwork — do we wait for the final report?

No. PNPC escalates any finding assessed as an immediate, material risk — a live fraud indicator, a critical unpatched security vulnerability, or a provisioning gap severe enough to affect the entity's regulatory capital position — directly and promptly to the Audit Committee or Board Chair, rather than holding it for the scheduled final report presentation. The final report still documents the finding formally, but urgent risks are not left to sit until the standard reporting cycle.

Practitioner noteWe agree an escalation protocol with the client at the start of every engagement — who gets contacted, how quickly, and through what channel — precisely so there is no ambiguity if fieldwork surfaces something that cannot wait.
Do you provide remediation implementation support, or only the findings report?

Both models are available and are scoped separately. Many clients engage PNPC for the review and findings report as a defined project, then handle remediation internally with PNPC available for ad hoc advisory support on specific fixes — provisioning methodology correction, control redesign, IT governance policy drafting. Other clients, particularly those without deep in-house risk or IT governance expertise, prefer PNPC to remain actively involved through remediation execution and the follow-up verification review.

Practitioner noteWe scope this explicitly upfront rather than assuming — a client who expects hands-on remediation support and receives only a report, or vice versa, ends up disappointed regardless of the quality of the underlying work.
How does RBI's Master Direction on IT Governance apply specifically to NBFCs, and which layers does it cover?

RBI's Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (2023) applies to banks and to NBFCs in the Middle and Upper Layers under the Scale Based Regulation framework — Base Layer NBFCs are not directly bound by its detailed requirements, though adopting proportionate elements of it as good practice is prudent given how quickly an NBFC can scale into the Middle Layer. The Direction requires a Board-approved IT strategy, a dedicated IT function with appropriate governance, defined RTO/RPO for critical systems, and structured IT risk assessment.

Practitioner noteWe flag this proactively to Base Layer NBFC clients showing rapid growth — building IT governance structures ahead of the Middle Layer threshold, rather than scrambling once the classification changes, avoids a compressed and costlier compliance sprint.
Can PNPC support this review for a group with both Indian and UAE entities?

Yes. PNPC operates from Chennai, Bangalore, Hyderabad, and Dubai. For groups with lending, operational, or IT infrastructure spanning both jurisdictions, we build a consolidated view that accounts for cross-border considerations — UAE Central Bank regulatory requirements for any UAE-licensed finance entity, cross-border data flow implications under both DPDP Act and applicable UAE data protection law, and group-level operational risk that can propagate between entities — rather than two disconnected, single-jurisdiction reviews.

Practitioner noteCross-border credit and IT risk correlation is a genuinely underserved area — most advisory firms operate in only one jurisdiction and cannot see how a vendor or system dependency shared across entities creates a single point of failure for the whole group. Our presence in both allows a coherent, group-level view.
What is the difference between this review and what our statutory auditor already does?

The statutory auditor's primary objective is an opinion on whether the financial statements present a true and fair view, which includes testing ITGCs and internal financial controls specifically to the extent they affect financial reporting reliability — a narrower, financial-statement-focused lens. Credit, Operational & IT Risk Review is a broader, forward-looking management assurance exercise — assessing portfolio quality and provisioning adequacy beyond audit sampling thresholds, operational risk beyond financial-reporting-relevant processes, and IT risk beyond ITGCs relevant to the audit — designed to inform Board and RBI-facing risk management, not primarily to support an audit opinion.

Practitioner noteWe coordinate with the statutory auditor where PNPC is not also the statutory auditor for a client, sharing relevant findings (with client consent) to avoid duplicated fieldwork and to ensure the auditor's own risk assessment benefits from our deeper-dive testing.
How does PNPC handle findings that reveal a potential regulatory breach, not just a control gap?

Where fieldwork surfaces something that appears to be an actual regulatory breach — for example, provisioning materially below RBI's prescribed minimum, or an exposure limit breach — rather than simply a control weakness, PNPC flags this distinctly and promptly to the Board/Audit Committee, with a clear factual basis, so the entity can assess its own disclosure and remediation obligations with appropriate legal input alongside our findings. We do not make the disclosure decision on the client's behalf, but we ensure the Board has the facts promptly and clearly.

Practitioner noteWe are deliberate about the distinction between 'this control could be stronger' and 'this appears to already be a breach requiring urgent attention' — conflating the two in a report dilutes the urgency of genuine breaches and can leave a Board under-informed on what needs immediate action.
Is a single review enough, or should this be a recurring engagement?

A single review establishes a valuable baseline, but credit portfolios, operational processes, and IT environments all change continuously — new products, new systems, new vendors, evolving cyber threats. Most clients in regulated categories (banks, Middle/Upper Layer NBFCs) benefit from an annual cycle, aligned to the financial year-end and any RBI inspection cadence, with lighter-touch interim reviews for specific domains if a material change occurs (a new core banking system, a significant portfolio shift) between annual cycles.

Practitioner noteWe advise against treating this as a purely reactive, one-time exercise triggered only by a problem — the organisations that get the most value run it as a standing annual discipline, because it consistently catches emerging issues before they become the problem that would otherwise trigger a reactive review.
What is the single most common finding across the credit, operational, and IT domains?

Documented policy that does not match actual practice. Nearly every organisation we review has a credit policy, an operational SOP, and an IT security policy that reads well on paper — the recurring gap is between what the policy says should happen and what our testing shows actually happens: appraisal shortcuts under commercial pressure, manual overrides of segregation-of-duties controls, and access rights that were never revoked after role changes. The policy exists; the discipline of following it consistently does not.

Practitioner noteThis is why we insist on transaction-level testing and system-log verification rather than relying on policy documents and management interviews alone — the gap between stated policy and actual practice is precisely what a checklist-based review misses and a testing-based review catches.
Can this review be used to support a bank credit rating or lender relationship?

Yes. A structured, independently performed risk review — particularly one covering credit portfolio quality and provisioning adequacy — can support conversations with lenders and rating agencies who are themselves assessing the entity's credit and risk management maturity as part of their own rating or lending decision. We are candid, however, that the review's purpose is genuine risk assessment, not producing a favourable document for external presentation — findings are reported factually regardless of how they may be received externally.

Practitioner noteClients occasionally ask whether findings can be softened for external presentation purposes. We do not do this — the value of the report to a lender or rating agency depends entirely on its being a genuine, independent assessment, and that credibility is what makes it useful in the first place.
Does PNPC also perform statutory or internal audit for the same client, and does that create a conflict?

Where PNPC also serves as internal auditor or statutory auditor for a client, we manage independence carefully — RBI and ICAI guidelines govern the boundaries of what the same firm can perform for a regulated entity, and we structure engagement teams and scope accordingly, including using separate engagement teams where independence rules require it. We discuss this explicitly with clients during scoping, rather than assuming no conflict exists.

Practitioner noteFor banks and larger NBFCs in particular, we proactively flag where regulatory independence requirements may mean PNPC cannot perform both the statutory audit and this risk review — better to identify that at scoping than to discover it as an issue after fieldwork has begun.
What is 'concentration risk' in a credit portfolio, and how do you measure it?

Concentration risk is the exposure an entity carries when its credit book is disproportionately weighted toward a single borrower, borrower group, sector, or geography — meaning a single adverse event can impact a large share of the portfolio at once. We measure it against the entity's own internal exposure limits (if defined) and, for larger NBFCs, against RBI's large exposure framework where applicable, breaking the portfolio down by top-N borrower groups, sector-wise exposure as a percentage of net worth, and geographic clustering, particularly for entities with a regional lending focus.

Practitioner noteWe frequently find NBFCs with well-diversified borrower counts but hidden sector concentration — hundreds of small borrowers who are all, for example, dependent on a single agricultural crop cycle or a single local industry. Borrower-count diversification alone does not eliminate concentration risk.
What is the role of collateral valuation in a credit risk review, and how often should collateral be revalued?

Collateral valuation directly affects Loss Given Default (LGD) assumptions in provisioning models and the practical recoverability of an exposure if it turns delinquent. There is no single statutory revaluation frequency applicable to all lenders, but RBI guidance and prudent practice generally call for periodic revaluation — more frequently for volatile asset classes like unlisted equity or certain movable assets, less frequently for stable asset classes like registered immovable property — with a clear, Board-approved revaluation policy rather than an ad hoc or purely origination-date valuation relied upon indefinitely.

Practitioner noteWe test whether the entity's provisioning model actually uses current collateral values or silently continues to use origination-date valuations years later — this is one of the most consequential and most commonly missed gaps we find, because it quietly understates LGD across the entire secured portfolio.
Can a small or mid-sized corporate (not a bank or NBFC) get a scaled-down version of this review?

Yes, and this is a common and proportionate engagement. For a corporate with a material trade-credit book, we scope a focused review of the customer credit-approval process, receivables ageing and provisioning against Ind AS 109 (which applies to trade receivables for entities on Ind AS as well), and customer concentration — without the RBI-specific regulatory testing that applies only to banks and NBFCs. Operational and IT risk review scope is similarly right-sized to the corporate's actual process and system complexity.

Practitioner noteWe are explicit with corporate clients that a scaled-down review is not a lesser-quality review — it is the same testing discipline applied to a narrower, proportionate scope, which is exactly what a growing business actually needs rather than a bank-grade engagement it does not.
What is a 'root-cause' finding versus a 'symptom' finding, and why does PNPC insist on the distinction?

A symptom finding describes what went wrong in a specific instance — for example, 'a loan was disbursed without complete KYC documentation.' A root-cause finding explains why it was possible — for example, 'the loan origination system does not block disbursement when a mandatory KYC field is incomplete, and no compensating manual check exists.' Remediating only the symptom (correcting that one file) leaves the underlying gap open for the next transaction; remediating the root cause (a system control or compensating check) prevents recurrence across the whole portfolio.

Practitioner noteWe deliberately structure every finding in the report with both the specific instance evidence and the root-cause explanation — a Board or RBI reviewer should be able to see not just what happened, but why the control framework allowed it to happen.
How does PNPC handle client confidentiality given the sensitivity of credit and IT data reviewed?

All data accessed during the review — borrower-level credit information, system access credentials context, incident details — is handled under the engagement's confidentiality terms, accessed only by the assigned engagement team, and retained only as long as necessary to support the review and any follow-up verification. Where the review touches personal data within the scope of the Digital Personal Data Protection Act, 2023, we apply data-minimisation principles in our own working papers, extracting only what is needed for testing rather than retaining full data sets beyond what the engagement requires.

Practitioner noteWe agree data handling and access protocols with the client's IT/compliance function before fieldwork begins, particularly for on-site or remote access to live production systems — this is a standard part of our engagement setup, not an afterthought.
If we already had an internal audit this year, do we still need a separate risk review?

It depends on what the internal audit actually covered and how it was scoped. Internal audit typically tests a broader annual plan across many process areas at a defined depth, often rotating focus areas year to year, whereas a dedicated Credit, Operational & IT Risk Review goes deeper specifically into these three domains, with credit portfolio sampling and provisioning recalculation, IT governance assessment against RBI's Master Direction, and cross-domain correlation that a general internal audit plan may not have scoped this cycle. We review the internal audit's scope and findings first to avoid duplicating work, and focus this review on genuine gaps.

Practitioner noteWe routinely find that internal audit's annual plan allocated only limited hours to credit portfolio testing or IT governance specifically — not because internal audit is inadequate, but because its broader mandate necessarily spreads coverage thinner across many areas than a dedicated deep-dive review can.
What happens after the follow-up verification review — is that the end of the engagement?

Not necessarily. Some clients conclude the engagement after follow-up verification confirms remediation, planning to commission the next full review at the next annual cycle. Others transition to a lighter-touch ongoing advisory arrangement — periodic check-ins on emerging risk areas, ad hoc review of new products or systems before launch, and support preparing for the next RBI inspection cycle — rather than a hard stop between one-off engagements.

Practitioner noteWe find clients get the most sustained value from treating this as a recurring annual discipline with PNPC as a continuing risk advisory partner, rather than a series of disconnected, re-scoped-from-scratch engagements each year.
Why PNPC Global

How PNPC's Credit, Operational & IT Risk Review compares to alternatives

FeatureGeneric Consulting ChecklistIn-House Risk/Audit Team OnlyPNPC Global
Credit sampling methodologyOften a fixed percentage sample with no risk weightingDepends on internal team's credit expertise and independence from the lending functionRisk-based sample weighted to high-value, recent, and EWS-flagged exposures, tested against RBI IRAC/Ind AS 109 methodology
Regulatory groundingGeneral references to 'RBI guidelines' without SBR-layer-specific mappingVariable — depends on internal team's regulatory currency and RBI update trackingDirect mapping to current RBI Scale Based Regulation layer obligations and IT Governance Master Direction requirements
Cross-domain correlationCredit, operational, and IT typically reviewed as entirely separate, disconnected exercisesDepends on coordination across internal functions, often informal or absentFindings deliberately cross-referenced across all three domains to surface root causes that a single-domain review misses
Testing depthInterview-based, policy-document review with limited transaction testingVaries with internal team bandwidth and independence from the areas under reviewTransaction-level testing, system-log verification, and independent provisioning recalculation, not just policy review
Escalation protocolFindings held until final report regardless of urgencyDepends on internal reporting lines and comfort escalating to the BoardImmediate escalation of material, urgent findings directly to the Audit Committee or Board Chair, ahead of the final report
Follow-up verificationOne-time deliverable, remediation tracking left entirely to the clientDepends on internal team continuity and independence from remediation ownershipIndependent follow-up verification review 3–6 months later, testing whether remediation actually happened
Cross-border capabilitySingle-jurisdiction focus, typically India-onlyLimited to internal team's jurisdictional exposureConsolidated India-UAE group risk view from offices in both jurisdictions

What the PNPC package includes

  1. 01

    Scoping and regulatory applicability assessment against your RBI Scale Based Regulation layer and IT Governance Master Direction requirements

  2. 02

    Risk-based credit portfolio sampling and appraisal file review against your credit policy and RBI IRAC/Ind AS 109 provisioning norms

  3. 03

    Independent recalculation of provisioning adequacy on a sample basis, including collateral valuation currency and EWS framework effectiveness testing

  4. 04

    Operational risk process walkthroughs with actual transaction testing — not interview-only assessment — across your highest-risk business processes

  5. 05

    Segregation-of-duties and Delegation of Authority testing at the system-configuration level, not just the policy-document level

  6. 06

    IT governance review against RBI's IT Governance, Risk, Controls and Assurance Practices Master Direction, including CISO function and Board IT strategy assessment

  7. 07

    IT General Controls (ITGC) testing — access provisioning, change management, backup/recovery — sampled against actual system logs

  8. 08

    Cybersecurity posture assessment and Digital Personal Data Protection Act, 2023 compliance gap review

  9. 09

    Cross-domain findings correlation identifying root causes visible only when credit, operational, and IT findings are combined

  10. 10

    Risk-rated findings report with root-cause analysis and a formal management response cycle before finalisation

  11. 11

    Remediation roadmap with named owners and target dates for every finding — not generic recommendations

  12. 12

    Board, Audit Committee, or Risk Management Committee presentation, with PNPC available to field questions directly

  13. 13

    Independent follow-up remediation verification review, typically 3–6 months after the initial report

  14. 14

    Consolidated India-UAE group risk view for clients with cross-border operations, coordinated from Chennai, Bangalore, Hyderabad, and Dubai

A risk review that only checks whether a policy exists tells you nothing about whether your credit book, your operations, or your systems are actually safe. Talk to PNPC Global about a review that tests what actually happens — and gives your Board and your regulator a remediation plan they can trust.

← Back to Risk Advisory
Talk to a CA