Cultivating a risk culture

Bank of Baroda strengthens governance and fosters trust using SAS® Governance and Compliance Manager

Changing the culture of a large corporation is like turning a massive ship. It takes a while to change course, but when that happens, it can have a big impact on the organization in the long term.

Globally, banks are finding that a mixture of regulations and customer expectations is causing them to adjust direction and strategy. Recent high-profile regulatory breaches and misconduct mean regulators are demanding that they tighten internal controls and reduce risk. So banks are working to adhere not only to the letter of the law but also to its spirit. And that means evolving their risk culture.

Our previous loss event data collection process was manual and took three months, so reporting was performed only twice a year. Now our loss data reporting takes 15 days, and we’ll ultimately be able to reduce it to just a couple of days.

Bhaskar Sharma
Deputy General Manager of Risk Management

Bank of Baroda, which operates in 25 countries, turned to SAS Governance and Compliance Manager to strengthen its risk program. Using this solution, the India-based bank introduced a comprehensive operational risk framework for more efficient regulatory compliance. The main areas of focus enable collaboration among staff, enhance customer confidence and build a positive image.

Obtaining more control over risk exposure

Bank of Baroda knew that building a stronger risk program was more than processes and technologies. To be effective, the entire organization needed to embrace and adopt a new strategy.

“We wanted to establish a risk culture in which employees have a solid understanding of the risk involved in their business processes and related activities,” says Bhaskar Sharma, Deputy General Manager of Risk Management at the Bank of Baroda.

The bank rolled out the SAS solution across thousands of branches as well as its corporate and administrative offices. Since then, thousands of employees in various roles and locations have received risk training. Employees analyze their functions and activities from a risk perspective, then identify gaps in control. “Because information about risks and controls is now stored in a central repository, we have an integrated view of operational risk across our processes, products and systems,” Sharma explains.

By tracking key risk indicators (KRIs), Bank of Baroda has more control over its risk exposure. The bank identified 31 key risks and monitors 16 KRIs. SAS helps the bank extract relevant information from a wide range of bank systems at predefined intervals. Management dashboards track risks and inform departments if specific KRIs are out of tolerance.


Achieving greater efficiency and more timely compliance

A more efficient loss event data collection process means the bank can conduct risk analysis more frequently and establish corrective measures to mitigate risks and comply with regulations. “Our previous loss data collection process was manual and took three months, so reporting was performed only twice a year,” explains Sharma. “Now our loss data reporting takes 15 days, and we’ll ultimately be able to reduce it to just a couple of days.”

Before deploying SAS Governance and Compliance Manager, regional and zone offices used tools such as Microsoft Excel to collect and analyze loss event data and RCSA (risks and control self-assessment) data across the organization. Because each group modified their data entry templates, data was rarely in a standardized format. These inconsistent data silos required extra time to compile data, remove inconsistencies and create reports for management.

With SAS, Bank of Baroda has established a working risk culture throughout its global organization, which it will continue to build as the company grows. The SAS Enterprise GRC solution helps the bank monitor its operations more effectively and apply the same standards to all of its branches.

“Our robust operational risk framework has given us the ability to profile and mitigate risks while instilling greater customer confidence in our operations,” Sharma says. “Ultimately, we’re in a better position to make well-informed decisions about our risk exposure. And we’re doing all of this in a way to help us meet our customers’ needs.”


  • Introduce an operational risk framework.
  • Eliminate time-consuming, manual processes for collecting and collating loss event data.
  • Develop a risk management culture.



  • Instituted better risk management practices through a comprehensive operational risk framework.
  • Reduced time required for loss event data collection and reporting from three months to 15 days, enabling more frequent risk assessments and proactive risk mitigation.
  • Established a risk culture that spans thousands of employees, numerous departments and offices.