By K. Srinivasa Rao
Kembai Srinivasa Rao is a former banker who teaches and usually writes on Macroeconomy, Monetary policy developments, Risk Management, Corporate Governance, and the BFSI sector.
June 25, 2025 at 5:39 AM IST
India’s banking sector is in its strongest shape in years. Capital buffers are high, bad loans are at record lows, and profitability remains steady. As of December 2024, the capital adequacy ratio stood at 16.4%, gross non-performing assets had fallen to 2.4%, and return on assets reached 1.37%. These are not just numbers. They reflect a hard-won recovery built on reforms, recapitalisation, and improved risk discipline.
Yet beneath this surface strength lies a newer, less visible vulnerability. As banks digitise at scale and embed themselves in broader tech ecosystems, they are increasingly exposed to operational risks. These include not just internal errors or process failures, but disruptions arising from external dependencies, third-party vendors, and a complex web of digital infrastructure.
Operational risk is not new. But its sources and severity have evolved dramatically in recent years. Previously, such risks were mostly associated with internal fraud, clerical mistakes, or breakdowns in back-office processes. Today, the frontline of operational risk lies elsewhere: in software outages, cyber intrusions, data leaks, and the failure of vendor systems that banks do not directly control. Unlike credit or market risk, these can erupt without warning and escalate fast.
India’s banks now operate in a digitally dense environment. The scale and speed of services, especially in retail banking, depend heavily on an extended network of technology partners. Core banking modules, cloud servers, application programming interfaces, digital onboarding platforms, payment gateways, and data analytics engines are often run or maintained by third parties. While this has helped improve efficiency and customer reach, it has also expanded the attack surface.
A misconfigured server or delayed patch update can cause downtime. A breach in a data analytics tool can expose sensitive customer information. A glitch in a payments partner’s system can delay transactions or affect settlements. These incidents may not originate within a bank, but the reputational and regulatory consequences inevitably land at its door.
The Digital Personal Data Protection Act, 2023, has further raised the stakes. Banks are now accountable for any compromise in the personal data they handle, even if it results from a lapse on the part of a third-party service provider. This shift makes third-party risk a strategic issue, not just a compliance concern.
Despite this, many banks still rely on periodic vendor audits or contract clauses to manage risk. These are no longer sufficient. What is needed is continuous, real-time oversight of vendor operations. Banks must map their digital dependencies, dynamically monitor partner controls, and establish contingency protocols for external disruptions. In a connected world, the weakest link can destabilise even the most resilient institution.
Talent vacuum
Another growing vulnerability stems from people. As Indian banks expand their digital footprint, the skills needed to manage the associated risks are in short supply. Cybersecurity, risk analytics, AI governance, compliance with evolving regulations—each of these areas now requires deep domain expertise. Yet most banks continue to face staff shortages, high attrition in control functions, and gaps in succession planning.
This talent vacuum creates blind spots. Without adequately trained personnel, early signs of system stress can go undetected. Incidents can be misdiagnosed or escalated slowly. Technology investments may be made without a full understanding of their implications for operational risk.
In the race to automate and digitise, human capital cannot be treated as an afterthought. Banks must invest in upskilling, institutionalise knowledge-sharing mechanisms, and collaborate with universities and industry bodies to build future-ready teams. Governance frameworks must also evolve to reflect these realities. Risk management can no longer operate in silos. It must be embedded across functions—from product teams to customer service, from IT to marketing—so that everyone plays a role in detecting and mitigating threats.
Even more critically, risk culture must evolve. Institutions that treat operational risk as a regulatory chore will find themselves increasingly vulnerable. What is needed is ownership. Risk awareness must become instinctive, not procedural. And that transformation starts at the top.
Boards and senior management must go beyond reviewing dashboards. They must demand rigorous testing, simulations, and stress scenarios that include digital disruptions. Traditional frameworks must be updated to include cyber readiness, system recovery protocols, and vendor continuity planning. Static controls are no longer enough. Banks need dynamic tools—heatmaps, early warning systems, internal incident reporting channels, and regular technology audits that feed into decision-making.
Operational risk must be managed proactively, not reactively. And it must be seen not as an IT issue, but as an enterprise-wide priority that shapes customer confidence, regulatory trust, and market reputation.
Every bank will need a calibrated strategy based on its size, structure, and digital architecture. What works for a public sector bank may not suit a cloud-native private lender. Yet, there are universal priorities that cut across models: vendor risk management, business continuity planning, cyber hygiene, and human capital investment. These are no longer optional. They are foundational to stability in a digital economy.
India’s banks are well placed to expand their role in a fast-growing economy. But resilience must be multidimensional. A sound balance sheet is only part of the picture. In a hyperconnected world, operational risk is systemic risk. Managing it with urgency and foresight will mark the difference between strength on paper and strength in practice.