Risk Management, March 2026

The Chief Risk Officer (CRO) Function in UCBs: RBI Mandate, Role, Reporting Structure, and Risk Governance Framework

Comprehensive guide to the CRO mandate for UCBs with ₹5,000 crore+ assets — RBI requirements, independent reporting, risk appetite framework, and inspection focus areas.

Across RBI enforcement actions in the co-operative banking space, recurring themes include governance gaps, concentration risk breaches, and weak risk oversight. In many cases, the underlying issue isn’t a complex technical rule—it’s the absence of structured, independent risk challenge reaching the Board in time.

For UCBs with asset size of ₹5,000 crore or above, this oversight gap now has a mandated solution: the Chief Risk Officer function. Yet despite the regulatory mandate being in place since 2021, many qualifying UCBs continue to struggle with implementation—delayed appointments, CROs burdened with dual responsibilities, risk committees that meet perfunctorily, and risk MIS that fails to inform board decisions.

The RBI (Urban Co-operative Banks – Governance) Directions, 2025, effective November 28, 2025, have significantly tightened these requirements. UCB boards that treat the CRO function as a checkbox exercise now face heightened inspection scrutiny and potential supervisory action.

This guide provides UCB CEOs, Board members, and Compliance Heads a definitive resource on establishing and operationalizing an effective CRO function—one that satisfies regulatory requirements while genuinely strengthening your institution's risk resilience.

The Regulatory Foundation: RBI's CRO Mandate for UCBs

Origin and Evolution of the Requirement

RBI first mandated CRO appointment for qualifying UCBs through circular DOR.CRE(DIR).REC.26/21.04.103/2021-22 dated June 25, 2021. This directive established the foundational requirements:

  • Applicability threshold: UCBs with asset size of ₹5,000 crore or above (measured as on March 31 of the preceding year)
  • Appointment timeline: Within six months of crossing the threshold
  • Qualification requirements: Senior official with demonstrated risk management expertise
  • Tenure protection: Fixed tenure defined by the Board
  • Independence mandate: Board-defined independent role, free from business line influence

The Master Circular on Board of Directors – UCBs (RBI/2025-26/07, DoR.HGG.GOV.No.1/18.10.010/2025-26 dated April 1, 2025) reinforced this by mandating the constitution of a Risk Management Committee of the Board (RMCB) for all UCBs meeting the ₹5,000 crore threshold.

The 2025 Governance Directions: Enhanced Independence Requirements

The RBI (Urban Co-operative Banks – Governance) Directions, 2025 (RBI/DOR/2025-26/273, DOR.GOV.REC.No.192/18-10-014/2025-26, November 28, 2025) introduced critical enhancements that address the operational gaps RBI inspectors have repeatedly identified:

| Requirement | Pre-2025 Position | 2025 Directions |
|---|---|---|
| Dual hatting | Discouraged but not explicitly prohibited | **Explicitly prohibited**—CRO cannot simultaneously serve as CEO, COO, or CFO |
| Board access | Recommended | Mandatory quarterly meetings with Board/RMCB **without MD/CEO present** (if CRO reports to MD/CEO) |
| Removal protection | Board approval required | Board approval required **plus** mandatory reporting to RBI Regional Office |
| Business targets | Should not have | **Cannot have** business targets or report to business verticals |

These aren't semantic distinctions. The shift from "should not" to "cannot" reflects RBI's enforcement posture—particularly given the sector's NPA trajectory. While gross NPA ratios have improved from 12.1% (March 2021) to 6.1% (March 2025), large borrower GNPAs remain elevated at 8.9%, indicating concentrated credit risk that independent oversight should have flagged earlier.

CRO Role and Responsibilities: Beyond Compliance Monitoring

The CRO function in UCBs extends well beyond traditional compliance monitoring. The role is architected to provide the Board with an integrated view of institutional risk—connecting strategy, appetite, exposure, and capital in a coherent framework.

Core Functional Responsibilities

1. Risk Identification and Assessment Architecture

The CRO is responsible for building systems that proactively identify risks across credit, market, operational, and liquidity dimensions before they crystallize into losses. This includes:

  • Establishing early warning indicators for credit deterioration
  • Monitoring concentration risks against regulatory and internal limits
  • Tracking liquidity positions against stress scenarios
  • Identifying operational vulnerabilities in process and technology

2. Risk Appetite Development and Monitoring

Perhaps the CRO's most strategic responsibility is translating Board-approved strategy into quantified risk limits. This involves:

  • Developing the Risk Appetite Statement (RAS) for Board approval
  • Setting monitorable limits for key risk categories (sector exposure, borrower concentration, liquidity ratios)
  • Establishing escalation triggers when limits approach breach thresholds
  • Ensuring alignment between business planning and risk capacity

3. Credit Product and Portfolio Oversight

The CRO's involvement in credit extends beyond policy to active engagement:

  • Vetting new credit products for embedded risks before launch
  • Advisory or decision-making role in high-value credit committees
  • Where the CRO is a voting member of credit committees, joint accountability for decisions applies
  • Independent review of credit proposals above defined thresholds

4. Risk MIS and Board Reporting

The CRO owns the risk information architecture that enables Board oversight:

  • Designing dashboards that surface material risks with appropriate granularity
  • Preparing quarterly risk reviews covering large borrowal accounts, NPAs, concentration positions
  • Monthly reporting on funds management, overdues, and emerging risks
  • Exception reporting when limits are breached or triggers activated

What the CRO Cannot Do

Equally important are the boundaries on the CRO's role:

  • No business targets: The CRO cannot be held accountable for loan disbursement, deposit mobilization, or similar metrics
  • No reporting to business heads: The CRO reports to MD/CEO, Board, or RMCB—never to business vertical heads
  • No dual hatting: The CRO cannot simultaneously hold CEO, COO, or CFO responsibilities
  • No dilution through additional charges: Boards must resist the temptation to burden the CRO with unrelated operational responsibilities

Reporting Structure: Getting Board Access Right

The reporting structure for the CRO is deliberately designed to ensure independence while maintaining operational connectivity. RBI provides two acceptable configurations:

Option 1: Direct Reporting to Board/RMCB

This structure provides maximum independence but requires careful attention to day-to-day operational integration:

Board of Directors
        ↓
   RMCB (Board Sub-Committee)
        ↓
      CRO
        ↓
Risk Management Team

Option 2: Reporting to MD/CEO with Safeguards

This more common structure maintains operational efficiency but requires specific safeguards mandated by the 2025 Directions:

Board of Directors
        ↓
   MD/CEO  ←---- Quarterly meeting with RMCB (without MD/CEO)
        ↓                    ↑
      CRO  ──────────────────→
        ↓
Risk Management Team

The critical safeguard: quarterly meetings between CRO and Board/RMCB without the MD/CEO present. This isn't optional—it's a regulatory requirement that RBI inspectors specifically verify.

Protection Against Removal

Both structures incorporate tenure protection:

  • Board approval mandatory for any premature removal or transfer
  • Mandatory reporting to RBI Regional Office for any such removal/transfer
  • CRO cannot be reassigned to business roles as a consequence of raising uncomfortable risk concerns

Building an Effective Risk Appetite Framework

A robust Risk Appetite Framework (RAF) translates the UCB's strategic objectives into quantified risk parameters that can be monitored and enforced. For UCBs, this framework must address the specific risk concentrations that have historically caused failures in the sector.

Components of an Effective UCB Risk Appetite Framework

1. Risk Appetite Statement (RAS)

The Board-approved RAS should articulate:

  • The UCB's overall risk tolerance (conservative, moderate, growth-oriented)
  • Qualitative boundaries (e.g., "We will not take positions in complex derivatives")
  • Quantitative limits for key risk categories

2. Quantified Risk Limits

| Risk Category | Typical Metrics | Regulatory Reference |
|---|---|---|
| **Credit Concentration** | Single borrower exposure as % of capital funds; Group exposure limits | RBI exposure norms |
| **Sector Concentration** | Maximum exposure to any single sector (real estate, traders, etc.) | Internal policy, informed by concentration penalty experience |
| **Large Borrower Exposure** | Aggregate exposure to borrowers above threshold | Large borrower monitoring requirements |
| **Liquidity Risk** | SLR maintenance, LCR (where applicable), funding concentration | Liquidity coverage requirements |
| **Capital Adequacy** | CRAR with buffer above regulatory minimum | PCA trigger levels |
| **Asset Quality** | Gross and net NPA thresholds | PCA trigger: Net NPA ≥6% |

3. Escalation Triggers

Define multiple levels of response:

  • Amber triggers: When metrics approach 80-90% of limits—enhanced monitoring, CRO review
  • Red triggers: When metrics approach or breach limits—immediate escalation to RMCB, corrective action planning
  • Board triggers: Material breaches requiring Board attention within defined timeframes

Alignment with PCA Framework

UCBs in Tier 2-4 categories must align their RAF with the Prompt Corrective Action (PCA) framework effective April 1, 2025. The PCA triggers provide minimum thresholds that the internal RAF should improve upon:

| PCA Trigger | Threshold | Internal Limit (Suggested Buffer) |
|---|---|---|
| CRAR breach | Below regulatory minimum | Maintain 200bps+ buffer |
| Net NPA | ≥6% | Internal limit at 4-4.5% |
| Profitability | Consecutive losses | Early action at declining ROA trend |

Risk MIS for UCB Boards: Information That Enables Decisions

The RBI Governance Directions specify a calendar of risk-related items that boards must review. The CRO owns the MIS architecture that makes this review meaningful rather than perfunctory.

Quarterly Board Review Items

Per the Governance Directions calendar:

  • Position on large borrowal accounts (concentration risk assessment)
  • NPA position with movement analysis (migration, recoveries, slippage)
  • Sector-wise exposure and trends
  • Risk appetite utilization against limits
  • Credit quality indicators and early warning signals

Monthly Monitoring Items

  • Funds management position (liquidity status)
  • Overdue position with aging analysis
  • Investment portfolio valuation and risk
  • Operational risk incidents and control status

What Makes Effective Risk MIS

Many UCBs produce voluminous data that obscures rather than illuminates risk. Effective Risk MIS for Board consumption should:

  1. Lead with exceptions: Highlight breaches, near-breaches, and adverse movements—not routine confirmations
  2. Show trends, not just positions: Three-quarter trend lines reveal trajectory better than point-in-time data
  3. Connect to strategy: Show how current risk position aligns with strategic intent and capital capacity
  4. Enable challenge: Provide sufficient detail for informed Board questioning
  5. Distinguish internal from regulatory limits: Show both, as internal limits should be tighter

CRO Function Implementation: Action Checklist for UCBs

For UCBs at or Above ₹5,000 Crore Assets

  • CRO Appointment
    - [ ] Designated individual with risk management qualifications appointed
    - [ ] Fixed tenure specified in appointment terms
    - [ ] Reporting line clearly established (to MD/CEO or directly to Board/RMCB)
    - [ ] No dual hatting with CEO/COO/CFO roles confirmed in writing
    - [ ] Removal procedure documented (Board approval + RBI notification)

  • RMCB Constitution
    - [ ] Risk Management Committee of Board formally constituted
    - [ ] RMCB composition includes directors with relevant risk expertise
    - [ ] RMCB charter defines scope, frequency, and authority
    - [ ] Quarterly RMCB meetings scheduled in Board calendar

  • Independence Safeguards
    - [ ] Quarterly CRO-RMCB meetings without MD/CEO (if CRO reports to MD/CEO) scheduled
    - [ ] CRO has no business targets—confirmed in appointment terms
    - [ ] CRO does not report to any business vertical head
    - [ ] Board policy on CRO independence documented and approved

  • Risk Appetite Framework
    - [ ] Risk Appetite Statement developed and Board-approved
    - [ ] Quantified limits established for credit concentration, sector exposure, liquidity, capital
    - [ ] Escalation triggers defined (amber, red, Board)
    - [ ] Annual review cycle established

  • Risk MIS
    - [ ] Quarterly Board pack includes all mandated risk items
    - [ ] Monthly monitoring reports operational
    - [ ] Exception-based reporting format implemented
    - [ ] Large borrowal account review integrated

For UCBs Between ₹500-5,000 Crore Assets

  • Risk management policies documented and Board-approved
  • Risk monitoring integrated into Board reporting (even without formal RMCB)
  • RBIA (Risk-Based Internal Audit) implemented per March 2022 deadline
  • Compliance monitoring for concentration norms operational
  • Succession planning for CRO function when threshold crossed

For UCBs Below ₹500 Crore Assets

  • Basics prioritized: concurrent audit, NPA monitoring, statutory compliance
  • Concentration risk reviewed even without formal CRO mandate
  • Professional directors onboarded (where applicable, except salary earners' UCBs)
  • Exposure norm compliance monitored to avoid penalty risk

What RBI Inspectors Will Specifically Look For

Understanding inspection focus areas helps UCBs prepare meaningfully rather than cosmetically. Based on recent inspection patterns and regulatory emphasis, expect detailed scrutiny of:

CRO Function Compliance

  • Qualifications verification: Does the CRO have demonstrable risk management background, or is this a redeployed operations head?
  • Independence testing: Evidence that CRO has raised concerns that conflict with business interest—and what happened thereafter
  • Dual hatting check: Detailed review of CRO's other responsibilities—including informal additional charges
  • Reporting line verification: Minutes of quarterly CRO-RMCB meetings; attendance records showing MD/CEO absence
  • Removal history: Any instances of CRO reassignment and whether proper procedures followed

RMCB Functioning

  • Meeting frequency: Are quarterly meetings actually happening per schedule?
  • Attendance quality: Are members attending? Are they asking questions? (Minutes should reflect substantive discussion)
  • Action item tracking: Do RMCB decisions get implemented? What's the closure rate?
  • Agenda adequacy: Are all mandated items being reviewed?

Risk Appetite and MIS

  • Risk Appetite Statement: Does it exist? Is it Board-approved? Is it more than boilerplate?
  • Limit utilization: Are limits being monitored? Are breaches being flagged and escalated?
  • MIS quality: Does the Board receive information that enables risk oversight, or just data dumps?
  • Credit risk policies: Related-party lending controls, valuation standards, whistleblowing mechanisms (per Credit Risk Management Amendments 2026, effective April 1, 2026)

PCA-Related Parameters

For Tier 2-4 UCBs post-April 1, 2025:

  • CRAR position and trend (potential trigger)
  • Net NPA ratio trajectory (≥6% triggers PCA)
  • Profitability trend (consecutive losses trigger)
  • Capital planning adequacy if approaching trigger levels

Housekeeping and Control Environment

Inspectors connect CRO effectiveness to broader control environment:

  • Unreconciled entries in inter-branch, suspense, sundry accounts
  • Fraud reporting timeliness and follow-up adequacy
  • Internal audit compliance (RBIA implementation for ≥₹500 crore UCBs)
  • KYC risk categorization and review effectiveness

Preparing for Credit Risk Management Changes (2026)

The Credit Risk Management Amendments 2026, effective April 1, 2026, introduce additional requirements that the CRO function must address:

Board-Approved Policies Required For:

  • Related-party lending with enhanced safeguards
  • Collateral valuation standards and revaluation frequency
  • Whistleblowing mechanisms for credit risk concerns

Non-Conforming Exposures:

  • Existing exposures that don't meet new standards require Board-approved run-off plans
  • CRO should assess current portfolio for non-conforming positions
  • Timeline for conformance or reduction must be established

Practical Implication: UCBs should not wait until April 2026 to begin compliance. The CRO should initiate gap assessment by Q3 2025, enabling phased implementation.

Building Institutional Capability Beyond Compliance

The CRO function, properly implemented, transforms how UCBs understand and manage risk. But too many UCBs treat it as a regulatory imposition rather than an institutional capability.

Consider the trajectory: UCB gross NPAs have improved from 12.1% to 6.1% over four years—but large borrower NPAs remain at 8.9%, indicating that concentrated credit risk continues to be the sector's vulnerability. An effective CRO function—with genuine independence, real-time MIS, and meaningful RMCB engagement—would have flagged these concentrations before they deteriorated.

The UCBs that treat CRO implementation as a governance investment rather than a compliance exercise will be better positioned—not just for inspections, but for sustainable growth in an increasingly competitive and regulated environment.

NexlyAdvisory: Specialist Support for UCB Risk Governance

At NexlyAdvisory, we work exclusively with Urban Cooperative Banks on governance, compliance, and risk management. Our team combines deep regulatory expertise with practical understanding of UCB operations—we know what inspectors look for because we've helped dozens of UCBs prepare for and respond to inspections.

Our CRO function support includes:

  • Gap assessment against 2025 Governance Directions requirements
  • Risk Appetite Framework development tailored to your UCB's size and strategy
  • Risk MIS design that enables meaningful Board oversight
  • RMCB effectiveness reviews with practical improvement recommendations
  • Pre-inspection readiness assessments focused on risk governance

Whether you're implementing the CRO function for the first time or strengthening existing arrangements, our advisory approach is pragmatic: we help you build capability that satisfies regulators while genuinely strengthening your institution.

To discuss your UCB's CRO function requirements, contact NexlyAdvisory for a confidential consultation.

NexlyAdvisory is India's specialist advisory firm for Urban Cooperative Banks, providing governance, compliance, and risk management services. This article is for informational purposes and does not constitute legal or regulatory advice. UCBs should consult their legal counsel and review original RBI circulars for compliance decisions.
