RISK MANAGEMENT POLICY

This Risk Management Policy of Ramchandra Leasing and Finance Limited, being a regulated Non-Banking Financial Company – Investment and Credit Company (NBFC-ICC), Non-Deposit Taking, Non-Systemically Important (ND-NSI), was duly approved by the Board of Directors.

1. PREAMBLE

Ramchandra Leasing and Finance Limited (“the Company”), as an NBFC-ICC ND-NSI operating under the regulatory framework prescribed by the Reserve Bank of India, recognises that sound, proactive and comprehensive risk management is not merely a regulatory expectation but a fundamental prerequisite for the stability, sustainability, and integrity of its operations.

The Company acknowledges that its business model, involving the extension of financial credit, inherently exposes it to varying types of risks—credit, operational, market, liquidity, technology, cybersecurity, reputational, strategic, legal and compliance risks. This Policy establishes the overarching principles, internal structures, processes, systems and controls through which the Company identifies, measures, monitors, manages and mitigates such risks, ensuring that its operations remain prudent, transparent, compliant and resilient across economic cycles.

This Policy is structured to ensure alignment with the Master Direction – NBFC – Scale Based Regulation (SBR), 2023, the wider regulatory architecture applicable to NBFC-ICC ND-NSI entities, and recognised risk management best practices adopted within the financial services sector.

2. OBJECTIVE AND SCOPE OF THE RISK MANAGEMENT FRAMEWORK

The primary objective of this Policy is to establish a well-defined, enterprise-wide risk management framework capable of supporting informed decision-making, protecting the Company’s financial health, safeguarding customer interests, and ensuring long-term operational continuity.

The Policy governs all risks—quantitative and qualitative, financial and non-financial—across all business segments, branches, outsourced operations, digital platforms, LSP engagements, and any operational ecosystem directly or indirectly associated with the Company.

It ensures that risks are managed holistically and systematically, with clear governance lines, transparent accountability, and regular Board-level oversight.

TELEFAX. 0265 - 3268100

CIN. L65910GJ1993PLC018912

Email. rlandfl@gmail.com

Web. www.ramchandrafinance.in

Regd. Office. 201, Rudra Plaza Complex, Dandia Bazar Main Road, Dandia Bazar, Vadodara - 390 001

Branch. Ashok Stores, Khot Chawi, L.T. Road, Opp. Goyal Shopping Centre. Borivali (W), Mumbai - 400092.

3. GOVERNANCE STRUCTURE AND OVERSIGHT RESPONSIBILITIES

Risk management at the Company operates under the ultimate authority of the Board of Directors, which is responsible for defining the Company’s risk appetite, approving the risk management framework, and ensuring that adequate internal controls, reporting structures, and oversight mechanisms are in place.

Senior management, under guidance of the Board, is responsible for embedding risk-awareness across business functions, ensuring that risk mitigation systems operate efficiently, and that deviations, breaches or emerging vulnerabilities are immediately escalated.

A dedicated Compliance function, together with Internal Audit and operational leadership, supervises adherence to regulatory norms, monitors operational risks, reviews credit underwriting practices, and ensures alignment with RBI’s risk governance expectations. The Company follows a “three-lines-of-defence” structure, ensuring segregation of business, risk oversight, and independent audit.

As mandated under Regulation 4(2)(f) and Regulation 17 of SEBI (LODR) Regulations, 2015, the Board shall ensure that the Company maintains a sound risk management framework, including internal controls, ICFR, ethical standards, compliance culture and effective oversight of management.

4. CREDIT RISK MANAGEMENT

Credit risk represents the most significant category of risk for an NBFC-ICC. The Company therefore maintains rigorous credit assessment systems, underwriting standards, and portfolio monitoring processes designed to evaluate the repayment capacity, creditworthiness, behavioural patterns, and financial stability of customers.

The Company undertakes due diligence of all borrowers, validates KYC in compliance with RBI’s KYC Master Direction, analyses bureau information, assesses debt exposure, and adopts internal scoring or rule-based decision-making mechanisms.

Post-sanction monitoring includes review of repayment behaviour, stress indicators, delinquency movements, and portfolio-level risk metrics. The Company maintains provisioning, write-off and NPA recognition norms fully aligned with RBI’s prudential requirements.

Credit risk arising from digital lending operations and LSP-based sourcing is treated with equal seriousness, with enhanced scrutiny on fraud detection, identity verification, field verifications, and prevention of impersonation or synthetic identity-related fraud.

5. OPERATIONAL RISK MANAGEMENT

The Company recognises operational risk as a consequence of failures in internal processes, systems, people, outsourced activities or external disruptions. The Policy mandates strong internal controls, digitised workflows, access restrictions, maker–checker protocols, audit trails, training systems, and clear delegation of authority.

Operational risks arising from outsourced functions—such as tele calling, collections, documentation, verification and digital onboarding—are governed by the Company’s Outsourcing Policy and are subject to continuous oversight, periodic audit and legally enforceable contractual safeguards.

The Company emphasises fraud prevention, internal vigilance, MIS-driven exception reporting, and well-defined escalation mechanisms for operational irregularities, data breaches, or process lapses.

The Audit Committee, in line with Regulation 18 of SEBI (LODR) Regulations, shall oversee the Company’s financial risk management, internal control systems, fraud risk, operational risk exposures, and the effectiveness of the internal audit function.

Any material risk observations identified by Internal Audit or Statutory Auditors shall be reviewed by the Audit Committee and escalated to the Board.

6. TECHNOLOGY RISK AND CYBERSECURITY CONTROLS

Given the increasing role of digital infrastructure, the Company recognises technology risk as a core risk category. The Company adopts secure systems, updated software, encrypted interfaces, endpoint protection, controlled access rights, and rigorous vendor-management standards.

Cybersecurity practices are implemented in accordance with RBI's digital lending architecture and applicable IT security norms. Systems handling customer data are protected against intrusion, malware, data leakage or unauthorised access, with real-time monitoring and incident-response protocols in place.

The Company ensures that LSPs, DLAs and technology partners adhere to equivalent cybersecurity standards, particularly where customer onboarding or loan servicing is conducted through digital platforms.

7. LIQUIDITY AND FUNDING RISK MANAGEMENT

The Company maintains prudent liquidity buffers, diversified funding relationships, and monitoring systems for cash flows, repayment schedules and maturity mismatches. Although the Company is an NBFC-ICC ND-NSI, liquidity discipline remains essential.

The Company maintains strong MIS systems to track collections, outflows, commitments, interest obligations, and operational expenses. Stress testing is periodically performed to evaluate liquidity resilience under adverse scenarios, ensuring preparedness to fulfil obligations without jeopardising solvency or customer confidence.

8. COMPLIANCE AND REGULATORY RISK

Regulatory risk arises from non-compliance or delayed compliance with RBI guidelines, statutory requirements or other legal obligations.

The Company maintains a structured compliance framework ensuring timely and complete reporting, adherence to prudential norms, correct maintenance of statutory registers and returns, and accurate implementation of all circulars and notifications issued by the RBI, MCA, Income Tax Department, FIU-India and other authorities.

Compliance gaps are escalated promptly to senior management and the Board, with remedial measures instituted without delay.

9. REPUTATIONAL AND CONDUCT RISK

Reputational risk may arise from misconduct, unfair customer treatment, data breaches, regulatory violations, or unethical behaviour by employees or outsourced agents.

The Company ensures that employees and service providers adhere strictly to the Fair Practices Code, Collection Policy, Outsourcing Policy and customer-conduct standards mandated by RBI. Any behaviour capable of impairing customer trust or damaging the Company’s reputation is addressed with zero-tolerance and immediate corrective action.

10. PORTFOLIO MONITORING, MIS AND REPORTING

A robust MIS framework supports timely identification and analysis of risks across functions. Reports relating to delinquency trends, credit quality, operational breaches, fraud attempts, customer grievances, compliance exceptions, and digital-channel irregularities are generated and reviewed regularly by senior management and the Board.

Periodic portfolio reviews ensure that emerging risk patterns are identified promptly and mitigated through policy adjustments, tightening of underwriting standards, or enhanced monitoring.

Risk management reports, including credit quality, delinquency trends, fraud analytics, cybersecurity alerts and compliance exceptions, shall be periodically presented to the Risk Management Committee, Audit Committee and the Board, as applicable.

11. BUSINESS CONTINUITY AND DISASTER RECOVERY

The Company maintains contingency plans ensuring continued operations in the event of system failures, cyber incidents, physical disruptions, or natural calamities.

Service providers performing critical outsourced functions are required to maintain similar Business Continuity and Disaster Recovery capabilities, and the Company retains the right to review or test such capabilities periodically.

12. REVIEW AND AMENDMENT OF THE POLICY

This Policy shall be reviewed annually, or earlier where necessitated by supervisory observations, operational developments or amendments to RBI’s regulatory framework. The revised Policy shall take effect only upon approval by the Board of Directors.

As a listed NBFC, the Company shall include risk management disclosures in the Board’s Report and Management Discussion & Analysis (MD&A) section of the Annual Report, in compliance with Regulation 34 of SEBI (LODR) Regulations.