Risk Management Policy

1. Background:

Angel Fincap Private Limited (the “Company”) is a Base Layer Non-Banking Financial Company (NBFC) operating under the regulatory purview of the Reserve Bank of India (RBI). The Company is classified as an Investment and Credit Company.


The Company promotes financial inclusion by offering a diverse range of financial products, including loans against shares and mutual funds, personal loans, and working capital loans, catering primarily to the needs of individual and corporate clients. In addition to its lending activities, the Company also undertakes strategic investments of its investible surplus in securities and related instruments, while ensuring a conservative approach with no public borrowing.


This policy is prepared in line with the requirements prescribed by Reserve Bank of India (Non-Banking Financial Companies - Governance) Directions, 2025 and various RBI notifications / directions ["RBI Regulations"] issued in this regard.

2. Objectives:

The objective of this policy are as follows:

    • To lay down the framework to identify potential risks that could impact the financial health and stability of the company by analyzing internal and external factors affecting operations.

    • To ensure proactive measures are in place to mitigate identified risks effectively, reducing the chances of financial losses or operational disruptions.

    • To create a structured approach for monitoring, reporting, and addressing risks regularly, ensuring timely interventions and course corrections.

    • To maintain regulatory compliance and align with RBI guidelines on risk management practices, safeguarding the company from legal and financial penalties.

    • To protect the interests of stakeholders by ensuring consistent and stable operations through sound risk management frameworks.

    • To enhance decision-making by incorporating risk assessment into business strategies, allowing the company to pursue growth with greater confidence.

    • To promote a culture of risk awareness and responsibility throughout the organization by establishing clear policies and training programs.

3. Scope:

The scope of this Risk Management Policy covers all areas of the company’s operations that are subject to financial, operational, strategic, and compliance risks. It applies to all departments, employees, and stakeholders involved in decision-making processes. The policy addresses key risk categories such as credit risk, interest rate risk, liquidity risk, market risk, operational risk, and reputational risk.


It outlines the processes for identifying, assessing, monitoring, mitigating, and reporting risks. The policy ensures that appropriate controls, frameworks, and governance structures are in place to manage risks effectively. This scope also includes adherence to RBI guidelines and best practices to ensure the stability and growth of the organization.

4. Governance Structure:

Board of Directors

    a. The Board of Directors ensures a robust risk management framework is in place, overseeing its implementation and effectiveness across all functions.

    b. To define and approve the company's overall risk management strategy and ensure it aligns with the company’s business objectives and growth plans.

    c. To approve and monitor Risk Appetite statements and ensures that appropriate mitigation actions are being taken to address emerging risks.

    d. To ensure transparency and accountability by reviewing detailed risk reports and making informed decisions based on risk assessments.

    e. To ensure that the company maintains sufficient capital and liquidity buffers to address potential financial stress or unforeseen events.

    f. To promote a risk-aware culture by supporting the development of policies, processes, and employee training initiatives related to risk management.


Risk Management Committee

    a. The Risk Management Committee (RMC) periodically reviews the risk management policy and propose changes to Board of Directors, to ensure it stays relevant to the company’s business environment and industry changes.

    b. The RMC evaluates the effectiveness of risk management systems, ensuring the implementation of appropriate methodologies, processes, and tools.

    c. It identifies, monitors, and assesses the various risks faced by the company, ensuring appropriate mitigation measures are taken in a timely manner.

    d. The committee regularly reviews risk reports and key findings, ensuring that identified risks are being addressed and managed effectively.

    e. It keeps the Board informed about discussions, recommendations, and actions required to manage risks appropriately.

    f. The RMC shall periodically review and monitor the Risk Appetite Indicators of the company.


The Risk Management Committee may delegate the functions / part of functions to sub-committees / such other departments / persons, as it may deem fit.

5. Risk Appetite:

The company shall integrate a well-defined risk appetite into its operations to guide decision-making and achieve its business objectives. This means determining the level of risk the company is willing to take in areas like lending, liquidity management, and investments in the Risk management Committee / Board and updated from time to time.


By embedding risk appetite into its daily functions, the company ensures that all activities are aligned with its strategic goals and regulatory requirements. This approach helps balance growth with financial stability, ensuring risks remain within acceptable boundaries and protecting the interests of stakeholders.

6. Key Risk Appetite Indicators:

In order to measure and monitor in a quantitative manner, the company shall establish KRAI in the RMC. KRAI is derived by studying the various policies approved by the board and identifying the key parameters, which is critical in meeting the risk policies and objectives of the company. The adherence to these KRAIs would be monitored on a quarterly basis by the RMC. Any breaches would be escalated to the Board and appropriate measures would be taken to address the same. As a good practice, an Early Warning Signal (EWS), would be given to the Board if the actual measured KRAI parameter is more than 90% of the threshold range provided herewith.


A detailed determination of EWS against the KRAI shall be highlighted in the RMC / board and updated from time to time.

7. Risk Management Procedures:

7.1. Risk Identification

Risk identification is the process of recognizing and understanding potential risks that may affect the company’s operations, financial health, and strategic objectives. By proactively identifying risks, the company can take timely measures to mitigate their impact and ensure stable and sustainable growth. Effective risk identification involves continuously monitoring internal processes, market trends, and external factors that may pose threats. The company shall embed risk identification practices into its daily operations to maintain resilience and regulatory compliance.


The following functions shall be implemented to ensure comprehensive risk identification:

    a. The company will conduct periodic risk assessments across all departments to identify potential risks related to credit, liquidity, market conditions, and operations.

    b. By analysing financial data, customer trends, and market conditions, the company will proactively identify emerging risks and potential vulnerabilities.

    c. Regular internal audits and external reviews will help uncover operational gaps, compliance issues, or inefficiencies that may pose risks to the company.

    d. The company will establish channels for employees and stakeholders to report observed risks or irregularities, encouraging a culture of risk awareness.

    e. The company will use scenario analysis and stress testing to identify risks that could arise under adverse market conditions or operational disruptions.

    f. Document identified risks in a risk register, detailing the nature of each risk, potential impact, frequency of the risk and the source of the risk.


7.2. Risk Definition and Basic Mitigation measures


Credit Risk

Credit risk arises from the possibility that a borrower may default or fail to repay the loan as per the agreed terms. Such defaults can directly impact the Company’s income, profitability, and overall financial stability. As the Company is engaged in providing loans against shares and mutual funds, any delay or non-repayment by borrowers can lead to potential credit losses.


The Company shall maintain robust credit appraisal and approval processes to assess the repayment capacity of borrowers before sanctioning loans. The company share define the Credit assessment parameters in the credit policy and implement using technology to the great extent. Continuous monitoring of loan accounts shall be undertaken to identify early warning signals of stress or default. In case of non-payment, prompt recovery and enforcement actions shall be initiated as per the defined procedures, and adequate provisioning shall be maintained in accordance with regulatory norms.


Market Risk

Market risk refers to the potential for losses arising from adverse movements in market variables such as equity prices, interest rates, or liquidity conditions. Since the Company’s lending portfolio is secured against market-linked instruments like shares and mutual funds, a sudden decline in market value can impact collateral adequacy and profitability. Additionally, investments made in securities are also exposed to fluctuations in market prices.


The Company shall monitor market trends, indices, and price volatility on a continuous basis. It shall apply prudent LTV ratios, define margin call triggers, and maintain a process for immediate liquidation of collateral in case of significant market downturns. Investment decisions shall be made after evaluating market conditions and in compliance with the internal investment policy.


Valuation Risk

Valuation risk arises when the fair value of the pledged shares or mutual fund units does not accurately reflect their realizable market value, often due to incorrect pricing feeds, valuation delays, or concentration in illiquid securities. This can result in underestimation of exposure and inadequate collateral coverage.


The Company shall implement a robust mark-to-market mechanism for all pledged securities and investments. Valuation data shall be sourced from reliable and independent market feeds on a daily basis using technology. Any deviation or discrepancy beyond a defined threshold shall be escalated immediately. Regular system checks and periodic validation of valuation models shall be carried out by the Risk and Operations teams.


Liquidity Risk

Liquidity risk refers to the Company’s inability to meet its financial obligations as they fall due, without incurring unacceptable losses. The company’s liquidity is primarily supported through borrowings, and therefore any disruption in access to funding, adverse market conditions, refinancing constraints, market stress or delayed recoveries from borrowers can temporarily affect liquidity positions.


The company has put in place a Liquidity Risk Management Policy and ALM framework to deal with the risk which includes measures such as maintain an adequate liquidity buffer, monitor cash flow positions regularly, and maintain a maturity-wise Asset Liability Management (ALM) statement. It shall ensure that sufficient high-quality liquid assets are available to meet short-term obligations and maintain contingency funding plans to address unexpected liquidity gaps. Finance team will ensure availability of liquidity and maintenance of Asset Liability Mismatches with the thresholds as per the Policy/Framework. Risk Management team will maintain oversight on Liquidity and ALM through daily/periodic reports.


Concentration Risk

Concentration risk arises when the Company’s exposure is heavily skewed toward a particular borrower, group, sector, or type of security. In LAS/LAMF operations, this could lead to significant losses if a specific client defaults or a particular scrip declines sharply in value.


The Company shall diversify its loan portfolio across multiple borrowers, groups, and types of securities. Internal exposure limits shall be defined as part of Risk Appetite framework as a percentage of the Company’s total assets or AUM for single borrowers, groups, and sectors or exposure on a single script or scripts of a group. The Risk Management function shall periodically review and report any breaches or high concentration levels to the RMC and Board.


IT Risk

IT risk arises from inadequate or failure of system or cyber threats that may disrupt business operations. For the Company, this includes errors in data processing, documentation lapses, valuation inaccuracies, or delays in margin calls related to pledged securities. As the Company is engaged in digital lending, it is also exposed to technology-related risks such as system downtime, data breaches, unauthorized access, and cyberattacks that may compromise the confidentiality, integrity, or availability of critical information and services.


The Company shall establish strong internal controls and process checklists supported by robust IT infrastructure and cybersecurity measures. It shall implement adequate access controls, data encryption, and regular system audits to safeguard sensitive information. Employee training on information security and operational protocols shall be conducted periodically. The Company shall maintain a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure minimal disruption in the event of process or system failures, and all IT systems shall comply with the RBI’s guidelines on IT governance and outsourcing of digital services.


Compliance and Regulatory Risk

Compliance risk arises from failure to adhere to applicable laws, regulations, and RBI directions governing NBFCs. Given that the Company operates as a Base Layer NBFC–ICC, non-compliance with prudential norms, fair practices code, or KYC/AML guidelines could lead to penalties, restrictions, and reputational harm.


The Company shall maintain an updated compliance framework and ensure that all regulatory filings, disclosures, and returns are submitted accurately and on time. A Compliance Officer shall oversee regulatory adherence, while internal audits shall review and report deviations. Any changes in RBI or SEBI regulations shall be promptly incorporated into company policies and procedures.


Reputational Risk

Reputational risk is the potential loss resulting from negative public perception, regulatory action, or client dissatisfaction. For an NBFC providing LAS/LAMF, reputational risk may arise from non-transparent pricing, delays in release of securities after loan closure, or lapses in customer service or grievance redressal.


The Company shall uphold transparency, fairness, and ethical practices in all client dealings. A defined Fair Practices Code and Grievance Redressal Mechanism shall be implemented to address customer concerns promptly. Communication with stakeholders shall be accurate and consistent, and all marketing or public disclosures shall be reviewed for accuracy and compliance.


Operational Risk Management and Operational Resilience

Operational Risk: Risk of loss due to inadequate internal processes, people, systems, or external events. It's inherent in all financial products and activities.


Operational Resilience: The ability to deliver critical functions despite disruptions. It involves identifying threats, mitigating risks, responding to disruptions, recovering, and learning from them


Operational Risk Management and Operational Resilience has been built on three pillars which are as follows:

    a. Prepare and Protect

    b. Build Resilience

    c. Learn and Adapt


The company has adopted a separate policy framework for operational risk management based on above criteria and as prescribed in RBI regulations.


7.3. Risk Categorization

For effective management and monitoring, all identified risks shall be categorized based on their potential impact (effect) on the Company’s business objectives and the likelihood (frequency) of their occurrence. This categorization assists in prioritizing risks and determining the level of control and oversight required. The Company shall adopt a three-tier risk rating structure as under:


High Risk: These are risks that may have a major or critical impact on the Company’s financial soundness, capital adequacy, or reputation. Such risks have a high likelihood of occurrence and could significantly affect business continuity, compliance status, or profitability if not managed effectively. Immediate attention and mitigation plans are required, with close monitoring by senior management and periodic reporting to the RMC and Board.


Medium Risk: These risks may have a moderate impact on business performance or objectives and may occur occasionally. While they may not threaten the Company’s viability, they can affect operations, earnings, or compliance if left unaddressed. Continuous monitoring and implementation of preventive or corrective measures by the concerned functional heads. Escalation to senior management as necessary.


Low Risk: These risks are expected to have minimal or negligible impact on the Company and are less likely to occur. They can generally be managed through routine internal controls and standard operating procedures. Regular monitoring and inclusion in periodic risk review reports to ensure they remain within acceptable tolerance limits.


The categorization shall be periodically reviewed to ensure it reflects changes in the Company’s business model, risk profile, and external environment.


7.4. Risk Assessment and Measurement

Risk assessment is the process of evaluating potential risks that could impact the company’s financial stability, operations, and strategic objectives. By assessing risks, the company shall understand their likelihood and potential impact, enabling it to take informed actions to mitigate or manage these risks effectively. The company shall integrate the following risk assessment and measurement practices into its operations to ensure continuous monitoring and control of risks. The following steps shall be embedded by the company in its operations for risk assessment and measurement:

    a. Use financial data, statistical models, and expert judgment to measure risks related to credit, liquidity, market conditions, and operations.

    b. Implement risk scoring frameworks to categorize risks based on their likelihood and potential impact on the company’s operations.

    c. Conduct stress tests and scenario analyses to evaluate the company’s resilience to adverse economic conditions and unexpected events.

    d. Develop and track KRIs to monitor risk levels and identify potential risk breaches early for prompt corrective action.

    e. Schedule periodic reviews of identified risks and assessments to ensure the company stays responsive to evolving business and market conditions.


7.5. Specific Risk Mitigation Strategies

Risk mitigation strategies are the actions and measures taken to reduce the likelihood or impact of potential risks on the company. These strategies focus on minimizing exposure to identified risks through control measures, contingency planning, and regular monitoring. The company shall implement a combination of preventive, corrective, and proactive approaches to manage risks effectively. By developing clear protocols, maintaining liquidity buffers, and staying compliant with regulations, the company shall ensure that it can respond quickly to challenges and safeguard its financial stability and reputation.

    a. Implementing control measures to reduce the likelihood and impact of identified risks, such as diversifying investments or limiting credit exposure.

    b. Developing contingency plans and maintaining liquidity buffers to ensure the company can manage unexpected disruptions or financial stress.

    c. Establishing clear protocols for responding to risks, including escalation procedures and responsibilities for corrective actions.

    d. Regularly reviewing and updating risk management strategies to ensure they remain relevant and effective in addressing new and emerging risks.

    e. Training employees and stakeholders on risk management practices to promote a culture of awareness and proactive risk handling.

    f. Ensuring compliance with regulatory guidelines and industry best practices to minimize legal and reputational risks.

8. Reporting and Monitoring:

The risks identified shall be reported to the Risk Management Committee on periodic basis, and unfavourable deviations of the company’s actual risk to the acceptable risk appetite shall be addressed.


The Risk Management Committee shall ensure effective monitoring mechanism with utilisation of MIS systems, on an ongoing basis. Further, a summary report on the risks identified and addressed along with instances requiring attention shall be submitted to the Risk Management Committee on quarterly basis. In case of any major deviations / findings, the same shall also be brought to the notice of the Board of Directors.


The Board of Directors shall, on an annual basis, review the risk management process, and material instances of deviations.

9. Exception Handling:

The policy shall always be updated with extant regulatory provisions. However, in case of conflict between the Policy and regulations, the regulatory provisions shall always supersede the policy.


The updated policy shall be adhered at all the times and exceptions if any to the policy shall be approved by the board of directors after recording a reason in writing.

10. Adoption, Effective Date and Review:

This policy has been adopted vide resolution of the Board of Directors of the Company dated ______________. This policy shall be applicable organization wide with effect from _____________. This policy shall be reviewed by the Board of Directors on at least an Annual basis.