RISK MANAGEMENT POLICY

REGENCY FINCORP LIMITED

1. PREAMBLE

Regency Fincorp Limited (“the Company”) is a Non-Banking Financial Company – Non-Deposit Taking (NBFC-ND) classified as a Base Layer NBFC under the Scale Based Regulatory Framework prescribed by the Reserve Bank of India (“RBI”). The Company is engaged in financial activities that inherently expose it to various forms of risk. Effective management of these risks is fundamental to the Company’s ability to achieve its strategic objectives, maintain financial soundness, safeguard stakeholder interests, and ensure long-term sustainability.

The Company acknowledges that risk management is an integral part of good corporate governance and prudent business management. The objective of risk management is not to eliminate risk altogether but to identify, assess, monitor, control, and mitigate risks within acceptable limits while maximizing opportunities for growth and value creation. The Company therefore adopts a structured and enterprise-wide approach towards risk management that is embedded in its governance framework, operational processes, and decision-making mechanisms.

This Policy establishes the principles, framework, governance structure, responsibilities, and processes through which risks are managed across the organization. It is intended to ensure that all material risks faced by the Company are appropriately recognized and addressed in a timely and effective manner.

2. OBJECTIVES OF THE POLICY

The primary objective of this Policy is to establish a comprehensive framework for managing risks across all areas of the Company’s operations. The Policy seeks to ensure that risks are identified at an early stage, evaluated systematically, and managed through appropriate control mechanisms. The Company endeavors to create and maintain a risk-aware culture wherein all employees understand their role in managing risk and protecting the Company’s interests.

The Policy further aims to facilitate informed decision-making, strengthen internal controls, improve operational resilience, ensure regulatory compliance, safeguard assets and reputation, and support sustainable business growth. Through effective implementation of this Policy, the Company seeks to maintain a balance between risk and reward while remaining aligned with its strategic objectives and risk-bearing capacity.

3. RISK MANAGEMENT PHILOSOPHY

The Company’s risk management philosophy is founded on the principle that prudent risk-taking is essential for business growth, but such risks must be understood, measured, and managed effectively. The Company believes that risks should be considered at every stage of business planning and execution and that responsibility for risk management extends across all levels of the organization.

Risk management is viewed as a continuous and dynamic process rather than a one-time exercise. The Company recognizes that the business environment is constantly evolving due to changes in economic conditions, regulatory developments, technology advancements, competitive pressures, and customer expectations. Accordingly, the Company’s risk management framework shall remain adaptive and responsive to emerging risks and opportunities.

4. RISK APPETITE FRAMEWORK

The Board of Directors shall determine and periodically review the Company’s Risk Appetite Framework, which establishes the level and types of risk the Company is willing to assume in pursuit of its business objectives.

The Company maintains a moderate appetite towards credit and business risks associated with its lending operations, provided such risks are supported by adequate underwriting standards, monitoring mechanisms, and risk mitigation measures. At the same time, the Company maintains a conservative approach towards liquidity risk, capital adequacy risk, compliance risk, operational failures, fraud, cybersecurity incidents, and reputational damage.

The Company shall maintain zero tolerance towards deliberate regulatory violations, unethical conduct, money laundering activities, fraudulent practices, and actions that may adversely impact its integrity or reputation. The Risk Appetite Framework shall be reviewed periodically in light of business strategy, economic conditions, portfolio performance, and regulatory expectations.

5. THREE LINES OF DEFENCE MODEL

The Company adopts the Three Lines of Defence model to ensure effective risk governance and accountability.

The first line of defence comprises business and operational functions that own and manage risks on a day-to-day basis. These functions are responsible for identifying risks, implementing controls, and ensuring compliance with approved policies and procedures.

The second line of defence comprises management oversight functions responsible for monitoring risk exposures, establishing risk management standards, reviewing compliance, and providing guidance to business units regarding risk mitigation measures.

The third line of defence comprises Internal Audit, which provides independent assurance to the Board and senior management regarding the adequacy and effectiveness of the Company’s risk management framework, governance processes, and internal control systems.

6. RISK GOVERNANCE STRUCTURE

The Company shall maintain a robust risk governance framework to ensure effective oversight, management, monitoring, and reporting of risks across the organization. The framework shall establish clear accountability and responsibilities at various levels of the organization and shall ensure that risk management remains an integral part of strategic planning, decision-making, and day-to-day business operations.

6.1 Board of Directors

The Board of Directors shall have the ultimate responsibility for oversight of the Company's risk management framework.

The Board shall approve the Risk Management Policy, establish the Company's risk appetite, review significant risk exposures, and ensure that appropriate systems, controls, policies, and reporting mechanisms are established for effective risk management.

The Board shall periodically review the adequacy and effectiveness of the Company's risk management framework and ensure that material risks are identified, assessed, monitored, and mitigated in a timely manner. The Board shall also provide strategic direction regarding risk governance and ensure that the Company's business activities remain aligned with its risk appetite and long-term objectives.

6.2 Risk Management Committee

The Company shall constitute a Risk Management Committee ("RMC") in accordance with applicable laws, regulatory requirements, and directions issued by the Reserve Bank of India from time to time. The Committee shall function as a Board-level oversight mechanism and shall assist the Board of Directors in discharging its responsibilities relating to risk governance and risk management.

The Risk Management Committee shall be responsible for overseeing the implementation and effectiveness of the Company's Enterprise Risk Management Framework and ensuring that material risks are identified, assessed, monitored, managed, mitigated, and reported appropriately throughout the organization.

The Committee shall periodically review the Company's overall risk profile and evaluate its exposure to various categories of risks including, but not limited to, credit risk, liquidity risk, operational risk, compliance risk, legal risk, information technology risk, cyber security risk, fraud risk, reputational risk, strategic risk, outsourcing risk, environmental, social and governance (ESG) risks, business continuity risks, and any other material risks that may impact the Company's business, financial condition, operations, or reputation.

The Committee shall review the adequacy and effectiveness of the Company's risk management policies, internal control systems, risk mitigation measures, business continuity arrangements, disaster recovery mechanisms, stress testing framework, asset-liability management practices, early warning signal framework, risk appetite framework, and key risk indicators. The Committee shall ensure that appropriate systems and controls are established for timely identification and management of emerging risks.

The Committee shall periodically review risk assessment reports, internal audit findings, compliance reports, stress testing results, operational loss reports, fraud reports, and other risk-related information submitted by the management. The Committee shall evaluate the effectiveness of corrective actions implemented by management and may recommend additional safeguards and controls wherever necessary.

The Committee shall review significant risk incidents, policy breaches, control failures, regulatory observations, cyber security incidents, and other events that may materially affect the Company's risk profile and shall recommend appropriate remedial actions to the management and the Board.

The Committee shall periodically review the Company's Risk Appetite Framework and recommend modifications to the Board whenever required due to changes in business strategy, market conditions, economic environment, regulatory developments, or the Company's risk-bearing capacity.

The Committee shall advise the Board on risk strategy, risk governance, risk appetite, and risk management practices and shall ensure that business activities remain aligned with the risk appetite approved by the Board. The Committee shall also promote a culture of risk awareness throughout the organization and encourage proactive identification and management of risks at all levels.

The composition, powers, functions, quorum, frequency of meetings, and terms of reference of the Risk Management Committee shall be determined by the Board of Directors and reviewed from time to time in accordance with applicable laws, regulatory requirements, and the Company's governance framework.

The Risk Management Committee shall meet at such intervals as may be considered necessary for the effective discharge of its responsibilities and shall maintain proper records of its deliberations, recommendations, and decisions.

6.3 Senior Management

Senior Management shall be responsible for implementing the Risk Management Policy and ensuring that the risk management framework approved by the Board is effectively integrated into the Company's day-to-day operations.

Senior Management shall identify significant risks within their respective areas of responsibility, establish appropriate control mechanisms, monitor risk exposures, implement mitigation measures, and ensure timely reporting of material risk events to the Risk Management Committee and the Board of Directors.

Management shall also be responsible for fostering a culture of accountability, transparency, and risk awareness throughout the organization and ensuring compliance with approved policies and regulatory requirements.

7. ENTERPRISE RISK MANAGEMENT FRAMEWORK

The Company shall maintain an enterprise-wide risk management framework that enables systematic identification, assessment, measurement, monitoring, reporting, and mitigation of risks.

Risk identification shall be carried out on a continuous basis through management reviews, business assessments, internal audits, compliance reviews, portfolio monitoring exercises, and environmental scanning. Once identified, risks shall be evaluated based on their likelihood of occurrence and potential impact on the Company’s financial position, operational effectiveness, regulatory compliance, strategic objectives, and reputation.

Appropriate controls and mitigation measures shall then be implemented to reduce residual risks to acceptable levels. The effectiveness of such controls shall be reviewed periodically through monitoring activities, internal audits, management reviews, and Committee oversight.

8. RISK MATRIX

For the purpose of risk assessment, the Company shall maintain a Risk Matrix that categorizes risks based on their likelihood and impact. Risks shall generally be classified as Low, Moderate, High, or Critical.

Likelihood shall be assessed considering the probability of occurrence, historical experience, and prevailing business conditions. Impact shall be assessed considering financial loss, operational disruption, regulatory consequences, reputational implications, and customer impact.

The Risk Matrix shall serve as a tool for prioritization of risk mitigation efforts and allocation of management resources.

9. KEY RISK INDICATORS (KRIs)

The Company shall establish Key Risk Indicators for monitoring material risks across business functions. KRIs shall act as early warning tools and assist management in identifying adverse trends before they result in significant losses or disruptions.

Illustrative KRIs may include portfolio delinquency ratios, collection efficiency levels, borrower concentration levels, liquidity coverage indicators, regulatory compliance exceptions, customer complaints, employee attrition rates, cybersecurity incidents, operational loss events, and audit observations.

Thresholds for KRIs shall be determined by management and reviewed periodically. Breaches of established thresholds shall be reported to the appropriate authority for corrective action.

10. CREDIT RISK MANAGEMENT

Credit risk represents the most significant risk faced by the Company in the course of its lending activities.

The Company shall maintain prudent underwriting standards and robust credit appraisal mechanisms to ensure that lending decisions are based on adequate assessment of borrowers’ repayment capacity, financial condition, business prospects, and credit history.

The Company shall seek to diversify its credit portfolio to avoid excessive concentration in any particular borrower, sector, geographic region, or product segment. Continuous monitoring of loan accounts shall be undertaken to identify signs of stress, deterioration in repayment capacity, or adverse changes in borrower circumstances. Portfolio quality indicators shall be reviewed periodically by management and the Risk Management Committee.

11. EARLY WARNING SIGNAL FRAMEWORK

The Company shall maintain a structured Early Warning Signal (“EWS”) framework to facilitate timely identification of stress in borrower accounts and business operations.

Indicators such as delayed repayments, recurring cheque dishonours, deterioration in financial performance, adverse credit bureau reports, legal proceedings, significant decline in business turnover, restructuring requests, and negative market information shall be monitored regularly.

Where early warning signals are observed, enhanced monitoring, corrective measures, recovery actions, or other appropriate interventions shall be undertaken to minimize potential losses.

12. ASSET LIABILITY MANAGEMENT AND LIQUIDITY RISK

The Company recognizes that prudent liquidity management is critical for maintaining financial stability and meeting obligations as they fall due. The Company shall therefore maintain an Asset Liability Management framework commensurate with the size and complexity of its operations.

Management shall periodically review maturity profiles of assets and liabilities, funding concentrations, liquidity buffers, and projected cash flows.

The objective shall be to minimize liquidity mismatches and ensure availability of sufficient funds under both normal and stressed conditions. The Company shall maintain adequate liquidity reserves and funding arrangements to address unforeseen liquidity pressures.

13. OPERATIONAL RISK MANAGEMENT

Operational risk may arise from inadequate processes, human error, system failures, fraud, external events, or deficiencies in internal controls.

The Company shall seek to mitigate operational risks through well-documented policies, standard operating procedures, segregation of duties, authorization controls, maker-checker mechanisms, employee training programs, and technology-enabled monitoring systems.

Management shall periodically review operational incidents and implement corrective measures to strengthen internal controls and prevent recurrence.

14. INFORMATION TECHNOLOGY AND CYBER SECURITY RISK

Technology has become integral to the Company’s operations and service delivery. The Company therefore recognizes cybersecurity and information security as critical components of its risk management framework.

Appropriate safeguards shall be implemented to protect information assets against unauthorized access, data breaches, cyber-attacks, malware, ransomware, and system disruptions. Periodic vulnerability assessments, access reviews, data backup procedures, and incident response mechanisms shall be maintained to enhance cyber resilience.

15. FRAUD RISK MANAGEMENT

The Company shall maintain a strong control environment aimed at preventing, detecting, and responding to fraudulent activities. Fraud risk management shall be supported by internal controls, whistle blower mechanisms, periodic audits, employee awareness programs, due diligence procedures, and investigation protocols.

All fraud incidents shall be reported, investigated, and addressed in accordance with applicable laws, internal policies, and regulatory requirements.

16. AML, KYC AND FINANCIAL CRIME RISK

The Company shall maintain robust systems for compliance with Anti-Money Laundering (AML), Know Your Customer (KYC), Prevention of Money Laundering Act (PMLA), and related regulatory requirements.

Appropriate customer due diligence procedures shall be followed prior to onboarding customers. Transactions shall be monitored for suspicious activity, and reporting obligations shall be fulfilled in accordance with applicable regulations. The Company shall adopt a zero-tolerance approach towards money laundering, terrorist financing, and financial crimes.

17. OUTSOURCING RISK MANAGEMENT

Where business activities or support functions are outsourced to third-party service providers, the Company shall ensure that such arrangements do not adversely affect customer interests, operational efficiency, regulatory compliance, or data security.

Appropriate due diligence shall be undertaken prior to engaging service providers, and periodic performance reviews shall be conducted to assess service quality and risk exposures.

18. RELATED PARTY RISK MANAGEMENT

Transactions with related parties shall be undertaken in accordance with applicable provisions of the Companies Act, RBI regulations, and approved Company policies. Such transactions shall be conducted on an arm’s length basis and in the ordinary course of business wherever applicable. The Company shall ensure adequate oversight to prevent conflicts of interest and safeguard stakeholder interests.

19. ESG AND CLIMATE RISK

The Company recognizes that environmental, social, and governance factors are increasingly influencing business sustainability and stakeholder expectations. While the Company’s current scale of operations may not expose it to significant climate-related risks, management shall remain vigilant to emerging ESG risks and regulatory developments in this area.

Consideration shall be given to environmental and social factors while evaluating significant business decisions and strategic initiatives.

20. STRESS TESTING FRAMEWORK

The Company shall conduct periodic stress testing exercises to assess its resilience under adverse scenarios. Stress tests shall evaluate the potential impact of economic downturns, rising defaults, liquidity shocks, increased funding costs, regulatory changes, market disruptions, and operational incidents.

Results of stress testing exercises shall be reviewed by the Risk Management Committee and used in strategic planning, capital management, and contingency preparedness.

21. BUSINESS CONTINUITY AND DISASTER RECOVERY

The Company shall maintain appropriate Business Continuity and Disaster Recovery arrangements to ensure continuity of critical operations during emergencies arising from natural disasters, cyber incidents, infrastructure failures, pandemics, or other disruptive events. Periodic testing and review of continuity arrangements shall be undertaken to ensure operational readiness.

22. REVIEW OF POLICY

This Policy shall be reviewed annually or earlier if necessitated by changes in the Company’s business model, risk profile, regulatory framework, or operational environment. Any amendments to the Policy shall be subject to approval by the Board of Directors.

23. EFFECTIVE DATE

This Policy shall become effective from the date of approval by the Board of Directors of Regency Fincorp Limited and shall remain in force until modified, amended, or replaced by the Board.