The role of a Chief Risk Officer (CRO) and her team in the context of a three-lines-of-defence model in financial services can be best described, in my view, as ‘to protect and enable’. Consistent with that, financial services supervisors in the UK and EU refer to the oversight role that the CRO’s team provides.

There are many issues and considerations in embedding effective risk management in financial services businesses. At one level, oversight requires the CRO’s team to develop the appropriate engagement with the business: to provide support, to challenge, and to ensure that risk management ultimately features in decision making. This may result in recommendations for senior management.

On its own, this is unlikely to be adequate to evidence appropriate and effective oversight, for two reasons. Firstly, the rationale for covering certain business areas or aspects would not be evident. Secondly, there may be overlaps with the areas reviewed by Internal Audit.

The answer is not to restrict the engagement between businesses and the CRO’s team. Instead, the CRO should put in place a programme of risk reviews which is coordinated with Internal Audit to avoid overlaps or underlaps.

A structured programme of risk reviews requires consideration of the risks to which the business is exposed and their materiality, as well as coverage of business areas. For example, it would not be sensible to cover just one business area, even if that is the main source of risk.

The key aspect of developing a programme of risk reviews is identifying a number of potential reviews that map onto a grid of risks, materiality and business areas. The list of reviews is then whittled down in discussions with the CRO and the leadership team to a programme that is consistent with the scale of the business and the maturity of the CRO’s team.

The Board (or a Risk Committee) should review the proposed programme of risk reviews. Some businesses require a combined submission from Internal Audit and the CRO to identify a complete assurance landscape.

The CRO’s team should then plan the reviews, including setting out terms of reference agreed with the business, and deliver them throughout the year. The CRO should also provide regular reports to the Board about the findings of the various reviews and management’s delivery of the recommendations.

Overall, a programme of risk reviews complements Internal Audit’s activities because the CRO’s team is involved on a real-time basis in key business processes such as business planning and product development.

Experience suggests that overlaps with Internal Audit can be avoided and that performing these reviews enables the CRO’s team to get even closer to the business and embed risk management, that is, ‘to protect and enable’.