Risk Assurance: The Challenge Ahead

I wrote about risk assurance a while ago (here). More recently, I have had a chance to talk with a few people in banking and consulting about it, and to reflect further on the subject.

By way of background, my working definition of risk assurance is a structured activity undertaken by the risk function (second line) which is aimed at evidencing that risk management is embedded in the business. Feel free to comment on this definition.

The important thing about risk assurance is that it matters because it contributes to shifting (or to maintaining, if you wish) the appropriate risk culture in the business. What do I mean by this? I hope we can all agree that the appropriate risk culture in financial services is one that includes the following:

• the business takes into account risks in decision making and can evidence that, including compliance with regulatory requirements; and
• the risk function provides the parameters for taking into account risk in decision making (risk appetite framework, stress testing, etc) and aggregate risks.

Truly achieving that is a challenging journey that takes time. Many insurers and banks started the risk management journey as a result of regulatory requirements—Solvency 2 or Basel. In practice, this has meant that sometimes risk functions have taken up activities like approvals that belong to business functions. Risk assurance will generate evidence about how risk management operates in practice. It will also help to shift the focus of the risk function—and, in turn, the business—in the appropriate direction.

I have worked with a number of clients to implement programmes of risk assurance. Interestingly, these engagements have turned out to be rather different because they must reflect the starting point for the business. In one case, the risk function was well resourced, and the focus was planning. In another case, the focus was a combination of up-skilling and evidencing through pilot risk reviews that the activity can add value.

Leaving aside the considerations associated with implementation, it is important that there be a shared perspective about the overall aim of risk assurance, i.e. ‘integrated assurance’. This reflects two simple observations:

• internal audit functions already provide assurance about the overall control environment;
• from a Board perspective, assurance is assurance, regardless of which team/line of defence provides it.

In other words, the aim would be to develop a risk-based assurance plan which covers deliverables by 2LOD and 3LOD in such a way that the Board can understand where independent assurance has been provided.

I would be interested to hear your thoughts.

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here. 

Risk Reviews: Not 'a Bridge Too Far'

The role of a Chief Risk Officer (CRO) and her team in the context of a three-lines-of-defence model in financial services can be best described, in my view, as ‘to protect and enable’ (click here for an earlier post on the subject).   Consistent with that, financial services supervisors in the UK and EU refer to the oversight role that the CRO's team provides. 

There are many issues and considerations in embedding effective risk management in financial services businesses.  At one level, oversight requires the CRO’s team to develop the appropriate engagement with the business to provide support, to challenge and to ensure that risk management features ultimately in decision making.  This may result in recommendations for senior management. 

On its own, this is unlikely to be adequate to evidence appropriate and effective oversight for two reasons.  Firstly, the rationale for covering certain business areas or aspects would not be evident.   Secondly, there may be overlaps with the areas reviewed by Internal Audit. 

The answer is not to restrict the engagement between businesses and the CRO’s team.  Instead, the CRO should put in place a programme of risk review which is coordinated with Internal Audit to avoid overlaps or underlaps.

A structured programme of risk reviews requires consideration of the risks to which the business is exposed and their materiality, as well as business cover.  For example, it would not be sensible to cover just one business area, even if that is the main source of risk. 

The key aspect of the development of a programme of risk reviews is identifying a number of potential reviews that map into a grid of risks, materiality and business areas.  The list of reviews is then whittled down in discussions with the CRO and the leadership team to a programme that is consistent with the scale of the business and the maturity of the CRO’s team.

The Board (or a Risk Committee) should review the proposed programme of risk reviews.  Some businesses require a combined submission from Internal Audit and the CRO to identify a complete assurance landscape.  The CRO’s team should then plan the reviews, including setting out terms of reference agreed upon with the business and delivering them throughout the year.  The CRO should also provide regular reports to the Board about the findings of the various reviews and management delivery of recommendations.

Overall, a programme of risk reviews complements Internal Audit’s activities because of the involvement of the CRO’s team on a real time basis in key business processes such as business planning and product development.  Experience suggests that overlaps with Internal Audit can be avoided and that performing these reviews enables the CRO team to get even closer to the business and embed risk management ― ‘to protect and enable’.   

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

Risk Management Lessons From the Co-op Bank's Demise

One of the fallouts from the financial crisis in the UK was the demise of the Co-op Bank as part of the Co-operative movement.  The UK regulators (the PRA and the FCA) investigated the causes of the bank’s demise and issued simultaneous enforcement notices earlier this year (here and here).  The key failures identified by the regulators are summarised in Box 1. 

One of the key points for the press was the regulators decision to waive any financial penalties, reflecting the financial conditions of the Coop Bank.  However, from a risk management perspective, the enforcement notice represents an interesting catalogue of lessons in risk management for both banks and insurers: 

1.  Risks and business strategy go hand in hand.  It is difficult to manage risks effectively in the absence of a clear and comprehensive strategy for key lines of business. 

2.  A ‘cautious’ risk appetite statement is not enough.  Business decisions still must be evidenced as ‘cautious’ in practice even if this happens on a qualitative basis. 

3. The remit of the risk function includes valuations and accounting decisions.  This is particularly relevant in terms of the challenge and governance to (changes to) assumptions associated with discretionary features about valuation e.g. about the timing of redemption of capital instruments.   

4.  Policies are more than documents.   Compliance with policies must be evidenced.  A complex and changing business reality cannot be captured through prescriptive policies.  Certain discretions must be factored into decision making processes.  The risk oversight should cover how those discretions are applied in practice.   

5.   An open and cooperative relationship with the regulators is not just about issues.  It includes updating the supervisor regarding concerns about the position of senior individuals leading to intended changes.

6.  An effective risk culture is an outcome of business decisions about risk.  This was one of the concerns of the regulators.  The regulator’s articulation of an effective risk culture is interesting: ‘A culture in which accepted orthodoxies are challenged, action is taken to address risks on a timely basis and risk and control functions carry real weight is likely to support prudent management.’  In a nutshell, a risk culture is not end in itself but the means to support prudent management.

The enforcement notice mentions other issues regarding the shortcomings of the risk management oversight and internal audit. 

Finally, it is worth noting that the period of time formally considered by the regulators stretches from July 2009 – weeks before the Co-op Bank’s merger with the Britannia Building Society – to December 2013 – when it ceases to be a wholly owned subsidiary of the Co-op Group.   I don’t think the shortcomings just materialised in July 2009. 

This suggests that the perceived connection between responses to the financial crisis and strengthening risk management may not have been as widespread as it might have seemed.  The shortcomings are clearly serious and while they may not be critical when taken individually or addressed within a short period of time, it is the cumulative impact that had the effect of bringing the Co-op bank's demise.    

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page Enforcement Cases of Crescendo ERM blog.

Pragmatic Implementation of ERM in Financial Services - the Internal Audit Perspective

I wrote in a previous post (here) about a pragmatic approach to implement ERM in financial services.

This was partly about recognising the practical implications of what is often said that ERM is a journey rather than a destination.  The suggestions made included assessing regularly the effectiveness of the ERM system to inform future improvements and that internal audit teams be tasked with that assessment, given their independence from the business and risk function. 

Someone suggested that I look up the report of a commission established by the UK's Chartered Institute of Internal Auditors to consider the effectiveness of internal audit in financial services (here).

I was pleasantly surprised to read one of the recommendations:  “Internal Audit should include within its scope an assessment of the adequacy and effectiveness of the Risk Management …” (page 8 of the report).

It is interesting that while the Chartered Institute of Internal Auditors and I were looking at this from different perspectives – assurance and implementation, respectively – we both ended up with the same conclusion about the importance of assessing how ERM is operating in practice. 

Leaving this aside, the report is worth reading to see in practice how risk considerations are affecting other parts of a financial services business.  Wearing my economics hat, I particularly liked the Committee’s recognition that mandating 'best practice' of application would not be appropriate (page 5).  Indeed, there is a cost-benefit consideration for each financial services business which should shape how these guidelines are complied.  Requiring best practice simply rules out this cost-benefit consideration, which can be more beneficial in the long-term.