The role of a Chief Risk Officer (CRO) and her team in the context of a three-lines-of-defence model in financial services can be best described, in my view, as ‘to protect and enable’ (click here for an earlier post on the subject). Consistent with that, financial services supervisors in the UK and EU refer to the oversight role that the CRO's team provides.
There are many issues and considerations in embedding effective risk management in financial services businesses. At one level, oversight requires the CRO’s team to develop the appropriate engagement with the business to provide support, to challenge and to ensure that risk management features ultimately in decision making. This may result in recommendations for senior management.
On its own, this is unlikely to be adequate to evidence appropriate and effective oversight for two reasons. Firstly, the rationale for covering certain business areas or aspects would not be evident. Secondly, there may be overlaps with the areas reviewed by Internal Audit.
The answer is not to restrict the engagement between businesses and the CRO’s team. Instead, the CRO should put in place a programme of risk review which is coordinated with Internal Audit to avoid overlaps or underlaps.
A structured programme of risk reviews requires consideration of the risks to which the business is exposed and their materiality, as well as business cover. For example, it would not be sensible to cover just one business area, even if that is the main source of risk.
The key aspect of the development of a programme of risk reviews is identifying a number of potential reviews that map into a grid of risks, materiality and business areas. The list of reviews is then whittled down in discussions with the CRO and the leadership team to a programme that is consistent with the scale of the business and the maturity of the CRO’s team.
The Board (or a Risk Committee) should review the proposed programme of risk reviews. Some businesses require a combined submission from Internal Audit and the CRO to identify a complete assurance landscape. The CRO’s team should then plan the reviews, including setting out terms of reference agreed upon with the business and delivering them throughout the year. The CRO should also provide regular reports to the Board about the findings of the various reviews and management delivery of recommendations.
Overall, a programme of risk reviews complements Internal Audit’s activities because of the involvement of the CRO’s team on a real time basis in key business processes such as business planning and product development. Experience suggests that overlaps with Internal Audit can be avoided and that performing these reviews enables the CRO team to get even closer to the business and embed risk management ― ‘to protect and enable’.
If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here. My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox.