I wrote about risk assurance a while ago (here). More recently, I have had a chance to talk with a few people in banking and consulting about it, and to reflect further on the subject.
By way of background, my working definition of risk assurance is a structured activity undertaken by the risk function (second line) which is aimed at evidencing that risk management is embedded in the business. Feel free to comment on this definition.
The important thing about risk assurance is that it matters because it contributes to shifting (or to maintaining, if you wish) the appropriate risk culture in the business. What do I mean by this? I hope we can all agree that the appropriate risk culture in financial services is one that includes the following:
- the business takes into account risks in decision making and can evidence that, including compliance with regulatory requirements; and
- the risk function provides the parameters for taking into account risk in decision making (risk appetite framework, stress testing, etc) and aggregates risks.
Truly achieving that is a challenging journey that takes time. Many insurers and banks started the risk management journey as a result of regulatory requirements—Solvency 2 or Basel. In practice, this has meant that sometimes risk functions have taken up activities like approvals that belong to business functions. Risk assurance will generate evidence about how risk management operates in practice. It will also help to shift the focus of the risk function—and, in turn, the business—in the appropriate direction.
I have worked with a number of clients to implement programmes of risk assurance. Interestingly, these engagements have turned out to be rather different because they must reflect the starting point for the business. In one case, the risk function was well resourced, and the focus was planning. In another case, the focus was a combination of up-skilling and evidencing through pilot risk reviews that the activity can add value.
Leaving aside the considerations associated with implementation, it is important that there be a shared perspective about the overall aim of risk assurance, i.e. ‘integrated assurance’. This reflects two simple observations:
- internal audit functions already provide assurance about the overall control environment;
- from a Board perspective, assurance is assurance, regardless of which team/line of defence provides it.
In other words, the aim would be to develop a risk-based assurance plan which covers deliverables by 2LOD and 3LOD in such a way that the Board can understand where independent assurance has been provided.
I would be interested to hear your thoughts.