International Association of Risk and Compliance Professionals (IARCP)
http://www.risk-compliance-association.com
Every Monday
Top 10 risk and compliance management related news stories and world events
Do you want to receive (at no cost) every Monday the Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next?
You can register at:
http://www.risk-compliance-association.com/Top_10_Risk_Compliance_Management_Stories_Events.html
Receive the New Member Orientation Newsletters
You will have the opportunity to learn (at no cost) what members registered before you have already learned. Understand better risk and compliance management, projects, careers, challenges and opportunities.
You can register at:
http://www.risk-compliance-association.com/New_Member_Orientation_Newsletters.html
Risk management presentation June 10 2013
International Association of Risk and Compliance Professionals (IARCP)
1200 G Street NW Suite 800 Washington, DC 20005-6705 USA
Tel: 202-449-9750 www.risk-compliance-association.com
Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next
Dear Member,
It was 2 a.m. and I was ready to sleep, but I also wanted to check my emails another time.
Yes, I have read the famous book "The 4-Hour Workweek" by Timothy Ferriss, but I disagree with him, so I have decided to do the opposite: To check emails more frequently. Sorry Tim.
One of the first emails was an important one: Red Alert, China occupies the Public Company Accounting Oversight Board.
There was even a picture!
What?
I know that China implements a Chinese Sarbanes-Oxley… but what is that now?
I read in the picture that PCAOB James R. Doty "
"
What? Is James R. Doty well?
Fortunately, James is very well. There was no red alert. One of my friends, John, an attorney, sent me this email.
Read more about
at number 7 of our list below.
The following morning, I received another email.
Title: "Forecasting is the art of saying what will happen, and then explaining why it didn't"
Message: I hate you. Our boss is following your stress testing recommendations. Lao Tzu has said that those who have knowledge don't predict. Those who predict, don't have knowledge.
Signature: Terminator
Terminator?
Arnold Schwarzenegger, did you send this email?
Who? Lao Tzu? The Chinese again?
I replied!
"Dear Arnold (or other Terminator),
It is not me! It is Basel iii that asks for a forward-looking perspective! Basel iii requires stress testing. And, we have a crystal ball in risk management: The recommendations of the Financial Stability Board (FSB)."
The recommendations…
Who reads these recommendations? So important ... I have led some classes since January, nobody reads FSB.
They laugh when I say read FSB every morning, before reading FT or WSJ!
It is time to read the recommendations of the FSB carefully. It is about the board, senior management, risk officers, compliance officers, internal and external auditors.
This is our Number 1. These pages are so important.
Welcome to the Top 10 list.
Best Regards,
George Lekatis
President of the IARCP
General Manager, Compliance LLC
1200 G Street NW Suite 800, Washington DC 20005, USA
Tel: (202) 449-9750
Email: lekatis@risk-compliance-association.com
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804, Wilmington DE 19801, USA
Tel: (302) 342-8828
Thematic Review on Risk Governance
Peer Review Report
Financial Stability Board (FSB) member jurisdictions have committed, under the FSB Charter and in the FSB Framework for Strengthening Adherence to International Standards, to undergo periodic peer reviews.
To fulfil this responsibility, the FSB has established a regular programme of country and thematic peer reviews of its member jurisdictions.
Thematic reviews focus on the implementation and effectiveness across the FSB membership of international financial standards developed by standard-setting bodies and policies agreed within the FSB in a particular area important for global financial stability.
Keynote Luncheon Speech
By Commissioner Elisse B. Walter
U.S. Securities and Exchange Commission
32nd Annual SEC and Financial Reporting Institute Conference, Pasadena, CA
Background on the PCAOB
Steven B. Harris, Board Member
Kennesaw State Graduate Student Meeting
Washington, DC
Financial Conglomerates Directive
Technical Review
This Prudential Regulation Authority (PRA) policy statement publishes the final rules implementing the Financial Conglomerates Directive Technical Review (2011/89/EC) (FICOD 1) which amends the Financial Conglomerates Directive (2002/87/EC) and certain other Directives insofar as they apply to financial conglomerates.
Committee on the Global Financial System
CGFS Papers No 49
Asset encumbrance, financial reform and the demand for collateral assets
Report submitted by a Working Group established by the Committee on the Global Financial System
The Group was chaired by Aerdt Houben, Netherlands Bank
Given that the demand for collateral assets is increasing, the Committee on the Global Financial System (CGFS) in May 2012 established a Working Group (chaired by Aerdt Houben, Netherlands Bank) to explore the implications of this trend for markets and policy.
This report presents the Group's findings from a system-wide perspective and draws broad conclusions for policymakers.
The report presents evidence of increased reliance by banks on collateralised funding markets in recent years for some regions, with the increase being most pronounced in Europe.
Peer Review of Switzerland
Review Report
FSB country peer reviews
The FSB has established a regular programme of country peer reviews of its member jurisdictions.
The objective of the reviews is to examine the steps taken or planned by national authorities to address International Monetary Fund (IMF) - World Bank FSAP recommendations concerning financial regulation and supervision as well as institutional and market infrastructure.
PCAOB Enters into Enforcement Cooperation Agreement with Chinese Regulators
The Public Company Accounting Oversight Board announced that it has entered into a Memorandum of Understanding (MOU) on Enforcement Cooperation with the China Securities Regulatory Commission (CSRC) and the Ministry of Finance (MOF).
The MOU establishes a cooperative framework between the parties for the production and exchange of audit documents relevant to investigations in both countries' respective jurisdictions.
More specifically, it provides a mechanism for the parties to request and receive from each other assistance in obtaining documents and information in furtherance of their investigative duties.
Islamic commerce and finance
Opening remarks by Dr Michael Gondwe, Governor of the Bank of Zambia, at the workshop on "Islamic commerce and finance", Lusaka.
Three questions on the nature and management of risk
Keynote speech by Mr Norman T L Chan, Chief Executive of the Hong Kong Monetary Authority, at the Hong Kong Monetary Authority-Global Association of Risk Professionals (GARP) Global Risk Forum Opening Dinner, Hong Kong.
Investor Protection Through Economic Analysis
By Craig M. Lewis, Chief Economist and Director, Division of Risk, Strategy, and Financial Innovation, U.S. Securities and Exchange Commission
Speech at the Pennsylvania Association of Public Employee Retirement Systems Annual Spring Forum, Harrisburg, PA
Thematic Review on Risk Governance
Peer Review Report
Foreword
Financial Stability Board (FSB) member jurisdictions have committed, under the FSB Charter and in the FSB Framework for Strengthening Adherence to International Standards, to undergo periodic peer reviews.
To fulfil this responsibility, the FSB has established a regular programme of country and thematic peer reviews of its member jurisdictions.
Thematic reviews focus on the implementation and effectiveness across the FSB membership of international financial standards developed by standard-setting bodies and policies agreed within the FSB in a particular area important for global financial stability.
Thematic reviews may also analyse other areas important for global financial stability where international standards or policies do not yet exist.
The objectives of the reviews are to encourage consistent cross-country and cross-sector implementation; to evaluate (where possible) the extent to which standards and policies have had their intended results; and to identify gaps and weaknesses in reviewed areas and to make recommendations for potential follow-up (including via the development of new standards) by FSB members.
This report describes the findings of the thematic peer review on risk governance, including the key elements of the discussion in the FSB Standing Committee on Standards Implementation (SCSI).
The draft report for discussion was prepared by a team chaired by Swee Lian Teo (Monetary Authority of Singapore), comprising Ted Price (Canada Office of the Superintendent of Financial Institutions), Xiang Qi (China Banking Regulatory Commission), Jérôme Lachand (France Autorité de Contrôle Prudentiel), Sofia Nikopoulos (German BaFin), Adriana Elizondo (Mexico National Banking and Securities Commission), Francisco Gil (Bank of Spain), Mike Brosnan (United States Office of the Comptroller of the Currency), Xavier-Yves Zanota (member of the Basel Committee on Banking Supervision Secretariat), Mats Isaksson (Organisation for Economic Co-operation and Development), and Laura Ard (World Bank).
Merylin Coombs and Grace Sone (FSB Secretariat) provided support to the team and contributed to the preparation of the peer review report.
Executive summary
The recent global financial crisis exposed a number of governance weaknesses that resulted in firms' failure to understand the risks they were taking.
In the wake of the crisis, numerous reports painted a fairly bleak picture of risk governance frameworks at financial institutions, which consist of the three key functions: The board, the firm-wide risk management function, and the independent assessment of risk governance.
The crisis highlighted that many boards had directors with little financial industry experience and limited understanding of the rapidly increasing complexity of the institutions they were leading.
Too often, directors were unable to dedicate sufficient time to understand the firm's business model and too deferential to senior management.
In addition, many boards did not pay sufficient attention to risk management or set up effective structures, such as a dedicated risk committee, to facilitate meaningful analysis of the firm's risk exposures and to constructively challenge management's proposals and decisions.
The risk committees that did exist were often staffed by directors short on both experience and independence from management.
The information provided to the board was voluminous and not easily understood, which hampered the ability of directors to fulfil their responsibilities.
Moreover, most firms lacked a formal process to independently assess the propriety of their risk governance frameworks.
Without the appropriate checks and balances provided by the board, the risk management function, and independent assessment functions, a culture of excessive risk-taking and leverage was allowed to permeate in these weakly governed firms.
Further, with the risk management function lacking the authority, stature and independence to rein in the firm's risk-taking, the ability to address any weaknesses in risk governance identified by internal control assessment and testing processes was obstructed.
The peer review found that, since the crisis, national authorities have taken several measures to improve regulatory and supervisory oversight of risk governance at financial institutions.
These measures include developing or strengthening existing regulation or guidance, raising supervisory expectations for the risk management function, engaging more frequently with the board and management, and assessing the accuracy and usefulness of the information provided to the board to enable effective discharge of their responsibilities.
Nonetheless, more work remains; national authorities need to strengthen their ability to assess the effectiveness of a firm's risk governance, and more specifically its risk culture, to help ensure sound risk governance through changing environments.
Supervisors will need to undergo a substantial change in approach since assessing risk governance frameworks entails forming an integrated view across all aspects of the framework.
The peer review also asked supervisors to evaluate progress made by their surveyed firm(s) toward enhanced risk governance in seven areas.
To provide some consistency to this exercise, the review team developed high-level criteria to assist supervisory evaluations of firms' progress, drawing from a compilation of relevant principles, recommendations and supervisory guidance.
The high-level criteria were viewed as fundamental prerequisites for risk governance frameworks.
This evaluation found that many of the best risk governance practices at surveyed firms are now more advanced than national guidance.
This outcome may have been motivated by firms' need to regain market confidence rather than regulatory requirements.
Firms have made particular progress in:
• assessing the collective skills and qualifications of the board as well as the board's effectiveness either through self-evaluations or through the use of third parties;
• instituting a stand-alone risk committee that is composed only of independent directors and having a clear definition of independence;
• establishing a group-wide chief risk officer (CRO) and risk management function that is independent from revenue-generating responsibilities and has the stature, authority and independence to challenge decisions on risk made by management and business lines; and
• integrating the discussions among the risk and audit committees through joint meetings or cross-membership.
Although many surveyed firms have made progress in the last few years, significant gaps remain, relative to the criteria developed, particularly in risk management.
There were also differences in progress across regions, with firms in advanced economies having adopted more of the desirable risk governance practices.
The results of the supervisory evaluations were grouped by:
(i) all surveyed firms;
(ii) firms identified by the FSB and Basel Committee on Banking Supervision (BCBS) as global systemically important financial institutions, or G-SIFIs; and
(iii) firms that reside in advanced economies (AEs) or emerging market and developing economies (EMDEs).
In summary, across the seven areas evaluated, firms have made the most progress in defining the board's role and responsibilities, and reasonable progress in their approach to risk governance and the independent assessment of risk governance.
The supervisory evaluations, however, indicate that surveyed firms should continue to work toward defining the responsibilities of the risk committee and strengthening their risk management functions, as nearly 50 per cent of surveyed firms did not meet all of the evaluation criteria in these areas.
By type of institution, surveyed G-SIFIs are more advanced than other financial institutions in defining the responsibilities of the board and risk committee, conducting independent assessments of risk governance, providing relevant information to the board and risk committee, and to some extent more advanced in the risk management function.
These results support the finding that the firms in the regions hardest hit by the financial crisis have made the most progress.
Meanwhile, supervisory evaluations of firms that reside in EMDEs show that nearly 65 per cent did not meet all of the criteria for the risk management function.
These gaps need immediate attention by both supervisors and firms.
Other significant findings coming out of the review include the following:
• National authorities do not engage on a sufficiently regular and frequent basis with the board, risk committee and audit committee. Several jurisdictions hold such meetings only once a year or on an as-needed basis.
• Good progress has been made toward elevating the CRO's stature, authority, and independence. In many firms, the CRO has a direct reporting line to the chief executive officer (CEO) and a role that is distinct from other executive functions and business line responsibilities (e.g., no "dual-hatting"). This elevation, however, needs to be supported by the involvement of the risk committee in reviewing the performance and setting the objectives of the CRO, ensuring that the CRO has access to the board and risk committee without impediment (including reporting directly to the board/risk committee), and facilitating periodic meetings with directors without the presence of executive directors or other management.
• More work is needed on the part of both national authorities and firms on establishing an effective risk appetite framework (RAF). Assessing a firm's RAF is a challenging task that requires greater clarity and an elevated level of consistency among national authorities.
• Supervisory expectations for the independent assessment of internal control systems by internal audit or other independent function were well-established prior to the crisis. As such, this is an area that demonstrated relatively sound practices across the FSB membership at both national authorities and firms. However, no jurisdiction had specific expectations for internal audit to periodically provide a firm-wide assessment of risk management or risk governance processes.
• Nearly all firms have an independent chief audit executive (CAE) who reports administratively to the CEO and the audit committee chair and who directly reports audit findings to a permanent audit committee. However, there is still room for improving the CAE's access to directors beyond those on the audit committee.
Drawing from the findings of the review, including discussions with industry organisations as well as risk committee directors and CROs of several firms that participated in the review, the report identifies some of the better practices exemplified by national authorities and firms to collectively form a list of sound risk governance practices.
It also draws on some of the relevant principles and recommendations for risk governance published by other organisations and standard setting bodies.
No one single authority or firm, however, demonstrated all of these sound practices.
This integrated and coherent list of sound practices aims to help national authorities take a more holistic approach to risk governance, rather than looking at each facet in isolation, and may provide a basis for consideration by authorities and standard setting bodies as they review their guidance and standards for strengthening risk governance practices.
The review sets out several recommendations to ensure the effectiveness of risk governance frameworks continues to improve by targeting areas where more substantial work is needed.
While the review focused on banks and broker-dealers that are systemically important, these recommendations apply to other types of financial institutions, including insurers and financial conglomerates.
Recommendations:
1. To ensure that firms' risk governance practices continue to improve, FSB member jurisdictions should strengthen their regulatory and supervisory guidance for financial institutions, in particular for SIFIs, and devote adequate resources (both in skills and quantity) to assess the effectiveness of risk governance frameworks.
In particular, national authorities should consider the following sound risk governance practices:
i. Set requirements on the independence and composition of boards, including requirements on relevant types of skills that the board, collectively, should have (e.g., risk management, financial industry expertise) as well as the time commitment expected.
ii. Hold the board accountable for its oversight of the firm's risk governance and assess if the level and types of risk information provided to the board enable effective discharge of board responsibilities. Boards should satisfy themselves that the information they receive from management and the control functions is comprehensive, accurate, complete and timely to enable effective decision-making on the firm's strategy, risk profile and emerging risks. This includes establishing communication procedures between the risk committee and the board and across other board committees, most importantly the audit and finance committees.
iii. Set requirements to elevate the CRO's stature, authority, and independence in the firm. This includes requiring the risk committee to review the performance and objectives of the CRO, ensuring the CRO has unfettered access to the board and risk committee (including a direct reporting line to the board and/or risk committee), and expecting the CRO to meet periodically with directors without executive directors and management present. The CRO should have a direct reporting line to the CEO and a distinct role from other executive functions and business line responsibilities (e.g., no "dual-hatting"). Further, the CRO should be involved in activities and decisions (from a risk perspective) that may affect the firm's prospective risk profile (e.g., strategic business plans, new products, mergers and acquisitions, internal capital adequacy assessment process, or ICAAP).
iv. Require the board (or audit committee) to obtain an independent assessment of the design and effectiveness of the risk governance framework on an annual basis.
v. Engage more frequently with the board, risk committee, audit committee, CEO, CRO, and other relevant functions, such as the CFO, to assess the firm's risk culture (e.g., the "tone at the top"), whether directors provide effective challenge to management's proposals and decisions, and whether the risk management function has the appropriate authority to influence decisions that affect the firm's risk exposures.
2. The relevant standard setting bodies (e.g., BCBS, IAIS, IOSCO, OECD) should review their principles for governance, taking into consideration the sound risk governance practices listed in Section V.
3. Risk culture plays a critical role in ensuring effective risk governance endures through changing environments. The FSB Supervisory Intensity and Effectiveness group has agreed to implement the recommendation from the 2012 FSB progress report on enhanced supervision to explore ways to formally assess risk culture, particularly at G-SIFIs. This work should be completed by September 2013.
4. To improve their ability to assess firms' progress toward more effective risk management, national authorities should provide guidance on the key elements that are incorporated in effective risk appetite frameworks. To enable firms to define frameworks with a minimum amount of comparability despite their firm-specific nature, a common nomenclature for terms used in risk appetite statements (e.g., "risk appetite", "risk capacity", "risk limits") should be established. The FSB Supervisory Intensity and Effectiveness group, in collaboration with relevant standard setters, has agreed to finalise this work by the end of 2013.
5. The FSB should consider launching a follow-up review on risk governance after 2016 (i.e., after the G-SIFI policy measures begin to be phased in), to assess national authorities' implementation of the recommendations to strengthen their supervisory guidance and oversight of risk governance. The review also should include the G-SIFIs identified in 2014 by the FSB in collaboration with the BCBS and IAIS.
I. Introduction
Increasing the intensity and effectiveness of supervision to reduce the moral hazard posed by SIFIs is a key component of the FSB's policy measures, endorsed by G20 Leaders.
Since the onset of the global crisis, supervisors have intensified their oversight of financial institutions, particularly SIFIs, so as to reduce the probability of their failure.
Specifically, supervisory expectations of risk management functions and overall risk governance frameworks have increased, as this was an area that exhibited significant weaknesses in many financial institutions during the global financial crisis.
While supervisors are responsible for assessing whether a firm's risk governance framework and processes are adequate, appropriate and effective for managing the firm's risk profile, the firm's management is responsible for identifying and managing the firm's risk.
In October 2011, the FSB agreed to conduct a thematic peer review on risk governance to assess progress toward enhancing practices at national authorities and firms (banks and broker-dealers).
For purposes of this review, risk governance collectively refers to the role and responsibilities of the board, the firm-wide CRO and risk management function, and the independent assessment of the risk governance framework (see Chart 2).
• Board responsibilities and practices: The board is responsible for ensuring that the firm has an appropriate risk governance framework given the firm's business model, complexity and size, which is embedded into the firm's risk culture. How boards assume such responsibilities varies across jurisdictions.
• Firm-wide risk management function: The CRO and risk management function are responsible for the firm's risk management across the entire organisation, ensuring that the firm's risk profile remains within the risk appetite statement (RAS) as approved by the board. The risk management function is responsible for identifying, measuring, monitoring, and recommending strategies to control or mitigate risks, and reporting on risk exposures on an aggregated and disaggregated basis.
• Independent assessment of the risk governance framework: The independent assessment of the firm's risk governance framework plays a crucial role in the ongoing maintenance of a firm's internal controls, risk management and risk governance. It helps a firm accomplish its objectives by bringing a disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. This may involve internal parties, such as internal audit, or external resources such as third-party reviewers (e.g., audit firms, consultants).
The peer review did not focus on other relevant dimensions of risk governance, such as risk disclosures and firm-wide compensation practices (since these areas have been covered by previous FSB peer reviews) or risk data aggregation capabilities at banks (since this topic is being covered by a task force of the BCBS).
Separately, the International Association of Insurance Supervisors (IAIS) launched a peer review at the end of 2012 against its Core Principles on governance and risk management and internal controls.
There is currently no single set of principles and standards that comprehensively addresses and integrates risk governance requirements; however, a number of different standards and recommendations on good governance frameworks are relevant.
The review therefore did not assess compliance with any specific standard, but used a compilation of existing standards and recommendations (as appropriate) to take stock of risk governance practices at both national authorities and firms, and to identify any gaps therein.
Supervisors were asked to evaluate firms' progress and the review team developed high-level criteria to provide some consistency to this exercise.
The findings of the review were based on the responses to questionnaires from FSB member jurisdictions and from the 36 banks and broker-dealers that FSB members deemed as significant for the purpose of the review.
Section II takes stock of national authorities' initiatives to strengthen oversight of firms' risk governance frameworks and describes the range of supervisory practices in four broad areas:
(1) The board and its committees;
(2) The firm-wide risk management function, including the CRO;
(3) The independent assessment of the firm-wide risk management framework by internal audit and/or third parties; and
(4) The supervisory assessment of risk governance frameworks.
Section III examines risk governance practices at surveyed firms and the changes made since the financial crisis.
In addition to the responses to the questionnaire, the findings draw on the outcomes of discussions with industry organisations as well as risk committee directors and CROs of several firms that participated in the review.
National supervisors were asked to assess firms' progress toward enhancing key risk governance functions, as well as the accuracy and completeness of the responses provided by firms headquartered in their jurisdiction.
Section IV sets out the conclusions and recommendations drawn from the findings of the review, which is followed by a list of sound risk governance practices that encompass an overlay of supervisory expectations for sound practices at firms.
II. National authorities' oversight of risk governance practices
Since the financial crisis, national authorities have increased their supervisory focus on risk governance, which is a critical element for promoting a more resilient financial system.
Underpinning the range of reforms is the issuance in 2010 of the BCBS Principles for Enhancing Corporate Governance and the OECD publication on Corporate Governance and the Financial Crisis – Conclusions and Emerging Good Practices.
Some of the notable changes embedded in regulatory and supervisory guidance include:
• introducing explicit requirements for the establishment of a risk committee;
• conveying expectations to strengthen the risk management function, including the stature and qualifications of the CRO;
• introducing additional requirements for risk governance at SIFIs;
• enhancing the mandate and resources of supervisory authorities in relation to risk governance oversight;
• increasing the intensity of engagement between the supervisor and the board and senior management on risk governance issues; and
• adjusting the supervisory risk assessment process, particularly increasing the focus on risk governance across different business models.
Annex C provides more details on the initiatives FSB members have taken to strengthen oversight of risk governance practices, including implementation of other relevant principles such as the FSB principles for sound compensation practices and recommendations put forward in the 2009 report by the Senior Supervisor Group (SSG) on risk management practices during the financial crisis.
While supervisory guidance has improved, progress has been uneven across the functions that collectively form the risk governance framework.
Based on the findings from the review, some areas where more supervisory requirements and/or guidance would be useful include:
• A clear definition of independence that is separate from that of a non-executive director;
• The establishment of a stand-alone risk committee that is composed of independent directors;
• The level and types of risk information firms should provide as well as the frequency of risk reporting;
• The key features of an effective risk appetite framework to help supervisory evaluations; and
• The ways internal audit can provide feedback on whether a firm's risk governance processes are keeping pace with trends and/or align with best practices.
The next four sub-sections summarise existing supervisory expectations for the three key risk governance functions and examine authorities' approaches to assessing the implementation of supervisory expectations.
1. The board and its committees
Regulatory and supervisory guidance specifying the role and responsibilities of the board is prevalent across the FSB membership, including among other things for risk governance.
A key responsibility of the board is to approve the firm's overall business strategy and RAF.
As such, the board has ultimate responsibility for the firm's risk management, including setting the risk culture of the firm and overseeing management's implementation of the agreed business strategy.
To ensure that boards are focused on the higher-level strategic and risk issues, supervisors are engaging more frequently with the board, in particular with independent directors.
The definition of what constitutes effective risk governance is evolving; however, supervisors highlight the importance of the board setting the "tone at the top" in regard to the firm's strategy and risk culture and challenging management on adherence to the agreed risk appetite.
1.1 Board composition
The leadership structure to oversee the firm's risk management varies across jurisdictions.
Most jurisdictions require the establishment of a permanent audit committee, which has a longer history than other board sub-committees, driven by requirements from securities regulators to provide assurance as to the quality of the financial information provided by registered financial institutions.
As such, more specific regulatory and supervisory requirements for the composition and independence of the audit committee are set out than for the risk committee.
For example, a number of jurisdictions require the audit committee to comprise a majority of independent or non-executive directors, several jurisdictions require the audit committee chair to be independent (or in some cases a non-executive), and in a few jurisdictions the participation of the chair of the board is restricted.
The establishment of a stand-alone risk committee is less prevalent and the requirement typically applies to large, complex financial institutions (e.g., firms with many legal entities and/or cross-border operations).
Where stand-alone risk committees exist, several jurisdictions require risk committee members to have expertise in risk-related disciplines and only a few jurisdictions require a minimum number of independent directors.
In Hong Kong, however, forthcoming changes will require all, or the majority, of the members of the risk committee to be non-executive directors.
Annex D provides further details on the regulatory and supervisory guidance for the composition of the board and sub-committees, but some of the key features include:
• Independence: Many jurisdictions have established general requirements concerning the independence of the board to ensure that there is objective judgement and decision-making on the board.
Many jurisdictions also set out quantitative minimums for the number of independent directors on the board.
Some other jurisdictions only set quantitative minimums for the number of non-executive directors, which does not necessarily ensure independent judgement on the board.
• Expertise: Regardless of the board structure, the board needs to comprise members who collectively bring a balance of expertise, skills, experience and perspectives while exhibiting the objectivity to ensure decisions are based on sound judgement and thoughtful deliberations.
Many jurisdictions conduct periodic reviews of the performance, training and skills needed in the board and risk committee.
Requiring specific skills for all directors is a common practice (usually subsumed in "fit and proper" tests), and such requirements typically include relevant knowledge, experience and skills in finance and/or business.
Several jurisdictions not only look at individual qualifications but also take a holistic view of the board, examining its collective skills and qualifications.
In addition to having certain skills and qualifications, some jurisdictions require directors to have the capacity to dedicate sufficient time and
energy in reviewing information and developing an understanding of the key issues related to the firm's activities.
1.2 Governance of the board
For the board to effectively supervise and manage the firm's adherence to the agreed business strategy and risk appetite, directors should be provided with, and have access to, comprehensive information about the firm's risks.
This involves ensuring there are communication and reporting procedures across board sub-committees, and several national authorities set out such requirements in their guidance (see Annex E).
However, there is little supervisory guidance provided on the level and types of risk information firms should provide as well as the frequency of risk reporting.
Importantly, the risk management reports provided to the board should contribute to sound risk management and decision-making.
The board and its committees, however, should not just rely on the information that management reports provide.
They should consider if there is a need for additional risk-related information, which should be made available to them when needed.
Only a few jurisdictions, however, require the board to have such access.
2. The firm-wide risk management function
Since the financial crisis, national authorities have intensified their oversight of firms' risk management practices and raised their expectations for what is considered strong risk management, which is integral to the core business of a financial institution.
The failure to have a strong, independent risk management function can lead to ill-informed boards and senior management teams as well as imprudent decisions.
The risk management function should be responsible for the firm's risk management framework across the entire organisation, ensuring that the firm's risk limits are consistent with the RAS and that risk-taking remains within those limits.
Stress tests and scenario analyses are viewed as a useful tool for identifying firms' vulnerabilities and developing risk management strategies to address the risks identified.
To fulfil these responsibilities, risk management functions should be led by an influential and highly effective CRO.
2.1 Governance of the risk management function
Supervisors have increased their expectations for the risk management function and are evaluating the CRO's stature, authority, qualifications, and independence within the firm.
As the crisis demonstrated, these are prerequisites for the CRO to be able to influence the firm's risk-taking activities directly and through the risk management function, and to effectively inform the board as risks evolve, are identified, and are taken.
Annex F provides more information on the governance around the risk management function, but some supervisory practices regarding the CRO function include:
• Independence: Most jurisdictions require the CRO and/or risk management function to be independent; that is, to have a distinct role from the other executive functions, revenue-generating functions and business line responsibilities.
• Stature: The CRO and risk management function should have sufficient stature in the organisation to influence the firm's risk-taking activities.
In this regard, some jurisdictions have supervisory guidance that requires the CRO to report and have direct access to the board.
To elevate the CRO's stature, Singapore expects the dismissal of the CRO to be approved by the board.
• Authority: To effectively fulfil its role, many jurisdictions require the CRO to have the authority to influence decisions that affect the firm's exposure to risk, and several jurisdictions set out explicit expectations for the CRO to be able to challenge management's recommendations and decisions and communicate directly with senior management and with the board.
• Qualifications: "Fit and proper" tests are commonly used to assess the qualifications and competencies of the CRO in many FSB member jurisdictions.
In addition, the appointment of the CRO is approved by authorities in China, Germany (if the CRO is a member of the management board), and Singapore, while the United Kingdom interviews CRO candidates.
Many jurisdictions evaluate the CRO through their on-going supervisory processes.
2.2 Risk appetite framework
Assessing a firm's RAF is a challenging task that requires greater clarity and an elevated level of consistency among national authorities.
At the core of the RAF is the firm's RAS, which has become an effective tool for enhancing the discussions between supervisors and boards about the firm's strategic direction in terms of risk taking.
However, a key challenge toward assessing the effectiveness of a firm's RAS is a lack of common terminology for risk appetite, risk profile, and risk capacity used within firms, across firms and across national authorities.
This is an area that is developing in many jurisdictions; for instance, India, Russia and Saudi Arabia have looked at risk appetite only in the context of the BCBS ICAAP, while in Canada, France and the United States, separate processes are continuing to be put in place to assess firms' RAFs, often drawing on assessment criteria outlined in the work of the SSG.
Supervisory reviews are underway in Canada of firms' integration of their RAF with the strategic, financial and capital planning processes and compensation practices.
In Hong Kong, firms' risk appetite is reviewed from an integrated firm-wide perspective taking into account all risks (financial and non-financial).
The supervisor determines whether the firm's RAS is comprehensive and includes the appropriate risk targets that are consistent with each other.
The supervisor will also determine whether the RAS has a wide range of measures and actionable elements and whether robust procedures and controls are in place for the setting and monitoring of the agreed risk appetite.
National authorities in Singapore assess annually firms' link between risk appetite, strategic objectives, capital planning and operational budget planning.
Supervisors also review the firm's progress in the translation of risk appetite into limits and triggers by risk type, as well as their monitoring and reporting procedures.
In Switzerland, supervisors regularly review the risk limit frameworks and there must be an established link between the limits and the strategy.
2.3 Stress testing
The objective of stress tests and scenario analyses is to assess the unanticipated losses that a firm may incur under certain stress scenarios
and the impact that may have on its business plans, risk management strategies or capital plans.
The use of stress tests in firms' risk governance and capital planning has increased in recent years, with the results serving as an input into the firm's strategic decision-making.
As firms are increasingly linking stress test results to risk appetite, ICAAP, contingency planning, and recovery and resolution plans, supervisory approaches to stress testing are evolving accordingly.
In Canada, supervisors assess whether chosen scenarios are appropriate for the portfolio of the institution, including severe shocks and periods of severe and sustained downturns, and where relevant, an episode of market turbulence or a shock to market liquidity, and whether the frequency and timing of stress testing is sufficient to support timely management action.
Similarly, supervisors in Hong Kong assess the coverage of stress tests and the types of stress scenarios and parameters chosen in relation to the firm's risk tolerance, overall risk profile and business plan; appropriateness of assumptions; adequacy of policies and procedures; the adequacy of the firm's contingency planning for action to be taken should a particular stress scenario happen; the level of oversight exercised by the board and senior management on the stress-testing program and results generated; and the adequacy of the firm's internal review and audit of its stress-testing program.
Indeed, supervisory attention now includes both the outcomes of stress tests and the effectiveness of the firms' stress testing processes.
For instance, Singapore, Switzerland and the United Kingdom have dedicated teams to review stress testing practices at firms, and China, Germany, and Hong Kong expect firms' internal audit functions to assess the effectiveness of risk management systems in general, including stress tests.
3. Independent assessment of firms' risk governance framework
Strong internal control systems are a key element of sound risk governance.
The board is responsible for overseeing the implementation of an effective risk governance framework, and as such, should directly oversee the independent assessment process.
An assessment that is independent from the business unit and the risk management control function can assist the board in judging whether the risk governance framework, internal controls and oversight processes are operating as intended.
This may be performed by internal audit or by third parties such as audit firms or consultants.
Regardless of the approach, it is critical that the assessment result in an overall opinion on the design and effectiveness of the risk governance framework and be performed by individuals with the skills needed to produce a reliable assessment.
Currently, audit functions at only a few firms provide overall opinions regarding the risk governance framework.
3.1 Internal audit
Across the FSB membership, regulatory or supervisory expectations exist for internal audit.
Annex G provides a comparison of key regulatory and supervisory expectations with the most notable elements, including:
• Independence: Nearly all jurisdictions require firms to have a permanent internal audit function that is independent from business lines, support functions (e.g., treasury, legal), and risk management.
Firms are also required to explicitly link the independence of internal audit to auditor compensation or career plans.
Regardless of the direct reporting lines, most jurisdictions expect internal audit to have unfettered access to the board when reporting internal audit results.
• Stature: Several jurisdictions expect internal audit to report directly to the board, a committee thereof, or an independent director.
The direct reporting relationship involves the responsible party determining the CAE's compensation, completing the CAE's annual performance evaluation, approving the CAE's budget, and/or otherwise ensuring the CAE is not unduly influenced by the CEO or other members of the management team.
While the CAE may report to the CEO on day-to-day administrative matters, all substantive decisions regarding the CAE and internal audit function are made at the board level.
In Singapore, Hong Kong, and Indonesia, the dismissal of the CAE requires the audit committee's approval.
• Qualifications: All FSB members have established requirements or expectations for the CAE and internal audit staff to have the skills necessary to effectively carry out their duties.
Supervisory assessments generally consider the technical knowledge, experience, and character of individuals within the internal audit function.
• Scope, coverage, and frequency: Many jurisdictions expect internal audit to assess and/or opine on risk management or risk governance processes, as well as internal controls.
Expectations for the scope, coverage, and frequency of such assessments vary widely.
However, almost all jurisdictions expect internal audit to assess the organisation and mandates of the risk management function(s) and the adequacy of systems and processes for assessing, controlling, responding to, and reporting the firm's risks.
No jurisdiction indicated that it expects internal audit to periodically provide a firm-wide assessment of risk management or risk governance processes.
• Risk appetite framework: Many jurisdictions expect internal audit to assess compliance with the board-approved risk appetite.
In the United Kingdom, internal audit is expected to ensure that procedures are in place to report breaches in the firm's risk appetite to the board.
• Benchmarking: Most jurisdictions indicate that internal audit should be aware of industry trends/best practices and that auditors should consider such knowledge when conducting their work.
However, no jurisdiction had specific expectations for internal audit to opine on whether a firm's risk governance processes are keeping pace with trends and/or align with best practices.
• Remediation process: There is a wide range of expectations for internal audit to follow up on remedial actions to address material deficiencies, and several jurisdictions expect internal audit to report the results of its follow-up activities to the board.
Nearly all jurisdictions indicated that they require some form of follow-up and reporting.
• Chief audit executive: All jurisdictions indicate that supervisors consider the CAE's performance when assessing the quality of internal audit.
Such assessments may be performed off-site, within on-site inspections, and/or through regular meetings with the CAE and internal audit staff.
In Saudi Arabia, the appointment of the CAE requires a "no objection" from the central bank, and in Indonesia, banks are required to report to bank supervisors the appointment and dismissal of their CAE.
3.2 Third parties
Employing third parties could help to enhance the quality of firms' independent assessments by providing an unbiased opinion of a firm's risk governance framework, as many internal audit functions are staffed with individuals whose experience may be limited to the practices employed by one or two firms.
In addition, third parties often have a broader understanding of leading industry practices, especially in highly technical areas.
Most jurisdictions allow the use of third parties to assess a firm's risk governance framework, and in China and the Netherlands, the external auditor also assesses the effectiveness of the internal audit function.
Many jurisdictions appropriately stipulate through regulation or guidance that:
(i) The use of a third party does not relieve the board or management of ultimate responsibility for ensuring the reliability of the independent assessments, and
(ii) Large and complex firms should not become overly reliant on third parties to provide expertise that should be developed within the firm's internal audit function.
France specifically requires that outsourcing arrangements be engaged and overseen by internal audit to ensure independence and that internal audit maintains accountability for the scope, coverage, and frequency of work.
Several jurisdictions, however, restrict the use of third parties.
For instance, in Italy, internal audit work can be outsourced only by small credit institutions with limited operational complexity.
Meanwhile, in South Africa the central bank must approve any outsourcing activity, and in Korea, the use of third parties to assess a firm's risk governance framework is not regulated.
4. Supervisory approaches toward assessing risk governance frameworks
Supervisors play a crucial role in assessing the adequacy of a firm's risk governance framework and the practices employed by a firm to independently assess its framework.
Supervisory expectations for risk governance practices outlined above are generally set out within the legal framework through a combination of legislation, regulation and supervisory guidance; however, the approach varies considerably across jurisdictions.
Australia and Canada complement their standards with written guidance provided to the industry to assist with the implementation of prudential requirements and adoption of good practices.
Supervisory approaches toward assessing implementation of regulatory or supervisory guidance encompass a variety of steps (e.g., on-site inspections, off-site reviews, horizontal reviews).
Supervisory assessments generally occur at least once a year across the FSB membership, though in Argentina assessments take place every 18 months and the United Kingdom is moving from a bi-annual assessment toward a system of continuous supervision.
Several jurisdictions take a risk-based approach to on-site examinations, focusing on riskier institutions.
In the United States, national authorities have on-site teams with expertise to assess the governance practices at the largest and most complex banks on a real time basis.
In China, joint regulatory meetings are held on a regular basis between the firm's head office, its branches, and the regulatory authority where the branches are located.
Meetings with directors and senior management provide another avenue for national authorities to assess firms' risk governance practices.
Annex H provides more information on the approaches taken to assessing firms' risk management frameworks.
Supervisors receive a wide range of risk reports or information from firms on their risk management practices, including from external auditors or other third parties as well as supporting documentation requested during on-site inspections.
Standardised financial and risk reporting is a common practice; however, the types of reports or information provided vary.
For instance, in Argentina, new reporting requirements will request quantitative measures for risk governance and formal exposure limits for each of the significant risks and stress test information; in Hong Kong and elsewhere, regular prudential reporting data and ad hoc requests for peer group analysis are utilised, e.g., stress test capital analysis and horizontal credit reviews of common (problem) loan accounts; and in Canada and Singapore, supervisory teams work with risk specialists to identify trends that can trigger additional investigations or reviews.
National authorities have access to a broad set of supervisory tools to incentivise firms to remediate deficiencies within their risk governance framework, depending on the severity of the deficiency.
These tools include moral suasion, capital surcharges, restrictions on certain business activities, imposing fines and penalties, and the ultimate penalty of withdrawing bank licences.
While a large number of supervisory authorities can use a number of these tools, a few have limited supervisory powers to scale the sanction based
on the severity of the infraction, raising concerns over their ability to effectively intervene early where necessary when risks start to surface.
Moreover, even though some national authorities have the authority to impose fines, this is difficult to implement in practice, for instance, due to cumbersome processes or supervisors lacking the will to act.
III. Firms' risk governance practices
The financial crisis spurred fundamental changes in risk governance practices at financial institutions, and in many cases, surveyed firms are ahead of regulatory and supervisory guidance.
In general, surveyed firms that were most affected by the crisis have made the greatest advancements, perhaps necessitated by a need to re-gain market confidence.
Firms that were less troubled by the crisis, however, have increased the intensity of the measures that they had in place pre-crisis.
Some of the most obvious changes include:
• Consolidating and raising the profile of the risk management function across banking groups through the establishment of a group CRO, increasing the stature and authority of the CRO and increasing the CRO's involvement in relevant internal committees.
• Changing the reporting lines of the risk management function so that the CRO now reports directly to the CEO while also having a direct link to the risk committee.
• Intensifying the oversight of risk issues at the board through creation of a stand-alone risk committee, supported by greater links with the risk management function and other risk-related board committees, particularly audit and compensation committees.
Cross-membership of the audit committee and risk committee is now quite common, with some firms involving (or at least inviting) the chair of the board, even the full board, onto the risk committee.
The time commitment of independent directors has increased considerably over the past several years.
• Upgrading the skills requirements of independent directors on the risk committee and expecting these members to commit more time to these endeavours.
The composition of boards has changed considerably with many non-executive directors now having financial industry experience; the dominance of members from industrial companies or major shareholders is much less than a decade ago.
• Changing the attitude toward the ownership of risk across the firm with the business line now being much more accountable for the risks created by their activities than previously.
In addition to changing the composition and improving the strength of the board, there have been major developments in how firms analyse risks and the associated tools utilised such as RAFs, stress tests and reverse stress testing.
One of the key lessons from the crisis was that reputational risk was severely underestimated; hence, there is more focus on business conduct and the suitability of products, e.g., the type of products sold and who they are sold to.
As the crisis showed, consumer products such as residential mortgage loans could become a source of financial instability.
The next four sub-sections summarise the findings from the surveyed firms regarding the three key risk governance functions and provide a summary of the supervisory evaluations of firms' progress.
1. The board and its committees
The board is responsible for ensuring that the firm has an appropriate risk governance framework that is commensurate with the firm's strategy, complexity and size.
The board's role and responsibilities for risk governance are generally defined in the board's charter and include approval of the firm's strategy and overseeing its implementation, setting out the guidelines and policies for risk management, and ensuring the firm's internal controls are robust.
The board is also responsible for formulating the mandate and responsibilities of its committees such as the risk and audit committees.
For instance, audit committees should ensure business units have effective remediation plans to address any control weaknesses noted by internal audit.
Some firms have developed a Corporate Governance Framework or Code where all rules regarding the roles, responsibilities and oversight functions of the board are assembled.
Establishing an enterprise or firm-wide risk management framework can help to provide an overview of risk policy architecture and process.
Having a stand-alone risk committee is a common practice even though it is not required by all national authorities.
Firms generally ensure that the risk committee, which is responsible for overseeing senior management's implementation of the risk strategy, covers all the risks faced at the firm-wide level, including financial risks as well as operational, compliance, legal and regulatory risks.
Regular meetings are held with senior management and the CRO to discuss performance of the business unit and compliance with the RAS and risk limits.
Material risks are presented and discussed on both an aggregate basis and by type of risk.
A few firms, however, noted the challenge of aggregating risks due to the complexity of the organisation, underscoring the importance of risk committees addressing information challenges arising from the complexity of large firms.
An effective governance structure has measures to prevent concentration of power and responsibility, such as requiring a number of independent directors, representation of certain skills and qualifications on the board, and the board regularly evaluating its effectiveness.
It is common for boards to have independent directors; some firms establish minimum quantitative requirements, ranging from a minimum of one-third to three-quarters of the board.
Most firms provide a definition of independence in the board's charter, which is embedded in the firm's governance framework.
The risk committee often comprises only independent directors.
There is a wide range of practice regarding the qualifications for members of the board and risk committee; one firm highlighted that the skills required by the board are evolving, in part reflecting the risks taken by the firm.
Some firms perform a matrix analysis of the experience and expertise of each director to identify skills needed from incoming directors.
There is also a wide range of practice involving limitations linked to board structure, including:
(i) The preclusion of the chair of the board from being chair of either the risk or audit committee;
(ii) The separation of the roles of the CEO and chair of the board; and
(iii) Limited tenure on a committee.
Periodic reviews of the performance of the board and risk committee are a common practice.
Reviews are conducted by the board nomination or governance committees or by the entire board.
In some cases, external parties may be employed. Such reviews may include an assessment of training and skills needed on the board.
In some firms, the board considers the functioning of its overall committee structure, including the number and types of committees and the highest and best use of board members' expertise.
They also evaluate the reporting by the committees to the full board.
The board and risk committee are able to receive information, both formally and informally, directly from the CRO or the risk management function.
It is becoming a common practice for the CRO to report information directly to the board; the risk reports are usually standardised in terms of formality, frequency and content.
Both the overall risk level of the firm and information for each risk type are included in the reporting template (e.g., a heat map of identified risk categories across regions, global business, and a report with the top and emerging risks faced by the firm).
Some firms explicitly define and document the information that the board and risk committee shall receive, set the agenda at the beginning of the year, and circulate to members in advance of meetings the relevant material to support the agenda item.
Some firms require internal audit, or a third party, to verify the accuracy, comprehensiveness and completeness of information provided to the board and risk committee.
Other firms satisfy themselves through discussions with management or conduct self-assessments of the effectiveness of the information provided to the board.
2. The risk management function
Since the financial crisis, many firms have improved risk management.
Some of the most obvious changes relate to the governance processes around the risk management function; there also have been major changes in how risks are analysed and communicated and the associated tools that are utilised.
2.1 Governance of the risk management function
Since the financial crisis, many firms have strengthened how their risk management functions are structured, resourced, compensated, who the function is accountable to as well as its overall mandate.
In many ways, these changes are bringing the governance arrangements for the risk management function up to the standard that has typically applied to the internal audit function for several years.
Firms are therefore encouraged to at least consider the validity of any remaining differences in governance processes that surround the two functions.
One of the most common improvements made by firms over the past five years has been to consolidate and raise the profile of the risk management function through the establishment of a group-wide CRO.
The CRO and the risk management function generally have been given more stature, authority and independence compared to the pre-crisis period.
Almost all firms reported that they now have a CRO with firm-wide responsibility for risk management who operates independently.
Assessment of the CRO's stature, authority and independence includes the process for appointment, dismissal and performance evaluation of the CRO as well as the staffing requirements of the risk management function more generally.
Only a few firms noted that the chair of the risk committee is involved in the performance assessment of the CRO.
Further, only a few firms link the adequacy and qualifications of the risk management staff to an annual process that takes into consideration the strategy of the firm going forward.
Most firms noted that the CRO has a direct reporting line to the CEO (versus another business unit) which represents a major improvement since the crisis.
However, there are still examples cited at a small number of firms where the CRO does not have a direct reporting line to the CEO.
A few firms require the CRO to have a direct reporting line to the board, which helps to boost the stature of the CRO.
A large number of firms also noted that their CRO is able to "access" the board, generally through the risk committee, but it is unclear how this is done in practice.
Almost all firms operate with a CRO who is separate from revenue-generating responsibilities or other executive functions (that is, "dual-hatting" of the CRO's responsibilities is avoided). Such a structure is essential for the CRO's independence.
This separation of responsibilities has been reinforced by many firms re-structuring their risk management functions under a group-wide CRO, with regional or business line CROs having a direct reporting line to the group CRO, rather than to the regional or business line heads as had occurred in the past.
To preserve the independence intended from such structures, "dual-hatting" of responsibilities should also be avoided for those senior positions in the risk management function that report to the group CRO, particularly at globally active, complex firms.
At some firms, the CRO reports to the CFO or, in a few exceptional cases, one person assumes the responsibilities of both the CRO and CFO.
In addition, there are instances at some firms where the CRO is assigned other functional, albeit non-revenue generating, responsibilities.
Where this relates to the oversight of functions such as compliance and anti-money laundering, the concern is more about the risk of over-burdening the CRO, particularly in more complex, global institutions, than the potential for conflict of interest per se.
Indeed, much progress has been made toward elevating the stature and independence of the CRO.
While the role of the CRO has broadened and includes involvement in a number of key processes and internal committees that require inputs from the risk management function, other important processes warrant greater participation of the CRO, such as:
• Mergers and acquisitions. While the analysis of a proposed merger or acquisition would be submitted to the board or a committee for approval, the CRO generally takes part in the process as a member of the committee.
Only a few firms require the CRO to prepare a formal risk opinion on planned mergers and acquisitions.
• Strategic planning process. Traditionally, the CRO is responsible for the oversight of the existing risk profile of the firm and of those risks being taken on a day-to-day basis as a result of previous business decisions.
However, as indicated above, the CRO should also become increasingly involved, in a more proactive manner, in the activities and plans that deal with prospective business risk, including those risks which may arise from the execution of the firm's strategic business plan.
The CRO should be involved in this process, from a risk perspective, by interacting with senior management and the board, understanding strategic business plans, and formally opining on the prospective risk profile and whether or not the firm has the necessary resources and systems to accommodate the resulting exposures.
If such resources are not available, then space in the strategic plan should be created to ensure proper risk controls.
• Treasury function. Some firms have clearly defined the roles and responsibilities of the CRO regarding oversight of a firm's treasury function.
However, there is a range of practice surrounding the organisational relationship between these two functions:
(i) The independent liquidity risk control function has responsibility for the management and control of liquidity risk and that function reports directly to the CRO;
(ii) The CRO participates as a voting member of the relevant management committee (typically the asset and liability management committee), with no specific role for the CRO defined; or
(iii) The CFO alone is responsible for the treasury function without any oversight from the CRO in the risk management process.
2.2 Risk management tools
Two key additions to risk management tools have been (i) the development of RAFs and (ii) more robust and severe stress testing practices.
Related to this, and given the underestimation of reputational risk pre-crisis, there now is much greater focus within many firms on business conduct and the suitability of products, e.g., the type of products sold and to whom they are sold.
The RAF is an increasingly important tool in centralising the focus on the firm's risk profile and providing a more integrated picture of the firm's risks.
Firms indicated a good degree of understanding of the key elements, objectives and uses of RAFs, which are generally in line with recent studies such as the 2010 SSG report on developments in risk appetite frameworks and IT infrastructure.
Key features of a risk appetite framework (RAF)
• RAFs help drive strategic decisions and right-size a firm's risk profile.
• RAFs establish an explicit, forward-looking view of a firm's desired risk profile in a variety of scenarios and set out a process for achieving that risk profile.
• RAFs include a risk appetite statement that establishes boundaries for the desired business focus and articulate the board's desired approach to a variety of businesses, risk areas, and in some cases, product types.
• The more developed RAFs are flexible and responsive to environmental changes; however, risk appetite is definitive and consistent enough to contain strategic drift.
• RAFs set expectations for business line strategy reviews and facilitate regular discussions about how to manage unexpected economic or market events in particular geographies or products.
Discussions with firms, however, reveal that there is significant variation in the perception of how much firms have progressed in the development, comprehensiveness and implementation of their RAFs.
One of the key challenges is different interpretations of essential elements, including risk appetite, risk limits, and risk capacity.
• Some firms were able to report significant progress and have had an RAF for several years (in some cases since before the crisis).
These firms' RAFs were linked to the firm's strategy and integrated with most other relevant internal processes such as budgeting, compensation plans, mergers and acquisition evaluations, new product approval, and stress testing.
These firms were able to report that the understanding of the RAF was widespread both across functional lines and within multiple layers of their firm.
They were also able to identify clear examples of how they had used their RAF in strategic decision-making processes, such as decisions to actively reduce the complexity of their operations.
That said, even at these firms, it was recognised that operationalising an effective RAF is a continual journey that needs to evolve with changes in internal processes and the external environment.
• A number of firms reported that their implementation of an RAF was more recent and, while it had been linked to the firm's strategy and integrated with some of the key internal processes, further work is envisaged, such as: linking the RAF with all the relevant internal processes; ensuring that qualitative as well as quantitative metrics are appropriately included; and, somewhat relatedly, broadening the RAF to cover those harder to quantify risks, such as operational, compliance and reputation risks.
• For other firms, their RAFs are at an early stage of development.
While they may have a high-level framework in place, numerous gaps exist.
For example, the coverage may not extend to all relevant subsidiaries in the framework because the risk appetite is not clearly articulated at the business level nor integrated with all the relevant internal processes.
Further, some RAFs are less developed in terms of including all the material risks the firm faces, particularly reputational and operational risks.
All firms surveyed considered risk limits to be the vehicle for operationalising the RAF at the business line level.
The communication and escalation process for any breaches seemed to be very similar across the firms surveyed: the risk management function was responsible for monitoring risk limits, metrics, and breaches, and escalating any concerns; business units have to explain breaches to the risk management committee or board depending on the nature and size of the exposure; the authorisation of exceptions was defined top-down; and action plans were required.
However, there were differences between firms in their approaches to departures from the RAF: some firms grant flexibility for a business line to depart from the RAF if the global risk appetite was not breached, whereas others give no flexibility for individual business lines to deviate from their business line risk limits.
Embedding the firm's agreed RAS into the firm's risk culture remains a challenge, but several approaches have been taken by firms.
A number of firms have developed training programs and manuals (with one firm requiring relevant employees to certify every year that they have attended the training program and read the manual), but only a few firms reported that they have linked core risk objectives to staff performance management processes.
Discussions with firms revealed that a key to creating incentives for a better risk culture in firms is to link risk objectives with either compensation or career advancement prospects.
Stress testing has become a common tool for firms.
The governance around group-wide stress testing typically involves firms developing their own historical and hypothetical scenarios, though national authorities can also set scenarios.
The CRO and risk management function generally have a central role, acting as the owner of the process or participating in the committee leading the effort.
The testing is conducted at least annually, and in many cases on a quarterly basis.
Stress test results are usually presented to the risk committee and sometimes to the national supervisor.
These processes appear to be furthest developed in AEs, and some also perform reverse stress testing and counterparty stress testing.
In contrast, some firms in EMDEs have not performed stress testing on an integrated basis or are still in the process of implementing their stress testing processes.
Most firms use the stress testing results for their budgeting, RAF and ICAAP processes and to set contingency plans against stressed conditions.
3. Independent assessment of firms' risk governance framework
3.1 Internal audit
Firms primarily rely on their internal audit functions to independently assess their risk governance frameworks.
In almost all cases, internal audit assesses the framework through a series of individual assurance audits, combined with some project-specific and other ongoing audit work.
A few internal audit functions demonstrate the better practice of providing an overall opinion of the risk governance framework on an annual basis.
In line with expectations established by national authorities, all of the firms' internal audit functions are organisationally separate from business lines and have unfettered access to the board.
Almost every firm reported that they have made changes to strengthen their internal audit functions since 2008.
Major changes include: appointing a CAE; establishing more attractive compensation plans and career paths for internal auditors; increasing both the number and skills of internal audit staff; expanding internal audit's role/responsibilities, including participating as an observer at risk management committees and decision-making processes; and enhancing business monitoring.
Internal audit's role and responsibilities are primarily established via an audit charter, with audit manuals detailing procedures for planning, executing, and reporting audit's work.
At all surveyed firms, internal audit is responsible for assessing risk management or risk governance processes as well as internal controls.
While national authorities' expectations vary, most internal audit functions also assess:
• The appropriateness of assumptions used in scenario analysis and stress testing,
• The degree to which the firm's risk governance is keeping pace with industry trends and aligns with best practices,
• The quality and adequacy of resources within the risk management function,
• The overall efficiency and integrity of risk management information systems, and
• The effectiveness of the risk and issue escalation process.
Most firms indicated that internal audit plays a role in monitoring whether the business and risk management units are operating according to the RAF.
However, some firms rely primarily on the independent risk management function for this assessment.
Internal audit's role is generally to test that practices align with the processes and procedures established in the RAF, though a few firms expect internal audit to also opine on the appropriateness of the limits and other tolerances established in the RAF.
Given that many RAFs are in the early stages of evolution, some firms noted that internal audit's role and responsibilities related to the RAF are still being defined and implemented.
Firms reported a wide range of practices with regard to the format and content of reporting to the board.
At several firms, the CAE provides regular reports to the board or audit committee, summarising the results of internal audit's work, including overall conclusions or ratings, key findings, material risks/issues, and follow-up of management's resolution of identified issues.
Meanwhile, some internal audit functions only provide the board or audit committee with a periodic synthesis of internal audit activity or a "report on audit reports", which does not seem sufficient to ensure the board can carry out its responsibilities within the risk governance framework.
3.2 Third parties
Approximately half of the firms that participated in the peer review indicated that they have used third parties to assess their firm's risk governance framework or components of the framework.
The rest of the firms indicated that they used third parties to provide perspectives and benchmarks related to regulatory expectations and industry best practices associated with risk governance frameworks, or significant aspects of those frameworks, with this information being used to promote upgrades in firm practices.
Such an approach was seen as helpful in meeting the continual challenge of developing and maintaining risk governance frameworks that keep abreast of changing legislative/regulatory environments along with an evolving economic and competitive landscape.
3.3 Escalation processes
All firms reported having internal policies, procedures, and/or processes to facilitate employees reporting concerns and issues within the firm.
These are in addition to external complaint and whistle-blower processes established by supervisors. Some firms described having processes tailored to different types of issues (e.g., issues impacting financial results and related disclosures versus general issues related to risk and/or control breakdowns).
• For sensitive information, most firms have established an internal "whistle-blowing" hotline and offer employees anonymity and other protections from negative consequences to the extent possible under the relevant laws of the jurisdiction.
• For non-sensitive information, processes generally involve employees reporting to a direct supervisor or senior manager within the business unit and/or to an individual within an independent risk, compliance, and/or audit function or legal department.
3.4 Evaluation of the effectiveness of the independent assessment
While there is no common practice for comprehensively evaluating the effectiveness of the independent assessment of the risk governance framework, most firms have several processes in place for assessing the work of the internal audit function.
Some of the key processes and/or criteria used include:
• The number of internal audits that cover risk management topics during the course of an audit cycle,
• The number and types of risk management issues identified by internal audit,
• Results of internal audit's quality assurance activities,
• Results of periodic internal audit self-assessments and/or assessments performed by external parties,
• Quality of information provided to the audit committee, and
• Compliance with the Institute of Internal Auditors' (IIA) professional standards.
4. Supervisory evaluations of risk governance practices
The peer review asked supervisors of surveyed firms to evaluate firms' progress toward enhanced risk governance across seven broad areas.
To help provide some consistency to this exercise, high-level evaluation criteria were developed (see Annex A) and the supervisory evaluations were reviewed for all surveyed firms; G-SIFIs; and by region.
The criteria were developed by drawing from a compilation of relevant principles, recommendations and supervisory guidance, and are considered by the review team as the fundamental preconditions for effective risk governance frameworks.
In summary, surveyed firms have made the most progress in strengthening (ii) the role and responsibilities of the board, with nearly 80 percent of surveyed firms evaluated by national supervisors as meeting or exceeding all of the criteria.
This is an area that warranted significant changes but is also viewed as comparatively easy to implement.
More work, however, is needed by supervisors to assess the true effectiveness of the board's oversight of the firm.
Further, despite significant improvements in (i) firms' approaches to risk governance and (vii) the independent assessment of the risk management function, significant gaps remain.
Roughly 50 per cent of surveyed firms failed to meet all of the criteria in (iii) having defined responsibilities of the risk committee and (vi) the risk management function.
These areas need much greater attention on the part of both supervisors and firms.
The supervisory evaluations indicate that, among the G-SIFIs surveyed, more progress has
been made toward enhancing risk governance practices relative to other surveyed firms,
One of the key hindrances to effective risk management at G-SIFIs has been weaknesses in firms' IT infrastructures and the inability to aggregate risk data efficiently.
While progress is being made, some supervisors noted their firm could not complete the FSB Data Gaps common data template for G-SIFIs.
This common data template aims to address key information gaps identified during the crisis and provide a strong framework for assessing potential systemic risks.
However, G-SIFIs identified in November 2011 and November 2012 are expected to meet higher expectations for risk data aggregation capabilities and risk reporting beginning in January 2016.
By region, firms that reside in AEs have generally progressed further than those in EMDEs across all aspects of the areas evaluated, except for (iii) risk committee responsibilities (see Chart 5 below).
This aligns with the finding that firms that were hardest hit during the financial crisis have made the most progress, as such firms largely reside in advanced economies.
These firms experienced a significant turnover in senior management and directors, including more non-executive directors, but board oversight of risk through an established risk committee is weak across regions.
For EMDEs, risk governance practices need to be significantly enhanced, in particular in the (vi) risk management function, as approximately 65 per cent of surveyed firms do not meet all of the criteria.
Other areas where more work is needed are their (i) approach to risk governance and (iv) governance of the board and risk committee, where more than 50 per cent of firms do not meet all of the evaluation criteria.
These gaps need immediate attention.
IV. Conclusions and recommendations
Much progress has been made toward enhancing risk governance frameworks at surveyed firms since the crisis.
Nonetheless, this progress has been uneven across the functions that collectively form the risk governance framework – the board, the firm-wide risk management function, and the independent assessment of risk governance.
Specifically, firms have made most progress in defining the role and responsibilities of the board, but much more needs to be done to strengthen the role of the risk committee and the CRO and risk management function.
Continued weaknesses in risk management will undermine the effectiveness of the changes made to board oversight of the firm's risk governance framework.
To ensure that progress continues toward achieving more effective risk governance frameworks, a more integrated and consistent approach across all aspects of the risk governance framework has to be developed.
Such an approach will require a shift in attitude for both firms and supervisors as this requires taking a holistic view of all aspects of the risk governance framework rather than looking at each facet in isolation.
Drawing from the survey responses and discussions with risk committee directors and CROs, this report sets out a list of sound risk governance practices that should help supervisors to enhance their oversight of risk governance at financial institutions, in particular at SIFIs (see Section V).
While none of the surveyed authorities and firms exhibited all of these sound practices, many firms' practices tended to be more advanced than the guidance provided by national authorities.
Recommendation 1: To ensure that firms' risk governance practices continue to improve, FSB member jurisdictions should strengthen their regulatory and supervisory guidance for financial institutions, in particular for SIFIs, and devote adequate resources (both in skills and quantity) to assess the effectiveness of risk governance frameworks.
In particular, national authorities should take into consideration the set of sound risk governance practices identified during the peer review.
Recommendation 2: The relevant standard setting bodies (e.g., BCBS, IAIS, IOSCO, OECD) should review their principles, taking into consideration the sound practices for risk governance listed in Section V.
Recommendation 3: Risk culture plays a critical role in ensuring effective risk governance endures through changing environments.
The FSB Supervisory Intensity and Effectiveness group has agreed to implement the recommendation from the 2012 FSB progress report on enhanced supervision to explore ways to formally assess risk culture, particularly at G-SIFIs.
This work should be completed by September 2013.
As the supervisory evaluations revealed, both national authorities and firms need to focus on strengthening firms' risk management functions.
Effective risk governance is based on a well-designed and articulated firm-wide risk management framework, which reflects the firm's risk culture, enumerates the firm's risk profile, and ensures that the risk limits set out in the agreed RAS are not breached.
The risk limits have to be properly defined and calibrated and align with compensation as well as escalation processes that enable appropriate action to be taken if the firm is operating outside its risk appetite and risk limits.
Developing an effective RAF, however, remains a challenge for most firms; firms need to make further progress in linking their RAFs to business strategies so that RAFs become truly effective and operational tools.
Recommendation 4: To improve their ability to assess firms' progress toward more effective risk management, national authorities should provide guidance on the key elements that are incorporated in effective risk appetite frameworks.
To enable firms to define frameworks with a minimum amount of comparability despite their firm-specific nature, a common nomenclature for terms used in risk appetite statements (e.g., "risk appetite", "risk capacity", "risk limits") should be established.
The FSB Supervisory Intensity and Effectiveness group, in collaboration with relevant standard setters, has agreed to finalise this work by the end of 2013.
Effective internal control systems are a key element of sound risk governance, and supervisory expectations for the independent assessment of internal control systems by internal audit were well established prior to the crisis.
This includes guidance issued by the BCBS as early as 1998 and by a longer history of regulatory requirements for publicly-traded financial institutions, including permanent audit committees and independent CAEs.
Since the crisis, many supervisors have appropriately elevated their expectations of internal audit functions to include more qualitative assessments of policies, procedures, risk limits and risk exposures.
As such, this is an area that demonstrated relatively sound practices across the FSB membership for both national authorities and financial institutions.
Nearly all firms have an independent CAE who reports administratively to the CEO or audit committee chair and who directly reports audit findings to a permanent audit committee.
Despite the wide range of sound practices, there is still room for improving the CAE's access to directors beyond those on the audit committee.
Regulators also need to elevate and convey expectations for internal audit, and/or a third party, to periodically provide a firm-wide assessment of risk management or risk governance processes.
Finally, to promote further progress toward effective risk governance, the report recommends that another peer review be conducted.
Recommendation 5: The FSB should consider launching a follow-up review on risk governance after 2016 (i.e., after the G-SIFI policy measures begin to be phased in), to assess national authorities' implementation of the recommendations to strengthen their supervisory guidance and oversight of risk governance.
The review also should include the G-SIFIs identified in 2014 by the FSB in collaboration with the BCBS and IAIS.
V. Sound risk governance practices
Drawing from the findings of the review, including discussions with industry organisations as well as risk committee directors and CROs of several firms that participated in the review, the report sets out a list of sound risk governance practices.
The list extracts some of the better practices exemplified by national authorities and firms.
The sound practices also build on some of the principles and recommendations published by other organisations and standard setters, drawing together those that are relevant for risk governance.
This integrated and coherent list of sound practices aims to help national authorities and firms continue to improve their risk governance.
The board of directors
1. The board:
a) avoids conflicts of interest arising from the concentration of power at the board (e.g., by having separate persons as board chairman and CEO or having a lead independent director where the board chairman and CEO are the same person);
b) comprises members who collectively bring a balance of expertise (e.g., risk management and financial industry expertise), skills, experience and perspectives;
c) comprises largely independent directors and there is a clear definition of independence that distinguishes between independent directors and non-executive directors;
d) sets out clear terms of reference for itself and its sub-committees (including tenure limits for committee members and the chairs), and establishes a regular and transparent communication mechanism to ensure continuous and robust dialogue and information sharing between the board and its sub-committees;
e)conductsperiodic reviewsof performance of theboard and its
sub-committees(bythe board nomination or governance committee,the
boardthemselves,or an external party).
This includesreviewing, at a minimum annually, thequalificationsof
directorsand their collectiveskills(includingfinancial and risk
expertise), their timecommitment and capacitytoreview informationand
understand the firm‘s businessmodel, and the specialisedtraining
requiredtoidentify desiredskillsfor theboard or for director recruitment
or renewal;
f)setsthe tone from thetop, and seekstoeffectivelyinculcatean
appropriaterisk culture throughout the firm;
g) is responsiblefor overseeingmanagement‘seffectiveimplementation
of a firm-widerisk management frameworkand policieswithinthe firm;
h)approvestheriskappetiteframeworkandensuresit isdirectlylinkedto
thebusinessstrategy, capital plan, financial plan and compensation;
i)hasaccesstoanyinformation requested and receivesinformationfrom
itscommitteesat least quarterly;
j)meetswith national authorities,at least quarterly, either individuallyor
asa group.
2. The risk committee:
a) is required to be a stand-alone committee, distinct from the audit committee;
b) has a chair who is an independent director and avoids "dual-hatting" with the chair of the board, or any other committee;
c) includes members who are independent;
d) includes members who have experience with regard to risk management issues and practices;
e) discusses all risk strategies on both an aggregated basis and by type of risk;
f) is required to review and approve the firm's risk policies at least annually;
g) oversees that management has in place processes to ensure the firm's adherence to the approved risk policies.
3. The audit committee:
a) is required to be a stand-alone committee, distinct from the risk committee;
b) has a chair who is an independent director and avoids "dual-hatting" with the chair of the board, or any other committee;
c) includes members who are independent;
d) includes members who have experience with regard to audit practices and financial literacy at a financial institution;
e) reviews the audits of internal controls over the risk governance framework established by management to confirm that they operate as intended;
f) reviews the third party opinion of the design and effectiveness of the overall risk governance framework on an annual basis.
The risk management function
4. The CRO
a) has the organisational stature, skill set, authority, and character needed to oversee and monitor the firm's risk management and related processes and to ensure that key management and board constituents are apprised of the firm's risk profile and relevant risk issues on a timely and regular basis.
The CRO should have a direct reporting line to the CEO and a distinct role from other executive functions and business line responsibilities as well as a direct reporting line to the board and/or risk committee;
b) meets periodically with the board and risk committee without executive directors or management present;
c) is appointed and dismissed with input or approval from the risk committee or the board and such appointments and dismissals are disclosed publicly;
d) is independent of business lines and has the appropriate stature in the firm as his/her performance, compensation and budget is reviewed and approved by the risk committee;
e) is responsible for ensuring that the risk management function is adequately resourced, taking into account the complexity and risks of the firm as well as its RAF and strategic business plans;
f) is actively involved in key decision-making processes from a risk perspective (e.g., the review of the business strategy/strategic planning, new product approvals, stress testing, recovery and resolution planning, mergers and acquisitions, funding and liquidity management planning) and can challenge management's decisions and recommendations;
g) is involved in the setting of risk-related performance indicators for business units;
h) meets, at a minimum quarterly, with the firm's supervisor to discuss the scope and coverage of the work of the risk management function.