Principal Oversight Functions
1. Board of Directors
The board’s risk responsibilities typically cover the following areas:
- determining the company’s approach to risk, including setting or approving its risk appetite
- setting and instilling the right culture throughout the organisation
- monitoring the company’s exposure to risk and the key risks that could undermine its strategy, reputation or long-term viability
- identifying the risks inherent in the company’s business model and strategy, including risks from external factors
- overseeing the effectiveness of management’s mitigation processes and controls, and
- ensuring the company has effective crisis management processes
2. The Risk Committee
The board delegates risk management to a risk committee at most financial services firms. This is obligatory for larger firms, but smaller firms have also set up board risk committees to pursue good practice.
The risk committee will typically:
- ratify the key policies and associated procedures of the firm’s risk management activities
- monitor the effectiveness of these critical policies
- translate the overall risk appetite of the firm, approved by the board, into a set of limits that flow down through the firm’s executive officers, business divisions and sub-committees.
The exact names for each sub-committee tend to vary across the industry, as do their specific duties. A typical firm has a senior (or group) risk committee to oversee risk management practices and detailed reporting. Junior (or divisional) risk committees that look at specific types of risk, such as credit or market risk, often report to the senior/group risk committee. Investment management firms may also have risk committees specific to fund risks, while their main risk committee will focus on firm risks.
The board’s risk management committee is responsible for independently reviewing the identification, measurement, monitoring, and controlling of all risk types. This includes the adequacy of policy guidelines and systems.
3. Risk Management
The resources to coordinate and monitor risks of all types are generally provided by a centralised risk management function that is independent of the business areas it serves. For firms with a board risk committee, the risk management function is often accountable to this committee and is typically tasked with:
- ensuring that the firm has a robust and consistent risk management and control framework
- providing support, oversight and challenge on the firm’s risk appetite statements
- owning the top-level strategic risk assessment process
- monitoring the firm’s risk profile against its risk appetites
- playing a leading role in defining and embedding the firm’s risk culture
- providing risk training across the firm
- working with other oversight functions such as compliance and audit to provide a comprehensive, robust and efficient assurance framework
In addition, for all risk types, the risk management function would typically:
- oversee and challenge the risk and control self-assessment programme to capture expected risks
- oversee and challenge the firm’s scenario analysis to capture unexpected extreme risks
- help to define, and subsequently challenge, the key risk indicators (KRIs) used for risk monitoring
- ensure issues are appropriately escalated, assisting with root-cause analysis for incidents and losses, and tracking any associated actions
- test risk models and critical controls within the business, and recommend improvements
- advise on risk-based process mapping
- support the firm’s risk IT system(s)
- benchmark the firm’s risk control framework against industry good practice
4. Compliance
Compliance and risk management are not the same, although some of their duties overlap, and the compliance function is certainly a vital component of a firm’s overall risk management.
It is crucial that laws and regulations are followed and that exceptions are noted and corrected promptly – to do otherwise would represent a significant risk to the firm. So, while there is some overlap between compliance and risk governance, each function nevertheless has a different agenda.
Compliance focuses primarily on ensuring that all laws, regulations and internal rules are followed. Risk management ensures that risks are understood and that proactive decisions are made about which risks to take and which to manage or avoid.
Compliance risk is a significant factor in the overall risk framework of financial services firms. It is not limited to simple compliance with laws and regulations; it also encompasses sound fiduciary principles, prudent ethical standards, client documents, internal policies and procedures, and other contractual obligations.
Some examples of issues that could raise an institution’s level of compliance risk are:
- substandard client account acceptance and review processes
- shortcomings in the ethical culture and expertise of management and staff
- weak internal compliance systems and training programmes
The compliance function has the same dilemma as the risk function – the need to be an adviser of the business on the one hand and the need to monitor relevant activities on the other. Compliance teams must balance the fundamentally different mindsets and approaches required by the proactive ‘trusted adviser’ versus the more reactive ‘independent watchdog’. The ‘independent watchdog’ will report deviations to an appropriate management level or, if appropriate, to the board of directors.
Effective compliance and risk governance is a collaborative process that uses all the various control functions within the organisation, such as risk management, internal control, fraud detection, and legal and human resources.
For example, the risk governance function could help detect potential compliance risks by identifying visible lapses that might indicate more pervasive non-compliant behaviour ‘below the water-line’. The human resources function would be involved as the expert in managing people, communicating expected behaviours, designing appropriate appraisal and reward structures and determining disciplinary measures.
5. Chief Risk Officer/Director/Head of Risk
To assure a strategic focus on risk management at a high level, firms should assign specific senior responsibility for all risk management across the entire organisation. In most cases this responsibility is assigned to a head of risk or chief risk officer (CRO). The CRO/head of risk governance should be independent of line management and have sufficient influence to directly impact decisions.
The CRO/head of risk governance may oversee a single group called the risk management department. Professionals working within that department, called risk managers, are responsible for facilitating the taking of appropriate financial risks by the other departments within the firm.
In larger firms, there may be more specialisation, and the CRO/head of risk management might oversee staff with specific responsibilities, for example:
- market risk management
- credit risk management
- operational risk management
Each of these people, in turn, might oversee a respective department or team. Alternatively, the CRO may simply manage market and credit risk teams, and the operational risk team might report to another senior manager.
Each firm must determine how best to achieve a strong corporate ‘risk voice’, and often this has been done by having the CRO report directly to the CEO. Alternatively, the CRO is given a seat on the board. In many cases, the CRO will now report to the board’s risk committee.
Some firms make it a practice for the CRO to report regularly to the entire board, as well as to the risk committee, to review risk issues and exposures. A strong, independent voice will mean that the CRO has the mandate to bring to the attention of both line and senior management, or the board, any situation that could materially violate risk appetite guidelines.
6. Internal and External Audit
Internal audit plays a vital role in the risk control framework as part of the ‘third line of defence’. It provides an independent, internal assessment of the effectiveness of the firm’s processes, controls and procedures. It also independently assesses the effectiveness of the risk management process.
By performing regular business reviews, internal audit assesses whether the firm’s processes and procedures are adequately controlled, up-to-date, and performed according to manuals and documentation.
It also acts as a ‘dry run’ for external audits and regulatory examiners. Internal audit must have an unrestricted mandate to review all aspects of the transaction life cycle and be independent of the senior managers and departments that are subject to review. It is considered sound practice for internal audit to report to the board of directors through the audit committee.
Identification of Errors and Breaches
There is a crossover with the operational risk governance process in that internal audit also involves identifying risk issues and potential or actual control failures and breaches. However, auditing is aimed more at checking the control environment on a ‘snapshot’ basis (e.g., once every six months), highlighting issues (audit points) but leaving cause-effect analysis and solution implementation to the business.
On the other hand, operational risk governance monitors risk on a continuous, day-to-day basis, allowing more dynamic and strategic management. Therefore, audit information should be used as an input to operational risk management. Departmental operational risk assessments can, in turn, be used to create a risk-based audit plan.
External auditors are required to audit the annual accounts and to report to the members of the company whether, in their opinion, the annual accounts:
1. Have been prepared in accordance with the Companies Act.
2. Give a ‘true and fair view’.
Additionally, and of great assistance to the risk oversight function, a firm’s external auditors produce specialised reports for the board and external clients; these give assurance that the firm’s control environment works as designed.
7. Internal and External Legal Support
Legal risk arises from:
1. Uncertainty due to legal actions.
2. Uncertainty in the applicability or interpretation of contracts, laws or regulations.
Depending on an institution’s circumstances, the legal risk may entail such issues as the following:
- Contract formation – what constitutes a legitimate contract? Is an oral agreement sufficient, or must there be a legal document? What sort of documentation is required?
- The legality of derivatives transactions – in some jurisdictions, there are issues relating to whether certain derivatives could be deemed gambling contracts and thus made unenforceable.
- Netting agreements – under what circumstances will a close-out netting agreement be enforceable?
- Contract frustration – might unforeseen circumstances invalidate a contract? For example, if an agreement is linked to an index or currency which ceases to exist, will the agreement become invalid?
Legal risk can be a problem for institutions that transact business across borders. Not only are they exposed to uncertainty relating to the laws of multiple jurisdictions, but they also face uncertainty as to which jurisdiction will have authority over any particular legal issue.
Larger firms tend to have in-house legal departments bolstered by contract staff from external law firms during busy periods or when specialist advice is required. Smaller firms rely on external advice, perhaps maintaining just one or two in-house lawyers.
In either case, financial services firms typically require good quality legal advice on matters such as:
- institutional client mandates
- regulatory compliance issues
- underwriting Initial Public Offerings (IPOs)
- international markets and cross-border activities
- enforcement, disciplinary matters and dispute resolution
- compliance procedures
- internet/e-commerce contract law
- money laundering
- employment contracts and third-party vendor agreements
8. Regulatory Oversight
The regulator itself also carries out a key oversight role. For larger firms, this involves lengthy and in-depth on-site visits looking at all the important aspects of how the firm is run. Even for smaller firms, processes such as the Internal Capital Adequacy Assessment Process (ICAAP) mean that the regulator receives detailed reports on how the firm is managing its risks and capital.
Setting up the risk governance structure is not a one-off exercise. Whether planned or unplanned, corporate changes must take the current governance structure into account and also (in the case of planned changes) any upgrading that might be required as a result of the change.
Such planned changes could include acquiring a firm and merging it with the existing business. Careful thought needs to be given to how its existing governance structure will be merged with the acquiring firm’s governance structure – and how any gaps or overlaps will be managed.
To be prepared for unplanned changes, such as senior managers leaving the firm, succession plans must exist for each member of the firm’s key committees. A succession plan might reveal that certain roles have no obvious successor. This will allow the firm to nominate and prepare a member of staff to be the successor or, in the case of non-executive directors (NEDs), to develop relationships with potential future candidates.