International Association of Risk and Compliance Professionals (IARCP)
1200 G Street NW Suite 800, Washington, DC 20005-6705 USA
Tel: 202-449-9750
www.risk-compliance-association.com

Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next

Dear Member,

It was 2 a.m. and I was ready to sleep, but I also wanted to check my emails another time. Yes, I have read the famous book The 4-Hour Workweek by Timothy Ferriss, but I disagree with him, so I have decided to do the opposite: To check emails more frequently. Sorry Tim.

One of the first emails was an important one: Red Alert, China occupies the Public Company Accounting Oversight Board. There was even a picture!
What? I know that China implements a Chinese Sarbanes-Oxley, but what is that now?

I read in the picture: PCAOB, James R. Doty. What? Is James R. Doty well? Fortunately, James is very well. There was no red alert. One of my friends, John, an attorney, sent me this email. Read more about it at number 7 of our list below.

The following morning, I received another email.

Title: Forecasting is the art of saying what will happen, and then explaining why it didn't

Message: I hate you. Our boss is following your stress testing recommendations. Lao Tzu has said that those who have knowledge don't predict. Those who predict don't have knowledge.

Signature: Terminator

Terminator? Arnold Schwarzenegger, did you send this email? Who? Lao Tzu? The Chinese again?

I replied!

Dear Arnold (or other Terminator),

It is not me! It is Basel III that asks for a forward-looking perspective! Basel III requires stress testing. And, we have a crystal ball in risk management: The recommendations of the Financial Stability Board (FSB).

The recommendations. Who reads these recommendations? So important ... I have led some classes since January; nobody reads FSB. They laugh when I say read FSB every morning, before reading FT or WSJ!

It is time to read the recommendations of the FSB carefully. It is about the board, senior management, risk officers, compliance officers, internal and external auditors. This is our Number 1. These pages are so important.

Welcome to the Top 10 list.

Best Regards,

George Lekatis
President of the IARCP
General Manager, Compliance LLC
1200 G Street NW Suite 800, Washington DC 20005, USA
Tel: (202) 449-9750
Email: [email protected]
www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804, Wilmington DE 19801, USA
Tel: (302) 342-8828

Thematic Review on Risk Governance
Peer Review Report

Financial Stability Board (FSB) member jurisdictions have committed, under the FSB Charter and in the FSB Framework for Strengthening Adherence to International Standards, to undergo periodic peer reviews. To fulfil this responsibility, the FSB has established a regular programme of country and thematic peer reviews of its member jurisdictions.

Thematic reviews focus on the implementation and effectiveness across the FSB membership of international financial standards developed by standard-setting bodies and policies agreed within the FSB in a particular area important for global financial stability.

Keynote Luncheon Speech
By Commissioner Elisse B. Walter, U.S. Securities and Exchange Commission
32nd Annual SEC and Financial Reporting Institute Conference, Pasadena, CA

Background on the PCAOB
Steven B. Harris, Board Member
Kennesaw State Graduate Student Meeting, Washington, DC

Financial Conglomerates Directive Technical Review

This Prudential Regulation Authority (PRA) policy statement publishes the final rules implementing the Financial Conglomerates Directive Technical Review (2011/89/EC) (FICOD 1), which amends the Financial Conglomerates Directive (2002/87/EC) and certain other Directives insofar as they apply to financial conglomerates.

Committee on the Global Financial System
CGFS Papers No 49
Asset encumbrance, financial reform and the demand for collateral assets
Report submitted by a Working Group established by the Committee on the Global Financial System
The Group was chaired by Aerdt Houben, Netherlands Bank

Given that the demand for collateral assets is increasing, the Committee on the Global Financial System (CGFS) in May 2012 established a Working Group (chaired by Aerdt Houben, Netherlands Bank) to explore the implications of this trend for markets and policy. This report presents the Group's findings from a system-wide perspective and draws broad conclusions for policymakers.

The report presents evidence of increased reliance by banks on collateralised funding markets in recent years for some regions, with the increase being most pronounced in Europe.

Peer Review of Switzerland
Review Report

FSB country peer reviews

The FSB has established a regular programme of country peer reviews of its member jurisdictions. The objective of the reviews is to examine the steps taken or planned by national authorities to address International Monetary Fund (IMF) - World Bank FSAP recommendations concerning financial regulation and supervision as well as institutional and market infrastructure.

PCAOB Enters into Enforcement Cooperation Agreement with Chinese Regulators

The Public Company Accounting Oversight Board announced that it has entered into a Memorandum of Understanding (MOU) on Enforcement Cooperation with the China Securities Regulatory Commission (CSRC) and the Ministry of Finance (MOF).

The MOU establishes a cooperative framework between the parties for the production and exchange of audit documents relevant to investigations in both countries' respective jurisdictions. More specifically, it provides a mechanism for the parties to request and receive from each other assistance in obtaining documents and information in furtherance of their investigative duties.
Islamic commerce and finance
Opening remarks by Dr Michael Gondwe, Governor of the Bank of Zambia, at the workshop on Islamic commerce and finance, Lusaka.

Three questions on the nature and management of risk
Keynote speech by Mr Norman T L Chan, Chief Executive of the Hong Kong Monetary Authority, at the Hong Kong Monetary Authority-Global Association of Risk Professionals (GARP) Global Risk Forum Opening Dinner, Hong Kong.

Investor Protection Through Economic Analysis
By Craig M. Lewis, Chief Economist and Director, Division of Risk, Strategy, and Financial Innovation, U.S. Securities and Exchange Commission
Speech at the Pennsylvania Association of Public Employee Retirement Systems Annual Spring Forum, Harrisburg, PA
Thematic Review on Risk Governance
Peer Review Report

Foreword

Financial Stability Board (FSB) member jurisdictions have committed, under the FSB Charter and in the FSB Framework for Strengthening Adherence to International Standards, to undergo periodic peer reviews. To fulfil this responsibility, the FSB has established a regular programme of country and thematic peer reviews of its member jurisdictions.

Thematic reviews focus on the implementation and effectiveness across the FSB membership of international financial standards developed by standard-setting bodies and policies agreed within the FSB in a particular area important for global financial stability. Thematic reviews may also analyse other areas important for global financial stability where international standards or policies do not yet exist. The objectives of the reviews are to encourage consistent cross-country and cross-sector implementation; to evaluate (where possible) the extent to which standards and policies have had their intended results; and to identify gaps and weaknesses in reviewed areas and to make recommendations for potential follow-up (including via the development of new standards) by FSB members.

This report describes the findings of the thematic peer review on risk governance, including the key elements of the discussion in the FSB Standing Committee on Standards Implementation (SCSI).

The draft report for discussion was prepared by a team chaired by Swee Lian Teo (Monetary Authority of Singapore), comprising Ted Price (Canada Office of the Superintendent of Financial Institutions), Xiang Qi (China Banking Regulatory Commission), Jérôme Lachand (France Autorité de Contrôle Prudentiel), Sofia Nikopoulos (German BaFin), Adriana Elizondo (Mexico National Banking and Securities Commission), Francisco Gil (Bank of Spain), Mike Brosnan (United States Office of the Comptroller of the Currency), Xavier-Yves Zanota (member of the Basel Committee on Banking Supervision Secretariat), Mats Isaksson (Organisation for Economic Co-operation and Development), and Laura Ard (World Bank). Merylin Coombs and Grace Sone (FSB Secretariat) provided support to the team and contributed to the preparation of the peer review report.

Executive summary

The recent global financial crisis exposed a number of governance weaknesses that resulted in firms' failure to understand the risks they were taking. In the wake of the crisis, numerous reports painted a fairly bleak picture of risk governance frameworks at financial institutions, which consist of the three key functions: the board, the firm-wide risk management function, and the independent assessment of risk governance.

The crisis highlighted that many boards had directors with little financial industry experience and limited understanding of the rapidly increasing complexity of the institutions they were leading. Too often, directors were unable to dedicate sufficient time to understand the firm's business model and too deferential to senior management. In addition, many boards did not pay sufficient attention to risk management or set up effective structures, such as a dedicated risk committee, to facilitate meaningful analysis of the firm's risk exposures and to constructively challenge management's proposals and decisions. The risk committees that did exist were often staffed by directors short on both experience and independence from management.

The information provided to the board was voluminous and not easily understood, which hampered the ability of directors to fulfil their responsibilities. Moreover, most firms lacked a formal process to independently assess the propriety of their risk governance frameworks. Without the appropriate checks and balances provided by the board, the risk management function, and independent assessment functions, a culture of excessive risk-taking and leverage was allowed to permeate in these weakly governed firms. Further, with the risk management function lacking the authority, stature and independence to rein in the firm's risk-taking, the ability to address any weaknesses in risk governance identified by internal control assessment and testing processes was obstructed.

The peer review found that, since the crisis, national authorities have taken several measures to improve regulatory and supervisory oversight of risk governance at financial institutions. These measures include developing or strengthening existing regulation or guidance, raising supervisory expectations for the risk management function, engaging more frequently with the board and management, and assessing the accuracy and usefulness of the information provided to the board to enable effective discharge of their responsibilities. Nonetheless, more work remains; national authorities need to strengthen their ability to assess the effectiveness of a firm's risk governance, and more specifically its risk culture, to help ensure sound risk governance through changing environments. Supervisors will need to undergo a substantial change in approach since assessing risk governance frameworks entails forming an integrated view across all aspects of the framework.

The peer review also asked supervisors to evaluate progress made by their surveyed firm(s) toward enhanced risk governance in seven areas. To provide some consistency to this exercise, the review team developed high-level criteria to assist supervisory evaluations of firms' progress, drawing from a compilation of relevant principles, recommendations and supervisory guidance. The high-level criteria were viewed as fundamental prerequisites for risk governance frameworks.

This evaluation found that many of the best risk governance practices at surveyed firms are now more advanced than national guidance. This outcome may have been motivated by firms' need to regain market confidence rather than regulatory requirements. Firms have made particular progress in:

- assessing the collective skills and qualifications of the board as well as the board's effectiveness, either through self-evaluations or through the use of third parties;
- instituting a stand-alone risk committee that is composed only of independent directors and having a clear definition of independence;
- establishing a group-wide chief risk officer (CRO) and risk management function that is independent from revenue-generating responsibilities and has the stature, authority and independence to challenge decisions on risk made by management and business lines; and
- integrating the discussions among the risk and audit committees through joint meetings or cross-membership.

Although many surveyed firms have made progress in the last few years, significant gaps remain, relative to the criteria developed, particularly in risk management. There were also differences in progress across regions, with firms in advanced economies having adopted more of the desirable risk governance practices. The results of the supervisory evaluations were grouped by: (i) all surveyed firms; (ii) firms identified by the FSB and Basel Committee on Banking Supervision (BCBS) as global systemically important financial institutions, or G-SIFIs; and
(iii) firms that reside in advanced economies (AEs) or emerging market and developing economies (EMDEs).

In summary, across the seven areas evaluated, firms have made the most progress in defining the board's role and responsibilities, and reasonable progress in their approach to risk governance and the independent assessment of risk governance. The supervisory evaluations, however, indicate that surveyed firms should continue to work toward defining the responsibilities of the risk committee and strengthening their risk management functions, as nearly 50 per cent of surveyed firms did not meet all of the evaluation criteria in these areas.

By type of institution, surveyed G-SIFIs are more advanced than other financial institutions in defining the responsibilities of the board and risk committee, conducting independent assessments of risk governance, providing relevant information to the board and risk committee, and to some extent more advanced in the risk management function. These results support the finding that the firms in the regions hardest hit by the financial crisis have made the most progress. Meanwhile, supervisory evaluations of firms that reside in EMDEs show that nearly 65 per cent did not meet all of the criteria for the risk management function. These gaps need immediate attention by both supervisors and firms.

Other significant findings coming out of the review include the following:

National authorities do not engage on a sufficiently regular and frequent basis with the board, risk committee and audit committee. Several jurisdictions hold such meetings only once a year or on an as-needed basis.

Good progress has been made toward elevating the CRO's stature, authority, and independence. In many firms, the CRO has a direct reporting line to the chief executive officer (CEO) and a role that is distinct from other executive functions and business line responsibilities (e.g., no dual-hatting). This elevation, however, needs to be supported by the involvement of the risk committee in reviewing the performance and setting the objectives of the CRO, ensuring that the CRO has access to the board and risk committee without impediment (including reporting directly to the board/risk committee), and facilitating periodic meetings with directors without the presence of executive directors or other management.

More work is needed on the part of both national authorities and firms on establishing an effective risk appetite framework (RAF). Assessing a firm's RAF is a challenging task that requires greater clarity and an elevated level of consistency among national authorities.

Supervisory expectations for the independent assessment of internal control systems by internal audit or other independent function were well-established prior to the crisis. As such, this is an area that demonstrated relatively sound practices across the FSB membership at both national authorities and firms. However, no jurisdiction had specific expectations for internal audit to periodically provide a firm-wide assessment of risk management or risk governance processes. Nearly all firms have an independent chief audit executive (CAE) who reports administratively to the CEO and the audit committee chair and who directly reports audit findings to a permanent audit committee. However, there is still room for improving the CAE's access to directors beyond those on the audit committee.

Drawing from the findings of the review, including discussions with industry organisations as well as risk committee directors and CROs of several firms that participated in the review, the report identifies some of the better practices exemplified by national authorities and firms to collectively form a list of sound risk governance practices. It also draws on some of the relevant principles and recommendations for risk governance published by other organisations and standard setting bodies. No one single authority or firm, however, demonstrated all of these sound practices. This integrated and coherent list of sound practices aims to help national authorities take a more holistic approach to risk governance, rather than looking at each facet in isolation, and may provide a basis for consideration by authorities and standard setting bodies as they review their guidance and standards for strengthening risk governance practices.

The review sets out several recommendations to ensure the effectiveness of risk governance frameworks continues to improve by targeting areas where more substantial work is needed. While the review focused on banks and broker-dealers that are systemically important, these recommendations apply to other types of financial institutions, including insurers and financial conglomerates.

Recommendations:

1. To ensure that firms' risk governance practices continue to improve, FSB member jurisdictions should strengthen their regulatory and supervisory guidance for financial institutions, in particular for SIFIs, and devote adequate resources (both in skills and quantity) to assess the effectiveness of risk governance frameworks. In particular, national authorities should consider the following sound risk governance practices:
i. Set requirements on the independence and composition of boards, including requirements on relevant types of skills that the board, collectively, should have (e.g., risk management, financial industry expertise) as well as the time commitment expected.

ii. Hold the board accountable for its oversight of the firm's risk governance and assess if the level and types of risk information provided to the board enable effective discharge of board responsibilities. Boards should satisfy themselves that the information they receive from management and the control functions is comprehensive, accurate, complete and timely to enable effective decision-making on the firm's strategy, risk profile and emerging risks. This includes establishing communication procedures between the risk committee and the board and across other board committees, most importantly the audit and finance committees.

iii. Set requirements to elevate the CRO's stature, authority, and independence in the firm. This includes requiring the risk committee to review the performance and objectives of the CRO, ensuring the CRO has unfettered access to the board and risk committee (including a direct reporting line to the board and/or risk committee), and expecting the CRO to meet periodically with directors without executive directors and management present. The CRO should have a direct reporting line to the CEO and a distinct role from other executive functions and business line responsibilities (e.g., no dual-hatting). Further, the CRO should be involved in activities and decisions (from a risk perspective) that may affect the firm's prospective risk profile (e.g., strategic business plans, new products, mergers and acquisitions, internal capital adequacy assessment process, or ICAAP).

iv. Require the board (or audit committee) to obtain an independent assessment of the design and effectiveness of the risk governance framework on an annual basis.

v. Engage more frequently with the board, risk committee, audit committee, CEO, CRO, and other relevant functions, such as the CFO, to assess the firm's risk culture (e.g., the tone at the top), whether directors provide effective challenge to management's proposals and decisions, and whether the risk management function has the appropriate authority to influence decisions that affect the firm's risk exposures.

2. The relevant standard setting bodies (e.g., BCBS, IAIS, IOSCO, OECD) should review their principles for governance, taking into consideration the sound risk governance practices listed in Section V.

3. Risk culture plays a critical role in ensuring effective risk governance endures through changing environments. The FSB Supervisory Intensity and Effectiveness group has agreed to implement the recommendation from the 2012 FSB progress report on enhanced supervision to explore ways to formally assess risk culture, particularly at G-SIFIs. This work should be completed by September 2013.

4. To improve their ability to assess firms' progress toward more effective risk management, national authorities should provide guidance on the key elements that are incorporated in effective risk appetite frameworks. To enable firms to define frameworks with a minimum amount of comparability despite their firm-specific nature, a common nomenclature for terms used in risk appetite statements (e.g., risk appetite, risk capacity, risk limits) should be established. The FSB Supervisory Intensity and Effectiveness group, in collaboration with relevant standard setters, has agreed to finalise this work by the end of 2013.

5. The FSB should consider launching a follow-up review on risk governance after 2016 (i.e., after the G-SIFI policy measures begin to be phased in), to assess national authorities' implementation of the recommendations to strengthen their supervisory guidance and oversight of risk governance. The review also should include the G-SIFIs identified in 2014 by the FSB in collaboration with the BCBS and IAIS.

I. Introduction

Increasing the intensity and effectiveness of supervision to reduce the moral hazard posed by SIFIs is a key component of the FSB's policy measures, endorsed by G20 Leaders. Since the onset of the global crisis, supervisors have intensified their oversight of financial institutions, particularly SIFIs, so as to reduce the probability of their failure. Specifically, supervisory expectations of risk management functions and overall risk governance frameworks have increased, as this was an area that exhibited significant weaknesses in many financial institutions during the global financial crisis. While supervisors are responsible for assessing whether a firm's risk governance framework and processes are adequate, appropriate and effective for managing the firm's risk profile, the firm's management is responsible for identifying and managing the firm's risk.

In October 2011, the FSB agreed to conduct a thematic peer review on risk governance to assess progress toward enhancing practices at national authorities and firms (banks and broker-dealers). For purposes of this review, risk governance collectively refers to the role and responsibilities of the board, the firm-wide CRO and risk management function, and the independent assessment of the risk governance framework (see Chart 2).
Board responsibilities and practices: The board is responsible for ensuring that the firm has an appropriate risk governance framework given the firm's business model, complexity and size, which is embedded into the firm's risk culture. How boards assume such responsibilities varies across jurisdictions.

Firm-wide risk management function: The CRO and risk management function are responsible for the firm's risk management across the entire organisation, ensuring that the firm's risk profile remains within the risk appetite statement (RAS) as approved by the board. The risk management function is responsible for identifying, measuring, monitoring, and recommending strategies to control or mitigate risks, and reporting on risk exposures on an aggregated and disaggregated basis.

Independent assessment of the risk governance framework: The independent assessment of the firm's risk governance framework plays a crucial role in the ongoing maintenance of a firm's internal controls, risk management and risk governance. It helps a firm accomplish its objectives by bringing a disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. This may involve internal parties, such as internal audit, or external resources such as third-party reviewers (e.g., audit firms, consultants).

The peer review did not focus on other relevant dimensions of risk governance, such as risk disclosures and firm-wide compensation practices (since these areas have been covered by previous FSB peer reviews) or risk data aggregation capabilities at banks (since this topic is being covered by a task force of the BCBS). Separately, the International Association of Insurance Supervisors (IAIS) launched a peer review at the end of 2012 against its Core Principles on governance and risk management and internal controls.

There is currently no single set of principles and standards that comprehensively addresses and integrates risk governance requirements; however, a number of different standards and recommendations on good governance frameworks are relevant. The review therefore did not assess compliance with any specific standard, but used a compilation of existing standards and recommendations (as appropriate) to take stock of risk governance practices at both national authorities and firms, and to identify any gaps therein. Supervisors were asked to evaluate firms' progress and the review team developed high-level criteria to provide some consistency to this exercise. The findings of the review were based on the responses to questionnaires from FSB member jurisdictions and from the 36 banks and broker-dealers that FSB members deemed as significant for the purpose of the review.

Section II takes stock of national authorities' initiatives to strengthen oversight of firms' risk governance frameworks and describes the range of supervisory practices in four broad areas:

(1) The board and its committees;
(2) The firm-wide risk management function, including the CRO;
(3) The independent assessment of the firm-wide risk management framework by internal audit and/or third parties; and
(4) The supervisory assessment of risk governance frameworks.

Section III examines risk governance practices at surveyed firms and the changes made since the financial crisis. In addition to the responses to the questionnaire, the findings draw on the outcomes of discussions with industry organisations as well as risk committee directors and CROs of several firms that participated in the review. National supervisors were asked to assess firms' progress toward enhancing key risk governance functions, as well as the accuracy and completeness of the responses provided by firms headquartered in their jurisdiction.

Section IV sets out the conclusions and recommendations drawn from the findings of the review, which is followed by a list of sound risk governance practices that encompass an overlay of supervisory expectations for sound practices at firms.

II. National authorities' oversight of risk governance practices

Since the financial crisis, national authorities have increased their supervisory focus on risk governance, which is a critical element for promoting a more resilient financial system. Underpinning the range of reforms is the issuance in 2010 of the BCBS Principles for Enhancing Corporate Governance and the OECD publication on Corporate Governance and the Financial Crisis: Conclusions and Emerging Good Practices.

Some of the notable changes embedded in regulatory and supervisory guidance include: introducing explicit requirements for the establishment of a risk committee; conveying expectations to strengthen the risk management function, including the stature and qualifications of the CRO; introducing additional requirements for risk governance at SIFIs; enhancing the mandate and resources of supervisory authorities in relation to risk governance oversight; increasing the intensity of engagement between the supervisor and the board and senior management on risk governance issues; and adjusting the supervisory risk assessment process, particularly increasing the focus on risk governance across different business models.

Annex C provides more details on the initiatives FSB members have taken to strengthen oversight of risk governance practices, including implementation of other relevant principles such as the FSB principles for sound compensation practices and recommendations put forward in the 2009 report by the Senior Supervisor Group (SSG) on risk management practices during the financial crisis.
While supervisory guidance has improved, progress has been uneven across the functions that collectively form the risk governance framework. Based on the findings from the review, some areas where more supervisory requirements and/or guidance would be useful include:

- A clear definition of independence which is separate from non-executive director;
- The establishment of a stand-alone risk committee that is composed of independent directors;
- The level and types of risk information firms should provide as well as the frequency of risk reporting;
- The key features of an effective risk appetite framework to help supervisory evaluations; and
- The ways internal audit can provide feedback on whether a firm's risk governance processes are keeping pace with trends and/or align with best practices.

The next four sub-sections summarise existing supervisory expectations for the three key risk governance functions and examine authorities' approaches to assessing the implementation of supervisory expectations.

1. The board and its committees

Regulatory and supervisory guidance specifying the role and responsibilities of the board are prevalent across the FSB membership, including among other things for risk governance. A key responsibility of the board is to approve the firm's overall business strategy and RAF. As such, the board has ultimate responsibility for the firm's risk management, including setting the risk culture of the firm and overseeing management's implementation of the agreed business strategy.
To ensure that boards are focused on the higher-level strategic and risk issues, supervisors are engaging more frequently with the board, in particular with independent directors. The definition of what constitutes effective risk governance is evolving; however, supervisors highlight the importance of the board setting the tone at the top in regard to the firm's strategy and risk culture and challenging management on adherence to the agreed risk appetite.

1.1 Board composition

The leadership structure to oversee the firm's risk management varies across jurisdictions. Most jurisdictions require the establishment of a permanent audit committee, which has a longer history than other board sub-committees, driven by requirements from securities regulators to provide assurance on the quality of the financial information provided by registered financial institutions. As such, more specific regulatory and supervisory requirements are set out for the composition and independence of the audit committee than for the risk committee. For example, a number of jurisdictions require the audit committee to comprise a majority of independent or non-executive directors, several jurisdictions require the audit committee chair to be independent (or in some cases a non-executive), and in a few jurisdictions the participation of the chair of the board is restricted.

The establishment of a stand-alone risk committee is less prevalent, and the requirement typically applies to large, complex financial institutions (e.g., firms with many legal entities and/or cross-border operations). Where stand-alone risk committees exist, several jurisdictions require risk committee members to have expertise in risk-related disciplines, and only a few jurisdictions require a minimum number of independent directors.
In Hong Kong, however, forthcoming changes will require all, or the majority, of the members of the risk committee to be non-executive directors.

Annex D provides further details on the regulatory and supervisory guidance for the composition of the board and sub-committees, but some of the key features include:

- Independence: Many jurisdictions have established general requirements concerning the independence of the board to ensure that there is objective judgement and decision-making on the board. Many jurisdictions also set out quantitative minimums for the number of independent directors on the board. Some other jurisdictions only set quantitative minimums for the number of non-executive directors, which does not necessarily ensure independent judgement on the board.
- Expertise: Regardless of the board structure, the board needs to comprise members who collectively bring a balance of expertise, skills, experience and perspectives while exhibiting the objectivity to ensure decisions are based on sound judgement and thoughtful deliberations. Many jurisdictions conduct periodic reviews of the performance, training and skills needed in the board and risk committee. Requiring specific skills for all directors is a common practice (usually subsumed in fit and proper tests) and typically includes relevant knowledge, experience and skills in finance and/or business. Several jurisdictions not only look at individual qualifications but also take a holistic view of the board, examining its collective skills and qualifications. In addition to having certain skills and qualifications, some jurisdictions require directors to have the capacity to dedicate sufficient time and energy to reviewing information and developing an understanding of the key issues related to the firm's activities.

1.2 Governance of the board

For the board to effectively supervise and manage the firm's adherence to the agreed business strategy and risk appetite, directors should be provided with, and have access to, comprehensive information about the firm's risks. This involves ensuring there are communication and reporting procedures across board sub-committees, and several national authorities set out such requirements in their guidance (see Annex E). However, there is little supervisory guidance on the level and types of risk information firms should provide, or on the frequency of risk reporting. Importantly, the risk management reports provided to the board should contribute to sound risk management and decision-making. The board and its committees, however, should not rely only on the management reports provided. They should consider whether there is a need for additional risk-related information, which should be made available to them when needed. Only a few jurisdictions, however, require the board to have such access.

2. The firm-wide risk management function

Since the financial crisis, national authorities have intensified their oversight of firms' risk management practices and raised their expectations for what is considered strong risk management, which is integral to the core business of a financial institution.
The failure to have a strong, independent risk management function can lead to ill-informed boards and senior management teams as well as imprudent decisions. The risk management function should be responsible for the firm's risk management framework across the entire organisation, ensuring that the firm's risk limits are consistent with the RAS and that risk-taking remains within those limits. Stress tests and scenario analyses are viewed as a useful tool for identifying firms' vulnerabilities and developing risk management strategies to address the risks identified. To fulfil these responsibilities, risk management functions should be led by an influential and highly effective CRO.

2.1 Governance of the risk management function

Supervisors have increased their expectations for the risk management function and are evaluating the CRO's stature, authority, qualifications, and independence within the firm. As the crisis demonstrated, these are prerequisites for the CRO to be able to influence the firm's risk-taking activities directly and through the risk management function, and to effectively inform the board as risks evolve, are identified, and are taken. Annex F provides more information on the governance around the risk management function, but some supervisory practices regarding the CRO function include:

- Independence: Most jurisdictions require the CRO and/or risk management function to be independent; that is, to have a distinct role from the other executive functions, revenue-generating functions and business line responsibilities.
- Stature: The CRO and risk management function should have sufficient stature in the organisation to influence the firm's risk-taking activities.
In this regard, some jurisdictions have supervisory guidance that requires the CRO to report and have direct access to the board. To elevate the CRO's stature, Singapore expects the dismissal of the CRO to be approved by the board.
- Authority: To effectively fulfil its role, many jurisdictions require the CRO to have the authority to influence decisions that affect the firm's exposure to risk, and several jurisdictions set out explicit expectations for the CRO to be able to challenge management's recommendations and decisions and to communicate directly with senior management and with the board.
- Qualifications: Fit and proper tests are commonly used to assess the qualifications and competencies of the CRO in many FSB member jurisdictions. In addition, the appointment of the CRO is approved by authorities in China, Germany (if the CRO is a member of the management board), and Singapore, while the United Kingdom interviews CRO candidates. Many jurisdictions evaluate the CRO through their on-going supervisory processes.

2.2 Risk appetite framework

Assessing a firm's RAF is a challenging task that requires greater clarity and an elevated level of consistency among national authorities. At the core of the RAF is the firm's RAS, which has become an effective tool for enhancing the discussions between supervisors and boards about the firm's strategic direction in terms of risk taking. However, a key challenge toward assessing the effectiveness of a firm's RAS is a lack of common terminology for risk appetite, risk profile, and risk capacity used within firms, across firms and across national authorities.
This is an area that is developing in many jurisdictions; for instance, India, Russia and Saudi Arabia have looked at risk appetite only in the context of the BCBS ICAAP, while in Canada, France and the United States, separate processes are continuing to be put in place to assess firms' RAFs, often drawing on assessment criteria outlined in the work of the SSG. Supervisory reviews are underway in Canada of firms' integration of their RAF with the strategic, financial and capital planning processes and compensation practices. In Hong Kong, firms' risk appetite is reviewed from an integrated firm-wide perspective taking into account all risks (financial and non-financial). The supervisor determines whether the firm's RAS is comprehensive and includes appropriate risk targets that are consistent with each other. The supervisor will also determine whether the RAS has a wide range of measures and actionable elements and whether robust procedures and controls are in place for the setting and monitoring of the agreed risk appetite. National authorities in Singapore assess annually firms' link between risk appetite, strategic objectives, capital planning and operational budget planning. Supervisors also review the firm's progress in the translation of risk appetite into limits and triggers by risk type, as well as their monitoring and reporting procedures. In Switzerland, supervisors regularly review the risk limit frameworks, and there must be an established link between the limits and the strategy.

2.3 Stress testing

The objective of stress tests and scenario analyses is to assess the unanticipated losses that a firm may incur under certain stress scenarios and the impact that may have on its business plans, risk management strategies or capital plans. The use of stress tests in firms' risk governance and capital planning has increased in recent years, with the results serving as an input into the firm's strategic decision-making. As firms are increasingly linking stress test results to risk appetite, ICAAP, contingency planning, and recovery and resolution plans, supervisory approaches to stress testing are evolving accordingly.

In Canada, supervisors assess whether the chosen scenarios are appropriate for the portfolio of the institution, including severe shocks and periods of severe and sustained downturns and, where relevant, an episode of market turbulence or a shock to market liquidity, and whether the frequency and timing of stress testing are sufficient to support timely management action. Similarly, supervisors in Hong Kong assess the coverage of stress tests and the types of stress scenarios and parameters chosen in relation to the firm's risk tolerance, overall risk profile and business plan; the appropriateness of assumptions; the adequacy of policies and procedures; the adequacy of the firm's contingency planning for action to be taken should a particular stress scenario happen; the level of oversight exercised by the board and senior management over the stress-testing program and the results generated; and the adequacy of the firm's internal review and audit of its stress-testing program. Indeed, supervisory attention now includes both the outcomes of stress tests and the effectiveness of the firm's stress testing processes. For instance, Singapore, Switzerland and the United Kingdom have dedicated teams to review stress testing practices at firms, and China, Germany and Hong Kong expect firms' internal audit functions to assess the effectiveness of risk management systems in general, including stress tests.
3. Independent assessment of firms' risk governance framework

Strong internal control systems are a key element of sound risk governance. The board is responsible for overseeing the implementation of an effective risk governance framework and, as such, should directly oversee the independent assessment process. An assessment that is independent from the business unit and the risk management control function can assist the board in judging whether the risk governance framework, internal controls and oversight processes are operating as intended. This may be performed by internal audit or by third parties such as audit firms or consultants. Regardless of the approach, it is critical that the assessment result in an overall opinion on the design and effectiveness of the risk governance framework and be performed by individuals with the skills needed to produce a reliable assessment. Currently, audit functions at only a few firms provide overall opinions regarding the risk governance framework.

3.1 Internal audit

Across the FSB membership, regulatory or supervisory expectations exist for internal audit. Annex G provides a comparison of key regulatory and supervisory expectations, with the most notable elements including:

- Independence: Nearly all jurisdictions require firms to have a permanent internal audit function that is independent from business lines, support functions (e.g., treasury, legal), and risk management.
Firms are also required to explicitly link the independence of internal audit to auditor compensation or career plans. Regardless of the direct reporting lines, most jurisdictions expect internal audit to have unfettered access to the board when reporting internal audit results.
- Stature: Several jurisdictions expect internal audit to report directly to the board, a committee thereof, or an independent director. The direct reporting relationship involves the responsible party determining the CAE's compensation, completing the CAE's annual performance evaluation, approving the CAE's budget, and/or otherwise ensuring the CAE is not unduly influenced by the CEO or other members of the management team. While the CAE may report to the CEO on day-to-day administrative matters, all substantive decisions regarding the CAE and the internal audit function are made at the board level. In Singapore, Hong Kong and Indonesia, the dismissal of the CAE requires the audit committee's approval.
- Qualifications: All FSB members have established requirements or expectations for the CAE and internal audit staff to have the skills necessary to effectively carry out their duties. Supervisory assessments generally consider the technical knowledge, experience and character of individuals within the internal audit function.
- Scope, coverage and frequency: Many jurisdictions expect internal audit to assess and/or opine on risk management or risk governance processes, as well as internal controls. Expectations for the scope, coverage and frequency of such assessments vary widely.
However, almost all jurisdictions expect internal audit to assess the organisation and mandates of the risk management function(s) and the adequacy of systems and processes for assessing, controlling, responding to, and reporting the firm's risks. No jurisdiction indicated that it expects internal audit to periodically provide a firm-wide assessment of risk management or risk governance processes.
- Risk appetite framework: Many jurisdictions expect internal audit to assess compliance with the board-approved risk appetite. In the United Kingdom, internal audit is expected to ensure that procedures are in place to report breaches of the firm's risk appetite to the board.
- Benchmarking: Most jurisdictions indicate that internal audit should be aware of industry trends and best practices and that auditors should consider such knowledge when conducting their work. However, no jurisdiction had specific expectations for internal audit to opine on whether a firm's risk governance processes are keeping pace with trends and/or align with best practices.
- Remediation process: There is a wide range of expectations for internal audit to follow up on remedial actions to address material deficiencies, and several jurisdictions expect internal audit to report the results of its follow-up activities to the board. Nearly all jurisdictions indicated that they require some form of follow-up and reporting.
- Chief audit executive: All jurisdictions indicate that supervisors consider the CAE's performance when assessing the quality of internal audit. Such assessments may be performed off-site, within on-site inspections, and/or through regular meetings with the CAE and internal audit staff.
In Saudi Arabia, the appointment of the CAE requires a no objection from the central bank, and in Indonesia, banks are required to report the appointment and dismissal of their CAE to bank supervisors.

3.2 Third parties

Employing third parties could help to enhance the quality of firms' independent assessments by providing an unbiased opinion of a firm's risk governance framework, as many internal audit functions are staffed with individuals whose experience may be limited to the practices employed by one or two firms. In addition, third parties often have a broader understanding of leading industry practices, especially in highly technical areas. Most jurisdictions allow the use of third parties to assess a firm's risk governance framework, and in China and the Netherlands, the external auditor also assesses the effectiveness of the internal audit function. Many jurisdictions appropriately stipulate through regulation or guidance that: (i) the use of a third party does not relieve the board or management of ultimate responsibility for ensuring the reliability of the independent assessments; and (ii) large and complex firms should not become overly reliant on third parties to provide expertise that should be developed within the firm's internal audit function. France specifically requires that outsourcing arrangements be engaged and overseen by internal audit to ensure independence, and that internal audit maintains accountability for the scope, coverage and frequency of work. Several jurisdictions, however, restrict the use of third parties.
For instance, in Italy, internal audit work can be outsourced only by small credit institutions with limited operational complexity. Meanwhile, in South Africa the central bank must approve any outsourcing activity, and in Korea, the use of third parties to assess a firm's risk governance framework is not regulated.

4. Supervisory approaches toward assessing risk governance frameworks

Supervisors play a crucial role in assessing the adequacy of a firm's risk governance framework and the practices employed by a firm to independently assess its framework. The supervisory expectations for risk governance practices outlined above are generally set out within the legal framework through a combination of legislation, regulation and supervisory guidance; however, the approach varies considerably across jurisdictions. Australia and Canada complement their standards with written guidance provided to the industry to assist with the implementation of prudential requirements and the adoption of good practices.

Supervisory approaches toward assessing implementation of regulatory or supervisory guidance encompass a variety of steps (e.g., on-site inspections, off-site reviews, horizontal reviews). Supervisory assessments generally occur at least once a year across the FSB membership, though in Argentina assessments take place every 18 months and the United Kingdom is moving from a bi-annual assessment toward a system of continuous supervision. Several jurisdictions take a risk-based approach to on-site examinations, focusing on riskier institutions. In the United States, national authorities have on-site teams with the expertise to assess the governance practices at the largest and most complex banks on a real time basis.
In China, joint regulatory meetings are held on a regular basis between the firm's head office, its branches, and the regulatory authority where the branches are located. Meetings with directors and senior management provide another avenue for national authorities to assess firms' risk governance practices. Annex H provides more information on the approaches taken to assessing firms' risk management frameworks.

Supervisors receive a wide range of risk reports or information from firms on their risk management practices, including from external auditors or other third parties, as well as supporting documentation requested during on-site inspections. Standardised financial and risk reporting is a common practice; however, the types of reports or information provided vary. For instance, in Argentina, new reporting requirements will request quantitative measures for risk governance, formal exposure limits for each of the significant risks, and stress test information; in Hong Kong and elsewhere, regular prudential reporting data and ad hoc requests for peer group analysis are utilised, e.g., stress test capital analysis and horizontal credit reviews of common (problem) loan accounts; and in Canada and Singapore, supervisory teams work with risk specialists to identify trends that can trigger additional investigations or reviews.

National authorities have access to a broad set of supervisory tools to incentivise firms to remediate deficiencies within their risk governance framework, depending on the severity of the deficiency. These tools include moral suasion, capital surcharges, restrictions on certain business activities, imposing fines and penalties, and the ultimate penalty of withdrawing bank licences. While a large number of supervisory authorities can use a number of these tools, a few have limited supervisory powers to scale the sanction based on the severity of the infraction, raising concerns over their ability to effectively intervene early where necessary when risks start to surface. Moreover, even though some national authorities have the authority to impose fines, this is difficult to implement in practice, for instance due to cumbersome processes or supervisors lacking the will to act.

III. Firms' risk governance practices

The financial crisis spurred fundamental changes in risk governance practices at financial institutions, and in many cases surveyed firms are ahead of regulatory and supervisory guidance. In general, surveyed firms that were most affected by the crisis have made the greatest advancements, perhaps necessitated by a need to re-gain market confidence. Firms that were less troubled by the crisis, however, have increased the intensity of the measures that they had in place pre-crisis. Some of the most obvious changes include:

- Consolidating and raising the profile of the risk management function across banking groups through the establishment of a group CRO, increasing the stature and authority of the CRO and increasing the CRO's involvement in relevant internal committees.
- Changing the reporting lines of the risk management function so that the CRO now reports directly to the CEO while also having a direct link to the risk committee.
- Intensifying the oversight of risk issues at the board through the creation of a stand-alone risk committee, supported by greater links with the risk management function and other risk-related board committees, particularly the audit and compensation committees.
- Cross-membership of the audit committee and risk committee is now quite common, with some firms involving (or at least inviting) the chair of the board, or even the full board, onto the risk committee.
- The time commitment of independent directors has increased considerably over the past several years.
- Upgrading the skills requirements of independent directors on the risk committee and expecting these members to commit more time to these endeavours.
- The composition of boards has changed considerably, with many non-executive directors now having financial industry experience; the dominance of members from industrial companies or major shareholders is much less than a decade ago.
- Changing the attitude toward the ownership of risk across the firm, with the business line now being much more accountable for the risks created by its activities than previously.

In addition to changing the composition and improving the strength of the board, there have been major developments in how firms analyse risks and in the associated tools utilised, such as RAFs, stress tests and reverse stress testing. One of the key lessons from the crisis was that reputational risk was severely underestimated; hence, there is more focus on business conduct and the suitability of products, e.g., the type of products sold and who they are sold to. As the crisis showed, consumer products such as residential mortgage loans could become a source of financial instability.

The next four sub-sections summarise the findings from the surveyed firms regarding the three key risk governance functions and provide a summary of the supervisory evaluations of firms' progress.
1. The board and its committees

The board is responsible for ensuring that the firm has an appropriate risk governance framework that is commensurate with the firm's strategy, complexity and size. The board's role and responsibilities for risk governance are generally defined in the board's charter and include approval of the firm's strategy and overseeing its implementation, setting out the guidelines and policies for risk management, and ensuring the firm's internal controls are robust. The board is also responsible for formulating the mandate and responsibilities of its committees, such as the risk and audit committees. For instance, audit committees should ensure business units have effective remediation plans to address any control weaknesses noted by internal audit. Some firms have developed a Corporate Governance Framework or Code where all rules regarding the roles, responsibilities and oversight functions of the board are assembled. Establishing an enterprise or firm-wide risk management framework can help to provide an overview of the risk policy architecture and process.

Having a stand-alone risk committee is a common practice even though it is not required by all national authorities. Firms generally ensure that the risk committee, which is responsible for overseeing senior management's implementation of the risk strategy, covers all the risks faced at the firm-wide level, including financial risks as well as operational, compliance, legal and regulatory risks. Regular meetings are held with senior management and the CRO to discuss the performance of the business unit and compliance with the RAS and risk limits.
Material risks are presented and discussed on both an aggregate basis and by type of risk. A few firms, however, noted the challenge of aggregating risks due to the complexity of the organisation, underscoring the importance of risk committees addressing information challenges arising from the complexity of large firms.

An effective governance structure has measures to prevent the concentration of power and responsibility, such as requiring a number of independent directors, representation of certain skills and qualifications on the board, and the board regularly evaluating its own effectiveness. It is common for boards to have independent directors; some firms establish minimum quantitative requirements, ranging from a minimum of one-third to three-quarters of the board. Most firms provide a definition of independence in the board's charter, which is embedded in the firm's governance framework. The risk committee often comprises only independent directors. There is a wide range of practice regarding the qualifications for members of the board and risk committee; one firm highlighted that the skills required by the board are evolving, in part reflecting the risks taken by the firm. Some firms perform a matrix analysis of the experience and expertise of each director to identify the skills needed from incoming directors. There is also a wide range of practice involving limitations linked to board structure, including: (i) the preclusion of the chair of the board from being chair of either the risk or audit committee; (ii) the separation of the roles of the CEO and chair of the board; and (iii) limited tenure on a committee.

Periodic reviews of the performance of the board and risk committee are a common practice. Reviews are conducted by the board nomination or governance committees or by the entire board. In some cases, external parties may be employed. Such reviews may include an assessment of the training and skills needed on the board. In some firms, the board considers the functioning of its overall committee structure, including the number and types of committees and the highest and best use of board members' expertise. They also evaluate the reporting by the committees to the full board.

The board and risk committee are able to receive information, both formally and informally, directly from the CRO or the risk management function. It is becoming a common practice for the CRO to report information directly to the board; the risk reports are usually standardised in terms of formality, frequency and content. Both the overall risk level of the firm and information for each risk type are included in the reporting template (e.g., a heat map of identified risk categories across regions and global businesses, and a report on the top and emerging risks faced by the firm). Some firms explicitly define and document the information that the board and risk committee shall receive, set the agenda at the beginning of the year, and circulate to members in advance of meetings the relevant material to support each agenda item. Some firms require internal audit, or a third party, to verify the accuracy, comprehensiveness and completeness of the information provided to the board and risk committee.
Other firms satisfy themselves through discussions with management or conduct self-assessments of the effectiveness of the information provided to the board.

2. The risk management function

Since the financial crisis, many firms have improved risk management. Some of the most obvious changes relate to the governance processes around the risk management function; there also have been major changes in how risks are analysed and communicated and in the associated tools that are utilised.

2.1 Governance of the risk management function

Since the financial crisis, many firms have strengthened how their risk management functions are structured, resourced and compensated, who the function is accountable to, and its overall mandate. In many ways, these changes are bringing the governance arrangements for the risk management function up to the standard that has typically applied to the internal audit function for several years. Firms are therefore encouraged to at least consider the validity of any remaining differences in the governance processes that surround the two functions. One of the most common improvements made by firms over the past five years has been to consolidate and raise the profile of the risk management function through the establishment of a group-wide CRO. The CRO and the risk management function generally have been given more stature, authority and independence compared to the pre-crisis period. Almost all firms reported that they now have a CRO with firm-wide responsibility for risk management who operates independently.
Assessment of the CRO's stature, authority and independence includes the process for the appointment, dismissal and performance evaluation of the CRO, as well as the staffing requirements of the risk management function more generally. Only a few firms noted that the chair of the risk committee is involved in the performance assessment of the CRO. Further, only a few firms link the adequacy and qualifications of the risk management staff to an annual process that takes into consideration the strategy of the firm going forward.

Most firms noted that the CRO has a direct reporting line to the CEO (versus another business unit), which represents a major improvement since the crisis. However, there are still examples cited at a small number of firms where the CRO does not have a direct reporting line to the CEO. A few firms require the CRO to have a direct reporting line to the board, which helps to boost the stature of the CRO. A large number of firms also noted that their CRO is able to access the board, generally through the risk committee, but it is unclear how this is done in practice.

Almost all firms operate with a CRO who is separate from revenue-generating responsibilities or other executive functions (that is, dual-hatting of the CRO's responsibilities is avoided). Such a structure is essential for the CRO's independence. This separation of responsibilities has been reinforced by many firms re-structuring their risk management functions under a group-wide CRO, with regional or business line CROs having a direct reporting line to the group CRO, rather than to the regional or business line heads as had occurred in the past.
To preserve the independence intended from such structures, dual-hatting of responsibilities should also be avoided for those senior positions in the risk management function that report to the group CRO, particularly at globally active, complex firms. At some firms, the CRO reports to the CFO or, in a few exceptional cases, one person assumes the responsibilities of both the CRO and CFO. In addition, there are instances at some firms where the CRO is assigned other functional, albeit non-revenue generating, responsibilities. Where this relates to the oversight of functions such as compliance and anti-money laundering, the concern is more about the risk of over-burdening the CRO, particularly in more complex, global institutions, than the potential for conflict of interest per se.

Indeed, much progress has been made toward elevating the stature and independence of the CRO. While the role of the CRO has broadened and includes involvement in a number of key processes and internal committees that require inputs from the risk management function, other important processes warrant greater participation of the CRO, such as:

Mergers and acquisitions. While the analysis of a proposed merger or acquisition would be submitted to the board or a committee for approval, the CRO generally takes part in the process as a member of the committee. Only a few firms require the CRO to prepare a formal risk opinion on planned mergers and acquisitions.

Strategic planning process. Traditionally, the CRO is responsible for the oversight of the existing risk profile of the firm and of those risks being taken on a day-to-day basis as a result of previous business decisions. However, as indicated above, the CRO should also become increasingly involved, in a more proactive manner, in the activities and plans that deal with prospective business risk, including those risks which may arise from the execution of the firm's strategic business plan. The CRO should be involved in this process, from a risk perspective, by interacting with senior management and the board, understanding strategic business plans, and formally opining on the prospective risk profile and whether or not the firm has the necessary resources and systems to accommodate the resulting exposures. If such resources are not available, then space in the strategic plan should be created to ensure proper risk controls.

Treasury function. Some firms have clearly defined the roles and responsibilities of the CRO regarding oversight of a firm's treasury function. However, there is a range of practice surrounding the organisational relationship between these two functions:
(i) The independent liquidity risk control function has responsibility for the management and control of liquidity risk and that function reports directly to the CRO;
(ii) The CRO participates as a voting member of the relevant management committee (typically the asset and liability management committee), with no specific role for the CRO defined; or
(iii) The CFO alone is responsible for the treasury function without any oversight from the CRO in the risk management process.

2.2 Risk management tools

Two key additions to risk management tools have
been (i) the development of RAFs and (ii) more robust and severe stress testing practices. Related to this, and given the underestimation of reputational risk pre-crisis, there now is much greater focus within many firms on business conduct and the suitability of products, e.g., the type of products sold and to whom they are sold.

The RAF is an increasingly important tool in centralising the focus on the firm's risk profile and providing a more integrated picture of the firm's risks. Firms indicated a good degree of understanding of the key elements, objectives and uses of RAFs, which are generally in line with recent studies such as the 2010 SSG report on developments in risk appetite frameworks and IT infrastructure.

Key features of a risk appetite framework (RAF)

RAFs help drive strategic decisions and right-size a firm's risk profile. RAFs establish an explicit, forward-looking view of a firm's desired risk profile in a variety of scenarios and set out a process for achieving that risk profile. RAFs include a risk appetite statement that establishes boundaries for the desired business focus and articulate the board's desired approach to a variety of businesses, risk areas, and in some cases, product types. The more developed RAFs are flexible and responsive to environmental changes; however, risk appetite is definitive and consistent enough to contain strategic drift. RAFs set expectations for business line strategy reviews and facilitate regular discussions about how to manage unexpected economic or market events in particular geographies or products.

Discussions with firms, however, reveal that there is significant variation in the perception of how much firms have progressed in the development, comprehensiveness and implementation of their RAFs. One of the key challenges is different interpretations of essential elements, including risk appetite, risk limits, and risk capacity.
Some firms were able to report significant progress and have had an RAF for several years (in some cases since before the crisis). These firms' RAFs were linked to the firm's strategy and integrated with most other relevant internal processes such as budgeting, compensation plans, mergers and acquisition evaluations, new product approval, and stress testing. These firms were able to report that the understanding of the RAF was widespread both across functional lines and within multiple layers of their firm. They were also able to identify clear examples of how they had used their RAF in strategic decision-making processes, such as decisions to actively reduce the complexity of their operations. That said, even at these firms, it was recognised that operationalising an effective RAF is a continual journey that needs to evolve with changes in internal processes and the external environment.

A number of firms reported that their implementation of an RAF was more recent and, while it had been linked to the firm's strategy and integrated with some of the key internal processes, further work is envisaged, such as: linking the RAF with all the relevant internal processes; ensuring that qualitative as well as quantitative metrics are appropriately included; and somewhat relatedly, broadening the RAF to cover those harder to quantify risks, such as operational, compliance and reputation risks.

For other firms, their RAFs are at an early stage of development. While they may have a high-level framework in place, numerous gaps exist. For example, the coverage may not extend to all relevant subsidiaries in the framework because the risk appetite is not clearly articulated at the business level nor integrated with all the relevant internal processes. Further, some RAFs are less developed in terms of including all the material risks the firm faces, particularly reputational and operational risks.

All firms surveyed considered risk limits to be the vehicle for operationalising the RAF at the business line level. The communication and escalation process for any breaches seemed to be very similar across the firms surveyed: the risk management function was responsible for monitoring risk limits, metrics, and breaches, and escalating any concerns; business units have to explain breaches to the risk management committee or board depending on the nature and size of the exposure; the authorisation of exceptions was defined top-down; and action plans were required. However, there were differences between firms in their approaches to departures from the RAF: some firms grant flexibility for a business line to depart from the RAF if the global risk appetite was not breached, whereas others give no flexibility for individual business lines to deviate from their business line risk limits.

Embedding the firm's agreed RAS into the firm's risk culture remains a challenge, but several approaches have been taken by firms. A number of firms have developed training programs and manuals (with one firm requiring relevant employees to certify every year that they have attended the training program and read the manual), but only a few firms reported that they have linked core risk objectives to staff performance management processes. Discussions with firms revealed that a key to creating incentives for a better risk culture in firms is to link risk objectives with either compensation or career advancement prospects.

Stress testing has become a common tool for firms.
The governance around group-wide stress testing typically involves firms developing their own historical and hypothetical scenarios, though national authorities can also set scenarios. The CRO and risk management function generally have a central role, acting as the owner of the process or participating in the committee leading the effort. The testing is conducted at least annually, and in many cases on a quarterly basis. Stress test results are usually presented to the risk committee and sometimes to the national supervisor. These processes appear to be furthest developed in AEs, and some also perform reverse stress testing and counterparty stress testing. In contrast, some firms in EMDEs have not performed stress testing on an integrated basis or are still in the process of implementing their stress testing processes. Most firms use the stress testing results for their budgeting, RAF and ICAAP processes and to set contingency plans against stressed conditions.

3. Independent assessment of firms' risk governance framework

3.1 Internal audit

Firms primarily rely on their internal audit functions to independently assess their risk governance frameworks. In almost all cases, internal audit assesses the framework through a series of individual assurance audits, combined with some project-specific and other ongoing audit work.
A few internal audit functions demonstrate the better practice of providing an overall opinion of the risk governance framework on an annual basis. In line with expectations established by national authorities, all of the firms' internal audit functions are organisationally separate from business lines and have unfettered access to the board. Almost every firm reported that they have made changes to strengthen their internal audit functions since 2008. Major changes include: appointing a CAE; establishing more attractive compensation plans and career paths for internal auditors; increasing both the number and skills of internal audit staff; expanding internal audit's role/responsibilities, including participating as an observer at risk management committees and decision-making processes; and enhancing business monitoring.

Internal audit's role and responsibilities are primarily established via an audit charter, with audit manuals detailing procedures for planning, executing, and reporting audits' work. At all surveyed firms, internal audit is responsible for assessing risk management or risk governance processes as well as internal controls. While national authorities' expectations vary, most internal audit functions also assess:
The appropriateness of assumptions used in scenario analysis and stress testing,
The degree to which the firm's risk governance is keeping pace with industry trends and aligns with best practices,
The quality and adequacy of resources within the risk management function,
The overall efficiency and integrity of risk management information systems, and
The effectiveness of the risk and issue escalation process.

Most firms indicated that internal audit plays a role in monitoring whether the business and risk management units are operating according to the RAF. However, some firms rely primarily on the independent risk management function for this assessment. Internal audit's role is generally to test that practices align with the processes and procedures established in the RAF, though a few firms expect internal audit to also opine on the appropriateness of the limits and other tolerances established in the RAF. Given that many RAFs are in the early stages of evolution, some firms noted that internal audit's role and responsibilities related to the RAF are still being defined and implemented.

Firms reported a wide range of practices with regard to the format and content of reporting to the board. At several firms, the CAE provides regular reports to the board or audit committee, summarising the results of internal audit's work, including overall conclusions or ratings, key findings, material risks/issues, and follow-up of management's resolution of identified issues. Meanwhile, some internal audit functions only provide the board or audit committee with a periodic synthesis of internal audit activity or a report on audit reports, which does not seem sufficient to ensure the board can carry out its responsibilities within the risk governance framework.

3.2 Third parties

Approximately half of the firms that participated in the
peer review indicated that they have used third parties to assess their firms' risk governance framework or components of the framework. The rest of the firms indicated that they used third parties to provide perspectives and benchmarks related to regulatory expectations and industry best practices associated with risk governance frameworks, or significant aspects of those frameworks, with this information being used to promote upgrades in firm practices. Such an approach was seen as helpful in meeting the continual challenge of developing and maintaining risk governance frameworks that keep abreast of changing legislative/regulatory environments along with an evolving economic and competitive landscape.

3.3 Escalation processes

All firms reported having internal policies, procedures, and/or processes to facilitate employees reporting concerns and issues within the firm. These are in addition to external complaint and whistle-blower processes established by supervisors. Some firms described having processes tailored to different types of issues (e.g., issues impacting financial results and related disclosures versus general issues related to risk and/or control breakdowns). For sensitive information, most firms have established an internal whistle-blowing hotline and offer employees anonymity and other protections from negative consequences to the extent possible under the relevant laws of the jurisdiction. For non-sensitive information, processes generally involve employees reporting to a direct supervisor or senior manager within the business unit and/or to an individual within an independent risk, compliance, and/or audit function or legal department.
3.4 Evaluation of the effectiveness of the independent assessment

While there is no common practice for comprehensively evaluating the effectiveness of the independent assessment of the risk governance framework, most firms have several processes in place for assessing the work of the internal audit function. Some of the key processes and/or criteria used include:
The number of internal audits that cover risk management topics during the course of an audit cycle,
The number and types of risk management issues identified by internal audit,
Results of internal audit's quality assurance activities,
Results of periodic internal audit self-assessments and/or assessments performed by external parties,
Quality of information provided to the audit committee, and
Compliance with the Institute of Internal Auditors (IIA) professional standards.

4. Supervisory evaluations of risk governance practices

The peer review asked supervisors of surveyed firms to evaluate firms' progress toward enhanced risk governance across seven broad areas. To help provide some consistency to this exercise, high-level evaluation criteria were developed (see Annex A) and the supervisory evaluations were reviewed for all surveyed firms; G-SIFIs; and by region. The criteria were developed by drawing from a compilation of relevant principles, recommendations and supervisory guidance, and are considered by the review team as the fundamental preconditions for effective risk governance frameworks.

In summary, surveyed firms have made the most progress in strengthening (ii) the role and responsibilities of the board, with nearly 80 percent of surveyed firms evaluated by national supervisors as meeting or exceeding all of the criteria. This is an area that warranted significant changes but is also viewed as comparatively easy to implement. More work, however, is needed by supervisors to assess the true effectiveness of the board's oversight of the firm. Further, despite significant improvements in (i) firms' approaches to risk governance and (vii) the independent assessment of the risk management function, significant gaps remain. Roughly 50 per cent of surveyed firms failed to meet all of the criteria in (iii) having defined responsibilities of the risk committee and (vi) the risk management function. These areas need much greater attention on the part of both supervisors and firms.
The supervisory evaluations indicate that, among the G-SIFIs surveyed, more progress has been made toward enhancing risk governance practices relative to other surveyed firms. One of the key hindrances to effective risk management at G-SIFIs has been weaknesses in firms' IT infrastructures and the inability to aggregate risk data efficiently. While progress is being made, some supervisors noted their firm could not complete the FSB Data Gaps common data template for G-SIFIs. This common data template aims to address key information gaps identified during the crisis and provide a strong framework for assessing potential systemic risks. However, G-SIFIs identified in November 2011 and November 2012 are expected to meet higher expectations for risk data aggregation capabilities and risk reporting beginning in January 2016.

By region, firms that reside in AEs have generally progressed further than those in EMDEs across all aspects of the areas evaluated, except for (iii) risk committee responsibilities (see Chart 5 below). This aligns with the finding that firms that were hardest hit during the financial crisis have made the most progress, as such firms largely reside in advanced economies. These firms experienced a significant turnover in senior management and directors, including more non-executive directors, but board oversight of risk through an established risk committee is weak across regions. For EMDEs, risk governance practices need to be significantly enhanced, in particular in the (vi) risk management function, as approximately 65 percent of surveyed firms do not meet all of the criteria. Other areas where more work is needed are their (i) approach to risk governance and (iv) governance of the board and risk committee, where more than 50 per cent of firms do not meet all of the evaluation criteria. These gaps need immediate attention.
IV. Conclusions and recommendations

Much progress has been made toward enhancing risk governance frameworks at surveyed firms since the crisis. Nonetheless, this progress has been uneven across the functions that collectively form the risk governance framework: the board, the firm-wide risk management function, and the independent assessment of risk governance. Specifically, firms have made most progress in defining the role and responsibilities of the board, but much more needs to be done to strengthen the role of the risk committee and the CRO and risk management function. Continued weaknesses in risk management will undermine the effectiveness of the changes made to board oversight of the firm's risk governance framework.
To ensure that progress continues toward achieving more effective risk governance frameworks, a more integrated and consistent approach across all aspects of the risk governance framework has to be developed. Such an approach will require a shift in attitude for both firms and supervisors, as this requires taking a holistic view of all aspects of the risk governance framework rather than looking at each facet in isolation. Drawing from the survey responses and discussions with risk committee directors and CROs, this report sets out a list of sound risk governance practices that should help supervisors to enhance their oversight of risk governance at financial institutions, in particular at SIFIs (see Section V). While none of the surveyed authorities and firms exhibited all of these sound practices, many firms' practices tended to be more advanced than the guidance provided by national authorities.

Recommendation 1: To ensure that firms' risk governance practices continue to improve, FSB member jurisdictions should strengthen their regulatory and supervisory guidance for financial institutions, in particular for SIFIs, and devote adequate resources (both in skills and quantity) to assess the effectiveness of risk governance frameworks. In particular, national authorities should take into consideration the set of sound risk governance practices identified during the peer review.

Recommendation 2: The relevant standard setting bodies (e.g., BCBS, IAIS, IOSCO, OECD) should review their principles, taking into consideration the sound practices for risk governance listed in Section V.

Recommendation 3: Risk culture plays a critical role in ensuring effective risk governance endures through changing environments. The FSB Supervisory Intensity and Effectiveness group has agreed to implement the recommendation from the 2012 FSB progress report on enhanced supervision to explore ways to formally assess risk culture, particularly at G-SIFIs.
This work should be completed by September 2013.

As the supervisory evaluations revealed, both national authorities and firms need to focus on strengthening firms' risk management functions. Effective risk governance is based on a well-designed and articulated firm-wide risk management framework, which reflects the firm's risk culture, enumerates the firm's risk profile, and ensures that the risk limits set out in the agreed RAS are not breached. The risk limits have to be properly defined and calibrated and align with compensation as well as escalation processes that enable appropriate action to be taken if the firm is operating outside its risk appetite and risk limits. Developing an effective RAF, however, remains a challenge for most firms; firms need to make further progress in linking their RAFs to business strategies so that RAFs become truly effective and operational tools.

Recommendation 4: To improve their ability to assess firms' progress toward more effective risk management, national authorities should provide guidance on the key elements that are incorporated in effective risk appetite frameworks. To enable firms to define frameworks with a minimum amount of comparability despite their firm-specific nature, a common nomenclature for terms used in risk appetite statements (e.g., risk appetite, risk capacity, risk limits) should be established. The FSB Supervisory Intensity and Effectiveness group, in collaboration with relevant standard setters, has agreed to finalise this work by the end of 2013.

Effective internal control systems are a key element of sound risk governance, and supervisory expectations for the independent assessment of internal control systems by internal audit were well established prior to the crisis. This
includes guidance issued by the BCBS as early as 1998[49] and by a longer history of regulatory requirements for publicly-traded financial institutions, including permanent audit committees and independent CAEs. Since the crisis, many supervisors have appropriately elevated their expectations of internal audit functions to include more qualitative assessments of policies, procedures, risk limits and risk exposures. As such, this is an area that demonstrated relatively sound practices across the FSB membership for both national authorities and financial institutions. Nearly all firms have an independent CAE who reports administratively to the CEO or audit committee chair and who directly reports audit findings to a permanent audit committee. Despite the wide range of sound practices, there is still room for improving the CAE's access to directors beyond those on the audit committee. Regulators also need to elevate and convey expectations for internal audit, and/or a third party, to periodically provide a firm-wide assessment of risk management or risk governanc