1 / 211

Global Risk and Compliance Insights: Weekly Highlights from the IARCP

Stay informed with the International Association of Risk and Compliance Professionals (IARCP) as we highlight the top 10 risk and compliance management stories influencing global agendas this week. Discover crucial updates on the PCAOB's role in U.S. capital market protection, insights into China’s regulatory actions, and the importance of stress testing in financial stability. Join us as we analyze trends, share key findings from influential reports, and prepare for what lies ahead in the dynamic realm of risk management and compliance.

elaine
Télécharger la présentation

Global Risk and Compliance Insights: Weekly Highlights from the IARCP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. P age |1 InternationalAssociationofRiskandCompliance Professionals(IARCP) 1200GStreetNWSuite800Washington, DC20005-6705USATel:202-449-9750www.risk-compliance-association.com Top10riskandcompliancemanagementrelatednewsstoriesandworldeventsthat(forbetterorforworse)shapedthe week'sagenda,andwhatisnext DearMember, Itwas2a.m.andIwasreadytosleep,butIalsowantedtocheckmyemailsanothertime. Yes,Ihavereadthefamousbook“The4-HourWorkweek”byTimothyFerriss,butIdisagreewith him,soIhavedecidedtodotheopposite:Tocheckemailsmore frequently.SorryTim. Oneofthefirstemailswasanimportantone:RedAlert,ChinaoccupiesthePublicCompanyAccountingOversightBoard. Therewasevenapicture! InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  2. P age |2 What? IknowthatChinaimplementsaChineseSarbanes-Oxley…butwhatisthatnow? IreadinthepicturethatPCAOB主席JamesR.Doty说:“这份协议是 在跨境执法合作中迈出的重要一步,它也是保护美国资本市场投资者 利益必要的一步。” What?IsJamesR.Dotywell? Fortunately,Jamesisverywell.Therewasnoredalert.Oneofmyfriends,John,andattorney,sentmethisemail. Readmoreabout说:这份协议是在跨境执法合作中迈出的重要一步, 它也是保护美国资本市场投资者利益必要的一步atnumber7ofourlistbelow. Thefollowingmorning,Ireceivedanotheremail. Title:“Forecastingistheartofsayingwhatwillhappen,andthenexplainingwhyitdidn't” Message:Ihateyou.Ourbossisfollowingyourstresstestingrecommendations.LaoTzuhassaidthatthosewhohaveknowledgedon'tpredict.Thosewhopredict,don'thaveknowledge. Signature:Terminator Terminator? ArnoldSchwarzenegger,didyousendthisemail? Who?LaoTzu?TheChineseagain?Ireplied! “DearArnold(orotherTerminator), InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  3. P age |3 Itisnotme!ItisBaseliiithatasksforaforward-lookingperspective!Baseliiirequiresstresstesting.And,wehaveacrystalballinriskmanagement:TherecommendationsoftheFinancialStabilityBoard(FSB).” Therecommendations… Whoreadstheserecommendations?Soimportant...IhaveledsomeclassessinceJanuary,nobodyreadsFSB. TheylaughwhenIsayreadFSBeverymorning,beforereadingFTorWSJ! ItistimetoreadtherecommendationsoftheFSBcarefully.Itisabout theboard,seniormanagement,riskofficers,complianceofficers,internalandexternalauditors. ThisisourNumber1.Thesepagesaresoimportant. WelcometotheTop10list. BestRegards, GeorgeLekatisPresidentoftheIARCP GeneralManager,ComplianceLLC 1200GStreetNWSuite800, WashingtonDC20005,USATel:(202)449-9750 Email:lekatis@risk-compliance-association.com Web:www.risk-compliance-association.comHQ:1220N.MarketStreetSuite804,WilmingtonDE19801,USA Tel:(302)342-8828 InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  4. P age |4 ThematicReviewonRiskGovernancePeerReviewReport FinancialStabilityBoard(FSB)memberjurisdictionshavecommitted,undertheFSBCharterandintheFSBFrameworkforStrengthening AdherencetoInternationalStandards,toundergoperiodicpeerreviews. Tofulfilthisresponsibility,theFSBhasestablishedaregularprogrammeofcountryandthematicpeerreviewsofitsmemberjurisdictions. ThematicreviewsfocusontheimplementationandeffectivenessacrosstheFSBmembershipofinternationalfinancialstandardsdevelopedbystandard-settingbodiesandpoliciesagreedwithintheFSBinaparticularareaimportantforglobalfinancialstability. KeynoteLuncheonSpeech ByCommissionerElisseB.Walter U.S.SecuritiesandExchangeCommission 32ndAnnualSECandFinancialReportingInstituteConference,Pasadena,CA BackgroundonthePCAOB StevenB.Harris,BoardMember KennesawStateGraduateStudentMeetingWashington,DC InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  5. P age |5 FinancialConglomeratesDirectiveTechnicalReview ThisPrudentialRegulationAuthority(PRA)policystatementpublishesthefinalrulesimplementingtheFinancialConglomerates DirectiveTechnicalReview(2011/89/EC)(FICOD1)whichamendstheFinancialConglomeratesDirective(2002/87/EC)andcertainother Directivesinsofarastheyapplytofinancialconglomerates. CommitteeontheGlobalFinancialSystemCGFSPapersNo49 Assetencumbrance,financialreformandthedemandforcollateralassets ReportsubmittedbyaWorkingGroupestablishedbytheCommitteeontheGlobalFinancialSystem TheGroupwaschairedbyAerdtHouben,NetherlandsBank Giventhatthedemandforcollateralassetsisincreasing,theCommitteeontheGlobalFinancialSystem(CGFS)inMay2012establishedaWorkingGroup(chairedbyAerdtHouben,NetherlandsBank)toexploretheimplicationsofthistrendformarketsandpolicy. ThisreportpresentstheGroup’sfindingsfromasystem-wideperspectiveanddrawsbroadconclusionsforpolicymakers. Thereportpresentsevidenceofincreasedreliancebybanksoncollateralisedfundingmarketsinrecentyearsforsomeregions,withtheincreasebeingmostpronouncedinEurope. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  6. P age |6 PeerReviewofSwitzerland ReviewReport FSBcountrypeerreviews TheFSBhasestablishedaregularprogrammeofcountrypeerreviewsofitsmemberjurisdictions. TheobjectiveofthereviewsistoexaminethestepstakenorplannedbynationalauthoritiestoaddressInternationalMonetaryFund(IMF)-WorldBankFSAPrecommendationsconcerningfinancialregulationandsupervisionaswellasinstitutionalandmarketinfrastructure. PCAOBEntersintoEnforcementCooperationAgreementwithChineseRegulators ThePublicCompanyAccountingOversightBoardannouncedthatithasenteredintoaMemorandumofUnderstanding(MOU)onEnforcementCooperationwiththeChinaSecuritiesRegulatoryCommission(CSRC)andtheMinistryofFinance(MOF). TheMOUestablishesacooperativeframeworkbetweenthepartiesfortheproductionandexchangeofauditdocumentsrelevanttoinvestigationsinbothcountries’respectivejurisdictions. Morespecifically,itprovidesamechanismforthepartiestorequestandreceivefromeachotherassistanceinobtainingdocumentsandinformationinfurtheranceoftheirinvestigativeduties. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  7. P age |7 Islamiccommerceandfinance OpeningremarksbyDrMichaelGondwe,GovernoroftheBankofZambia,attheworkshopon“Islamiccommerceandfinance”,Lusaka. Threequestionsonthenatureandmanagementofrisk KeynotespeechbyMrNormanTLChan,ChiefExecutiveoftheHongKongMonetaryAuthority,at theHongKongMonetaryAuthority-GlobalAssociationofRisk Professionals(GARP)GlobalRiskForumOpeningDinner,HongKong. InvestorProtectionThroughEconomicAnalysis ByCraigM.Lewis,ChiefEconomistandDirector DivisionofRisk,Strategy,andFinancialInnovation,U.S.SecuritiesandExchangeCommission SpeechatthePennsylvaniaAssociationofPublicEmployeeRetirementSystemsAnnualSpringForumHarrisburg,PA InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  8. P age |8 ThematicReviewonRiskGovernance PeerReviewReportForeword FinancialStabilityBoard(FSB)memberjurisdictionshavecommitted,undertheFSBCharterandintheFSBFrameworkforStrengthening AdherencetoInternationalStandards,toundergoperiodicpeerreviews. Tofulfilthisresponsibility,theFSBhasestablishedaregularprogrammeofcountryandthematicpeerreviewsofitsmemberjurisdictions. ThematicreviewsfocusontheimplementationandeffectivenessacrosstheFSBmembershipofinternationalfinancialstandardsdevelopedbystandard-settingbodiesandpoliciesagreedwithintheFSBinaparticularareaimportantforglobalfinancialstability. Thematicreviewsmayalsoanalyseotherareasimportantforglobalfinancialstabilitywhereinternationalstandardsorpoliciesdonotyetexist. Theobjectivesofthereviewsaretoencourageconsistentcross-countryandcross-sectorimplementation;toevaluate(wherepossible)theextent towhichstandardsandpolicieshavehadtheirintendedresults;andtoidentifygapsandweaknessesinreviewedareasandtomakerecommendationsforpotentialfollow-up(includingviathedevelopmentofnewstandards)byFSBmembers. Thisreportdescribesthefindingsofthethematicpeerreviewonriskgovernance,includingthekeyelementsofthediscussionintheFSBStandingCommitteeonStandardsImplementation(SCSI). InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  9. P age |9 ThedraftreportfordiscussionwaspreparedbyateamchairedbySweeLianTeo(MonetaryAuthorityofSingapore),comprisingTedPrice(CanadaOfficeoftheSuperintendentofFinancialInstitutions),XiangQi(ChinaBankingRegulatoryCommission),JérômeLachand(FranceAutoritédeContrôlePrudentiel),SofiaNikopoulos(GermanBaFin),AdrianaElizondo(MexicoNationalBankingandSecuritiesCommission),FranciscoGil(BankofSpain),MikeBrosnan(UnitedStatesOfficeoftheComptrolleroftheCurrency),Xavier-YvesZanota(memberoftheBaselCommitteeonBankingSupervisionSecretariat), MatsIsaksson(OrganisationforEconomicCo-operationandDevelopment),andLauraArd(WorldBank). MerylinCoombsandGraceSone(FSBSecretariat)providedsupporttotheteamandcontributedtothepreparationofthepeerreviewreport. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  10. P age |10 Executivesummary Therecentglobalfinancialcrisisexposedanumberofgovernanceweaknessesthatresultedinfirms’failuretounderstandtheriskstheyweretaking. Inthewakeofthecrisis,numerousreportspaintedafairlybleakpictureofriskgovernanceframeworksatfinancialinstitutions,whichconsistsofthethreekeyfunctions: Theboard,thefirm-wideriskmanagementfunction,andtheindependentassessmentofriskgovernance. Thecrisishighlightedthatmanyboardshaddirectorswithlittlefinancialindustryexperienceandlimitedunderstandingoftherapidlyincreasingcomplexityoftheinstitutionstheywereleading. Toooften,directorswereunabletodedicatesufficienttimetounderstandthefirm’sbusinessmodelandtoodeferentialtoseniormanagement. Inaddition,manyboardsdidnotpaysufficientattentiontoriskmanagementorsetupeffectivestructures,suchasadedicatedriskcommittee,tofacilitatemeaningfulanalysisofthefirm’sriskexposuresandtoconstructivelychallengemanagement’sproposalsanddecisions. Theriskcommitteesthatdidexistwereoftenstaffedbydirectorsshorton bothexperienceandindependencefrommanagement. Theinformationprovidedtotheboardwasvoluminousandnoteasilyunderstoodwhichhamperedtheabilityofdirectorstofulfiltheirresponsibilities. Moreover,mostfirmslackedaformalprocesstoindependentlyassesstheproprietyoftheirriskgovernanceframeworks. Withouttheappropriatechecksandbalancesprovidedbytheboard,theriskmanagementfunction,andindependentassessmentfunctions,a InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  11. P age |11 cultureofexcessiverisk-takingandleveragewasallowedtopermeateintheseweaklygovernedfirms. Further,withtheriskmanagementfunctionlackingtheauthority,statureandindependencetoreininthefirm’srisk-taking,theabilitytoaddressanyweaknessesinriskgovernanceidentifiedbyinternalcontrolassessmentandtestingprocesseswasobstructed. Thepeerreviewfoundthat,sincethecrisis,nationalauthoritieshavetakenseveralmeasurestoimproveregulatoryandsupervisoryoversightofriskgovernanceatfinancialinstitutions. Thesemeasuresincludedevelopingorstrengtheningexistingregulationorguidance,raisingsupervisoryexpectationsfortheriskmanagementfunction,engagingmorefrequentlywiththeboardandmanagement,andassessingtheaccuracyandusefulnessoftheinformationprovidedtotheboardtoenableeffectivedischargeoftheirresponsibilities. Nonetheless,moreworkremains;nationalauthoritiesneedtostrengthentheirabilitytoassesstheeffectivenessofafirm’sriskgovernance,andmorespecificallyitsriskculturetohelpensuresoundriskgovernancethroughchangingenvironments. Supervisorswillneedtoundergoasubstantialchangeinapproachsinceassessingriskgovernanceframeworksentailsforminganintegratedviewacrossallaspectsoftheframework. Thepeerreviewalsoaskedsupervisorstoevaluateprogressmadebytheirsurveyedfirm(s)towardenhancedriskgovernanceinsevenareas. Toprovidesomeconsistencytothisexercise,thereviewteamdevelopedhigh-levelcriteriatoassistsupervisoryevaluationsoffirms’progress,drawingfromacompilationofrelevantprinciples,recommendationsandsupervisoryguidance. Thehigh-levelcriteriawereviewedasfundamentalprerequisitesforriskgovernanceframeworks. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  12. P age |12 • Thisevaluationfoundthatmanyofthebestriskgovernancepracticesatsurveyedfirmsarenowmoreadvancedthannationalguidance. • Thisoutcomemayhavebeenmotivatedbyfirms’needtoregainmarketconfidenceratherthanregulatoryrequirements. • Firmshavemadeparticularprogressin: • assessingthecollectiveskillsandqualificationsoftheboardaswellastheboard’seffectivenesseitherthroughself-evaluationsorthroughtheuseofthirdparties; • institutingastand-aloneriskcommitteethatiscomposedonlyofindependentdirectorsandhavingacleardefinitionofindependence; • establishingagroup-widechiefriskofficer(CRO)andriskmanagementfunctionthatisindependentfromrevenue-generatingresponsibilitiesandhasthestature,authorityandindependencetochallengedecisionsonriskmadebymanagementandbusinesslines;and • integratingthediscussionsamongtheriskandauditcommittees • throughjointmeetingsorcross-membership. • Althoughmanysurveyedfirmshavemadeprogressinthelastfewyears,significantgapsremain,relativetothecriteriadeveloped,particularlyinriskmanagement. • Therewerealsodifferencesinprogressacrossregionswithfirmsinadvancedeconomieshavingadoptedmoreofthedesirableriskgovernancepractices. • Theresultsofthesupervisoryevaluationsweregroupedby: • allsurveyedfirms; • firmsidentifiedbytheFSBandBaselCommitteeonBankingSupervision(BCBS)asglobalsystemicallyimportantfinancialinstitutions,orG-SIFIs;and InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  13. P age |13 • (iii)firmsthatresideinadvancedeconomies(AEs)oremergingmarket anddevelopingeconomies(EMDEs). • Insummary,acrossthesevenareasevaluated,firmshavemadethemostprogressindefiningtheboard’sroleandresponsibilities,andreasonableprogressintheirapproachtoriskgovernanceandtheindependentassessmentofriskgovernance. • Thesupervisoryevaluations,however,indicatethatsurveyedfirmsshouldcontinuetoworktowarddefiningtheresponsibilitiesoftheriskcommitteeandstrengtheningtheirriskmanagementfunctionsasnearly 50percentofsurveyedfirmsdidnotmeetalloftheevaluationcriteriain theseareas. • Bytypeofinstitution,surveyedG-SIFIsaremoreadvancedthanotherfinancialinstitutionsindefiningtheresponsibilitiesoftheboardandriskcommittee,conductingindependentassessmentsofriskgovernance,providingrelevantinformationtotheboardandriskcommittee,andtosomeextentmoreadvancedintheriskmanagementfunction. • Theseresultssupportthefindingthatthefirmsintheregionshardesthitbythefinancialcrisishavemadethemostprogress. • Meanwhile,supervisoryevaluationsoffirmsthatresideinEMDEsshowthatnearly65percentdidnotmeetallofthecriteriafortheriskmanagementfunction. • Thesegapsneedimmediateattentionbybothsupervisorsandfirms. • Othersignificantfindingscomingoutofthereviewincludethefollowing: • Nationalauthoritiesdonotengageonasufficientlyregularandfrequentbasiswiththeboard,riskcommitteeandauditcommittee. • Severaljurisdictionsholdsuchmeetingsonlyonceayearoronanas-neededbasis. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  14. P age |14 • GoodprogresshasbeenmadetowardelevatingtheCRO’sstature,authority,andindependence. • Inmanyfirms,theCROhasadirectreportinglinetothechiefexecutiveofficer(CEO)andarolethatisdistinctfromotherexecutivefunctionsandbusinesslineresponsibilities(e.g.,no“dual-hatting”). • Thiselevation,however,needstobesupportedbytheinvolvementoftheriskcommitteeinreviewingtheperformanceandsettingtheobjectivesoftheCRO,ensuringthattheCROhasaccesstotheboardandriskcommitteewithoutimpediment(includingreportingdirectlytotheboard/riskcommittee),andfacilitatingperiodicmeetingswithdirectorswithoutthepresenceofexecutivedirectorsorothermanagement. • Moreworkisneededonthepartofbothnationalauthoritiesandfirmsonestablishinganeffectiveriskappetiteframework(RAF). • Assessingafirm’sRAFisachallengingtaskthatrequiresgreaterclarityandanelevatedlevelofconsistencyamongnationalauthorities. • Supervisoryexpectationsfortheindependentassessmentofinternalcontrolsystemsbyinternalauditorotherindependentfunctionwerewell-establishedpriortothecrisis. • Assuch,thisisanareathatdemonstratedrelativelysoundpracticesacrosstheFSBmembershipatbothnationalauthoritiesandfirms. • However,nojurisdictionhadspecificexpectationsforinternalaudittoperiodicallyprovideafirm-wideassessmentofriskmanagementorriskgovernanceprocesses. • Nearlyallfirmshaveanindependentchiefauditexecutive(CAE)whoreportsadministrativelytotheCEOandtheauditcommitteechairandwhodirectlyreportsauditfindingstoapermanentauditcommittee. • However,thereisstillroomforimprovingtheCAE’saccesstodirectorsbeyondthoseontheauditcommittee. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  15. P age |15 Drawingfromthefindingsofthereview,includingdiscussionswithindustryorganisationsaswellasriskcommitteedirectorsandCROsofseveralfirmsthatparticipatedinthereview,thereportidentifiessomeofthebetterpracticesexemplifiedbynationalauthoritiesandfirmstocollectivelyformalistofsoundriskgovernancepractices. Italsodrawsonsomeoftherelevantprinciplesandrecommendationsforriskgovernancepublishedbyotherorganisationsandstandardsettingbodies. Noonesingleauthorityorfirm,however,demonstratedallofthesesound practices. Thisintegratedandcoherentlistofsoundpracticesaimstohelpnational authoritiestakeamoreholisticapproachtoriskgovernance,ratherthanlookingateachfacetinisolation,andmayprovideabasisfor considerationbyauthoritiesandstandardsettingbodiesastheyreviewtheirguidanceandstandardsforstrengtheningriskgovernancepractices. Thereviewsetsoutseveralrecommendationstoensuretheeffectivenessofriskgovernanceframeworkscontinuetoimprovebytargetingareaswheremoresubstantialworkisneeded. Whilethereviewfocusedonbanksandbroker-dealersthataresystemicallyimportant,theserecommendationsapplytoothertypesoffinancialinstitutions,includinginsurersandfinancialconglomerates. Recommendations: 1.Toensurethatfirms’riskgovernancepracticescontinuetoimprove,FSBmemberjurisdictionsshouldstrengthentheirregulatoryandsupervisoryguidanceforfinancialinstitutions,inparticularforSIFIs,and devoteadequateresources(bothinskillsandquantity)toassesstheeffectivenessofriskgovernanceframeworks. Inparticular,nationalauthoritiesshouldconsiderthefollowingsoundriskgovernancepractices: InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  16. P age |16 Setrequirementsontheindependenceandcompositionofboards,includingrequirementsonrelevanttypesofskillsthattheboard,collectively,shouldhave(e.g.,riskmanagement,financialindustryexpertise)aswellasthetimecommitmentexpected. Holdtheboardaccountableforitsoversightofthefirm’sriskgovernanceandassessifthelevelandtypesofriskinformationprovidedtotheboardenableeffectivedischargeofboardresponsibilities. Boardsshouldsatisfythemselvesthattheinformationtheyreceivefrommanagementandthecontrolfunctionsiscomprehensive,accurate,completeandtimelytoenableeffectivedecision-makingonthefirm’sstrategy,riskprofileandemergingrisks. Thisincludesestablishingcommunicationproceduresbetweentheriskcommitteeandtheboardandacrossotherboardcommittees,mostimportantlytheauditandfinancecommittees. SetrequirementstoelevatetheCRO’sstature,authority,andindependenceinthefirm. ThisincludesrequiringtheriskcommitteetoreviewtheperformanceandobjectivesoftheCRO,ensuringtheCROhasunfetteredaccesstotheboardandriskcommittee(includingadirectreportinglinetotheboardand/orriskcommittee),andexpectingtheCROtomeetperiodicallywithdirectorswithoutexecutivedirectorsandmanagementpresent. TheCROshouldhaveadirectreportinglinetotheCEOandadistinct rolefromotherexecutivefunctionsandbusinesslineresponsibilities(e.g.,no“dual-hatting”). Further,theCROshouldbeinvolvedinactivitiesanddecisions(fromariskperspective)thatmayaffectthefirm’sprospectiveriskprofile(e.g.,strategicbusinessplans,newproducts,mergersandacquisitions,internalcapitaladequacyassessmentprocess,orICAAP). InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  17. P age |17 Requiretheboard(orauditcommittee)toobtainanindependentassessmentofthedesignandeffectivenessoftheriskgovernanceframeworkonanannualbasis. Engagemorefrequentlywiththeboard,riskcommittee,auditcommittee,CEO,CRO,andotherrelevantfunctions,suchastheCFO,toassessthefirm’sriskculture(e.g.,the“toneatthetop”),whetherdirectorsprovideeffectivechallengetomanagement’sproposalsanddecisions,andwhethertheriskmanagementfunctionhastheappropriateauthoritytoinfluencedecisionsthataffectthefirm’sriskexposures. Therelevantstandardsettingbodies(e.g.,BCBS,IAIS,IOSCO,OECD)shouldreviewtheirprinciplesforgovernance,takingintoconsiderationthesoundriskgovernancepracticeslistedinSectionV. Riskcultureplaysacriticalroleinensuringeffectiveriskgovernanceenduresthroughchangingenvironments. TheFSBSupervisoryIntensityandEffectivenessgrouphasagreedtoimplementtherecommendationfromthe2012FSBprogressreportonenhancedsupervisiontoexplorewaystoformallyassessriskculture,particularlyatG-SIFIs. ThisworkshouldbecompletedbySeptember2013. Toimprovetheirabilitytoassessfirms’progresstowardmoreeffectiveriskmanagement,nationalauthoritiesshouldprovideguidanceonthekeyelementsthatareincorporatedineffectiveriskappetiteframeworks. Toenablefirmstodefineframeworkswithaminimumamountofcomparabilitydespitetheirfirm-specificnature,acommonnomenclaturefortermsusedinriskappetitestatements(e.g.,“riskappetite”,“riskcapacity”,“risklimits”)shouldbeestablished. TheFSBSupervisoryIntensityandEffectivenessgroup,incollaborationwithrelevantstandardsetters,hasagreedtofinalisethisworkbytheendof2013. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  18. P age |18 • TheFSBshouldconsiderlaunchingafollow-upreviewonriskgovernanceafter2016(i.e.,aftertheG-SIFIpolicymeasuresbegintobephasedin),toassessnationalauthorities’implementationoftherecommendationstostrengthentheirsupervisoryguidanceandoversightofriskgovernance. • ThereviewalsoshouldincludetheG-SIFIsidentifiedin2014bytheFSBincollaborationwiththeBCBSandIAIS. • Introduction • IncreasingtheintensityandeffectivenessofsupervisiontoreducethemoralhazardposedbySIFIsisakeycomponentoftheFSB’spolicymeasures,endorsedbyG20Leaders. • Sincetheonsetoftheglobalcrisis,supervisorshaveintensifiedtheiroversightoffinancialinstitutions,particularlySIFIs,soastoreducetheprobabilityoftheirfailure. • Specifically,supervisoryexpectationsofriskmanagementfunctionsandoverallriskgovernanceframeworkshaveincreased,asthiswasanareathatexhibitedsignificantweaknessesinmanyfinancialinstitutionsduringtheglobalfinancialcrisis. • Whilesupervisorsareresponsibleforassessingwhetherafirm’sriskgovernanceframeworkandprocessesareadequate,appropriateandeffectiveformanagingthefirm’sriskprofile,thefirm’smanagementisresponsibleforidentifyingandmanagingthefirm’srisk. • InOctober2011,theFSBagreedtoconductathematicpeerreviewonriskgovernancetoassessprogresstowardenhancingpracticesatnational authoritiesandfirms(banksandbroker-dealers). • Forpurposesofthisreview,riskgovernancecollectivelyreferstotheroleandresponsibilitiesoftheboard,thefirm-wideCROandriskmanagementfunction,andtheindependentassessmentoftheriskgovernanceframework(seeChart2). InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  19. P age |19 • Boardresponsibilitiesandpractices:Theboardisresponsibleforensuringthatthefirmhasanappropriateriskgovernanceframeworkgiventhefirm’sbusinessmodel,complexityandsizewhichisembeddedintothefirm’sriskculture. • Howboardsassumesuchresponsibilitiesvariesacrossjurisdictions. • Firm-wideriskmanagementfunction:TheCROandriskmanagementfunctionareresponsibleforthefirm’sriskmanagementacrosstheentireorganisation,ensuringthatthefirm’sriskprofileremainswithintheriskappetitestatement(RAS)asapprovedbytheboard. • Theriskmanagementfunctionisresponsibleforidentifying,measuring,monitoring,andrecommendingstrategiestocontrolormitigaterisks,andreportingonriskexposuresonanaggregatedanddisaggregated basis. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  20. P age |20 • Independentassessmentoftheriskgovernanceframework:Theindependentassessmentofthefirm’sriskgovernanceframeworkplaysacrucialroleintheongoingmaintenanceofafirm’sinternalcontrols,riskmanagementandriskgovernance. • Ithelpsafirmaccomplishitsobjectivesbybringingadisciplinedapproachtoevaluateandimprovetheeffectivenessofriskmanagement,controlandgovernanceprocesses. • Thismayinvolveinternalparties,suchasinternalaudit,orexternalresourcessuchasthird-partyreviewers(e.g.,auditfirms,consultants). • Thepeerreviewdidnotfocusonotherrelevantdimensionsofriskgovernance,suchasriskdisclosuresandfirm-widecompensation practices(sincetheseareashavebeencoveredbypreviousFSBpeerreviews)orriskdataaggregationcapabilitiesatbanks(sincethistopicisbeingcoveredbyataskforceoftheBCBS. • Separately,theInternationalAssociationofInsuranceSupervisors(IAIS)launchedapeerreviewattheendof2012againstitsCorePrinciplesongovernanceandriskmanagementandinternalcontrols. • Thereiscurrentlynosinglesetofprinciplesandstandardsthatcomprehensivelyaddressesandintegratesriskgovernancerequirements;however,anumberofdifferentstandardsandrecommendationsongoodgovernanceframeworksarerelevant. • Thereviewthereforedidnotassesscompliancewithanyspecificstandard,butusedacompilationofexistingstandardsandrecommendations(asappropriate)totakestockofriskgovernancepracticesatbothnationalauthoritiesandfirms,andtoidentifyanygapstherein. • Supervisorswereaskedtoevaluatefirms’progressandthereviewteamdevelopedhigh-levelcriteriatoprovidesomeconsistencytothisexercise. • ThefindingsofthereviewwerebasedontheresponsestoquestionnairesfromFSBmemberjurisdictions11andfromthe36banksand InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  21. P age |21 broker-dealersthatFSBmembersdeemedassignificantforthepurposeofthereview. SectionIItakesstockofnationalauthorities’initiativestostrengthenoversightoffirms’riskgovernanceframeworksanddescribestherangeofsupervisorypracticesinfourbroadareas: Theboardanditscommittees; Thefirm-wideriskmanagementfunction,includingtheCRO; Theindependentassessmentofthefirm-wideriskmanagementframeworkbyinternalauditand/orthirdparties;and Thesupervisoryassessmentofriskgovernanceframeworks. SectionIIIexaminesriskgovernancepracticesatsurveyedfirmsandthechangesmadesincethefinancialcrisis. Inadditiontotheresponsestothequestionnaire,thefindingsdrawontheoutcomesofdiscussionswithindustryorganisationsaswellasriskcommitteedirectorsandCROsofseveralfirmsthatparticipatedinthereview. Nationalsupervisorswereaskedtoassessfirms’progresstowardenhancingkeyriskgovernancefunctions,aswellastheaccuracyandcompletenessoftheresponsesprovidedbyfirmsheadquarteredintheirjurisdiction. SectionIVsetsouttheconclusionsandrecommendationsdrawnfromthefindingsofthereview,whichisfollowedbyalistofsoundriskgovernancepracticesthatencompassanoverlayofsupervisoryexpectationsforsound practicesatfirms. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  22. P age |22 • II.Nationalauthorities’oversightofriskgovernancepractices • Sincethefinancialcrisis,nationalauthoritieshaveincreasedtheirsupervisoryfocusonriskgovernance,whichisacriticalelementforpromotingamoreresilientfinancialsystem. • Underpinningtherangeofreformsistheissuancein2010oftheBCBSPrinciplesforEnhancingCorporateGovernanceandtheOECDpublicationonCorporateGovernanceandtheFinancialCrisis–ConclusionsandEmergingGoodPractices. • Someofthenotablechangesembeddedinregulatoryandsupervisoryguidanceinclude: • introducingexplicitrequirementsfortheestablishmentofariskcommittee; • conveyingexpectationstostrengthentheriskmanagementfunction, • includingthestatureandqualificationsoftheCRO; • introducingadditionalrequirementsforriskgovernanceatSIFIs; • enhancingthemandateandresourcesofsupervisoryauthoritiesinrelationtoriskgovernanceoversight; • increasingtheintensityofengagementbetweenthesupervisorandtheboardandseniormanagementonriskgovernanceissues;and • adjustingthesupervisoryriskassessmentprocess,particularlyincreasingthefocusonriskgovernanceacrossdifferentbusinessmodels. • AnnexCprovidesmoredetailsontheinitiativesFSBmembershavetakentostrengthenoversightofriskgovernancepractices,includingimplementationofotherrelevantprinciplessuchastheFSBprinciplesforsoundcompensationpracticesandrecommendationsputforwardinthe 2009reportbytheSeniorSupervisorGroup(SSG)onriskmanagementpracticesduringthefinancialcrisis. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  23. P age |23 • Whilesupervisoryguidancehasimproved,progresshasbeenunevenacrossthefunctionsthatcollectivelyformtheriskgovernanceframework. • Basedonthefindingsfromthereview,someareaswheremoresupervisoryrequirementsand/orguidancewouldbeusefulinclude: • Acleardefinitionofindependencewhichisseparatefromnon-executivedirector; • Theestablishmentofastand-aloneriskcommitteethatiscomposedofindependentdirectors; • Thelevelandtypesofriskinformationfirmsshouldprovideaswellasthefrequencyofriskreporting; • Thekeyfeaturesofaneffectiveriskappetiteframeworktohelpsupervisoryevaluations;and • Thewaysinternalauditcanprovidefeedbackonwhetherafirm’sriskgovernanceprocessesarekeepingpacewithtrendsand/oralignwith bestpractices. • Thenextfoursub-sectionssummariseexistingsupervisoryexpectationsforthethreekeyriskgovernancefunctionsandexamineauthorities’approachestoassessingtheimplementationofsupervisoryexpectations. • 1.Theboardanditscommittees • RegulatoryandsupervisoryguidancespecifyingtheroleandresponsibilitiesoftheboardareprevalentacrosstheFSBmembership,includingamongotherthingsforriskgovernance. • Akeyresponsibilityoftheboardistoapprovethefirm’soverallbusinessstrategyandRAF. • Assuch,theboardhasultimateresponsibilityforthefirm’sriskmanagement,includingsettingtheriskcultureofthefirmandoverseeingmanagement’simplementationoftheagreedbusinessstrategy. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  24. P age |24 Toensurethatboardsarefocusedonthehigher-levelstrategicandriskissues,supervisorsareengagingmorefrequentlywiththeboardinparticularwithindependentdirectors. Thedefinitionofwhatconstituteseffectiveriskgovernanceisevolving,however,supervisorshighlighttheimportanceoftheboardsettingthe“toneatthetop”inregardtothefirm’sstrategyandriskcultureandchallengingmanagementontheadherencetotheagreedriskappetite. 1.1Boardcomposition Theleadershipstructuretooverseethefirm’sriskmanagementvariesacrossjurisdictions. Mostjurisdictionsrequiretheestablishmentofapermanentauditcommittee,whichhasalongerhistorythanotherboardsub-committees,drivenbyrequirementsfromsecuritiesregulatorstoprovideassurancetothequalityofthefinancialinformationprovidedbyregisteredfinancialinstitutions. Assuch,morespecificregulatoryandsupervisoryrequirementsforthecompositionandindependenceoftheauditcommitteearesetoutthanfortheriskcommittee. Forexample,anumberofjurisdictionsrequiretheauditcommitteetocompriseamajorityofindependentornon-executivedirectors,severaljurisdictionsrequiretheauditcommitteechairtobeindependent(orinsomecasesanon-executive),andinafewjurisdictionstheparticipationofthechairoftheboardisrestricted. Theestablishmentofastand-aloneriskcommitteeislessprevalentandtherequirementtypicallyappliestolarge,complexfinancialinstitutions(e.g.,firmswithmanylegalentitiesand/orcross-borderoperations). Wherestand-aloneriskcommitteesexist,severaljurisdictions19requireriskcommitteememberstohaveexpertiseinrisk-relateddisciplinesandonlyafewjurisdictionsrequireaminimumnumberofindependentdirectors. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  25. P age |25 • InHongKong,however,forthcomingchangeswillrequireall,orthemajority,ofthemembersoftheriskcommitteetobenon-executivedirectors. • AnnexDprovidesfurtherdetailsontheregulatoryandsupervisoryguidanceforthecompositionoftheboardandsub-committees,butsomeofthekeyfeaturesinclude: • Independence:Manyjurisdictionshaveestablishedgeneralrequirementsconcerningtheindependenceoftheboardtoensurethat thereisobjectivejudgementanddecision-makingontheboard. • Manyjurisdictionsalsosetoutquantitativeminimumsforthenumberofindependentdirectorsontheboard. • Someotherjurisdictionsonlysetquantitativeminimumsforthenumberofnon-executivedirectorswhichdoesnotnecessarilyensureindependentjudgementontheboard. • Expertise:Regardlessoftheboardstructure,theboardneedstocomprisememberswhocollectivelybringabalanceofexpertise,skills,experienceandperspectiveswhileexhibitingtheobjectivitytoensuredecisionsarebasedonsoundjudgementandthoughtfuldeliberations. • Manyjurisdictionsconductperiodicreviewsoftheperformance,training andskillsneededintheboardandriskcommittee. • Requiringspecificskillsforalldirectorsareacommonpractice(usuallysubsumedin“fitandproper”tests)andtypicallyincluderelevantknowledge,experienceandskillsinfinanceand/orbusiness. • Severaljurisdictionsnotonlylookatindividualqualificationsbutalsotakeaholisticviewoftheboard,examiningtheircollectiveskillsandqualifications. • Inadditiontohavingcertainskillsandqualifications,somejurisdictionsrequiredirectorstohavethecapacitytodedicatesufficienttimeand InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  26. P age |26 energyinreviewinginformationanddevelopinganunderstandingofthekeyissuesrelatedtothefirm’sactivities. 1.2Governanceoftheboard Fortheboardtoeffectivelysuperviseandmanagethefirm’sadherencetotheagreedbusinessstrategyandriskappetite,directorsshouldbeprovidedandhaveaccesstocomprehensiveinformationaboutthefirm’srisks. Thisinvolvesensuringtherearecommunicationandreportingproceduresacrossboardsub-committees,andseveralnationalauthoritiessetoutsuchrequirementsintheirguidance(seeAnnexE). However,thereislittlesupervisoryguidanceprovidedonthelevelandtypesofriskinformationfirmsshouldprovideaswellasthefrequencyofriskreporting. Importantly,theriskmanagementreportsprovidedtotheboardshouldcontributetosoundriskmanagementanddecision-making. Theboardanditscommittees,however,shouldnotjustrelyontheinformationmanagementreportsprovided. Theyshouldconsiderifthereisaneedforadditionalrisk-relatedinformationwhichshouldbemadeavailabletothemwhenneeded. Onlyafewjurisdictions,however,requiretheboardtohavesuchaccess. 2.Thefirm-wideriskmanagementfunction Sincethefinancialcrisis,nationalauthoritieshaveintensifiedtheiroversightoffirms’riskmanagementpracticesandraisedtheirexpectationsforwhatisconsideredstrongriskmanagement,whichisintegraltothecorebusinessofafinancialinstitution. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  27. P age |27 • Thefailuretohaveastrong,independentriskmanagementfunctioncanleadtoill-informedboardsandseniormanagementteamsaswellasimprudentdecisions. • Theriskmanagementfunctionshouldberesponsibleforthefirm’sriskmanagementframeworkacrosstheentireorganisation,ensuringthatthefirm’srisklimitsareconsistentwiththeRASandthatrisk-takingremainswithinthoselimits. • Stresstestsandscenarioanalysesareviewedasausefultoolforidentifyingfirms’vulnerabilitiesanddevelopingriskmanagementstrategiestoaddresstherisksidentified. • Tofulfiltheseresponsibilities,riskmanagementfunctionsshouldbeled byaninfluentialandhighlyeffectiveCRO. • 2.1Governanceoftheriskmanagementfunction • SupervisorshaveincreasedtheirexpectationsfortheriskmanagementfunctionandareevaluatingtheCRO’sstature,authority,qualifications,andindependencewithinthefirm. • Asthecrisisdemonstrated,theseareprerequisitesfortheCROtobeabletoinfluencethefirm’srisk-takingactivitiesdirectlyandthroughtheriskmanagementfunction,andtoeffectivelyinformtheboardasrisksevolve,areidentified,andaretaken. • AnnexFprovidesmoreinformationonthegovernancearoundtheriskmanagementfunction,butsomesupervisorypracticesregardingtheCROfunctioninclude: • Independence:MostjurisdictionsrequiretheCROand/orriskmanagementfunctiontobeindependent;thatis,tohaveadistinctrolefromtheotherexecutivefunctions,revenue-generatingfunctionsand businesslineresponsibilities. • Stature:TheCROandriskmanagementfunctionshouldhavesufficientstatureintheorganisationtoinfluencethefirm’srisk-takingactivities. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  28. P age |28 • Inthisregard,somejurisdictionshavesupervisoryguidancethatrequirestheCROtoreportandhavedirectaccesstotheboard. • ToelevatetheCRO’sstature,SingaporeexpectsthedismissaloftheCROtobeapprovedbytheboard. • Authority:Toeffectivelyfulfilitsrole,manyjurisdictions30requiretheCROtohavetheauthoritytoinfluencedecisionsthataffectthefirm’sexposuretorisk,andseveraljurisdictionssetoutexplicitexpectationsfortheCROtobeabletochallengemanagement’srecommendationsanddecisionsandcommunicatedirectlywithseniormanagementandwiththeboard. • Qualifications:“Fitandproper”testsarecommonlyusedtoassessthequalificationsandcompetenciesoftheCROinmanyFSBmemberjurisdictions. • Inaddition,theappointmentoftheCROisapprovedbyauthoritiesinChina,Germany(iftheCROisamemberofthemanagementboard),andSingapore,whiletheUnitedKingdominterviewsCROcandidates. • ManyjurisdictionsevaluatetheCROthroughtheiron-goingsupervisoryprocesses. • 2.2Riskappetiteframework • Assessingafirm’sRAFisachallengingtaskthatrequiresgreaterclarityandanelevatedlevelofconsistencyamongnationalauthorities. • AtthecoreoftheRAFisthefirm’sRAS,whichhasbecomeaneffectivetoolforenhancingthediscussionsbetweensupervisorsandboardsaboutthefirm’sstrategicdirectionintermsofrisktaking. • However,akeychallengetowardassessingtheeffectivenessofafirm’sRASisalackofcommonterminologyforriskappetite,riskprofile,andriskcapacityusedwithinfirms,acrossfirmsandacrossnational authorities. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  29. P age |29 Thisisanareathatisdevelopinginmanyjurisdictions;forinstance,India,RussiaandSaudiArabiahavelookedatriskappetiteonlyincontextoftheBCBSICAAP,whileinCanada,FranceandtheUnitedStates,separateprocessesarecontinuingtobeputinplacetoassessfirms’RAFs,oftendrawingonassessmentcriteriaoutlinedintheworkoftheSSG. SupervisoryreviewsareunderwayinCanadaoffirms’integrationoftheirRAFwiththestrategic,financialandcapitalplanningprocessesandcompensationpractices. InHongKong,firms’riskappetiteisreviewedfromanintegratedfirm-wideperspectivetakingintoaccountallrisks(financialand non-financial). Thesupervisordetermineswhetherthefirm’sRASiscomprehensiveandincludestheappropriaterisktargetsthatareconsistentwitheachother. ThesupervisorwillalsodeterminewhethertheRAShasawiderangeofmeasuresandactionableelementsandwhetherrobustproceduresandcontrolsareinplaceforthesettingandmonitoringoftheagreedrisk appetite. NationalauthoritiesinSingaporeassessannuallyfirms’linkbetweenriskappetite,strategicobjectives,capitalplanningandoperationalbudgetplanning. Supervisorsalsoreviewthefirm’sprogressinthetranslationofriskappetiteintolimitsandtriggersbyrisktype,aswellastheirmonitoring andreportingprocedures. InSwitzerland,supervisorsregularlyreviewtherisklimitframeworksandtheremustbeanestablishedlinkbetweenthelimitsandthestrategy. 2.3Stresstesting Theobjectiveofstresstestsandscenarioanalysesistoassesstheunanticipatedlossesthatafirmmayincurundercertainstressscenarios InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  30. P age |30 andtheimpactthatmayhaveonitsbusinessplans,riskmanagementstrategiesorcapitalplans. Theuseofstresstestsinfirms’riskgovernanceandcapitalplanninghasincreasedinrecentyearswiththeresultsservingasaninputintothefirm’sstrategicdecision-making. Asfirmsareincreasinglylinkingstresstestresultstoriskappetite,ICAAP,contingencyplanning,andrecoveryandresolutionplans,supervisoryapproachestostresstestingareevolvingaccordingly. InCanada,supervisorsassesswhetherchosenscenariosareappropriatefortheportfoliooftheinstitution,includingsevereshocksandperiodsofsevereandsustaineddownturns,andwhererelevant,anepisodeofmarketturbulenceorashocktomarketliquidityandwhetherthefrequencyandtimingofstresstestingissufficienttosupporttimelymanagementaction. Similarly,supervisorsinHongKongassessthecoverageofstresstestsandthetypesofstressscenariosandparameterschoseninrelationtothefirm’srisktolerance,overallriskprofileandbusinessplan;appropriatenessofassumptions;adequacyofpoliciesandprocedures;theadequacyofthefirm’scontingencyplanningforactiontobetakenshouldaparticularstressscenariohappen;thelevelofoversightexercisedbytheboardandseniormanagementonthestress-testingprogramandresultsgenerated;andtheadequacyofthefirm’sinternalreviewandauditofitsstress-testingprogram. Indeed,supervisoryattentionnowincludesboththeoutcomesofstresstestsandtheeffectivenessofthefirms’stresstestingprocesses. Forinstance,Singapore,SwitzerlandandUnitedKingdomhavededicatedteamstoreviewstresstestingpracticesatfirms,andChina,Germany,andHongKongexpectfirms’internalauditfunctionstoassesstheeffectivenessofriskmanagementsystemsingeneral,includingstresstests. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  31. P age |31 • 3.Independentassessmentoffirms’riskgovernanceframework • Stronginternalcontrolsystemsareakeyelementofsoundriskgovernance. • Theboardisresponsibleforoverseeingtheimplementationofan effectiveriskgovernanceframework,andassuch,shoulddirectlyoverseetheindependentassessmentprocess. • Anassessmentthatisindependentfromthebusinessunitandtheriskmanagementcontrolfunctioncanassisttheboardinjudgingwhethertheriskgovernanceframework,internalcontrolsandoversightprocessesareoperatingasintended. • Thismaybeperformedbyinternalauditorbythirdpartiessuchasauditfirmsorconsultants. • Regardlessoftheapproach,itiscriticalthattheassessmentresultinanoverallopiniononthedesignandeffectivenessoftheriskgovernanceframeworkandbeperformedbyindividualswiththeskillsneededtoproduceareliableassessment. • Currently,auditfunctionsatonlyafewfirmsprovideoverallopinionsregardingtheriskgovernanceframework. • 3.1Internalaudit • AcrosstheFSBmembership,regulatoryorsupervisoryexpectationsexistforinternalaudit. • AnnexGprovidesacomparisonofkeyregulatoryandsupervisoryexpectationswiththemostnotableelements,including: • Independence:Nearlyalljurisdictions38requirefirmstohaveapermanentinternalauditfunctionthatisindependentfrombusinesslines,supportfunctions(e.g.,treasury,legal),andriskmanagement. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  32. P age |32 • Firmsarealsorequiredtoexplicitlylinktheindependenceofinternal audittoauditorcompensationorcareerplans. • Regardlessofthedirectreportinglines,mostjurisdictionsexpectinternal audittohaveunfetteredaccesstotheboardwhenreportinginternalauditresults. • Stature:Severaljurisdictionsexpectinternalaudittoreportdirectlytotheboard,acommitteethereof,oranindependentdirector. • ThedirectreportingrelationshipinvolvestheresponsiblepartydeterminingtheCAE’scompensation,completingtheCAE’sannualperformanceevaluation,approvingtheCAE’sbudget,and/orotherwiseensuringtheCAEisnotundulyinfluencedbytheCEOorothermembersofthemanagementteam. • WhiletheCAEmayreporttotheCEOonday-to-dayadministrativematters,allsubstantivedecisionsregardingtheCAEandinternalauditfunctionaremadeattheboardlevel. • InSingapore,HongKong,andIndonesia,thedismissaloftheCAErequirestheauditcommittee’sapproval. • Qualifications:AllFSBmembershaveestablishedrequirementsorexpectationsfortheCAEandinternalauditstafftohavetheskillsnecessarytoeffectivelycarryouttheirduties. • Supervisoryassessmentsgenerallyconsiderthetechnicalknowledge,experience,andcharacterofindividualswithintheinternalauditfunction. • Scope,coverage,andfrequency:Manyjurisdictions41expectinternal audittoassessand/oropineonriskmanagementorriskgovernanceprocesses,aswellasinternalcontrols. • Expectationsforthescope,coverage,andfrequencyofsuchassessmentsvarywidely. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  33. P age |33 • However,almostalljurisdictionsexpectinternalaudittoassesstheorganisationandmandatesoftheriskmanagementfunction(s)andtheadequacyofsystemsandprocessesforassessing,controlling,respondingto,andreportingthefirm’srisks. • Nojurisdictionindicatedthatitexpectsinternalaudittoperiodicallyprovideafirm-wideassessmentofriskmanagementorriskgovernanceprocesses. • Riskappetiteframework:Manyjurisdictionsexpectinternalaudittoassesscompliancewiththeboard-approvedriskappetite. • IntheUnitedKingdom,internalauditisexpectedtoensurethatproceduresareinplacetoreportbreachesinthefirm’sriskappetitetotheboard. • Benchmarking:Mostjurisdictionsindicatethatinternalauditshouldbeawareofindustrytrends/bestpracticesandthatauditorsshouldconsidersuchknowledgewhenconductingtheirwork. • However,nojurisdictionhadspecificexpectationsforinternalaudittoopineonwhetherafirm’sriskgovernanceprocessesarekeepingpacewithtrendsand/oralignwithbestpractices. • Remediationprocess:Thereisawiderangeofexpectationsforinternal audittofollow-uponremedialactionstoaddressmaterialdeficienciesandseveraljurisdictionsexpectinternalaudittoreporttheresultsofitsfollow-upactivitiestotheboard. • Nearlyalljurisdictionsindicatedthattheyrequiresomeformoffollow-upandreporting. • Chiefauditexecutive:AlljurisdictionsindicatethatsupervisorsconsidertheCAE’sperformancewhenassessingthequalityofinternalaudit. • Suchassessmentsmaybeperformedoff-site,withinon-siteinspections,and/orthroughregularmeetingswiththeCAEandinternalauditstaff. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  34. P age |34 InSaudiArabia,theappointmentoftheCAErequiresa“noobjection”fromthecentralbank,andinIndonesia,banksarerequiredtoreporttobanksupervisorstheappointmentanddismissaloftheirCAE. 3.2Thirdparties Employingthirdpartiescouldhelptoenhancethequalityoffirms’independentassessmentsbyprovidinganunbiasedopinionofafirm’sriskgovernanceframeworkasmanyinternalauditfunctionsarestaffedwithindividualswhoseexperiencemaybelimitedtothepracticesemployedbyoneortwofirms. Inaddition,thirdpartiesoftenhaveabroaderunderstandingofleadingindustrypractices,especiallyinhighlytechnicalareas. Mostjurisdictionsallowtheuseofthirdpartiestoassessafirm’sriskgovernanceframework,andinChinaandtheNetherlands,theexternal auditoralsoassessestheeffectivenessoftheinternalauditfunction. Manyjurisdictionsappropriatelystipulatethroughregulationorguidancethat: Theuseofathirdpartydoesnotrelinquishtheboardormanagementfromultimateresponsibilityforensuringthereliabilityoftheindependentassessments,and Largeandcomplexfirmsshouldnotbecomeoverlyreliantonthird partiestoprovideexpertisethatshouldbedevelopedwithinthefirm’sinternalauditfunction. Francespecificallyrequiresthatoutsourcingarrangementsbeengagedandoverseenbyinternalaudittoensureindependenceandthatinternal auditmaintainsaccountabilityforthescope,coverage,andfrequencyofwork. Severaljurisdictions,however,restricttheuseofthirdparties. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  35. P age |35 Forinstance,inItaly,internalauditworkcanbeoutsourcedonlybysmallcreditinstitutionswithlimitedoperationalcomplexity. Meanwhile,inSouthAfricathecentralbankmustapproveanyoutsourcingactivity,andinKorea,theuseofthirdpartiestoassessafirm’sriskgovernanceframeworkisnotregulated. 4.Supervisoryapproachestowardassessingriskgovernanceframeworks Supervisorsplayacrucialroleinassessingtheadequacyofafirm’sriskgovernanceframeworkandthepracticesemployedbyafirmtoindependentlyassessitsframework. Supervisoryexpectationsforriskgovernancepracticesoutlinedabovearegenerallysetoutwithinthelegalframeworkthroughacombinationoflegislation,regulationandsupervisoryguidance;however,theapproachvariesconsiderablyacrossjurisdictions. AustraliaandCanadacomplementtheirstandardswithwrittenguidanceprovidedtotheindustrytoassistwiththeimplementationofprudentialrequirementsandadoptionofgoodpractices. Supervisoryapproachestowardassessingimplementationofregulatoryorsupervisoryguidanceencompassavarietyofsteps(e.g.,on-siteinspections,off-sitereviews,horizontalreviews). SupervisoryassessmentsgenerallyoccuratleastonceayearacrosstheFSBmembership,thoughinArgentinaassessmentstakeplaceevery18monthsandtheUnitedKingdomismovingfromabi-annualassessment towardasystemofcontinuoussupervision. Severaljurisdictionstakearisk-basedapproachtoon-siteexaminations,focusingonriskierinstitutions. IntheUnitedStates,nationalauthoritieshaveon-siteteamswithexpertisetoassessthegovernancepracticesatthelargestandmostcomplexbanksonarealtimebasis. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  36. P age |36 InChina,jointregulatorymeetingsareheldonaregularbasisbetweenthefirm’sheadoffice,itsbranches,andtheregulatoryauthoritywherethebranchesarelocated. Meetingswithdirectorsandseniormanagementprovideanotheravenuefornationalauthoritiestoassessfirms’riskgovernancepractices. AnnexHprovidesmoreinformationontheapproachestakentoassessingfirms’riskmanagementframeworks. Supervisorsreceiveawiderangeofriskreportsorinformationfromfirmsontheirriskmanagementpractices,includingfromexternalauditorsorotherthirdpartiesaswellassupportingdocumentationrequestedduringon-siteinspections. Standardisedfinancialandriskreportingareacommonpractice;however,thetypesofreportsorinformationprovidedvaries. Forinstance,inArgentina,newreportingrequirementswillrequestquantitativemeasuresforriskgovernanceandformalexposurelimitsfor eachofthesignificantrisksandstresstestinformation;inHongKongandelsewhere,regularprudentialreportingdataandadhocrequestsforpeergroupanalysisareutilised,e.g.,stresstestcapitalanalysisand horizontalcreditreviewsofcommon(problem)loanaccounts;andinCanadaandSingapore,supervisoryteamsworkwithriskspecialiststoidentifytrendsthatcantriggeradditionalinvestigationsorreviews. Nationalauthoritieshaveaccesstoabroadsetofsupervisorytoolstoincentivisefirmstoremediatedeficiencieswithintheirriskgovernanceframework,dependingontheseverityofthedeficiency. Thesetoolsincludemoralsuasion,capitalsurcharges,restrictionsoncertainbusinessactivities,imposingfinesandpenalties,andtheultimatepenaltyofwithdrawingbanklicences. Whilealargenumberofsupervisoryauthoritiescanuseanumberofthesetools,afewhavelimitedsupervisorypowerstoscalethesanctionbased InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  37. P age |37 • ontheseverityoftheinfraction,raisingconcernsovertheirabilityto effectivelyinterveneearlywherenecessarywhenrisksstarttosurface. • Moreover,eventhoughsomenationalauthoritieshavetheauthoritytoimposefines,thisisdifficulttoimplementinpractice,forinstance,duetocumbersomeprocessesorsupervisorslackingthewilltoact. • III.Firms’riskgovernancepractices • Thefinancialcrisisspurredfundamentalchangesinriskgovernancepracticesatfinancialinstitutions,andinmanycases,surveyedfirmsareaheadofregulatoryandsupervisoryguidance. • Ingeneral,surveyedfirmsthatweremostaffectedbythecrisishavemadethegreatestadvancements,perhapsnecessitatedbyaneedtore-gain marketconfidence. • Firmsthatwerelesstroubledfromthecrisis,however,haveincreasedtheintensityofthemeasuresthattheyhadinplacepre-crisis. • Someofthemostobviouschangesinclude: • ConsolidatingandraisingtheprofileoftheriskmanagementfunctionacrossbankinggroupsthroughtheestablishmentofagroupCRO,increasingthestatureandauthorityoftheCROandincreasingtheCRO’sinvolvementinrelevantinternalcommittees. • Changingthereportinglinesoftheriskmanagementfunctionsothat theCROnowreportsdirectlytotheCEOwhilealsohavingadirectlinktotheriskcommittee. • Intensifyingtheoversightofriskissuesattheboardthroughcreationofastand-aloneriskcommittee,supportedbygreaterlinkswiththeriskmanagementfunctionandotherrisk-relatedboardcommittees,particularlyauditandcompensationcommittees. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  38. P age |38 • Cross-membershipoftheauditcommitteeandriskcommitteeisnowquitecommon,withsomefirmsinvolving(oratleastinviting)thechairoftheboard,eventhefullboard,ontotheriskcommittee. • Thetimecommitmentofindependentdirectorshasincreasedconsiderablyoverthepastseveralyears. • Upgradingtheskillsrequirementsofindependentdirectorsontheriskcommitteeandexpectingthesememberstocommitmoretimetotheseendeavours. • Thecompositionofboardshaschangedconsiderablywithmany • non-executivedirectorsnowhavingfinancialindustryexperience;thedominanceofmembersfromindustrialcompaniesormajorshareholders • ismuchlessthanadecadeago. • Changingtheattitudetowardtheownershipofriskacrossthefirmwiththebusinesslinenowbeingmuchmoreaccountablefortheriskscreated bytheiractivitiesthanpreviously. • Inadditiontochangingthecompositionandimprovingthestrengthoftheboard,therehavebeenmajordevelopmentsinhowfirmsanalyserisksandtheassociatedtoolsutilisedsuchasRAFs,stresstestsandreversestresstesting. • Oneofthekeylessonsfromthecrisiswasthatreputationalriskwasseverelyunderestimated;hence,thereismorefocusonbusinessconductandthesuitabilityofproducts,e.g.,thetypeofproductssoldandwhotheyaresoldto. • Asthecrisisshowed,consumerproductssuchasresidentialmortgageloanscouldbecomeasourceoffinancialinstability. • Thenextfoursub-sectionssummarisethefindingsfromthesurveyedfirmsregardingthethreekeyriskgovernancefunctionsandprovideasummaryofthesupervisoryevaluationsoffirms’progress. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  39. P age |39 1.Theboardanditscommittees Theboardisresponsibleforensuringthatthefirmhasanappropriateriskgovernanceframeworkthatiscommensuratewiththefirm’sstrategy,complexityandsize. Theboard’sroleandresponsibilitiesforriskgovernancearegenerallydefinedintheboard’scharterandincludeapprovalofthefirm’sstrategyandoverseeingitsimplementation,settingouttheguidelinesandpoliciesforriskmanagement,andensuringthefirm’sinternalcontrolsarerobust. Theboardisalsoresponsibleforformulatingthemandateandresponsibilitiesofitscommitteessuchastheriskandauditcommittees. Forinstance,auditcommitteesshouldensurebusinessunitshaveeffectiveremediationplanstoaddressanycontrolweaknessesnotedbyinternalaudit. SomefirmshavedevelopedaCorporateGovernanceFrameworkorCodewhereallrulesregardingtheroles,responsibilitiesandoversightfunctionsoftheboardareassembled. Establishinganenterpriseorfirm-wideriskmanagementframeworkcanhelptoprovideanoverviewofriskpolicyarchitectureandprocess. Havingastand-aloneriskcommitteeisacommonpracticeeventhoughitisnotrequiredbyallnationalauthorities. Firmsgenerallyensurethattheriskcommittee,whichisresponsibleforoverseeingseniormanagement’simplementationoftheriskstrategy,coversalltherisksfacedatthefirm-widelevel,includingfinancialrisksaswellasoperational,compliance,legalandregulatoryrisks. RegularmeetingsareheldwithseniormanagementandtheCROtodiscussperformanceofthebusinessunitandcompliancewiththeRASandrisklimits. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  40. P age |40 Materialrisksarepresentedanddiscussedonbothanaggregatebasisandbytypeofrisk. Afewfirms,however,notedthechallengeofaggregatingrisksduetothecomplexityoftheorganisation,underscoringtheimportanceofriskcommitteesaddressinginformationchallengesarisingfromthecomplexityoflargefirms. Aneffectivegovernancestructurehasmeasurestopreventconcentrationofpowerandresponsibility,suchasrequiringanumberofindependentdirectors,representationofcertainskillsandqualificationsontheboard,andtheboardregularlyevaluatingitseffectiveness. Itiscommonforboardstohaveindependentdirectors;somefirmsestablishminimumquantitativerequirements,rangingfromaminimumofone-thirdtothree-quartersoftheboard. Mostfirmsprovideadefinitionofindependenceintheboard’scharter,whichisembeddedinthefirm’sgovernanceframework. Theriskcommitteeoftencomprisesonlyindependentdirectors. Thereisawiderangeofpracticeregardingthequalificationsformembersoftheboardandriskcommittee;onefirmhighlightedthattheskillsrequiredbytheboardareevolving,inpartreflectingtheriskstakenbythefirm. Somefirmsperformamatrixanalysisoftheexperienceandexpertiseofeachdirectortoidentifyskillsneededfromincomingdirectors. Thereisalsoawiderangeofpracticeinvolvinglimitationslinkedtoboardstructure,including: Thepreclusionofthechairoftheboardfrombeingchairofeithertheriskorauditcommittee; TheseparationoftherolesoftheCEOandchairoftheboard;and InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  41. P age |41 (iii)Limitedtenureonacommittee. Periodicreviewsoftheperformanceoftheboardandriskcommitteeareacommonpractice. Reviewsareconductedbytheboardnominationorgovernancecommitteesorbytheentireboard. Insomecases,externalpartiesmaybeemployed.Suchreviewsmayincludeanassessmentoftrainingandskillsneededontheboard. Insomefirms,theboardconsidersthefunctioningofitsoverallcommitteestructure,includingthenumberandtypesofcommitteesandthehighestandbestuseofboardmembers’expertise. Theyalsoevaluatethereportingbythecommitteestothefullboard. Theboardandriskcommitteeareabletoreceiveinformation,bothformallyandinformally,directlyfromtheCROortheriskmanagementfunction. ItisbecomingacommonpracticefortheCROtoreportinformationdirectlytotheboard;theriskreportsareusuallystandardisedintermsof formality,frequencyandcontent. Boththeoverallrisklevelofthefirmandinformationforeachrisktypeareincludedinthereportingtemplate(e.g.,aheatmapofidentifiedriskcategoriesacrossregions,globalbusiness,andareportwiththetopandemergingrisksfacedbythefirm). Somefirmsexplicitlydefineanddocumenttheinformationthattheboardandriskcommitteeshallreceive,settheagendaatthebeginningoftheyear,andcirculatetomembersinadvanceofmeetingstherelevantmaterialtosupporttheagendaitem. Somefirmsrequireinternalaudit,orathirdparty,toverifytheaccuracy,comprehensivenessandcompletenessofinformationprovidedtotheboardandriskcommittee. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  42. P age |42 Otherfirmssatisfythemselvesthroughdiscussionswithmanagementorconductself-assessmentsoftheeffectivenessoftheinformationprovidedtotheboard. 2.Theriskmanagementfunction Sincethefinancialcrisis,manyfirmshaveimprovedriskmanagement.Someofthemostobviouschangesrelatetothegovernanceprocesses aroundtheriskmanagementfunction;therealsohavebeenmajorchangesinhowrisksareanalysedandcommunicatedandtheassociated toolsthatareutilised. 2.1Governanceoftheriskmanagementfunction Sincethefinancialcrisis,manyfirmshavestrengthenedhowtheirriskmanagementfunctionsarestructured,resourced,compensated,whothefunctionisaccountabletoaswellasitsoverallmandate. Inmanyways,thesechangesarebringingthegovernancearrangementsfortheriskmanagementfunctionuptothestandardthathastypicallyappliedtotheinternalauditfunctionforseveralyears. Firmsarethereforeencouragedtoatleastconsiderthevalidityofanyremainingdifferencesingovernanceprocessesthatsurroundthetwofunctions. Oneofthemostcommonimprovementsmadebyfirmsoverthepastfiveyearshasbeentoconsolidateandraisetheprofileoftheriskmanagementfunctionthroughtheestablishmentofagroup-wideCRO. TheCROandtheriskmanagementfunctiongenerallyhavebeengivenmorestature,authorityandindependencecomparedtothepre-crisisperiod. AlmostallfirmsreportedthattheynowhaveaCROwithfirm-wide responsibilityforriskmanagementwhooperatesindependently. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  43. P age |43 AssessmentoftheCRO’sstature,authorityandindependenceincludestheprocessforappointment,dismissalandperformanceevaluationoftheCROaswellasthestaffingrequirementsoftheriskmanagementfunctionmoregenerally. Onlyafewfirmsnotedthatthechairoftheriskcommitteeisinvolvedin theperformanceassessmentoftheCRO. Further,onlyafewfirmslinktheadequacyandqualificationsoftheriskmanagementstafftoanannualprocessthattakesintoconsiderationthestrategyofthefirmgoingforward. MostfirmsnotedthattheCROhasadirectreportinglinetotheCEO(versusanotherbusinessunit)whichrepresentsamajorimprovementsincethecrisis. However,therearestillexamplescitedatasmallnumberoffirmswheretheCROdoesnothaveadirectreportinglinetotheCEO. AfewfirmsrequiretheCROtohaveadirectreportinglinetotheboard,whichhelpstoboostthestatureoftheCRO. AlargenumberoffirmsalsonotedthattheirCROisableto“access”theboard,generallythroughtheriskcommittee,butitisunclearhowthisisdoneinpractice. AlmostallfirmsoperatewithaCROwhoisseparatefromrevenue-generatingresponsibilitiesorotherexecutivefunctions(thatis, “dual-hatting”oftheCRO’sresponsibilitiesisavoided).SuchastructureisessentialfortheCRO’sindependence. Thisseparationofresponsibilitieshasbeenreinforcedbymanyfirms re-structuringtheirriskmanagementfunctionsunderagroup-wideCRO,withregionalorbusinesslineCROshavingadirectreportinglinetothe groupCRO,ratherthantotheregionalorbusinesslineheadsashadoccurredinthepast. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  44. P age |44 • Topreservetheindependenceintendedfromsuchstructures, • ‘dual-hatting’ofresponsibilitiesshouldalsobeavoidedforthoseseniorpositionsintheriskmanagementfunctionthatreporttothegroupCRO, • particularlyatgloballyactive,complexfirms. • Atsomefirms,theCROreportstotheCFOor,inafewexceptionalcases,onepersonassumestheresponsibilitiesofboththeCROandCFO. • Inaddition,thereareinstancesatsomefirmswheretheCROisassignedotherfunctional,albeitnon-revenuegenerating,responsibilities. • Wherethisrelatestotheoversightoffunctionssuchascomplianceandanti-moneylaundering,theconcernismoreabouttheriskof • over-burdeningtheCRO,particularlyinmorecomplex,global • institutions,thanthepotentialforconflictofinterestperse. • Indeed,muchprogresshasbeenmadetowardelevatingthestatureandindependenceoftheCRO. • WhiletheroleoftheCROhasbroadenedandincludesinvolvementinanumberofkeyprocessesandinternalcommitteesthatrequireinputsfromtheriskmanagementfunction,otherimportantprocesseswarrantgreaterparticipationoftheCRO,suchas: • Mergersandacquisitions.Whiletheanalysisofaproposedmergeroracquisitionwouldbesubmittedtotheboardoracommitteeforapproval,theCROgenerallytakespartintheprocessasamemberofthecommittee. • OnlyafewfirmsrequiretheCROtoprepareaformalriskopiniononplannedmergersandacquisitions. • Strategicplanningprocess.Traditionally,theCROisresponsibleforthe oversightoftheexistingriskprofileofthefirmandofthoserisksbeingtakenonaday-to-daybasisasaresultofpreviousbusinessdecisions. • However,asindicatedabove,theCROshouldalsobecomeincreasinglyinvolved,inamoreproactivemanner,intheactivitiesandplansthatdeal InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  45. P age |45 • withprospectivebusinessrisk,includingthoseriskswhichmayarisefromtheexecutionofthefirm’sstrategicbusinessplan. • TheCROshouldbeinvolvedinthisprocess,fromariskperspective,byinteractingwithseniormanagementandtheboard,understandingstrategicbusinessplans,andformallyopiningontheprospectiveriskprofileandwhetherornotthefirmhasthenecessaryresourcesandsystemstoaccommodatetheresultingexposures. • Ifsuchresourcesarenotavailable,thenspaceinthestrategicplanshould becreatedtoensureproperriskcontrols. • Treasuryfunction.SomefirmshaveclearlydefinedtherolesandresponsibilitiesoftheCROregardingoversightofafirm’streasuryfunction. • However,thereisarangeofpracticesurroundingtheorganisationalrelationshipbetweenthesetwofunctions: • TheindependentliquidityriskcontrolfunctionhasresponsibilityforthemanagementandcontrolofliquidityriskandthatfunctionreportsdirectlytotheCRO; • TheCROparticipatesasavotingmemberoftherelevantmanagementcommittee(typicallytheassetandliabilitymanagementcommittee),withnospecificrolefortheCROdefined;or • TheCFOaloneisresponsibleforthetreasuryfunctionwithoutany oversightfromtheCROintheriskmanagementprocess. • 2.2Riskmanagementtools • Twokeyadditionstoriskmanagementtoolshavebeen(i)thedevelopmentofRAFsand(ii)morerobustandseverestresstestingpractices. • Relatedtothis,andgiventheunderestimationofreputationalrisk pre-crisis,therenowismuchgreaterfocuswithinmanyfirmsonbusiness InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  46. P age |46 • conductandthesuitabilityofproducts,e.g.,thetypeofproductssoldandtowhomtheyaresold. • TheRAFisanincreasinglyimportanttoolincentralisingthefocusonthefirm’sriskprofileandprovidingamoreintegratedpictureofthefirm’srisks. • Firmsindicatedagooddegreeofunderstandingthekeyelements,objectivesandusesofRAFswhicharegenerallyinlinewithrecentstudiessuchasthe2010SSGreportondevelopmentsinriskappetiteframeworksandITinfrastructure. • Keyfeaturesofariskappetiteframework(RAF) • RAFshelpdrivestrategicdecisionsandright-sizeafirm’sriskprofile. • RAFsestablishanexplicit,forward-lookingviewofafirm’sdesiredriskprofileinavarietyofscenariosandsetoutaprocessforachievingthatriskprofile. • RAFsincludeariskappetitestatementthatestablishesboundariesforthedesiredbusinessfocusandarticulatetheboard’sdesiredapproachtoavarietyofbusinesses,riskareas,andinsomecases,producttypes. • ThemoredevelopedRAFsareflexibleandresponsivetoenvironmentalchanges;however,riskappetiteisdefinitiveandconsistentenoughtocontainstrategicdrift. • RAFssetexpectationsforbusinesslinestrategyreviewsandfacilitateregulardiscussionsabouthowtomanageunexpectedeconomicormarketeventsinparticulargeographiesorproducts. • Discussionswithfirms,however,revealthatthereissignificantvariationintheperceptionofhowmuchfirmshaveprogressedinthedevelopment,comprehensivenessandimplementationoftheirRAFs. • Oneofthekeychallengesisdifferentinterpretationsofessentialelements,includingriskappetite,risklimits,andriskcapacity. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  47. P age |47 • SomefirmswereabletoreportsignificantprogressandhavehadanRAFforseveralyears(insomecasessincebeforethecrisis). • Thesefirms’RAFswerelinkedtothefirm’sstrategyandintegratedwithmostotherrelevantinternalprocessessuchasbudgeting,compensation plans,mergersandacquisitionevaluations,newproductapproval,andstresstesting. • ThesefirmswereabletoreportthattheunderstandingoftheRAFwaswidespreadbothacrossfunctionallinesandwithinmultiplelayersoftheirfirm. • TheywerealsoabletoidentifyclearexamplesofhowtheyhadusedtheirRAFinstrategicdecision-makingprocesses,suchasdecisionstoactivelyreducethecomplexityoftheiroperations. • Thatsaid,evenatthesefirms,itwasrecognisedthatoperationalisingan effectiveRAFisacontinualjourneythatneedstoevolvewithchangesin internalprocessesandtheexternalenvironment. • AnumberoffirmsreportedthattheirimplementationofanRAFwasmorerecentandwhileithadbeenlinkedtothefirm’sstrategyandintegratedwithsomeofthekeyinternalprocesses,furtherworkisenvisaged,suchas:linkingtheRAFwithalltherelevantinternalprocesses;ensuringthatqualitativeaswellasquantitativemetricsareappropriatelyincluded;andsomewhatrelatedly,broadeningtheRAFtocoverthosehardertoquantifyrisks,suchasoperational,complianceandreputationrisks. • Forotherfirms,theirRAFsareatanearlystageofdevelopment. • Whiletheymayhaveahigh-levelframeworkinplace,numerousgapsexist. • Forexample,thecoveragemaynotextendtoallrelevantsubsidiariesin theframeworkbecausetheriskappetiteisnotclearlyarticulatedatthebusinesslevelnorintegratedwithalltherelevantinternalprocesses. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  48. P age |48 Further,someRAFsarelessdevelopedintermsofincludingallthematerialrisksthefirmfaces,particularlyreputationalandoperationalrisks. AllfirmssurveyedconsideredrisklimitstobethevehicleforoperationalisingtheRAFatthebusinesslinelevel. Thecommunicationandescalationprocessforanybreachesseemedtobeverysimilaracrossthefirmssurveyed:theriskmanagementfunctionwasresponsibleformonitoringrisklimits,metrics,andbreaches,andescalatinganyconcerns;businessunitshavetoexplainbreachestotheriskmanagementcommitteeorboarddependingonthenatureandsizeoftheexposure;theauthorisationofexceptionswasdefinedtop-down;andactionplanswererequired. However,thereweredifferencesbetweenfirmsintheirapproachestodeparturesfromtheRAF:somefirmsgrantflexibilityforabusinesslinetodepartfromtheRAFiftheglobalriskappetitewasnotbreached,whereasothersgivenoflexibilityforindividualbusinesslinestodeviatefromtheirbusinesslinerisklimits. Embeddingthefirm’sagreedRASintothefirm’sriskcultureremainsachallengebutseveralapproacheshavebeentakenbyfirms. Anumberoffirmshavedevelopedtrainingprogramsandmanuals(withonefirmrequiringrelevantemployeestocertifyeveryyearthattheyhaveattendedthetrainingprogramandreadthemanual),butonlyafewfirmsreportedthattheyhavelinkedcoreriskobjectivestostaffperformancemanagementprocesses. Discussionswithfirmsrevealedthatakeytocreatingincentivesforabetterriskcultureinfirmsistolinkriskobjectiveswitheithercompensationorcareeradvancementprospects. Stresstestinghasbecomeacommontoolforfirms. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  49. P age |49 Thegovernancearoundgroup-widestresstestingtypicallyinvolvesfirmsdevelopingtheirownhistoricalandhypotheticalscenarios,though nationalauthoritiescanalsosetscenarios. TheCROandriskmanagementfunctiongenerallyhaveacentralrole, actingastheowneroftheprocessorparticipatinginthecommitteeleadingtheeffort. Thetestingisconductedatleastannually,andinmanycasesonaquarterlybasis. Stresstestsresultsareusuallypresentedtotheriskcommitteeandsometimestothenationalsupervisor. TheseprocessesappeartobefurthestdevelopedinAEs,andsomealsoperformreversestresstestingandcounterpartystresstesting. Incontrast,somefirmsinEMDEshavenotperformedstresstestingonanintegratedbasisorarestillintheprocessofimplementingtheirstresstestingprocesses. Mostfirmsusethestresstestingresultsfortheirbudgeting,RAFandICAAPprocessesandtosetcontingencyplansagainststressedconditions. 3.Independentassessmentoffirms’riskgovernanceframework 3.1Internalaudit Firmsprimarilyrelyontheirinternalauditfunctionstoindependentlyassesstheirriskgovernanceframeworks. Inalmostallcases,internalauditassessestheframeworkthroughaseriesofindividualassuranceaudits,combinedwithsomeproject-specificandotherongoingauditwork. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

  50. P age |50 • Afewinternalauditfunctionsdemonstratethebetterpracticeofprovidinganoverallopinionoftheriskgovernanceframeworkonan annualbasis. • Inlinewithexpectationsestablishedbynationalauthorities,allofthefirms’internalauditfunctionsareorganisationallyseparatefrombusinesslinesandhaveunfetteredaccesstotheboard. • Almosteveryfirmreportedthattheyhavemadechangestostrengthentheirinternalauditfunctionssince2008. • Majorchangesinclude:appointingaCAE;establishingmoreattractivecompensationplansandcareerpathsforinternalauditors;increasingboththenumberandskillsofinternalauditstaff;expandinginternalaudit’srole/responsibilities,includingparticipatingasanobserveratriskmanagementcommitteesanddecision-makingprocesses;andenhancingbusinessmonitoring. • Internalaudit’sroleandresponsibilitiesareprimarilyestablishedviaanauditcharter,withauditmanualsdetailingproceduresforplanning,executing,andreportingaudit’swork. • Atallsurveyedfirms,internalauditisresponsibleforassessingriskmanagementorriskgovernanceprocessesaswellasinternalcontrols. • Whilenationalauthorities’expectationsvary,mostinternalauditfunctionsalsoassess: • Theappropriatenessofassumptionsusedinscenarioanalysisandstresstesting, • Thedegreetowhichthefirm’sriskgovernanceiskeepingpacewithindustrytrendsandalignswithbestpractices, • Thequalityandadequacyofresourceswithintheriskmanagementfunction, InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

More Related