International Association of Risk and Compliance Professionals (IARCP)
1200 G Street NW Suite 800, Washington, DC 20005-6705 USA
Tel: 202-449-9750
www.risk-compliance-association.com

Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next

Dear Member,

It was 2 a.m. and I was ready to sleep, but I also wanted to check my emails another time.

Yes, I have read the famous book "The 4-Hour Workweek" by Timothy Ferriss, but I disagree with him, so I have decided to do the opposite: To check emails more frequently. Sorry Tim.

One of the first emails was an important one: Red Alert, China occupies the Public Company Accounting Oversight Board.

There was even a picture!
What? I know that China implements a Chinese Sarbanes-Oxley... but what is that now?

I read in the picture that PCAOB Chairman James R. Doty said: "This agreement is an important step forward in cross-border enforcement cooperation, and it is also a necessary step to protect the interests of investors in the U.S. capital markets."

What? Is James R. Doty well?

Fortunately, James is very well. There was no red alert. One of my friends, John, an attorney, sent me this email.

Read more about "This agreement is an important step forward in cross-border enforcement cooperation, and it is also a necessary step to protect the interests of investors in the U.S. capital markets" at number 7 of our list below.

The following morning, I received another email.

Title: "Forecasting is the art of saying what will happen, and then explaining why it didn't"

Message: I hate you. Our boss is following your stress testing recommendations. Lao Tzu has said that those who have knowledge don't predict. Those who predict, don't have knowledge.

Signature: Terminator

Terminator? Arnold Schwarzenegger, did you send this email?

Who? Lao Tzu? The Chinese again? I replied!

"Dear Arnold (or other Terminator),
It is not me! It is Basel III that asks for a forward-looking perspective! Basel III requires stress testing. And, we have a crystal ball in risk management: The recommendations of the Financial Stability Board (FSB)."

The recommendations...

Who reads these recommendations? So important... I have led some classes since January, nobody reads FSB.

They laugh when I say read FSB every morning, before reading FT or WSJ!

It is time to read the recommendations of the FSB carefully. It is about the board, senior management, risk officers, compliance officers, internal and external auditors.

This is our Number 1. These pages are so important. Welcome to the Top 10 list.

Best Regards,

George Lekatis
President of the IARCP
General Manager, Compliance LLC
1200 G Street NW Suite 800, Washington DC 20005, USA
Tel: (202) 449-9750
Email: lekatis@risk-compliance-association.com
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804, Wilmington DE 19801, USA
Tel: (302) 342-8828
Number 1
Thematic Review on Risk Governance, Peer Review Report

Financial Stability Board (FSB) member jurisdictions have committed, under the FSB Charter and in the FSB Framework for Strengthening Adherence to International Standards, to undergo periodic peer reviews.

To fulfil this responsibility, the FSB has established a regular programme of country and thematic peer reviews of its member jurisdictions.

Thematic reviews focus on the implementation and effectiveness across the FSB membership of international financial standards developed by standard-setting bodies and policies agreed within the FSB in a particular area important for global financial stability.

Number 2
Keynote Luncheon Speech
By Commissioner Elisse B. Walter, U.S. Securities and Exchange Commission
32nd Annual SEC and Financial Reporting Institute Conference, Pasadena, CA

Number 3
Background on the PCAOB
Steven B. Harris, Board Member
Kennesaw State Graduate Student Meeting, Washington, DC
Number 4
Financial Conglomerates Directive Technical Review

This Prudential Regulation Authority (PRA) policy statement publishes the final rules implementing the Financial Conglomerates Directive Technical Review (2011/89/EC) (FICOD1), which amends the Financial Conglomerates Directive (2002/87/EC) and certain other Directives insofar as they apply to financial conglomerates.

Number 5
Committee on the Global Financial System, CGFS Papers No 49
Asset encumbrance, financial reform and the demand for collateral assets
Report submitted by a Working Group established by the Committee on the Global Financial System
The Group was chaired by Aerdt Houben, Netherlands Bank

Given that the demand for collateral assets is increasing, the Committee on the Global Financial System (CGFS) in May 2012 established a Working Group (chaired by Aerdt Houben, Netherlands Bank) to explore the implications of this trend for markets and policy.

This report presents the Group's findings from a system-wide perspective and draws broad conclusions for policymakers.

The report presents evidence of increased reliance by banks on collateralised funding markets in recent years for some regions, with the increase being most pronounced in Europe.
Number 6
Peer Review of Switzerland, Review Report

FSB country peer reviews

The FSB has established a regular programme of country peer reviews of its member jurisdictions.

The objective of the reviews is to examine the steps taken or planned by national authorities to address International Monetary Fund (IMF)-World Bank FSAP recommendations concerning financial regulation and supervision as well as institutional and market infrastructure.

Number 7
PCAOB Enters into Enforcement Cooperation Agreement with Chinese Regulators

The Public Company Accounting Oversight Board announced that it has entered into a Memorandum of Understanding (MOU) on Enforcement Cooperation with the China Securities Regulatory Commission (CSRC) and the Ministry of Finance (MOF).

The MOU establishes a cooperative framework between the parties for the production and exchange of audit documents relevant to investigations in both countries' respective jurisdictions.

More specifically, it provides a mechanism for the parties to request and receive from each other assistance in obtaining documents and information in furtherance of their investigative duties.
Number 8
Islamic commerce and finance
Opening remarks by Dr Michael Gondwe, Governor of the Bank of Zambia, at the workshop on "Islamic commerce and finance", Lusaka.

Number 9
Three questions on the nature and management of risk
Keynote speech by Mr Norman T L Chan, Chief Executive of the Hong Kong Monetary Authority, at the Hong Kong Monetary Authority-Global Association of Risk Professionals (GARP) Global Risk Forum Opening Dinner, Hong Kong.

Number 10
Investor Protection Through Economic Analysis
By Craig M. Lewis, Chief Economist and Director, Division of Risk, Strategy, and Financial Innovation, U.S. Securities and Exchange Commission
Speech at the Pennsylvania Association of Public Employee Retirement Systems Annual Spring Forum, Harrisburg, PA
Number 1
Thematic Review on Risk Governance
Peer Review Report

Foreword

Financial Stability Board (FSB) member jurisdictions have committed, under the FSB Charter and in the FSB Framework for Strengthening Adherence to International Standards, to undergo periodic peer reviews.

To fulfil this responsibility, the FSB has established a regular programme of country and thematic peer reviews of its member jurisdictions.

Thematic reviews focus on the implementation and effectiveness across the FSB membership of international financial standards developed by standard-setting bodies and policies agreed within the FSB in a particular area important for global financial stability.

Thematic reviews may also analyse other areas important for global financial stability where international standards or policies do not yet exist.

The objectives of the reviews are to encourage consistent cross-country and cross-sector implementation; to evaluate (where possible) the extent to which standards and policies have had their intended results; and to identify gaps and weaknesses in reviewed areas and to make recommendations for potential follow-up (including via the development of new standards) by FSB members.

This report describes the findings of the thematic peer review on risk governance, including the key elements of the discussion in the FSB Standing Committee on Standards Implementation (SCSI).
The draft report for discussion was prepared by a team chaired by Swee Lian Teo (Monetary Authority of Singapore), comprising Ted Price (Canada Office of the Superintendent of Financial Institutions), Xiang Qi (China Banking Regulatory Commission), Jérôme Lachand (France Autorité de Contrôle Prudentiel), Sofia Nikopoulos (German BaFin), Adriana Elizondo (Mexico National Banking and Securities Commission), Francisco Gil (Bank of Spain), Mike Brosnan (United States Office of the Comptroller of the Currency), Xavier-Yves Zanota (member of the Basel Committee on Banking Supervision Secretariat), Mats Isaksson (Organisation for Economic Co-operation and Development), and Laura Ard (World Bank).

Merylin Coombs and Grace Sone (FSB Secretariat) provided support to the team and contributed to the preparation of the peer review report.
Executive summary

The recent global financial crisis exposed a number of governance weaknesses that resulted in firms' failure to understand the risks they were taking.

In the wake of the crisis, numerous reports painted a fairly bleak picture of risk governance frameworks at financial institutions, which consist of three key functions: the board, the firm-wide risk management function, and the independent assessment of risk governance.

The crisis highlighted that many boards had directors with little financial industry experience and limited understanding of the rapidly increasing complexity of the institutions they were leading.

Too often, directors were unable to dedicate sufficient time to understand the firm's business model and were too deferential to senior management.

In addition, many boards did not pay sufficient attention to risk management or set up effective structures, such as a dedicated risk committee, to facilitate meaningful analysis of the firm's risk exposures and to constructively challenge management's proposals and decisions.

The risk committees that did exist were often staffed by directors short on both experience and independence from management.

The information provided to the board was voluminous and not easily understood, which hampered the ability of directors to fulfil their responsibilities.

Moreover, most firms lacked a formal process to independently assess the propriety of their risk governance frameworks.

Without the appropriate checks and balances provided by the board, the risk management function, and independent assessment functions, a culture of excessive risk-taking and leverage was allowed to permeate in these weakly governed firms.

Further, with the risk management function lacking the authority, stature and independence to rein in the firm's risk-taking, the ability to address any weaknesses in risk governance identified by internal control assessment and testing processes was obstructed.

The peer review found that, since the crisis, national authorities have taken several measures to improve regulatory and supervisory oversight of risk governance at financial institutions.

These measures include developing or strengthening existing regulation or guidance, raising supervisory expectations for the risk management function, engaging more frequently with the board and management, and assessing the accuracy and usefulness of the information provided to the board to enable effective discharge of their responsibilities.

Nonetheless, more work remains; national authorities need to strengthen their ability to assess the effectiveness of a firm's risk governance, and more specifically its risk culture, to help ensure sound risk governance through changing environments.

Supervisors will need to undergo a substantial change in approach, since assessing risk governance frameworks entails forming an integrated view across all aspects of the framework.

The peer review also asked supervisors to evaluate progress made by their surveyed firm(s) toward enhanced risk governance in seven areas.

To provide some consistency to this exercise, the review team developed high-level criteria to assist supervisory evaluations of firms' progress, drawing from a compilation of relevant principles, recommendations and supervisory guidance.

The high-level criteria were viewed as fundamental prerequisites for risk governance frameworks.
This evaluation found that many of the best risk governance practices at surveyed firms are now more advanced than national guidance.

This outcome may have been motivated by firms' need to regain market confidence rather than regulatory requirements.

Firms have made particular progress in:

• assessing the collective skills and qualifications of the board as well as the board's effectiveness either through self-evaluations or through the use of third parties;
• instituting a stand-alone risk committee that is composed only of independent directors and having a clear definition of independence;
• establishing a group-wide chief risk officer (CRO) and risk management function that is independent from revenue-generating responsibilities and has the stature, authority and independence to challenge decisions on risk made by management and business lines; and
• integrating the discussions among the risk and audit committees through joint meetings or cross-membership.

Although many surveyed firms have made progress in the last few years, significant gaps remain, relative to the criteria developed, particularly in risk management.

There were also differences in progress across regions, with firms in advanced economies having adopted more of the desirable risk governance practices.

The results of the supervisory evaluations were grouped by: (i) all surveyed firms; (ii) firms identified by the FSB and Basel Committee on Banking Supervision (BCBS) as global systemically important financial institutions, or G-SIFIs; and (iii) firms that reside in advanced economies (AEs) or emerging market and developing economies (EMDEs).

In summary, across the seven areas evaluated, firms have made the most progress in defining the board's role and responsibilities, and reasonable progress in their approach to risk governance and the independent assessment of risk governance.

The supervisory evaluations, however, indicate that surveyed firms should continue to work toward defining the responsibilities of the risk committee and strengthening their risk management functions, as nearly 50 percent of surveyed firms did not meet all of the evaluation criteria in these areas.

By type of institution, surveyed G-SIFIs are more advanced than other financial institutions in defining the responsibilities of the board and risk committee, conducting independent assessments of risk governance, providing relevant information to the board and risk committee, and to some extent more advanced in the risk management function.

These results support the finding that the firms in the regions hardest hit by the financial crisis have made the most progress.

Meanwhile, supervisory evaluations of firms that reside in EMDEs show that nearly 65 percent did not meet all of the criteria for the risk management function.

These gaps need immediate attention by both supervisors and firms. Other significant findings coming out of the review include the following:

• National authorities do not engage on a sufficiently regular and frequent basis with the board, risk committee and audit committee. Several jurisdictions hold such meetings only once a year or on an as-needed basis.
• Good progress has been made toward elevating the CRO's stature, authority, and independence. In many firms, the CRO has a direct reporting line to the chief executive officer (CEO) and a role that is distinct from other executive functions and business line responsibilities (e.g., no "dual-hatting"). This elevation, however, needs to be supported by the involvement of the risk committee in reviewing the performance and setting the objectives of the CRO, ensuring that the CRO has access to the board and risk committee without impediment (including reporting directly to the board/risk committee), and facilitating periodic meetings with directors without the presence of executive directors or other management.

• More work is needed on the part of both national authorities and firms on establishing an effective risk appetite framework (RAF). Assessing a firm's RAF is a challenging task that requires greater clarity and an elevated level of consistency among national authorities.

• Supervisory expectations for the independent assessment of internal control systems by internal audit or other independent function were well-established prior to the crisis. As such, this is an area that demonstrated relatively sound practices across the FSB membership at both national authorities and firms. However, no jurisdiction had specific expectations for internal audit to periodically provide a firm-wide assessment of risk management or risk governance processes.

• Nearly all firms have an independent chief audit executive (CAE) who reports administratively to the CEO and the audit committee chair and who directly reports audit findings to a permanent audit committee. However, there is still room for improving the CAE's access to directors beyond those on the audit committee.
Drawing from the findings of the review, including discussions with industry organisations as well as risk committee directors and CROs of several firms that participated in the review, the report identifies some of the better practices exemplified by national authorities and firms to collectively form a list of sound risk governance practices.

It also draws on some of the relevant principles and recommendations for risk governance published by other organisations and standard setting bodies.

No one single authority or firm, however, demonstrated all of these sound practices.

This integrated and coherent list of sound practices aims to help national authorities take a more holistic approach to risk governance, rather than looking at each facet in isolation, and may provide a basis for consideration by authorities and standard setting bodies as they review their guidance and standards for strengthening risk governance practices.

The review sets out several recommendations to ensure the effectiveness of risk governance frameworks continues to improve by targeting areas where more substantial work is needed.

While the review focused on banks and broker-dealers that are systemically important, these recommendations apply to other types of financial institutions, including insurers and financial conglomerates.

Recommendations:

1. To ensure that firms' risk governance practices continue to improve, FSB member jurisdictions should strengthen their regulatory and supervisory guidance for financial institutions, in particular for SIFIs, and devote adequate resources (both in skills and quantity) to assess the effectiveness of risk governance frameworks.

In particular, national authorities should consider the following sound risk governance practices:
• Set requirements on the independence and composition of boards, including requirements on relevant types of skills that the board, collectively, should have (e.g., risk management, financial industry expertise) as well as the time commitment expected.

• Hold the board accountable for its oversight of the firm's risk governance and assess if the level and types of risk information provided to the board enable effective discharge of board responsibilities. Boards should satisfy themselves that the information they receive from management and the control functions is comprehensive, accurate, complete and timely to enable effective decision-making on the firm's strategy, risk profile and emerging risks. This includes establishing communication procedures between the risk committee and the board and across other board committees, most importantly the audit and finance committees.

• Set requirements to elevate the CRO's stature, authority, and independence in the firm. This includes requiring the risk committee to review the performance and objectives of the CRO, ensuring the CRO has unfettered access to the board and risk committee (including a direct reporting line to the board and/or risk committee), and expecting the CRO to meet periodically with directors without executive directors and management present. The CRO should have a direct reporting line to the CEO and a distinct role from other executive functions and business line responsibilities (e.g., no "dual-hatting"). Further, the CRO should be involved in activities and decisions (from a risk perspective) that may affect the firm's prospective risk profile (e.g., strategic business plans, new products, mergers and acquisitions, internal capital adequacy assessment process, or ICAAP).
• Require the board (or audit committee) to obtain an independent assessment of the design and effectiveness of the risk governance framework on an annual basis.

• Engage more frequently with the board, risk committee, audit committee, CEO, CRO, and other relevant functions, such as the CFO, to assess the firm's risk culture (e.g., the "tone at the top"), whether directors provide effective challenge to management's proposals and decisions, and whether the risk management function has the appropriate authority to influence decisions that affect the firm's risk exposures.

2. The relevant standard setting bodies (e.g., BCBS, IAIS, IOSCO, OECD) should review their principles for governance, taking into consideration the sound risk governance practices listed in Section V.

3. Risk culture plays a critical role in ensuring effective risk governance endures through changing environments. The FSB Supervisory Intensity and Effectiveness group has agreed to implement the recommendation from the 2012 FSB progress report on enhanced supervision to explore ways to formally assess risk culture, particularly at G-SIFIs. This work should be completed by September 2013.

4. To improve their ability to assess firms' progress toward more effective risk management, national authorities should provide guidance on the key elements that are incorporated in effective risk appetite frameworks. To enable firms to define frameworks with a minimum amount of comparability despite their firm-specific nature, a common nomenclature for terms used in risk appetite statements (e.g., "risk appetite", "risk capacity", "risk limits") should be established. The FSB Supervisory Intensity and Effectiveness group, in collaboration with relevant standard setters, has agreed to finalise this work by the end of 2013.
5. The FSB should consider launching a follow-up review on risk governance after 2016 (i.e., after the G-SIFI policy measures begin to be phased in), to assess national authorities' implementation of the recommendations to strengthen their supervisory guidance and oversight of risk governance. The review also should include the G-SIFIs identified in 2014 by the FSB in collaboration with the BCBS and IAIS.

I. Introduction

Increasing the intensity and effectiveness of supervision to reduce the moral hazard posed by SIFIs is a key component of the FSB's policy measures, endorsed by G20 Leaders.

Since the onset of the global crisis, supervisors have intensified their oversight of financial institutions, particularly SIFIs, so as to reduce the probability of their failure.

Specifically, supervisory expectations of risk management functions and overall risk governance frameworks have increased, as this was an area that exhibited significant weaknesses in many financial institutions during the global financial crisis.

While supervisors are responsible for assessing whether a firm's risk governance framework and processes are adequate, appropriate and effective for managing the firm's risk profile, the firm's management is responsible for identifying and managing the firm's risk.

In October 2011, the FSB agreed to conduct a thematic peer review on risk governance to assess progress toward enhancing practices at national authorities and firms (banks and broker-dealers).

For purposes of this review, risk governance collectively refers to the role and responsibilities of the board, the firm-wide CRO and risk management function, and the independent assessment of the risk governance framework (see Chart 2).
• Board responsibilities and practices: The board is responsible for ensuring that the firm has an appropriate risk governance framework given the firm's business model, complexity and size, which is embedded into the firm's risk culture. How boards assume such responsibilities varies across jurisdictions.

• Firm-wide risk management function: The CRO and risk management function are responsible for the firm's risk management across the entire organisation, ensuring that the firm's risk profile remains within the risk appetite statement (RAS) as approved by the board. The risk management function is responsible for identifying, measuring, monitoring, and recommending strategies to control or mitigate risks, and reporting on risk exposures on an aggregated and disaggregated basis.
• Independent assessment of the risk governance framework: The independent assessment of the firm's risk governance framework plays a crucial role in the ongoing maintenance of a firm's internal controls, risk management and risk governance. It helps a firm accomplish its objectives by bringing a disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. This may involve internal parties, such as internal audit, or external resources such as third-party reviewers (e.g., audit firms, consultants).

The peer review did not focus on other relevant dimensions of risk governance, such as risk disclosures and firm-wide compensation practices (since these areas have been covered by previous FSB peer reviews) or risk data aggregation capabilities at banks (since this topic is being covered by a task force of the BCBS).

Separately, the International Association of Insurance Supervisors (IAIS) launched a peer review at the end of 2012 against its Core Principles on governance and risk management and internal controls.

There is currently no single set of principles and standards that comprehensively addresses and integrates risk governance requirements; however, a number of different standards and recommendations on good governance frameworks are relevant.

The review therefore did not assess compliance with any specific standard, but used a compilation of existing standards and recommendations (as appropriate) to take stock of risk governance practices at both national authorities and firms, and to identify any gaps therein.

Supervisors were asked to evaluate firms' progress and the review team developed high-level criteria to provide some consistency to this exercise.

The findings of the review were based on the responses to questionnaires from FSB member jurisdictions and from the 36 banks and broker-dealers that FSB members deemed as significant for the purpose of the review.

Section II takes stock of national authorities' initiatives to strengthen oversight of firms' risk governance frameworks and describes the range of supervisory practices in four broad areas:

• The board and its committees;
• The firm-wide risk management function, including the CRO;
• The independent assessment of the firm-wide risk management framework by internal audit and/or third parties; and
• The supervisory assessment of risk governance frameworks.

Section III examines risk governance practices at surveyed firms and the changes made since the financial crisis. In addition to the responses to the questionnaire, the findings draw on the outcomes of discussions with industry organisations as well as risk committee directors and CROs of several firms that participated in the review. National supervisors were asked to assess firms' progress toward enhancing key risk governance functions, as well as the accuracy and completeness of the responses provided by firms headquartered in their jurisdiction.

Section IV sets out the conclusions and recommendations drawn from the findings of the review, which is followed by a list of sound risk governance practices that encompass an overlay of supervisory expectations for sound practices at firms.
II. National authorities' oversight of risk governance practices

Since the financial crisis, national authorities have increased their supervisory focus on risk governance, which is a critical element for promoting a more resilient financial system.

Underpinning the range of reforms is the issuance in 2010 of the BCBS Principles for Enhancing Corporate Governance and the OECD publication on Corporate Governance and the Financial Crisis – Conclusions and Emerging Good Practices.

Some of the notable changes embedded in regulatory and supervisory guidance include:

• introducing explicit requirements for the establishment of a risk committee;
• conveying expectations to strengthen the risk management function, including the stature and qualifications of the CRO;
• introducing additional requirements for risk governance at SIFIs;
• enhancing the mandate and resources of supervisory authorities in relation to risk governance oversight;
• increasing the intensity of engagement between the supervisor and the board and senior management on risk governance issues; and
• adjusting the supervisory risk assessment process, particularly increasing the focus on risk governance across different business models.

Annex C provides more details on the initiatives FSB members have taken to strengthen oversight of risk governance practices, including implementation of other relevant principles such as the FSB principles for sound compensation practices and recommendations put forward in the 2009 report by the Senior Supervisors Group (SSG) on risk management practices during the financial crisis.
While supervisory guidance has improved, progress has been uneven across the functions that collectively form the risk governance framework.

Based on the findings from the review, some areas where more supervisory requirements and/or guidance would be useful include:

• A clear definition of independence which is separate from non-executive director;
• The establishment of a stand-alone risk committee that is composed of independent directors;
• The level and types of risk information firms should provide as well as the frequency of risk reporting;
• The key features of an effective risk appetite framework to help supervisory evaluations; and
• The ways internal audit can provide feedback on whether a firm's risk governance processes are keeping pace with trends and/or align with best practices.

The next four sub-sections summarise existing supervisory expectations for the three key risk governance functions and examine authorities' approaches to assessing the implementation of supervisory expectations.

1. The board and its committees

Regulatory and supervisory guidance specifying the role and responsibilities of the board is prevalent across the FSB membership, including among other things for risk governance.

A key responsibility of the board is to approve the firm's overall business strategy and RAF.

As such, the board has ultimate responsibility for the firm's risk management, including setting the risk culture of the firm and overseeing management's implementation of the agreed business strategy.
To ensure that boards are focused on the higher-level strategic and risk issues, supervisors are engaging more frequently with the board, in particular with independent directors.

The definition of what constitutes effective risk governance is evolving; however, supervisors highlight the importance of the board setting the "tone at the top" in regard to the firm's strategy and risk culture and challenging management on the adherence to the agreed risk appetite.

1.1 Board composition

The leadership structure to oversee the firm's risk management varies across jurisdictions.

Most jurisdictions require the establishment of a permanent audit committee, which has a longer history than other board sub-committees, driven by requirements from securities regulators to provide assurance to the quality of the financial information provided by registered financial institutions.

As such, more specific regulatory and supervisory requirements for the composition and independence of the audit committee are set out than for the risk committee.

For example, a number of jurisdictions require the audit committee to comprise a majority of independent or non-executive directors, several jurisdictions require the audit committee chair to be independent (or in some cases a non-executive), and in a few jurisdictions the participation of the chair of the board is restricted.

The establishment of a stand-alone risk committee is less prevalent and the requirement typically applies to large, complex financial institutions (e.g., firms with many legal entities and/or cross-border operations).

Where stand-alone risk committees exist, several jurisdictions require risk committee members to have expertise in risk-related disciplines and only a few jurisdictions require a minimum number of independent directors.
In Hong Kong, however, forthcoming changes will require all, or the majority, of the members of the risk committee to be non-executive directors.

Annex D provides further details on the regulatory and supervisory guidance for the composition of the board and sub-committees, but some of the key features include:

• Independence: Many jurisdictions have established general requirements concerning the independence of the board to ensure that there is objective judgement and decision-making on the board. Many jurisdictions also set out quantitative minimums for the number of independent directors on the board. Some other jurisdictions only set quantitative minimums for the number of non-executive directors, which does not necessarily ensure independent judgement on the board.

• Expertise: Regardless of the board structure, the board needs to comprise members who collectively bring a balance of expertise, skills, experience and perspectives while exhibiting the objectivity to ensure decisions are based on sound judgement and thoughtful deliberations. Many jurisdictions conduct periodic reviews of the performance, training and skills needed in the board and risk committee. Requiring specific skills for all directors is a common practice (usually subsumed in "fit and proper" tests) and typically includes relevant knowledge, experience and skills in finance and/or business. Several jurisdictions not only look at individual qualifications but also take a holistic view of the board, examining their collective skills and qualifications. In addition to having certain skills and qualifications, some jurisdictions require directors to have the capacity to dedicate sufficient time and energy in reviewing information and developing an understanding of the key issues related to the firm's activities.

1.2 Governance of the board

For the board to effectively supervise and manage the firm's adherence to the agreed business strategy and risk appetite, directors should be provided and have access to comprehensive information about the firm's risks.

This involves ensuring there are communication and reporting procedures across board sub-committees, and several national authorities set out such requirements in their guidance (see Annex E).

However, there is little supervisory guidance provided on the level and types of risk information firms should provide as well as the frequency of risk reporting.

Importantly, the risk management reports provided to the board should contribute to sound risk management and decision-making.

The board and its committees, however, should not just rely on the information management reports provided. They should consider if there is a need for additional risk-related information, which should be made available to them when needed.

Only a few jurisdictions, however, require the board to have such access.

2. The firm-wide risk management function

Since the financial crisis, national authorities have intensified their oversight of firms' risk management practices and raised their expectations for what is considered strong risk management, which is integral to the core business of a financial institution.
The failure to have a strong, independent risk management function can lead to ill-informed boards and senior management teams as well as imprudent decisions. The risk management function should be responsible for the firm’s risk management framework across the entire organisation, ensuring that the firm’s risk limits are consistent with the RAS and that risk-taking remains within those limits. Stress tests and scenario analyses are viewed as a useful tool for identifying firms’ vulnerabilities and developing risk management strategies to address the risks identified. To fulfil these responsibilities, risk management functions should be led by an influential and highly effective CRO.

2.1 Governance of the risk management function

Supervisors have increased their expectations for the risk management function and are evaluating the CRO’s stature, authority, qualifications, and independence within the firm. As the crisis demonstrated, these are prerequisites for the CRO to be able to influence the firm’s risk-taking activities directly and through the risk management function, and to effectively inform the board as risks evolve, are identified, and are taken.

Annex F provides more information on the governance around the risk management function, but some supervisory practices regarding the CRO function include:

• Independence: Most jurisdictions require the CRO and/or risk management function to be independent; that is, to have a distinct role from the other executive functions, revenue-generating functions and business line responsibilities.

• Stature: The CRO and risk management function should have sufficient stature in the organisation to influence the firm’s risk-taking activities.
In this regard, some jurisdictions have supervisory guidance that requires the CRO to report and have direct access to the board. To elevate the CRO’s stature, Singapore expects the dismissal of the CRO to be approved by the board.

• Authority: To effectively fulfil its role, many jurisdictions[30] require the CRO to have the authority to influence decisions that affect the firm’s exposure to risk, and several jurisdictions set out explicit expectations for the CRO to be able to challenge management’s recommendations and decisions and communicate directly with senior management and with the board.

• Qualifications: “Fit and proper” tests are commonly used to assess the qualifications and competencies of the CRO in many FSB member jurisdictions. In addition, the appointment of the CRO is approved by authorities in China, Germany (if the CRO is a member of the management board), and Singapore, while the United Kingdom interviews CRO candidates. Many jurisdictions evaluate the CRO through their on-going supervisory processes.

2.2 Risk appetite framework

Assessing a firm’s RAF is a challenging task that requires greater clarity and an elevated level of consistency among national authorities. At the core of the RAF is the firm’s RAS, which has become an effective tool for enhancing the discussions between supervisors and boards about the firm’s strategic direction in terms of risk taking. However, a key challenge toward assessing the effectiveness of a firm’s RAS is a lack of common terminology for risk appetite, risk profile, and risk capacity used within firms, across firms and across national authorities.
This is an area that is developing in many jurisdictions; for instance, India, Russia and Saudi Arabia have looked at risk appetite only in the context of the BCBS ICAAP, while in Canada, France and the United States, separate processes are continuing to be put in place to assess firms’ RAFs, often drawing on assessment criteria outlined in the work of the SSG.

Supervisory reviews are underway in Canada of firms’ integration of their RAF with the strategic, financial and capital planning processes and compensation practices. In Hong Kong, firms’ risk appetite is reviewed from an integrated firm-wide perspective taking into account all risks (financial and non-financial). The supervisor determines whether the firm’s RAS is comprehensive and includes the appropriate risk targets that are consistent with each other. The supervisor will also determine whether the RAS has a wide range of measures and actionable elements and whether robust procedures and controls are in place for the setting and monitoring of the agreed risk appetite. National authorities in Singapore assess annually firms’ link between risk appetite, strategic objectives, capital planning and operational budget planning. Supervisors also review the firm’s progress in the translation of risk appetite into limits and triggers by risk type, as well as their monitoring and reporting procedures. In Switzerland, supervisors regularly review the risk limit frameworks and there must be an established link between the limits and the strategy.

2.3 Stress testing

The objective of stress tests and scenario analyses is to assess the unanticipated losses that a firm may incur under certain stress scenarios and the impact that may have on its business plans, risk management strategies or capital plans. The use of stress tests in firms’ risk governance and capital planning has increased in recent years, with the results serving as an input into the firm’s strategic decision-making. As firms are increasingly linking stress test results to risk appetite, ICAAP, contingency planning, and recovery and resolution plans, supervisory approaches to stress testing are evolving accordingly.

In Canada, supervisors assess whether chosen scenarios are appropriate for the portfolio of the institution, including severe shocks and periods of severe and sustained downturns and, where relevant, an episode of market turbulence or a shock to market liquidity, and whether the frequency and timing of stress testing is sufficient to support timely management action. Similarly, supervisors in Hong Kong assess the coverage of stress tests and the types of stress scenarios and parameters chosen in relation to the firm’s risk tolerance, overall risk profile and business plan; appropriateness of assumptions; adequacy of policies and procedures; the adequacy of the firm’s contingency planning for action to be taken should a particular stress scenario happen; the level of oversight exercised by the board and senior management on the stress-testing program and results generated; and the adequacy of the firm’s internal review and audit of its stress-testing program.

Indeed, supervisory attention now includes both the outcomes of stress tests and the effectiveness of the firms’ stress testing processes. For instance, Singapore, Switzerland and the United Kingdom have dedicated teams to review stress testing practices at firms, and China, Germany, and Hong Kong expect firms’ internal audit functions to assess the effectiveness of risk management systems in general, including stress tests.
3. Independent assessment of firms’ risk governance framework

Strong internal control systems are a key element of sound risk governance. The board is responsible for overseeing the implementation of an effective risk governance framework and, as such, should directly oversee the independent assessment process. An assessment that is independent from the business unit and the risk management control function can assist the board in judging whether the risk governance framework, internal controls and oversight processes are operating as intended. This may be performed by internal audit or by third parties such as audit firms or consultants. Regardless of the approach, it is critical that the assessment result in an overall opinion on the design and effectiveness of the risk governance framework and be performed by individuals with the skills needed to produce a reliable assessment. Currently, audit functions at only a few firms provide overall opinions regarding the risk governance framework.

3.1 Internal audit

Across the FSB membership, regulatory or supervisory expectations exist for internal audit. Annex G provides a comparison of key regulatory and supervisory expectations with the most notable elements, including:

• Independence: Nearly all jurisdictions[38] require firms to have a permanent internal audit function that is independent from business lines, support functions (e.g., treasury, legal), and risk management.
Firms are also required to explicitly link the independence of internal audit to auditor compensation or career plans. Regardless of the direct reporting lines, most jurisdictions expect internal audit to have unfettered access to the board when reporting internal audit results.

• Stature: Several jurisdictions expect internal audit to report directly to the board, a committee thereof, or an independent director. The direct reporting relationship involves the responsible party determining the CAE’s compensation, completing the CAE’s annual performance evaluation, approving the CAE’s budget, and/or otherwise ensuring the CAE is not unduly influenced by the CEO or other members of the management team. While the CAE may report to the CEO on day-to-day administrative matters, all substantive decisions regarding the CAE and internal audit function are made at the board level. In Singapore, Hong Kong, and Indonesia, the dismissal of the CAE requires the audit committee’s approval.

• Qualifications: All FSB members have established requirements or expectations for the CAE and internal audit staff to have the skills necessary to effectively carry out their duties. Supervisory assessments generally consider the technical knowledge, experience, and character of individuals within the internal audit function.

• Scope, coverage, and frequency: Many jurisdictions[41] expect internal audit to assess and/or opine on risk management or risk governance processes, as well as internal controls. Expectations for the scope, coverage, and frequency of such assessments vary widely.
However, almost all jurisdictions expect internal audit to assess the organisation and mandates of the risk management function(s) and the adequacy of systems and processes for assessing, controlling, responding to, and reporting the firm’s risks. No jurisdiction indicated that it expects internal audit to periodically provide a firm-wide assessment of risk management or risk governance processes.

• Risk appetite framework: Many jurisdictions expect internal audit to assess compliance with the board-approved risk appetite. In the United Kingdom, internal audit is expected to ensure that procedures are in place to report breaches in the firm’s risk appetite to the board.

• Benchmarking: Most jurisdictions indicate that internal audit should be aware of industry trends/best practices and that auditors should consider such knowledge when conducting their work. However, no jurisdiction had specific expectations for internal audit to opine on whether a firm’s risk governance processes are keeping pace with trends and/or align with best practices.

• Remediation process: There is a wide range of expectations for internal audit to follow up on remedial actions to address material deficiencies, and several jurisdictions expect internal audit to report the results of its follow-up activities to the board. Nearly all jurisdictions indicated that they require some form of follow-up and reporting.

• Chief audit executive: All jurisdictions indicate that supervisors consider the CAE’s performance when assessing the quality of internal audit. Such assessments may be performed off-site, within on-site inspections, and/or through regular meetings with the CAE and internal audit staff.
In Saudi Arabia, the appointment of the CAE requires a “no objection” from the central bank, and in Indonesia, banks are required to report to bank supervisors the appointment and dismissal of their CAE.

3.2 Third parties

Employing third parties could help to enhance the quality of firms’ independent assessments by providing an unbiased opinion of a firm’s risk governance framework, as many internal audit functions are staffed with individuals whose experience may be limited to the practices employed by one or two firms. In addition, third parties often have a broader understanding of leading industry practices, especially in highly technical areas. Most jurisdictions allow the use of third parties to assess a firm’s risk governance framework, and in China and the Netherlands, the external auditor also assesses the effectiveness of the internal audit function.

Many jurisdictions appropriately stipulate through regulation or guidance that:

• The use of a third party does not relinquish the board or management from ultimate responsibility for ensuring the reliability of the independent assessments, and

• Large and complex firms should not become overly reliant on third parties to provide expertise that should be developed within the firm’s internal audit function.

France specifically requires that outsourcing arrangements be engaged and overseen by internal audit to ensure independence and that internal audit maintains accountability for the scope, coverage, and frequency of work. Several jurisdictions, however, restrict the use of third parties.
For instance, in Italy, internal audit work can be outsourced only by small credit institutions with limited operational complexity. Meanwhile, in South Africa the central bank must approve any outsourcing activity, and in Korea, the use of third parties to assess a firm’s risk governance framework is not regulated.

4. Supervisory approaches toward assessing risk governance frameworks

Supervisors play a crucial role in assessing the adequacy of a firm’s risk governance framework and the practices employed by a firm to independently assess its framework. Supervisory expectations for risk governance practices outlined above are generally set out within the legal framework through a combination of legislation, regulation and supervisory guidance; however, the approach varies considerably across jurisdictions. Australia and Canada complement their standards with written guidance provided to the industry to assist with the implementation of prudential requirements and adoption of good practices.

Supervisory approaches toward assessing implementation of regulatory or supervisory guidance encompass a variety of steps (e.g., on-site inspections, off-site reviews, horizontal reviews). Supervisory assessments generally occur at least once a year across the FSB membership, though in Argentina assessments take place every 18 months and the United Kingdom is moving from a bi-annual assessment toward a system of continuous supervision. Several jurisdictions take a risk-based approach to on-site examinations, focusing on riskier institutions. In the United States, national authorities have on-site teams with expertise to assess the governance practices at the largest and most complex banks on a real-time basis.
In China, joint regulatory meetings are held on a regular basis between the firm’s head office, its branches, and the regulatory authority where the branches are located. Meetings with directors and senior management provide another avenue for national authorities to assess firms’ risk governance practices. Annex H provides more information on the approaches taken to assessing firms’ risk management frameworks.

Supervisors receive a wide range of risk reports or information from firms on their risk management practices, including from external auditors or other third parties as well as supporting documentation requested during on-site inspections. Standardised financial and risk reporting is a common practice; however, the types of reports or information provided vary. For instance, in Argentina, new reporting requirements will request quantitative measures for risk governance and formal exposure limits for each of the significant risks and stress test information; in Hong Kong and elsewhere, regular prudential reporting data and ad hoc requests for peer group analysis are utilised, e.g., stress test capital analysis and horizontal credit reviews of common (problem) loan accounts; and in Canada and Singapore, supervisory teams work with risk specialists to identify trends that can trigger additional investigations or reviews.

National authorities have access to a broad set of supervisory tools to incentivise firms to remediate deficiencies within their risk governance framework, depending on the severity of the deficiency. These tools include moral suasion, capital surcharges, restrictions on certain business activities, imposing fines and penalties, and the ultimate penalty of withdrawing bank licences. While a large number of supervisory authorities can use a number of these tools, a few have limited supervisory powers to scale the sanction based on the severity of the infraction, raising concerns over their ability to effectively intervene early where necessary when risks start to surface. Moreover, even though some national authorities have the authority to impose fines, this is difficult to implement in practice, for instance, due to cumbersome processes or supervisors lacking the will to act.

III. Firms’ risk governance practices

The financial crisis spurred fundamental changes in risk governance practices at financial institutions, and in many cases, surveyed firms are ahead of regulatory and supervisory guidance. In general, surveyed firms that were most affected by the crisis have made the greatest advancements, perhaps necessitated by a need to regain market confidence. Firms that were less troubled by the crisis, however, have increased the intensity of the measures that they had in place pre-crisis.

Some of the most obvious changes include:

• Consolidating and raising the profile of the risk management function across banking groups through the establishment of a group CRO, increasing the stature and authority of the CRO and increasing the CRO’s involvement in relevant internal committees.

• Changing the reporting lines of the risk management function so that the CRO now reports directly to the CEO while also having a direct link to the risk committee.

• Intensifying the oversight of risk issues at the board through creation of a stand-alone risk committee, supported by greater links with the risk management function and other risk-related board committees, particularly audit and compensation committees.
Cross-membership of the audit committee and risk committee is now quite common, with some firms involving (or at least inviting) the chair of the board, even the full board, onto the risk committee. The time commitment of independent directors has increased considerably over the past several years.

• Upgrading the skills requirements of independent directors on the risk committee and expecting these members to commit more time to these endeavours. The composition of boards has changed considerably, with many non-executive directors now having financial industry experience; the dominance of members from industrial companies or major shareholders is much less than a decade ago.

• Changing the attitude toward the ownership of risk across the firm, with the business line now being much more accountable for the risks created by their activities than previously.

In addition to changing the composition and improving the strength of the board, there have been major developments in how firms analyse risks and the associated tools utilised, such as RAFs, stress tests and reverse stress testing. One of the key lessons from the crisis was that reputational risk was severely underestimated; hence, there is more focus on business conduct and the suitability of products, e.g., the type of products sold and who they are sold to. As the crisis showed, consumer products such as residential mortgage loans could become a source of financial instability.

The next four sub-sections summarise the findings from the surveyed firms regarding the three key risk governance functions and provide a summary of the supervisory evaluations of firms’ progress.
1. The board and its committees

The board is responsible for ensuring that the firm has an appropriate risk governance framework that is commensurate with the firm’s strategy, complexity and size. The board’s role and responsibilities for risk governance are generally defined in the board’s charter and include approval of the firm’s strategy and overseeing its implementation, setting out the guidelines and policies for risk management, and ensuring the firm’s internal controls are robust. The board is also responsible for formulating the mandate and responsibilities of its committees such as the risk and audit committees. For instance, audit committees should ensure business units have effective remediation plans to address any control weaknesses noted by internal audit.

Some firms have developed a Corporate Governance Framework or Code where all rules regarding the roles, responsibilities and oversight functions of the board are assembled. Establishing an enterprise or firm-wide risk management framework can help to provide an overview of risk policy architecture and process.

Having a stand-alone risk committee is a common practice even though it is not required by all national authorities. Firms generally ensure that the risk committee, which is responsible for overseeing senior management’s implementation of the risk strategy, covers all the risks faced at the firm-wide level, including financial risks as well as operational, compliance, legal and regulatory risks. Regular meetings are held with senior management and the CRO to discuss performance of the business unit and compliance with the RAS and risk limits.
Material risks are presented and discussed on both an aggregate basis and by type of risk. A few firms, however, noted the challenge of aggregating risks due to the complexity of the organisation, underscoring the importance of risk committees addressing information challenges arising from the complexity of large firms.

An effective governance structure has measures to prevent concentration of power and responsibility, such as requiring a number of independent directors, representation of certain skills and qualifications on the board, and the board regularly evaluating its effectiveness. It is common for boards to have independent directors; some firms establish minimum quantitative requirements, ranging from a minimum of one-third to three-quarters of the board. Most firms provide a definition of independence in the board’s charter, which is embedded in the firm’s governance framework. The risk committee often comprises only independent directors.

There is a wide range of practice regarding the qualifications for members of the board and risk committee; one firm highlighted that the skills required by the board are evolving, in part reflecting the risks taken by the firm. Some firms perform a matrix analysis of the experience and expertise of each director to identify skills needed from incoming directors.

There is also a wide range of practice involving limitations linked to board structure, including:

(i) The preclusion of the chair of the board from being chair of either the risk or audit committee;

(ii) The separation of the roles of the CEO and chair of the board; and

(iii) Limited tenure on a committee.

Periodic reviews of the performance of the board and risk committee are a common practice. Reviews are conducted by the board nomination or governance committees or by the entire board. In some cases, external parties may be employed. Such reviews may include an assessment of training and skills needed on the board. In some firms, the board considers the functioning of its overall committee structure, including the number and types of committees and the highest and best use of board members’ expertise. They also evaluate the reporting by the committees to the full board.

The board and risk committee are able to receive information, both formally and informally, directly from the CRO or the risk management function. It is becoming a common practice for the CRO to report information directly to the board; the risk reports are usually standardised in terms of formality, frequency and content. Both the overall risk level of the firm and information for each risk type are included in the reporting template (e.g., a heat map of identified risk categories across regions, global business, and a report with the top and emerging risks faced by the firm). Some firms explicitly define and document the information that the board and risk committee shall receive, set the agenda at the beginning of the year, and circulate to members in advance of meetings the relevant material to support the agenda item. Some firms require internal audit, or a third party, to verify the accuracy, comprehensiveness and completeness of information provided to the board and risk committee.
Other firms satisfy themselves through discussions with management or conduct self-assessments of the effectiveness of the information provided to the board.

2. The risk management function

Since the financial crisis, many firms have improved risk management. Some of the most obvious changes relate to the governance processes around the risk management function; there also have been major changes in how risks are analysed and communicated and the associated tools that are utilised.

2.1 Governance of the risk management function

Since the financial crisis, many firms have strengthened how their risk management functions are structured, resourced, compensated, who the function is accountable to, as well as its overall mandate. In many ways, these changes are bringing the governance arrangements for the risk management function up to the standard that has typically applied to the internal audit function for several years. Firms are therefore encouraged to at least consider the validity of any remaining differences in governance processes that surround the two functions.

One of the most common improvements made by firms over the past five years has been to consolidate and raise the profile of the risk management function through the establishment of a group-wide CRO. The CRO and the risk management function generally have been given more stature, authority and independence compared to the pre-crisis period. Almost all firms reported that they now have a CRO with firm-wide responsibility for risk management who operates independently.
Assessment of the CRO’s stature, authority and independence includes the process for appointment, dismissal and performance evaluation of the CRO as well as the staffing requirements of the risk management function more generally. Only a few firms noted that the chair of the risk committee is involved in the performance assessment of the CRO. Further, only a few firms link the adequacy and qualifications of the risk management staff to an annual process that takes into consideration the strategy of the firm going forward.

Most firms noted that the CRO has a direct reporting line to the CEO (versus another business unit), which represents a major improvement since the crisis. However, there are still examples cited at a small number of firms where the CRO does not have a direct reporting line to the CEO. A few firms require the CRO to have a direct reporting line to the board, which helps to boost the stature of the CRO. A large number of firms also noted that their CRO is able to “access” the board, generally through the risk committee, but it is unclear how this is done in practice.

Almost all firms operate with a CRO who is separate from revenue-generating responsibilities or other executive functions (that is, “dual-hatting” of the CRO’s responsibilities is avoided). Such a structure is essential for the CRO’s independence. This separation of responsibilities has been reinforced by many firms re-structuring their risk management functions under a group-wide CRO, with regional or business line CROs having a direct reporting line to the group CRO, rather than to the regional or business line heads as had occurred in the past.
To preserve the independence intended from such structures, ‘dual-hatting’ of responsibilities should also be avoided for those senior positions in the risk management function that report to the group CRO, particularly at globally active, complex firms. At some firms, the CRO reports to the CFO or, in a few exceptional cases, one person assumes the responsibilities of both the CRO and CFO. In addition, there are instances at some firms where the CRO is assigned other functional, albeit non-revenue generating, responsibilities. Where this relates to the oversight of functions such as compliance and anti-money laundering, the concern is more about the risk of over-burdening the CRO, particularly in more complex, global institutions, than the potential for conflict of interest per se.

Indeed, much progress has been made toward elevating the stature and independence of the CRO. While the role of the CRO has broadened and includes involvement in a number of key processes and internal committees that require inputs from the risk management function, other important processes warrant greater participation of the CRO, such as:

• Mergers and acquisitions. While the analysis of a proposed merger or acquisition would be submitted to the board or a committee for approval, the CRO generally takes part in the process as a member of the committee. Only a few firms require the CRO to prepare a formal risk opinion on planned mergers and acquisitions.

• Strategic planning process. Traditionally, the CRO is responsible for the oversight of the existing risk profile of the firm and of those risks being taken on a day-to-day basis as a result of previous business decisions. However, as indicated above, the CRO should also become increasingly involved, in a more proactive manner, in the activities and plans that deal with prospective business risk, including those risks which may arise from the execution of the firm’s strategic business plan. The CRO should be involved in this process, from a risk perspective, by interacting with senior management and the board, understanding strategic business plans, and formally opining on the prospective risk profile and whether or not the firm has the necessary resources and systems to accommodate the resulting exposures. If such resources are not available, then space in the strategic plan should be created to ensure proper risk controls.

• Treasury function. Some firms have clearly defined the roles and responsibilities of the CRO regarding oversight of a firm’s treasury function. However, there is a range of practice surrounding the organisational relationship between these two functions:

  – The independent liquidity risk control function has responsibility for the management and control of liquidity risk, and that function reports directly to the CRO;

  – The CRO participates as a voting member of the relevant management committee (typically the asset and liability management committee), with no specific role for the CRO defined; or

  – The CFO alone is responsible for the treasury function without any oversight from the CRO in the risk management process.

2.2 Risk management tools

Two key additions to risk management tools have been (i) the development of RAFs and (ii) more robust and severe stress testing practices. Related to this, and given the underestimation of reputational risk pre-crisis, there now is much greater focus within many firms on business conduct and the suitability of products, e.g., the type of products sold and to whom they are sold.

The RAF is an increasingly important tool in centralising the focus on the firm’s risk profile and providing a more integrated picture of the firm’s risks. Firms indicated a good degree of understanding of the key elements, objectives and uses of RAFs, which are generally in line with recent studies such as the 2010 SSG report on developments in risk appetite frameworks and IT infrastructure.

Key features of a risk appetite framework (RAF)

• RAFs help drive strategic decisions and right-size a firm’s risk profile.

• RAFs establish an explicit, forward-looking view of a firm’s desired risk profile in a variety of scenarios and set out a process for achieving that risk profile.

• RAFs include a risk appetite statement that establishes boundaries for the desired business focus and articulates the board’s desired approach to a variety of businesses, risk areas, and in some cases, product types.

• The more developed RAFs are flexible and responsive to environmental changes; however, risk appetite is definitive and consistent enough to contain strategic drift.

• RAFs set expectations for business line strategy reviews and facilitate regular discussions about how to manage unexpected economic or market events in particular geographies or products.

Discussions with firms, however, reveal that there is significant variation in the perception of how much firms have progressed in the development, comprehensiveness and implementation of their RAFs. One of the key challenges is different interpretations of essential elements, including risk appetite, risk limits, and risk capacity.
Some firms were able to report significant progress and have had an RAF for several years (in some cases since before the crisis).

These firms' RAFs were linked to the firm's strategy and integrated with most other relevant internal processes, such as budgeting, compensation plans, mergers and acquisition evaluations, new product approval, and stress testing.

These firms were able to report that the understanding of the RAF was widespread, both across functional lines and within multiple layers of their firm.

They were also able to identify clear examples of how they had used their RAF in strategic decision-making processes, such as decisions to actively reduce the complexity of their operations.

That said, even at these firms, it was recognised that operationalising an effective RAF is a continual journey that needs to evolve with changes in internal processes and the external environment.

A number of firms reported that their implementation of an RAF was more recent and, while it had been linked to the firm's strategy and integrated with some of the key internal processes, further work is envisaged, such as: linking the RAF with all the relevant internal processes; ensuring that qualitative as well as quantitative metrics are appropriately included; and, somewhat relatedly, broadening the RAF to cover those harder-to-quantify risks, such as operational, compliance and reputation risks.

For other firms, their RAFs are at an early stage of development.

While they may have a high-level framework in place, numerous gaps exist.

For example, the coverage may not extend to all relevant subsidiaries in the framework, because the risk appetite is not clearly articulated at the business level nor integrated with all the relevant internal processes.
Further, some RAFs are less developed in terms of including all the material risks the firm faces, particularly reputational and operational risks.

All firms surveyed considered risk limits to be the vehicle for operationalising the RAF at the business line level.

The communication and escalation process for any breaches seemed to be very similar across the firms surveyed: the risk management function was responsible for monitoring risk limits, metrics and breaches, and for escalating any concerns; business units have to explain breaches to the risk management committee or the board, depending on the nature and size of the exposure; the authorisation of exceptions was defined top-down; and action plans were required.

However, there were differences between firms in their approaches to departures from the RAF: some firms grant flexibility for a business line to depart from the RAF if the global risk appetite is not breached, whereas others give no flexibility for individual business lines to deviate from their business line risk limits.

Embedding the firm's agreed risk appetite statement (RAS) into the firm's risk culture remains a challenge, but several approaches have been taken by firms.

A number of firms have developed training programs and manuals (with one firm requiring relevant employees to certify every year that they have attended the training program and read the manual), but only a few firms reported that they have linked core risk objectives to staff performance management processes.

Discussions with firms revealed that a key to creating incentives for a better risk culture in firms is to link risk objectives with either compensation or career advancement prospects.

Stress testing has become a common tool for firms.
The governance around group-wide stress testing typically involves firms developing their own historical and hypothetical scenarios, though national authorities can also set scenarios.

The CRO and the risk management function generally have a central role, acting as the owner of the process or participating in the committee leading the effort.

The testing is conducted at least annually, and in many cases on a quarterly basis.

Stress test results are usually presented to the risk committee and sometimes to the national supervisor.

These processes appear to be furthest developed in advanced economies (AEs), where some firms also perform reverse stress testing and counterparty stress testing.

In contrast, some firms in emerging market and developing economies (EMDEs) have not performed stress testing on an integrated basis or are still in the process of implementing their stress testing processes.

Most firms use the stress testing results for their budgeting, RAF and ICAAP (internal capital adequacy assessment process) processes, and to set contingency plans against stressed conditions.

3. Independent assessment of firms' risk governance framework

3.1 Internal audit

Firms primarily rely on their internal audit functions to independently assess their risk governance frameworks.

In almost all cases, internal audit assesses the framework through a series of individual assurance audits, combined with some project-specific and other ongoing audit work.
A few internal audit functions demonstrate the better practice of providing an overall opinion on the risk governance framework on an annual basis.

In line with expectations established by national authorities, all of the firms' internal audit functions are organisationally separate from business lines and have unfettered access to the board.

Almost every firm reported that it has made changes to strengthen its internal audit function since 2008.

Major changes include: appointing a chief audit executive (CAE); establishing more attractive compensation plans and career paths for internal auditors; increasing both the number and the skills of internal audit staff; expanding internal audit's role and responsibilities, including participating as an observer at risk management committees and in decision-making processes; and enhancing business monitoring.

Internal audit's role and responsibilities are primarily established via an audit charter, with audit manuals detailing procedures for planning, executing and reporting audit's work.

At all surveyed firms, internal audit is responsible for assessing risk management or risk governance processes as well as internal controls.

While national authorities' expectations vary, most internal audit functions also assess:

• The appropriateness of assumptions used in scenario analysis and stress testing,
• The degree to which the firm's risk governance is keeping pace with industry trends and aligns with best practices,
• The quality and adequacy of resources within the risk management function,