The Prudential Regulation Authority (PRA) continues to focus on firms’ risk management and governance, reinforcing the importance of a robust risk culture and sound risk management practices. This attention and emphasis remain important in the wake of the latest banking crises in North America and Switzerland, and are reflected in the PRA’s regular messaging on the subject (both at a sector-specific and an individual-firm level) and in its individual and cross-firm thematic reviews of risk management and control frameworks.
However, despite this, some firms have not matured or fully embedded their risk management frameworks (RMF) across the Three Lines of Defence at sufficient pace, or have failed to ensure that lessons from past crises are definitively learned in full and thoroughly embedded across the first and second lines of defence. Both of these scenarios present a recipe for disaster for firms, their stakeholders and customers, the regulators’ objectives, and the stability of the UK financial system. Consequently, it is vital that:
When it comes to evaluating the effectiveness, maturity, and level of embeddedness of the RMF, Internal Audit (IA) practice across the Financial Services industry is mixed. This is mainly because the breadth and depth of the RMF pose challenges as to how best to provide assurance. Good practice, based on our experience of working with a significant number of IA functions across the sector, consists of IA assessing the following on a regular basis using a risk-based approach:
As well as providing assurance over the key objectives associated with these reviews, their results are also an important input informing IA’s assessment of the adequacy and effectiveness of the risk function (required to be performed under the CIIA Internal Audit Financial Services Code of Practice) and, of course, IA’s annual opinion on the organisation’s governance, risk management and internal control systems.
With respect to assessments of the risk function, good practice is for board risk committees, in conjunction with the audit committee, to consider seeking an independent evaluation of risk function effectiveness at least every three to five years – with IA functions being able to perform such assessments where they possess the capability to do so. This approach typically complements existing self-assessments of risk function effectiveness led by the Chief Risk Officer (generally reported to the board risk committee annually), which can also be considered as part of the review scope and provide further input and justification for IA’s annual opinion with respect to risk management.
If you are considering how best to:
and would like to discuss these topics further, or you need support, please reach out to a member of our team.