Risk management – Is the regulator’s messaging on the subject falling on deaf ears? How Internal Audit can support you in ensuring that it is not.

The Prudential Regulation Authority (PRA) continues to focus on firms’ risk management and governance, reinforcing the importance of a robust risk culture and sound risk management practices. Its attention and emphasis remain important in the wake of the latest banking crises in North America and Switzerland and are reflected in its regular messaging on the subject (both at a sector-specific and an individual-firm level) and in its individual and cross-firm thematic reviews of risk management and control frameworks.

However, despite this, some firms have not matured or fully embedded their risk management frameworks (RMF) across the Three Lines of Defence at sufficient pace, or have failed to ensure that lessons from past crises are fully learned and thoroughly embedded across the first and second lines of defence. Both scenarios present a recipe for disaster for firms, their stakeholders and customers, the regulators’ objectives, and the stability of the UK financial system. Consequently, it is vital that:

  • risk management is embedded within firms’ culture and is truly integrated in the organisation’s risk strategy, decision-making and objectives and not just seen as a compliance exercise;
  • effective Board and committee oversight of risk management and internal controls occurs, including oversight of the evolution of firms’ RMFs;
  • firms ensure that they can monitor, manage, and respond to current and emerging risks; demonstrate that they understand those risks; and ensure that lessons from past crises and events are fully learned, embedded, and firms are better placed to respond to similar events;
  • firms’ risk functions have appropriate standing, are adequately supported by senior management, and have a positive impact on decision-making by effectively performing their role; and
  • Internal Audit (IA) provides regular assurance (as the independent Third Line of Defence) with respect to the effectiveness, maturity, and level of embeddedness of the RMF, and the adequacy and effectiveness of the risk function.

When it comes to evaluating the effectiveness, maturity, and level of embeddedness of the RMF, IA practice across the Financial Services industry is mixed. This is mainly because the breadth and depth of the RMF make it challenging to decide how best to provide assurance. Good practice, based on our experience of working with a significant number of IA functions across the sector, consists of IA assessing the following on a regular basis using a risk-based approach:

  • the effectiveness and fitness for purpose of the design of the overarching RMF, and the adequacy of the key risk management processes, tools and systems established as part of the framework (across the firm’s risk taxonomy), given the organisational, regulatory, and wider environmental context;
  • the operating effectiveness of key risk management processes and extent to which they have been appropriately and successfully implemented within the business; and
  • the extent to which the RMF and key risk management processes have been effectively embedded in the business, including the extent to which the framework has been matured in line with the growth of the business and changes to its operating model.

As well as providing assurance over the key objectives associated with these reviews, their results are also an important input in informing IA’s assessment of the adequacy and effectiveness of the risk function (required to be performed under the CIIA Internal Audit Financial Services Code of Practice); and, of course, IA’s annual opinion on the organisation’s governance, risk management and internal control systems.

With respect to assessments of the risk function, good practice is for board risk committees, in conjunction with the audit committee, to consider seeking an independent evaluation of Risk function effectiveness at least every three to five years – with IA functions being able to perform such assessments where they possess the capability to do so. This approach typically complements existing self-assessments of risk function effectiveness led by the Chief Risk Officer (generally reported to the board risk committee annually), which can also be considered as part of the review scope and provide further input and justification for IA’s annual opinion with respect to risk management.

If you are considering how best to:

  • review the design and operating effectiveness, level of embeddedness, and maturity of your organisation’s RMF and internal control framework; and/or
  • evaluate the adequacy and effectiveness of your organisation’s Risk function;

and would like to discuss these topics further, or you need support, please reach out to a member of our team.