
Governance, Risk Management and Culture

Regulatory pressure continues to drive major change in firms' governance, risk management and culture, particularly through the introduction of the Senior Managers and Certification Regime (SMCR) in the UK. There is an increased focus on the roles and responsibilities of the second line of defence, on business culture and psychological safety in the workplace, and on the use of remuneration structures to encourage ethical behaviour towards customers.

Our view of the change in IA focus from prior year to now: 


Robust corporate governance arrangements are key to driving good culture and desired behaviour within firms. Corporate governance and culture will be at the forefront of the regulatory agenda in 2020, heightened by the implementation of the Senior Managers and Certification Regime ('SMCR') in prior years. SMCR is designed to reinforce individual accountability: Senior Managers must be able to demonstrate their adherence to the Conduct Rules and to evidence the reasonable steps they have taken in their areas of responsibility.

There are a number of areas relating to SMCR upon which firms should continue to focus:

  • Clearly defining responsibilities and articulating the delineation between individuals' responsibilities, particularly in functions that cut across the whole business, such as technology and operations, where accountability can otherwise be ambiguous.
  • Documenting the reasonable steps taken by Senior Managers in a consistent and practical way, so that the evidence exists before it is needed rather than being reconstructed after an event.
  • Ensuring that Fit and Proper assessments are robust, performed on the required cycle and adequately documented.

IA's role

IA is already focusing on this area, and the frequency and robustness of reviews carried out over corporate governance frameworks and board effectiveness are expected to increase. IA's focus areas should include:

  • Review of governance arrangements.
  • Robustness and review of the risk management framework.
  • Alignment of the risk management framework to the achievement of a firm’s strategy.
  • Monitoring of the effectiveness of changes made.
  • Assessment of the adequacy of actions and communications to reinforce the fundamental principles of the norms of behaviour of those charged with governance. 



4.2 Second Line of Defence

The FCA reiterated in its 2019-20 business plan the importance of effective governance. A governance framework that demonstrates clearly allocated three lines of defence responsibilities supports effective governance. There remains a high level of regulatory focus on the effectiveness of the second line of defence. Potential challenges relating to the second line include: reliance by the second line on IA to 'plug the gaps' in second line monitoring, and the second line undertaking first line activities because of a perceived lack of capability or capacity within the first line. Both blur the independence of the functions involved and leave the firm without a genuinely independent check on first line control operation.

IA's role

IA should consider:

  • The roles and responsibilities of second line Risk and Compliance within the governance structure, and whether they are carrying out activities that properly belong to the first line.
  • Whether outputs from second line Risk and Compliance are used in day-to-day decision-making, rather than produced and filed.
  • Whether there is effective oversight of emerging industry issues and regulatory concerns.



The FCA wishes to promote healthy cultures within firms, and firms in turn should have the leadership capability to create and maintain these cultures. One area of focus is remuneration structures: they should not encourage behaviours or practices amongst staff that could result in unfair outcomes for customers or harm the broader financial market.

The regulator expects firms in the next year to demonstrate awareness of their culture, to take steps to address any issues identified and to reflect this in their business practices.

Non-Executive Directors need to challenge Executive Directors on adherence to risk appetite, and risk appetites should be clearly documented, for example in Operational Risk Self Assessments, so that decisions can be tested against a stated tolerance rather than against individual judgement.

IA's role

IA should consider:

  • Reviewing adherence to documented risk appetite policies and procedures.
  • Reviewing controls over the management of conflicts of interest within commercial arrangements which may drive inappropriate behaviour and controls that ensure customer interests are protected.
  • Performing a focused review of the culture indicators within the firm, how they are embedded into the strategy and how this is measured and monitored.
  • Validating the remuneration and incentive arrangements across all parts of the firm to ensure they are effective in encouraging a customer-centric culture. 



The term 'psychological safety' describes a workplace where employees feel safe to express new ideas, raise issues, challenge unethical behaviour and voice concerns without fear of embarrassment, punishment, retribution or rejection. The FCA is focused on creating a psychologically safe environment within the financial services industry, and conducted its first CultureSprint on creating a 'speak up, listen up' culture across the industry. The FCA considers psychological safety particularly important within financial services because its absence prevents employees from pursuing the best customer outcomes in the face of traditional behaviours and incentive structures, and a lack of it is therefore considered to be a contributing factor in major firm failures.

IA's role

IA has an important role to play including:

  • Reviewing the tone at the top, including seeking evidence that senior management are promoting a culture of psychological safety rather than merely stating that one exists.
  • Assessing the design and operating effectiveness of initiatives that promote a psychologically safe environment, particularly with regard to the raising of risk and control concerns.
  • Reflecting on audit findings and opining on psychological safety through the stakeholder behaviours observed during audits (including when discussing audit findings), and whether those behaviours support psychological safety.

IA has typically found explicit discussion of culture difficult. Framing such comments in terms of psychological safety, in both IA reports and Audit Committee papers, gives IA a concrete and observable basis for commenting on culture.



In recent years, the regulatory and governance framework in many financial services firms has become increasingly complex. Within the insurance industry, the Insurance Distribution Directive (IDD) is now in effect; it is designed to enhance consumer protection when buying insurance and to support competition between insurance distributors. IDD has forced firms to re-evaluate their remuneration structures and to design and implement remuneration policies and procedures that comply with it.

IA's role

Firms should be planning annual reviews of their remuneration policies, processes and implementation in light of the remuneration regulatory requirements. IA's approach should take account of relevant financial services regulation and make use of reward specialists in this rapidly evolving area.

Where these annual reviews are performed by another function in the firm (for example, Risk and/or Compliance), IA should instead assess the rigour and robustness of those reviews.

