Risk management presentation June 10 2013


International Association of Risk and Compliance Professionals (IARCP)

Published in: Business

International Association of Risk and Compliance Professionals (IARCP)
1200 G Street NW Suite 800 Washington, DC 20005-6705 USA
Tel: 202-449-9750 www.risk-compliance-association.com

Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week’s agenda, and what is next

Welcome to the Top 10 list.

Best Regards,

George Lekatis
President of the IARCP
General Manager, Compliance LLC
1200 G Street NW Suite 800, Washington DC 20005, USA
Tel: (202) 449-9750
Email: lekatis@risk-compliance-association.com
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804, Wilmington DE 19801, USA
Tel: (302) 342-8828

Thematic Review on Risk Governance
Peer Review Report

Financial Stability Board (FSB) member jurisdictions have committed, under the FSB Charter and in the FSB Framework for Strengthening Adherence to International Standards, to undergo periodic peer reviews.

To fulfil this responsibility, the FSB has established a regular programme of country and thematic peer reviews of its member jurisdictions.

Thematic reviews focus on the implementation and effectiveness across the FSB membership of international financial standards developed by standard-setting bodies and policies agreed within the FSB in a particular area important for global financial stability.

Keynote Luncheon Speech
By Commissioner Elisse B. Walter
U.S. Securities and Exchange Commission
32nd Annual SEC and Financial Reporting Institute Conference, Pasadena, CA

Background on the PCAOB
Steven B. Harris, Board Member
Kennesaw State Graduate Student Meeting
Washington, DC

Financial Conglomerates Directive Technical Review

This Prudential Regulation Authority (PRA) policy statement publishes the final rules implementing the Financial Conglomerates Directive Technical Review (2011/89/EC) (FICOD 1) which amends the Financial Conglomerates Directive (2002/87/EC) and certain other Directives insofar as they apply to financial conglomerates.

Committee on the Global Financial System
CGFS Papers No 49
Asset encumbrance, financial reform and the demand for collateral assets
Report submitted by a Working Group established by the Committee on the Global Financial System
The Group was chaired by Aerdt Houben, Netherlands Bank

Given that the demand for collateral assets is increasing, the Committee on the Global Financial System (CGFS) in May 2012 established a Working Group (chaired by Aerdt Houben, Netherlands Bank) to explore the implications of this trend for markets and policy.

This report presents the Group’s findings from a system-wide perspective and draws broad conclusions for policymakers.

The report presents evidence of increased reliance by banks on collateralised funding markets in recent years for some regions, with the increase being most pronounced in Europe.

Peer Review of Switzerland
Review Report

FSB country peer reviews

The FSB has established a regular programme of country peer reviews of its member jurisdictions.

The objective of the reviews is to examine the steps taken or planned by national authorities to address International Monetary Fund (IMF)-World Bank FSAP recommendations concerning financial regulation and supervision as well as institutional and market infrastructure.

PCAOB Enters into Enforcement Cooperation Agreement with Chinese Regulators

The Public Company Accounting Oversight Board announced that it has entered into a Memorandum of Understanding (MOU) on Enforcement Cooperation with the China Securities Regulatory Commission (CSRC) and the Ministry of Finance (MOF).

The MOU establishes a cooperative framework between the parties for the production and exchange of audit documents relevant to investigations in both countries’ respective jurisdictions.

More specifically, it provides a mechanism for the parties to request and receive from each other assistance in obtaining documents and information in furtherance of their investigative duties.

Islamic commerce and finance
Opening remarks by Dr Michael Gondwe, Governor of the Bank of Zambia, at the workshop on “Islamic commerce and finance”, Lusaka.

Three questions on the nature and management of risk
Keynote speech by Mr Norman T L Chan, Chief Executive of the Hong Kong Monetary Authority, at the Hong Kong Monetary Authority-Global Association of Risk Professionals (GARP) Global Risk Forum Opening Dinner, Hong Kong.

Investor Protection Through Economic Analysis
By Craig M. Lewis, Chief Economist and Director, Division of Risk, Strategy, and Financial Innovation, U.S. Securities and Exchange Commission
Speech at the Pennsylvania Association of Public Employee Retirement Systems Annual Spring Forum, Harrisburg, PA

Thematic Review on Risk Governance
Peer Review Report

Foreword

Financial Stability Board (FSB) member jurisdictions have committed, under the FSB Charter and in the FSB Framework for Strengthening Adherence to International Standards, to undergo periodic peer reviews.

To fulfil this responsibility, the FSB has established a regular programme of country and thematic peer reviews of its member jurisdictions.

Thematic reviews focus on the implementation and effectiveness across the FSB membership of international financial standards developed by standard-setting bodies and policies agreed within the FSB in a particular area important for global financial stability.

Thematic reviews may also analyse other areas important for global financial stability where international standards or policies do not yet exist.

The objectives of the reviews are to encourage consistent cross-country and cross-sector implementation; to evaluate (where possible) the extent to which standards and policies have had their intended results; and to identify gaps and weaknesses in reviewed areas and to make recommendations for potential follow-up (including via the development of new standards) by FSB members.

This report describes the findings of the thematic peer review on risk governance, including the key elements of the discussion in the FSB Standing Committee on Standards Implementation (SCSI).

The draft report for discussion was prepared by a team chaired by Swee Lian Teo (Monetary Authority of Singapore), comprising Ted Price (Canada Office of the Superintendent of Financial Institutions), Xiang Qi (China Banking Regulatory Commission), Jérôme Lachand (France Autorité de Contrôle Prudentiel), Sofia Nikopoulos (German BaFin), Adriana Elizondo (Mexico National Banking and Securities Commission), Francisco Gil (Bank of Spain), Mike Brosnan (United States Office of the Comptroller of the Currency), Xavier-Yves Zanota (member of the Basel Committee on Banking Supervision Secretariat), Mats Isaksson (Organisation for Economic Co-operation and Development), and Laura Ard (World Bank).

Merylin Coombs and Grace Sone (FSB Secretariat) provided support to the team and contributed to the preparation of the peer review report.

Executive summary

The recent global financial crisis exposed a number of governance weaknesses that resulted in firms’ failure to understand the risks they were taking.

In the wake of the crisis, numerous reports painted a fairly bleak picture of risk governance frameworks at financial institutions, which consist of the three key functions: the board, the firm-wide risk management function, and the independent assessment of risk governance.

The crisis highlighted that many boards had directors with little financial industry experience and limited understanding of the rapidly increasing complexity of the institutions they were leading.

Too often, directors were unable to dedicate sufficient time to understand the firm’s business model and too deferential to senior management.

In addition, many boards did not pay sufficient attention to risk management or set up effective structures, such as a dedicated risk committee, to facilitate meaningful analysis of the firm’s risk exposures and to constructively challenge management’s proposals and decisions.

The risk committees that did exist were often staffed by directors short on both experience and independence from management.

The information provided to the board was voluminous and not easily understood, which hampered the ability of directors to fulfil their responsibilities.

Moreover, most firms lacked a formal process to independently assess the propriety of their risk governance frameworks.

Without the appropriate checks and balances provided by the board, the risk management function, and independent assessment functions, a culture of excessive risk-taking and leverage was allowed to permeate in these weakly governed firms.

Further, with the risk management function lacking the authority, stature and independence to rein in the firm’s risk-taking, the ability to address any weaknesses in risk governance identified by internal control assessment and testing processes was obstructed.

The peer review found that, since the crisis, national authorities have taken several measures to improve regulatory and supervisory oversight of risk governance at financial institutions.

These measures include developing or strengthening existing regulation or guidance, raising supervisory expectations for the risk management function, engaging more frequently with the board and management, and assessing the accuracy and usefulness of the information provided to the board to enable effective discharge of their responsibilities.

Nonetheless, more work remains; national authorities need to strengthen their ability to assess the effectiveness of a firm’s risk governance, and more specifically its risk culture to help ensure sound risk governance through changing environments.

Supervisors will need to undergo a substantial change in approach since assessing risk governance frameworks entails forming an integrated view across all aspects of the framework.

The peer review also asked supervisors to evaluate progress made by their surveyed firm(s) toward enhanced risk governance in seven areas.

To provide some consistency to this exercise, the review team developed high-level criteria to assist supervisory evaluations of firms’ progress, drawing from a compilation of relevant principles, recommendations and supervisory guidance.

The high-level criteria were viewed as fundamental prerequisites for risk governance frameworks.

This evaluation found that many of the best risk governance practices at surveyed firms are now more advanced than national guidance.

This outcome may have been motivated by firms’ need to regain market confidence rather than regulatory requirements.

Firms have made particular progress in:

• assessing the collective skills and qualifications of the board as well as the board’s effectiveness either through self-evaluations or through the use of third parties;
• instituting a stand-alone risk committee that is composed only of independent directors and having a clear definition of independence;
• establishing a group-wide chief risk officer (CRO) and risk management function that is independent from revenue-generating responsibilities and has the stature, authority and independence to challenge decisions on risk made by management and business lines; and
• integrating the discussions among the risk and audit committees through joint meetings or cross-membership.

Although many surveyed firms have made progress in the last few years, significant gaps remain, relative to the criteria developed, particularly in risk management.

There were also differences in progress across regions with firms in advanced economies having adopted more of the desirable risk governance practices.

The results of the supervisory evaluations were grouped by:

(i) all surveyed firms;
(ii) firms identified by the FSB and Basel Committee on Banking Supervision (BCBS) as global systemically important financial institutions, or G-SIFIs; and
(iii) firms that reside in advanced economies (AEs) or emerging market and developing economies (EMDEs).

In summary, across the seven areas evaluated, firms have made the most progress in defining the board’s role and responsibilities, and reasonable progress in their approach to risk governance and the independent assessment of risk governance.

The supervisory evaluations, however, indicate that surveyed firms should continue to work toward defining the responsibilities of the risk committee and strengthening their risk management functions as nearly 50 per cent of surveyed firms did not meet all of the evaluation criteria in these areas.

By type of institution, surveyed G-SIFIs are more advanced than other financial institutions in defining the responsibilities of the board and risk committee, conducting independent assessments of risk governance, providing relevant information to the board and risk committee, and to some extent more advanced in the risk management function.

These results support the finding that the firms in the regions hardest hit by the financial crisis have made the most progress.

Meanwhile, supervisory evaluations of firms that reside in EMDEs show that nearly 65 per cent did not meet all of the criteria for the risk management function.

These gaps need immediate attention by both supervisors and firms.

Other significant findings coming out of the review include the following:

• National authorities do not engage on a sufficiently regular and frequent basis with the board, risk committee and audit committee. Several jurisdictions hold such meetings only once a year or on an as-needed basis.
• Good progress has been made toward elevating the CRO’s stature, authority, and independence. In many firms, the CRO has a direct reporting line to the chief executive officer (CEO) and a role that is distinct from other executive functions and business line responsibilities (e.g., no “dual-hatting”). This elevation, however, needs to be supported by the involvement of the risk committee in reviewing the performance and setting the objectives of the CRO, ensuring that the CRO has access to the board and risk committee without impediment (including reporting directly to the board/risk committee), and facilitating periodic meetings with directors without the presence of executive directors or other management.
• More work is needed on the part of both national authorities and firms on establishing an effective risk appetite framework (RAF). Assessing a firm’s RAF is a challenging task that requires greater clarity and an elevated level of consistency among national authorities.
• Supervisory expectations for the independent assessment of internal control systems by internal audit or other independent function were well-established prior to the crisis. As such, this is an area that demonstrated relatively sound practices across the FSB membership at both national authorities and firms. However, no jurisdiction had specific expectations for internal audit to periodically provide a firm-wide assessment of risk management or risk governance processes.
• Nearly all firms have an independent chief audit executive (CAE) who reports administratively to the CEO and the audit committee chair and who directly reports audit findings to a permanent audit committee. However, there is still room for improving the CAE’s access to directors beyond those on the audit committee.

Drawing from the findings of the review, including discussions with industry organisations as well as risk committee directors and CROs of several firms that participated in the review, the report identifies some of the better practices exemplified by national authorities and firms to collectively form a list of sound risk governance practices.

It also draws on some of the relevant principles and recommendations for risk governance published by other organisations and standard setting bodies.

No one single authority or firm, however, demonstrated all of these sound practices.

This integrated and coherent list of sound practices aims to help national authorities take a more holistic approach to risk governance, rather than looking at each facet in isolation, and may provide a basis for consideration by authorities and standard setting bodies as they review their guidance and standards for strengthening risk governance practices.

The review sets out several recommendations to ensure the effectiveness of risk governance frameworks continue to improve by targeting areas where more substantial work is needed.

While the review focused on banks and broker-dealers that are systemically important, these recommendations apply to other types of financial institutions, including insurers and financial conglomerates.

Recommendations:

1. To ensure that firms’ risk governance practices continue to improve, FSB member jurisdictions should strengthen their regulatory and supervisory guidance for financial institutions, in particular for SIFIs, and devote adequate resources (both in skills and quantity) to assess the effectiveness of risk governance frameworks.

In particular, national authorities should consider the following sound risk governance practices:

i. Set requirements on the independence and composition of boards, including requirements on relevant types of skills that the board, collectively, should have (e.g., risk management, financial industry expertise) as well as the time commitment expected.

ii. Hold the board accountable for its oversight of the firm’s risk governance and assess if the level and types of risk information provided to the board enable effective discharge of board responsibilities.

Boards should satisfy themselves that the information they receive from management and the control functions is comprehensive, accurate, complete and timely to enable effective decision-making on the firm’s strategy, risk profile and emerging risks.

This includes establishing communication procedures between the risk committee and the board and across other board committees, most importantly the audit and finance committees.

iii. Set requirements to elevate the CRO’s stature, authority, and independence in the firm.

This includes requiring the risk committee to review the performance and objectives of the CRO, ensuring the CRO has unfettered access to the board and risk committee (including a direct reporting line to the board and/or risk committee), and expecting the CRO to meet periodically with directors without executive directors and management present.

The CRO should have a direct reporting line to the CEO and a distinct role from other executive functions and business line responsibilities (e.g., no “dual-hatting”).

Further, the CRO should be involved in activities and decisions (from a risk perspective) that may affect the firm’s prospective risk profile (e.g., strategic business plans, new products, mergers and acquisitions, internal capital adequacy assessment process, or ICAAP).

iv. Require the board (or audit committee) to obtain an independent assessment of the design and effectiveness of the risk governance framework on an annual basis.

v. Engage more frequently with the board, risk committee, audit committee, CEO, CRO, and other relevant functions, such as the CFO, to assess the firm’s risk culture (e.g., the “tone at the top”), whether directors provide effective challenge to management’s proposals and decisions, and whether the risk management function has the appropriate authority to influence decisions that affect the firm’s risk exposures.

2. The relevant standard setting bodies (e.g., BCBS, IAIS, IOSCO, OECD) should review their principles for governance, taking into consideration the sound risk governance practices listed in Section V.

3. Risk culture plays a critical role in ensuring effective risk governance endures through changing environments.

The FSB Supervisory Intensity and Effectiveness group has agreed to implement the recommendation from the 2012 FSB progress report on enhanced supervision to explore ways to formally assess risk culture, particularly at G-SIFIs.

This work should be completed by September 2013.

4. To improve their ability to assess firms’ progress toward more effective risk management, national authorities should provide guidance on the key elements that are incorporated in effective risk appetite frameworks.

To enable firms to define frameworks with a minimum amount of comparability despite their firm-specific nature, a common nomenclature for terms used in risk appetite statements (e.g., “risk appetite”, “risk capacity”, “risk limits”) should be established.

The FSB Supervisory Intensity and Effectiveness group, in collaboration with relevant standard setters, has agreed to finalise this work by the end of 2013.

5. The FSB should consider launching a follow-up review on risk governance after 2016 (i.e., after the G-SIFI policy measures begin to be phased in), to assess national authorities’ implementation of the recommendations to strengthen their supervisory guidance and oversight of risk governance.

The review also should include the G-SIFIs identified in 2014 by the FSB in collaboration with the BCBS and IAIS.

I. Introduction

Increasing the intensity and effectiveness of supervision to reduce the moral hazard posed by SIFIs is a key component of the FSB’s policy measures, endorsed by G20 Leaders.

Since the onset of the global crisis, supervisors have intensified their oversight of financial institutions, particularly SIFIs, so as to reduce the probability of their failure.

Specifically, supervisory expectations of risk management functions and overall risk governance frameworks have increased, as this was an area that exhibited significant weaknesses in many financial institutions during the global financial crisis.

While supervisors are responsible for assessing whether a firm’s risk governance framework and processes are adequate, appropriate and effective for managing the firm’s risk profile, the firm’s management is responsible for identifying and managing the firm’s risk.

In October 2011, the FSB agreed to conduct a thematic peer review on risk governance to assess progress toward enhancing practices at national authorities and firms (banks and broker-dealers).

For purposes of this review, risk governance collectively refers to the role and responsibilities of the board, the firm-wide CRO and risk management function, and the independent assessment of the risk governance framework (see Chart 2).

• Board responsibilities and practices: The board is responsible for ensuring that the firm has an appropriate risk governance framework given the firm’s business model, complexity and size which is embedded into the firm’s risk culture. How boards assume such responsibilities varies across jurisdictions.
• Firm-wide risk management function: The CRO and risk management function are responsible for the firm’s risk management across the entire organisation, ensuring that the firm’s risk profile remains within the risk appetite statement (RAS) as approved by the board. The risk management function is responsible for identifying, measuring, monitoring, and recommending strategies to control or mitigate risks, and reporting on risk exposures on an aggregated and disaggregated basis.
• Independent assessment of the risk governance framework: The independent assessment of the firm’s risk governance framework plays a crucial role in the ongoing maintenance of a firm’s internal controls, risk management and risk governance. It helps a firm accomplish its objectives by bringing a disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. This may involve internal parties, such as internal audit, or external resources such as third-party reviewers (e.g., audit firms, consultants).

The peer review did not focus on other relevant dimensions of risk governance, such as risk disclosures and firm-wide compensation practices (since these areas have been covered by previous FSB peer reviews) or risk data aggregation capabilities at banks (since this topic is being covered by a task force of the BCBS).

Separately, the International Association of Insurance Supervisors (IAIS) launched a peer review at the end of 2012 against its Core Principles on governance and risk management and internal controls.

There is currently no single set of principles and standards that comprehensively addresses and integrates risk governance requirements; however, a number of different standards and recommendations on good governance frameworks are relevant.

The review therefore did not assess compliance with any specific standard, but used a compilation of existing standards and recommendations (as appropriate) to take stock of risk governance practices at both national authorities and firms, and to identify any gaps therein.

Supervisors were asked to evaluate firms’ progress and the review team developed high-level criteria to provide some consistency to this exercise.

The findings of the review were based on the responses to questionnaires from FSB member jurisdictions and from the 36 banks and broker-dealers that FSB members deemed as significant for the purpose of the review.

Section II takes stock of national authorities’ initiatives to strengthen oversight of firms’ risk governance frameworks and describes the range of supervisory practices in four broad areas:

(1) The board and its committees;
(2) The firm-wide risk management function, including the CRO;
(3) The independent assessment of the firm-wide risk management framework by internal audit and/or third parties; and
(4) The supervisory assessment of risk governance frameworks.

Section III examines risk governance practices at surveyed firms and the changes made since the financial crisis.

In addition to the responses to the questionnaire, the findings draw on the outcomes of discussions with industry organisations as well as risk committee directors and CROs of several firms that participated in the review.

National supervisors were asked to assess firms’ progress toward enhancing key risk governance functions, as well as the accuracy and completeness of the responses provided by firms headquartered in their jurisdiction.

Section IV sets out the conclusions and recommendations drawn from the findings of the review, which is followed by a list of sound risk governance practices that encompass an overlay of supervisory expectations for sound practices at firms.

II. National authorities’ oversight of risk governance practices

Since the financial crisis, national authorities have increased their supervisory focus on risk governance, which is a critical element for promoting a more resilient financial system.

Underpinning the range of reforms is the issuance in 2010 of the BCBS Principles for Enhancing Corporate Governance and the OECD publication on Corporate Governance and the Financial Crisis – Conclusions and Emerging Good Practices.

Some of the notable changes embedded in regulatory and supervisory guidance include:

• introducing explicit requirements for the establishment of a risk committee;
• conveying expectations to strengthen the risk management function, including the stature and qualifications of the CRO;
• introducing additional requirements for risk governance at SIFIs;
• enhancing the mandate and resources of supervisory authorities in relation to risk governance oversight;
• increasing the intensity of engagement between the supervisor and the board and senior management on risk governance issues; and
• adjusting the supervisory risk assessment process, particularly increasing the focus on risk governance across different business models.

Annex C provides more details on the initiatives FSB members have taken to strengthen oversight of risk governance practices, including implementation of other relevant principles such as the FSB principles for sound compensation practices and recommendations put forward in the 2009 report by the Senior Supervisor Group (SSG) on risk management practices during the financial crisis.

While supervisory guidance has improved, progress has been uneven across the functions that collectively form the risk governance framework.

Based on the findings from the review, some areas where more supervisory requirements and/or guidance would be useful include:

• A clear definition of independence which is separate from non-executive director;
• The establishment of a stand-alone risk committee that is composed of independent directors;
• The level and types of risk information firms should provide as well as the frequency of risk reporting;
• The key features of an effective risk appetite framework to help supervisory evaluations; and
• The ways internal audit can provide feedback on whether a firm’s risk governance processes are keeping pace with trends and/or align with best practices.

The next four sub-sections summarise existing supervisory expectations for the three key risk governance functions and examine authorities’ approaches to assessing the implementation of supervisory expectations.

1. The board and its committees

Regulatory and supervisory guidance specifying the role and responsibilities of the board are prevalent across the FSB membership, including among other things for risk governance.

A key responsibility of the board is to approve the firm’s overall business strategy and RAF.

As such, the board has ultimate responsibility for the firm’s risk management, including setting the risk culture of the firm and overseeing management’s implementation of the agreed business strategy.

To ensure that boards are focused on the higher-level strategic and risk issues, supervisors are engaging more frequently with the board, in particular with independent directors.

The definition of what constitutes effective risk governance is evolving; however, supervisors highlight the importance of the board setting the “tone at the top” in regard to the firm’s strategy and risk culture and challenging management on the adherence to the agreed risk appetite.

1.1 Board composition

The leadership structure to oversee the firm’s risk management varies across jurisdictions.

Most jurisdictions require the establishment of a permanent audit committee, which has a longer history than other board sub-committees, driven by requirements from securities regulators to provide assurance to the quality of the financial information provided by registered financial institutions.

As such, more specific regulatory and supervisory requirements for the composition and independence of the audit committee are set out than for the risk committee.

For example, a number of jurisdictions require the audit committee to comprise a majority of independent or non-executive directors, several jurisdictions require the audit committee chair to be independent (or in some cases a non-executive), and in a few jurisdictions the participation of the chair of the board is restricted.

The establishment of a stand-alone risk committee is less prevalent and the requirement typically applies to large, complex financial institutions (e.g., firms with many legal entities and/or cross-border operations).

Where stand-alone risk committees exist, several jurisdictions require risk committee members to have expertise in risk-related disciplines and only a few jurisdictions require a minimum number of independent directors.

  25. 25. P a g e | 25In Hong Kong, however,forthcoming changeswill require all, or themajority, of themembersof therisk committeetobe non-executivedirectors.Annex D providesfurther details on the regulatory and supervisoryguidancefor thecompositionof theboard andsub-committees, but someof the key featuresinclude:•Independence:Manyjurisdictionshaveestablishedgeneralrequirementsconcerningtheindependenceof theboard to ensure thatthereis objectivejudgement and decision-makingon theboard.Many jurisdictionsalsoset out quantitativeminimums for the number ofindependent directorson theboard.Someother jurisdictionsonlyset quantitativeminimums for the numberofnon-executivedirectorswhichdoesnot necessarilyensureindependentjudgement on the board.•Expertise:Regardlessof theboard structure, theboard needstocomprise memberswhocollectivelybringa balanceofexpertise, skills,experienceand perspectiveswhile exhibitingtheobjectivitytoensure decisionsarebased on sound judgement andthoughtful deliberations.Many jurisdictionsconduct periodic reviewsof the performance, trainingand skillsneeded in theboard and risk committee.Requiringspecific skillsfor all directorsare a common practice (usuallysubsumed in ―fit and proper‖ tests) and typically includerelevantknowledge, experienceand skillsin financeand/ or business.Several jurisdictions not only look at individual qualifications but alsotake a holistic view of the board, examining their collective skills andqualifications.In additiontohaving certain skillsand qualifications,some jurisdictionsrequiredirectorsto have the capacityto dedicatesufficient time andInternational Association of Risk and Compliance Professionals (IARCP)
energy in reviewing information and developing an understanding of the key issues related to the firm’s activities.

1.2 Governance of the board

For the board to effectively supervise and manage the firm’s adherence to the agreed business strategy and risk appetite, directors should be provided with, and have access to, comprehensive information about the firm’s risks. This involves ensuring there are communication and reporting procedures across board sub-committees, and several national authorities set out such requirements in their guidance (see Annex E). However, there is little supervisory guidance provided on the level and types of risk information firms should provide as well as the frequency of risk reporting.

Importantly, the risk management reports provided to the board should contribute to sound risk management and decision-making. The board and its committees, however, should not just rely on the information management reports provided. They should consider if there is a need for additional risk-related information which should be made available to them when needed. Only a few jurisdictions, however, require the board to have such access.

2. The firm-wide risk management function

Since the financial crisis, national authorities have intensified their oversight of firms’ risk management practices and raised their expectations for what is considered strong risk management, which is integral to the core business of a financial institution.
The failure to have a strong, independent risk management function can lead to ill-informed boards and senior management teams as well as imprudent decisions. The risk management function should be responsible for the firm’s risk management framework across the entire organisation, ensuring that the firm’s risk limits are consistent with the RAS and that risk-taking remains within those limits. Stress tests and scenario analyses are viewed as a useful tool for identifying firms’ vulnerabilities and developing risk management strategies to address the risks identified. To fulfil these responsibilities, risk management functions should be led by an influential and highly effective CRO.

2.1 Governance of the risk management function

Supervisors have increased their expectations for the risk management function and are evaluating the CRO’s stature, authority, qualifications, and independence within the firm. As the crisis demonstrated, these are prerequisites for the CRO to be able to influence the firm’s risk-taking activities directly and through the risk management function, and to effectively inform the board as risks evolve, are identified, and are taken.

Annex F provides more information on the governance around the risk management function, but some supervisory practices regarding the CRO function include:

• Independence: Most jurisdictions require the CRO and/or risk management function to be independent; that is, to have a distinct role from the other executive functions, revenue-generating functions and business line responsibilities.

• Stature: The CRO and risk management function should have sufficient stature in the organisation to influence the firm’s risk-taking activities.
In this regard, some jurisdictions have supervisory guidance that requires the CRO to report and have direct access to the board. To elevate the CRO’s stature, Singapore expects the dismissal of the CRO to be approved by the board.

• Authority: To effectively fulfil its role, many jurisdictions require the CRO to have the authority to influence decisions that affect the firm’s exposure to risk, and several jurisdictions set out explicit expectations for the CRO to be able to challenge management’s recommendations and decisions and communicate directly with senior management and with the board.

• Qualifications: “Fit and proper” tests are commonly used to assess the qualifications and competencies of the CRO in many FSB member jurisdictions. In addition, the appointment of the CRO is approved by authorities in China, Germany (if the CRO is a member of the management board), and Singapore, while the United Kingdom interviews CRO candidates. Many jurisdictions evaluate the CRO through their on-going supervisory processes.

2.2 Risk appetite framework

Assessing a firm’s RAF is a challenging task that requires greater clarity and an elevated level of consistency among national authorities. At the core of the RAF is the firm’s RAS, which has become an effective tool for enhancing the discussions between supervisors and boards about the firm’s strategic direction in terms of risk taking. However, a key challenge toward assessing the effectiveness of a firm’s RAS is a lack of common terminology for risk appetite, risk profile, and risk capacity used within firms, across firms and across national authorities.
This is an area that is developing in many jurisdictions; for instance, India, Russia and Saudi Arabia have looked at risk appetite only in context of the BCBS ICAAP, while in Canada, France and the United States, separate processes are continuing to be put in place to assess firms’ RAFs, often drawing on assessment criteria outlined in the work of the SSG.

Supervisory reviews are underway in Canada of firms’ integration of their RAF with the strategic, financial and capital planning processes and compensation practices.

In Hong Kong, firms’ risk appetite is reviewed from an integrated firm-wide perspective taking into account all risks (financial and non-financial). The supervisor determines whether the firm’s RAS is comprehensive and includes the appropriate risk targets that are consistent with each other. The supervisor will also determine whether the RAS has a wide range of measures and actionable elements and whether robust procedures and controls are in place for the setting and monitoring of the agreed risk appetite.

National authorities in Singapore assess annually firms’ link between risk appetite, strategic objectives, capital planning and operational budget planning. Supervisors also review the firm’s progress in the translation of risk appetite into limits and triggers by risk type, as well as their monitoring and reporting procedures.

In Switzerland, supervisors regularly review the risk limit frameworks and there must be an established link between the limits and the strategy.

2.3 Stress testing

The objective of stress tests and scenario analyses is to assess the unanticipated losses that a firm may incur under certain stress scenarios
and the impact that may have on its business plans, risk management strategies or capital plans.

The use of stress tests in firms’ risk governance and capital planning has increased in recent years with the results serving as an input into the firm’s strategic decision-making. As firms are increasingly linking stress test results to risk appetite, ICAAP, contingency planning, and recovery and resolution plans, supervisory approaches to stress testing are evolving accordingly.

In Canada, supervisors assess whether chosen scenarios are appropriate for the portfolio of the institution, including severe shocks and periods of severe and sustained downturns, and where relevant, an episode of market turbulence or a shock to market liquidity and whether the frequency and timing of stress testing is sufficient to support timely management action.

Similarly, supervisors in Hong Kong assess the coverage of stress tests and the types of stress scenarios and parameters chosen in relation to the firm’s risk tolerance, overall risk profile and business plan; appropriateness of assumptions; adequacy of policies and procedures; the adequacy of the firm’s contingency planning for action to be taken should a particular stress scenario happen; the level of oversight exercised by the board and senior management on the stress-testing program and results generated; and the adequacy of the firm’s internal review and audit of its stress-testing program.

Indeed, supervisory attention now includes both the outcomes of stress tests and the effectiveness of the firms’ stress testing processes. For instance, Singapore, Switzerland and the United Kingdom have dedicated teams to review stress testing practices at firms, and China, Germany, and Hong Kong expect firms’ internal audit functions to assess the effectiveness of risk management systems in general, including stress tests.
3. Independent assessment of firms’ risk governance framework

Strong internal control systems are a key element of sound risk governance. The board is responsible for overseeing the implementation of an effective risk governance framework, and as such, should directly oversee the independent assessment process.

An assessment that is independent from the business unit and the risk management control function can assist the board in judging whether the risk governance framework, internal controls and oversight processes are operating as intended. This may be performed by internal audit or by third parties such as audit firms or consultants.

Regardless of the approach, it is critical that the assessment result in an overall opinion on the design and effectiveness of the risk governance framework and be performed by individuals with the skills needed to produce a reliable assessment. Currently, audit functions at only a few firms provide overall opinions regarding the risk governance framework.

3.1 Internal audit

Across the FSB membership, regulatory or supervisory expectations exist for internal audit. Annex G provides a comparison of key regulatory and supervisory expectations with the most notable elements, including:

• Independence: Nearly all jurisdictions require firms to have a permanent internal audit function that is independent from business lines, support functions (e.g., treasury, legal), and risk management.
Firms are also required to explicitly link the independence of internal audit to auditor compensation or career plans. Regardless of the direct reporting lines, most jurisdictions expect internal audit to have unfettered access to the board when reporting internal audit results.

• Stature: Several jurisdictions expect internal audit to report directly to the board, a committee thereof, or an independent director. The direct reporting relationship involves the responsible party determining the CAE’s compensation, completing the CAE’s annual performance evaluation, approving the CAE’s budget, and/or otherwise ensuring the CAE is not unduly influenced by the CEO or other members of the management team. While the CAE may report to the CEO on day-to-day administrative matters, all substantive decisions regarding the CAE and internal audit function are made at the board level. In Singapore, Hong Kong, and Indonesia, the dismissal of the CAE requires the audit committee’s approval.

• Qualifications: All FSB members have established requirements or expectations for the CAE and internal audit staff to have the skills necessary to effectively carry out their duties. Supervisory assessments generally consider the technical knowledge, experience, and character of individuals within the internal audit function.

• Scope, coverage, and frequency: Many jurisdictions expect internal audit to assess and/or opine on risk management or risk governance processes, as well as internal controls. Expectations for the scope, coverage, and frequency of such assessments vary widely.
However, almost all jurisdictions expect internal audit to assess the organisation and mandates of the risk management function(s) and the adequacy of systems and processes for assessing, controlling, responding to, and reporting the firm’s risks. No jurisdiction indicated that it expects internal audit to periodically provide a firm-wide assessment of risk management or risk governance processes.

• Risk appetite framework: Many jurisdictions expect internal audit to assess compliance with the board-approved risk appetite. In the United Kingdom, internal audit is expected to ensure that procedures are in place to report breaches in the firm’s risk appetite to the board.

• Benchmarking: Most jurisdictions indicate that internal audit should be aware of industry trends/best practices and that auditors should consider such knowledge when conducting their work. However, no jurisdiction had specific expectations for internal audit to opine on whether a firm’s risk governance processes are keeping pace with trends and/or align with best practices.

• Remediation process: There is a wide range of expectations for internal audit to follow up on remedial actions to address material deficiencies and several jurisdictions expect internal audit to report the results of its follow-up activities to the board. Nearly all jurisdictions indicated that they require some form of follow-up and reporting.

• Chief audit executive: All jurisdictions indicate that supervisors consider the CAE’s performance when assessing the quality of internal audit. Such assessments may be performed off-site, within on-site inspections, and/or through regular meetings with the CAE and internal audit staff.
In Saudi Arabia, the appointment of the CAE requires a “no objection” from the central bank, and in Indonesia, banks are required to report to bank supervisors the appointment and dismissal of their CAE.

3.2 Third parties

Employing third parties could help to enhance the quality of firms’ independent assessments by providing an unbiased opinion of a firm’s risk governance framework as many internal audit functions are staffed with individuals whose experience may be limited to the practices employed by one or two firms. In addition, third parties often have a broader understanding of leading industry practices, especially in highly technical areas.

Most jurisdictions allow the use of third parties to assess a firm’s risk governance framework, and in China and the Netherlands, the external auditor also assesses the effectiveness of the internal audit function.

Many jurisdictions appropriately stipulate through regulation or guidance that:

(i) The use of a third party does not relinquish the board or management from ultimate responsibility for ensuring the reliability of the independent assessments, and

(ii) Large and complex firms should not become overly reliant on third parties to provide expertise that should be developed within the firm’s internal audit function.

France specifically requires that outsourcing arrangements be engaged and overseen by internal audit to ensure independence and that internal audit maintains accountability for the scope, coverage, and frequency of work.

Several jurisdictions, however, restrict the use of third parties.
For instance, in Italy, internal audit work can be outsourced only by small credit institutions with limited operational complexity. Meanwhile, in South Africa the central bank must approve any outsourcing activity, and in Korea, the use of third parties to assess a firm’s risk governance framework is not regulated.

4. Supervisory approaches toward assessing risk governance frameworks

Supervisors play a crucial role in assessing the adequacy of a firm’s risk governance framework and the practices employed by a firm to independently assess its framework.

Supervisory expectations for risk governance practices outlined above are generally set out within the legal framework through a combination of legislation, regulation and supervisory guidance; however, the approach varies considerably across jurisdictions. Australia and Canada complement their standards with written guidance provided to the industry to assist with the implementation of prudential requirements and adoption of good practices.

Supervisory approaches toward assessing implementation of regulatory or supervisory guidance encompass a variety of steps (e.g., on-site inspections, off-site reviews, horizontal reviews). Supervisory assessments generally occur at least once a year across the FSB membership, though in Argentina assessments take place every 18 months and the United Kingdom is moving from a bi-annual assessment toward a system of continuous supervision.

Several jurisdictions take a risk-based approach to on-site examinations, focusing on riskier institutions. In the United States, national authorities have on-site teams with expertise to assess the governance practices at the largest and most complex banks on a real time basis.
In China, joint regulatory meetings are held on a regular basis between the firm’s head office, its branches, and the regulatory authority where the branches are located.

Meetings with directors and senior management provide another avenue for national authorities to assess firms’ risk governance practices. Annex H provides more information on the approaches taken to assessing firms’ risk management frameworks.

Supervisors receive a wide range of risk reports or information from firms on their risk management practices, including from external auditors or other third parties as well as supporting documentation requested during on-site inspections. Standardised financial and risk reporting is a common practice; however, the types of reports or information provided vary.

For instance, in Argentina, new reporting requirements will request quantitative measures for risk governance and formal exposure limits for each of the significant risks and stress test information; in Hong Kong and elsewhere, regular prudential reporting data and ad hoc requests for peer group analysis are utilised, e.g., stress test capital analysis and horizontal credit reviews of common (problem) loan accounts; and in Canada and Singapore, supervisory teams work with risk specialists to identify trends that can trigger additional investigations or reviews.

National authorities have access to a broad set of supervisory tools to incentivise firms to remediate deficiencies within their risk governance framework, depending on the severity of the deficiency. These tools include moral suasion, capital surcharges, restrictions on certain business activities, imposing fines and penalties, and the ultimate penalty of withdrawing bank licences.

While a large number of supervisory authorities can use a number of these tools, a few have limited supervisory powers to scale the sanction based
on the severity of the infraction, raising concerns over their ability to effectively intervene early where necessary when risks start to surface. Moreover, even though some national authorities have the authority to impose fines, this is difficult to implement in practice, for instance, due to cumbersome processes or supervisors lacking the will to act.

III. Firms’ risk governance practices

The financial crisis spurred fundamental changes in risk governance practices at financial institutions, and in many cases, surveyed firms are ahead of regulatory and supervisory guidance. In general, surveyed firms that were most affected by the crisis have made the greatest advancements, perhaps necessitated by a need to regain market confidence. Firms that were less troubled from the crisis, however, have increased the intensity of the measures that they had in place pre-crisis.

Some of the most obvious changes include:

• Consolidating and raising the profile of the risk management function across banking groups through the establishment of a group CRO, increasing the stature and authority of the CRO and increasing the CRO’s involvement in relevant internal committees.

• Changing the reporting lines of the risk management function so that the CRO now reports directly to the CEO while also having a direct link to the risk committee.

• Intensifying the oversight of risk issues at the board through creation of a stand-alone risk committee, supported by greater links with the risk management function and other risk-related board committees, particularly audit and compensation committees.
Cross-membership of the audit committee and risk committee is now quite common, with some firms involving (or at least inviting) the chair of the board, even the full board, onto the risk committee. The time commitment of independent directors has increased considerably over the past several years.

• Upgrading the skills requirements of independent directors on the risk committee and expecting these members to commit more time to these endeavours. The composition of boards has changed considerably with many non-executive directors now having financial industry experience; the dominance of members from industrial companies or major shareholders is much less than a decade ago.

• Changing the attitude toward the ownership of risk across the firm with the business line now being much more accountable for the risks created by their activities than previously.

In addition to changing the composition and improving the strength of the board, there have been major developments in how firms analyse risks and the associated tools utilised such as RAFs, stress tests and reverse stress testing.

One of the key lessons from the crisis was that reputational risk was severely underestimated; hence, there is more focus on business conduct and the suitability of products, e.g., the type of products sold and who they are sold to. As the crisis showed, consumer products such as residential mortgage loans could become a source of financial instability.

The next four sub-sections summarise the findings from the surveyed firms regarding the three key risk governance functions and provide a summary of the supervisory evaluations of firms’ progress.
1. The board and its committees

The board is responsible for ensuring that the firm has an appropriate risk governance framework that is commensurate with the firm’s strategy, complexity and size. The board’s role and responsibilities for risk governance are generally defined in the board’s charter and include approval of the firm’s strategy and overseeing its implementation, setting out the guidelines and policies for risk management, and ensuring the firm’s internal controls are robust.

The board is also responsible for formulating the mandate and responsibilities of its committees such as the risk and audit committees. For instance, audit committees should ensure business units have effective remediation plans to address any control weaknesses noted by internal audit.

Some firms have developed a Corporate Governance Framework or Code where all rules regarding the roles, responsibilities and oversight functions of the board are assembled. Establishing an enterprise or firm-wide risk management framework can help to provide an overview of risk policy architecture and process.

Having a stand-alone risk committee is a common practice even though it is not required by all national authorities. Firms generally ensure that the risk committee, which is responsible for overseeing senior management’s implementation of the risk strategy, covers all the risks faced at the firm-wide level, including financial risks as well as operational, compliance, legal and regulatory risks.

Regular meetings are held with senior management and the CRO to discuss performance of the business unit and compliance with the RAS and risk limits.
Material risks are presented and discussed on both an aggregate basis and by type of risk. A few firms, however, noted the challenge of aggregating risks due to the complexity of the organisation, underscoring the importance of risk committees addressing information challenges arising from the complexity of large firms.

An effective governance structure has measures to prevent concentration of power and responsibility, such as requiring a number of independent directors, representation of certain skills and qualifications on the board, and the board regularly evaluating its effectiveness.

It is common for boards to have independent directors; some firms establish minimum quantitative requirements, ranging from a minimum of one-third to three-quarters of the board. Most firms provide a definition of independence in the board’s charter, which is embedded in the firm’s governance framework. The risk committee often comprises only independent directors.

There is a wide range of practice regarding the qualifications for members of the board and risk committee; one firm highlighted that the skills required by the board are evolving, in part reflecting the risks taken by the firm. Some firms perform a matrix analysis of the experience and expertise of each director to identify skills needed from incoming directors.

There is also a wide range of practice involving limitations linked to board structure, including:

(i) The preclusion of the chair of the board from being chair of either the risk or audit committee;

(ii) The separation of the roles of the CEO and chair of the board; and
(iii) Limited tenure on a committee.

Periodic reviews of the performance of the board and risk committee are a common practice. Reviews are conducted by the board nomination or governance committees or by the entire board. In some cases, external parties may be employed. Such reviews may include an assessment of training and skills needed on the board.

In some firms, the board considers the functioning of its overall committee structure, including the number and types of committees and the highest and best use of board members’ expertise. They also evaluate the reporting by the committees to the full board.

The board and risk committee are able to receive information, both formally and informally, directly from the CRO or the risk management function. It is becoming a common practice for the CRO to report information directly to the board; the risk reports are usually standardised in terms of formality, frequency and content.

Both the overall risk level of the firm and information for each risk type are included in the reporting template (e.g., a heat map of identified risk categories across regions, global business, and a report with the top and emerging risks faced by the firm).

Some firms explicitly define and document the information that the board and risk committee shall receive, set the agenda at the beginning of the year, and circulate to members in advance of meetings the relevant material to support the agenda item.

Some firms require internal audit, or a third party, to verify the accuracy, comprehensiveness and completeness of information provided to the board and risk committee.
Other firms satisfy themselves through discussions with management or conduct self-assessments of the effectiveness of the information provided to the board.

2. The risk management function

Since the financial crisis, many firms have improved risk management. Some of the most obvious changes relate to the governance processes around the risk management function; there also have been major changes in how risks are analysed and communicated and the associated tools that are utilised.

2.1 Governance of the risk management function

Since the financial crisis, many firms have strengthened how their risk management functions are structured, resourced, compensated, who the function is accountable to as well as its overall mandate.

In many ways, these changes are bringing the governance arrangements for the risk management function up to the standard that has typically applied to the internal audit function for several years. Firms are therefore encouraged to at least consider the validity of any remaining differences in governance processes that surround the two functions.

One of the most common improvements made by firms over the past five years has been to consolidate and raise the profile of the risk management function through the establishment of a group-wide CRO. The CRO and the risk management function generally have been given more stature, authority and independence compared to the pre-crisis period.

Almost all firms reported that they now have a CRO with firm-wide responsibility for risk management who operates independently.
Assessment of the CRO’s stature, authority and independence includes the process for appointment, dismissal and performance evaluation of the CRO as well as the staffing requirements of the risk management function more generally.

Only a few firms noted that the chair of the risk committee is involved in the performance assessment of the CRO. Further, only a few firms link the adequacy and qualifications of the risk management staff to an annual process that takes into consideration the strategy of the firm going forward.

Most firms noted that the CRO has a direct reporting line to the CEO (versus another business unit) which represents a major improvement since the crisis. However, there are still examples cited at a small number of firms where the CRO does not have a direct reporting line to the CEO.

A few firms require the CRO to have a direct reporting line to the board, which helps to boost the stature of the CRO. A large number of firms also noted that their CRO is able to “access” the board, generally through the risk committee, but it is unclear how this is done in practice.

Almost all firms operate with a CRO who is separate from revenue-generating responsibilities or other executive functions (that is, “dual-hatting” of the CRO’s responsibilities is avoided). Such a structure is essential for the CRO’s independence.

This separation of responsibilities has been reinforced by many firms re-structuring their risk management functions under a group-wide CRO, with regional or business line CROs having a direct reporting line to the group CRO, rather than to the regional or business line heads as had occurred in the past.
To preserve the independence intended from such structures, ‘dual-hatting’ of responsibilities should also be avoided for those senior positions in the risk management function that report to the group CRO, particularly at globally active, complex firms.

At some firms, the CRO reports to the CFO or, in a few exceptional cases, one person assumes the responsibilities of both the CRO and CFO. In addition, there are instances at some firms where the CRO is assigned other functional, albeit non-revenue generating, responsibilities. Where this relates to the oversight of functions such as compliance and anti-money laundering, the concern is more about the risk of over-burdening the CRO, particularly in more complex, global institutions, than the potential for conflict of interest per se.

Indeed, much progress has been made toward elevating the stature and independence of the CRO. While the role of the CRO has broadened and includes involvement in a number of key processes and internal committees that require inputs from the risk management function, other important processes warrant greater participation of the CRO, such as:

• Mergers and acquisitions. While the analysis of a proposed merger or acquisition would be submitted to the board or a committee for approval, the CRO generally takes part in the process as a member of the committee. Only a few firms require the CRO to prepare a formal risk opinion on planned mergers and acquisitions.

• Strategic planning process. Traditionally, the CRO is responsible for the oversight of the existing risk profile of the firm and of those risks being taken on a day-to-day basis as a result of previous business decisions. However, as indicated above, the CRO should also become increasingly involved, in a more proactive manner, in the activities and plans that deal
with prospective business risk, including those risks which may arise from the execution of the firm’s strategic business plan. The CRO should be involved in this process, from a risk perspective, by interacting with senior management and the board, understanding strategic business plans, and formally opining on the prospective risk profile and whether or not the firm has the necessary resources and systems to accommodate the resulting exposures. If such resources are not available, then space in the strategic plan should be created to ensure proper risk controls.

• Treasury function. Some firms have clearly defined the roles and responsibilities of the CRO regarding oversight of a firm’s treasury function. However, there is a range of practice surrounding the organisational relationship between these two functions:

(i) The independent liquidity risk control function has responsibility for the management and control of liquidity risk and that function reports directly to the CRO;

(ii) The CRO participates as a voting member of the relevant management committee (typically the asset and liability management committee), with no specific role for the CRO defined; or

(iii) The CFO alone is responsible for the treasury function without any oversight from the CRO in the risk management process.

2.2 Risk management tools

Two key additions to risk management tools have been (i) the development of RAFs and (ii) more robust and severe stress testing practices.

Related to this, and given the underestimation of reputational risk pre-crisis, there now is much greater focus within many firms on business
  46. 46. P a g e | 46conduct andthesuitabilityofproducts,e.g., thetype ofproductssoldandtowhom they aresold.TheRAF isanincreasinglyimportant toolin centralisingthefocusonthefirm‘s risk profile and providing a more integratedpictureof the firm‘srisks.Firms indicateda good degreeof understandingthe keyelements,objectivesand usesof RAFs whicharegenerallyin linewithrecent studiessuch asthe 2010SSGreport on developmentsinrisk appetiteframeworksand IT infrastructure.Key featuresof a risk appetite framework (RAF)•RAFshelp drive strategic decisionsand right-size a firm‘s risk profile.•RAFs establish an explicit, forward-looking view of a firm‘s desired riskprofile in a varietyof scenarios and set out a processfor achieving that riskprofile.•RAFsincludea risk appetitestatement that establishesboundariesforthedesired businessfocusand articulatetheboard‘sdesired approachtoa variety of businesses,risk areas,and in some cases, product types.•Themore developed RAFs are flexibleand responsivetoenvironmentalchanges;however, risk appetiteisdefinitiveand consistent enough tocontain strategicdrift.•RAFsset expectationsfor businesslinestrategy reviewsand facilitateregular discussionsabout how tomanage unexpected economicormarket eventsin particular geographiesor products.Discussions with firms, however, reveal that there is significant variationin the perception of how much firms have progressed in thedevelopment, comprehensivenessand implementationof their RAFs.Oneof the keychallengesisdifferent interpretationsof essentialelements,includingrisk appetite, risk limits,and risk capacity.International Association of Risk and Compliance Professionals (IARCP)
• Some firms were able to report significant progress and have had an RAF for several years (in some cases since before the crisis). These firms' RAFs were linked to the firm's strategy and integrated with most other relevant internal processes such as budgeting, compensation plans, mergers and acquisition evaluations, new product approval, and stress testing. These firms were able to report that the understanding of the RAF was widespread both across functional lines and within multiple layers of their firm. They were also able to identify clear examples of how they had used their RAF in strategic decision-making processes, such as decisions to actively reduce the complexity of their operations. That said, even at these firms, it was recognised that operationalising an effective RAF is a continual journey that needs to evolve with changes in internal processes and the external environment.

• A number of firms reported that their implementation of an RAF was more recent and while it had been linked to the firm's strategy and integrated with some of the key internal processes, further work is envisaged, such as: linking the RAF with all the relevant internal processes; ensuring that qualitative as well as quantitative metrics are appropriately included; and somewhat relatedly, broadening the RAF to cover those harder to quantify risks, such as operational, compliance and reputation risks.

• For other firms, their RAFs are at an early stage of development. While they may have a high-level framework in place, numerous gaps exist. For example, the coverage may not extend to all relevant subsidiaries in the framework because the risk appetite is not clearly articulated at the business level nor integrated with all the relevant internal processes.
Further, some RAFs are less developed in terms of including all the material risks the firm faces, particularly reputational and operational risks.

All firms surveyed considered risk limits to be the vehicle for operationalising the RAF at the business line level. The communication and escalation process for any breaches seemed to be very similar across the firms surveyed: the risk management function was responsible for monitoring risk limits, metrics, and breaches, and escalating any concerns; business units have to explain breaches to the risk management committee or board depending on the nature and size of the exposure; the authorisation of exceptions was defined top-down; and action plans were required.

However, there were differences between firms in their approaches to departures from the RAF: some firms grant flexibility for a business line to depart from the RAF if the global risk appetite was not breached, whereas others give no flexibility for individual business lines to deviate from their business line risk limits.

Embedding the firm's agreed RAS into the firm's risk culture remains a challenge but several approaches have been taken by firms. A number of firms have developed training programs and manuals (with one firm requiring relevant employees to certify every year that they have attended the training program and read the manual), but only a few firms reported that they have linked core risk objectives to staff performance management processes. Discussions with firms revealed that a key to creating incentives for a better risk culture in firms is to link risk objectives with either compensation or career advancement prospects.

Stress testing has become a common tool for firms.
The governance around group-wide stress testing typically involves firms developing their own historical and hypothetical scenarios, though national authorities can also set scenarios. The CRO and risk management function generally have a central role, acting as the owner of the process or participating in the committee leading the effort. The testing is conducted at least annually, and in many cases on a quarterly basis. Stress tests results are usually presented to the risk committee and sometimes to the national supervisor.

These processes appear to be furthest developed in AEs, and some also perform reverse stress testing and counterparty stress testing. In contrast, some firms in EMDEs have not performed stress testing on an integrated basis or are still in the process of implementing their stress testing processes.

Most firms use the stress testing results for their budgeting, RAF and ICAAP processes and to set contingency plans against stressed conditions.

3. Independent assessment of firms' risk governance framework

3.1 Internal audit

Firms primarily rely on their internal audit functions to independently assess their risk governance frameworks. In almost all cases, internal audit assesses the framework through a series of individual assurance audits, combined with some project-specific and other ongoing audit work.
A few internal audit functions demonstrate the better practice of providing an overall opinion of the risk governance framework on an annual basis.

In line with expectations established by national authorities, all of the firms' internal audit functions are organisationally separate from business lines and have unfettered access to the board.

Almost every firm reported that they have made changes to strengthen their internal audit functions since 2008. Major changes include: appointing a CAE; establishing more attractive compensation plans and career paths for internal auditors; increasing both the number and skills of internal audit staff; expanding internal audit's role/responsibilities, including participating as an observer at risk management committees and decision-making processes; and enhancing business monitoring.

Internal audit's role and responsibilities are primarily established via an audit charter, with audit manuals detailing procedures for planning, executing, and reporting audit's work. At all surveyed firms, internal audit is responsible for assessing risk management or risk governance processes as well as internal controls.

While national authorities' expectations vary, most internal audit functions also assess:
• The appropriateness of assumptions used in scenario analysis and stress testing,
• The degree to which the firm's risk governance is keeping pace with industry trends and aligns with best practices,
• The quality and adequacy of resources within the risk management function,
• The overall efficiency and integrity of risk management information systems, and
• The effectiveness of the risk and issue escalation process.

Most firms indicated that internal audit plays a role in monitoring whether the business and risk management units are operating according to the RAF. However, some firms rely primarily on the independent risk management function for this assessment.

Internal audit's role is generally to test that practices align with the processes and procedures established in the RAF, though a few firms expect internal audit to also opine on the appropriateness of the limits and other tolerances established in the RAF. Given that many RAFs are in the early stages of evolution, some firms noted that internal audit's role and responsibilities related to the RAF are still being defined and implemented.

Firms reported a wide range of practices with regard to the format and content of reporting to the board. At several firms, the CAE provides regular reports to the board or audit committee, summarising the results of internal audit's work, including overall conclusions or ratings, key findings, material risks/issues, and follow-up of management's resolution of identified issues.

Meanwhile, some internal audit functions only provide the board or audit committee with a periodic synthesis of internal audit activity or a "report on audit reports", which does not seem sufficient to ensure the board can carry out its responsibilities within the risk governance framework.
2. Third parties

Approximately half of the firms that participated in the peer review indicated that they have used third parties to assess their firm's risk governance framework or components of the framework.

The rest of the firms indicated that they used third parties to provide perspectives and benchmarks related to regulatory expectations and industry best practices associated with risk governance frameworks, or significant aspects of those frameworks, with this information being used to promote upgrades in firm practices.

Such an approach was seen as helpful in meeting the continual challenge of developing and maintaining risk governance frameworks that keep abreast of changing legislative/regulatory environments along with an evolving economic and competitive landscape.

3. Escalation processes

All firms reported having internal policies, procedures, and/or processes to facilitate employees reporting concerns and issues within the firm. These are in addition to external complaint and whistle-blower processes established by supervisors.

Some firms described having processes tailored to different types of issues (e.g., issues impacting financial results and related disclosures versus general issues related to risk and/or control breakdowns).

• For sensitive information, most firms have established an internal "whistle-blowing" hotline and offer employees anonymity and other protections from negative consequences to the extent possible under the relevant laws of the jurisdiction.
• For non-sensitive information, processes generally involve employees reporting to a direct supervisor or senior manager within the business unit and/or to an individual within an independent risk, compliance, and/or audit function or legal department.
3.4 Evaluation of the effectiveness of the independent assessment

While there is no common practice for comprehensively evaluating the effectiveness of the independent assessment of the risk governance framework, most firms have several processes in place for assessing the work of the internal audit function.

Some of the key processes and/or criteria used include:
• The number of internal audits that cover risk management topics during the course of an audit cycle,
• The number and types of risk management issues identified by internal audit,
• Results of internal audit's quality assurance activities,
• Results of periodic internal audit self-assessments and/or assessments performed by external parties,
• Quality of information provided to the audit committee, and
• Compliance with the Institute of Internal Auditors' (IIA) professional standards.

4. Supervisory evaluations of risk governance practices

The peer review asked supervisors of surveyed firms to evaluate firms' progress toward enhanced risk governance across seven broad areas. To help provide some consistency to this exercise, high-level evaluation criteria were developed (see Annex A) and the supervisory evaluations were reviewed for all surveyed firms; G-SIFIs; and by region.

The criteria were developed by drawing from a compilation of relevant principles, recommendations and supervisory guidance, and are considered by the review team as the fundamental preconditions for effective risk governance frameworks.

In summary, surveyed firms have made the most progress in strengthening (ii) the role and responsibilities of the board, with nearly 80 per cent of surveyed firms evaluated by national supervisors as meeting or exceeding all of the criteria. This is an area that warranted significant changes but is also viewed as comparatively easy to implement. More work, however, is needed by supervisors to assess the true effectiveness of the board's oversight of the firm.

Further, despite significant improvements in (i) firms' approaches to risk governance and (vii) the independent assessment of the risk management function, significant gaps remain.

Roughly 50 per cent of surveyed firms failed to meet all of the criteria in (iii) having defined responsibilities of the risk committee and (vi) the risk management function. These areas need much greater attention on the part of both supervisors and firms.
The supervisory evaluations indicate that, among the G-SIFIs surveyed, more progress has been made toward enhancing risk governance practices relative to other surveyed firms,

One of the key hindrances to effective risk management at G-SIFIs has been weaknesses in firms' IT infrastructures and the inability to aggregate risk data efficiently. While progress is being made, some supervisors noted their firm could not complete the FSB Data Gaps common data template for G-SIFIs. This common data template aims to address key information gaps identified during the crisis and provide a strong framework for assessing potential systemic risks.

However, G-SIFIs identified in November 2011 and November 2012 are expected to meet higher expectations for risk data aggregation capabilities and risk reporting beginning in January 2016.
By region, firms that reside in AEs have generally progressed further than those in EMDEs across all aspects of the areas evaluated, except for (iii) risk committee responsibilities (see Chart 5 below).

This aligns with the finding that firms that were hardest hit during the financial crisis have made the most progress as such firms largely reside in advanced economies. These firms experienced a significant turnover in senior management and directors, including more non-executive directors, but board oversight of risk through an established risk committee is weak across regions.

For EMDEs, risk governance practices need to be significantly enhanced; in particular in the (vi) risk management function as approximately 65 per cent of surveyed firms do not meet all of the criteria. Other areas where more work is needed is in their (i) approach to risk governance and (iv) governance of the board and risk committee where more than 50 per cent of firms do not meet all of the evaluation criteria. These gaps need immediate attention.
IV. Conclusions and recommendations

Much progress has been made toward enhancing risk governance frameworks at surveyed firms since the crisis. Nonetheless, this progress has been uneven across the functions that collectively form the risk governance framework – the board, the firm-wide risk management function, and the independent assessment of risk governance.

Specifically, firms have made most progress in defining the role and responsibilities of the board, but much more needs to be done to strengthen the role of the risk committee and the CRO and risk management function. Continued weaknesses in risk management will undermine the effectiveness of the changes made to board oversight of the firm's risk governance framework.
To ensure that progress continues toward achieving more effective risk governance frameworks, a more integrated and consistent approach across all aspects of the risk governance framework has to be developed. Such an approach will require a shift in attitude for both firms and supervisors as this requires taking a holistic view of all aspects of the risk governance framework rather than looking at each facet in isolation.

Drawing from the survey responses and discussions with risk committee directors and CROs, this report sets out a list of sound risk governance practices that should help supervisors to enhance their oversight of risk governance at financial institutions, in particular at SIFIs (see Section V). While none of the surveyed authorities and firms exhibited all of these sound practices, many firms' practices tended to be more advanced than the guidance provided by national authorities.

Recommendation 1: To ensure that firms' risk governance practices continue to improve, FSB member jurisdictions should strengthen their regulatory and supervisory guidance for financial institutions, in particular for SIFIs, and devote adequate resources (both in skills and quantity) to assess the effectiveness of risk governance frameworks. In particular, national authorities should take into consideration the set of sound risk governance practices identified during the peer review.

Recommendation 2: The relevant standard setting bodies (e.g., BCBS, IAIS, IOSCO, OECD) should review their principles, taking into consideration the sound practices for risk governance listed in Section V.

Recommendation 3: Risk culture plays a critical role in ensuring effective risk governance endures through changing environments. The FSB Supervisory Intensity and Effectiveness group has agreed to implement the recommendation from the 2012 FSB progress report on enhanced supervision to explore ways to formally assess risk culture, particularly at G-SIFIs.
This work should be completed by September 2013.

As the supervisory evaluations revealed, both national authorities and firms need to focus on strengthening firms' risk management functions. Effective risk governance is based on a well-designed and articulated firm-wide risk management framework, which reflects the firm's risk culture, enumerates the firm's risk profile, and ensures that the risk limits set out in the agreed RAS are not breached. The risk limits have to be properly defined and calibrated and align with compensation as well as escalation processes that enable appropriate action to be taken if the firm is operating outside its risk appetite and risk limits.

Developing an effective RAF, however, remains a challenge for most firms; firms need to make further progress in linking their RAFs to business strategies so that RAFs become truly effective and operational tools.

Recommendation 4: To improve their ability to assess firms' progress toward more effective risk management, national authorities should provide guidance on the key elements that are incorporated in effective risk appetite frameworks. To enable firms to define frameworks with a minimum amount of comparability despite their firm-specific nature, a common nomenclature for terms used in risk appetite statements (e.g., "risk appetite", "risk capacity", "risk limits") should be established. The FSB Supervisory Intensity and Effectiveness group, in collaboration with relevant standard setters, has agreed to finalise this work by the end of 2013.

Effective internal control systems are a key element of sound risk governance, and supervisory expectations for the independent assessment of internal control systems by internal audit were well established prior to the crisis.
This includes guidance issued by the BCBS as early as 1998 and by a longer history of regulatory requirements for publicly-traded financial institutions, including permanent audit committees and independent CAEs.

Since the crisis, many supervisors have appropriately elevated their expectations of internal audit functions to include more qualitative assessments of policies, procedures, risk limits and risk exposures. As such, this is an area that demonstrated relatively sound practices across the FSB membership for both national authorities and financial institutions.

Nearly all firms have an independent CAE who reports administratively to the CEO or audit committee chair and who directly reports audit findings to a permanent audit committee. Despite the wide range of sound practices, there is still room for improving the CAE's access to directors beyond those on the audit committee. Regulators also need to elevate and convey expectations for internal audit, and/or a third party, to periodically provide a firm-wide assessment of risk management or risk governance processes.

Finally, to promote further progress toward effective risk governance, the report recommends that another peer review be conducted.

Recommendation 5: The FSB should consider launching a follow-up review on risk governance after 2016 (i.e., after the G-SIFI policy measures begin to be phased in), to assess national authorities' implementation of the recommendations to strengthen their supervisory guidance and oversight of risk governance. The review also should include the G-SIFIs identified in 2014 by the FSB in collaboration with the BCBS and IAIS.
V. Sound risk governance practices

Drawing from the findings of the review, including discussions with industry organisations as well as risk committee directors and CROs of several firms that participated in the review, the report sets out a list of sound risk governance practices. The list extracts some of the better practices exemplified by national authorities and firms. The sound practices also build on some of the principles and recommendations published by other organisations and standard setters, drawing together those that are relevant for risk governance. This integrated and coherent list of sound practices aims to help national authorities and firms continue to improve their risk governance.

The board of directors

1. The board:
a) avoids conflicts of interest arising from the concentration of power at the board (e.g., by having separate persons as board chairman and CEO or having a lead independent director where the board chairman and CEO are the same person);
b) comprises members who collectively bring a balance of expertise (e.g., risk management and financial industry expertise), skills, experience and perspectives;
c) comprises largely independent directors and there is a clear definition of independence that distinguishes between independent directors and non-executive directors;
d) sets out clear terms of references for itself and its sub-committees (including tenure limits for committee members and the chairs), and establishes a regular and transparent communication mechanism to ensure continuous and robust dialogue and information sharing between the board and its sub-committees;
e) conducts periodic reviews of performance of the board and its sub-committees (by the board nomination or governance committee, the board themselves, or an external party). This includes reviewing, at a minimum annually, the qualifications of directors and their collective skills (including financial and risk expertise), their time commitment and capacity to review information and understand the firm's business model, and the specialised training required to identify desired skills for the board or for director recruitment or renewal;
f) sets the tone from the top, and seeks to effectively inculcate an appropriate risk culture throughout the firm;
g) is responsible for overseeing management's effective implementation of a firm-wide risk management framework and policies within the firm;
h) approves the risk appetite framework and ensures it is directly linked to the business strategy, capital plan, financial plan and compensation;
i) has access to any information requested and receives information from its committees at least quarterly;
j) meets with national authorities, at least quarterly, either individually or as a group.

2. The risk committee:
a) is required to be a stand-alone committee, distinct from the audit committee;
b) has a chair who is an independent director and avoids "dual-hatting" with the chair of the board, or any other committee;
c) includes members who are independent;
d) includes members who have experience with regard to risk management issues and practices;
e) discusses all risk strategies on both an aggregated basis and by type of risk;
f) is required to review and approve the firm's risk policies at least annually;
g) oversees that management has in place processes to ensure the firm's adherence to the approved risk policies.

3. The audit committee:
a) is required to be a stand-alone committee, distinct from the risk committee;
b) has a chair who is an independent director and avoids "dual-hatting" with the chair of the board, or any other committee;
c) includes members who are independent;
d) includes members who have experience with regard to audit practices and financial literacy at a financial institution;
e) reviews the audits of internal controls over the risk governance framework established by management to confirm that they operate as intended;
f) reviews the third party opinion of the design and effectiveness of the overall risk governance framework on an annual basis.

The risk management function

4. The CRO