slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
P a g e | 1 PowerPoint Presentation
Download Presentation
P a g e | 1

Loading in 2 Seconds...

play fullscreen
1 / 211

P a g e | 1 - PowerPoint PPT Presentation


  • 83 Views
  • Updated on

P a g e | 1 Inter n a tio n a l A s s oci a t ion of R isk a nd Compl i a n c e Pro f e s s io n a ls ( I A RCP) 1200 G St re e t NW Su i te 800 W a s h i ng t o n, D C 200 0 5 - 67 0 5 U SA T e l : 202 - 449 - 9750 w w w .ri s k - co m pl i a nce - a s s o c i a tion . co m.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

P a g e | 1


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
    Presentation Transcript
    1. P age |1 InternationalAssociationofRiskandCompliance Professionals(IARCP) 1200GStreetNWSuite800Washington, DC20005-6705USATel:202-449-9750www.risk-compliance-association.com Top10riskandcompliancemanagementrelatednewsstoriesandworldeventsthat(forbetterorforworse)shapedthe week'sagenda,andwhatisnext DearMember, Itwas2a.m.andIwasreadytosleep,butIalsowantedtocheckmyemailsanothertime. Yes,Ihavereadthefamousbook“The4-HourWorkweek”byTimothyFerriss,butIdisagreewith him,soIhavedecidedtodotheopposite:Tocheckemailsmore frequently.SorryTim. Oneofthefirstemailswasanimportantone:RedAlert,ChinaoccupiesthePublicCompanyAccountingOversightBoard. Therewasevenapicture! InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    2. P age |2 What? IknowthatChinaimplementsaChineseSarbanes-Oxley…butwhatisthatnow? IreadinthepicturethatPCAOB主席JamesR.Doty说:“这份协议是 在跨境执法合作中迈出的重要一步,它也是保护美国资本市场投资者 利益必要的一步。” What?IsJamesR.Dotywell? Fortunately,Jamesisverywell.Therewasnoredalert.Oneofmyfriends,John,andattorney,sentmethisemail. Readmoreabout说:这份协议是在跨境执法合作中迈出的重要一步, 它也是保护美国资本市场投资者利益必要的一步atnumber7ofourlistbelow. Thefollowingmorning,Ireceivedanotheremail. Title:“Forecastingistheartofsayingwhatwillhappen,andthenexplainingwhyitdidn't” Message:Ihateyou.Ourbossisfollowingyourstresstestingrecommendations.LaoTzuhassaidthatthosewhohaveknowledgedon'tpredict.Thosewhopredict,don'thaveknowledge. Signature:Terminator Terminator? ArnoldSchwarzenegger,didyousendthisemail? Who?LaoTzu?TheChineseagain?Ireplied! “DearArnold(orotherTerminator), InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    3. P age |3 Itisnotme!ItisBaseliiithatasksforaforward-lookingperspective!Baseliiirequiresstresstesting.And,wehaveacrystalballinriskmanagement:TherecommendationsoftheFinancialStabilityBoard(FSB).” Therecommendations… Whoreadstheserecommendations?Soimportant...IhaveledsomeclassessinceJanuary,nobodyreadsFSB. TheylaughwhenIsayreadFSBeverymorning,beforereadingFTorWSJ! ItistimetoreadtherecommendationsoftheFSBcarefully.Itisabout theboard,seniormanagement,riskofficers,complianceofficers,internalandexternalauditors. ThisisourNumber1.Thesepagesaresoimportant. WelcometotheTop10list. BestRegards, GeorgeLekatisPresidentoftheIARCP GeneralManager,ComplianceLLC 1200GStreetNWSuite800, WashingtonDC20005,USATel:(202)449-9750 Email:lekatis@risk-compliance-association.com Web:www.risk-compliance-association.comHQ:1220N.MarketStreetSuite804,WilmingtonDE19801,USA Tel:(302)342-8828 InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    4. P age |4 ThematicReviewonRiskGovernancePeerReviewReport FinancialStabilityBoard(FSB)memberjurisdictionshavecommitted,undertheFSBCharterandintheFSBFrameworkforStrengthening AdherencetoInternationalStandards,toundergoperiodicpeerreviews. Tofulfilthisresponsibility,theFSBhasestablishedaregularprogrammeofcountryandthematicpeerreviewsofitsmemberjurisdictions. ThematicreviewsfocusontheimplementationandeffectivenessacrosstheFSBmembershipofinternationalfinancialstandardsdevelopedbystandard-settingbodiesandpoliciesagreedwithintheFSBinaparticularareaimportantforglobalfinancialstability. KeynoteLuncheonSpeech ByCommissionerElisseB.Walter U.S.SecuritiesandExchangeCommission 32ndAnnualSECandFinancialReportingInstituteConference,Pasadena,CA BackgroundonthePCAOB StevenB.Harris,BoardMember KennesawStateGraduateStudentMeetingWashington,DC InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    5. P age |5 FinancialConglomeratesDirectiveTechnicalReview ThisPrudentialRegulationAuthority(PRA)policystatementpublishesthefinalrulesimplementingtheFinancialConglomerates DirectiveTechnicalReview(2011/89/EC)(FICOD1)whichamendstheFinancialConglomeratesDirective(2002/87/EC)andcertainother Directivesinsofarastheyapplytofinancialconglomerates. CommitteeontheGlobalFinancialSystemCGFSPapersNo49 Assetencumbrance,financialreformandthedemandforcollateralassets ReportsubmittedbyaWorkingGroupestablishedbytheCommitteeontheGlobalFinancialSystem TheGroupwaschairedbyAerdtHouben,NetherlandsBank Giventhatthedemandforcollateralassetsisincreasing,theCommitteeontheGlobalFinancialSystem(CGFS)inMay2012establishedaWorkingGroup(chairedbyAerdtHouben,NetherlandsBank)toexploretheimplicationsofthistrendformarketsandpolicy. ThisreportpresentstheGroup’sfindingsfromasystem-wideperspectiveanddrawsbroadconclusionsforpolicymakers. Thereportpresentsevidenceofincreasedreliancebybanksoncollateralisedfundingmarketsinrecentyearsforsomeregions,withtheincreasebeingmostpronouncedinEurope. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    6. P age |6 PeerReviewofSwitzerland ReviewReport FSBcountrypeerreviews TheFSBhasestablishedaregularprogrammeofcountrypeerreviewsofitsmemberjurisdictions. TheobjectiveofthereviewsistoexaminethestepstakenorplannedbynationalauthoritiestoaddressInternationalMonetaryFund(IMF)-WorldBankFSAPrecommendationsconcerningfinancialregulationandsupervisionaswellasinstitutionalandmarketinfrastructure. PCAOBEntersintoEnforcementCooperationAgreementwithChineseRegulators ThePublicCompanyAccountingOversightBoardannouncedthatithasenteredintoaMemorandumofUnderstanding(MOU)onEnforcementCooperationwiththeChinaSecuritiesRegulatoryCommission(CSRC)andtheMinistryofFinance(MOF). TheMOUestablishesacooperativeframeworkbetweenthepartiesfortheproductionandexchangeofauditdocumentsrelevanttoinvestigationsinbothcountries’respectivejurisdictions. Morespecifically,itprovidesamechanismforthepartiestorequestandreceivefromeachotherassistanceinobtainingdocumentsandinformationinfurtheranceoftheirinvestigativeduties. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    7. P age |7 Islamiccommerceandfinance OpeningremarksbyDrMichaelGondwe,GovernoroftheBankofZambia,attheworkshopon“Islamiccommerceandfinance”,Lusaka. Threequestionsonthenatureandmanagementofrisk KeynotespeechbyMrNormanTLChan,ChiefExecutiveoftheHongKongMonetaryAuthority,at theHongKongMonetaryAuthority-GlobalAssociationofRisk Professionals(GARP)GlobalRiskForumOpeningDinner,HongKong. InvestorProtectionThroughEconomicAnalysis ByCraigM.Lewis,ChiefEconomistandDirector DivisionofRisk,Strategy,andFinancialInnovation,U.S.SecuritiesandExchangeCommission SpeechatthePennsylvaniaAssociationofPublicEmployeeRetirementSystemsAnnualSpringForumHarrisburg,PA InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    8. P age |8 ThematicReviewonRiskGovernance PeerReviewReportForeword FinancialStabilityBoard(FSB)memberjurisdictionshavecommitted,undertheFSBCharterandintheFSBFrameworkforStrengthening AdherencetoInternationalStandards,toundergoperiodicpeerreviews. Tofulfilthisresponsibility,theFSBhasestablishedaregularprogrammeofcountryandthematicpeerreviewsofitsmemberjurisdictions. ThematicreviewsfocusontheimplementationandeffectivenessacrosstheFSBmembershipofinternationalfinancialstandardsdevelopedbystandard-settingbodiesandpoliciesagreedwithintheFSBinaparticularareaimportantforglobalfinancialstability. Thematicreviewsmayalsoanalyseotherareasimportantforglobalfinancialstabilitywhereinternationalstandardsorpoliciesdonotyetexist. Theobjectivesofthereviewsaretoencourageconsistentcross-countryandcross-sectorimplementation;toevaluate(wherepossible)theextent towhichstandardsandpolicieshavehadtheirintendedresults;andtoidentifygapsandweaknessesinreviewedareasandtomakerecommendationsforpotentialfollow-up(includingviathedevelopmentofnewstandards)byFSBmembers. Thisreportdescribesthefindingsofthethematicpeerreviewonriskgovernance,includingthekeyelementsofthediscussionintheFSBStandingCommitteeonStandardsImplementation(SCSI). InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    9. P age |9 ThedraftreportfordiscussionwaspreparedbyateamchairedbySweeLianTeo(MonetaryAuthorityofSingapore),comprisingTedPrice(CanadaOfficeoftheSuperintendentofFinancialInstitutions),XiangQi(ChinaBankingRegulatoryCommission),JérômeLachand(FranceAutoritédeContrôlePrudentiel),SofiaNikopoulos(GermanBaFin),AdrianaElizondo(MexicoNationalBankingandSecuritiesCommission),FranciscoGil(BankofSpain),MikeBrosnan(UnitedStatesOfficeoftheComptrolleroftheCurrency),Xavier-YvesZanota(memberoftheBaselCommitteeonBankingSupervisionSecretariat), MatsIsaksson(OrganisationforEconomicCo-operationandDevelopment),andLauraArd(WorldBank). MerylinCoombsandGraceSone(FSBSecretariat)providedsupporttotheteamandcontributedtothepreparationofthepeerreviewreport. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    10. P age |10 Executivesummary Therecentglobalfinancialcrisisexposedanumberofgovernanceweaknessesthatresultedinfirms’failuretounderstandtheriskstheyweretaking. Inthewakeofthecrisis,numerousreportspaintedafairlybleakpictureofriskgovernanceframeworksatfinancialinstitutions,whichconsistsofthethreekeyfunctions: Theboard,thefirm-wideriskmanagementfunction,andtheindependentassessmentofriskgovernance. Thecrisishighlightedthatmanyboardshaddirectorswithlittlefinancialindustryexperienceandlimitedunderstandingoftherapidlyincreasingcomplexityoftheinstitutionstheywereleading. Toooften,directorswereunabletodedicatesufficienttimetounderstandthefirm’sbusinessmodelandtoodeferentialtoseniormanagement. Inaddition,manyboardsdidnotpaysufficientattentiontoriskmanagementorsetupeffectivestructures,suchasadedicatedriskcommittee,tofacilitatemeaningfulanalysisofthefirm’sriskexposuresandtoconstructivelychallengemanagement’sproposalsanddecisions. Theriskcommitteesthatdidexistwereoftenstaffedbydirectorsshorton bothexperienceandindependencefrommanagement. Theinformationprovidedtotheboardwasvoluminousandnoteasilyunderstoodwhichhamperedtheabilityofdirectorstofulfiltheirresponsibilities. Moreover,mostfirmslackedaformalprocesstoindependentlyassesstheproprietyoftheirriskgovernanceframeworks. Withouttheappropriatechecksandbalancesprovidedbytheboard,theriskmanagementfunction,andindependentassessmentfunctions,a InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    11. P age |11 cultureofexcessiverisk-takingandleveragewasallowedtopermeateintheseweaklygovernedfirms. Further,withtheriskmanagementfunctionlackingtheauthority,statureandindependencetoreininthefirm’srisk-taking,theabilitytoaddressanyweaknessesinriskgovernanceidentifiedbyinternalcontrolassessmentandtestingprocesseswasobstructed. Thepeerreviewfoundthat,sincethecrisis,nationalauthoritieshavetakenseveralmeasurestoimproveregulatoryandsupervisoryoversightofriskgovernanceatfinancialinstitutions. Thesemeasuresincludedevelopingorstrengtheningexistingregulationorguidance,raisingsupervisoryexpectationsfortheriskmanagementfunction,engagingmorefrequentlywiththeboardandmanagement,andassessingtheaccuracyandusefulnessoftheinformationprovidedtotheboardtoenableeffectivedischargeoftheirresponsibilities. Nonetheless,moreworkremains;nationalauthoritiesneedtostrengthentheirabilitytoassesstheeffectivenessofafirm’sriskgovernance,andmorespecificallyitsriskculturetohelpensuresoundriskgovernancethroughchangingenvironments. Supervisorswillneedtoundergoasubstantialchangeinapproachsinceassessingriskgovernanceframeworksentailsforminganintegratedviewacrossallaspectsoftheframework. Thepeerreviewalsoaskedsupervisorstoevaluateprogressmadebytheirsurveyedfirm(s)towardenhancedriskgovernanceinsevenareas. Toprovidesomeconsistencytothisexercise,thereviewteamdevelopedhigh-levelcriteriatoassistsupervisoryevaluationsoffirms’progress,drawingfromacompilationofrelevantprinciples,recommendationsandsupervisoryguidance. Thehigh-levelcriteriawereviewedasfundamentalprerequisitesforriskgovernanceframeworks. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    12. P age |12 • Thisevaluationfoundthatmanyofthebestriskgovernancepracticesatsurveyedfirmsarenowmoreadvancedthannationalguidance. • Thisoutcomemayhavebeenmotivatedbyfirms’needtoregainmarketconfidenceratherthanregulatoryrequirements. • Firmshavemadeparticularprogressin: • assessingthecollectiveskillsandqualificationsoftheboardaswellastheboard’seffectivenesseitherthroughself-evaluationsorthroughtheuseofthirdparties; • institutingastand-aloneriskcommitteethatiscomposedonlyofindependentdirectorsandhavingacleardefinitionofindependence; • establishingagroup-widechiefriskofficer(CRO)andriskmanagementfunctionthatisindependentfromrevenue-generatingresponsibilitiesandhasthestature,authorityandindependencetochallengedecisionsonriskmadebymanagementandbusinesslines;and • integratingthediscussionsamongtheriskandauditcommittees • throughjointmeetingsorcross-membership. • Althoughmanysurveyedfirmshavemadeprogressinthelastfewyears,significantgapsremain,relativetothecriteriadeveloped,particularlyinriskmanagement. • Therewerealsodifferencesinprogressacrossregionswithfirmsinadvancedeconomieshavingadoptedmoreofthedesirableriskgovernancepractices. • Theresultsofthesupervisoryevaluationsweregroupedby: • allsurveyedfirms; • firmsidentifiedbytheFSBandBaselCommitteeonBankingSupervision(BCBS)asglobalsystemicallyimportantfinancialinstitutions,orG-SIFIs;and InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    13. P age |13 • (iii)firmsthatresideinadvancedeconomies(AEs)oremergingmarket anddevelopingeconomies(EMDEs). • Insummary,acrossthesevenareasevaluated,firmshavemadethemostprogressindefiningtheboard’sroleandresponsibilities,andreasonableprogressintheirapproachtoriskgovernanceandtheindependentassessmentofriskgovernance. • Thesupervisoryevaluations,however,indicatethatsurveyedfirmsshouldcontinuetoworktowarddefiningtheresponsibilitiesoftheriskcommitteeandstrengtheningtheirriskmanagementfunctionsasnearly 50percentofsurveyedfirmsdidnotmeetalloftheevaluationcriteriain theseareas. • Bytypeofinstitution,surveyedG-SIFIsaremoreadvancedthanotherfinancialinstitutionsindefiningtheresponsibilitiesoftheboardandriskcommittee,conductingindependentassessmentsofriskgovernance,providingrelevantinformationtotheboardandriskcommittee,andtosomeextentmoreadvancedintheriskmanagementfunction. • Theseresultssupportthefindingthatthefirmsintheregionshardesthitbythefinancialcrisishavemadethemostprogress. • Meanwhile,supervisoryevaluationsoffirmsthatresideinEMDEsshowthatnearly65percentdidnotmeetallofthecriteriafortheriskmanagementfunction. • Thesegapsneedimmediateattentionbybothsupervisorsandfirms. • Othersignificantfindingscomingoutofthereviewincludethefollowing: • Nationalauthoritiesdonotengageonasufficientlyregularandfrequentbasiswiththeboard,riskcommitteeandauditcommittee. • Severaljurisdictionsholdsuchmeetingsonlyonceayearoronanas-neededbasis. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    14. P age |14 • GoodprogresshasbeenmadetowardelevatingtheCRO’sstature,authority,andindependence. • Inmanyfirms,theCROhasadirectreportinglinetothechiefexecutiveofficer(CEO)andarolethatisdistinctfromotherexecutivefunctionsandbusinesslineresponsibilities(e.g.,no“dual-hatting”). • Thiselevation,however,needstobesupportedbytheinvolvementoftheriskcommitteeinreviewingtheperformanceandsettingtheobjectivesoftheCRO,ensuringthattheCROhasaccesstotheboardandriskcommitteewithoutimpediment(includingreportingdirectlytotheboard/riskcommittee),andfacilitatingperiodicmeetingswithdirectorswithoutthepresenceofexecutivedirectorsorothermanagement. • Moreworkisneededonthepartofbothnationalauthoritiesandfirmsonestablishinganeffectiveriskappetiteframework(RAF). • Assessingafirm’sRAFisachallengingtaskthatrequiresgreaterclarityandanelevatedlevelofconsistencyamongnationalauthorities. • Supervisoryexpectationsfortheindependentassessmentofinternalcontrolsystemsbyinternalauditorotherindependentfunctionwerewell-establishedpriortothecrisis. • Assuch,thisisanareathatdemonstratedrelativelysoundpracticesacrosstheFSBmembershipatbothnationalauthoritiesandfirms. • However,nojurisdictionhadspecificexpectationsforinternalaudittoperiodicallyprovideafirm-wideassessmentofriskmanagementorriskgovernanceprocesses. • Nearlyallfirmshaveanindependentchiefauditexecutive(CAE)whoreportsadministrativelytotheCEOandtheauditcommitteechairandwhodirectlyreportsauditfindingstoapermanentauditcommittee. • However,thereisstillroomforimprovingtheCAE’saccesstodirectorsbeyondthoseontheauditcommittee. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    15. P age |15 Drawingfromthefindingsofthereview,includingdiscussionswithindustryorganisationsaswellasriskcommitteedirectorsandCROsofseveralfirmsthatparticipatedinthereview,thereportidentifiessomeofthebetterpracticesexemplifiedbynationalauthoritiesandfirmstocollectivelyformalistofsoundriskgovernancepractices. Italsodrawsonsomeoftherelevantprinciplesandrecommendationsforriskgovernancepublishedbyotherorganisationsandstandardsettingbodies. Noonesingleauthorityorfirm,however,demonstratedallofthesesound practices. Thisintegratedandcoherentlistofsoundpracticesaimstohelpnational authoritiestakeamoreholisticapproachtoriskgovernance,ratherthanlookingateachfacetinisolation,andmayprovideabasisfor considerationbyauthoritiesandstandardsettingbodiesastheyreviewtheirguidanceandstandardsforstrengtheningriskgovernancepractices. Thereviewsetsoutseveralrecommendationstoensuretheeffectivenessofriskgovernanceframeworkscontinuetoimprovebytargetingareaswheremoresubstantialworkisneeded. Whilethereviewfocusedonbanksandbroker-dealersthataresystemicallyimportant,theserecommendationsapplytoothertypesoffinancialinstitutions,includinginsurersandfinancialconglomerates. Recommendations: 1.Toensurethatfirms’riskgovernancepracticescontinuetoimprove,FSBmemberjurisdictionsshouldstrengthentheirregulatoryandsupervisoryguidanceforfinancialinstitutions,inparticularforSIFIs,and devoteadequateresources(bothinskillsandquantity)toassesstheeffectivenessofriskgovernanceframeworks. Inparticular,nationalauthoritiesshouldconsiderthefollowingsoundriskgovernancepractices: InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    16. P age |16 Setrequirementsontheindependenceandcompositionofboards,includingrequirementsonrelevanttypesofskillsthattheboard,collectively,shouldhave(e.g.,riskmanagement,financialindustryexpertise)aswellasthetimecommitmentexpected. Holdtheboardaccountableforitsoversightofthefirm’sriskgovernanceandassessifthelevelandtypesofriskinformationprovidedtotheboardenableeffectivedischargeofboardresponsibilities. Boardsshouldsatisfythemselvesthattheinformationtheyreceivefrommanagementandthecontrolfunctionsiscomprehensive,accurate,completeandtimelytoenableeffectivedecision-makingonthefirm’sstrategy,riskprofileandemergingrisks. Thisincludesestablishingcommunicationproceduresbetweentheriskcommitteeandtheboardandacrossotherboardcommittees,mostimportantlytheauditandfinancecommittees. SetrequirementstoelevatetheCRO’sstature,authority,andindependenceinthefirm. ThisincludesrequiringtheriskcommitteetoreviewtheperformanceandobjectivesoftheCRO,ensuringtheCROhasunfetteredaccesstotheboardandriskcommittee(includingadirectreportinglinetotheboardand/orriskcommittee),andexpectingtheCROtomeetperiodicallywithdirectorswithoutexecutivedirectorsandmanagementpresent. TheCROshouldhaveadirectreportinglinetotheCEOandadistinct rolefromotherexecutivefunctionsandbusinesslineresponsibilities(e.g.,no“dual-hatting”). Further,theCROshouldbeinvolvedinactivitiesanddecisions(fromariskperspective)thatmayaffectthefirm’sprospectiveriskprofile(e.g.,strategicbusinessplans,newproducts,mergersandacquisitions,internalcapitaladequacyassessmentprocess,orICAAP). InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    17. P age |17 Requiretheboard(orauditcommittee)toobtainanindependentassessmentofthedesignandeffectivenessoftheriskgovernanceframeworkonanannualbasis. Engagemorefrequentlywiththeboard,riskcommittee,auditcommittee,CEO,CRO,andotherrelevantfunctions,suchastheCFO,toassessthefirm’sriskculture(e.g.,the“toneatthetop”),whetherdirectorsprovideeffectivechallengetomanagement’sproposalsanddecisions,andwhethertheriskmanagementfunctionhastheappropriateauthoritytoinfluencedecisionsthataffectthefirm’sriskexposures. Therelevantstandardsettingbodies(e.g.,BCBS,IAIS,IOSCO,OECD)shouldreviewtheirprinciplesforgovernance,takingintoconsiderationthesoundriskgovernancepracticeslistedinSectionV. Riskcultureplaysacriticalroleinensuringeffectiveriskgovernanceenduresthroughchangingenvironments. TheFSBSupervisoryIntensityandEffectivenessgrouphasagreedtoimplementtherecommendationfromthe2012FSBprogressreportonenhancedsupervisiontoexplorewaystoformallyassessriskculture,particularlyatG-SIFIs. ThisworkshouldbecompletedbySeptember2013. Toimprovetheirabilitytoassessfirms’progresstowardmoreeffectiveriskmanagement,nationalauthoritiesshouldprovideguidanceonthekeyelementsthatareincorporatedineffectiveriskappetiteframeworks. Toenablefirmstodefineframeworkswithaminimumamountofcomparabilitydespitetheirfirm-specificnature,acommonnomenclaturefortermsusedinriskappetitestatements(e.g.,“riskappetite”,“riskcapacity”,“risklimits”)shouldbeestablished. TheFSBSupervisoryIntensityandEffectivenessgroup,incollaborationwithrelevantstandardsetters,hasagreedtofinalisethisworkbytheendof2013. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    18. P age |18 • TheFSBshouldconsiderlaunchingafollow-upreviewonriskgovernanceafter2016(i.e.,aftertheG-SIFIpolicymeasuresbegintobephasedin),toassessnationalauthorities’implementationoftherecommendationstostrengthentheirsupervisoryguidanceandoversightofriskgovernance. • ThereviewalsoshouldincludetheG-SIFIsidentifiedin2014bytheFSBincollaborationwiththeBCBSandIAIS. • Introduction • IncreasingtheintensityandeffectivenessofsupervisiontoreducethemoralhazardposedbySIFIsisakeycomponentoftheFSB’spolicymeasures,endorsedbyG20Leaders. • Sincetheonsetoftheglobalcrisis,supervisorshaveintensifiedtheiroversightoffinancialinstitutions,particularlySIFIs,soastoreducetheprobabilityoftheirfailure. • Specifically,supervisoryexpectationsofriskmanagementfunctionsandoverallriskgovernanceframeworkshaveincreased,asthiswasanareathatexhibitedsignificantweaknessesinmanyfinancialinstitutionsduringtheglobalfinancialcrisis. • Whilesupervisorsareresponsibleforassessingwhetherafirm’sriskgovernanceframeworkandprocessesareadequate,appropriateandeffectiveformanagingthefirm’sriskprofile,thefirm’smanagementisresponsibleforidentifyingandmanagingthefirm’srisk. • InOctober2011,theFSBagreedtoconductathematicpeerreviewonriskgovernancetoassessprogresstowardenhancingpracticesatnational authoritiesandfirms(banksandbroker-dealers). • Forpurposesofthisreview,riskgovernancecollectivelyreferstotheroleandresponsibilitiesoftheboard,thefirm-wideCROandriskmanagementfunction,andtheindependentassessmentoftheriskgovernanceframework(seeChart2). InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    19. P age |19 • Boardresponsibilitiesandpractices:Theboardisresponsibleforensuringthatthefirmhasanappropriateriskgovernanceframeworkgiventhefirm’sbusinessmodel,complexityandsizewhichisembeddedintothefirm’sriskculture. • Howboardsassumesuchresponsibilitiesvariesacrossjurisdictions. • Firm-wideriskmanagementfunction:TheCROandriskmanagementfunctionareresponsibleforthefirm’sriskmanagementacrosstheentireorganisation,ensuringthatthefirm’sriskprofileremainswithintheriskappetitestatement(RAS)asapprovedbytheboard. • Theriskmanagementfunctionisresponsibleforidentifying,measuring,monitoring,andrecommendingstrategiestocontrolormitigaterisks,andreportingonriskexposuresonanaggregatedanddisaggregated basis. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    20. P age |20 • Independentassessmentoftheriskgovernanceframework:Theindependentassessmentofthefirm’sriskgovernanceframeworkplaysacrucialroleintheongoingmaintenanceofafirm’sinternalcontrols,riskmanagementandriskgovernance. • Ithelpsafirmaccomplishitsobjectivesbybringingadisciplinedapproachtoevaluateandimprovetheeffectivenessofriskmanagement,controlandgovernanceprocesses. • Thismayinvolveinternalparties,suchasinternalaudit,orexternalresourcessuchasthird-partyreviewers(e.g.,auditfirms,consultants). • Thepeerreviewdidnotfocusonotherrelevantdimensionsofriskgovernance,suchasriskdisclosuresandfirm-widecompensation practices(sincetheseareashavebeencoveredbypreviousFSBpeerreviews)orriskdataaggregationcapabilitiesatbanks(sincethistopicisbeingcoveredbyataskforceoftheBCBS. • Separately,theInternationalAssociationofInsuranceSupervisors(IAIS)launchedapeerreviewattheendof2012againstitsCorePrinciplesongovernanceandriskmanagementandinternalcontrols. • Thereiscurrentlynosinglesetofprinciplesandstandardsthatcomprehensivelyaddressesandintegratesriskgovernancerequirements;however,anumberofdifferentstandardsandrecommendationsongoodgovernanceframeworksarerelevant. • Thereviewthereforedidnotassesscompliancewithanyspecificstandard,butusedacompilationofexistingstandardsandrecommendations(asappropriate)totakestockofriskgovernancepracticesatbothnationalauthoritiesandfirms,andtoidentifyanygapstherein. • Supervisorswereaskedtoevaluatefirms’progressandthereviewteamdevelopedhigh-levelcriteriatoprovidesomeconsistencytothisexercise. • ThefindingsofthereviewwerebasedontheresponsestoquestionnairesfromFSBmemberjurisdictions11andfromthe36banksand InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    21. P age |21 broker-dealersthatFSBmembersdeemedassignificantforthepurposeofthereview. SectionIItakesstockofnationalauthorities’initiativestostrengthenoversightoffirms’riskgovernanceframeworksanddescribestherangeofsupervisorypracticesinfourbroadareas: Theboardanditscommittees; Thefirm-wideriskmanagementfunction,includingtheCRO; Theindependentassessmentofthefirm-wideriskmanagementframeworkbyinternalauditand/orthirdparties;and Thesupervisoryassessmentofriskgovernanceframeworks. SectionIIIexaminesriskgovernancepracticesatsurveyedfirmsandthechangesmadesincethefinancialcrisis. Inadditiontotheresponsestothequestionnaire,thefindingsdrawontheoutcomesofdiscussionswithindustryorganisationsaswellasriskcommitteedirectorsandCROsofseveralfirmsthatparticipatedinthereview. Nationalsupervisorswereaskedtoassessfirms’progresstowardenhancingkeyriskgovernancefunctions,aswellastheaccuracyandcompletenessoftheresponsesprovidedbyfirmsheadquarteredintheirjurisdiction. SectionIVsetsouttheconclusionsandrecommendationsdrawnfromthefindingsofthereview,whichisfollowedbyalistofsoundriskgovernancepracticesthatencompassanoverlayofsupervisoryexpectationsforsound practicesatfirms. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    22. P age |22 • II.Nationalauthorities’oversightofriskgovernancepractices • Sincethefinancialcrisis,nationalauthoritieshaveincreasedtheirsupervisoryfocusonriskgovernance,whichisacriticalelementforpromotingamoreresilientfinancialsystem. • Underpinningtherangeofreformsistheissuancein2010oftheBCBSPrinciplesforEnhancingCorporateGovernanceandtheOECDpublicationonCorporateGovernanceandtheFinancialCrisis–ConclusionsandEmergingGoodPractices. • Someofthenotablechangesembeddedinregulatoryandsupervisoryguidanceinclude: • introducingexplicitrequirementsfortheestablishmentofariskcommittee; • conveyingexpectationstostrengthentheriskmanagementfunction, • includingthestatureandqualificationsoftheCRO; • introducingadditionalrequirementsforriskgovernanceatSIFIs; • enhancingthemandateandresourcesofsupervisoryauthoritiesinrelationtoriskgovernanceoversight; • increasingtheintensityofengagementbetweenthesupervisorandtheboardandseniormanagementonriskgovernanceissues;and • adjustingthesupervisoryriskassessmentprocess,particularlyincreasingthefocusonriskgovernanceacrossdifferentbusinessmodels. • AnnexCprovidesmoredetailsontheinitiativesFSBmembershavetakentostrengthenoversightofriskgovernancepractices,includingimplementationofotherrelevantprinciplessuchastheFSBprinciplesforsoundcompensationpracticesandrecommendationsputforwardinthe 2009reportbytheSeniorSupervisorGroup(SSG)onriskmanagementpracticesduringthefinancialcrisis. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    23. P age |23 • Whilesupervisoryguidancehasimproved,progresshasbeenunevenacrossthefunctionsthatcollectivelyformtheriskgovernanceframework. • Basedonthefindingsfromthereview,someareaswheremoresupervisoryrequirementsand/orguidancewouldbeusefulinclude: • Acleardefinitionofindependencewhichisseparatefromnon-executivedirector; • Theestablishmentofastand-aloneriskcommitteethatiscomposedofindependentdirectors; • Thelevelandtypesofriskinformationfirmsshouldprovideaswellasthefrequencyofriskreporting; • Thekeyfeaturesofaneffectiveriskappetiteframeworktohelpsupervisoryevaluations;and • Thewaysinternalauditcanprovidefeedbackonwhetherafirm’sriskgovernanceprocessesarekeepingpacewithtrendsand/oralignwith bestpractices. • Thenextfoursub-sectionssummariseexistingsupervisoryexpectationsforthethreekeyriskgovernancefunctionsandexamineauthorities’approachestoassessingtheimplementationofsupervisoryexpectations. • 1.Theboardanditscommittees • RegulatoryandsupervisoryguidancespecifyingtheroleandresponsibilitiesoftheboardareprevalentacrosstheFSBmembership,includingamongotherthingsforriskgovernance. • Akeyresponsibilityoftheboardistoapprovethefirm’soverallbusinessstrategyandRAF. • Assuch,theboardhasultimateresponsibilityforthefirm’sriskmanagement,includingsettingtheriskcultureofthefirmandoverseeingmanagement’simplementationoftheagreedbusinessstrategy. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    24. P age |24 Toensurethatboardsarefocusedonthehigher-levelstrategicandriskissues,supervisorsareengagingmorefrequentlywiththeboardinparticularwithindependentdirectors. Thedefinitionofwhatconstituteseffectiveriskgovernanceisevolving,however,supervisorshighlighttheimportanceoftheboardsettingthe“toneatthetop”inregardtothefirm’sstrategyandriskcultureandchallengingmanagementontheadherencetotheagreedriskappetite. 1.1Boardcomposition Theleadershipstructuretooverseethefirm’sriskmanagementvariesacrossjurisdictions. Mostjurisdictionsrequiretheestablishmentofapermanentauditcommittee,whichhasalongerhistorythanotherboardsub-committees,drivenbyrequirementsfromsecuritiesregulatorstoprovideassurancetothequalityofthefinancialinformationprovidedbyregisteredfinancialinstitutions. Assuch,morespecificregulatoryandsupervisoryrequirementsforthecompositionandindependenceoftheauditcommitteearesetoutthanfortheriskcommittee. Forexample,anumberofjurisdictionsrequiretheauditcommitteetocompriseamajorityofindependentornon-executivedirectors,severaljurisdictionsrequiretheauditcommitteechairtobeindependent(orinsomecasesanon-executive),andinafewjurisdictionstheparticipationofthechairoftheboardisrestricted. Theestablishmentofastand-aloneriskcommitteeislessprevalentandtherequirementtypicallyappliestolarge,complexfinancialinstitutions(e.g.,firmswithmanylegalentitiesand/orcross-borderoperations). Wherestand-aloneriskcommitteesexist,severaljurisdictions19requireriskcommitteememberstohaveexpertiseinrisk-relateddisciplinesandonlyafewjurisdictionsrequireaminimumnumberofindependentdirectors. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    25. P age |25 • InHongKong,however,forthcomingchangeswillrequireall,orthemajority,ofthemembersoftheriskcommitteetobenon-executivedirectors. • AnnexDprovidesfurtherdetailsontheregulatoryandsupervisoryguidanceforthecompositionoftheboardandsub-committees,butsomeofthekeyfeaturesinclude: • Independence:Manyjurisdictionshaveestablishedgeneralrequirementsconcerningtheindependenceoftheboardtoensurethat thereisobjectivejudgementanddecision-makingontheboard. • Manyjurisdictionsalsosetoutquantitativeminimumsforthenumberofindependentdirectorsontheboard. • Someotherjurisdictionsonlysetquantitativeminimumsforthenumberofnon-executivedirectorswhichdoesnotnecessarilyensureindependentjudgementontheboard. • Expertise:Regardlessoftheboardstructure,theboardneedstocomprisememberswhocollectivelybringabalanceofexpertise,skills,experienceandperspectiveswhileexhibitingtheobjectivitytoensuredecisionsarebasedonsoundjudgementandthoughtfuldeliberations. • Manyjurisdictionsconductperiodicreviewsoftheperformance,training andskillsneededintheboardandriskcommittee. • Requiringspecificskillsforalldirectorsareacommonpractice(usuallysubsumedin“fitandproper”tests)andtypicallyincluderelevantknowledge,experienceandskillsinfinanceand/orbusiness. • Severaljurisdictionsnotonlylookatindividualqualificationsbutalsotakeaholisticviewoftheboard,examiningtheircollectiveskillsandqualifications. • Inadditiontohavingcertainskillsandqualifications,somejurisdictionsrequiredirectorstohavethecapacitytodedicatesufficienttimeand InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    26. P age |26 energyinreviewinginformationanddevelopinganunderstandingofthekeyissuesrelatedtothefirm’sactivities. 1.2Governanceoftheboard Fortheboardtoeffectivelysuperviseandmanagethefirm’sadherencetotheagreedbusinessstrategyandriskappetite,directorsshouldbeprovidedandhaveaccesstocomprehensiveinformationaboutthefirm’srisks. Thisinvolvesensuringtherearecommunicationandreportingproceduresacrossboardsub-committees,andseveralnationalauthoritiessetoutsuchrequirementsintheirguidance(seeAnnexE). However,thereislittlesupervisoryguidanceprovidedonthelevelandtypesofriskinformationfirmsshouldprovideaswellasthefrequencyofriskreporting. Importantly,theriskmanagementreportsprovidedtotheboardshouldcontributetosoundriskmanagementanddecision-making. Theboardanditscommittees,however,shouldnotjustrelyontheinformationmanagementreportsprovided. Theyshouldconsiderifthereisaneedforadditionalrisk-relatedinformationwhichshouldbemadeavailabletothemwhenneeded. Onlyafewjurisdictions,however,requiretheboardtohavesuchaccess. 2.Thefirm-wideriskmanagementfunction Sincethefinancialcrisis,nationalauthoritieshaveintensifiedtheiroversightoffirms’riskmanagementpracticesandraisedtheirexpectationsforwhatisconsideredstrongriskmanagement,whichisintegraltothecorebusinessofafinancialinstitution. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    27. P age |27 • Thefailuretohaveastrong,independentriskmanagementfunctioncanleadtoill-informedboardsandseniormanagementteamsaswellasimprudentdecisions. • Theriskmanagementfunctionshouldberesponsibleforthefirm’sriskmanagementframeworkacrosstheentireorganisation,ensuringthatthefirm’srisklimitsareconsistentwiththeRASandthatrisk-takingremainswithinthoselimits. • Stresstestsandscenarioanalysesareviewedasausefultoolforidentifyingfirms’vulnerabilitiesanddevelopingriskmanagementstrategiestoaddresstherisksidentified. • Tofulfiltheseresponsibilities,riskmanagementfunctionsshouldbeled byaninfluentialandhighlyeffectiveCRO. • 2.1Governanceoftheriskmanagementfunction • SupervisorshaveincreasedtheirexpectationsfortheriskmanagementfunctionandareevaluatingtheCRO’sstature,authority,qualifications,andindependencewithinthefirm. • Asthecrisisdemonstrated,theseareprerequisitesfortheCROtobeabletoinfluencethefirm’srisk-takingactivitiesdirectlyandthroughtheriskmanagementfunction,andtoeffectivelyinformtheboardasrisksevolve,areidentified,andaretaken. • AnnexFprovidesmoreinformationonthegovernancearoundtheriskmanagementfunction,butsomesupervisorypracticesregardingtheCROfunctioninclude: • Independence:MostjurisdictionsrequiretheCROand/orriskmanagementfunctiontobeindependent;thatis,tohaveadistinctrolefromtheotherexecutivefunctions,revenue-generatingfunctionsand businesslineresponsibilities. • Stature:TheCROandriskmanagementfunctionshouldhavesufficientstatureintheorganisationtoinfluencethefirm’srisk-takingactivities. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    28. P age |28 • Inthisregard,somejurisdictionshavesupervisoryguidancethatrequirestheCROtoreportandhavedirectaccesstotheboard. • ToelevatetheCRO’sstature,SingaporeexpectsthedismissaloftheCROtobeapprovedbytheboard. • Authority:Toeffectivelyfulfilitsrole,manyjurisdictions30requiretheCROtohavetheauthoritytoinfluencedecisionsthataffectthefirm’sexposuretorisk,andseveraljurisdictionssetoutexplicitexpectationsfortheCROtobeabletochallengemanagement’srecommendationsanddecisionsandcommunicatedirectlywithseniormanagementandwiththeboard. • Qualifications:“Fitandproper”testsarecommonlyusedtoassessthequalificationsandcompetenciesoftheCROinmanyFSBmemberjurisdictions. • Inaddition,theappointmentoftheCROisapprovedbyauthoritiesinChina,Germany(iftheCROisamemberofthemanagementboard),andSingapore,whiletheUnitedKingdominterviewsCROcandidates. • ManyjurisdictionsevaluatetheCROthroughtheiron-goingsupervisoryprocesses. • 2.2Riskappetiteframework • Assessingafirm’sRAFisachallengingtaskthatrequiresgreaterclarityandanelevatedlevelofconsistencyamongnationalauthorities. • AtthecoreoftheRAFisthefirm’sRAS,whichhasbecomeaneffectivetoolforenhancingthediscussionsbetweensupervisorsandboardsaboutthefirm’sstrategicdirectionintermsofrisktaking. • However,akeychallengetowardassessingtheeffectivenessofafirm’sRASisalackofcommonterminologyforriskappetite,riskprofile,andriskcapacityusedwithinfirms,acrossfirmsandacrossnational authorities. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    29. P age |29 Thisisanareathatisdevelopinginmanyjurisdictions;forinstance,India,RussiaandSaudiArabiahavelookedatriskappetiteonlyincontextoftheBCBSICAAP,whileinCanada,FranceandtheUnitedStates,separateprocessesarecontinuingtobeputinplacetoassessfirms’RAFs,oftendrawingonassessmentcriteriaoutlinedintheworkoftheSSG. SupervisoryreviewsareunderwayinCanadaoffirms’integrationoftheirRAFwiththestrategic,financialandcapitalplanningprocessesandcompensationpractices. InHongKong,firms’riskappetiteisreviewedfromanintegratedfirm-wideperspectivetakingintoaccountallrisks(financialand non-financial). Thesupervisordetermineswhetherthefirm’sRASiscomprehensiveandincludestheappropriaterisktargetsthatareconsistentwitheachother. ThesupervisorwillalsodeterminewhethertheRAShasawiderangeofmeasuresandactionableelementsandwhetherrobustproceduresandcontrolsareinplaceforthesettingandmonitoringoftheagreedrisk appetite. NationalauthoritiesinSingaporeassessannuallyfirms’linkbetweenriskappetite,strategicobjectives,capitalplanningandoperationalbudgetplanning. Supervisorsalsoreviewthefirm’sprogressinthetranslationofriskappetiteintolimitsandtriggersbyrisktype,aswellastheirmonitoring andreportingprocedures. InSwitzerland,supervisorsregularlyreviewtherisklimitframeworksandtheremustbeanestablishedlinkbetweenthelimitsandthestrategy. 2.3Stresstesting Theobjectiveofstresstestsandscenarioanalysesistoassesstheunanticipatedlossesthatafirmmayincurundercertainstressscenarios InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    30. P age |30 andtheimpactthatmayhaveonitsbusinessplans,riskmanagementstrategiesorcapitalplans. Theuseofstresstestsinfirms’riskgovernanceandcapitalplanninghasincreasedinrecentyearswiththeresultsservingasaninputintothefirm’sstrategicdecision-making. Asfirmsareincreasinglylinkingstresstestresultstoriskappetite,ICAAP,contingencyplanning,andrecoveryandresolutionplans,supervisoryapproachestostresstestingareevolvingaccordingly. InCanada,supervisorsassesswhetherchosenscenariosareappropriatefortheportfoliooftheinstitution,includingsevereshocksandperiodsofsevereandsustaineddownturns,andwhererelevant,anepisodeofmarketturbulenceorashocktomarketliquidityandwhetherthefrequencyandtimingofstresstestingissufficienttosupporttimelymanagementaction. Similarly,supervisorsinHongKongassessthecoverageofstresstestsandthetypesofstressscenariosandparameterschoseninrelationtothefirm’srisktolerance,overallriskprofileandbusinessplan;appropriatenessofassumptions;adequacyofpoliciesandprocedures;theadequacyofthefirm’scontingencyplanningforactiontobetakenshouldaparticularstressscenariohappen;thelevelofoversightexercisedbytheboardandseniormanagementonthestress-testingprogramandresultsgenerated;andtheadequacyofthefirm’sinternalreviewandauditofitsstress-testingprogram. Indeed,supervisoryattentionnowincludesboththeoutcomesofstresstestsandtheeffectivenessofthefirms’stresstestingprocesses. Forinstance,Singapore,SwitzerlandandUnitedKingdomhavededicatedteamstoreviewstresstestingpracticesatfirms,andChina,Germany,andHongKongexpectfirms’internalauditfunctionstoassesstheeffectivenessofriskmanagementsystemsingeneral,includingstresstests. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    31. P age |31 • 3.Independentassessmentoffirms’riskgovernanceframework • Stronginternalcontrolsystemsareakeyelementofsoundriskgovernance. • Theboardisresponsibleforoverseeingtheimplementationofan effectiveriskgovernanceframework,andassuch,shoulddirectlyoverseetheindependentassessmentprocess. • Anassessmentthatisindependentfromthebusinessunitandtheriskmanagementcontrolfunctioncanassisttheboardinjudgingwhethertheriskgovernanceframework,internalcontrolsandoversightprocessesareoperatingasintended. • Thismaybeperformedbyinternalauditorbythirdpartiessuchasauditfirmsorconsultants. • Regardlessoftheapproach,itiscriticalthattheassessmentresultinanoverallopiniononthedesignandeffectivenessoftheriskgovernanceframeworkandbeperformedbyindividualswiththeskillsneededtoproduceareliableassessment. • Currently,auditfunctionsatonlyafewfirmsprovideoverallopinionsregardingtheriskgovernanceframework. • 3.1Internalaudit • AcrosstheFSBmembership,regulatoryorsupervisoryexpectationsexistforinternalaudit. • AnnexGprovidesacomparisonofkeyregulatoryandsupervisoryexpectationswiththemostnotableelements,including: • Independence:Nearlyalljurisdictions38requirefirmstohaveapermanentinternalauditfunctionthatisindependentfrombusinesslines,supportfunctions(e.g.,treasury,legal),andriskmanagement. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    32. P age |32 • Firmsarealsorequiredtoexplicitlylinktheindependenceofinternal audittoauditorcompensationorcareerplans. • Regardlessofthedirectreportinglines,mostjurisdictionsexpectinternal audittohaveunfetteredaccesstotheboardwhenreportinginternalauditresults. • Stature:Severaljurisdictionsexpectinternalaudittoreportdirectlytotheboard,acommitteethereof,oranindependentdirector. • ThedirectreportingrelationshipinvolvestheresponsiblepartydeterminingtheCAE’scompensation,completingtheCAE’sannualperformanceevaluation,approvingtheCAE’sbudget,and/orotherwiseensuringtheCAEisnotundulyinfluencedbytheCEOorothermembersofthemanagementteam. • WhiletheCAEmayreporttotheCEOonday-to-dayadministrativematters,allsubstantivedecisionsregardingtheCAEandinternalauditfunctionaremadeattheboardlevel. • InSingapore,HongKong,andIndonesia,thedismissaloftheCAErequirestheauditcommittee’sapproval. • Qualifications:AllFSBmembershaveestablishedrequirementsorexpectationsfortheCAEandinternalauditstafftohavetheskillsnecessarytoeffectivelycarryouttheirduties. • Supervisoryassessmentsgenerallyconsiderthetechnicalknowledge,experience,andcharacterofindividualswithintheinternalauditfunction. • Scope,coverage,andfrequency:Manyjurisdictions41expectinternal audittoassessand/oropineonriskmanagementorriskgovernanceprocesses,aswellasinternalcontrols. • Expectationsforthescope,coverage,andfrequencyofsuchassessmentsvarywidely. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    33. P age |33 • However,almostalljurisdictionsexpectinternalaudittoassesstheorganisationandmandatesoftheriskmanagementfunction(s)andtheadequacyofsystemsandprocessesforassessing,controlling,respondingto,andreportingthefirm’srisks. • Nojurisdictionindicatedthatitexpectsinternalaudittoperiodicallyprovideafirm-wideassessmentofriskmanagementorriskgovernanceprocesses. • Riskappetiteframework:Manyjurisdictionsexpectinternalaudittoassesscompliancewiththeboard-approvedriskappetite. • IntheUnitedKingdom,internalauditisexpectedtoensurethatproceduresareinplacetoreportbreachesinthefirm’sriskappetitetotheboard. • Benchmarking:Mostjurisdictionsindicatethatinternalauditshouldbeawareofindustrytrends/bestpracticesandthatauditorsshouldconsidersuchknowledgewhenconductingtheirwork. • However,nojurisdictionhadspecificexpectationsforinternalaudittoopineonwhetherafirm’sriskgovernanceprocessesarekeepingpacewithtrendsand/oralignwithbestpractices. • Remediationprocess:Thereisawiderangeofexpectationsforinternal audittofollow-uponremedialactionstoaddressmaterialdeficienciesandseveraljurisdictionsexpectinternalaudittoreporttheresultsofitsfollow-upactivitiestotheboard. • Nearlyalljurisdictionsindicatedthattheyrequiresomeformoffollow-upandreporting. • Chiefauditexecutive:AlljurisdictionsindicatethatsupervisorsconsidertheCAE’sperformancewhenassessingthequalityofinternalaudit. • Suchassessmentsmaybeperformedoff-site,withinon-siteinspections,and/orthroughregularmeetingswiththeCAEandinternalauditstaff. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    34. P age |34 InSaudiArabia,theappointmentoftheCAErequiresa“noobjection”fromthecentralbank,andinIndonesia,banksarerequiredtoreporttobanksupervisorstheappointmentanddismissaloftheirCAE. 3.2Thirdparties Employingthirdpartiescouldhelptoenhancethequalityoffirms’independentassessmentsbyprovidinganunbiasedopinionofafirm’sriskgovernanceframeworkasmanyinternalauditfunctionsarestaffedwithindividualswhoseexperiencemaybelimitedtothepracticesemployedbyoneortwofirms. Inaddition,thirdpartiesoftenhaveabroaderunderstandingofleadingindustrypractices,especiallyinhighlytechnicalareas. Mostjurisdictionsallowtheuseofthirdpartiestoassessafirm’sriskgovernanceframework,andinChinaandtheNetherlands,theexternal auditoralsoassessestheeffectivenessoftheinternalauditfunction. Manyjurisdictionsappropriatelystipulatethroughregulationorguidancethat: Theuseofathirdpartydoesnotrelinquishtheboardormanagementfromultimateresponsibilityforensuringthereliabilityoftheindependentassessments,and Largeandcomplexfirmsshouldnotbecomeoverlyreliantonthird partiestoprovideexpertisethatshouldbedevelopedwithinthefirm’sinternalauditfunction. Francespecificallyrequiresthatoutsourcingarrangementsbeengagedandoverseenbyinternalaudittoensureindependenceandthatinternal auditmaintainsaccountabilityforthescope,coverage,andfrequencyofwork. Severaljurisdictions,however,restricttheuseofthirdparties. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    35. P age |35 Forinstance,inItaly,internalauditworkcanbeoutsourcedonlybysmallcreditinstitutionswithlimitedoperationalcomplexity. Meanwhile,inSouthAfricathecentralbankmustapproveanyoutsourcingactivity,andinKorea,theuseofthirdpartiestoassessafirm’sriskgovernanceframeworkisnotregulated. 4.Supervisoryapproachestowardassessingriskgovernanceframeworks Supervisorsplayacrucialroleinassessingtheadequacyofafirm’sriskgovernanceframeworkandthepracticesemployedbyafirmtoindependentlyassessitsframework. Supervisoryexpectationsforriskgovernancepracticesoutlinedabovearegenerallysetoutwithinthelegalframeworkthroughacombinationoflegislation,regulationandsupervisoryguidance;however,theapproachvariesconsiderablyacrossjurisdictions. AustraliaandCanadacomplementtheirstandardswithwrittenguidanceprovidedtotheindustrytoassistwiththeimplementationofprudentialrequirementsandadoptionofgoodpractices. Supervisoryapproachestowardassessingimplementationofregulatoryorsupervisoryguidanceencompassavarietyofsteps(e.g.,on-siteinspections,off-sitereviews,horizontalreviews). SupervisoryassessmentsgenerallyoccuratleastonceayearacrosstheFSBmembership,thoughinArgentinaassessmentstakeplaceevery18monthsandtheUnitedKingdomismovingfromabi-annualassessment towardasystemofcontinuoussupervision. Severaljurisdictionstakearisk-basedapproachtoon-siteexaminations,focusingonriskierinstitutions. IntheUnitedStates,nationalauthoritieshaveon-siteteamswithexpertisetoassessthegovernancepracticesatthelargestandmostcomplexbanksonarealtimebasis. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    36. P age |36 InChina,jointregulatorymeetingsareheldonaregularbasisbetweenthefirm’sheadoffice,itsbranches,andtheregulatoryauthoritywherethebranchesarelocated. Meetingswithdirectorsandseniormanagementprovideanotheravenuefornationalauthoritiestoassessfirms’riskgovernancepractices. AnnexHprovidesmoreinformationontheapproachestakentoassessingfirms’riskmanagementframeworks. Supervisorsreceiveawiderangeofriskreportsorinformationfromfirmsontheirriskmanagementpractices,includingfromexternalauditorsorotherthirdpartiesaswellassupportingdocumentationrequestedduringon-siteinspections. Standardisedfinancialandriskreportingareacommonpractice;however,thetypesofreportsorinformationprovidedvaries. Forinstance,inArgentina,newreportingrequirementswillrequestquantitativemeasuresforriskgovernanceandformalexposurelimitsfor eachofthesignificantrisksandstresstestinformation;inHongKongandelsewhere,regularprudentialreportingdataandadhocrequestsforpeergroupanalysisareutilised,e.g.,stresstestcapitalanalysisand horizontalcreditreviewsofcommon(problem)loanaccounts;andinCanadaandSingapore,supervisoryteamsworkwithriskspecialiststoidentifytrendsthatcantriggeradditionalinvestigationsorreviews. Nationalauthoritieshaveaccesstoabroadsetofsupervisorytoolstoincentivisefirmstoremediatedeficiencieswithintheirriskgovernanceframework,dependingontheseverityofthedeficiency. Thesetoolsincludemoralsuasion,capitalsurcharges,restrictionsoncertainbusinessactivities,imposingfinesandpenalties,andtheultimatepenaltyofwithdrawingbanklicences. Whilealargenumberofsupervisoryauthoritiescanuseanumberofthesetools,afewhavelimitedsupervisorypowerstoscalethesanctionbased InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    37. P age |37 • ontheseverityoftheinfraction,raisingconcernsovertheirabilityto effectivelyinterveneearlywherenecessarywhenrisksstarttosurface. • Moreover,eventhoughsomenationalauthoritieshavetheauthoritytoimposefines,thisisdifficulttoimplementinpractice,forinstance,duetocumbersomeprocessesorsupervisorslackingthewilltoact. • III.Firms’riskgovernancepractices • Thefinancialcrisisspurredfundamentalchangesinriskgovernancepracticesatfinancialinstitutions,andinmanycases,surveyedfirmsareaheadofregulatoryandsupervisoryguidance. • Ingeneral,surveyedfirmsthatweremostaffectedbythecrisishavemadethegreatestadvancements,perhapsnecessitatedbyaneedtore-gain marketconfidence. • Firmsthatwerelesstroubledfromthecrisis,however,haveincreasedtheintensityofthemeasuresthattheyhadinplacepre-crisis. • Someofthemostobviouschangesinclude: • ConsolidatingandraisingtheprofileoftheriskmanagementfunctionacrossbankinggroupsthroughtheestablishmentofagroupCRO,increasingthestatureandauthorityoftheCROandincreasingtheCRO’sinvolvementinrelevantinternalcommittees. • Changingthereportinglinesoftheriskmanagementfunctionsothat theCROnowreportsdirectlytotheCEOwhilealsohavingadirectlinktotheriskcommittee. • Intensifyingtheoversightofriskissuesattheboardthroughcreationofastand-aloneriskcommittee,supportedbygreaterlinkswiththeriskmanagementfunctionandotherrisk-relatedboardcommittees,particularlyauditandcompensationcommittees. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    38. P age |38 • Cross-membershipoftheauditcommitteeandriskcommitteeisnowquitecommon,withsomefirmsinvolving(oratleastinviting)thechairoftheboard,eventhefullboard,ontotheriskcommittee. • Thetimecommitmentofindependentdirectorshasincreasedconsiderablyoverthepastseveralyears. • Upgradingtheskillsrequirementsofindependentdirectorsontheriskcommitteeandexpectingthesememberstocommitmoretimetotheseendeavours. • Thecompositionofboardshaschangedconsiderablywithmany • non-executivedirectorsnowhavingfinancialindustryexperience;thedominanceofmembersfromindustrialcompaniesormajorshareholders • ismuchlessthanadecadeago. • Changingtheattitudetowardtheownershipofriskacrossthefirmwiththebusinesslinenowbeingmuchmoreaccountablefortheriskscreated bytheiractivitiesthanpreviously. • Inadditiontochangingthecompositionandimprovingthestrengthoftheboard,therehavebeenmajordevelopmentsinhowfirmsanalyserisksandtheassociatedtoolsutilisedsuchasRAFs,stresstestsandreversestresstesting. • Oneofthekeylessonsfromthecrisiswasthatreputationalriskwasseverelyunderestimated;hence,thereismorefocusonbusinessconductandthesuitabilityofproducts,e.g.,thetypeofproductssoldandwhotheyaresoldto. • Asthecrisisshowed,consumerproductssuchasresidentialmortgageloanscouldbecomeasourceoffinancialinstability. • Thenextfoursub-sectionssummarisethefindingsfromthesurveyedfirmsregardingthethreekeyriskgovernancefunctionsandprovideasummaryofthesupervisoryevaluationsoffirms’progress. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    39. P age |39 1.Theboardanditscommittees Theboardisresponsibleforensuringthatthefirmhasanappropriateriskgovernanceframeworkthatiscommensuratewiththefirm’sstrategy,complexityandsize. Theboard’sroleandresponsibilitiesforriskgovernancearegenerallydefinedintheboard’scharterandincludeapprovalofthefirm’sstrategyandoverseeingitsimplementation,settingouttheguidelinesandpoliciesforriskmanagement,andensuringthefirm’sinternalcontrolsarerobust. Theboardisalsoresponsibleforformulatingthemandateandresponsibilitiesofitscommitteessuchastheriskandauditcommittees. Forinstance,auditcommitteesshouldensurebusinessunitshaveeffectiveremediationplanstoaddressanycontrolweaknessesnotedbyinternalaudit. SomefirmshavedevelopedaCorporateGovernanceFrameworkorCodewhereallrulesregardingtheroles,responsibilitiesandoversightfunctionsoftheboardareassembled. Establishinganenterpriseorfirm-wideriskmanagementframeworkcanhelptoprovideanoverviewofriskpolicyarchitectureandprocess. Havingastand-aloneriskcommitteeisacommonpracticeeventhoughitisnotrequiredbyallnationalauthorities. Firmsgenerallyensurethattheriskcommittee,whichisresponsibleforoverseeingseniormanagement’simplementationoftheriskstrategy,coversalltherisksfacedatthefirm-widelevel,includingfinancialrisksaswellasoperational,compliance,legalandregulatoryrisks. RegularmeetingsareheldwithseniormanagementandtheCROtodiscussperformanceofthebusinessunitandcompliancewiththeRASandrisklimits. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    40. P age |40 Materialrisksarepresentedanddiscussedonbothanaggregatebasisandbytypeofrisk. Afewfirms,however,notedthechallengeofaggregatingrisksduetothecomplexityoftheorganisation,underscoringtheimportanceofriskcommitteesaddressinginformationchallengesarisingfromthecomplexityoflargefirms. Aneffectivegovernancestructurehasmeasurestopreventconcentrationofpowerandresponsibility,suchasrequiringanumberofindependentdirectors,representationofcertainskillsandqualificationsontheboard,andtheboardregularlyevaluatingitseffectiveness. Itiscommonforboardstohaveindependentdirectors;somefirmsestablishminimumquantitativerequirements,rangingfromaminimumofone-thirdtothree-quartersoftheboard. Mostfirmsprovideadefinitionofindependenceintheboard’scharter,whichisembeddedinthefirm’sgovernanceframework. Theriskcommitteeoftencomprisesonlyindependentdirectors. Thereisawiderangeofpracticeregardingthequalificationsformembersoftheboardandriskcommittee;onefirmhighlightedthattheskillsrequiredbytheboardareevolving,inpartreflectingtheriskstakenbythefirm. Somefirmsperformamatrixanalysisoftheexperienceandexpertiseofeachdirectortoidentifyskillsneededfromincomingdirectors. Thereisalsoawiderangeofpracticeinvolvinglimitationslinkedtoboardstructure,including: Thepreclusionofthechairoftheboardfrombeingchairofeithertheriskorauditcommittee; TheseparationoftherolesoftheCEOandchairoftheboard;and InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    41. P age |41 (iii)Limitedtenureonacommittee. Periodicreviewsoftheperformanceoftheboardandriskcommitteeareacommonpractice. Reviewsareconductedbytheboardnominationorgovernancecommitteesorbytheentireboard. Insomecases,externalpartiesmaybeemployed.Suchreviewsmayincludeanassessmentoftrainingandskillsneededontheboard. Insomefirms,theboardconsidersthefunctioningofitsoverallcommitteestructure,includingthenumberandtypesofcommitteesandthehighestandbestuseofboardmembers’expertise. Theyalsoevaluatethereportingbythecommitteestothefullboard. Theboardandriskcommitteeareabletoreceiveinformation,bothformallyandinformally,directlyfromtheCROortheriskmanagementfunction. ItisbecomingacommonpracticefortheCROtoreportinformationdirectlytotheboard;theriskreportsareusuallystandardisedintermsof formality,frequencyandcontent. Boththeoverallrisklevelofthefirmandinformationforeachrisktypeareincludedinthereportingtemplate(e.g.,aheatmapofidentifiedriskcategoriesacrossregions,globalbusiness,andareportwiththetopandemergingrisksfacedbythefirm). Somefirmsexplicitlydefineanddocumenttheinformationthattheboardandriskcommitteeshallreceive,settheagendaatthebeginningoftheyear,andcirculatetomembersinadvanceofmeetingstherelevantmaterialtosupporttheagendaitem. Somefirmsrequireinternalaudit,orathirdparty,toverifytheaccuracy,comprehensivenessandcompletenessofinformationprovidedtotheboardandriskcommittee. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    42. P age |42 Otherfirmssatisfythemselvesthroughdiscussionswithmanagementorconductself-assessmentsoftheeffectivenessoftheinformationprovidedtotheboard. 2.Theriskmanagementfunction Sincethefinancialcrisis,manyfirmshaveimprovedriskmanagement.Someofthemostobviouschangesrelatetothegovernanceprocesses aroundtheriskmanagementfunction;therealsohavebeenmajorchangesinhowrisksareanalysedandcommunicatedandtheassociated toolsthatareutilised. 2.1Governanceoftheriskmanagementfunction Sincethefinancialcrisis,manyfirmshavestrengthenedhowtheirriskmanagementfunctionsarestructured,resourced,compensated,whothefunctionisaccountabletoaswellasitsoverallmandate. Inmanyways,thesechangesarebringingthegovernancearrangementsfortheriskmanagementfunctionuptothestandardthathastypicallyappliedtotheinternalauditfunctionforseveralyears. Firmsarethereforeencouragedtoatleastconsiderthevalidityofanyremainingdifferencesingovernanceprocessesthatsurroundthetwofunctions. Oneofthemostcommonimprovementsmadebyfirmsoverthepastfiveyearshasbeentoconsolidateandraisetheprofileoftheriskmanagementfunctionthroughtheestablishmentofagroup-wideCRO. TheCROandtheriskmanagementfunctiongenerallyhavebeengivenmorestature,authorityandindependencecomparedtothepre-crisisperiod. AlmostallfirmsreportedthattheynowhaveaCROwithfirm-wide responsibilityforriskmanagementwhooperatesindependently. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    43. P age |43 AssessmentoftheCRO’sstature,authorityandindependenceincludestheprocessforappointment,dismissalandperformanceevaluationoftheCROaswellasthestaffingrequirementsoftheriskmanagementfunctionmoregenerally. Onlyafewfirmsnotedthatthechairoftheriskcommitteeisinvolvedin theperformanceassessmentoftheCRO. Further,onlyafewfirmslinktheadequacyandqualificationsoftheriskmanagementstafftoanannualprocessthattakesintoconsiderationthestrategyofthefirmgoingforward. MostfirmsnotedthattheCROhasadirectreportinglinetotheCEO(versusanotherbusinessunit)whichrepresentsamajorimprovementsincethecrisis. However,therearestillexamplescitedatasmallnumberoffirmswheretheCROdoesnothaveadirectreportinglinetotheCEO. AfewfirmsrequiretheCROtohaveadirectreportinglinetotheboard,whichhelpstoboostthestatureoftheCRO. AlargenumberoffirmsalsonotedthattheirCROisableto“access”theboard,generallythroughtheriskcommittee,butitisunclearhowthisisdoneinpractice. AlmostallfirmsoperatewithaCROwhoisseparatefromrevenue-generatingresponsibilitiesorotherexecutivefunctions(thatis, “dual-hatting”oftheCRO’sresponsibilitiesisavoided).SuchastructureisessentialfortheCRO’sindependence. Thisseparationofresponsibilitieshasbeenreinforcedbymanyfirms re-structuringtheirriskmanagementfunctionsunderagroup-wideCRO,withregionalorbusinesslineCROshavingadirectreportinglinetothe groupCRO,ratherthantotheregionalorbusinesslineheadsashadoccurredinthepast. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    44. P age |44 • Topreservetheindependenceintendedfromsuchstructures, • ‘dual-hatting’ofresponsibilitiesshouldalsobeavoidedforthoseseniorpositionsintheriskmanagementfunctionthatreporttothegroupCRO, • particularlyatgloballyactive,complexfirms. • Atsomefirms,theCROreportstotheCFOor,inafewexceptionalcases,onepersonassumestheresponsibilitiesofboththeCROandCFO. • Inaddition,thereareinstancesatsomefirmswheretheCROisassignedotherfunctional,albeitnon-revenuegenerating,responsibilities. • Wherethisrelatestotheoversightoffunctionssuchascomplianceandanti-moneylaundering,theconcernismoreabouttheriskof • over-burdeningtheCRO,particularlyinmorecomplex,global • institutions,thanthepotentialforconflictofinterestperse. • Indeed,muchprogresshasbeenmadetowardelevatingthestatureandindependenceoftheCRO. • WhiletheroleoftheCROhasbroadenedandincludesinvolvementinanumberofkeyprocessesandinternalcommitteesthatrequireinputsfromtheriskmanagementfunction,otherimportantprocesseswarrantgreaterparticipationoftheCRO,suchas: • Mergersandacquisitions.Whiletheanalysisofaproposedmergeroracquisitionwouldbesubmittedtotheboardoracommitteeforapproval,theCROgenerallytakespartintheprocessasamemberofthecommittee. • OnlyafewfirmsrequiretheCROtoprepareaformalriskopiniononplannedmergersandacquisitions. • Strategicplanningprocess.Traditionally,theCROisresponsibleforthe oversightoftheexistingriskprofileofthefirmandofthoserisksbeingtakenonaday-to-daybasisasaresultofpreviousbusinessdecisions. • However,asindicatedabove,theCROshouldalsobecomeincreasinglyinvolved,inamoreproactivemanner,intheactivitiesandplansthatdeal InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    45. P age |45 • withprospectivebusinessrisk,includingthoseriskswhichmayarisefromtheexecutionofthefirm’sstrategicbusinessplan. • TheCROshouldbeinvolvedinthisprocess,fromariskperspective,byinteractingwithseniormanagementandtheboard,understandingstrategicbusinessplans,andformallyopiningontheprospectiveriskprofileandwhetherornotthefirmhasthenecessaryresourcesandsystemstoaccommodatetheresultingexposures. • Ifsuchresourcesarenotavailable,thenspaceinthestrategicplanshould becreatedtoensureproperriskcontrols. • Treasuryfunction.SomefirmshaveclearlydefinedtherolesandresponsibilitiesoftheCROregardingoversightofafirm’streasuryfunction. • However,thereisarangeofpracticesurroundingtheorganisationalrelationshipbetweenthesetwofunctions: • TheindependentliquidityriskcontrolfunctionhasresponsibilityforthemanagementandcontrolofliquidityriskandthatfunctionreportsdirectlytotheCRO; • TheCROparticipatesasavotingmemberoftherelevantmanagementcommittee(typicallytheassetandliabilitymanagementcommittee),withnospecificrolefortheCROdefined;or • TheCFOaloneisresponsibleforthetreasuryfunctionwithoutany oversightfromtheCROintheriskmanagementprocess. • 2.2Riskmanagementtools • Twokeyadditionstoriskmanagementtoolshavebeen(i)thedevelopmentofRAFsand(ii)morerobustandseverestresstestingpractices. • Relatedtothis,andgiventheunderestimationofreputationalrisk pre-crisis,therenowismuchgreaterfocuswithinmanyfirmsonbusiness InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    46. P age |46 • conductandthesuitabilityofproducts,e.g.,thetypeofproductssoldandtowhomtheyaresold. • TheRAFisanincreasinglyimportanttoolincentralisingthefocusonthefirm’sriskprofileandprovidingamoreintegratedpictureofthefirm’srisks. • Firmsindicatedagooddegreeofunderstandingthekeyelements,objectivesandusesofRAFswhicharegenerallyinlinewithrecentstudiessuchasthe2010SSGreportondevelopmentsinriskappetiteframeworksandITinfrastructure. • Keyfeaturesofariskappetiteframework(RAF) • RAFshelpdrivestrategicdecisionsandright-sizeafirm’sriskprofile. • RAFsestablishanexplicit,forward-lookingviewofafirm’sdesiredriskprofileinavarietyofscenariosandsetoutaprocessforachievingthatriskprofile. • RAFsincludeariskappetitestatementthatestablishesboundariesforthedesiredbusinessfocusandarticulatetheboard’sdesiredapproachtoavarietyofbusinesses,riskareas,andinsomecases,producttypes. • ThemoredevelopedRAFsareflexibleandresponsivetoenvironmentalchanges;however,riskappetiteisdefinitiveandconsistentenoughtocontainstrategicdrift. • RAFssetexpectationsforbusinesslinestrategyreviewsandfacilitateregulardiscussionsabouthowtomanageunexpectedeconomicormarketeventsinparticulargeographiesorproducts. • Discussionswithfirms,however,revealthatthereissignificantvariationintheperceptionofhowmuchfirmshaveprogressedinthedevelopment,comprehensivenessandimplementationoftheirRAFs. • Oneofthekeychallengesisdifferentinterpretationsofessentialelements,includingriskappetite,risklimits,andriskcapacity. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    47. P age |47 • SomefirmswereabletoreportsignificantprogressandhavehadanRAFforseveralyears(insomecasessincebeforethecrisis). • Thesefirms’RAFswerelinkedtothefirm’sstrategyandintegratedwithmostotherrelevantinternalprocessessuchasbudgeting,compensation plans,mergersandacquisitionevaluations,newproductapproval,andstresstesting. • ThesefirmswereabletoreportthattheunderstandingoftheRAFwaswidespreadbothacrossfunctionallinesandwithinmultiplelayersoftheirfirm. • TheywerealsoabletoidentifyclearexamplesofhowtheyhadusedtheirRAFinstrategicdecision-makingprocesses,suchasdecisionstoactivelyreducethecomplexityoftheiroperations. • Thatsaid,evenatthesefirms,itwasrecognisedthatoperationalisingan effectiveRAFisacontinualjourneythatneedstoevolvewithchangesin internalprocessesandtheexternalenvironment. • AnumberoffirmsreportedthattheirimplementationofanRAFwasmorerecentandwhileithadbeenlinkedtothefirm’sstrategyandintegratedwithsomeofthekeyinternalprocesses,furtherworkisenvisaged,suchas:linkingtheRAFwithalltherelevantinternalprocesses;ensuringthatqualitativeaswellasquantitativemetricsareappropriatelyincluded;andsomewhatrelatedly,broadeningtheRAFtocoverthosehardertoquantifyrisks,suchasoperational,complianceandreputationrisks. • Forotherfirms,theirRAFsareatanearlystageofdevelopment. • Whiletheymayhaveahigh-levelframeworkinplace,numerousgapsexist. • Forexample,thecoveragemaynotextendtoallrelevantsubsidiariesin theframeworkbecausetheriskappetiteisnotclearlyarticulatedatthebusinesslevelnorintegratedwithalltherelevantinternalprocesses. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    48. P age |48 Further,someRAFsarelessdevelopedintermsofincludingallthematerialrisksthefirmfaces,particularlyreputationalandoperationalrisks. AllfirmssurveyedconsideredrisklimitstobethevehicleforoperationalisingtheRAFatthebusinesslinelevel. Thecommunicationandescalationprocessforanybreachesseemedtobeverysimilaracrossthefirmssurveyed:theriskmanagementfunctionwasresponsibleformonitoringrisklimits,metrics,andbreaches,andescalatinganyconcerns;businessunitshavetoexplainbreachestotheriskmanagementcommitteeorboarddependingonthenatureandsizeoftheexposure;theauthorisationofexceptionswasdefinedtop-down;andactionplanswererequired. However,thereweredifferencesbetweenfirmsintheirapproachestodeparturesfromtheRAF:somefirmsgrantflexibilityforabusinesslinetodepartfromtheRAFiftheglobalriskappetitewasnotbreached,whereasothersgivenoflexibilityforindividualbusinesslinestodeviatefromtheirbusinesslinerisklimits. Embeddingthefirm’sagreedRASintothefirm’sriskcultureremainsachallengebutseveralapproacheshavebeentakenbyfirms. Anumberoffirmshavedevelopedtrainingprogramsandmanuals(withonefirmrequiringrelevantemployeestocertifyeveryyearthattheyhaveattendedthetrainingprogramandreadthemanual),butonlyafewfirmsreportedthattheyhavelinkedcoreriskobjectivestostaffperformancemanagementprocesses. Discussionswithfirmsrevealedthatakeytocreatingincentivesforabetterriskcultureinfirmsistolinkriskobjectiveswitheithercompensationorcareeradvancementprospects. Stresstestinghasbecomeacommontoolforfirms. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    49. P age |49 Thegovernancearoundgroup-widestresstestingtypicallyinvolvesfirmsdevelopingtheirownhistoricalandhypotheticalscenarios,though nationalauthoritiescanalsosetscenarios. TheCROandriskmanagementfunctiongenerallyhaveacentralrole, actingastheowneroftheprocessorparticipatinginthecommitteeleadingtheeffort. Thetestingisconductedatleastannually,andinmanycasesonaquarterlybasis. Stresstestsresultsareusuallypresentedtotheriskcommitteeandsometimestothenationalsupervisor. TheseprocessesappeartobefurthestdevelopedinAEs,andsomealsoperformreversestresstestingandcounterpartystresstesting. Incontrast,somefirmsinEMDEshavenotperformedstresstestingonanintegratedbasisorarestillintheprocessofimplementingtheirstresstestingprocesses. Mostfirmsusethestresstestingresultsfortheirbudgeting,RAFandICAAPprocessesandtosetcontingencyplansagainststressedconditions. 3.Independentassessmentoffirms’riskgovernanceframework 3.1Internalaudit Firmsprimarilyrelyontheirinternalauditfunctionstoindependentlyassesstheirriskgovernanceframeworks. Inalmostallcases,internalauditassessestheframeworkthroughaseriesofindividualassuranceaudits,combinedwithsomeproject-specificandotherongoingauditwork. InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com

    50. P age |50 • Afewinternalauditfunctionsdemonstratethebetterpracticeofprovidinganoverallopinionoftheriskgovernanceframeworkonan annualbasis. • Inlinewithexpectationsestablishedbynationalauthorities,allofthefirms’internalauditfunctionsareorganisationallyseparatefrombusinesslinesandhaveunfetteredaccesstotheboard. • Almosteveryfirmreportedthattheyhavemadechangestostrengthentheirinternalauditfunctionssince2008. • Majorchangesinclude:appointingaCAE;establishingmoreattractivecompensationplansandcareerpathsforinternalauditors;increasingboththenumberandskillsofinternalauditstaff;expandinginternalaudit’srole/responsibilities,includingparticipatingasanobserveratriskmanagementcommitteesanddecision-makingprocesses;andenhancingbusinessmonitoring. • Internalaudit’sroleandresponsibilitiesareprimarilyestablishedviaanauditcharter,withauditmanualsdetailingproceduresforplanning,executing,andreportingaudit’swork. • Atallsurveyedfirms,internalauditisresponsibleforassessingriskmanagementorriskgovernanceprocessesaswellasinternalcontrols. • Whilenationalauthorities’expectationsvary,mostinternalauditfunctionsalsoassess: • Theappropriatenessofassumptionsusedinscenarioanalysisandstresstesting, • Thedegreetowhichthefirm’sriskgovernanceiskeepingpacewithindustrytrendsandalignswithbestpractices, • Thequalityandadequacyofresourceswithintheriskmanagementfunction, InternationalAssociationofRiskandComplianceProfessionals(IARCP) www.risk-compliance-association.com