Key Course Aims
• How does risk management add value to
financial institutions?
• How can risk management theories support
practice within financial institutions?
• What does effective risk management look like
and how can we analyse this?
Session Aims
• Introduce the course and your Course Leader
• Review key resources on the Canvas site,
including assignment information
• Provide some foundation materials to help
you understand more advanced sessions
WHAT IS RISK AND IS IT ALWAYS A THREAT TO FINANCIAL INSTITUTIONS?
What is Risk?
Definitions of Risk
• Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative (IRM)
Exercise
• What services do financial institutions provide?
• What are the risks associated with these services?
• Which of these are speculative risks?
What Is Risk Management?
• Risk management is the process by which
individuals and organisations balance risk and
opportunity
• Risk management can be used to both:
– Improve our understanding of the risks that we face
– Manipulate our exposure to risk (up or down)
• All individuals and organisations practice risk
management in some form or another, whether
consciously or not!
Risk Management Defined
• Process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure (IRM)
[Figure: risk management cycle: Assess Exposure, Monitor Level of Exposure]
Risk Management Essentials
Formal and Informal: Effective risk management is about people (behaviours and engagement), as well as processes and tools.
Adaptive: There is no best approach. You must tailor your risk management response and continuously improve.
Risks: Risk management looks to maximise opportunities and minimise threats. Essential to understand risk appetite.
Conclusion
• There are many different types of financial
institution taking a wide range of risks to
generate returns
• These risks are not easy to manage!
• And the value of this risk management is not
always clear
• As we shall learn next!
RISK APPETITE
What is the Optimum Level of Risk for Financial Institutions?
Overview
• What is risk appetite?
• Academic research into risk appetite
• Expressing appetite in an effective way
• Other elements of an effective risk appetite framework
Exercise
Speculative Risk
• Identify one speculative risk that can impact on a bank
• When should a bank take this risk?
• Should there be a limit to this risk taking?
Pure Risk
• Identify one pure risk that can impact on a bank
• Is it practical to eliminate this risk?
• If not, why not?
Definitions of Risk Appetite
Willingness to take risk: the risk you take to generate a return
Acceptability of risk: the return you require for risk taking
Risk is necessary to generate a return
Risk Appetite: When Life is Simple!
The security market frontier (the CAPM security market line): the risk (beta) for a given expected return, or the minimum return for a given risk. The risk-return trade off is constant (a straight line), and there is no maximum risk.
Risk Appetite: Risk/Return Frontier
A non-linear risk appetite frontier: the maximum risk for a given expected return where the risk-return trade off gets more demanding.
[Figure: expected return plotted against risk, with the minimum required return marked]
Which Project is Outside of Appetite?
[Figure: Projects A, B and C plotted by expected return against risk]
Expressing and Reporting Appetite
Source: M Leitch (2010) Making sense of risk appetite, tolerance, and acceptance (revised), http://workinginuncertainty.co.uk/appetite.shtml
[Figure: commercial organisations (economic capital, share price), where risk is easy to quantify, versus non-commercial organisations, where risk is hard to quantify]
Quantitative vs Qualitative
Comparative Advantage of Numbers
• Appetite formulated using objective measures of risk
• Clarity regarding whether you are in/outside your appetite for risk
• Can express appetite using established management methods (RAG limits, ROI, VaR, etc)
• Easy to integrate into risk based capital framework
Comparative Advantage of Words
• Appetite formulated using narrative statements
• Not all risks can be measured
• Easier to understand – at all levels
• Allows you to express absolutes (e.g. zero tolerance) where appropriate
• May be able to align to strategic vision and values
Weighing Up the Pros and Cons
“A firm’s risk appetite will contain both qualitative and quantitative
elements…… Clearly defined qualitative elements should help the
Board and senior management assess the firm’s current risk level
relative to risk appetite as adopted.” (Institute of International
Finance, Report into the Financial Crisis, 2008)
Exercise
Having designed an effective risk appetite approach, how should it be implemented?
Implementing Risk Appetite
Conclusions
• Risk appetite is a relatively easy concept to articulate, but designing an effective risk appetite framework for all types of risk is hard
• Ultimately the diversity of opinion that remains in relation to some issues (e.g. willingness vs acceptability), coupled with the relative immaturity of the concept, means that it is difficult to be clear on good practice
• There are no easy answers when it comes to risk appetite, but there is academic and practitioner work that can help identify good practice
Recommended Resources
CRO Forum (2013) Establishing and Embedding Risk Appetite: Practitioner's View, Chief Risk Officer's Forum, Amsterdam, https://www.thecroforum.org/2013/12/20/establishing-and-embedding-risk-appetite-practitioners-view-2/
Session 3: Governance
Where Risk Management fits with
Corporate Governance and
Compliance (Internal Control)
Session Outline
• The role of corporate governance and internal
control
• Three lines of defence approach – does it
work?
• What about risk management? Does
corporate governance help or hinder effective
risk management?
www.accountingtools.com/articles/internal-control.html
www.cgi.org.uk/about-us/policy/what-is-corporate-governance
What is Governance?
What is Internal Control?
The Basic Principal-Agent Problem
Underlying Theory: Moral Hazard
• Moral hazard arises where one party to a contract exploits their access to privileged information to produce outcomes that, while beneficial to them, are not beneficial to their counterparty.
• A commonly cited example of this is employee 'shirking', whereby an employee attempts to provide less work than the principal has paid for.
• Similarly a firm's executives may seek to acquire 'managerial perquisites' at the expense of its owners.
• But these examples are not the key risk management problem. The key risk management problem is different risk preferences between principal and agent.
• Note that agency theory is effectively a special case of moral hazard. Agency theory is also referred to as the 'principal-agent problem'. This relates to the difficulties that arise under conditions of incomplete and asymmetric information when a principal hires an agent that does not have the same goals as them.
• For a good discussion on agency theory see: K Eisenhardt (1989) "Agency theory: An Assessment and Review", Academy of Management Review, 14 (1), 57-74
Exercise
• Identify a recent bank (or other financial institution) scandal that was the result of a failure in governance or internal control
• Why did this scandal occur?
• Could it have been prevented?
Recent Case Study
www.bloomberg.com/news/articles/2022-07-12/trading-scandal-roils-a-31-billion-indian-mutual-fund-giant
Developing Effective Frameworks
Corporate Governance
• An effective board that makes decisions in the 'company interest' and ensures that the interests of the 'owners' (and other stakeholders) are met.
• Sufficient independent directors (non executives) who are able to challenge decisions. Should include a separate Chairperson.
• Comprehensive and accurate reporting (disclosure), plus dialogue (AGM, etc.).
• Effective internal control….
Internal Control
• Clear, communicated and enforced policies and procedures.
• Appropriate risk culture
• Regular review of controls and their effectiveness.
• Risk and audit committees.
• 3 Lines of Defence(?).
Three Lines of Defence
[Figure: the three lines, their responsibilities and risk oversight]
Check out:
www.pwc.com/en_GX/gx/insurance/pdf/three_lines_of_defence.pdf
https://global.theiia.org/about/about-internal-auditing/Pages/Three-Lines-Model.aspx
Relationship with Risk Management?
• Risk management offers many tools to support
effective corporate governance, internal control
and compliance.
• Weak governance, internal control and
compliance may expose a financial institution to
many different types of risk (e.g. people risk,
market risk, regulatory risk, etc.).
• But don’t think that risk management is all about
governance and control. Remember that it is a
strategic tool.
Governance, Risk and Compliance
https://www.oceg.org/about/what-is-grc/
https://www.g2.com/categories/grc-platforms
Integrating Risk, Governance and Internal Control
[Figure: Board; Risk and Audit Committees; Risk Framework]
Exercise
• How might risk management be strengthened by a close relationship with governance and internal control?
• How might risk management be weakened by these relationships?
Conclusions
• Good corporate governance and internal control
are seen by many as essential components of any
firm, especially financial institutions.
• History shows that poorly governed and controlled
financial institutions face many potential risks.
• But it is essential to get the balance right. Too
much governance and internal control can stifle
profitable risk taking and creative/entrepreneurial
thinking. Hence a balance must be achieved.
Resources
A Bhimani (2009) "Risk management, corporate governance and management accounting: emerging interdependencies" Management Accounting Research, Vol 20, No 1, pp 2-5
S Lundqvist (2015) "Why firms implement risk governance: stepping beyond traditional risk management to enterprise risk management" Journal of Accounting and Public Policy, Vol 34, pp 441-446
www.law.ox.ac.uk/business-law-blog/blog/2021/08/handbook-corporate-governance-india
www.legalserviceindia.com/legal/article-7435-corporate-governance-in-india.html
Session 4
Risk Models: Strengths
and Weaknesses
Overview
• The purpose of quantitative risk
models
• A quick look at some popular
modelling approaches
• The limitations of models
• Common examples of mis-use
• Conclusions
[Figure: risk management cycle: Identify Risks, Assess Exposure, Control Exposure, Monitor Level of Exposure]
The Purpose of Risk Models
Exercise
• Discuss the benefits associated with using risk models in a financial
institution
• For which risks could models be used?
What can you Model?
The Essentials of Modelling in FS
Source: http://www.fdic.gov/bank/analytical/fyi/2003/121003fyi.html
Risk Quantification Tools
Modelling Tools: Value at Risk
Value-at-Risk (VaR) is the loss level (loss of value) that will not be exceeded over a given time horizon at a specified level of confidence. Equivalently, the probability that the loss over the horizon exceeds the VaR is one minus the confidence level (1% for a 99% VaR).
VaR Example
• What do these mean:
– VaR of £10m at the 99% level
– VaR of £100m at the 99.9% level
• VaR shows us the maximum probable loss at the chosen confidence level, but nothing about how large the loss can be once that level is exceeded. Can we estimate the maximum possible loss?
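Worked example (added here; not code from the slides or from any bank's model): historical-simulation VaR on a constructed 20-day P&L series. It reads the 95% and 99% VaR off the empirical loss distribution, shows the expected shortfall beyond VaR (the gap between "maximum probable loss" and what the bad days actually cost), backtests the VaR against the same series, and counts how many observations sit beyond the quantile, which is what makes a 99.9% VaR from a short history an extrapolation rather than a measurement. The P&L figures and the 250-day check are constructed inputs.

```python
"""Historical-simulation VaR on a constructed daily P&L series.

Added worked example; not code from the lecture slides or from any
bank. P&L is in GBP millions, positive = gain. All data constructed.
"""
import math

# Constructed sample: 20 trading days of desk P&L (GBP m). Not real data.
PNL = [1.2, -0.8, 0.5, 2.1, -1.4, 0.3, -0.2, 1.7, -3.6, 0.9,
       -0.5, 1.1, -2.2, 0.4, -0.9, 2.5, -6.8, 0.7, -1.0, 1.5]


def _quantile_index(n, confidence):
    """0-based index of the loss at the requested quantile, rounded up so
    the estimate errs on the conservative side. round() strips float
    noise such as 0.9 * 20 == 18.000000000000004 before ceil()."""
    return min(n - 1, math.ceil(round(confidence * n, 9)) - 1)


def historical_var(pnl, confidence):
    """VaR as a positive loss: the loss that is not exceeded with
    probability `confidence`, read straight off the empirical
    distribution (no normality assumption)."""
    losses = sorted(-x for x in pnl)  # ascending, losses positive
    return losses[_quantile_index(len(losses), confidence)]


def expected_shortfall(pnl, confidence):
    """Mean loss on the days at or beyond VaR. VaR is a threshold, not
    the size of the loss once the threshold is crossed."""
    var = historical_var(pnl, confidence)
    tail = [-x for x in pnl if -x >= var]
    return sum(tail) / len(tail)


def breaches(pnl, var):
    """Backtest: number of days whose loss exceeded VaR. For n days at
    confidence c you expect roughly (1 - c) * n breaches."""
    return sum(1 for x in pnl if -x > var)


def tail_observations(n, confidence):
    """How many observations lie beyond the VaR quantile. Zero means the
    'VaR' is simply the worst day seen: a 99.9% VaR from 250 daily
    observations rests on no tail data at all."""
    return n - math.ceil(round(confidence * n, 9))


if __name__ == "__main__":
    for c in (0.95, 0.99):
        v = historical_var(PNL, c)
        print(f"{c:.0%} VaR = {v:.1f}m, ES = {expected_shortfall(PNL, c):.1f}m, "
              f"breaches = {breaches(PNL, v)}")
    print("tail obs, 250 days @99%:  ", tail_observations(250, 0.99))
    print("tail obs, 250 days @99.9%:", tail_observations(250, 0.999))
```

The sample has two large loss days, so the 95% VaR (3.6m) and the expected shortfall beyond it (5.2m) differ materially; with one year of daily data there are two observations beyond the 99% quantile and none beyond the 99.9% quantile, which is the "very short historical data periods" misuse in concrete form.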
Modelling Tools: Internal Ratings
• Commonly used to estimate the default
probabilities of debtors (e.g. mortgage
customers)
• A debtor’s probability of default is often
estimated using a credit scorecard. Scorecards
are used both at the point of application and
for the ongoing rating of ‘mature’ debtors
(behavioural)
• One famous example of a credit scorecard is
the Altman Z score (Altman 1968)
Altman’s Z Score
Z=1.2C+1.4E+3.3EBIT+0.6ME+0.999S
A A A BL A
Where:
C = Working Capital
A = Total Assets
EBIT = Earnings Before Interest and Taxes
ME = Market Value of Equity
BL = Book Value of Liabilities
S = Sales
20
How Can Models Be Mis-used?
• Heavy reliance on historical data (link to Black
Swan Theory)
• Very short historical data periods
• Overly optimistic or simplistic assumptions
(e.g. asset liquidity or normal distribution)
• Ignoring risks that cannot be modelled easily
• Not updating model design often enough
• Applying them to an inappropriate
risk/context
Source: http://www.ft.com/cms/s/0/d90bf12c-dc40-11d9-819f-00000e2511c8.html#axzz2DWfn9u1t
"For reasons that are still unclear, shares began to move in ways that were the opposite of those predicted by computer models. .. At the beginning of last week, the GEO fund was down to a few percentage points from the beginning of the year. By Friday it had lost more than 30 per cent of its value… "We were seeing things that were 25-standard deviation moves, several days in a row," said David Viniar, Goldman's chief financial officer. "There have been issues in some of the other quantitative spaces. But nothing like what we saw last week.""
"What we have to look at more closely is the phenomenon of the crowded trade overwhelming market fundamentals," he said. "It makes you reassess how big the extreme moves can be."
Source: http://www.ft.com/cms/s/0/d2121cb6-49cb-11dc-9ffe-0000779fd2ac.html#axzz2DWfn9u1t
Exercise: The London Whale
• How did the mis-use of risk models contribute to the London Whale scandal?
www.bloombergview.com/quicktake/the-london-whale
https://elischolar.library.yale.edu/cgi/viewcontent.cgi?article=1016&context=journal-of-financial-crises
Reflection
• Rank these risks in order of the ease with which they can be modelled: operational risk, credit risk and market risk
• Will this be the same for all banks?
• What are the key requirements for effective risk modelling?
• What tools can be used to enhance risk modelling?
What Banks Say About Risk Models
• Look in Annual Report and Pillar 3
• Confirm that they use risk models for your
chosen area of risk
• See which models they use (probably VaR)
• Check their ‘model validation’ approach and
any discussion on ‘model risk’
• How do they overcome any model
weaknesses? Look especially for tools like
scenario analysis and stress testing
Example Information
[Figure: extract from a bank's risk disclosures showing scenario and stress testing used to complement VaR]
Pillar Three Document?
Conclusions
• Almost all financial institutions make use of
risk models
• This is to be expected as models are extremely
valuable tools
• However they are only one tool in the box
“If formal models of markets have
displaced human intelligence, one
reason might be that they appear more
scientific than they are.”
Risk Management
Reporting
How to Understand the Risk Management Reports of Banks and other
Financial Institutions
Why do financial institutions produce
such large risk reports?
Would financial institutions do this voluntarily?
[Figure: asymmetric payoffs, loss versus gain]
A Nexus of Unequal Contracts
[Figure: the organisation at the centre of a nexus of contracts with its internal environment (Directors, Employees, Owners/Shareholders) and its external environment (Regulators, Creditors, Suppliers, Rating Agencies, Customers, General Public)]
The Basel III Accord
International Standards for the Regulation and Supervision of Financial Institutions
The Three Pillars
Pillar 1, Minimum Capital: minimum capital requirements
Pillar 2, Supervisory Review: own risk assessment
Pillar 3, Disclosure: Annual Report
www.bankofengland.co.uk/-/media/boe/files/ccbs/resources/modelling-credit-risk.pdf
Credit Risk Scorecards
• Commonly used to estimate the default probabilities of obligors and the loss given default
• An obligor's probability of default is often estimated using a credit scorecard. Scorecards are used both at the point of application and for the ongoing rating of 'mature' obligors (these are called behavioural scorecards)
www.dnb.co.uk/content/dam/english/business-trends/business-credit-scorecard-ebook-uk.pdf
Exercise: Credit Scorecards
What are the advantages and limitations of using credit scorecards?
Credit Modelling
Evidence from Banks
Strategies (Finance): Treat, Transfer, Tolerate, Terminate
Treating Credit Risk
How?
Credit Risk Transfer
Securitisation
Exercise: What are the risks associated
with the securitisation of credit risk?
[Figure: sources of financial risk. Credit Risk: Counterparty/Transaction Risk, Issue Risk, Issuer Risk, Portfolio concentration. Liquidity Risk: Funding Risk, Asset Risk. Commodity Price Risk]
Current Sources of Risk
Assessing Market Risk
What are the main
options?
Value at Risk
www.cfainstitute.org/en/membership/professional-development/refresher-readings/measuring-managing-market-risk
Banks Talking About VaR
Another Bank
www.bankofengland.co.uk/stress-testing
https://rbidocs.rbi.org.in/rdocs/content/pdfs/FC021212ST_1.pdf
Source: http://www.actuaries.org/CTTEES_SOLV/Documents/StressTestingPaper.pdf
Comparing Scenario and Stress
Stress Testing
• Usually involves adjusting one parameter at a time
• Idea is to see how gains/losses might change 'in extremis'
• Example Stress Tests: Oil +/-5%, Interest Rates +/-100 bps, Equities +/-10%, etc.
Scenario Analysis
• Usually involves looking at multiple parameters
• May be less extreme
• May be linked to a specific event (e.g. a new government or pandemic)
• May involve an element of judgement
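Worked example (added here; not code from the slides or from any bank): a constructed three-factor book put through a single-factor stress run (each parameter shocked by the slide's sizes, in both directions, one at a time) and then through a multi-factor event scenario. The equity line carries a negative gamma, so moving the factors together produces a loss far beyond the sum of the individual stresses. The book, its sensitivities, the shock sizes and the "pandemic" scenario are all assumptions for illustration.

```python
"""Single-factor stress tests versus a multi-factor scenario.

Added worked example; not code from the slides or from any bank. The
book, sensitivities, shock sizes and scenario are constructed. Factor
units: oil and equities in % moves, rates in basis points; P&L in GBP m.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sensitivity:
    delta: float        # P&L (GBP m) per unit move of the factor
    gamma: float = 0.0  # second-order P&L per unit move squared (0 = linear)


# Constructed book. The equity line is short gamma (e.g. sold options), so
# it loses on a large move in either direction beyond what delta predicts.
BOOK = {
    "oil_pct": Sensitivity(delta=0.4),
    "rates_bp": Sensitivity(delta=-0.05),
    "equity_pct": Sensitivity(delta=1.5, gamma=-0.2),
}

# Shock sizes from the slide: oil +/-5%, rates +/-100bp, equities +/-10%.
STRESS_SHOCKS = {"oil_pct": 5.0, "rates_bp": 100.0, "equity_pct": 10.0}

# Constructed multi-factor scenario: oil and equities collapse, rates cut.
PANDEMIC_SCENARIO = {"oil_pct": -30.0, "rates_bp": -150.0, "equity_pct": -35.0}


def factor_pnl(sens, move):
    """Second-order P&L approximation for one factor."""
    return sens.delta * move + 0.5 * sens.gamma * move * move


def stress_test(book, shocks):
    """One parameter at a time, both directions; report the worse
    direction for each factor as (move, pnl)."""
    out = {}
    for factor, size in shocks.items():
        by_move = {m: factor_pnl(book[factor], m) for m in (size, -size)}
        worst = min(by_move, key=by_move.get)
        out[factor] = (worst, by_move[worst])
    return out


def scenario_pnl(book, scenario):
    """All factors moved together, as in a named event scenario."""
    return sum(factor_pnl(book[f], m) for f, m in scenario.items())


def sum_of_worst_stresses(book, shocks):
    """Naive aggregation of the single-factor stresses. Compare with the
    scenario figure to see what the one-at-a-time view misses."""
    return sum(pnl for _, pnl in stress_test(book, shocks).values())


if __name__ == "__main__":
    for factor, (move, pnl) in stress_test(BOOK, STRESS_SHOCKS).items():
        print(f"stress {factor:11s} {move:+7.1f} -> {pnl:+7.1f}m")
    print(f"sum of worst stresses      -> {sum_of_worst_stresses(BOOK, STRESS_SHOCKS):+7.1f}m")
    print(f"pandemic scenario          -> {scenario_pnl(BOOK, PANDEMIC_SCENARIO):+7.1f}m")
```

On this book the worst single-factor stresses add up to a 32.0m loss while the joint scenario loses 179.5m; the difference is mostly the gamma term on equities, which only shows up once the move is large and which the symmetric +/-10% stress understates.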
Another Bank
Reverse Stress Testing
Begin with failure → Estimate magnitude of impact → Determine potential scenarios → Consider mitigations
www.icaew.com/technical/audit-and-assurance/professional-scepticism/stress-testing
Controlling Market Risk
Group Exercise: Identify as many market risk
control strategies as possible
Remember that the goal is to take market risk to
generate a positive return
But what is the right level of risk and how can a
bank maintain this?
Trading Risk: The 3 Offices
www.allaboutfinancecareers.co.uk/industry/investment-banking/front-office-middle-office-and-back-office-explained
Interest Rate Gap Management
https://corporatefinanceinstitute.com/resources/knowledge/finance/negative-gap/
Futures, Swaps and
Options?
Market Risk Capital: What is
the Optimum Amount?
• Regulatory requirements
• Market risk profile relative to risk appetite
• Effectiveness of market risk models
• Effectiveness of other market risk management tools
• More??
Evidence from Barclays
Coping well
with stress
Liquidity Risk
Banks borrow short And lend long
www.businesstoday.in/industry/banks/story/6-reasons-why-yes-bank-collapsed-251442-2020-03-05
Funding Gap
Duration: 0-3 Months / 3-6 Months
Asset (Loan 6m): 300 / 300
Liability (Deposit 3m): 300 / 0
Liquidity Gap: 0 / -300
What will this cost?
How do banks fund this gap?
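Worked example (added here; not code from the slides or from any bank): the funding gap table above expressed as a function over a maturity ladder, extended to a book with several positions and to the cost of plugging each shortfall at a wholesale rate. The bucket edges, the counting convention (an asset needs funding in every bucket that starts before it matures; a liability is only counted if it survives to the bucket's end, so a deposit maturing mid-bucket is assumed gone) and the rates are assumptions chosen to be conservative and to reproduce the slide's figures.

```python
"""Liquidity gap ladder: funded assets versus available liabilities per
maturity bucket, following the convention of the slide's table.

Added worked example; not code from the slides or from any bank. The
balance sheets and rates below are constructed (GBP m). Convention
(an assumption, chosen to be conservative): an asset needs funding in
every bucket that starts before it matures; a liability is available in
a bucket only if it survives to the bucket's end.
"""

BUCKETS = ((0, 3), (3, 6), (6, 12))  # (start, end) in months


def gap_ladder(assets, liabilities, buckets=BUCKETS):
    """assets / liabilities: iterables of (maturity_months, amount).
    Returns one row per bucket; gap < 0 is a funding shortfall."""
    rows = []
    for start, end in buckets:
        funded = sum(amt for m, amt in assets if m > start)
        available = sum(amt for m, amt in liabilities if m >= end)
        rows.append({"bucket": f"{start}-{end}m", "assets": funded,
                     "liabilities": available, "gap": available - funded})
    return rows


def funding_cost(rows, annual_rate_by_bucket, buckets=BUCKETS):
    """Cost of plugging each shortfall at the wholesale rate for that
    bucket, pro-rated for the bucket length: a first answer to 'what
    will this cost?'. Rates are a constructed input."""
    total = 0.0
    for row, (start, end) in zip(rows, buckets):
        shortfall = max(0.0, -row["gap"])
        total += shortfall * annual_rate_by_bucket[row["bucket"]] * (end - start) / 12
    return total


# The slide's balance sheet: one 6-month loan funded by one 3-month deposit.
SLIDE_ASSETS = [(6, 300.0)]
SLIDE_LIABILITIES = [(3, 300.0)]

# A slightly larger constructed book to show the ladder with several positions.
BOOK_ASSETS = [(6, 300.0), (12, 200.0)]
BOOK_LIABILITIES = [(3, 300.0), (12, 150.0)]

RATES = {"0-3m": 0.03, "3-6m": 0.04, "6-12m": 0.05}  # constructed annual rates


if __name__ == "__main__":
    for label, a, l in (("slide", SLIDE_ASSETS, SLIDE_LIABILITIES),
                        ("book", BOOK_ASSETS, BOOK_LIABILITIES)):
        rows = gap_ladder(a, l)
        for r in rows:
            print(f"{label:5s} {r['bucket']:6s} assets {r['assets']:6.0f} "
                  f"liabilities {r['liabilities']:6.0f} gap {r['gap']:+6.0f}")
        print(f"{label:5s} funding cost {funding_cost(rows, RATES):.3f}m")
```

For the slide's balance sheet the ladder reproduces the table (gap 0 in 0-3 months, -300 in 3-6 months) and, at an assumed 4% three-month wholesale rate, pricing the 300m shortfall for three months costs 3.0m; the larger book shows a shortfall in every bucket because the deposit leaves before either loan returns cash.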
Group Exercise
What sources of funds can financial institutions use to help manage a liquidity gap? Consider the availability, reliability and speed of funding
Conclusion
Market and liquidity risks must be taken to generate returns. But take too much and solvency is threatened
Beware over-reliance on mathematical models and be prepared for the unexpected!
Resources
P Jorion (2009) “Risk Management Lessons from the
Credit Crisis” European Financial Management, Vol 15,
No. 5, pp923–933 (good on limitations of VaR models)
Basel rules:
www.bis.org/bcbs/publ/d352.htm (capital
requirements)
www.bis.org/bcbs/publ/d521.htm (Covid and
market/liquidity risk)
Session 9: Operational Risk
Contents
• What is operational risk?
• Types of operational risk
• Anticipation
• Resilience
• Risk culture
Standard Definition
“Operational risk is defined as the risk of loss resulting
from inadequate or failed internal processes, people
and systems or from external events. This definition
includes legal risk, but excludes strategic and
reputational risk.”
See Basel (2006) “International Convergence of Capital
Measurement and Capital Standards: A Revised
Framework” Bank for International Settlements,
Paragraph 644.
Framework
[Figure: operational risk framework: Risk Governance, Infrastructure, Culture, Appetite/Tolerance, Risk Categorisation, Anticipation, Resilience]
Exercise: Use the above bow-tie template to complete the analysis of a scenario of your choice. Choose one of the Basel level 1 event types as the starting point for your work.
[Bow-tie template: causes on the left (People, Processes, External Events), outcomes on the right (Resources, Human, Reputation)]
Recommended Data Fields
Scenario: Describe the scenario (e.g. a fire, etc.)
Causes: These may be failures in people, processes and systems and/or external events
Outcomes: Financial, reputational and human effects
Management actions: What actions could management take to mitigate the effects of the scenario
Net Effects: Consider base case, best case and worst case (note that duration will be a factor here)
Prevention: Actions to prevent the scenario from occurring
Opportunities: Can management exploit the scenario?
Qualitative OR Management
Assessing Risk Culture
Source: www.ey.com/Publication/vwLUAssets/Risk_culture_-_How_can_you_create_a_sound_risk_culture/$FILE/EY-risk-culture-model-brochure.pdf
Risk Culture?
Case Study
www.thebalance.com/lehman-brothers-collapse-causes-impact-4842338
From Pillar 2
Risk Culture
Challenge: Describe the Orange Code
Managing Resilience
The World
is Changing
Exercise
Using the PESTLE factors identify potential sources of new operational risks
How easy is it to anticipate the causes and effects of these risks?
Can You Name this
Volcano?
What Distinguishes a
Transboundary
Crisis?
Common Features of
Transboundary Crises
• Crosses domains
• Rapid escalation
• High uncertainty
• No easy solutions
Three Phases of Resilience
www.apra.gov.au/covid-19-a-real-world-test-of-operational-resilience
Remember Formal and Informal
[Figure: Formal, before: Preparedness (e.g. scenarios and risk appetite); Formal, during/after: Responsiveness (communication, competency and coordination); Informal: Develop Situation Awareness, Leadership, (Risk) Culture]
Think the Unthinkable
Reverse Stress Testing
Begin with failure → Estimate magnitude of impact → Determine potential scenarios → Consider mitigations
https://www.hse.gov.uk/construction/lwit/assets/downloads/situational-awareness.pdf
Case Example
Discussion
What were the critical success
factors that helped HEB to adapt
to the COVID-19 pandemic?
www.texasmonthly.com/food/heb-prepared-coronavirus-pandemic/
Conclusions
• Operational risk is:
– Diverse
– Dynamic
– Dangerous
• But effective management is essential!
Recommended Resources
• Kaplan, R.S. and Mikes, A. (2016) “Risk
Management – The Revealing Hand” Journal
of Applied Corporate Finance, Vol. 28, No. 1,
pp.8-18
• Institute of Operational Risk: www.ior-institute.org/
• Information on scenario planning: www.planning.org/knowledgebase/scenarioplanning/
© Vlerick Business School
Case Study: Embedding Operational Risk Management
Read the case below and look for information on the tools that this bank uses to manage risk. Then
look for information on the risk culture of the organisation and the relationship that the risk
management team has with the wider business.
Once you have done this reflect on the questions below. We will discuss your thoughts during the
first day of the training course:
1. Reflect on the potential benefits and costs associated with this bank’s operational risk
management framework.
2. How did the culture of the organisation influence attitudes towards the new risk
management framework?
3. What could the risk function do to improve acceptance of the new risk management
framework?
To help manage these pains the organisation recently implemented a brand new
ERM framework and accompanying IT system.
The Organisation's Culture
The 'tone from the top' emphasises informal and relaxed human relations with an emphasis on being yourself, following the 'bring yourself to work' philosophy and evidenced by the fact that people wear casual clothes.
Most of the staff are in a single building. This helps to reinforce personal
relationships/communication and build trust. The strong personal relationships
and high levels of trust mean that decisions can be taken quickly. The new risk
approach, for example was designed and implemented in less than a year. But
might decisions be made too quickly?
The period of significant growth that the organisation is enjoying has influenced
its culture. Growth has helped to create an optimistic team spirit that reinforces
the feeling of trust between staff. In addition, staff are generally very customer
focused and want to do what is best for the customer and the wider
organisation: “I had ten years of a shrinking culture, where redundancies is all I
did. Spent all my time making people redundant and I found it at the start there
was a lot of fear in that… And what I found was when you were dealing with
people they tended to be very politically minded so there were, their reactions
or the decisions were based on, how can I protect myself and get what I want
out of this? ….Whereas I come in here and it’s completely different. It’s a
growth business, is the first thing and people genuinely want to do the right
thing for the customer and the right thing for the bank. You know I had to do a
double take in the first month in some of these meetings. I’d come away
thinking, really? I don’t have to fight and argue and shout and bang the desk. No,
no, because that’s the best for the customer and everyone recognises it. It’s
quite remarkable, almost like a family, family business type of feel about it”.
Risk Culture
High levels of trust mean that staff members tend to accept the word of others
and are reluctant to challenge. However, as the organisation grows its
management systems and associated operational processes and controls are
being put under pressure. There has been much change to accommodate this
pressure on processes and controls, this includes a new risk framework and
system.
The Board, CRO and risk function are working to improve the effectiveness of
the organisation’s risk controls both to prevent significant risks and to improve
the efficiency of operational processes. As part of this the risk function is
becoming more challenging, an approach that is encountering resistance from
staff, especially at more junior levels of management, who are not used to
challenge. There is a new emphasis on control testing and documentary
evidence, which some are uncomfortable with, as it is seen as doubting the word
of others. The tensions between maintaining trust and effective risk governance
were explained as follows: “I don’t have to fight and argue and shout and bang
the desk. No, no, because that’s the best for the customer and everyone
recognises it. It’s quite remarkable, almost like a family, family business type of
feel about it. Now there’s a downside to that as well because we are a bank and
we’re regulated and we have got to do things right. So you’ve got to have
governance in place and it’s got to be strict etc., etc. So you’ve got to balance
the two…”
Risk Governance
The organisation has 1st line risk specialists and a 2nd line risk function. 1st line specialists work to support business management in making risk and control
decisions and in conducting risk and control assessments. The 2nd line function
provides oversight and challenge. The 2nd line must sign off the new process
assessments and control testing for accuracy and completeness. These two lines,
along with internal audit in the 3rd line form a three lines of defence approach to
risk governance.
“I don’t think we’re traditionally doing oversight as you would describe it just
now. So, oversight to me would be if I think about our business in a mature
state, really understand what they do, how they do it and where the risks are
and the control system that they operate within”.
Risk Management Framework
A new risk framework and accompanying IT system were implemented in 2018:
1. The new framework relies on business managers mapping their own
organisational processes and identifying the points of failure (risks) within
these processes. The aim is to align the approach with what managers do –
business managers across the organisation are used to managing
operational processes.
2. Control assessments must be supported by rigorous control testing and
documentation of controls. The aim is to have more effective controls,
especially more preventive (probability reducing) controls with less reliance
on detective controls (which have no impact on probability).
3. Only key risks are required to be identified and documented and only key
controls must be tested and documented. Key risks are those that can have a
significant effect on the whole organisation, key controls are those most
relied upon to ensure the efficient operation of processes. Aim is to focus
attention on what matters most to save resource and improve the
effectiveness of risk management.
4. The new framework/system is designed to be automated as much as
possible (e.g. automated controls testing). But to achieve this high level of
automation significant upfront investment was required to ensure that
processes are mapped accurately, and control tests are robust.
Key Embedding Challenges
The implementation of the new risk management framework signals a step change in the formality of the organisation's risk management activities. The
(e.g., the automatic testing of controls). This will help to save staff time and
allow them to concentrate on growing the business while maintaining efficient
and safe processes. This automation goal and the other benefits of the new
approach and system were communicated by the CRO pre-launch. Some
divisions have bought into these benefits, others are less convinced (see risk
culture above).
One concern expressed about the new framework is the increased level of
formality (e.g., detailed process mapping and controls testing), which is not
consistent with the organisation's informal/high-trust culture and risk culture.
Other concerns include 1st line resource constraints and related change fatigue.
The implementation of the new risk framework is requiring significant levels of
resource. This includes time spent on training, learning how to use the new tools
and system, mapping processes, documenting key risks and controls and testing
key controls:
“There’s some who really throw themselves into it and will probably have much
better input, and there’s others who just, they got so many other things on. It’s
the prioritisation piece, and again we were just talking about that in terms of
audit committee in terms of these things. How do people prioritise? What is the
biggest pull? And if it’s something that doesn’t float your boat and you don’t see
the benefit of it, which a lot of first lines, who are not risk professionals, struggle
with sometimes.”
“And I still think there’s a challenge as to what it’s going to deliver. It’s better. I
think it’s going to be better, but it is taking a very long time…. I think the time
taken, with everything else at the bank’s got going on, is the big challenge.”
To help improve buy-in for the new risk assessment approach, system and
handbook there was extensive and multi-faceted consultation and
communication during the design and launch phases. Including: a competition to
name the new IT system; system demonstrations; face-to-face training;
webinars; drop-in support sessions and poster campaigns. This all helped to
reinforce the benefits of the new risk framework and system to business
managers. It also helped to train staff on how to use the new mix and system in
an effective manner. A very significant proportion of 2nd line risk function
resource has been devoted to these promotional activities.
The Role of the CRO and Risk Function
The CRO is an influential figure in the organisation. They have driven the new process risk and control assessment approach to risk management. Business managers are expected to meet with the CRO for "challenge sessions". These sessions focus on the evidence that they must provide to prove the effectiveness of their
key controls. These challenge sessions help to motivate business managers to
complete their risk and control assessments, they also reinforce the tone from
the top regarding the importance of risk management and control testing.
The 2nd line risk function has regular contact with the 1st line risk specialists,
business management and 3rd line internal audit. This contact occurs in formal
meetings (e.g., committees) and on a one-to-one or small group basis. Relations
are generally good and there is “open and honest debate” plus cross line
working helps to create synergies between the different skill sets and
responsibilities: “I think sometimes, it’s a genuine discovery on both sides, so the
risk team don’t necessarily know what they’re trying to ask, but we’ll apply our
[business line] expertise and come up with what we think the right answer is”.
One negative is that the 2nd line risk and 3rd line audit functions are located on
separate levels from the first line in the building. This hinders informal
relationship building: “Nobody comes to second line, even the first-line risk and
control teams. Nobody comes up there and it’s like being summoned to the
head teacher’s area or something. So, there is a bit of a them and us culture that
then has materialised again with audit who sit on the third floor, way away from
everybody else which again could be a good thing but…”