2016 – dismantling risk governance silos
If 2015 is to be remembered as the year regulators challenged boards to demonstrate their strong governance over their risk management, 2016 promises something just as important. In fact, 2016 will arguably be a truly momentous year in the world of non-financial risk as it could well become the year that risk governance silos are finally dismantled, writes Brian Gregory
In July 2015, in perhaps the most memorable example of regulators challenging boards, the Basel Committee revised its “Corporate governance principles for banks.” The major revised principles expand the guidance on the role of the board of directors in overseeing the implementation of effective risk management systems. They also emphasise the importance of the board’s collective competence as well as the obligation of individual board members to dedicate sufficient time to their mandates and to keep abreast of developments in banking.
Meanwhile, the principles strengthen the guidance on risk governance, including the risk management roles played by business units, risk management teams, and internal audit and control functions (the three lines of defence), and underline the importance of a sound risk culture in driving risk management within a bank. They also provide guidance for bank supervisors in evaluating the processes used by banks to select board members and senior management. Notably, the principles recognise that compensation systems form a key component of the governance and incentive structure through which the board and senior management of a bank convey acceptable risk-taking behaviour and reinforce the bank’s operating and risk culture.
This year, in the UK, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) also replaced the Approved Persons Regime with the Senior Managers and Certification Regime (SM&CR) requirements. And in October 2015 the “presumption of responsibility” (described by many commentators as “guilty until you can prove you are innocent”) was replaced with a “duty of responsibility”. The FCA and PRA are nonetheless making it clear that individuals could personally be held to account.
The challenge now for many financial organisations therefore becomes to understand the full extent of the rules and regulations that apply to their business and to be able to map these to their risk management solution. Globally, Wolters Kluwer Financial Services believes there are 176 jurisdictions, with 832 regulatory bodies and more than 3,400 document types. Additionally, the rules and regulations are not static. New and revised rules and updates to guidance mean that banks are now spending more time and money than ever before trying to keep abreast of the changes.
It is therefore unsurprising that many are ramping up plans to choose and implement GRC software solutions, especially those that can not only import the initial rules and regulations but also proactively receive updates in respect of new or revised rules and regulations, together with commentaries.
The focus on personal responsibility, which will be a continuing theme in 2016, is reminiscent of the Sarbanes–Oxley Act of 2002. The need for strong governance and internal controls had long been embodied in company law and stock exchange requirements. Yet it took the requirement for annual “attestation”, together with the possibility of personal fines and even imprisonment for false attestation, for many companies to undertake a true enterprise assessment of their governance.
The increasing focus on the responsibility of the board and senior management to establish strong risk governance could well see 2016 become the year that risk governance silos are finally dismantled.