Credit & Prudential Regulation

Financial Services Internal Audit Planning Priorities 2022

Below we highlight new areas relevant to Internal Audit, as well as those areas we believe will have greater focus in 2022. We hope this informs your 2022 planning and assurance approach.

2.1. Recovery Planning

The emergence of the COVID-19 pandemic presented a different dimension of stress, with potential rapid asset quality, liquidity and capital impacts. The ability of a firm’s Recovery Plan to track a deterioration in the business as usual (BAU) environment has been of particular interest across the market.

Firms’ indicator frameworks are now brought back into sharp focus, especially as a number of asset quality metrics are directly impacted by the COVID-19 pandemic (such as arrears and provisions).

The following changes were made to the European regulators’ approach to Recovery Planning requirements:

  • Firms should consider options available to raise liquidity by encumbering assets in each stress scenario, noting the impact of such asset encumbrance on Recovery Planning as a whole; and

Whilst these are relatively minor changes, they require new thinking from firms around what scenario testing should include, and what the impacts of asset encumbrance are on Recovery Planning. Furthermore, the impact of and response to the COVID-19 pandemic should bring out practical adjustments and enhancements to a firm’s Recovery Plan, especially in an environment where operational changes (such as working remotely or an increase in collections activity) are running alongside this.

Continued scrutiny remains on firms with regard to the quality of their Recovery Plans. Internal Audit should assess whether the quality of Recovery Planning continues to be enhanced and whether the practical learnings from, and ongoing response to, COVID-19 are embedded.

Internal Audit should also consider whether their assurance approach to Recovery Planning includes coverage of the following typical issues identified in firms’ Recovery Plans:

  • Indicators included in the Recovery Plan are not broad enough to allow for identification of potential financial risk. Furthermore, the metrics are not calibrated to a suitable level to allow Management to respond in a timely fashion;
  • Recovery options provide little to no benefit (i.e. an increase to resources, or reduction in requirements) to the capital and liquidity position of the firm;
  • Scenario testing is focused on too few risks and does not always capture the key risks that the firm faces;
  • Dependencies between recovery options, as well as the dependencies the options have operationally and during stress scenario events, are analysed at a high level and not in sufficient detail, potentially reducing the usability of options; and
  • Invocation of the Recovery Plan and the practicalities of actually implementing the Plan are not clear, and have not been properly tested through Fire Drilling of the Recovery Plan.

2.2. Stress Testing

Stress testing continues to be a significant tool for firms to use in risk management practices, and this is heightened amidst the unfolding of the COVID-19 pandemic (specifically in relation to the payment deferrals that have occurred) and also with the climate change agenda continuing to be a huge focus for the regulatory bodies. Whilst stress testing is still routinely used to directly inform firms’ capital and liquidity holdings, it is being increasingly used for a breadth of exercises including business model viability, enhanced understanding of risk drivers, and developing understanding of new risks such as those posed by climate-related events. Regulatory bodies continue to assess firms’ stress testing capabilities and outputs, as well as exploring the capabilities and outputs from new areas which focus on financial risks from climate change.

The European regulators have previously published requirements for Internal Capital Adequacy Assessment Processes (ICAAPs) for climate-related risks and prescribed climate-related scenarios, but this exercise was paused due to the COVID-19 pandemic and has been restarted with an updated position for 2021.

The key requirements for scenario analysis for assessing climate related financial risks are:

Three scenarios:

  • Early action: orderly transition to achieve a net zero CO2 emissions economy within ambitious timescales;
  • Late action: disorderly action to achieve a net zero CO2 emissions economy which is unanticipated/sudden and disruptive; and
  • No additional action: minimal action results in a ‘hot house world’ which leads to global warming and an increasingly significant impact from physical risks (see below).

Two key risks:

  • Transition risk: risks associated with the implementation of significant policy and economic changes required to achieve net zero emissions; and
  • Physical risk: risks associated with the impact from higher global temperatures such as extreme weather events, both current impacts and those expected to result from taking no further policy action.

Internal Audit should continue to focus on key topical areas such as COVID-19 related impacts and climate change. These two key themes should feature in the following key areas of audit focus:

Scenario generation capabilities:
Strong capabilities for projecting outcomes should include a robust base case plan which can be updated in a timely manner to respond to changes in the external environment such as a stress event/scenario. As such, stress testing of base case plans should be commonplace and should include a range of relevant scenarios that can be utilised effectively to consider any required Management response. These capabilities should be developed for new and growing Banks and should be widened to incorporate climate-related risks. Internal Audit should determine the adequacy of the base case plan and the corresponding capacity of the business to respond to stress events/scenarios.

Horizon scanning:
Horizon scanning practices and associated analyses should be performed to understand the impacts given the many recent and expected changes to guidance as a result of Brexit, CRD V, CRR2, Basel 3.1, COVID-19 and climate related risks. Internal Audit should review the adequacy of the horizon scanning framework to ensure it effectively responds to identifiable future events and scenarios.

Risk appetite:
As the regulatory environment changes, and new insights are gained from stress testing analysis, firms need to ensure they are updating and regularly monitoring their risk appetites to ensure adherence to regulatory minima. Internal Audit should review the approach to this updating process and ensure robust monitoring controls are in place.

Models and data:
Internal Audit should continue to review the adequacy of the governance frameworks and processes around data and models that are heavily used to inform day-to-day planning and stress testing. There should be a focus on the approach to model updates as a result of recent regulatory changes that will impact upon stress testing activities, such as the Pillar 2B assessment as part of the ICAAP.