Governance, Risk Management & Culture
Financial Services Internal Audit Planning Priorities 2023
Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2023. We hope this informs your 2023 planning and assurance approach.
3.1 Risk Culture
A ‘Risk Intelligent Culture’ supports and comprises appropriate risk awareness, behaviours and judgements about risk‐taking. There are 7 key characteristics of a risk intelligent culture in an organisation:
- Expectation of challenge: People are comfortable challenging others, including authority figures. The people who are being challenged respond positively.
- Prompt, transparent and honest communications: People are comfortable talking openly and honestly about risk using a common risk vocabulary that promotes shared understanding of risk.
- A learning organisation – continuously improving: The collective ability of the organisation to manage risk more effectively is continuously improving.
- Universal adoption and application: Risk is considered in all activities, from strategic planning to day-to-day operations, in every part of the organisation.
- Responsibility: People take personal responsibility for the management of risk and proactively seek to involve others when that is the better approach.
- Understand the value of effective Risk Management: People understand, and enthusiastically articulate, the value that effective risk management brings to the organisation.
- Commonality of purpose: People’s individual interests, values and beliefs are aligned with the organisation purpose, business objectives, goals and strategy and risk strategy, appetite, limits and approach.
Risk culture is an area of increasing interest for Supervisors, who can, and do, challenge firms on all the elements that determine their culture and risk culture.
Across the globe, Regulators and Supervisors, as well as leading industry bodies, are focusing on culture and conduct and there is increased scrutiny of risk culture and enhanced accountability.
Regulators deliberately do not publish specific prescriptive guidance to firms regarding their risk culture. This recognises the nuances of each firm and encourages accountability within firms to set, adopt and support a risk culture that is unique to their organisation and that ensures good outcomes are delivered for customers.
The European Regulators’ interest is not merely a matter of social justice, but a core part of how culture is assessed in a firm.
Regulators are also increasingly interested in the incentivisation structures within organisations and the extent to which these support good risk management outcomes. This includes incentive structures (both financial and non-financial), but also a robust approach to consequence management that is driven from the top.
Any indication of poor risk culture can be expected to drive far more intrusive supervisory scrutiny of firms day-to-day, and so increase substantially the regulatory “overhead” borne by a firm.
In addition to regulatory pressure, there are many competitive advantages associated with a strong, desirable risk culture. Organisations with a risk intelligent culture tend to be more trustworthy and appealing to customers and employees alike, and are better placed to achieve long-term sustainability than those with undesirable cultures.
Objectives for Internal Audit to consider while leveraging existing frameworks and data for insights in risk culture are:
- Perform targeted assessments to audit culture hotspots.
- Design a framework to assess culture.
- Embed culture assessment in various audits.
- Design and implement repeatable and scalable methodology and tools in support of culture assessments.
- Improve Board reporting on culture and establish linkage with ethics and conduct programs.
- Accelerate Internal Audit’s capabilities to perform enterprise-wide culture audits (knowledge, skills, approach, techniques, tools).
Internal Audit can also leverage existing frameworks with insights through analytics, such as:
- Employee voice: Qualitative and quantitative employee engagement feedback, and issues escalated by employees.
- Customer feedback: Customer complaints, satisfaction surveys, external resolution.
- Risk, legal and compliance information (First and Second lines): Fraud cases, breaches, events and losses, breaches remediated, trade and communications supervisory and surveillance alerts, and regulatory testing.
- Training: Employee training and core competency completed.
- HR Data: Turnover, termination, recruitment and rewards (promotion, incentives, performance management).
- Internal Audit: Closure of audit issues, repeat findings.
There are also some key questions for Internal Audit to consider in framing discussions on culture:
- How does our organisation define culture?
- What is the link between culture, ethics and conduct?
- What activities does our organisation execute to reinforce its culture?
- How do employees perceive our organisation's desired culture?
- What has our organisation done to understand its culture and resulting effects?
- What are some of our organisation's key indicators for culture?
3.2. Diversity and Inclusion
Diversity of thought and inclusive behaviours in financial services help deliver better consumer and market outcomes, including fair value, fair treatment, suitability, confidence and access. Firms need to be sufficiently diverse and inclusive to be able to understand the needs of their customer bases. A lack of diversity could lead to inadequate challenge at decision-making levels, which could in turn lead to consumer and market harm. Inclusion is equally important: individuals should be able to express their views, speak up and raise concerns in a psychologically safe environment, supporting greater innovation and competition for customers and markets. Achieving major change takes personal commitment from everyone in an organisation. This includes leaders, who must prioritise improving diversity and inclusion, exemplify what inclusion means, and be held accountable for outcomes to ensure progress is made. Further, many organisations adopt a structured approach to diversity and inclusion that is focused on standalone projects, which do not address the underlying cultural barriers that exist and fail to integrate diversity and inclusion into business processes.
Current events and trends - including reckonings around racism, injustice, and inequality - have pushed Internal Audit into a new realm: diversity, equality, and inclusion (DEI). While this represents a non-traditional area for the function, numerous factors—both lofty and pragmatic—compel Internal Audit to take stock of DEI initiatives across the organisation and play a role in advancing them:
- Discriminatory practices are inherently objectionable. Internal Audit has both an opportunity and an obligation to help an organisation to foster a diverse and inclusive culture.
- A diverse workforce and inclusive culture are essential components of successful organisations, correlated with improved job performance, reduced turnover, and decreased absenteeism.
- Diversity, equality, and inclusion are critical attributes for job-seekers, and organisations that embrace DEI will have an advantage in recruiting and retaining top talent.
Internal Audit, with its broad perspective on risk and its extensive relationships across the organisation, is uniquely suited to help assess the current state of DEI in the organisation and advise on appropriate paths forward. This includes serving as a catalyst by advising on risk indicators and KPIs; assessing whether DEI programs are meeting their intended objectives; and reporting results to the Board, Committees, and senior leaders. Internal Audit should be on the lookout for—and advise against—any quick-fix or shallow solutions proposed or enacted by Management. If the DEI initiative seems like a band-aid approach, employees and the marketplace will quickly take note. Specifically, Internal Audit should:
- Assess whether the culture is inclusive and diverse at all levels through mechanisms such as review of the root causes of resignations and of demographic data such as senior leader composition, hiring, bonus and benefits.
- Evaluate the governance around Diversity & Inclusion (D&I) right from the Board level down. This includes a review of whether values reflect the firm’s desire to be diverse and inclusive, and whether expected behaviours have been defined to support such values. It also includes a review of internal policies and procedures.
- Review the defined key indicators of diversity, such as diversity at different grades, pay gap data and progress.
- Review KPIs and targets set by the Board around key indicators of diversity and Board’s assessment of culture.
- Review the gap analysis against the Board’s expectations and KPIs, and assess Management’s actionable plans and adherence to the Board’s strategy.
- Evaluate whether D&I training materials are fit for purpose.
- Review whether individual contribution to D&I forms a part of performance reviews.
- Evaluate the review and investigation policies and processes to ensure that any incidents or reports of behaviours contrary to the firm’s D&I values and expected behaviours are investigated at an adequate level and on a timely basis, with the appropriate outcome actioned and reported.
- Assess the management information supporting the effectiveness of the D&I program and strategy.
- As a function, lead by example and ensure that appropriate attitudes and behaviours are embedded in the function itself, especially where it employs large numbers.
3.3. Risk Management Effectiveness and Maturity
In a rapidly transforming and uncertain world, effective risk management continues to be critical. Expectations of boards, regulators and other stakeholders in relation to risk management have undergone a ‘step change’ across all sectors in response to the COVID-19 pandemic and, most recently, the conflict between Russia and Ukraine. It is important that firms ensure:
(1) they can monitor and react to, current and emerging risks;
(2) their risk management frameworks and controls are effective, embedded and matured in line with the growth of the business and changes to its risk profile; and
(3) the risk management function has sufficient resources, capability and status to have a positive impact on decision-making. To support this, Internal Audit needs to review risk management to provide an independent view of its effectiveness, in its role as the Third Line of Defence supporting the Board. This also helps Internal Audit functions meet regulatory expectations.
Firms in all sectors should consider the importance of Boards’ oversight over current and emerging risks. Supervisory feedback across all sectors continues to reference the need for risk management frameworks, operating models and controls to be effective, fully embedded and matured across the Three Lines of Defence as businesses grow and develop. This feedback also sets out regulatory expectations of the Board and relevant sub-committees in providing effective oversight of risk management and internal controls.
Internal Audit functions will be aware of the long-standing requirement embedded within the Internal Audit standards to assess the adequacy and effectiveness of the risk management function. However, European Regulators have re-emphasised the need for firms to regularly assess the effectiveness of the independent risk management function driven by the weaknesses observed by the Regulator in the holistic management of risk across businesses. The primary root causes for such weaknesses have been noted to be:
- a risk culture characterised by lack of accountability and risk ownership by the frontline business executives; and
- where the independent risk function lacks standing and where senior management incentives do not promote safe, sound, and sustainable outcomes for the firm.
Area of Focus
Design Maturity and Embeddedness of the Risk Management Framework
Internal Audit should assess on a regular basis (at least once every three years) the adequacy and effectiveness of the organisation’s risk management framework and the extent to which it is fit for purpose given the nature, scale and complexity of the business and its risk profile. Internal Audit should also assess, at an appropriate frequency, the extent to which the framework and operating model are operationally embedded throughout the organisation and mature across the Three Lines of Defence.
Internal Audit should regularly assess the quality and appropriateness of Board-level risk information and reporting from the First and Second Lines of Defence. This should include whether significant matters which pose a threat to risk appetite and the achievement of the organisation’s strategic objectives are escalated promptly, and the overall quality of the supporting narrative and analysis. Internal Audit should provide assurance on the quality and reliability of risk information governance and reporting arrangements, and the extent to which these allow for informed risk management decisions and contribute to the right risk culture.
Adequacy and Effectiveness of the Risk Function
Internal Audit should understand the stature and prominence of the independent risk management function and in doing so should assess:
3.4. Investment Governance
The European Regulators expect asset managers' investment governance to be robust. This includes the processes for governance and oversight of risk exposures across all asset classes and the entire business model, including outsourced activities and counterparty risk monitoring. Firms should have controls, governance and oversight to monitor and manage risks throughout the investment processes, ensuring clients’ interests are prioritised. This becomes even more important considering the European Regulators’ increased focus on preventing and reducing customer harm. Further, it is essential that firms can demonstrate robust controls around compliance with investment mandates / guidelines, including accurate and timely monitoring against investment guidelines, identification of active and passive breaches, escalation of such breaches internally, and communication to customers.
Investment Governance Maturity: Whilst the concept itself has been around for a while, firms constantly endeavour to move up the maturity ladder through the following phases:
- Unsophisticated: Lack of clear strategy and vision, unclear roles and responsibilities across the lines of defence, heavy reliance on manual processes with limited or no documented policies and procedures.
- Reactive: Post incident monitoring characterised by more of “tick the box” exercises rather than looking at the substance of investment performance. Ability to conduct fund level analysis of performance and risk but based on a combination of system-based and manual tools.
- Evolving: Well established Investment Committee, clear delineation of roles between the Three Lines of Defence, (limited) dashboard reporting, ability to conduct multiple risk type analysis across funds.
- Integrated: Investment Committee with cross functional representation, consistent understanding and articulation of investment risk management across the Three Lines of Defence, ability to use multi-dimensional scenario and stress tests, “in-time” reporting with integrated feeds from various transaction systems to report events.
- Optimised: Cross functional Investment Committees with “challenge partners” who can provide advice and guidance to investment teams, published risk appetite statements with limits and metrics supported by quantitative and qualitative measures. Integrated multi-asset software solutions used for business decision making.
Consumer Information and Harm: There is increasing regulatory focus on how firms are ensuring the high quality of information dissemination to customers to enable informed decisions and ensure that they can identify suitable products that meet their investment needs and risk tolerance. Special focus is on marketing of high-risk investments such as mini-bonds.
Environment, Society and Governance (ESG) Disclosures: With the increasing focus on ESG, there is an added responsibility on Investment Committees to exercise stronger oversight on how the firm categorises its investments from an ESG perspective and the corresponding disclosures so that they do not mislead the customers and remain within regulatory guidelines.
Area of Focus
Assess the governance and oversight arrangements, including the roles and responsibilities of the Board, Chief Investment Officer (CIO) and key governance Committees (including the Investment Committee). Also, evaluate the composition of key governance Committees to ascertain whether there is appropriate participation to enable effective challenge and discussion.
Review whether risk exposures for key financial risks are monitored against the Board-approved risk appetite at adequate intervals. Further, review whether any breaches are identified, escalated and resolved on a timely basis.
Assess the oversight in place to ensure investment restrictions or guidelines are set up on a timely and complete basis in line with the Investment Management Agreements or Fund Documents. Also, review the controls in place to ensure timely identification, escalation, reporting and resolution of active and passive breaches of investment restrictions.
Outsourced Investments Management Functions
Evaluate the oversight arrangements over outsourced investment management functions. This includes assessing timeliness of required information relating to portfolio composition, performance, risk management, compliance with investment guidelines and any operational lapses.
Review whether management information comprises an adequate level of detail and on a timely basis. Also, evaluate whether the management information serves to forecast foreseeable risks rather than being a reactive mechanism to risk events that have already materialised.
3.5. Third Party Risk Management
No organisation operates in isolation. Whilst not every organisation is increasing the volume of engagement with third parties in its ecosystem, we are seeing a trend of organisations becoming increasingly reliant on third (and fourth) parties. Reasons for this include the nature of the relationships, how bespoke the services are (making substitutability challenging), or even how ‘close to core’ the services are. Regardless of the reason, increasing reliance on a third-party ecosystem is clear, and this makes the management of that ecosystem even more important. Furthermore, the financial impact of a failure in this ecosystem is costly (through fines, loss of custom or reputational damage). In addition, increased regulatory scrutiny and prescriptive requirements (as part of the third-party and operational resilience regulations) have rapidly increased focus on third party risk, as firms have seen accelerating digitisation across entire operations, with traditional services and operating models requiring unprecedented changes to new ways of working in a short space of time.
Regulators are providing more clarity and greater harmonisation of third-party risk regulations in 2022, providing increased direction for firms operating across multiple jurisdictions, greater linkages between third-party management and operational resilience across group-level entity structures, and heightened data security requirements, including use of the cloud. Our experience has shown that firms which acknowledge the cross-functional nature of third-party risks and implement third party oversight in a holistic manner, enabled through technology, achieve far greater clarity and consistency than firms that assess individual third-party risks in siloed teams.
While financial services Internal Audit functions will already be aware of some regulatory requirements, there have been significant new regulatory developments in 2021/22 on third-party risk that have broadened requirements for firms.
European Regulators expect firms to assess the risks and materiality of all third-party arrangements, including those that do not fall within the definition of ‘outsourcing’, and have clearly articulated that materiality, outsourcing and risk must be independently assessed and considered as part of a proportionate and risk-based approach.
Internal Audit should consider if the firm has an adequate Third-Party Risk Management (TPRM) framework embedded across the business and should examine this from both a design and an operating effectiveness perspective:
Assess if the following factors are designed adequately:
- Overarching governance arrangements;
- TPRM framework and associated policies;
- Allocation of roles and responsibilities;
- Processes and controls to manage third party risks throughout their lifecycle;
- Tools and technologies supporting the TPRM process; and
- Appropriateness of metrics used to measure risk appetite and tolerance within the organisation.
Assess control performance in the following areas:
- Risk identification and assessment;
- Third-party selection;
- Contract execution;
- Role and responsibility allocation;
- Ongoing monitoring and reporting assessment appraisal; and
- Contract termination and exit or renewal management.
Hot Topics: Given the increased regulatory scrutiny, particular focus should be given to understanding how the TPRM framework assesses and monitors financial insolvency, operational resilience, subcontracting risk and digital risk. For example, Internal Audit should understand how the business is utilising tools that enable access to real-time information to supplement the more traditional ‘point-in-time’ data that is collected, which we are seeing has become a key funding priority as firms continue to respond to the pandemic.
Regulatory Compliance: Assess adherence to key regulatory requirements, including the:
- Outsourcing guidelines published by the European Banking Authority, European Securities and Markets Authority, European Insurance and Occupational Pensions Authority and others.
3.6. Remuneration Risk and Reward
In recent years, the regulatory and governance framework in financial services organisations has become increasingly complex, with remuneration forming a key part of this framework. Across the banking, asset management and insurance sectors, remuneration continues to be a key area of focus for EU regulators, given the link between risk, reward and individual accountability. Remuneration structures, policies and processes have been subject to a significant amount of regulatory change and evolving regulatory guidance at EU level relating, for example, to how firms should identify their “Material Risk Taker” population and how variable remuneration should be determined and allocated to individuals based on performance, while ensuring that variable remuneration is appropriately adjusted for risk and does not impact a firm’s ability to maintain a sound capital base. For banking and asset management firms, EU regulations require that the implementation of their remuneration policies be subject to a central and independent internal review on at least an annual basis. For insurance firms, such reviews are also highly advisable as they are a key means by which a firm’s board can help to ensure that it is discharging its responsibility for the oversight of the implementation of the firm’s remuneration policy.
While equivalent principles apply across the banking, asset management and insurance sectors, the remuneration rules and latest developments are specific to each. Across all sectors however, we have been seeing an increased focus from EU regulators on the implementation of existing rules.
The requirement in the remuneration rules applicable to banking and asset management firms is for the implementation of the remuneration policy to be subject to a central and independent internal review each year. For asset management firms, the current guidance is less prescriptive, although it does expect firms to ensure that the review is independent. Draft EU guidance for investment firms under the upcoming Investment Firms Directive (IFD) suggests that Internal Audit will be expected to undertake this review. In practice, some firms will undertake a comprehensive review on a periodic (e.g. 3 yearly) basis and then review particular areas in more detail on a rotational basis each year. However, it will be important to ensure that material changes in policies, processes and practices year-on-year are considered, to ensure continued compliance with the remuneration rules.
For firms in the banking sector, the amended remuneration rules under the Capital Requirements Directive (CRD V) were implemented in the EU for performance years starting on or after 29 December 2020 (with the implementation date varying between jurisdictions across the EU). This has included certain changes in how Material Risk Takers should be identified and changes relating to the disapplication of certain remuneration rules on the basis of proportionality. In the EU, smaller firms are no longer permitted to disapply the limit on the amount of variable remuneration that can be awarded (the ‘bonus cap’) or to disapply clawback.
Investment firms regulated by the European Regulators will become subject to specific remuneration rules under the EU Investment Firm Directive (IFD), with the result that many such firms and their senior staff may become subject to the rules on deferral, payment in instruments and malus / clawback for the first time.
From an insurance standpoint, EU firms must continue to comply with the Solvency II remuneration provisions (in place since 2016), and with the provisions relevant to remuneration under the insurance distribution regime (derived from the Insurance Distribution Directive (IDD)), aimed at enhancing consumer protection and mitigating the risks of conflicts of interest and mis-selling. EU firms must take account of the European Insurance and Occupational Pensions Authority’s new Opinion, published in 2020, which sets out its expectations regarding the application of the Solvency II remuneration rules.
Design: Review the processes in place around the current remuneration policies, remuneration governance frameworks and disclosures to ascertain whether they are compliant with the applicable reward regulatory requirements, including:
- Remuneration policies and ancillary policies and procedures, such as relating to the structure and determination of fixed and variable remuneration, the identification of Material Risk Takers, structure of variable pay awards (including performance conditions, link to values and behaviours, risk adjustment) and treatment of new hires and leavers;
- Governance, including the composition and role of the Remuneration Committee and the role of control functions (e.g., Risk/Compliance) within broader reward governance, including the year-end process; and
- If applicable, specific focus should be paid to areas of the business where commission-based arrangements influence reward.
Implementation: Test the implementation of remuneration processes and procedures underpinning the remuneration policy to ensure they are robust and effective and are being operated in compliance with the applicable rules and regulatory guidance:
- Review the firm’s decision-making framework and the evidencing of this (e.g., input of control and other corporate functions, oversight of Material Risk Taker pay, assessments of firm’s capital soundness);
- Test controls within remuneration processes and procedures (e.g., Material Risk Taker identification); and
- Perform spot checks of systems and outputs.
Future state: Consider how the firm is adapting to future regulatory requirements via review of the firm’s readiness for future regulatory changes in reward (e.g., changes introduced under the EU IFD rules).
Reward structures: Assess the remuneration and incentive arrangements across all parts of the business as to whether they are effective in encouraging a customer-centric culture and do not encourage inappropriate risk-taking.