Of corporate governance, risk management and internal audit 

Clayton John Mifsud

Clayton John Mifsud explores how risk management and internal audit functions can be used effectively to strengthen governance frameworks and ensure compliance with new regulatory requirements in the Financial Services Industry.

Increasing expectations on governance

The financial services industry has seen boards of directors pushing for enhanced governance frameworks within their organisations. This push for improved governance is not a recent phenomenon, and there are also external pressures on Boards to make it. Successive EU Directives have pushed for increased governance around internal processes. What’s more, Regulators aren’t the only catalyst for change. The expectations of investors and other stakeholders on governance, especially on listed entities, are increasing.

Stakeholders are more than ever holding Boards accountable for the effectiveness of their overall governance process. This shift is real and significant, and is likely to amount to an expectation of greater board involvement in the means by which governance is organised and effected.

These expectations sometimes go down to product level. This is especially true of the new regulation drafted following the 2008 financial crisis. Both the Markets in Financial Instruments Directive II (MiFID II) and the Insurance Distribution Directive (IDD) have product governance requirements which factor in Board involvement.

Solvency II and Basel III have specific requirements for a “fit and proper” Board which conducts proper oversight throughout all the functions of the respective bank or insurance company. And whilst this was also required by their precursors, the expectation now is for the Board to get its hands dirty and ensure that a proper governance framework is in place.

The risk function

Whilst direct board involvement may be realistic in smaller organisations, larger banks and insurance companies may find these requirements challenging. Such Boards have generally responded by strengthening internal policies and establishing board-level committees with clear mandates. Roles such as the chief risk officer (CRO) are now common, heading well-resourced units which can assist the Board in its monitoring work.

In fact, it is now not uncommon, especially in larger organisations, to find individuals with risk-related functions such as enterprise risk management specialists, compliance officers, internal control specialists and fraud investigators, amongst others. Each looks at specific risk areas with the aim of helping the Board to manage the different risks which the organisation may face.

Yet, the challenge for Boards is how to transform the various risk management functions from simply being a corporate function to a discipline which is embedded across the enterprise and viewed as a strategic asset. With this, there also needs to be a shift away from bolted-on, point-specific compliance “solutions” that add costs and headcount, towards responses that integrate financial, operating, risk and regulatory requirements. Only through such a transformation can the full benefit of risk management be obtained.

The role of internal audit

Turning to the internal audit function, it also plays a key role within the governance framework. It is the third line of defence reporting directly to the audit committee which ultimately feeds back to the Board. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defence achieve risk management and control objectives.

Yet, a 2016 Deloitte Survey showed that only 28% of Chief Audit Executives believe that their functions have strong impact and influence within the organisation. In fact, 16% believe that internal audit has little or no influence. This is despite the fact that subsequent EU Directives and Regulations have designated Internal Audit as a key function.

Effective implementation

The synergy between both functions is key. For example, under Solvency II insurers are required to have a risk function as part of the second line of defence, with internal audit acting as the third line of defence. Both are considered key functions. This is in line with the three lines of defence model, which is the de facto governance model applied throughout the financial services industry. As already mentioned above, with the myriad of regulation coming into force, having a strong risk function supported by an effective internal audit function is key.

Taking the 4th Money Laundering Directive as an example, it requires strong internal processes around client onboarding, products and even recruitment. The risk function will be key in this area. There are also ongoing requirements for risk assessments to be carried out and for client and employee activity to be monitored. The work of internal audit will be to support the AML Compliance function and ensure that all business areas are adhering to the requirements.

The challenge that both of these functions face, and which ultimately has an impact on their strength and effectiveness within the organisation, is to have skills which remain relevant as organisations grow and develop. Whereas before the skills were focused on an understanding of the operational framework, controls and audit methodologies, IT-focused knowledge is now required. Regulations such as the General Data Protection Regulation (GDPR), which impacts all Financial Services firms, clearly require a team of individuals from a risk and internal audit background with knowledge of both operational and IT risks and controls.

Does the perfect solution exist?

It is clear that it may not be enough for the various risk and internal audit functions simply to be present within an organisation. There are challenges for the Board and Senior Management, who need to assign specific roles and effectively coordinate the roles of both functions. This is key to ensuring that there are neither “gaps” in controls nor unnecessary duplication of work.

Clear responsibilities must be defined so that each function understands the boundaries of its responsibilities and how its position fits within the organisation’s overall risk and control structure. Without a cohesive, coordinated approach, limited resources may not be deployed effectively, and significant risks may not be identified or managed appropriately. With the variety of threats faced by financial services organisations, internal weaknesses may pose increased risk. The resulting consequences would be too high to ignore.
