Governance, Risk Management & Culture

A ‘Risk Intelligent Culture’ supports and comprises of appropriate risk awareness, behaviours and judgements about risk‐taking. There are 7 key characteristics of a Risk intelligent culture of an organisation:

1. Expectation of challenge: People are comfortable challenging others, including authority figures. The people who are being challenged respond positively.
2. Prompt, transparent and honest communications: People are comfortable talking openly and honestly about risk using a common risk vocabulary that promotes shared understanding of risk.
3. A learning organisation – continuously improving: The collective ability of the organisation to manage risk more effectively is continuously improving.
4. Universal adoption and application: Risk is considered in all activities, from strategic planning to day-to-day operations, in every part of the organisation.
5. Responsibility: People take personal responsibility for the management of risk and proactively seek to involve others when that is the better approach.
6. Understand the value of effective Risk Management: People understand, and enthusiastically articulate, the value that effective risk management brings to the organisation.
7. Commonality of purpose: People’s individual interests, values and beliefs are aligned with the organisation purpose, business objectives, goals and strategy and risk strategy, appetite, limits and approach.

Risk culture is an increasing area of interest for Supervisors, and they can and do, challenge firms on all the elements that determine their culture and risk culture.

• Across the globe, Regulators and Supervisors, as well as leading industry bodies, are focusing on culture and conduct and there is increased scrutiny of risk culture and enhanced accountability. 
• Regulators deliberately do not publish specific prescriptive guidance to firms regarding their risk culture, recognising the nuances that each firm will have, and to encourage a level of accountability within firms to set, adopt and support a risk culture that is unique to their organization that ensures good outcomes delivered for customers. However, there are certain risk culture elements that the Regulator continues to focus on. These include: 
  • Purpose: The Financial Conduct Authority (FCA) “will look more deeply at the concept of purpose in Financial Services and the case for creating purposeful cultures”. 
  • “Tone from the middle”: G30 - “tone from above is as important as tone from the top”.
  • Psychological safety: Banking Standards Board – 40 percent of employees who spoke up said that they had not felt listened to or taken seriously.
• The FCA’s interest is not merely a matter of social justice, but a core part of how culture is assessed in a firm.
• Regulators are also increasingly interested in the incentivisation structures within organisations and the extent to which these support good risk management outcomes. This includes incentive structures (both financial and non-financial), but also a robust approach to consequence management that is driven from the top. 
• Any indication of poor risk culture can be expected to drive far more intrusive supervisory scrutiny of firms day-to-day, and so increase substantially the regulatory “overhead” borne by a firm. 
• In addition to regulatory pressure, there are many competitive advantages associated with a strong, desirable risk culture for organisations. Those with risk intelligent culture tend to be more trustworthy and appealing to customers and employees alike and are better placed to achieve long-term sustainability as compared to those with undesirable cultures.

Diversity of thought and inclusive behaviours in financial services help deliver better consumer and market outcomes including fair value, fair treatment, suitability, confidence and access. Firms need to be sufficiently diverse and inclusive to be able to understand the needs of their customer bases. A lack of diversity could lead to inadequate challenge at decision-making levels, which could lead to consumer and market harm. Inclusion is equally important as individuals should be able to express their views, speak up and raise concerns in a psychologically safe environment, supporting greater innovation and competition for customers and markets. Achieving major change takes personal commitment from everyone in an organisation. This includes leaders, who must prioritise improving diversity and inclusion, exemplify what inclusion means, and are held accountable for outcomes to ensure progress is made. Further, many organisations adopt a structured approach to diversity and inclusion, focused on standalone projects which do not address underlying cultural barriers that exist, and which fail to integrate diversity and inclusion into business processes.

• In July 2021, the Financial Conduct Authority (FCA) published a consultation paper titled Diversity and Inclusion on Company Boards and Executive Management. The objective was to consult on proposals to require greater transparency on the diversity of public company Boards and Executive Management teams, including comply or explain targets on gender and ethnic diversity and standardised data to be disclosed on an annual basis.
• Following the consultation, a policy statement (PS22/3) was issued in April 2022. The FCA is proceeding with the proposed focus of setting annual disclosure requirements on the representation of women and people from an ethnic minority background at Board and Executive levels (both against targets on a “comply or explain” basis and the accompanying numerical tables). It has also maintained the proposed scope of the requirements and is proceeding with the proposed changes to the Disclosure Guidance and Transparency Rules (DTRs). The FCA has added a new section to the disclosure, which requires transparency on the issuer’s approach to collecting the data. 
• Current events and trends - including reckonings around racism, injustice, and inequality - have pushed Internal Audit into a new realm: diversity, equality, and inclusion (DEI). While this represents a non-traditional area for the function, numerous factors—both lofty and pragmatic—compel Internal Audit to take stock of DEI initiatives across the organisation and play a role in advancing them:

In a rapidly transforming and uncertain world, effective risk management continues to be critical. Expectations of boards, regulators and other stakeholders in relation to risk management have undergone a ‘step change’ across all sectors in response to the COVID-19 pandemic and most recently the conflict in Ukraine and Russia. It is important that firms ensure:
(1) they can monitor and react to, current and emerging risks;
(2) their risk management frameworks and controls are effective, embedded and matured in line with the growth of the business and changes to its risk profile; and
(3) the risk management function has sufficient resources, capability and status to have a positive impact on decision-making. To ensure that Internal Audit needs to review risk management to provide an independent view of its effectiveness in its role as the Third Line of Defence to support the Board. Also, it helps Internal Audit functions meet regulatory expectations, and the requirements of the Internal Audit Financial Services (FS) Code of Practice.

• Post Periodic Summary Meeting (PSM) feedback letters issued by the Prudential Regulation Authority (PRA) to firms in all sectors consistently highlight the importance of Boards’ oversight over current and emerging risks. Supervisory feedback across all sectors continues to reference the need for risk management frameworks, operating models and controls to be effective, fully embedded and matured across the Three Lines of Defence as businesses grow and develop. It also sets out regulatory expectations of the Board and relevant sub-committees in providing effective oversight of risk management and internal controls.
• Internal Audit functions will be aware of the long-standing requirement embedded within the Internal Audit FS Code of Practice to assess the adequacy and effectiveness of the risk management function. However, supervisory feedback provided by the PRA to firms in the banking sector during the last 12 months and the joint PRA and Financial Conduct Authority (FCA) ‘Dear CEO’ letter on their Supervisory review of global equity finance businesses (published 10 December 2021), has re-emphasised the need for firms to regularly assess the effectiveness of the independent risk management function driven by the weaknesses observed by the PRA in the holistic management of risk across businesses. The primary root causes for such weaknesses have been noted to be:
  • a risk culture characterised by lack of accountability and risk ownership by the frontline business executives; and 
  • where the independent risk function lacks standing and where senior management incentives do not promote safe, sound, and sustainable outcomes for the firm.

The Financial Conduct Authority (FCA) expects asset managers' investment governance to be robust. This includes the processes for governance and oversight of risk exposures across all asset classes and the entire business model, including outsourced activities and counterparty risk monitoring. Firms should have controls, governance and oversight to monitor and manage risks throughout the investment processes, ensuring clients’ interests are prioritised. This becomes even more important considering the increased FCA focus on preventing and reducing customer harm as can be evidenced from the Business Plan for FY 2022-23. Further, it is essential that firms can demonstrate robust controls around compliance of investment mandates / guidelines including accurate and timely monitoring against investment guidelines, identification of active and passive breaches, escalation of such breaches internally as well as communication to customers.

• Investment Governance Maturity:  Whilst the concept itself has been around for a while, firms constantly endeavour to move up the maturity ladder through the following phases:
  • Unsophisticated: Lack of clear strategy and vision, unclear roles and responsibilities across the lines of defence, heavy reliance on manual processes with limited and or no documented policies and procedures. 
  • Reactive: Post incident monitoring characterised by more of “tick the box” exercises rather than looking at the substance of investment performance. Ability to conduct fund level analysis of performance and risk but based on a combination of system-based and manual tools. 
  • Evolving: Well established Investment Committee, clear delineation of roles between the Three Lines of Defence, (limited) dashboard reporting, ability to conduct multiple risk type analysis across funds.
  • Integrated: Investment Committee with cross functional representation, consistent understanding and articulation of investment risk management across the Three Lines of Defence, ability to use multi-dimensional scenario and stress tests, “in-time” reporting with integrated feeds from various transaction systems to report events.
   
  • Optimised: Cross functional Investment Committees with “challenge partners” who can provide advice and guidance to investment teams, published risk appetite statements with limits and metrics supported by quantitative and qualitative measures. Integrated multi-asset software solutions used for business decision making. 
• Consumer Information and Harm: As echoed in the FCA’s Business Plan for FY 2022-23, there is increasing regulatory focus on how firms are ensuring the high quality of information dissemination to customers to enable informed decisions and ensure that they can identify suitable products that meet their investment needs and risk tolerance. Special focus is on marketing of high-risk investments such as mini-bonds. 
• Environment, Society and Governance (ESG) Disclosures: With the increasing focus on ESG, there is an added responsibility on Investment Committees to exercise stronger oversight on how the firm categorises its investments from an ESG perspective and the corresponding disclosures so that they do not mislead the customers and remain within regulatory guidelines.

No organisation operates in isolation, however, whilst not every organisation is increasing the volume of engagement with third parties in its ecosystem, we are seeing a trend of organisations becoming increasingly reliant on third (and fourth) parties. Reasons for this include the nature of the relationships, how bespoke the services are (making substitutability challenging), or even how ‘close to core’ the services are. Regardless of the reason, increasing reliance on a third-party ecosystem is clear and this makes the management of that ecosystem even more important. Furthermore, the financial impact of a failure in this ecosystem is costly (through fines, loss of custom or reputational damage). In addition, the increased regulatory scrutiny and prescriptive requirements (as a part of the third-party and operational resilience regulations) have rapidly increased focus on third party risk as firms have seen accelerating digitisation across entire operations, with traditional services and operating models requiring unprecedented changes to new ways of working in such a short space of time. 

Regulators are providing more clarity and greater harmonisation of third-party risk regulations in 2022, providing increased direction for firms operating across multiple jurisdictions, greater linkages to third-party management and operational resilience across group level entity structures and heightened data security requirements, including use of the cloud. Our experience has shown firms that acknowledge the cross functional nature of third-party risks and implement third party oversight in a holistic manner, enabled through technology, achieve far greater clarity and consistency compared to firms that assess individual third-party risks in individual siloed teams.

While financial services Internal Audit functions will already be aware of some regulatory requirements, there have been significant new regulatory developments in 2021/22 on third-party risk that have broadened requirements for firms.

The Prudential Regulation Authority’s (PRA’s) Supervisory Statement (SS) 2/21, ‘Outsourcing and third-party risk management’, was published in March 2021 and has come into effect since 31 March 2022. The statement makes it more explicit that firms are expected to assess the risks and materiality of all third-party arrangements, including those that do not fall within the definition of ‘outsourcing’ and have clearly articulated that materiality, outsourcing and risk must be independently assessed and considered as part of a proportionate and risk-based approach.

The Financial Conduct Authority (FCA), in collaboration with Bank of England and PRA, is planning to launch a discussion paper in 2022. The paper will propose an oversight regime for the supervisory authorities to set resilience standards, a testing approach, and enforcement powers for Critical Third Parties. The responses will be used to inform a consultation in 2023.

As per 2022 FCA Business Plan, there is an increased focus on improving oversight of Authorised Representatives (AR). An AR carries out regulated activity under the responsibility of an authorised firm. The authorised firm (the Principal) is responsible for making sure that the AR is fit and proper and complies with rules. The FCA is consulting (CP21/34) on changes to their current regime in order to:

• clarify and strengthen the responsibilities and expectations of principals; and 
• increase the amount and timeliness of information FCA receives on Principals and their ARs.

The final rules were published during August 2022 via Policy Statement PS 22/11 with implementation due in December 2022. Please also refer to section 4.2 ‘Improving the Appointed Representatives Regime’.

In recent years, the regulatory and governance framework in financial services organisations has become increasingly complex, with remuneration forming a key part of this framework. Across the banking, asset management and insurance sectors, remuneration continues to be a key area of focus for UK and EU regulators, given the link between risk, reward and individual accountability. Remuneration structures, policies and processes have been subject to a significant amount of regulatory change and evolving regulatory guidance within the UK and at EU level relating, for example, to how firms should identify their “Material Risk Taker” population and how variable remuneration should be determined and allocated to individuals based on performance, while ensuring that variable remuneration is appropriately adjusted for risk and does not impact a firm’s ability to maintain a sound capital base. For banking and asset management firms, UK and EU regulations require that the implementation of their remuneration policies be subject to a central and independent internal review on at least an annual basis. For insurance firms, such reviews are also highly advisable as they are a key means by which a firm’s board can help to ensure that it is discharging its responsibility for the oversight of the implementation of the firm’s remuneration policy.

• While equivalent principles apply across the banking, asset management and insurance sectors, the remuneration rules and latest developments are specific to each. Across all sectors however, we have been seeing an increased focus from UK and EU regulators on the implementation of existing rules. 
• The requirement in the remuneration rules applicable to banking and asset management firms is for the implementation of remuneration policy to be subject to a central and independent internal review each year. For asset management firms, the current guidance is less prescriptive, although does expect firms to ensure that the review is independent. Draft EU guidance for investment firms under the upcoming Investment Firms Directive (IFD) suggests that Internal Audit will be expected to undertake this review, while near-final UK guidance for UK investment firms is less prescriptive. In practice, some firms will undertake a comprehensive review on a periodic (e.g. 3 yearly) basis and then review particular areas in more detail on a rotational basis each year. However, it will be important to ensure that material changes in policies, processes and practices year-on-year are considered, to ensure continued compliance with the remuneration rules.
• For firms in the banking sector, the amended remuneration rules under the Capital Requirements Directive (CRD V) were implemented in the UK for performance years starting on or after 29 December 2020 (with the implementation date varying between jurisdictions across the EU). This has included certain changes in how Material Risk Takers should be identified and changes relating to the disapplication of certain remuneration rules on the basis of proportionality. In the UK, smaller firms are no longer permitted to disapply the limit on the amount of variable remuneration that can be awarded (the ‘bonus cap’) or to disapply clawback. 
• Financial Conduct Authority (FCA) regulated investment firms will become subject to specific remuneration rules in a new Remuneration Code under the UK Investment Firm Prudential Regime (IFPR) from January 2022 (with equivalent rules applicable to EU firms under the Investment Firms Directive - IFD), with the result that many such firms and their senior staff may become subject to the rules on deferral, payment in instruments and malus / clawback for the first time.
• From an insurance standpoint, UK and EU firms must continue to comply with the Solvency II remuneration provisions (in place since 2016), and with the provisions relevant to remuneration under the insurance distribution regime (derived from the Insurance Distribution Directive (IDD)), aimed at enhancing consumer protection and mitigating the risks of conflicts of interests and mis-selling. UK firms must have regard to the Prudential Regulation Authority (PRA) guidance on the Solvency II remuneration provisions, while EU firms must take account of the European Insurance and Occupational Pensions Authority’s new Opinion, published in 2020, which sets out its expectations regarding the application of the Solvency II remuneration rules.