Financial Services Internal Audit Planning Priorities 2021

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2021. We hope this informs your 2021 planning and assurance approach.

2.1. Credit Risk Management – Risk Reporting

Why is it important?

The ability of financial institutions to identify, measure and manage their credit risks is fundamental to their long-term viability. Credit Risk Reporting is where those abilities should be apparent for all to see. A firm that cannot appropriately assess the riskiness of its credit portfolios could be taking on too much risk – which can very rapidly translate into impairment, credit losses, write-offs and capital depletion. Credit Risk Reporting needs to contain the information required to steer firms through highly uncertain times. Key to this is the robust prioritisation and escalation of risk issues, highlighting whether the current risk management strategy is operating as intended with clear accountability for agreed actions.

What’s new?

Since March 2020, there has been a deluge of COVID-19 related changes to the way credit risks are managed and reported; some of the drivers for this are noted below:

  • Introduction of a number of new Government loan schemes / facilities driving additional complexity in monitoring and reporting: COVID-19 Business Interruption Loan Scheme (CBILS), COVID-19 Corporate Financing Facility (CCFF), COVID-19 Large Business Interruption Loan Scheme (CLBILS), and Bounce Back Loan Scheme (BBLS).
  • Prudential Regulation Authority (PRA) statements and guidance on IFRS9 and COVID-19.
  • FCA proposal for temporary financial relief for customers affected by COVID-19.
  • Dear CEO letter on COVID-19: IFRS 9, capital requirements and loan covenants.
  • PRA guidance to firms on mortgages, motor finance, and high-cost credit, rent-to-own, buy-now pay-later and pawn-broking.

Collectively, these reporting obligations raise the risks of misstatements, compliance failures and a decline in the quality of existing reports as a result of new reporting burdens.

In addition, firms are increasingly looking to report on their credit capacity (e.g. collections and recoveries management), and deploy integrated dashboards with more timely data for quicker decisions.

In May 2020, the EBA also published its finalised risk reporting guidelines: EBA Guidelines on loan origination and monitoring.

What should Internal Audit be doing?

  • Assess the adequacy of credit risk reports and how well they help members of key governance and oversight committees to discharge their duties (as set out in the relevant Terms of Reference or Charters).
  • Focus on the reporting of COVID-19 related forbearance and how clearly its impacts have been explained to the audience of credit risk reports.
  • Check that the reporting of impairment and expected credit losses is consistent with regulatory guidance and the firm’s policies – especially given the additional scope for IFRS 9 models to be (temporarily) overridden with Management judgements in light of COVID-19.
  • Examine the extent to which diverse COVID-19 related scenarios have been reported to senior committees, with respect to credit risk.
  • Assess how clearly the strategy for dealing with COVID-19 associated credit risks have been communicated and tracked.

Key contacts: Damian Hales and Dan Oake

2.2. Recovery Planning

Why is it important?

In previous years and since the release of the PRA’s Supervisory Statement SS9/17 – “Recovery Planning” in 2017, there has been a strong regulatory focus on firms to enhance Recovery Plans and the scenarios modelled within.

Most firms based their stresses on iterations of macro-economic scenarios provided by the Bank of England, adverse impacts of Brexit and/or idiosyncratic impacts of an event which impacts the firm’s reputation. The emergence of the COVID-19 pandemic presented a different dimension of stress, with potential rapid asset quality, liquidity and capital impacts and the ability of a firm’s Recovery Plan to track a deterioration in the “BAU” environment has been of particular interest across the market. Firms’ indicator frameworks are now brought back into sharp focus, especially as a number of asset quality metrics are directly impacted by COVID-19 (such as arrears and provisions).

What’s new?

Proposed changes to Recovery Planning from the PRA (which were not initiated by the COVID-19 pandemic) are two-fold currently:

  • Whilst no specific feedback or guidance has been provided by the PRA on COVID-19 and Recovery Plans, the use of central bank facilities (mainly the Term Funding Scheme with Additional Incentives for SMEs (TFSME)) throughout the pandemic so far has meant asset encumbrance has come back to the PRA’s attention, as something which can pose a risk to liquidity and funding if not managed properly. As such, with the release of the PRA’s Policy Statement PS18/20 – “Asset Encumbrance”, the PRA has changed the requirements for Recovery Planning to include the impact of Asset Encumbrance on Recovery Planning as a whole. 
  • Simplified obligations have been introduced by the PRA in its Consultation Paper CP10/20 – “Simplified Obligations for Recovery Planning”, which reduces the number of scenarios for eligible firms to two, as well as re-affirming proportionality in that such firms need not submit the Recovery Plan Information Template.

Whilst these are relatively minor changes, they require new thinking from firms around what scenario testing should include, and what the impacts of asset encumbrance are on Recovery Planning. Furthermore, the impact and response to the COVID-19 pandemic should bring out practical adjustments and enhancements to a firm’s Recovery Plan, especially in an environment where operational changes (such as working remotely or an increase in collections activity) is running alongside.

What should Internal Audit be doing?

Continued scrutiny remains on firms with regard to the quality of their Recovery Plans. With the emergence of the COVID-19 pandemic and a focus on how firms are identifying changes in the BAU risk environment, the areas of concern highlighted in the PRA’s Dear CEO letter in October 2018 continue to be of high importance. Internal Audit should assess whether the quality of Recovery Planning continues to be enhanced and that the practical learnings and ongoing response to COVID-19 is embedded.

Internal Audit should also consider whether its assurance approach to Recovery Planning includes coverage of the following typical issues identified in firms’ Recovery Plans:

  • Indicators included in the Recovery Plan are not broad enough to allow for identification of potential financial risk. Furthermore, the metrics are not calibrated to a suitable level to allow Management to respond in a timely fashion.
  • Recovery options provide little to no benefit (i.e. an increase to resources, or reduction in requirements) to the capital and liquidity position of the firm.
  • Scenario testing is focused on too few risks and does not always capture the key risks that the firm faces.
  • Dependencies between recovery options, as well as the dependencies the options have operationally and during stress scenario events are analysed at a high-level and not in sufficient detail, potentially reducing the usability of options.
  • Invocation of the Recovery Plan and the practicalities of actually implementing the Plan are not clear and have not been properly tested through Fire Drilling of the Recovery Plan.

Key contacts: Kenny Wong and Joseph Hosapian

2.3. Stress Testing

Why is it important?

Stress testing forms a critical component of a firm’s risk management toolkit. The quality and the outcomes of a regulatory stress test will directly inform a regulator’s assessment of a firm’s capital and liquidity requirements. Given the recent COVID-19 pandemic, firms are considering the emerging repercussions and how to re-align their stress testing capabilities based on their actual recent experiences. Another key focus is on climate related financial risks which relies on developing climate related scenario analysis to support quantification of those risks and the impact on capital requirements. There is also focus on non-systemic growing banks and how they transition to using stress testing to inform capital buffer requirements.

What’s new?

The ECB report on banks’ ICAAP practices which includes a deep dive on how banks deal with climate related risks in their ICAAPs stated that “Banks’ practices for considering these in their risk management processes are barely established and heterogeneous.”

The PRA have previously published requirements for ICAAPs for climate related risks, and the Bank of England’s Biennial Exploratory Scenario (BES) 2019 prescribes climate related scenarios. 

The key requirements for scenario analysis for assessing climate related financial risks are:

  • Far-reaching impact in breadth and magnitude – climate related risks impact a broad range of sectors, business lines and geographic locations. 
  • Uncertain and extended time horizons – climate related risks impact protracted time frames beyond current planning horizons and historical analysis may not be an indicator of future outcomes.
  • Foreseeable nature – there is a high degree of certainty around the outcomes of climate related financial risks.
  • Dependency on short-term actions – the outlook is dependent on the actions taken today.

The PRA have published a consultation paper on ‘Non-systemic UK banks: The PRA’s approach to new and growing banks’ which proposes that “…as banks grow and mature following authorisation, they should develop their stress testing capabilities so they are prepared to transition to a PRA buffer set on a stress test basis.”

What should Internal Audit be doing?

Area of Focus

Model risk management

  • Review the adequacy of governance processes, design of the model, risk management controls and documentation around processes and assumptions, in particular expert judgement and post-model adjustments. The focus will be on existing models which need to be reconfigured as a result of COVID-19, as well as newly developed models and risk management frameworks which will evolve over time in relation to climate related financial risks and in general for growing banks.
Data integrity
  • Review data integrity controls, including controls over completeness and accuracy of data used in stress testing. Review appropriateness and consistency of the data used for climate related risks including scenario data (i.e. two degrees initiative, etc).
SME input
  • Internal Audit should liaise with relevant SMEs to understand how the firm’s stress testing approach for climate related risks compares to emerging best practice. 
Alignment with risk appetite 
  • Review the emerging risk appetite informed by climate related scenario analysis and consider appropriateness of inputs to inform decisions made to reset the firm’s risk appetite. 
Superior capital planning Superior capital planning should include:
  • Evaluation of the appropriateness of the stress scenarios selected, both stress assumptions and Management responses / actions, for both climate related scenario analysis and for new and growing banks adopting scenario analysis for the first time; and.
  • Assessment of the adequacy of timing of generation of stress results.
Scenario development
  • Internal Audit should consider the development of scenarios for climate related financial risks to assess the breadth, magnitude and timescales considered. Furthermore, this should be considered in the context of risk management given the increased assumptions required.
Horizon scanning

Key contacts: Damian Hales and Laura Ellis

Did you find this useful?