EBA GL 44. Wording Amendments / Additions suggested. Amend ment /Comm ent # page

Transcription

1 EBA GL 44 Amend ment /Comm ent # page Wording Amendments / Additions suggested 4f. 8. The fourth chapter on Internal Control includes the section entitled The role of Chief Risk Officer and the risk management function stemming from the High Level Principles on Risk Management and is aimed at ensuring the proper staffing of the control function, as one weakness identified in the CEBS survey mentioned above was that the control functions were not given sufficient resources to fulfil their duties. The principles also deal with the issue of unapproved exposures, aimed at implementing adequate processes for monitoring the set limits and taking appropriate actions where necessary. 9. The fifth chapter 8. The fourth chapter on Internal Control Framework starts with a description of the Three Lines of Defence model. The chapter includes the section entitled The role of Chief Risk Officer and the risk management function stemming from the High Level Principles on Risk Management and is aimed at ensuring the proper staffing of the control function, as one weakness identified in the CEBS survey mentioned above was that the control functions were not given sufficient resources to fulfil their duties. The principles also deal with the issue of unapproved exposures, aimed at implementing adequate processes for monitoring the set limits and taking appropriate actions where necessary. The section Internal Audit Function describes the role of Internal Audit as the third line of defence and as such - even though being a part of the overall Internal Control Framework itself - independently auditing the control functions of the first and second line of defence. 9. The fifth chapter The EBA s predecessor, the CEBS, had already addressed some of the most significant issues arising from the financial crisis within its High Level Principles on Remuneration published in April 2009 and in its High Level Principles on Risk Management published in 23. The EBA s predecessor, the CEBS, had already addressed some of the most significant issues arising from the financial crisis within its High Level Principles on Remuneration published in April 2009 and in its High Level Principles on Risk Management published in February However, taking into account the findings of its 2009 survey and recent work by other European and international bodies on corporate ECIIA comments on GL 44 May

2 February However, taking into account the findings of its 2009 survey and recent work by other European and international bodies on corporate governance (especially the Basel Committee's Principles for enhancing corporate governance), the EBA saw merit in enhancing these High Level Principles. Accordingly, guidelines concerning the functioning and composition of the management body as well as the qualifications, appointment and succession of its members, as well as improved principles dealing with the Risk Control function, were added. governance (especially the Basel Committee's Principles for enhancing corporate governance), the EBA saw merit in enhancing these High Level Principles. Accordingly, guidelines concerning the functioning and composition of the management body as well as the qualifications, appointment and succession of its members, as well as improved principles dealing with the Risk Control function and the Internal Audit Function were added Internal governance includes all standards and principles concerned with setting an institution s objectives, strategies, and risk tolerance/appetite; how its business is organised; how responsibilities and authority are allocated; how reporting lines are set up and what information they convey; and how internal control is organised. Internal governance also encompasses sound IT systems, outsourcing arrangements and business continuity management The Guideline is consistent with the threelines-of-defence model. The first line of defence provides that an institution should have in place effective processes to identify, measure or assess, monitor, mitigate and report on risks. These processes are referred to as Risk Management. 30. Internal governance includes all standards and principles concerned with setting an institution s objectives, strategies, and risk tolerance/appetite; how its business is organised; how responsibilities and authority are allocated; how reporting lines are set up and what information they convey; and how internal control is organised, monitored and audited. Internal governance also encompasses sound IT systems, outsourcing arrangements and business continuity management. 33. The Guideline is consistent with the three-lines-of-defence model, all three lines of which form the Internal Control Framework of an organization. The first line of defence provides that an institution should have in place effective processes to identify, measure or assess, monitor, mitigate and report on risks. These processes are referred to as Risk Management An institution should as a second line of defence 34. An institution should as a second line of defence have an ECIIA comments on GL 44 May

3 have an appropriate Internal Control framework to develop and maintain systems that ensure : effective and efficient operations; adequate control of risks; prudent conduct of business; reliability of financial and non-financial information reported or disclosed (both internally and externally); and compliance with laws, regulations, supervisory requirements and the institution's internal policies and procedures. The Internal Control framework should cover the whole organisation, including the activities of all business, support and control units. The third line of defence consists of the internal audit function, which provides an independent review of the first two lines of defence In assessing the efficiency of Internal Control within an institution, the management body should be able to rely on the work of control functions, including the Risk Control function, the Compliance function and the Internal Audit function. These control functions should be organisationally independent from the units they control. 14/15 D. Internal control Internal control framework Risk Control function (RCF) The Risk Control Function s role RCF s role in strategy and decisions RCF s role in transactions with related parties appropriate control and monitoring framework to develop and maintain systems that ensure : effective and efficient operations; adequate control of risks; prudent conduct of business; reliability of financial and non-financial information reported or disclosed (both internally and externally); and compliance with laws, regulations, supervisory requirements and the institution's internal policies and procedures. The Internal Control framework should cover the whole organisation, including the activities of all business, support, control and audit units. 35. The third line of defence is the internal audit function, which provides an independent review of the first two lines of defence. 36. In assessing the efficiency of Internal Control Framework within an institution, the management body should be able to rely on the work of control functions, including the Risk Control function and the Compliance function. These control functions should be organisationally independent from the units they control. Furthermore, in assessing the efficiency and effectiveness of the Internal Control Framework the management body should be able to rely on the functionality and results of the Internal Audit Function as the third line of defence. D. Internal Control Framework The Three Lines of Defence model 25. Internal control framework Chief Risk Officer The Risk Control Function (RCF) The Risk Control Function s Role ECIIA comments on GL 44 May

4 RCF s role in complexity of the legal structure RCF s role in material changes RCF s role in measurement and assessment RCF s role in monitoring RCF s role in unapproved exposures Chief Risk Officer RCF s role in strategy and decisions... RCF s role in transactions with related parties... RCF s role in complexity of the legal structure... RCF s role in material changes... RCF s role in measurement and assessment... RCF s role in monitoring... RCF s role in unapproved exposures Compliance function Internal Audit function Compliance function... E. Information systems and business continuity The management body of an institution s parent company should ensure the different group entities (including the institution itself) receive enough information for all of them to get a clear perception of the general aims and risks of the group. Any flow of significant information between entities relevant to the group s operational functioning should be documented and made accessible promptly, when requested, to the management body, the control functions and supervisors, as appropriate. 22 h. an adequate and effective internal control framework, that includes well-functioning Risk 30. Internal Audit function... E. Information systems and business continuity The management body of an institution s parent company should ensure the different group entities (including the institution itself) receive enough information for all of them to get a clear perception of the general aims and risks of the group. Any flow of significant information between entities relevant to the group s operational functioning should be documented and made accessible promptly, when requested, to the management body, the control functions, the Internal Audit function and supervisors, as appropriate. h. an adequate and effective Internal Control Framework, that includes well-functioning Risk Control, Compliance and Internal Audit functions ECIIA comments on GL 44 May

5 Control, Compliance and Internal Audit functions as well as an appropriate financial reporting and accounting framework Management and supervisory functions of the management body 1. The management and supervisory function of the management body of an institution shall interact effectively. Explanatory note as well as an appropriate financial and supervisory reporting and accounting framework. 10. Management and supervisory functions of the management body 1. The management and supervisory function of the management body of an institution shall interact effectively. They are expected to set the right tone at the top to ensure an appropriate risk culture which includes support for, and acceptance of, Internal Audit at all levels of the institution. Explanatory note 22 Explanatory note The supervisory function oversees the management function and provides advice to it. Its oversight role consists in providing constructive challenge when developing the strategy of an institution; monitoring of the performance of the management function and the realisation of agreed goals and objectives; and ensuring the integrity of the financial information and effective risk management and internal controls. Explanatory note The supervisory function oversees the management function and provides advice to it. Its oversight role consists in providing constructive challenge when developing the strategy of an institution; monitoring of the performance of the management function and the realisation of agreed goals and objectives; and ensuring the integrity of the financial and supervisory reporting, an effective risk management and internal controls and the Internal Audit Function Each function should 4. The management body should appoint a suitable head of the Internal Audit Function (IAF), evaluate the adequacy of the IAF in accordance with national and international professional standards and reassess to what extent the IAF s reviews cover the whole range of ECIIA comments on GL 44 May

6 activities of an institution, including the risk appetite framework elements. 5. Each function should 37 D. Internal control D. Internal Control Framework 24. Internal control framework The Three Lines of Defence model NB : Senior Management = Management body in its management function and Governing Body / Audit Committee = Management body in its supervisory function FOR EBA: THE FOLLOWING MIGHT BE SHORTENED IF DEEMED ECIIA comments on GL 44 May

7 NECESSARY: The Three Lines of Defence model provides a simple and effective way, regardless of size or complexity, to assign specific roles and to coordinate effectively and efficiently among risk and control functions so that there are neither gaps in controls nor unnecessary duplications of coverage by clarifying essential roles and duties. Management control is the first line of defence in risk management, the various risk control and compliance oversight functions established by management are the second line of defence, and independent assurance is the third. Each of these three lines plays a distinct role within the organization s wider governance framework. The Three Lines of Defence model distinguishes among three groups (or lines) involved in effective risk management: 1. Functions that own and manage risks. 2. Functions that oversee risks. 3. Functions that provide independent assurance. 1. As the first line of defence, operational managers own and manage risks. They also are responsible for implementing corrective actions to address process and control deficiencies. Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives. Through a cascading responsibility structure, mid-level managers design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees. ECIIA comments on GL 44 May

8 Explanatory note In a perfect world, perhaps only one line of defence would be needed to assure effective risk management. In the real world, however, a single line of defence often can prove inadequate. 2. Management establishes various risk management and compliance functions to help build and/or monitor the first line-of-defence controls. Typical functions in this second line of defence include: A risk management function (and/or committee) that facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization. A compliance function to monitor various specific risks such as noncompliance with applicable laws and regulations. Explanatory note Management establishes these functions to ensure the first line of defense is properly designed, in place, and operating as intended. Each of these functions has some degree of independence from the first line of defence, but they are by nature management functions. As management functions, they may intervene directly in modifying and developing the internal control and risk systems. Therefore, the second line of defence serves a vital purpose regarding risk management and internal controls. 3. Internal auditors provide the governing body and senior management with reasonable assurance based on the highest level of independence and objectivity within the organization. Internal audit ECIIA comments on GL 44 May

9 provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives Internal control framework 1. An institution shall 25. Internal control framework 1. An institution shall Risk Control function (RCF) 27. Risk Control Function (RCF) The Risk Control Function s role 28. The Risk Control Function s role Chief Risk Officer 26. Chief Risk Officer 1. An institution shall An institution shall Compliance Function 29. Compliance Function 13 43f 29. Internal Audit function 30. Internal Audit function Internal Audit Function 1. The Internal Audit Function 30. Internal Audit Function (IAF) Explanatory NoteThe following specific rules, regulations, guidelines and advices should apply for the Internal Audit Function: The Internal Audit Function in Banks, Basle Committee on Banking ECIIA comments on GL 44 May

10 Supervision, June 2012; Corporate governance principles for banks, Basle Committee on Banking Supervision, July 2015; Speech of Danièle Nouy, Chair of the Supervisory Board of the Single Supervisory Mechanism, at the European Confederation of Institutes of Internal Auditing (ECIIA) conference, Paris, 22 September 2015; SSM Framework Regulation, published by ECB on 14 May, 2014; International Standards for the professional practice of Internal Auditing, The Institute of Internal Auditors, newest edition 1. The Internal Audit Function The Internal Audit function ( IAF ) shall assess whether the quality of an institutions internal control framework is both effective and efficient. 1. As part of their mission to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight, the Internal Audit function shall assess whether the quality of an institution s internal control framework is both effective and efficient. If, in exceptional cases, the Internal Audit function may have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to avoid impairments to independence or objectivity The IAF should have unfettered access to relevant documents and information in all operational and control units The management body should encourage the internal auditors to adhere to national and international professional standards Internal audit work should be performed in accordance with an audit plan and detailed audit programs following a risk based approach. The audit plan should be approved 2. The IAF is expected to have unfettered access to all relevant documents and information being relevant to the fulfilment of its duties. 5. The Chief Audit Executive is expected to be at a senior enough level within the institution (normally expected to be at management body level likewise CFO, CRO, etc.) to give him or her the appropriate ECIIA comments on GL 44 May

11 by the audit committee and/or the management body. Explanatory note An example of professional standards referred to here is that of the standards established by the Institute of Internal Auditors. standing, access and authority to challenge the management body. Internal Audit is expected to have the right to attend and observe all or part of the management body meetings and any other key management decision making The Chief Audit Executive is expected to establish a multi annual risk based audit plan which is approved by the appropriate governing body. The audit plan should be reviewed on an ongoing basis and leave the necessary flexibility for unplanned audit reviews. High risk areas should be covered on a more regular basis The Chief Audit Executive is expected to ensure that the audit team has the skills and experience commensurate with the risk of the institution and to implement a strong quality assurance process for the IAF x) including a periodic formal external review. The Chief Audit Executive is expected to provide the Audit Committee with a regular assessment whether Internal Audit does have the resources, the skills and the experience required. This may entail training, recruitment and cosourcing with external third parties. ECIIA comments on GL 44 May X) e.g. according to the Quality Assessment Manual by The IIA, newest edition 8. Subsidiary and branch Heads of Internal Audit are expected to report primarily to the Group Chief Audit Executive, while taking the applicability of local governing law into consideration. It should be assured that the key processes of Internal Audit like the assessment and valuation of risks, audit planning processes, classification of findings, writing of reports, escalation processes and follow-up of the findings follow the same methology.

12 44 6. The IAF should report directly to the management body and/or its audit committee (where applicable) its findings and suggestions for material improvements to internal controls. All audit recommendations should be subject to a formal follow-up procedure by the respective levels of management to ensure and report their resolution. 9. The IAF is expected to report directly to the management body and/or its audit committee (where applicable) its findings and suggestions for material improvements. All audit recommendations should be subject to a formal follow-up procedure by the respective levels of management to ensure and report their resolution. If Management is not following up the recommendation and/or is taking risk which exceeds a level deemed suitable for the organization, the CAE must escalate this to the management function in its supervisory role The IAF is independent from external auditors. There should be an open communication between the IAF and the external auditors. The IAF can rely on the work of the external auditors when determining the annual audit plan. It is possible for the IAF to execute engagements in coordination with the external auditors activity as long as the coordination does not jeopardize its independence and the adherance to the IIA standards. ECIIA comments on GL 44 May