FSB Consultative Document - Guidance on Supervisory Interaction with Financial Institutions on Risk Culture

Similar documents
Increasing the Intensity and Effectiveness of Supervision

Technical Director International Auditing and Assurance Standards Board 545 Fifth Avenue, 14 th Floor New York, New York USA

April 12, Attn: Mr. Chris Spedding, Secretary to the Committee. Responded via to

Lya Villasuso OECD Corporate Affairs Division Response ed to: RE: Corporate Governance and the Financial Crises

Mr. Paul Druckman Chief Executive Officer, International Integrated Reporting Council

Response ed to

Developing an Integrated Anti-Fraud, Compliance, and Ethics Program

REVISED CORPORATE GOVERNANCE PRINCIPLES FOR BANKS (CONSULTATION PAPER) ISSUED BY THE BASEL COMMITTEE ON BANKING SUPERVISION

Guidance on arrangements to support operational continuity in resolution

Ms. Maridel Piloto de Noronha, PAS Secretariat Via

COSO Internal Control Integrated Framework Public Exposure Feedback Questions, December 2011

EUROPEAN CONFEDERATION OF INSTITUTES OF INTERNAL AUDITING (IVZW)

Guidance Note: Corporate Governance - Board of Directors. January Ce document est aussi disponible en français.

SEMINAR FOR SENIOR BANK SUPERVISORS

Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017)

International Federation of Accountants International Auditing and Assurance Standards Board 545 Fifth Avenue, 14th Floor New York, New York USA

Principles for enhancing corporate governance issued by Basel Committee. Comments of IFACI s Banking Professional Group

We suggest the Consultative Document consider a two prong approach which:

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

Implementation Guides

LEVERAGING COSO ACROSS THE THREE LINES OF DEFENSE

Chief Executive Officers, General Managers and Board Presidents Saskatchewan Credit Unions

PROMOTING A COLLABORATIVE ENVIRONMENT AMONG RISK MANAGEMENT, INTERNAL AUDIT, AND COMPLIANCE DEPARTMENTS. ANDREW SIMPSON, CISA COO CaseWare RCM Inc.

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS.

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Embedding Operational Risk

Banks Internal Control System, the case of Albania

Your committee: Evaluates the "tone at the top" and the company's culture, understanding their relevance to financial reporting and compliance

A Framework for Audit Quality

Auditing Governance at Board level October 2017

IIF IIF Issues Paper Promoting Sound Risk Culture 11. IIF Issues Paper

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

A FRAMEWORK FOR AUDIT QUALITY. KEY ELEMENTS THAT CREATE AN ENVIRONMENT FOR AUDIT QUALITY February 2014

Good Practices of the Audit Committee

\\R~~~::o~~i '~":.,~, Response ed to comments(fpcaobus.org

Community Housing Cymru s Code of Governance

Code of Governance for Community Housing Cymru s Members (a consultation)

May 16, Ms. Kathleen Healy International Auditing and Assurance Standards Board 545 Fifth Avenue, 14th Floor New York, New York 10017

Director Training and Qualifications

SUMMARY OF KING IV PRINCIPAL DISCLOSURES. Leadership, ethics and corporate citizenship

Financial Services Internal Audit insights. Effective Internal Audit RAISING THE BAR. May 2014

How to Deliver Value Through The Three Lines of Defense

SENIOR MANAGEMENT ASSESSMENT CRITERIA1

December 4, Response ed to

Several matters are pertinent to a discussion of audit quality with respect to external audits of banks.

PULSE OF INTERNAL AUDIT. Navigating an Increasingly Volatile Risk Environment

Practice Guide. Developing the Internal Audit Strategic Plan

ENHANCING CORPORATE GOVERNANCE

Exposure Draft: Proposed International Standard on Auditing 540 (Revised), Auditing Accounting Estimates and Related Disclosures

Control Environment Toolkit: Internal Audit Function

Maneuvering the Politics of Internal Auditing to Make Positive Change. Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA IIA President and CEO

AFM Corporate Governance Code

COMPLIANCE MANAGEMENT FRAMEWORK FOR VICTORIA UNIVERSITY

Libor. the risk lesson

Risky Business: Internal Audit Best Practices for Community Banks. Presented by: Angela Roberts & Leonard Wagers

Response ed to Re: PCAOB Rulemaking Docket Matter No. 028

Tackling serious failings in firms A response to the Special Measures proposal of the Parliamentary Commission on Banking Standards

Final Report. Guidelines. on internal governance under Directive 2013/36/EU EBA/GL/2017/ September 2017

TERMS OF REFERENCE FOR THE BOARD OF DIRECTORS

Compliance Program Effectiveness Guide

Report on an External Quality Assessment of the Investigations function in UNICEF

While state regulators are supportive of the removal of duplicative guidance, we believe that additional

Guideline. Operational Risk Management. Category: Sound Business and Financial Practices. No: E-21 Date: June 2016

Conversation with Representative Hill A Financial Services Perspective

BOM / BSD 7 /April 2001 BANK OF MAURITIUS. Guideline on Corporate Governance

SM&CR Culture Measurement Toolkit

Basel Committee on Banking Supervision. Consultative Document. External audits of banks. Issued for comment by 21 June 2013

EBA GL 44. Wording Amendments / Additions suggested. Amend ment /Comm ent # page

Report. Quality Assessment of Internal Audit at <Organisation> Draft Report / Final Report

MANAGING RISK AT SUNCORP

Members by Region The Global IIA in 2017 International Affiliates: 39 Members: 47,410 YOY Change: +1% 190,000+ MEMBERS COUNTRIES & TERRITORIE

CORPORATE GOVERNANCE STATEMENT 30 JUNE 2017

Re: IOSCO Consultation Report, Good Practices for Audit Committees in

Guidance Note: Class 1 Credit Unions

What We Will Cover Today

Qatar, 24 May Basel II and Corporate Governance Issues

An integrated approach for assessing risk culture at financial institutions

Executive Director Position Profile

Corporate Governance and Financial Markets

Three Lines of Defense vs. Five Lines of Assurance

ARCHIVED Audit of Risk Management

Maximizing value from your lines of defense

STATE OF INTERNAL AUDIT 2013

DIRECTOR TRAINING AND QUALIFICATIONS: SAMPLE SELF-ASSESSMENT TOOL February 2015

Implementation Guide 1200

Practice Advisory : Quality Assurance and Improvement Program

RREGULATION ON INTERNAL CONTROLS AND INTERNAL AUDIT FUNCTION IN MICROFINANCE INSTITUTIONS. Article 1 Scope and Purpose

Catching Fraud During a Recession Through Superior Internal Controls. FICPA s 25 th Annual Accounting Show. J. Stephen Nouss September 29, 2010

AUDITING CULTURE. Kayla Flanders, CIA, CRMA Deanna Bennigsdorf, CIA, CRMA IIA Sioux Falls Chapter February 20, 2018

Recommendations for consistent national reporting of data on the use of compensation tools to address misconduct risk. Consultative Document

Proposed International Standard on Auditing 315 (Revised)

Implementation Guide 2130

BOARD OF DIRECTORS CHARTER

Internal Audit & the Audit Committee

Our mission is to promote transparency and integrity in business. We monitor the quality of UK Public Interest Entity audits. We have responsibility f

CHARTER OF THE BOARD OF DIRECTORS

Sub-section Content. 1 Preliminaries - Post title: Head of Group Risk - Reports to: CRO - Division: xxx - Department: xxx - Location: xxx

Mr. Jim Sylph Technical Director International Auditing and Assurance Standards Board 545 Fifth Avenue, 14th Floor New York, NY 10017

Leveraging ERM to meet. and create business value. Management Flora Do, Senior Manager, Enterprise Risk Management

Appendix 2 JFSA s views on the comments submitted in English

Transcription:

Richard F. Chambers Certified Internal Auditor Certified Government Auditing Professional Certification in Control Self-Assessment Certification in Risk Management Assurance President and Chief Executive Officer T: +1-407-937-1200 E-mail: richard.f.chambers@theiia.org January 31, 2014 Mr. Svein Andresen Secretary Financial Stability Board Bank of International Settlements Centralbahnplatz 2 CH-4002 Basel Switzerland Dear Mr. Andresen, RE: FSB Consultative Document - Guidance on Supervisory Interaction with Financial Institutions on Risk Culture On behalf of the over 180,000 global members of The Institute of Internal Auditors (The IIA), I am pleased to provide our observations and comments on the Financial Stability Board s (FSB) Guidance on Supervisory Interaction with Financial Institutions on Risk Culture Consultative Document. As the global standards-setting body for the professional practice of internal auditing, we appreciate the opportunity to provide comment on this guidance and fully concur with the concept of increasing the intensity and effectiveness of supervision for the promotion of a sound risk culture within financial institutions. Our comments are based on discussions conducted by a core team of globally represented internal audit professionals who are thought leaders with experience in the public and private sectors; internal and external auditing; and small, medium, and large domestic and multinational companies, both within and outside of the financial services sector. Our primary comments related to the Consultative Document are below. Additional, more detailed observations and comments are provided in Attachment A. Overall the Consultative Document has been well thought out and offers a good balance of high level principle-based guidance with enough detail to provide direction. We believe, however, that there remain opportunities for further consideration. Principally, 1) Financial institutions are profitable and provide shareholder value over the long-term by prudently managing risk taking activities. Although the Consultative Document refers to prudent risk taking in the Compensation and Incentives sections, much of the Consultative Document is written with a slant toward risk avoidance. ly, risk culture should be about creating an environment where undertaking risk on behalf of the institution is done consistent with the management of risk within tolerance levels approved by the board and senior management.

2) Consider including or referencing additional guidance that would be useful to both the institution and the supervisor, when applying this particular guidance. For example, Within section three on Supervisory Guidance, the Consultative Document states, In particular, supervisors should assess how the board and senior management systematically assess the risk culture of the institution, and document what they are finding and how any deficiencies in risk culture are addressed. The institution's willingness to sufficiently document the elements supporting its risk culture should form part of the supervisor's overall assessment. We suggest that additional guidance may be necessary to supplement a supervisor s ability to successfully assess an institution s risk culture, document findings, review remediation plans and determine an institution s willingness to document elements of its own risk culture. Please do not hesitate to contact Glenn Darinzo, IIA s Director of Standards and Guidance, if you have any questions about this response and/or would like to schedule a time for us to either meet in person or via conference call. Mr. Darinzo can be reached via email: glenn.darinzo@theiia.org or phone 1-407-937-1164. Again we applaud the efforts of the FSB to promulgate guidance for the promotion of a sound risk culture within financial institutions. I look forward to an opportunity to meet you in the future to continue our discussions and further build awareness of the critical role internal auditing can and does play in ensuring good governance, risk management and internal controls thereby enhancing financial stability within financial institutions and other organizations. Best Regards, Richard F. Chambers, CIA, CGAP, CCSA, CRMA President and Chief Executive Officer Page 2 of 5

Attachment A Specific Section Comments Be consistent by replacing firm or organization with institution. The last section on Talent Development and Succession Planning refers to training programs that are available for all staff to develop risk management competencies. However, training on risk identification and risk assessment has a significant impact on a financial institution s risk culture. Suggest providing more detailed descriptions of training such as, risk assessment, risk culture, risk appetite, tolerance levels, risk statements, and overall risk management. Also suggest addressing different types and the frequency of training required. The Consultative Document should include some additional tools to assist the supervisors in effectively assessing the risk culture of financial institutions. Specifically, within section three on Supervisory Guidance, the guidance states that supervisors are in a unique position to assess risk culture and that assessing risk culture is embedded in every supervisory activity. However, the guidance does not provide details or tools to assist the supervisor in how to evaluate a financial institution s risk culture. Additionally, the guidance does not include the polling of external stakeholders in their assessment of the financial institution s risk culture. In both instances, it would be helpful in assisting supervisors to include tools such as interviews at all levels within the institution, internal and external surveys, and risk assessment workshops (or focus groups) that would be beneficial when evaluating an institution s risk culture. 2. Indicators of a sound risk culture First bullet Tone from the top: The board of directors and senior management are the starting point for setting the financial institution s core values and risk culture, and their behaviour must reflect the values being espoused. This would include ensuring adequacy of investments in key governance and risk management resources to include people, processes and systems. As such, the leadership of the institution should systematically develop, monitor, and assess the culture of the financial institution. 3. supervisory guidance 3 rd paragraph In particular, behaviours that underpin supervisory findings should be highlighted to the board, which has ultimate responsibility for outlining, directing and overseeing the financial institution s risk culture. The supervisor raising, and the financial institution acting early to address, the root causes of the actual or suspected behavioural weakness will aid in preventing (or mitigating the impact of) particular undesired cultural norms from taking root and growingdeviating from the board s expectations. 3.1 Tone from the top 1 st paragraph Non-executive directors can play an important role in bringing experience from other industriesfinancial institutions or companies in other regulated industries where behaviours and practices generally necessitate a sound risk culture (e.g., healthcare, nuclear energy) and often are well placed to bring a fresh perspective and sage advice about issues such as behaviour in relation to overall culture. and The appropriate tone and standard of behaviour fromat the top is a necessary condition for promoting sound risk management. However, it is far from sufficient. For lasting change, the tone and behaviour in the middle (e.g., middle management actions that reinforce the tone from the top ), and indeed throughout the institution, is also important. Indicators of tone from the top Page 3 of 5

Section 3.1.1 The board and senior management are committed to establishing, monitoring, and adhering to an effective risk appetite statementframework, supported by appropriate risk appetite statement(s) that underpins the financial institution s risk management strategy and are integrated with the overall business strategy. 3.1.3 The board and senior management promote through behaviours, actions and words a risk culture that expects integrity and a sound approach to risk management. 3.1.4 The board and senior management promote an open exchange of views, challenge and debate, including healthy skepticism that encourages and supports openness to challenge those in authority by providing alternative points of view that may result in a better decision, ensuring that all directors have the tools, resources and information to carry out their roles effectively, particularly in exercising their challenge function. 3.1.5 The board and senior management have mechanisms in place, such as talent development and succession planning, which help to lessen the influence of dominant personalities and behaviours. For example, a robust confidential 360 degree review process can help identify such personalities and result in appropriate coaching. (Rationale for proposed changes: While talent development and succession planning are important factors, there are many other important factors.) 3.1.6 throughout the institution as a whole is the same asconsistent with the tone atfrom the top. 3.1.7 The board and senior management have mechanisms in place to assess whether the risk appetite framework, the risk appetite statement(s), risk management strategy and overall business strategy. (Rationale for proposed changes: It all starts with the RAF, and there could be more than one risk appetite statement.) 3.1.9 The board and senior management demonstrate a clear understanding of the quality and consistency of risk management decision-making throughout the business, including how risk is decision-making is understood and how that understanding should influence decisions consistent with the financial institution s risk appetite and the business strategy. 3.1.10 The board and senior management have clear views on the business lines considered to pose the greatest challenges to risk management such as unusually profitable parts of the business, and these are subject to constructive and credible challenge about the risk-return balance. 3.1.11 The board and senior management systematically monitor how quickly issues raised by the boardthemselves, supervisors, external audit, internal audit, and otheras well as by any second line of defense control functions are addressed by management. 3.1.12 to the firminstitution, are reviewed at allthe appropriate levels of the organizationinstitution and are seen as an opportunity to strengthen the financial institution s risk culture and make it more robust. (Rationale for proposed changes: strengthen and robust seemed synonymous.) 3.1.13 Assessment and communication of lessons learned from past errorsevents is seen as an opportunity to enhance and/or strengthen the institution s risk culture, and to enact real changes for the future. (Rationale for proposed changes: Events is a broader term and lessons can be learned from things other than errors, and real changes for the future seemed unnecessary to make this point.) 3.2 Accountability 1 st paragraph In particular, business lines, the risk management function, and internal audit and all applicable second line of defense functions (e.g., compliance, security, etc.) should have clearly delineated responsibilities in regard to assessment, monitoring, identification, management and mitigation of, as well as reporting on, risk. Accountability speaks to the prompt identification, management, and escalation of emerging and unexpected risk issues, and having a clear understanding of the consequences for not doing so, while retaining ownershipday-to-day operating management of risk with the units originating them. Indicators of accountability 3.2.2 Mechanisms are in place for the lines of business to share sharing of information on emerging and unexpected risks, including horizontally to other business lines and units that might be impacted, as well as low probability, high impact risks, both horizontally across business lines and vertically up the institution. (Rationale for proposed changes: Information sharing is more than just across business lines. Also, the term unexpected risks seems incorrect, since it is not a risk if you don t expect it even remotely. So, low probability, high impact risks may get at the point intended more generally (e.g., black swans.) Page 4 of 5

Section 3.2.3 Employees are held accountable for their actions and are aware of the consequences for not adhering to the desired risk management behaviours, regardless of whether their actions resulted in financial gain or loss to the financial institution., and are aware of the consequences for not adhering to the desired risk management behaviour. 3.2.6 Mechanisms are established for employees to raiseelevate and report concerns when they feel discomfort about products or practices, even where they are not making a specific allegation of wrongdoing, and for acting on those concerns. (Rationale for proposed changes: To clarify what acting on concerns means, by using elevate and report language.) 3.2.8 Consequences are clearly established, articulated and applied for business lines or individuals anyone engaged in, or supporting, risk-taking that is excessive relative to 3.2.9 Breaches in internal policies, procedures and risk limits, as well as non-adherence to internal codes of conducts, are understood to have a potential impact on an individual s compensation and responsibilities, orcan affect career progression and, depending on severity, may result in including termination. Stature of risk management 3.3.3 The chief risk officer, and risk management function and internal audit share the same stature as the lines of business, actively participating in senior management committees and proactively being involved in all the relevant risk decisions. 3.3.4 The chief risk officer, the and risk management function and internal audit have appropriate direct access to the board and senior management and effectively utilize it. 3.3.5 Compliance, legal, internal audit and other second line of defense control functions Indicators of incentives 3.4.2 promote the financial institution s desired core values, compliance with policies and procedures,, internal audit results, and address internal control deficiencies and supervisory findings timely. (Rationale for proposed changes: Internal audit results are secondary to the seriousness and timeliness with which management addresses control deficiencies, regardless of who identifies such deficiencies (e.g., internal audit, external audit, supervisory agencies, etc.) 3.4.5 Succession planning processes for key management positions include risk management experience, to include individuals with responsibilities consistent with that of being and not only revenue-based accomplishments; for instance, the chief risk officer, chief compliance officer and chief internal audit officer can be considered as a as potential candidates for chief executive officerother C-level executive positions, including the chief executive officer. (Rationale for proposed changes: It is implied that not only revenue-based accomplishments are part of this by the way it is worded.) Page 5 of 5

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback