Enabling Board & Senior Management Risk Oversight
The Financial Service Authority[i] provided excellent insights on the RBS bankruptcy and its subsequent £45bn UK Government bailout, outlining the importance of adequate Board and Senior Management risk oversight. Whilst recognising the context in which certain decisions were made, the report also points to a lack of understanding of the risks involved, issues with skills and experience, and a poor risk culture, especially in the context of the ABN AMRO acquisition.
Following the 2007-08 financial crisis, many regulators have increased their requirements on Boards of Directors and Senior Management, and have specifically targeted individual roles and responsibilities[ii]. Though many enforcement actions and fines were directed at financial firms, far fewer individuals were held to account. This was primarily due to the lack of linkage between control / process failures and individuals’ responsibilities, which enabled senior managers to claim that someone else was responsible. To quote Martin Wheatley, the former Chief Executive of the UK Financial Conduct Authority:
“Industries characterised by weak accountability – or by individuals seeking to protect themselves on a ‘Murder on the Orient Express’ defence (it wasn’t me, it could have been anyone) – are almost invariably less financially stable, and more prone to misconduct”[iii]
This change in regulatory focus forced many financial institutions to enhance and align both governance and risk management capabilities to support these new responsibilities. As a result, Board Governance requirements have been overhauled, including upgrading membership, enhancing decision-making accountabilities and ensuring that governance information was challenged to enable effective oversight of the risks within their organisation.
This article will first explore both Board and Senior Management risk oversight responsibilities for regulated and non-regulated firms. Then, it will look at good practices in terms of Board composition and supporting governance structure. Finally, practical guidance will be provided on developing relevant risk management frameworks and systems, aligned to Board and Senior Management oversight responsibilities and designed to protect the firm and its key stakeholders.
Board and Senior Management Risk Oversight Responsibilities
The Board of Directors is ultimately accountable to the shareholders of the firm. It is appointed to define and oversee the strategy and structure / capabilities of the firm, and to ensure through effective delegation to senior management the day-to-day management of the firm. Directors look after the affairs of the company, and are in a position of trust. Local legislators impose many duties, responsibilities and burdens upon directors, to enforce their fiduciary obligations.
The National Association of Corporate Directors (NACD[iv]) identified 10 principles to underpin effective Board risk oversight which are applicable to all types of firms and provide useful guidance for designing both risk management systems and governance. These are:
Understand the company’s key drivers of success;
Assess the risks in the company strategy;
Define the role of the full Board, and its standing committees, with regards to risk oversight;
Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources;
Work with management to understand and agree on the types (and format) of risk information the Board requires;
Encourage dynamic and constructive risk dialogue between management and the Board, including a willingness to challenge assumptions;
Closely monitor the potential risks to the company’s culture and its incentives structure;
Monitor critical alignment – of strategy, risk, controls, compliance, incentives and people;
Consider emerging and interrelated risks: what’s around the next corner? and
Periodically assess the Board’s risk oversight processes: do they enable the Board to achieve its risk oversight objectives?
Regulated financial firms have additional regulatory requirements they must comply with. The Board of Directors must ensure relevant mechanisms and frameworks are in place to monitor adherence to the granted licence(s). Being a registered firm might also require the firm to conduct regular Internal Capital / Liquidity Adequacy Assessment Processes. Without going into the details of these regulated processes, at a minimum the Board should ensure the firm has a documented business strategy and financial plan, adequate corporate governance arrangements, and risk and treasury frameworks in place to identify, assess, manage and monitor its risk and capital / liquidity position.
To enable effective risk oversight, the duties / responsibilities delegated to Senior Management should be identified and monitored. These delegated duties underpin Senior Management’s oversight responsibilities, including day-to-day management of risks. Senior managers are accountable for the risks arising from the activities within their remit, from running the business and managing processes to the management of employees, contractors and/or vendors. They are expected to have the tools in place to monitor their risks, to identify and implement relevant risk mitigation activities and to escalate risks falling outside of appetite or tolerance. In the UK, the Senior Manager & Certification Regime (SMCR) has significantly increased transparency on financial firms’ accountability structure. It has introduced a Responsibility Map[v], a Statement of Responsibilities[vi] and a statutory Duty of Responsibilities[vii]. These ultimately require senior management to take reasonable steps to prevent regulatory breaches and ensure the adequacy of the organisational culture. In combination, they create a strong incentive for senior managers to clarify the scope of their responsibilities and to identify and document the mechanisms in place to control and manage these responsibilities.
Boards of Directors and Senior Managers face a strong challenge in structuring the oversight to be implemented. Specifically, Directors are accountable for the risk arising from a legal entity standpoint, whilst senior managers typically look at risk from a functional standpoint. Often, the two views do not align. This situation can be amplified by the operating model and legal entity structure financial firms adopt, leading to complex relationships to manage: parent vs subsidiary, function/business vs legal entity. The Board of Directors of a financial subsidiary can end up being particularly exposed in these situations, as the parent company and/or a senior manager can make operational decisions impacting it without prior notification and discussion. The resources available to it to operate its independent oversight can also be limited or non-existent. This situation demands clarity on the roles of the various Boards and Executive Committees (or equivalent), and these relationships should be codified through the Board or Committee Terms of Reference, i.e. who decides what. The Board should also consider appointing representatives of key functions as directors to ensure alignment of resources and accountability.
Board Composition and Supporting Structure
“The board and its committees should consist of directors with the appropriate balance of skills, experience, independence and knowledge of the company to enable it to discharge its duties and responsibilities effectively” (Source: UK Corporate Governance Code).
The Board of Directors would typically be composed of executive directors and non-executive directors; the exact structure differs country by country. For example, in the UK the expectation is to have a unitary Board; in Germany, however, the (Independent) Non-Executive Directors could sit in a separate Supervisory Board in charge of overseeing the Management Board, which is composed of executive directors. Regardless of the structure in place, a Board should be balanced to ensure no single individual or small group can dominate the decision-making.
Independent Non-Executive Directors (iNED) play a critical role in providing independent oversight of senior managers and executive directors. They can be appointed to chair Audit and Risk Committees, Remuneration and/or Nomination Committees. Considering they do not engage in day-to-day management of the organisation, they get all relevant information to perform their duties primarily through the firm’s governance structure and through bilateral engagement. This must be considered when setting up the governance and defining the reporting structure and format, especially when it comes to risk information.
The Board must ensure all aspects falling within the scope of its remit are covered through governance. It should also define how the governance should operate, to ensure effective coverage whilst removing duplication. An effective way to proceed is to identify key themes, and associated sub-activities, to be covered (e.g. employee life cycle, financial, client life cycle, risk & regulatory oversight) and map them out through the governance structure. For example, a Risk Committee can be established to monitor the firm’s risk profile and regulatory compliance. It would be composed of risk and control functions and potentially be chaired by an iNED. Then, a Client Forum can be set up to monitor the client life cycle on the platform, from sales pitch to Know Your Customer controls and client on-boarding, to contract execution and off-boarding. This forum would be primarily attended by sales, operations and compliance functions. This approach has two key benefits. Firstly, it ensures each theme is covered by only one governance body, and each governance body has its composition aligned to the relevant core functions. Secondly, it enables systematic and efficient coverage of all the operational, financial, risk and compliance, and reporting mechanisms the Board, and especially its iNEDs, relies on to manage the firm. Additionally, the Board structure should also link to the Directors’ and Senior Management’s roles and responsibilities, and provide clear alignment to document how it satisfies the reasonable steps under the UK SMCR or the Hong Kong Manager in Charge regime.
Governance plays a key role in evidencing how decisions are made and how actions / issues are followed up. The Board of Directors must ensure decisions are documented; that should always include the deliberation, the supporting material (including risk assessments, views and/or recommendations) as well as the key challenges raised during the review and how those challenges were addressed. A Board of Directors can make a wrong decision; there is no excuse, however, for making a wrong decision by failing to perform and document proper due diligence. In the context of SMCR, this is equally applicable to Senior Management. Considering the current regulatory appetite to assign individual responsibilities, similar approaches are likely to be adopted by most regulators[viii].
The Risk function plays a key role in providing the relevant information to the Board to support its decision-making and oversight role (see next section); it also provides relevant independent challenge. The positioning of the Risk function in the corporate governance structure is always a hot topic: should the Risk function have a seat at the table? Should the Chief Risk Officer be appointed a Board Director? Should he/she have a veto right on strategic and operational decisions? Regardless of the approach followed, the Risk function must have the space to expose its analysis and opinions unfiltered to the Board, or a subset of it, and its recommendations must be considered in the firm’s decision-making. This approach also underpins the relationship across governance, risk management and organisational culture.
Risk Management Framework & Systems
The Risk Management function provides the structured frameworks and governance to enable effective identification, assessment, mitigation and monitoring of the risks borne by the firm’s activities. Building on the previous sections, it becomes apparent that the risk information must cater for multi-dimensional risk ownership and oversight[ix]: at a minimum at legal entity, country and functional/business levels.
As a starting point, a risk appetite, limit and tolerance framework[x] is defined and implemented. This gives both the Board and Senior Management clarity on how much risk the firm can take and how much risk is required to support the firm’s business strategy. This would include both statements and metrics. For example, the firm might have “a very low tolerance to business disruption” (statement), and this would be measured through dedicated metrics monitoring the number of business continuity plans in place. Such a framework should always include measurements of capital and liquidity levels. It also identifies the point at which corrective action must be taken to bring the risk back to an acceptable level. At the extremes, a firm could run such excessive risks that they ultimately lead to its failure (Lehman Brothers, for example), or it could take too little risk to deliver on its business strategy. The Risk Management function should consider how granular the risk appetite, limit and tolerance framework should be; for example, it might be necessary to provide appetite and tolerance for regulated subsidiaries to meet local regulatory requirements. However, it might not be necessary to break down limit and tolerance by function.
Next, the notion of risk ownership must be defined. For example, operational risk ownership would include all risks arising from conducting the business, including the impact of external events, management of people, processes (including controls), business technology applications and outsourced/procurement activities. It is necessary to identify who owns each risk and to ensure mitigation strategies are in place to maintain the risk within acceptable levels. Practically, the firm is broken down into many small units, each with a single owner. To enable effective risk management, the unit owner should have an inventory of all (key) processes, controls, technology applications, vendors, etc. in his/her remit and the associated risks.
The Risk function ensures the risk owners have the relevant risk toolkit at their disposal to identify and assess their risks and, when necessary, to enable timely escalation of any unanticipated risk or breach. This includes, but is not limited to, a Risk and Control Self-Assessment (RCSA) framework, a vendor assessment and monitoring programme, a technology assessment and monitoring programme, market risk value at risk, credit risk monitoring, etc. The list of tools depends on the complexity and size of the firm and the type of activity. For example, an investment manager or custody firm will primarily focus on operational risk, whereas a bank will have to implement strong credit risk monitoring. These frameworks are structured to enable effective risk oversight, including monitoring of risk appetite and tolerance. As a result, the output of the RCSA, for example, should support reporting at legal entity, country and functional level; such requirements should be considered at the design stage and prior to rollout to avoid significant re-work.
Mitigation is required if a risk is outside the acceptable level. The action(s) taken will depend on the nature of the activity and the risk. For example, a bank might have to cut back its lending activity to reduce credit risk exposure; an asset manager might have to implement new controls to ensure compliance with its fiduciary obligations; a custodian might have to automate its processes to remove the risks altogether. Whatever the action required, the execution of the mitigation activities should always be tracked.
At this stage, it might be useful to elaborate on a key challenge many organisations and risk owners face: the fragmented and duplicative frameworks in place to identify and assess risks/issues, and the remediation activities they subsequently require. This situation is usually the outcome of organic, historical organisational evolution. For instance, Audit, Risk and Compliance each have mechanisms and frameworks that could lead to the identification of the same issue; yet because the identification is done by different teams, the same issue ends up being raised multiple times and the required remediation might differ. This can lead to an adverse situation where the risk profile increases and resources are inefficiently allocated to remediating issues and controls. Firms can streamline these frameworks, for example by having a single incident process combining risk events, compliance breaches and IT incidents, or by using a single repository and taxonomy for remediation activities across all functions.
The tools described above provide the data points to enable effective risk monitoring across the organisation. The monitoring should consider several aspects: adherence to policy requirements[xi], inherent risk and residual risk levels. In addition, monitoring of the control environment should also be in place, though it may not be performed through the risk infrastructure. The granular data used for the risk monitoring must be summarised to support the reporting provided to the Board and Senior Management. Firms use various operating models to generate this reporting; for example, the risk owners might generate the reporting with inputs from the Risk functions or it might be fully generated by the Risk function. Regardless of the model used, the output should cater for the structure presented in the previous section.
The regulatory trend of assigning accountability to individuals is pushing many organisations to review their risk oversight model, governance and risk infrastructure. Historically, risk frameworks catered for risk oversight by function / business; this is now being reviewed to enable more granular oversight, for example at legal entity level. By providing better transparency on risks and issues, the quality of the risk oversight will gradually increase, and firms will become more efficient in prioritising their own resources and managing their risks.
What progress have you observed in the space of risk governance and accountability in recent years? Feel free to provide your view in the comments.
- FSA Royal Bank of Scotland Report, https://www.fca.org.uk/publication/corporate/fsa-rbs.pdf
- Governance Operating Model: A Tool for More Effective Board Oversight, https://deloitte.wsj.com/riskandcompliance/2013/06/11/governance-operating-model-a-tool-for-more-effective-board-oversight/
- Best Practices for Board Composition
- UK Board Index 2017
- 10 Principles for Effective Board Risk Oversight, https://www.corporatecomplianceinsights.com/10-principles-for-effective-board-risk-oversight/
- Senior Managers Regime: Individual accountability and reasonable steps
- Senior Management Regime: top tier enforcement risks
- Composition and structure of the board – the UK Corporate Governance Code
[i] The Financial Service Authority, the former UK financial services regulator, was replaced on 1st April 2013 by the Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA).
[ii] e.g. the Senior Managers and Certification Regime (SMCR) in the UK, the Securities and Exchange Commission enhanced proxy disclosure, or the Manager in Charge (MIC) regime in Hong Kong.
[iii] Speech by Martin Wheatley, Chief Executive of the FCA, delivered at Bloomberg, March 2015.
[iv] The National Association of Corporate Directors (NACD) is the recognized authority on corporate governance delivering the information and insights that corporate board members need to confidently confront complex business challenges and enhance shareowner value.
[v] This includes the identification of required functions, such as Chief Risk Officer, depending on the type of licence granted to the firm.
[vi] Each new Senior Manager must prepare a Statement of Responsibilities describing the scope of the individual’s responsibilities; this must be maintained at all times by the firm, including in case of departure of the individual (e.g. replacement). It must also consider the prescribed responsibilities identified by the Regulator, which must be allocated across Senior Managers.
[vii] In case of a breach, the Senior Manager responsible for that area could be held accountable by the regulator if they did not take reasonable steps to prevent or stop the breach from occurring. Penalties against individuals include prohibition/withdrawal of approval, fines, and other disciplinary sanctions and warnings.
[viii] The Monetary Authority of Singapore recently issued a consultation paper: “Guidelines on Individual Accountability and Conduct”.
[ix] In most firms, risk information is structured to support a managerial view, which typically aligns to a functional structure. This can create a real challenge to support ongoing regulatory and legal oversight which is typically done by legal entity.
[x] Risk Appetite provides an estimate of the amount of risk the organisation is prepared to accept and can be exposed to at any one point in time.
[xi] For example, risk owners should identify and escalate risk issues within a certain time frame.