This blog is part of a series of insights on Building Society risk management.
An area that is continually subject to debate and focus within Building Society Boards is the effectiveness of the risk governance arrangements established within their firms. The vast majority of Building Societies (if not all) within the sector employ a traditional three lines of defence model as part of their risk governance and management structure. Whilst many societies can point to their structure as evidence of the three lines of defence, the Prudential Regulation Authority (‘PRA’) has increasingly challenged Boards and Senior Management as to how they are satisfied that this approach is implemented and that it operates in both an appropriate and acceptable manner.
Where the PRA has raised concerns regarding the risk governance arrangements maintained by societies, or the Board and Senior Management have not been able to demonstrate to the PRA how they have satisfied themselves that the three lines of defence approach has been implemented and operates in an effective manner, this has typically resulted in a Risk Management and Governance (‘RM&G’) scalar being applied to the Society’s PRA buffer until such time that the PRA has obtained assurance that this is the case.
Over the past 18 months, risk governance and risk management structures that have raised regulatory interest and concern have included different combinations of the following:
- Board Risk Committees which do not consist of a majority of independent Non-Executive Directors;
- Non-Executive Directors being voting members of first line (i.e. Executive led) risk governance committees, thus raising concern that they are getting too heavily involved in, and taking accountability for, the day-to-day management of the business;
- Chief Risk Officers (or equivalents) or other senior personnel within the Risk Function chairing, or having voting rights within, first line risk governance committees, thus compromising their second line risk oversight role and independence;
- Second line Risk Function personnel taking ownership of the management of risks which should be owned by accountable managers within the first line of defence; and
- Chief Risk Officers, or members of the Risk Function, having accountability for certain roles and responsibilities that should be owned by the first line of defence (for example, the production of the ICAAP, ILAAP and Recovery & Resolution Plan). Whilst the second line Risk Function should provide input and effective oversight and challenge in this regard based on their own independent analysis, they should not have accountability for authoring these documents.
In addition, where risk management roles and responsibilities have not been clearly defined or mapped out across the Society in the context of the three lines of defence model (thus resulting in a lack of common understanding and confusion amongst Senior Management and staff), this has also attracted regulatory scrutiny.
We have observed that Building Societies often benefit from having a clear organisational structure with well-defined, transparent and consistent lines of responsibility covering the three lines of defence. This structure works well when it is comprehensive and proportionate to the size, scale and complexity of the Society’s activities, and Senior Management and staff at all levels have a clear understanding of their role and responsibilities in the context of the three lines of defence model.
Boards capable of satisfying themselves about the effectiveness of their risk governance arrangements and risk management structure are also likely to be able to demonstrate to their regulatory supervisors why they feel that this is the case.
We have a wealth of knowledge and experience of delivering both Audit and Assurance services to Building Societies across the sector. We have working relationships with more than 90% of the sector, giving us an unparalleled position and ability to provide a deep level of industry insight into current regulatory hot topics and key areas of focus.
Our depth of knowledge, understanding and industry experience means that we are well placed to provide invaluable insight and deliver tailored, pragmatic and proportionate solutions (either in an advisory or internal audit capacity) to help societies address new challenges and create competitive advantage.