This blog is part of a series of insights on Building Society risk management.
In the last year, an increasing number of supervisory reviews performed by the Prudential Regulation Authority (‘PRA’) in the sector have commented on the extent to which risk management is properly embedded within the first line of defence. The root causes behind the level and strength of comment made by the PRA have generally been one or more of the following:
- business functions within the first line of defence not having properly considered risk when conducting their day-to-day operations, as they see ‘risk’ as a second line responsibility;
- firms having routinely overridden their own systems and controls (i.e. routinely permitted exemptions to key credit criteria to lend disproportionately outside of lending policy);
- key issues not being brought to the attention of relevant Board sub-committees and the Board on a timely basis, or in some cases, at all; and
- a lack of an appropriate culture to manage risk in line with the Board’s risk appetite and prudent management more generally.
Where such root causes have been observed, the PRA has typically imposed Pillar 2 capital add-ons or applied management scalars to those firms; or, alternatively, emphasised to the Boards of these firms that it does not expect the business to undertake significant growth in lending until risk management has been fully embedded within the Society’s operations. To assess the effectiveness of the risk management framework (‘RMF’) and the extent to which risk management is embedded, the PRA has increasingly requested the firm’s Internal Audit function to assess this and provide a formal report to the PRA for its review.
In assessing whether risk management is effectively embedded within a Building Society’s operations, it is important to ensure that accountability for the management of risk is established at appropriate levels throughout the business, and that managers within the first line of defence are aware of, and fully understand, their role and responsibilities in the context of the firm’s RMF.
Where i) accountability has been properly established within the first line of defence (and has not been concentrated in a limited group of Executives / senior managers); and ii) appropriate training has been provided by the Risk Function to ensure that managers within the first line of defence are aware of their risk management responsibilities; we have generally observed more timely escalation of risks and issues from managers to the appropriate Executive-led and Board-level Risk Committees, with more comprehensive management information (“MI”) to support the actions recommended by first line management. In addition, where a culture of accountability exists, we have observed that a stronger risk culture is more likely to be demonstrable by the Society. Chairs of Risk Committees, Chief Risk Officers (or equivalents) and Heads of Internal Audit should reflect on how true this is for their own Society.
Although the establishment of accountability, and understanding of roles and responsibilities in respect of risk management within the first line, is crucial to the effective embedding of risk management, there remains a heightened risk of the Board’s risk appetite being breached before management deploys mitigating actions unless the risk escalation procedures established as part of the RMF allow for the timely escalation and consideration of risks and issues at appropriately defined levels based on their materiality.
Supervisory Statement 5/16: ‘Corporate Governance – Board Responsibilities’ (issued in March 2016) notes that the PRA “expects to see evidence that the Board and its relevant sub-committees exercise effective oversight of risk management and controls, supported with meaningful and well-targeted management information used to inform Board discussions”. Without a robust and appropriate process in place to facilitate the effective escalation of risks and issues from the first line of defence, supported by standards outlining the information requirements for effective risk-based decision-making, Boards will undoubtedly find it more difficult for their Society to achieve its business objectives within its risk appetite and to satisfy the requirements of the PRA in this regard. Furthermore, without this, undue reliance may be placed on the Risk Function to drive risk reporting of first line issues, both placing undesirable pressure on the function and serving to “fail the embedding test”.
We have a wealth of knowledge and experience of delivering both Audit and Assurance services to Building Societies across the sector. We have working relationships with more than 90% of the sector, giving us an unparalleled position and ability to provide a deep level of industry insight into current regulatory hot topics and key areas of focus.
Our depth of knowledge, understanding and industry experience means that we are well placed to provide invaluable insight and deliver tailored, pragmatic and proportionate solutions (either in an advisory or internal audit capacity) to help societies address new challenges and create competitive advantage.