This blog is part of a series of insights on Building Society risk management.

Given the content of each of the earlier blogs in this series, one could be forgiven for assuming that if your Society effectively addresses each of the key concerns outlined in our previous blogs, you should be well on your way to satisfying the regulatory requirements and expectations in this regard. However, a topical question asked by members of Boards as well as members of both Risk Committees and Audit Committees is “how do we know we’ve passed the embedding test?”.


A key criterion of the Prudential Regulation Authority (‘PRA’) in answering this question relates to the culture that is established within the firm. “The Board should articulate and maintain a culture of risk awareness and ethical behaviour for the entire organisation to follow in pursuit of its strategic goals…the non-executives have a key role to play in holding management to account for embedding and maintaining this culture” (Supervisory Statement 5/16: ‘Corporate Governance – Board Responsibilities’, issued in March 2016).

The response of Boards looking to demonstrate that their Society has passed the “embedding test” is, of course, multi-faceted. However, in answering the question “how do you know?”, Society Chief Risk Officers (or equivalents) and Risk Committee Chairs and members should consider the following in informing their judgement:

  • How often do senior management and the Board assess the strength of the Society’s risk culture, and who performs this assessment? How often is an independent view obtained?
  • How prominent is effective risk management within the Society’s remuneration and reward structures, and how effective are these in disincentivising risk taking outside of the Board’s risk appetite?
  • Does Risk Appetite effectively drive and guide risk-based decision making within the business, and is this consistently demonstrated through Board and Board sub-committee meetings and minutes?
  • Are Early Warning Indicators (‘EWIs’) and triggers appropriately calibrated in line with the Society’s Risk Strategy and Risk Appetite and can the Society demonstrate that these have allowed for timely decision-making and action?
  • Is effective first and second line monitoring and reporting of the Society’s adherence to the Board’s risk appetite and risk policies in place? 
  • How effective is the Risk Function in providing sufficient guidance and support to the first line of defence, as well as appropriate levels of independent oversight and challenge to the Board and senior management?
  • Is risk management information (‘MI’) provided to those charged with governance and oversight effective in providing both forward-looking insight and analysis, with recommendations as to the course of action to take in line with the Board’s strategy and stated risk appetite?
  • Is there a clear and consistent understanding at all levels of the organisation regarding the key risks faced by the Society, where the Society is operating in the context of the Board’s risk appetite, and whether performance is in line with the Society’s Risk Strategy?
  • What were the results of the most recent Internal Audit review of the design, implementation and operating effectiveness of the Risk Management Framework (‘RMF’)? Where do we stand against our peers and how ‘risk mature’ is our organisation?

The PRA considers that a strong control framework and good risk management culture are of fundamental importance in ensuring a Society’s safety and soundness. Only by i) maintaining a culture of risk awareness and ethical behaviour within the organisation; ii) maintaining an RMF that is well designed and operates effectively; and iii) ensuring that independent assurance is periodically received on an ongoing basis on the extent to which risk management is embedded within the Society, will Boards be able to know whether they’ve passed the ‘embedding test’.

Our experience

We have a wealth of knowledge and experience of delivering both Audit and Assurance services to Building Societies across the sector. We have working relationships with more than 90% of the sector, giving us an unparalleled position and ability to provide a deep level of industry insight into current regulatory hot topics and key areas of focus.

Our depth of knowledge, understanding and industry experience means that we are well placed to provide invaluable insight and deliver tailored, pragmatic and proportionate solutions (either in an advisory or internal audit capacity) to help societies address new challenges and create competitive advantage.



Matt Perkins - Partner, Head of Building Societies, Deloitte

Matt leads Deloitte’s national Building Society practice and is responsible for a team of c. 80 individuals across External Audit, Internal Audit, Tax, Corporate Finance and Consulting.



Kieren Cooper - Partner, Financial Services, Deloitte

Kieren is a Partner in Deloitte’s Midlands Financial Services Practice and leads a large number of Internal and External Audit engagements in the Building Society sector.



Adam Roberts - Senior Manager, Financial Services, Deloitte

Adam is a Senior Internal Audit Manager working in Deloitte’s Financial Services Practice based in the Midlands and works with a wide range of Building Societies. Adam is a specialist member of the Institute of Risk Management (‘IRM’) and specialises in the delivery of Risk Management audits.


