|
part of an organisation’s corporate governance structure. Internal Audit should be
independent of these functions and be neither responsible for, nor part of, them.
■
Internal Audit should include within its scope an assessment of the adequacy and
effectiveness of the Risk Management, Compliance and Finance functions. In eval-
uating the effectiveness of internal controls and risk management processes, in no
circumstances should Internal Audit rely exclusively on the work of Risk Manage-
ment, Compliance or Finance. Internal Audit should always examine, for itself, an
appropriate sample of the activities under review.
■
Internal Audit should exercise informed judgement as to what extent it is appropri-
ate to take account of relevant work undertaken by others, such as Risk Manage-
ment, Compliance or Finance, in either its risk assessment or determination of the
level of audit testing of the activities under review. Any judgement which results
in less intense Internal Audit scrutiny should only be made after an evaluation of
the effectiveness of that function in relation to the area under review.
S E C O N D L I N E : B E T W E E N G U I D A N C E A N D C H A L L E N G E
The relationship between the first and second lines of defense is probably the aspect of
the 3 LoD model to have generated the most debate. Many regulators require a second
line to be “independent” from the first line, to provide “oversight and challenge” of the
risk management activities performed in the first line. Yet, pure independence of the
second line of defense raises the question of the duplication with internal audit. More
fundamentally, it is close to impossible to operate effective oversight and challenge
before risk management activities are both embedded and mature in the business.
2
Guidance on Effective Internal Audit in the Financial Sector
, second edition, Institute of Internal
Auditors, September 2017.
100
RISK MITIGATION
Therefore, the first role of the operational risk management function is to edu-
cate all internal parties on the essentials of ORM. The key considerations in the first
instance are: what is operational risk, how to recognize and report operational incidents,
what are the benefits of good operational risk management and what are the pitfalls of
poor risk management. Next, risk training can focus on the description and imple-
mentation of risk management tools for risk identification, assessment and root cause
analysis or scenario workshops. Effective, engaged and widespread training on oper-
ational risk is an important prerequisite for any implementation of a risk management
framework.
Yet, the risk function can still maintain its independence from the first line, even
when providing thorough guidance on risk management methods: the key is in ask-
ing questions without suggesting answers. For instance, a risk manager from the sec-
ond line of defense may very well run a risk and control self-assessment workshop
with the business, triggering reflections on risks and effectiveness of controls, while
also remaining independent. However, the manager must collate the responses and
challenge the answers and their justifications, without influencing the content of the
answers and their assessment. It is important to avoid the first line delegating the risk
assessment and risk sign-off to the risk functions: this is neither a role nor a responsi-
bility that the risk function should take or endorse. The risk function owns the method-
ology; the first line owns the risks.
On one end of the spectrum, risk and business work in such close collaboration that
the lines of defense are blurred and risk ownership is unclear. This is more common in
small firms, sometimes when the small size of teams makes it difficult to clearly sepa-
rate the roles. At the other end of the spectrum, this time more often observed in larger
organizations, first and second line develop a somewhat conflicted relationship, where
the risk function cannot demonstrate its added value to the business and is perceived
as a hindrance rather than an asset.
I have met a handful of firms where the relationship between the business and the
risk function is positive, respectful and constructive. A couple of these firms define their
relationship as a “partnership model.” One of them is an insurance company, whose
model is represented in the case study here. Cooperation and joint decision-making are
a powerful way to embed risk management in the business.
C A S E S T U D Y : T H E P A R T N E R S H I P M O D E L
Figure 9.1 lists the roles and responsibilities of the first and the second lines
of defense in an international insurance company. The “partnership model”
highlights an area of explicit cooperation and joint decisions between the risk
function and the business. In this firm, line 1 and line 2 have a good working
relationship.
Operational Risk Governance
101
I
m
ple
m
ent the
ERMF
Identify all
m
aterial
risks via the
governance
process
Agree risk appetite
li
m
its/thresholds
SAST/RST
workshop
Deliver the
ele
m
ents of ORSA
report
V
alidation of the
capital
m
odel
Set an appropriate
capital buffer
Agree key risk
indicators
Aligning the
business and risk
strategy
Monitor changes in
the risk profile
Assess changes in
risk profile against
appetite
I
m
ple
m
ent the risk
policies
Deliver the business
plan within appetite
Consider risk in all
significant business
decisions
Develop the
ERMF
Line 2
Line 1
Do'stlaringiz bilan baham: |
