Risk Governance Evolving beyond the traditional

Transcript:Risk Governance Evolving beyond the traditional:
Risk Governance Evolving beyond the traditional ‘Three lines of defense’ model – Implications for Internal Audit Leon Bloom Partner lebloom@deloitte.ca May, 2015 Agenda Emerging risk governance requirements – Context and expectations Current practices in risk governance – Issues, challenges and shortcomings Guiding principles – Roles, responsibilities and accountabilities Guiding principles – Policies, processes and practices Three lines of defense – Definition vs. effective application and the case for redesign Aligning the risk governance model with the business model and risk and capital management processes Structures for risk taking, risk oversight, risk assurance (Internal Audit) and board oversight The business case for transition, challenges and benefits 2 Among other things, regulators are giving emphasis to four high priority areas The inherent riskiness of the business model – Where and how are earnings generated and is there is an extreme or concentrated dependency on a particular source or sources and how is the associated risk(s) articulated and addressed/mitigated? Tail risk – Has a competent process been established to identify tail risks and have the risks been objectively and realistically assessed vs. being underestimated? Risk Governance – How well defined and embedded is the risk governance model? Is the assurance function (Internal Audit) being used as a management control or substitute for quality assurance and peer review practices by risk taking areas and the risk management function? Does the governance model in practice align with and support the principals of a sound risk management and control culture? Operating culture – the degree of awareness, attitudes, and behaviors of an organization’s employees toward risk and how risk is managed within the organization. Risk culture is a key indicator of how widely an organization’s risk management policies and practices have been adopted. 3 Risk governance requirements 4 Emerging risk governance requirements The significantly changed environment resulting from the continuing global financial crisis has resulted in a ‘higher hurdle’ of regulatory requirements and Board expectations pertaining to the timeliness and quality of risk information, and robustness of risk management processes and practices. 5 Risk governance – Challenges Governance observations Roles, responsibilities and accountability are often unclear Second and third line functions being used as management assurance and quality control functions Communication paths are not defined Committee structures, responsibilities and mandates lack clarity Objectives and the target end state for ERM is unclear Insufficient focus and time spent discussing risks across the organization Monitoring fails to identify