Introduction
Do you know where in your organization you are exposed to the highest risk of (for example) fraud, ESG-related risks, or IT disruption that can have the most impact on achieving your performance objectives?
Boards and executive management teams often have a good sense based on their gut feeling and experience, however, in today’s rapidly changing and challenging operating environment, that is not enough.
We have entered a time where Boards and executive management teams need to have a better answer. In the meantime, regulatory expectations for banks are increasing to connect GRC activities with business outcomes. The result is a complex matrix of relations between strategy objectives, risk appetite levels, indicators, oversight, business processes, assessment frameworks, and disclosures. The continuing lack of resources, outdated frameworks, and unclear organizational structures add to the urgency when preparing for the increased regulatory expectations. Boards can’t ignore these expectations and need to redesign their current G(P)RC practices.
These expectations are laid down in various regional and national guidelines, principles, and/ or legislation and point in one direction:
A traditional GRC approach without corresponding business outcomes and performance elements will not sustain.
As a result, successful institutions adopt a concept that describes the interconnectivity best:
Governance, Performance, Risk and Compliance (GPRC).
It is apparent that an effective GPRC implementation is supported by the use of appropriate technology solutions while at the same time taking a proactive approach in preparing for adoption. Based on our experiences of implementing GPRC technology, we have come to the following 5 ways that will help you prepare.
Top 5 ways banks apply to prepare for GPRC
We see five fundamental areas our clients act on when adopting GPRC:
- Strategy : Describing effective, measurable strategic objectives.
- Framework : Apply integrated risk management framework.
- Data : Obtain key data insights driving performance objectives with related risk exposures and control effectiveness.
- Culture : Identifying elements that drive the desired culture.
- Risk Appetite : Defining clear risk appetite (qualitative and quantitative).
In the following pages, we have also included a regulatory perspective based on the most common regulatory guiding standards relating to the individual areas. This is not meant to be complete nor provide any assurance on the subject described as interpretations by local supervisors deviate on a case-by-case basis.
1. Describing effective, measurable strategic objectives
The success of banks is highly dependent on the ability of their management teams to define and promote effective and measurable strategic objectives. Without these objectives, they have about as much chance of seeing the desired outcome, as they do of winning the lottery without buying a ticket.
We see successful institutions breaking their strategic objectives down and establishing well-written objectives comprising three main parts:
- A verb. Objectives are action-oriented, and therefore must start with a verb.
- What you’re going to do. This is the aspirational component of the objective.
- “In order to” or “so that.” This last piece is critical because it describes the business impact you hope to achieve with the objective.
Beyond sticking to the formula above, effective objectives should be meaningful to you. The more you care about an objective, the more likely you are to achieve it. Take for example the digital transformation objective. Digital technologies will be a key lever to improve efficiency, offering institutions new avenues for revenue growth. By taking advantage of digital innovation, institutions can also keep pace with competitors like FinTechs, BigTechs, and other digital natives. Of course, investing in digitalization entails short-term costs before they can reap the benefits of such technologies. Investment in digital technologies also entails operational risks to banks. Today, institutions can’t afford not to follow this path.
Regulatory perspective: The European Banking Authority (EBA) Corporate governance principles for banks state that an effective risk governance framework requires robust communication about risk issues, including the bank’s risk strategy. In addition, a bank should explicitly link the development of the risk appetite to the budget process and annual business strategy review, considering the bank’s strategic objectives and multi-year strategy plan. When looking at specific risk domains, for example, Environmental, Social and Governance (ESG), the required disclosures link ESG risks specifically to the overall business strategy and processes. These disclosures are designed in line with the EBA’s ‘Report on management and supervision of ESG risks for credit institutions and investment firms’.
2. Apply integrated risk management framework
An integrated risk management (IRM) approach allows Banks to manage disparate risk types across the organization, top to bottom. Having an IRM framework is critical for FI’s that wish to implement business-integrated GRC programs as it enables Banks to holistically manage not only their strategic risks associated with the strategic objectives, but also incorporates financial, compliance, cybersecurity, operational, IT, model, and third-party risk.
Banks that have successfully adopted IRM have done this by selecting the right tools and technologies corresponding to their business needs and required data insights. The selected (often technical) solutions enable process automation and cross-functional risk visibility across the organization needed for effective IRM. Ultimately an IRM will create an in-depth understanding of all aspects of risk throughout the organization, including cybersecurity and operational risk and eliminates departmental silos, and foster a risk-intelligent corporate culture.
Regulatory perspective: Risk monitoring and reporting in a bank should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. These EBA principles for ‘corporate governance principles for banks’ are in line with the IRM practices and procedures as published in the BCBS239 principles on ‘effective risk data aggregation and risk reporting’. It expects Banks to demonstrate that their risk management practices are founded on a comprehensive governance and oversight framework supported by the appropriate tools and methodologies. Information on risk and underlying data components should be aggregated on a largely automated basis to reduce the probability of errors. A Bank should be able to capture and aggregate all material risk data across the banking group. This information should be available by business line, legal entity, asset type, industry, region, and other groupings, as relevant for the risk in question. Banks’ continuous efforts to implement BCBS 239, have resulted in tangible progress in several key areas, including overarching governance, risk data aggregation capabilities, and reporting practices.
3. Obtain key data insights
Once defined what good outcomes look like based on the strategic objectives and business model characteristics, market-leading banks collect data, insights, and management evidence to test and showcase the effectiveness of their risk management approach. They assess whether their existing risk management information is sufficient to meet their objectives and (external regulatory) expectations. In obtaining this insight, they have resolved the challenges around responsibility and accountability for data quality across the organizations.
Regulatory perspective: BCBS 239 principles are specifically designed to strengthen banks’ risk data aggregation capabilities and internal risk reporting practices, while in turn, enhancing the risk management and decision-making processes. The principles have become a standard across the banking industry, as local supervisors follow the BCBS recommendations and apply the principles to Domestic Systemically Important Banks.
4. Identifying elements that drive the desired culture
Culture is what people do… repeatedly… when no one’s watching. The desired risk culture is a culture that aligns with the institution’s norms, attitudes, and behaviors related to risk awareness, risk-taking and risk management, and the controls that shape decisions on risks. Culture influences the decisions of management and employees during the day-to-day activities and has an impact on the risks they assume in doing so.
A sound, diligent, and consistent risk culture is a key element of effective risk management and enables sound and informed decision-making. Market-leading banks are developing an integrated and institution-wide risk culture, based on a full understanding and holistic view of the risks they face and how they are managed, considering the institution’s risk appetite. They develop a risk culture through policies, communication, and staff training regarding the institutions’ activities, strategy, and risk profile, and adapt communication and staff training to take into account staff’s responsibilities regarding risk-taking and risk management.
Regulatory perspective: European regulators expect a strong risk culture that promotes risk awareness, and encourages open communication and challenges about risk-taking across the organization as well as vertically to and from the Board and senior management. Successful institutions align their practices to their customers and have an appropriate purpose and associated business model. This is taken from the FSB Guidance on supervisory interaction with banks on risk culture and EBA Corporate Governance principles for Banks.
5. Defining clear risk appetite (qualitative and quantitative)
Banks must take risks; there is no risk-free path to achieving objectives. Effective risk management requires a strong, organization-wide governance structure that makes risk considerations a priority of the Board and senior management. Without such leadership and commitment, efforts to enhance risk management may be perceived as a bureaucratic “compliance exercise”.
An effective risk appetite statement is linked to the institution’s short- and long-term strategic, capital, and financial plans, as well as compensation programs. The challenge lies in identifying, prioritizing, and addressing the right risks at an optimal level, in the most effective ways. Banks often place great importance on quantitative risk appetite levels over qualitative levels. Leading banks that implemented GPRC effectively have found a way to do both.
Quantitative risk appetite: Defining a bank’s risk capacity is a crucial step in developing a comprehensive and effective Risk Appetite Statement (RAS). The RAS is also the area in which the concept of risk appetite connects directly with those of ICAAP/ILAAP and recovery planning. Therefore, risk capacity is mostly calculated in terms of capital adequacy. However, after the collapse of SVB, a liquidity risk capacity is evenly important and many banks use regulatory stress-based metrics for this purpose such as LCR (Liquidity Coverage Ratio).
Qualitative risk appetite: Leading banks have addressed more difficult to quantify risks in their RAF and RAS. Examples relate to reputation and conduct risks as well as money laundering and unethical practices. It also clearly articulates the motivations for taking on or avoiding certain types of risks, products, services, organizations, customers, cyber, ESG, country/regional exposures, or other categories.
Regulatory perspective: Both FSB principles for an effective risk appetite framework as well as BCBS 239 provide clear expectations on risk appetite and the underlying data requirements, both qualitative and quantitative. We highlight the following:
- Risk data and reports should provide management with the ability to monitor and track risks relative to the bank’s risk tolerance/appetite.
- Banks should develop forward-looking reporting capabilities to provide early warnings of any potential breaches of risk limits that may exceed the bank’s risk tolerance/appetite.
- Reports should identify emerging risk concentrations, provide information in the context of limits and risk appetite/tolerance, and propose recommendations for action where appropriate.
- The Board should indicate whether it is receiving the right balance of detail and quantitative versus qualitative information.
Conclusion
Insight into key areas of risk will enable targeted action and drive business decisions. This can only be effective if decisions are based on the current state of business while anticipating future developments (through forecasting, predictions, or simulation) in both risk, compliance, and performance.
Recent global events will increase the expectations put on banks to provide insights into the (risk) elements that drive performance objectives and assign measures appropriately. Simultaneously, Boards and executive management teams need to ensure their strategic plans align with their medium-term structural changes in the operating environment. Changes are evident resulting from high inflation, interest rate volatility, disruptions in the global supply chain, and slowing economies.
Therefore, now is the time to act and invest in GPRC and provide answers to business needs as well as proactively respond to market changes and regulatory expectations.