The review covered three key functions of risk governance – the Board and the role of non-executive directors; the group-wide risk management function and the role of the CRO; and the independent assessment of risk governance.
The review covers three main areas:
- Regulatory requirements and supervisory practices – since the financial crisis, many national authorities have strengthened their regulations or guidance on risk governance, and have increased their supervisory efforts by engaging more frequently and intensively with the Boards and senior management of firms. But the review concludes that more needs to be done here, in particular to enhance the ability of supervisors to assess the effectiveness of a firm's risk governance, and to focus more on risk culture.
- Enhanced risk governance in firms – a survey of 36 banking groups from across the G20 area found that standards of risk governance have improved since the financial crisis. Indeed in some cases firms have gone beyond national guidance. Overall, however, more progress needs to be made.
- Sound risk governance practices – drawing on the findings of the review, the FSB sets out a list of good practices for firms to aspire to, and for national authorities to use as a basis for assessing risk governance in major financial institutions.
Implications for firms…
Firms should be assessing whether they meet the sound risk practices set out by the FSB, taking steps to meet these standards where gaps exist.
- At a minimum, firms should be assessing themselves against the high-level criteria (based on existing international standards) used by the FSB for its review of major banking groups. The review found significant gaps in all the firms in its sample, so firms should not assume that they are performing well against these criteria.
- For G-SIFIs, the weakest area was found to be the risk management function, and in particular firms' risk appetite statements, IT infrastructures and their inability to aggregate risk data efficiently. Firms should pay particular attention to these areas, the last of which links closely to the recently published Basel Committee principles for risk data aggregation and reporting.
- Beyond these basics, firms should also be assessing themselves against the sound risk governance practices developed from the good practices observed by the FSB during its review, including the importance of the independent assessment of their risk governance framework. The FSB recommends that the international standard setters and national authorities should toughen their standards to reflect these sound risk governance practices.
- In addition, firms should consider whether they have a strong risk culture – the FSB intends to publish a report by September 2013 on how supervisors can assess risk culture.
- Given the progress that firms have already made in these areas, one key challenge is to integrate the FSB's findings into existing initiatives to improve risk governance.
- The FSB recommendations to national authorities will reinforce the pressure on firms to pursue all these assessments and implementation.