Risk management

The key objective of risk management is to ensure the firm is adequately identifying, assessing, mitigating and monitoring the risks it is exposed to on an ongoing basis. It aims to protect from excessive losses and prevent detriment to customers, the business and stakeholders whilst supporting growth and identifying opportunities. It also aims to support the execution of the firm’s strategies by ensuring there is appropriate consideration for the optimal risk/return trade-off. Risk management helps ensure firms are adhering to regulations, instilling investor confidence, successfully executing strategies and reducing the risk of failures.

The Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) expect all firms they supervise to have risk management capabilities that are effective and proportionate to the activities they carry out. Regulatory scrutiny on risk management practices increased dramatically in the wake of the financial crisis, and Regulators continue to highlight the importance of robust and effective risk management arrangements through their supervision and Dear CEO letters. More broadly, risk management plays a key role in managing the upside and downside of activities for any business in any industry. However, it’s particularly crucial in the financial industry which is subject to complex and interconnected risks. 

Before risk culture was more widely embedded throughout financial services, risk management could be seen as a ‘tick-box exercise’ and was typically used in a reactive way focussing on immediate issues and symptoms rather than delving into the underlying risks faced. In financial services, risk management practices would typically focus on a limited range of risks. For example, credit risk (and other financial risks) was the main focus in the banking industry, whereas in recent years there has been a shift to an enterprise-wide, holistic approach which aims to ensure coverage of all risks across all areas of the business.

In particular, operational and conduct risks have become increasingly important, with this focus aligned to evolving technological advances, digital transformation, focus on operational resilience and consumer outcomes. There has also been an increased focus on a broader range of risks, including geopolitical risk and sustainability risks. This is also relevant for non-banking financial services firms, where the Regulators have increased their focus on the quality and breadth of governance and risk management (e.g. including investment firms, payments firms and consumer credit firms).

Typically, risk was managed in a siloed way by a few individuals in the business, now the aim is to integrate this process throughout the business in every department and at every level. This holistic approach has been directed away from being purely focused on risk mitigation and has allowed for the exploration of new opportunities within the industry. This has also required a shift in risk culture, including in relation to tone from the top, individual accountability, the authority and resources of Risk Functions and inclusion of risk factors in remuneration decisions. 

At firm-level, poor risk management ultimately means the business is more exposed to the possibility of a risk crystallising and having a negative impact on organisation which could result in financial loss, reduction of investor confidence, fines issued by the regulator, and in extreme scenarios, firm failure. The repercussions of failures in financial services can, at the extreme end of the spectrum, have a knock-on effect across the whole industry, resulting in substantial financial losses and systemic instability as was the case in the financial crisis of 2007/8.

If firms do not identify and assess risks on an ongoing basis, this hinders their ability to adequately mitigate, monitor and report. The financial industry is constantly evolving, and with it new risks emerge, for example, machine learning and Artificial Intelligence (AI). If firms don’t identify new risks or reassess existing risks regularly, they may be unable to take the required steps to fully integrate them into their risk management process and could ultimately lead to financial losses or even firm failure.

By assessing the business’s risk maturity and tracking its progress to its target maturity state, firms will better understand the actions they need to take to improve the overall effectiveness of their risk management, implement successful risk mitigation strategies and address any weaknesses that impact their operational efficiency. Regular assessments ensure that the firm’s risk management capabilities evolve with the business, remaining fit for purpose as well as aligning with regulatory requirements.

Typically, firms structure their risk management using a three-line model, with clear responsibilities assigned to each line. The ultimate responsibility for risk management is placed with the board. To summarise the responsibilities of each line:

• The first line is responsible for identifying and managing risks in their respective business areas on an ongoing basis.
• The second line is responsible for developing policies and frameworks and monitoring the effectiveness of risk management practices in the Firm. This includes providing guidance and challenge to the first line on risk management and compliance matters.
• The third line provides an independent review and challenge on the robustness of the governance and risk management arrangements within the Firm.

Typically, firms report management information related to their performance against key metrics and risk appetite to Board and Executive Committees on a regular basis to support informed decision-making and risk oversight.

Key challenges firms continue to face include but are not limited to:

• Risk practices are reactive, process not outcomes-focused, and fail to have a sufficient and timely impact on reducing the firm’s risk profile.
• Lack of ownership of risk management within the business (first line of defence) leading to heavy reliance on the Risk, Compliance and Internal Audit functions.
• Risk culture is not sufficiently embedded in the organisation with a perception that risk management practices hinder rather than support business decisions.
• Insufficient risk management resources, expertise and experience, particularly in technical areas such as cyber security, AI, modelling, and climate risk.
• Undefined, unassigned and/or unclear roles and responsibilities for risk management, particularly where risk management requires close collaboration across functions/divisions.  
• Limited processes to identify and manage emerging risks (e.g., AI risks, sustainability risks)
• Risk management framework not regularly reassessed, does not evolve with the business therefore becomes unfit for purpose and ineffective.
• Procedures and activities related to risk management are not sufficiently robust and are not reviewed, updated and independently challenged on a sufficiently frequent basis (e.g. risk control and self-assessment processes are ineffective and/or out-of-date, risk event identification, assessment and recording is not implemented consistently etc ).