Risk management

International and UK regulators have increased their focus on risk management and risk culture since the financial crisis revealed their failings as one of the root causes. This introduces wide-ranging opportunities as well as complex, interrelated risks. In light of this, it is now more important than ever for organisations of all sizes to obtain the best possible advice and benefit from robust risk management.

The risks that firms face are meaningful, complex, and highly integrated. To be both agile and resilient, businesses must have a clear understanding of their risk profiles and how to manage them. An effective enterprise risk management framework enables the assessment, prioritisation, and management of risk in a holistic way, at an enterprise level. It should also provide critical insights that help drive decision-making and grow the business, taking advantage of the opportunities that arise as well as managing the downside of risk.

Firms must already contend with a challenging economic environment driven by high inflation and interest rates, cost of living increases, geopolitical tensions, supply chain challenges, and a climate crisis. The collapse of Silicon Valley Bank and the buyout of Credit Suisse by UBS in March 2023 has further shaken the market and highlighted the prevalence of risk management, governance and culture failures and, illustrates the importance of leadership walking the walk when it comes to managing risk.

How we can help

We aim to help you develop, strengthen, and embed your enterprise risk management capabilities. We can support your business in a range of ways such as conducting high-level reviews of your framework, detailed analysis of specific elements of your framework and, developing and implementing risk improvement plans. 

Contact us today

We can help you create your governance, risk and control frameworks further by looking at:

Governance

  • Develop comprehensive and effective governance approaches, including training to understand why risk management is key to your business optimising costs
  • Develop and embed your three lines model, defining risk owners and responsibilities
  • Evaluate the challenge and assurance functions in your organisation

Risk Strategy

  • Structure a risk management framework proportional for your business
  • Define a practical risk appetite statement
  • Review and strengthen how risk management and appetite is adopted throughout the organisation and how risk management is considered in strategic planning

Culture

  • Conduct interviews and review risk management practice to understand how risk management is perceived throughout the organisation
  • Review and strengthen the integration between risk management and performance management
  • Provide risk culture training for the board, executives and staff on a regular basis

Process

  • Establish processes to identify and systematically record risks and KRIs
  • Review and evaluate risk assessment and prioritisation methodology
  • Review effectiveness of key controls, control testing framework and mitigation measures

Reporting

  • Review and develop risk reporting to the business, senior management and the board ensuring the key information is being communicated at sufficient frequencies
  • Ensure data handling and processing supports integrity of risk management and reporting
  • Consider risk forecasting and how this informs your risk management practice

Case Study

Risk management framework review

We supported an Asset Management Firm to establish an integrated risk management framework that is robust, fit-for-purpose and in line with industry requirements. We delivered the following:

  • Reviewed and updated the Terms of Reference (ToR) of the Board and other governance committees to ensure sufficient oversight of risk management practices
  • Assisted management to define and draft the roles and responsibilities for each of the three lines of the business.
  • Drafted the Firm’s Risk Management Framework Policy
  • Developed a common risk taxonomy to ensure appropriate risk categorisation and description.
  • Designed and updated a risk register to be used across all departments
  • Assisted management to establish a consistent risk assessment methodology
  • Facilitated workshop on Risk Appetite Statement (limits, tolerances and triggers) and fundamental components of the Risk Management Framework

Risk management FAQs

What is the objective of risk management in financial services?

The key objective of risk management is to ensure the firm is adequately identifying, assessing, mitigating and monitoring the risks it is exposed to on an ongoing basis. It aims to protect from excessive losses and prevent detriment to customers, the business and stakeholders whilst supporting growth and identifying opportunities. It also aims to support the execution of the firm’s strategies by ensuring there is appropriate consideration for the optimal risk/return trade-off. Risk management helps ensure firms are adhering to regulations, instilling investor confidence, successfully executing strategies and reducing the risk of failures.

Who does it apply to?

The Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) expect all firms they supervise to have risk management capabilities that are effective and proportionate to the activities they carry out. Regulatory scrutiny on risk management practices increased dramatically in the wake of the financial crisis, and Regulators continue to highlight the importance of robust and effective risk management arrangements through their supervision and Dear CEO letters. More broadly, risk management plays a key role in managing the upside and downside of activities for any business in any industry. However, it’s particularly crucial in the financial industry which is subject to complex and interconnected risks. 

How has risk management evolved over the years?

Before risk culture was more widely embedded throughout financial services, risk management could be seen as a ‘tick-box exercise’ and was typically used in a reactive way focussing on immediate issues and symptoms rather than delving into the underlying risks faced. In financial services, risk management practices would typically focus on a limited range of risks. For example, credit risk (and other financial risks) was the main focus in the banking industry, whereas in recent years there has been a shift to an enterprise-wide, holistic approach which aims to ensure coverage of all risks across all areas of the business.

In particular, operational and conduct risks have become increasingly important, with this focus aligned to evolving technological advances, digital transformation, focus on operational resilience and consumer outcomes. There has also been an increased focus on a broader range of risks, including geopolitical risk and sustainability risks. This is also relevant for non-banking financial services firms, where the Regulators have increased their focus on the quality and breadth of governance and risk management (e.g. including investment firms, payments firms and consumer credit firms).

Typically, risk was managed in a siloed way by a few individuals in the business, now the aim is to integrate this process throughout the business in every department and at every level. This holistic approach has been directed away from being purely focused on risk mitigation and has allowed for the exploration of new opportunities within the industry. This has also required a shift in risk culture, including in relation to tone from the top, individual accountability, the authority and resources of Risk Functions and inclusion of risk factors in remuneration decisions. 

What are the consequences of not having a robust risk management framework in place?

At firm-level, poor risk management ultimately means the business is more exposed to the possibility of a risk crystallising and having a negative impact on organisation which could result in financial loss, reduction of investor confidence, fines issued by the regulator, and in extreme scenarios, firm failure. The repercussions of failures in financial services can, at the extreme end of the spectrum, have a knock-on effect across the whole industry, resulting in substantial financial losses and systemic instability as was the case in the financial crisis of 2007/8.

What are the consequences of not identifying and assessing risks on an ongoing basis?

If firms do not identify and assess risks on an ongoing basis, this hinders their ability to adequately mitigate, monitor and report. The financial industry is constantly evolving, and with it new risks emerge, for example, machine learning and Artificial Intelligence (AI). If firms don’t identify new risks or reassess existing risks regularly, they may be unable to take the required steps to fully integrate them into their risk management process and could ultimately lead to financial losses or even firm failure.

Why should you regularly reassess your risk management framework for maturity and effectiveness?

By assessing the business’s risk maturity and tracking its progress to its target maturity state, firms will better understand the actions they need to take to improve the overall effectiveness of their risk management, implement successful risk mitigation strategies and address any weaknesses that impact their operational efficiency. Regular assessments ensure that the firm’s risk management capabilities evolve with the business, remaining fit for purpose as well as aligning with regulatory requirements.

How is risk management structured and responsibilities established in a financial services firm?

Typically, firms structure their risk management using a three-line model, with clear responsibilities assigned to each line. The ultimate responsibility for risk management is placed with the board. To summarise the responsibilities of each line:

  • The first line is responsible for identifying and managing risks in their respective business areas on an ongoing basis.
  • The second line is responsible for developing policies and frameworks and monitoring the effectiveness of risk management practices in the Firm. This includes providing guidance and challenge to the first line on risk management and compliance matters.
  • The third line provides an independent review and challenge on the robustness of the governance and risk management arrangements within the Firm.

Typically, firms report management information related to their performance against key metrics and risk appetite to Board and Executive Committees on a regular basis to support informed decision-making and risk oversight.

What are the key challenges for firms in implementing and embedding risk management frameworks?

Key challenges firms continue to face include but are not limited to:

  • Risk practices are reactive, process not outcomes-focused, and fail to have a sufficient and timely impact on reducing the firm’s risk profile.
  • Lack of ownership of risk management within the business (first line of defence) leading to heavy reliance on the Risk, Compliance and Internal Audit functions.
  • Risk culture is not sufficiently embedded in the organisation with a perception that risk management practices hinder rather than support business decisions.
  • Insufficient risk management resources, expertise and experience, particularly in technical areas such as cyber security, AI, modelling, and climate risk.
  • Undefined, unassigned and/or unclear roles and responsibilities for risk management, particularly where risk management requires close collaboration across functions/divisions.  
  • Limited processes to identify and manage emerging risks (e.g., AI risks, sustainability risks)
  • Risk management framework not regularly reassessed, does not evolve with the business therefore becomes unfit for purpose and ineffective.
  • Procedures and activities related to risk management are not sufficiently robust and are not reviewed, updated and independently challenged on a sufficiently frequent basis (e.g. risk control and self-assessment processes are ineffective and/or out-of-date, risk event identification, assessment and recording is not implemented consistently etc ).

 

Get in touch

For more information on how we can help, please contact us.

Contact us today

National contact