It’s been nearly nine months since the deadline to implement FINMA’s Circular 2017/1 “Corporate Governance – Banks“. And the odds are that you still have doubts about the effectiveness of the Internal Control System (ICS). With the stakes high, it’s time to consider whether your ICS is truly effective and take steps to get up to speed.
FINMA’s Circular 2017/1 “Corporate Governance – Banks” defined far-reaching requirements on Corporate Governance, Risk Management and the Internal Control System and the deadline for implementation passed in June 2018.
Across the industry, banks and financial service providers are adjusting their existing frameworks and systems to meet regulators’ growing expectations and to meet the market’s expectation of an efficiently run, forward-looking enterprise strategy.
Common pain points concerning the ICS include:
At the same time, the public’s zero tolerance for incidents and demand for squeaky-clean processes have grown. Indeed, the reputational risk for banks and the financial industry has never been higher. One needs only to think of how news spreads like wildfire across social media. Consequently, the ICS is a prerequisite for operational resilience: the ability to rebound quickly after a shock – with minimum losses.
The FINMA requirements for an ICS seem simple. They ask for an organizational setup consisting of business units and independent control functions, in addition to an internal audit function (i.e. a consistent three lines of defence model).
Still, a number of building blocks are required to ensure that an ICS is truly effective:
1) A risk tolerance as a true management tool
The risk tolerance tends to be seen as an isolated reference point whose primary purpose is ensuring regulatory compliance. A true risk tolerance, on the other hand, is a value-adding tool aligned to the strategy and decision-making. It covers a bank’s full range of key risks and is translated into quantitative, measurable limits that provide early warning if something goes wrong.
2) A balanced three lines of defence model
In today’s business world the second line of defence may still be too strongly involved in business units’ risk management activities. This contradicts the concept of independence and generates additional costs. A shift in culture is necessary. The operating model must be clearly set out and must delineate the roles and responsibilities of each line. Rather than performing risk management activities on behalf of the first line, the second line should provide guidance, review and challenge the first line. By adding value through proactively tackling broader risk topics, the bank is better prepared to mitigate emerging risks.
3) A united second line of defence
There are typically separate control units for areas such as operational risk, compliance, third-party risk, business continuity management and IT. In contrast to a stand-alone, segregated approach by each unit (using, for example, different systems and tools and sending individual reports to management), a unified and streamlined approach with clear allocation of responsibilities is more effective in identifying threats, while saving real money.
4) Transparency on front-to-back processes, risks and controls
Front-to-back processes including supply chains must be understood and analyzed regularly to identify the related risks and assess whether existing controls are effective in mitigating them. A systematic approach is required for process analysis and the mapping of controls to the risks they mitigate.
5) Proof of effective control activities
Well-established, legacy control processes and the absence of significant incidents to date may give a false sense of security. To keep pace with change, there must be an overarching, robust approach for testing controls on a bank-wide basis and translating the results into an ongoing assessment of effectiveness. In this context, financial intermediaries need to ask themselves whether they are comfortable with control re-performance by the second line of defence or whether the second line should establish independent control testing.
The odds are that your ICS is out of date and unable to keep up with increasing complexity, rising exposures in the technological environment and the advent of unknown, toxic combinations of risk.
The tendency is to act only in the aftermath of major incidents. In the best case, the high pace of change leaves you lagging behind current developments. In the worst case, you end up in the press, having to deal with the regulators and running change management programs when your whole organization is already under significant stress and public pressure.
Investing in streamlined, high-performance and resilient processes will help you cut costs in the long run and stay competitive. Or simply make the difference between success and failure.