Risk and compliance control frameworks: Latest Central Bank letter to investment firms
The Central Bank’s latest Dear CEO letter to investment firms stems from its recent targeted reviews of firms’ risk and compliance control frameworks.
The targeted reviews identified a number of good practices, summarised in Appendix 1, across a number of investment firms. However, the Central Bank also identified deficiencies in six key areas:
- Frameworks and governance: some risk management frameworks were insufficiently comprehensive or joined-up, with under-resourced risk and compliance control functions which, in turn, were not structured in a way that ensured their independence.
- Board oversight: risk and compliance matters were not being adequately prioritised by some boards, and some boards did not give sufficient weight to their collective responsibility and accountability in those areas. The Central Bank criticised the practice of risk and compliance matters being dealt with at board sub-committee level (with little, if any, board involvement), and the overly-reactive approach being taken by some firms to dealing with issues as they arise.
- Risk appetite statement (RAS): some boards did not recognise the importance of a RAS to monitoring and controlling risks, and the targeted reviews showed that some firms were not using the RAS as an effective risk management tool. Instances of over-reliance on a group RAS, which did not properly reflect the risks that are relevant to the local entity, were also identified.
- RAS design: in some cases, the RAS reviewed by the Central Bank did not adequately set out the firm’s risk appetite and motivation, did not clearly and consistently identify material risks, was not clearly linked to the firm’s strategic objectives, did not consider emerging risks and, in some cases, was spread across several risk documents.
- Reporting: risk appetite reporting to the board or to the risk committee was also poor in some cases, with a lack of defined escalation processes.
- Cascading risk appetite: in some cases, the firm’s risk appetite and risk limits had not been communicated properly throughout its organisation, and formal training on the firm’s risk appetite was not being provided to employees.
Appendix 2 to the letter reiterates the Central Bank’s expectations across the above six areas. The Central Bank has asked all firms to discuss the letter at the next board meeting, and to review their frameworks against both the deficiencies identified in Appendix 2 and the good practices identified in Appendix 1. It expects gaps and weaknesses to be dealt with promptly.
If you would like to discuss any of the matters raised in the letter in more detail, please get in touch with our market-leading Financial Regulation Group.