Primarily as a result of Basel III, there has been a radical overhaul in recent years in the risk management department. The result is a number of significant risk change projects, including IFRS9 credit risk modelling, the FRTB, BCBS239, ICAAP, ILAAP amongst others; which have led to a major challenge for internal audit. Due to the greater complexity of models and processes of the major risk change projects, internal audit is a key area and ultimately essential to the success of a bank, particularly at a time where many of these major projects are nearing implementation and consequently auditing is required to prevent a bank falling at the last hurdle. In addition to these major projects, the other key focuses for risk audit include operational risk issues such as anti-money laundering, or the issue of risk culture, and the need to effectively manage the resources between risk and risk audit, where the expertise required is the same.
Ahead of the 3rd Edition Risk Audit in Banking conference, Sarah Daly, Director and Head of Internal Audit at Bank of Montreal Ireland plc shared her views on the impact and importance of regulatory changes on risk, the difficulties involved and the actions that need to be taken.
What are the main changes in the risk space for this year and what is the impact of these changes on credit, counterparty credit, market and operational risk?
There are a number of changes that will have substantial implications. For some changes, such as IFRS 9, risk data aggregation and IT (BCBS 239) as well as the revised IRRBB standards, the impact is understood. However, for others, the impact has yet to be fully determined. The Basel Committee on Banking Supervision (BCBS) is expected to finalise the remainder of its banking framework (Basel IV) in 2017. The key revisions can be summarised as follows:
- Credit Risk – a revised standardised approach, the introduction of an IRB risk weighted asset floor of 75% and constraints on the use of internal models for specific credit portfolios.
- Counterparty Credit Risk – the introduction of a new standardised approach and an IRB floor and the elimination of the internal models approach in the calculation of the credit valuation adjustment.
- Market Risk – a revised trading and banking book boundary; revised internal model and
standardised approaches, emphasis on expected shortfall rather than VaR and desk level internal model eligibility criteria.
- Operational Risk – the replacement of the existing measurement approaches with a new standardised approach using a ‘business indicator’.
The EU Commission published its banking reform package end November 2016 outlining proposed amendments to CRD IV and CRR. The package introduces amongst other measures the finalised BCBS reforms, for example, the leverage ratio and the net stable funding requirement, market risk rules, the standardised approach to counterparty credit risk, and the tightening of the large exposures limit.
Both sets of reforms have substantial implications for the calculation of regulatory capital and the use of internal models. Banks need to examine the individual components, fully assess the potential impact of these revisions on their business model and operations, and implement the necessary changes to ensure compliance.
Why is regulatory risk so important, especially at a time of numerous regulatory changes?
Regulatory risk management assumed heightened importance in the aftermath of the global financial crisis. Financial stability is the new watchword and the gaps identified in regulatory oversight are being plugged through enhanced regulatory frameworks and guidelines. Banks are expected to be able to effectively manage their regulatory risk. However, new regulations are becoming even more far-reaching and complex; they can significantly impact a firm’s business model/strategy and there are higher penalties for non-compliance. I believe that an integrated approach is required to ensure that the impact of new regulations is understood and the required changes are implemented.
What do audit teams need to do to stay on top of new and emerging regulation?
It is easy to feel overwhelmed by the sheer volume and complexity of regulatory change. A number of audit functions are establishing regulatory development focus groups to monitor the regulatory environment. This is done so that they can proactively identify emerging regulatory issues and accordingly update audit coverage and also, if required, audit methodology.
Alternatively, audit functions can leverage off the processes in place within the organisation to manage upstream regulatory risk and proactively engage with risk and compliance functions to understand the impact of new regulations and the steps taken to ensure the new requirements are implemented.
Why is it difficult to audit non-standard risks?
Risk Management continues to struggle to develop appropriate frameworks to effectively manage non-standard risks. These risks are often difficult to quantify and are by their nature ambiguous. Auditing these risks involves a considerable level of judgement as there is often limited quantitative evidence that these risks are being managed effectively. The first step is to ascertain how these risks are being managed and monitored, and then assess the adequacy and effectiveness of what has been implemented.
How can all the risks involved in a large project be mapped?
The key is to, at the outset of the project, put in place an effective process to identify risks, assess their potential consequences and then develop and implement plans to minimise any negative impacts. The status of these risks should be monitored continuously to determine if previously identified risks are still relevant and whether new risks are arising.
What would you like to achieve by attending the 3rd Edition Risk Audit in Banking conference?
I am really looking forward to engaging with other internal audit professionals on how they are dealing with the challenges of keeping abreast of regulatory developments and incorporating these into audit plans. I see the event as a great opportunity to share ideas and to advance the discussion as to how internal audit can continue to provide the expected level of assurance to our stakeholders that these risks are being managed and mitigated.
About Sarah Daly
Sarah Daly is a Director and Head of Internal Audit in Bank of Montreal Ireland plc (BMI). She will be participating in the 3rd Edition Risk Audit in Banking conference being held in London on September 18-19