The financial services sector has seen its boards of directors push for improved governance structures in their organizations. This push for better governance is not a recent phenomenon. New regulations have also contributed to improved governance of internal processes. Furthermore, regulatory agencies are not the only catalysts for change. The expectations of investors and other stakeholders are increasing with respect to governance.
More than ever, stakeholders are holding boards accountable for the effectiveness of governance processes in general. This change is real and significant and probably reflects an expectation of greater board involvement in the organization and the execution of governance.
While direct board involvement can be a realistic measure in smaller organizations, banks and large insurance companies may find these requirements challenging. In general, boards have responded by strengthening internal policies and creating board-level committees with clear roles. Positions such as Chief Risk Officer (CRO) are now commonplace and these professionals head well-resourced units that can assist the board in the task of monitoring.
It is now common, especially in larger organizations, to find individuals with risk-related functions, such as corporate risk management specialists, compliance managers, internal control specialists and fraud investigators, among others. Each one examines specific risk areas to help the board manage the different risks the organization may face.
However, the challenge is to transform the different risk management functions into a disciplined effort, incorporated across the enterprise, which is perceived as a strategic asset. This also requires the convergence of existing compliance solutions, each specific to its own use, which incorporate financial, operational, risk and regulatory requirements. Only with this kind of transformation can the full benefit of risk management be achieved.
The Role of Internal Audits
Internal audits also play a key role within the governance structure. They are the line of defense that reports directly to the audit committee, which ultimately reports to the board. Internal audits provide a guarantee that governance, risk management and internal controls are effective.
However, recent research reveals that only 28% of audit executives believe their roles have a strong influence and impact within their organizations. In fact, many of them believe that internal auditing has little or no influence, being only a normative and mandatory function within the organization.
Synergy between both functions is fundamental. The challenge that both functions face, and which ultimately has an impact on their strength and effectiveness within the organization, is to possess skills that are relevant as organizations grow and develop. While skills previously focused on understanding the operational structure, controls and audit methodologies, IT-focused knowledge is now required. Regulations such as the General Data Protection Regulation (GDPR), which affect all financial services companies, clearly require a team of people from a risk and internal auditing environment with a knowledge of risks, operational controls and IT.
Clearly, just the presence of a risk and internal audit function in an organization is not enough. The challenge is effectively coordinating the tasks of both functions. This is key to ensuring there are no gaps in controls or the unnecessary duplication of work.
Clear roles must be defined so that each function understands the limits of its responsibilities and how its role fits into the organization’s overall risk and control structure. Without a cohesive and coordinated approach, limited resources may not be effectively implemented and significant risks may not be identified or adequately managed.
With the diversity of threats facing financial services organizations, internal weaknesses can represent a significant risk. The resulting consequences would be too substantial to ignore.