effective risk management - Association of Financial Mutuals

• The quality and frequency of risk information for governing
bodies varies significantly from firm to firm.
• Where risk information is provided, performance indicators
relevant to particular risks, assessments of the availability
and effectiveness of treatment and comparison of risks
against risk appetite are seldom included.
• Many firms have not clearly defined their appetite for, or
tolerance of, risk.
• The banking crisis and the economic environment have
further highlighted the importance of firms having in place
effective risk management controls driven by firms' senior
management. Over the last 12 months there have been
various regulatory and European reports and publications on
this matter, for example:
• Walker Report: A review of corporate governance in UK
banks and other financial industry entities. Quote from the
report:
‘Firms should satisfy themselves on the integrity of its risk
management controls and that they are robust and
defensible’
• CEIOPS’ Advice for Level 2 Implementing Measures
on Solvency II: System of Governance Synopsis
‘A clearly defined and well documented risk management
strategy that includes the risk management objectives, key
risk management principles, general risk appetite and
assignment of risk management responsibilities across all
the activities of the undertaking and is consistent with the
undertaking’s overall business’
• ‘Effective Corporate Governance (Significant influence
controlled functions and Walker Review) Policy Statement
(PS) September 2010’
A new framework of classification of controlled functions
NEDs holding a Chairman role will be reclassified:
• CF2a (Chairman)
• CF2b (Senior independent director)
• CF2c (Chairman of risk committee)
• CF2d (Chairman of audit committee)
• CF2e (Chairman of remuneration committee)
Chair of Risk/Audit/Remuneration Committees
• The FSA comment that they would not preclude executive
directors from performing the role of chairperson for firms'
risk/audit/remuneration committees, where that is deemed
appropriate in the circumstances of the firm. However, they
would expect this to be in exceptional circumstances only
and for these functions typically to be filled by a NED.
Finance, Audit & Risk (CF28)
The CF28 function will be split into three distinct functions:
finance, risk and internal audit – CF 13, 14, and 15
respectively.
Internal Audit Function
• The FSA are adding further guidance to SUP 10 to make it clear
that they expect the person responsible for CF15 not to be
responsible for another governing function.
• Additionally, the FSA acknowledge the role of today’s
internal audit function and are amending SUP 10.8.3 R to
include a requirement that the internal audit function reports
on the effectiveness of the firm’s systems of internal control.
Outsourcing of CF 13 (Finance) & CF15 (Internal Audit)
A third-party service provider may be used to help a firm fulfil
a particular task or activity but cannot be in a position of
significant influence – that can only be a person at a firm. For
example, if a firm’s internal audit function has been
outsourced, the person carrying out the internal audit function
(CF15) would normally be the person responsible for that
function to the governing body or in larger firms to the audit
committee.
The Walker Review - effective risk management
Risk Committee
Where no risk committee exists, there should, however,
still be someone accountable for risk at the firm and the
governing body will retain responsibility for risk oversight.
Chief Risk Officer (CRO)
The FSA's expectation is that the CRO will challenge and alert the
board in instances where it is seeking to act beyond its
already agreed risk appetite/tolerances.