The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities

The Protiviti View

Insights From Our Experts on Trends, Risks and Opportunities
Search

POST

2 mins to read

Real-World Risk Rigors Require Effective Challenge

Views
Larger Font
2 minutes to read

Man plans, God laughs, according to the Yiddish proverb. Bank regulators, not so much – at least not when it comes to risk management, which continues to be an ever-moving target for financial institutions. Providing stakeholders with assurance that the risk control frameworks financial institutions have adopted will hold fast in an actual emergency is an ongoing challenge, and banks test their plans annually. The tests are meant to be aggressive and realistic – in a regulatory vernacular, they need to represent an “effective challenge.” Getting effective challenge right, however, is easier said than done.

The Federal Reserve and the OCC have published guidance outlining the characteristics of an effective challenge. I, and several of my colleagues, recently shared thoughts and advice on this as part of the Risk Management Association’s audio conference series.

As is often the case, there is a gap between present conditions and the desired future state. Risk management at many institutions is applied inconsistently across the three lines of defense and different risk types. The rules governing the control challenge process and the process for escalating risk management concerns to executive and board attention are often poorly defined, documentation is limited, and risk management often lacks the authority to effectively challenge operational managers, inhibiting mitigation efforts.

The best way for financial services providers to combat these challenges is by following leading practices – for example:

  • Building effective challenge into risk management processes
  • Clearly documenting policies and procedures
  • Documenting challenges – for example, through detailed meeting minutes at management- and board-level meetings, and
  • Requiring the appropriate escalation and resolution

Effective enterprisewide risk management requires the cooperation and alignment of all three lines of defense, plus effective oversight by top executives and the board of directors. The board of directors oversees all three lines of defense and, working closely with executive management, sets the risk appetite and the “tone at the top” of the organization to strengthen the company’s overall risk management process.

Each line of defense plays a specific role. The first line focuses on business, financial and operational risks. The second independently establishes protocols for risk and compliance decisions. The third line, which includes internal audit, assesses risk management and risk governance processes, and conducts its own tests to ensure that risk management policies are adequate and effective.

To have an impact, an effective challenge must do several things:

  • Drive two-way communication on strategic business and risk decisions
  • Provide transparency and direction to business and risk leadership before issues arise, and
  • Enable the business to grow and pursue new opportunities according to its established risk appetite

These are common-sense steps, but common sense isn’t always common. The upshot is that robust risk management is a cultural process that depends on a strong tone at the top and an engaged middle and bottom. More than just planning, best practices call for extensive monitoring and effective challenges that pull no punches and seek to make the system stronger and more secure than before. Communication is key. So is continuous improvement.

How is your organization implementing effective challenge? Join the conversation by leaving your comments below.

Was this post helpful to you?

Thanks for your feedback!

Subscribe to The Protiviti View Blog

To face the future confidently, you need to be equipped with valuable insights that align with your interests and business goals.

In this Article

Authors

Matthew Perconte

By Matthew Perconte

Verified Expert at Protiviti

EXPERTISE

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

While the return-to-office decision is often framed in a straightforward manner — we believe collaboration, productivity and innovation flourish more...

Article

What is it about

What you need to know: Aging systems, data silos, regulatory pressures and talent gaps complicate enterprise transformation for public utilities....

Article

What is it about

The top priority for healthcare internal auditors this year is cybersecurity, according to a survey by Protiviti and the Association...

Search