Over the past 10 years, the Banking Industry has experienced a number of severe shocks. From the global financial crisis to global austerity to the LIBOR and FX scandals and the recent oil price slump, a number of risks have emerged that were previously not considered important. Regulators have also added to the pressure on banks to understand their risks and implement solutions that help manage these risks. Internal Audit has not been immune to this, where these events have highlighted the need for Internal Auditors to change the way they think and operate.
EMERGING RISK TRENDS WITHIN THE BANKING SECTOR
Some of the key risks emerging within the Banking Sector are:
1. CORPORATE GOVERNANCE – TONE AT THE TOP
All banks are in the business of making money. The key is to do so safely and this mindset needs to come from the top. Management need to ensure that their front-line understand the risks involved and have adequate controls in place to manage them.
2. STRATEGIES LINKED TO RISK APPETITE/RISK TOLERANCE
The starting point for managing risk as a business is to evaluate the appetite for risk and then formulate the business strategy around it. Any disconnect between the strategy and the risk appetite will result in the organization pursuing opportunities that go beyond their risk tolerance levels and without an appreciation of the risks that they are taking.
3. FOCUS ON AREA OF EXPERTISE
Banks need to understand their products and their related risks, thereby building expertise in these products. A simple rule should be followed: if a transaction is not in line with your strategy or your area of expertise, it should not be done, period.
4. LIQUIDITY/CAPITAL ADEQUACY
Banks need to be aware of two things: the importance of liquidity and the fact that severe economic shocks can break down any assumptions around liquidity by affecting correlations between financial instruments. In relation to this, regulators across the world have started introducing stricter liquidity and capital adequacy requirements. On their part, banks should have robust Contingency Funding Plans in place and should regularly stress test their liquidity portfolios using severe shock scenarios.
5. DANGERS OF GEARING AND OVER-LEVERAGE
Leverage, whilst having tremendous potential upside, exacerbates downside risk. Excessive leverage can potentially have a negative impact on the capital. Banks, by their very nature, are highly geared and hence have a responsibility to ensure that they do not become over-leveraged.
6. QUALITY OF ASSETS
It is imperative that banks understand the quality of their asset book and take steps to ensure that adequate quality is maintained. A main concern is the over-reliance on external rating agencies as an indicator of asset quality. Whilst such ratings may be a good initial indicator, banks and financial institutions need to build appropriate internal rating models to gauge asset quality.
7. PERILS OF INADEQUATE RISK TRANSFERENCE
Banks use a variety of financial instruments and tools to transfer risk away from them. Some of these can be complex in structure and as such may not necessarily work as expected. Where necessary, banks need to ensure that risk is adequately transferred using scenario analysis and stress testing.
8. UNDERSTANDING MODELS
Banks use various models to help measure and manage risk. These are usually based on certain assumptions and; therefore there is a need to ensure that models are thoroughly validated and back-tested before they can be considered reliable.
9. RISK-BASED COMPENSATION
In an effort to curb excessive risk-taking, banks have started to introduce the concept of risk-based compensation. This means that rewards are now tempered by the level of risk taken to achieve them. This ensures that even if the frontline follows an aggressive profit-generating strategy, they would not be rewarded if they take on undue risk.
10. EQUITABLE INVESTMENT IN SYSTEMS AND ENABLEMENT RESOURCES
Banks tend to invest more in the business-generating frontline, rather than in systems and enablement resources supporting that business. This has resulted in risks going unmanaged, as certain transactions for example are being managed through spreadsheets. Equitable investment in the governance and support infrastructure is required to ensure that business is conducted safely.
HOW SHOULD NTERNAL AUDIT RESPOND?
So what are the implications for Internal Audit? As the 3rd line of defense, Internal Audit needs to upgrade its practices so that it can meet its dual mandate of independent assurance to the Board and value addition to the business. It needs to be more responsive to its environment and be closer to the business, in order to achieve these objectives.
Some of the developments that could be considered by the Internal Audit Function are:
1. ROBUST RISK-BASED PLANNING
The Internal Audit profession has already adopted a risk-based approach; however, this needs to be taken further. Banks operate in a very dynamic environment and risks need to be constantly reassessed. This can be done through lessons learned exercises or on the back of regulatory hot topics, as well as through constant dialogue with the business.
2. PARTNERING/RELATIONSHIP CONCEPT
Internal auditors need to partner and build relationships with the business in order to keep abreast of their operations and related progress. This will enable them better assess and anticipate potential risks as they emerge.
3. CONTINUOUS MONITORING
Today’s environment is too dynamic to simply rely on annual audits, and hence there is a need for employing continuous monitoring techniques. Internal auditors should have inquiry access to all systems used by the business and be able to view exactly what business managers are seeing. Access to regular management information will help keep them abreast of the developments.
“Internal auditors need to partner and build relationships with the business in order to keep a finger on the pulse of the organization.”
4. EXERCISE OF RATIONALITY
One question that an internal auditor should always ask is whether the income generated by a business or a transaction is reasonable. The age-old adage applies: If it is too good to be true, it probably is. Internal auditors need to adopt a cynical challenge to identify excessive income being generated from excessive risk-taking.
5. UP-SKILLING OF AUDITORS
Having only an audit qualification is no longer enough. If they are to audit effectively, internal auditors need to receive the same training as the businesses they are auditing. Internal Audit management can enhance the skills of their teams by having them obtain business qualifications, or by hiring people with prior industry experience.
6. SOURCING SPECIALIZATION
Internal Audit management need to avail other avenues to source specialized resources. Whilst outsourcing/co-sourcing is one option, one abundant source of experience and expertise is the business itself. Internal Audit can invite business staff as guest auditors on audit assignments. This will not only allow the auditors to gain from the guest’s expertise, but also allows businesses to have a better understanding of the work of Internal Audit.
7. AWARENESS OF REGULATIONS
The staggering amount of regulatory fines recently levied on financial institutions is testament to the fact that businesses need to keep abreast of regulations. Regulatory compliance should be at the foremost of Internal Audit’s agenda. Conversely, Internal Audit should also focus on unregulated or under-regulated areas as they are usually subject to limited oversight.
Recessions and crises provide a very important opportunity for internal auditors. They usually highlight the risks that are often overlooked during economic growth/expansion periods. It is during such times that Internal Audit can really learn lessons that provide valuable insight into what went wrong, the implications on the internal audit profession, and how internal auditors can change or improve their processes and practice.
Internal Audit can no longer play the same traditional role. Internal Auditors need to really understand the risks within the businesses, partner with them to keep a finger on the pulse of the organization so that they are aware of things as they happen, and better develop their teams’ skills. At the same time, internal audit needs to resist pressures from management and ensure that its voice is heard across the organization. Ultimately, internal audit is the last line of defense and therefore cannot afford to be complacent.
TAUSEEF ABDUL GHAFFAR CFA, FRM, CPA is the Senior Vice President & Head of Audit of the Global Wholesale Bank at the National Bank of Abu Dhabi.