In a report commissioned by Acin Risk.net surveyed more than 100 first line of defence risk control professionals, between December 2021 and February 2022, about both the current state of play in the industry and what they think could, and should, happen in the near future. On April 21, the results of these discussions will be published in a report by Risk.net, to be accompanied by an acin webinar.

By and large, the findings of the report echoed what we have been advocating for a number of years. This is doubtless gratifying, but it remains somewhat alarming that a great many firms have a lot of work to do before they can say that their risk controls are fit for purpose.

For example, only 19% of respondents said that technology can currently properly analyse risk data at their organisation, while even fewer (18%) said that dynamic risk control self-assessments (RCSAs) or reviews are implemented at the moment. More than half those surveyed said that risk control should be more of a priority at the institution in which they work.

Broadly speaking, there are three main areas of risk control on which banks must focus, according to the report. These are better engagement with regulators, more complete data and more widespread use of RCSAs.

• Financial institutions need to be able to demonstrate to regulators that they have the most appropriate risk controls in place. Mapping controls to regulations is one way of doing that. If this is accomplished, it is has the corollary but not inconsiderable benefit that the most senior managers in the bank can also see that the right controls are aligned to regulatory requirements.
• Clean, coherent and consistent data, which is standardised and organised according to the same criteria and terminology throughout the institution, is of paramount importance. Without that, no bank has any hope of understanding the risks it faces at every level. The bigger the bank, with more businesses and more geographical jurisdictions, the more true this is.
• Risk controls must be ongoing and dynamic, rather than periodic. At the moment, RCSAs come around generally at the same time every quarter, every year or or even every two years and generally constitute a redundant box-ticking exercise. They should be triggered by internal and external events including and should also be tied to the distinct and peculiar risk appetite of each institution.

All this needs to be married to cutting edge technology, without this data cannot be digested or understood, and RCSAs cannot be dynamic and responsive.

At the moment, however, the fundamental machinery is often lacking. When asked what makes their job particularly challenging, the most popular provided by the risk control officers polled was the disconnection of dashboards from actual risk controls.

The second most popular answer to the same question was the insufficiency of data to fully support senior manager accountability.

This last point may well send shivers down the spine of senior managers as, according to the UK’s Senior Manager and Certification Regime (SMCR), failures of risk management on their watch could buy them a one way ticket to jail.

These are the themes Acin has stressed over the last couple of years, and here they are once again borne out by this report. This time, however, it’s from the horse’s mouth. Over 100 senior professionals at the heart of the risk control industry responded to the questions. The results are derived from their experience and their answers, not conceived in an ivory tower. That’s why it should be listened to.

To pre-register to download the 2022 Risk.net research report click here

To attend the webinar click here

About Acin

Acin has a comprehensive, pre-built risk and control quick start library of inventories constructed through industry consultation and mapped to regulatory guidance, to provide immediate value and accelerate impact. Easily and proactively demonstrate to the regulator, auditors, investors, shareholders, and boards that you are managing climate risk – ahead of regulatory deadlines.