Corporate Governance for Banks in Southeast Europe: Policy - IFC
B. Risk management and internal controls 43,44

B1. Risk management versus internal control 45

Risk management and internal control are two processes that work hand in hand. Risk management is intended to 1) identify risks; 2) assess the bank’s exposure to risks; 3) monitor exposure and conduct consequential capital planning; 4) monitor and assess decision making as it relates to risk, in particular, whether risk decisions are in line with board-approved risk tolerance and policy; and 5) report to senior management and the board.

Internal control, on the other hand, ensures that each key risk has an associated policy and control mechanism, and that each control policy and mechanism is being applied effectively. Internal controls provide a variety of assurances to management, such as the reliability of information, compliance with law, compliance with governance systems, prevention of excessive managerial discretion or fraud, and so on. It is a key responsibility of the board to ensure that effective systems of risk management and control are in place. 46

Risk Management and Risk Management Culture

“When sophisticated risk management comes too late, I do not think there is much reason to celebrate.”
George Bobvos, Montenegro

“Effective risk management is not about eliminating risk-taking; risk-taking is a fundamental driving force in business and entrepreneurship. The aim should be to ensure that risks are understood and managed and, when appropriate, communicated.”
Hans Christiansen, Denmark

“One of the most important lessons that I think comes out of the crisis from a governance point of view is a focus on the risk governance role of a board.”
Catherine Lawton, United Kingdom

A best-practice board will typically need to rely on an internal auditor to provide the board, via the audit committee, with assurances regarding the bank’s risk management and internal controls and corporate governance processes. The internal auditor traditionally reports to management administratively and to the board functionally, with the head of internal audit reporting directly to the chairperson of the audit committee or to an independent lead board member. Internal auditors should enjoy substantive independence from management and have direct access to the board.

Supervisors and bankers may use the term internal control to refer to a variety of aspects of the control environment, including risk management, internal audit, controls, and compliance. Irrespective of how the functions of the control environment are named, each one is necessary and should be performed effectively. In addition, a bank’s general counsel or legal function contributes significantly to the control of risk. Many problems in developed markets during the recent financial crisis resulted from legal risk failures.

For banks in the SEE region, implementing effective and reliable risk management and internal controls is one of the most important challenges. It is only through an effective control environment that the board can be confident that the information and reports that it receives are reliable. It is also the only way the board can express itself with any certainty on the risks in the bank.

43 2010 BIS Principles, Section III.C, p. 17.
44 For additional specific guidance on risk management, see CEBS, High Level Principles for Risk Management (2010). http://www.eba.europa.eu/documents/Publications/Standards---Guidelines/2010/Risk-management/HighLevelprinciplesonriskmanagement.aspx.
45 2010 BIS Principles, Section III.C, p. 17.
46 See also BIS, Framework for Internal Control Systems in Banking Organizations (1998).