In the volatile and unpredictable realm of financial services, risk documentation must be current, viable, operational and, most importantly, effective. Exactly how, you might ask, can this be achieved? That’s a very good question.
The success of risk documentation depends, in part, on the size and operating environment of each individual firm, as well as on the time, energy and cost that each firm allocates to this cause. But there are seven key risk documentation guidelines (which I like to call the Magnificent Seven) that every firm can follow:
- Establish roles and responsibilities. Relevant stakeholders must be identified and assigned tasks.
- Choose and implement the right metrics. Metrics gauge the operational efficiency of documentation, and selecting the right ones will ensure that employees are compliant in terms of key performance and key risk indicators. Too few or too many of these metrics can paint a distorted picture; the chosen metrics must therefore be material and relevant to the documentation. Regular reviews of these metrics will indicate whether the documentation is fit for purpose.
- Build a structured process that allows for challenges. Asking the right questions and verifying the correct answers demonstrate an organization’s comfort level with its governance and documentation processes. There must be a structure in place that allows employees to challenge these processes, when necessary.
- Emphasize data integrity. Good documentation should always be written with a view toward output. An understanding of how the data is collected and delivered will give a clear indication about how the documentation fits within the operating environment. The true test is a meaningful output.
- Enforce policies and procedures. Attestation, by itself, is not enough. Reviews should consist of assessments based on representative samples and must include testing and validation by all engaged stakeholders.
- Develop exception and escalation protocols. Documentation needs to be recalibrated if your organization has too many – or too few – “escalation incidents.”
- Prioritize training. A commitment to training will speak volumes about the tone set from the top of the organization. Indeed, reinforcement through regular training will drive the corporate message home, ensuring a commonality of standards and purpose.
Documentation underpins standard practices and policies, so a commitment to the guidelines speaks to the adequacy of a firm’s internal control environment.
The proof of the pudding is in the eating, but to some it might seem like the pudding has been overbaked. The “Magnificent Seven” require effort and engagement from all parties concerned. A simple attestation is a non-starter, because it’s an easy option that can mask both ignorance and accountability.
In the long run, since effective risk documentation protects both the economic standing and reputation of an organization, the effort required to follow these guidelines is well worth it.