by John Thackeray

Risk Management – The Transformation


Never before in the age of risk management has so much been asked by so many of so few. Risk Management is going through a change management transformation, the likes of which have never been seen before. The key drivers for this change include a persistently volatile environment, a deep longing to be considered a good social citizen, endless regulation, the growth of non-financial risk types, new methods of customer engagement and a need to address past mistakes. The change is being exacerbated by the new operating environment (working from home), which has been enforced by COVID-19, prompting risk management to think differently about architecture, people, processes, systems and value.

This paper looks at the key drivers and the implications they pose, and suggests a meaningful pathway for the future of risk management by means of change transformation.


The current operating environment in which firms find themselves is anything but benign. COVID-19 has deepened structural fissures within an already fragile ecosystem. Negative interest rates, increased compliance costs, zombie loans, and the continuing levying of fines for anti-money laundering failures and corruption have eaten into income and capital. Moreover, the persistence of scandals, highlighted every week by social media, has evaporated any goodwill towards financial institutions. Many financial institutions have been seen as facilitators of tax avoidance and enablers of financial crimes. The reputation of many is such that customer expectations, sentiment, and engagement are low, with very little confidence in both the products and the messaging of the organizations. Simply put, the financial organizations seem to many of their stakeholders to have lost their way, with no moral compass to lead them, leaving behind a bankrupt and obscure identity.

Having shot themselves in the foot, the institutions have seen retribution come in the form of heavy regulation, partly due to past sins but also as an appeaser towards public opinion. The regulators now have the ready-made excuse to appear in the bowels of financial institutions and dictate terms, with an ever-increasing bright spotlight. This oversight reaches globally, with regulation that can be retrospective, leading to unspecified fines for past mishaps from multiple agencies and countries.

Given the 2008 financial crisis, there is no longer an appetite to shore up financial institutions, and indeed there is an intolerance towards any protest from the firms about the growing depth and breadth of the new legislation that has been dictated to them. This legislation has led to more detailed and demanding capital, leverage, liquidity, and funding requirements, data privacy obligations, as well as higher standards for risk reporting, such as BCBS 239. The financial guard rails have been stiffened with more detail and requirements in the US banking system with regard to "CCAR" (Comprehensive Capital Adequacy Review) and by European Union guidelines with regard to stress testing, both bodies now seemingly dictating capital and dividend policy.

The growth of non-financial risk types, i.e. cyber, model, climate and conduct, has had a dramatic effect on financial institutions and their operations. Each risk has now entered the Enterprise Risk Management portfolio and needs to be addressed with urgency. Model Risk has increased with data availability, advances in computing and modelling, and the need to address in quick order pressing legislation such as "CECL" (Current Expected Credit Losses). Climate Risk has maintained its ascendancy as an emerging risk, with the Bank of England leading the way both in terms of supervision and legislation. Operational resilience has gained a foothold, boosted by COVID-19, with a resultant knock-on to reputational risk. Conduct risk has escalated as scandals highlighted by social media question the ethics of firms and how far they will go to boost their profits. All these pressing risks have by themselves sequestered an inordinate amount of energy and cost, both in terms of mitigating and reporting.


These drivers will have huge implications for the effectiveness and adequacy of business systems and operations. Technology, or the increased reliance on it, will be seen as a panacea, the gatekeeper that can both thwart the risks and increase the opportunities posed by these drivers. The increased use of technology continues to transform the normal processes and channels of engagement/experience and accentuate the social-distancing relationship. Big Data, Machine Learning and Artificial Intelligence, championed by the burgeoning ranks of fintechs, are the go-to components to mitigate the effect of the drivers by means of reimagining business processes.

As regulations become more complex and the consequences of noncompliance ever more severe, financial institutions will likely have no choice but to eliminate human interventions to hardwire the right behaviors and standards into their operations, systems, and processes. There will be a need for new algorithms to parse the data, which will need to be reviewed and challenged on a constant basis. Where these interventions cannot be automated, robust surveillance and monitoring will be increasingly critical.

Increased costs have led to an ever-increasing reliance on automation, both in decision making and in processes. The amount of big data being generated will enable the more astute to redesign their processes using a comprehensive data management set of both public and private data sets. Processes such as underwriting will be digitized; submitted information need only be scanned and verified without any in-person engagement.

Artificial intelligence and machine learning will be used in behavioral analysis and remove a lot of the expert judgement required by risk officers, therefore eradicating any biases within the decision-making process.

Advances in technology will also help in the key areas of stress testing and scenario planning, especially in the evaluation of climate risk within the portfolio. This advancement will lead to a multi-dimensional understanding of risks, with complex models that need to be adjusted. While existing scenario analysis or stress testing frameworks can be leveraged, climate risk scenario analysis differs from the traditional use of these: longer time horizons, description of physical variables and, generally, the non-inclusion of specific economic parameters. These idiosyncrasies mean that data and climate scientists and engineers will need to be absorbed within the existing risk management structure. Moreover, stress testing and scenario planning will also have to incorporate operational sustainability and resilience, which may call for significant contributions from external third parties to help complete the analysis and evaluation.

Change Transformation

The Target Operating Model of Risk Management of the future will be very different, with risk professionals armed with a new set of technology tools and new skillsets. In order for it to be an enabler, the organization needs risk to transform its vision and redefine its role structurally, given that many risk professionals will now need to work from a home environment. The main strategy will involve a heavy reliance on and incorporation of new technology to both right-size and reimagine risk management practices.

Listed below are some suggestions, which no doubt can be modified depending on the size and complexity of the organization.

• Risk managers will be seen foremost as Firm Culture Champions and then as Risk Culture Champions. Building and maintaining these identical and symbiotic cultures will be critical to ensuring the success of both the enterprise and the risk function of the future. The combination of these cultures is likely to be a requisite element in a firm's future competitive advantage. The secret recipe is to start with the risk culture first and then distribute and evangelize, so that both cultures share a vision that includes the advocacy of strong corporate values. In order for this to take root, the firm will need to monitor and survey the actions of its employees on a regular basis, no doubt aided by technology.

• The Chief Risk Officer ("CRO") will be seen as a Champion of the firm and will be one of the stronger internal candidates to succeed the CEO. He/she will have to become an exceptional narrator who, armed with data, can convey and articulate the message of today. The brave new normal will call for greater transparency around disclosures concerning IT/supplier disruptions, operational resilience, cyber-attacks, sustainability and climate change. The CRO must be able to engage in the conversation with the right message and be the mouthpiece of the firm, backed by the data.

• The risk stripes will have to be reorganized structurally around correlated risk stripe clusters, e.g. Fraud, Operations, Technology, IT Security, Compliance, Human Resources, Model, Conduct, Reputation and Anti-Money Laundering will all come within the same coordinated structure and governance rather than standalone silos. The synergies will result in smaller teams of agile multi-discipline staff with a depth and breadth of knowledge in one or more of these subject areas.

• Risk personnel will be multi-trained, with data analytics as a starting point, and have the ability to match this with practical experience in all risk stripes. The tour of duty will include cross-training in the various risk disciplines, which will enable the team to speak a common language while applying consistent standards. Risk professionals will be expected to wear many hats, with high expectations on delivery and communication skills.

• The risk management ecosystem will demand a comprehensive enterprise-wide database, which is expected to help financial institutions create a repository for all types of structured and unstructured data. Since risk functions in the future are expected to become increasingly data driven, the supporting data infrastructure is a critical enabler. This data will have many uses and create a data-driven analytical risk area which will need to be resourced by staff with multiple skill sets. Understanding the data will improve overall quality, aggregation capabilities, and risk reporting timeliness, thus allowing management information to be displayed in a way that offers users a great deal of information in real time, improving the quality and timeliness of fact-based decisions.

Passing thoughts

Broader responsibilities, better trained, smaller, multi-risk disciplined, data hungry: these will be the new requisite qualities of risk personnel. Change will happen. The question is whether you are willing to embrace the change or not. The firm that thinks ahead with this mindset will be the one left standing, not only with a competitive advantage but also with an enhanced reputation.

By John Thackeray


An organization can become more productive by championing a hybrid model workplace that fosters and promotes a culture of inclusivity and trust. At the heart of a hybrid workforce model, are the ideas of shared ownership and trust, which can help the organization break down long-standing beliefs about productivity and performance.

Trust is one of the most important ingredients in this model and this can be facilitated by delivering creative management strategies and exhibiting clear behavioral standards. This trust requires management strategies to place a greater emphasis on behavioral standards such as accountability, transparency, and communication, creating a culture, whereby employees feel safe and appreciated within an inclusive environment.

Trust and Management Strategies

Maintaining greater leadership communication and visibility: Create new ways to engage informally with your employees. By defining and embracing new behaviors that are observable to all, and by deliberately making space for virtual employees to engage in informal interactions, leaders can facilitate social cohesion and trust-building in their teams.

Establish team rituals to cement a strong bond of personal relationships, enabling team members to have fun in a safe environment and thus improving morale. Ensuring that the transitions between the respective team norms for onsite and remote work are as smooth as possible gives employees a cohesive experience that feels designed and shared, not random.

Fostering an open environment by letting employees' voices be heard, e.g. by means of a virtual "Lunch and Learn" or a "Fly By" opportunity with an executive, thus giving employees the opportunity to share in a safe setting.

Re-evaluate your procedures and policies, ensuring that the content is consistent, resilient and fit for purpose in the hybrid workplace. For example, the importance of onboarding has never been greater in emphasizing team and trust, setting out and reinforcing cultural values and expectations, and it requires considerable procedural changes to previous practices.

Measuring performance on outcomes: Instead of focusing on tasks or hours worked, focus on the outcomes and the quality of results. By focusing on results over style, regardless of location, a more productive, engaging, and meaningful work culture can be evidenced and shared. Success is evidenced by means of clear and transparent key performance indicators (KPIs).


In order to be more productive, the culture must embrace the hybrid model with a mindset of shared ownership and trust, principles which in turn should complement the existing values of the organization.

Procedures are written primarily to reduce the inherent risk by documenting in writing the business process or activity. Effective procedures are an insight and window into the control, governance and oversight of the organization.

In order for procedures to be effective, they should have the following traits.

The focus of this paper is on the primary trait, data points. These set the standard and expectations which enables procedures to be written in a consistent and repeatable format. Moreover, common data points can ensure the proper enforcement of policy by reinforcing the guidelines and standards prescribed. This paper articulates a menu of data points which must be considered in the appreciation and application of this objective.

Below is a table of data points followed by explanations of each data point. High/Medium/Low refers to the scale of a data point's admission to the procedures.

Data points explained.

1. Inherent Risk

Inherent risk is the assessed natural level of risk in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, i.e. the amount of risk before the application of the risk-reduction effects of controls. It is usually categorized as High, Medium or Low. This categorization importantly focuses the organization on both understanding and addressing those processes which represent the greatest risks to the organization, thus enabling the proper allocation of resources to mitigate these risks.

2. Objective/Purpose and Scope

The purpose is the reason why the business exists, why you exist or why the team does what it does. The objective is what it needs to do to achieve its goals. The scope of an activity, project or procedure represents its limitations or defines the boundaries of its application. These data points set the stage for the document and allow the reader to appreciate the significance of the process or processes.

3. Owner

Quintessentially the most important player within the process. Each owner has a unique responsibility and accountability for ensuring that the procedures are effective. It is a measurement of management skills and application and a true testament to standards, leadership and behavior. It is the responsibility of the owner to clearly communicate with and train those involved within the process. Given that the most effective control is segregation of duties, the Owner can never be the Approver.

4. Approver

Another implicit control is that of Authorization, which ensures that the Approver is always one level above the Owner in the organizational hierarchy.
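As an added illustration, not taken from the article, the two controls stated above (the Owner is never the Approver, and the Approver sits exactly one level above the Owner in the reporting hierarchy) can be checked mechanically over a procedure register. The reporting lines and procedure records below are constructed for the example; findings are ranked by the procedure's inherent risk so that High-risk procedures are reviewed first.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed reporting lines: person -> direct manager (None at the top).
REPORTS_TO: Dict[str, Optional[str]] = {
    "ceo": None,
    "cro": "ceo",
    "head_ops": "cro",
    "ops_lead": "head_ops",
    "ops_analyst": "ops_lead",
    "head_model": "cro",
}

# Ranking of the article's inherent-risk scale; lower value = reviewed first.
RISK_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Procedure:
    name: str
    inherent_risk: str  # "High", "Medium" or "Low"
    owner: str
    approver: str


def level(person: str) -> int:
    """Depth of a person in the hierarchy; the top of the hierarchy is level 0."""
    depth = 0
    seen = set()
    while REPORTS_TO[person] is not None:  # KeyError if the person is unknown
        if person in seen:
            raise ValueError(f"cycle in reporting lines at {person}")
        seen.add(person)
        person = REPORTS_TO[person]
        depth += 1
    return depth


def check_procedure(p: Procedure) -> List[str]:
    """Return the control findings for one procedure record (empty list = compliant)."""
    findings: List[str] = []
    for role, person in (("owner", p.owner), ("approver", p.approver)):
        if person not in REPORTS_TO:
            findings.append(f"{role} '{person}' not found in the organizational hierarchy")
    if findings:
        return findings
    # Segregation of duties: the Owner can never be the Approver.
    if p.owner == p.approver:
        findings.append("segregation of duties: owner is also the approver")
        return findings
    # Authorization: the Approver is exactly one level above the Owner.
    if level(p.approver) != level(p.owner) - 1:
        findings.append("authorization: approver is not exactly one level above the owner")
    return findings


def review(procedures: List[Procedure]) -> List[Tuple[str, str, List[str]]]:
    """Non-compliant procedures as (inherent_risk, name, findings), highest risk first."""
    results = [(p.inherent_risk, p.name, check_procedure(p)) for p in procedures]
    results = [r for r in results if r[2]]
    results.sort(key=lambda r: (RISK_RANK[r[0]], r[1]))
    return results


# Constructed sample register used for the demonstration.
SAMPLE_PROCEDURES = [
    Procedure("Wire payments", "High", "ops_lead", "ops_lead"),          # owner approves own work
    Procedure("Customer onboarding", "High", "ops_analyst", "head_ops"),  # approver two levels up
    Procedure("Model validation", "Medium", "head_model", "cro"),        # compliant
    Procedure("Office supplies", "Low", "ops_analyst", "ops_lead"),      # compliant
    Procedure("Branch cash", "Low", "ops_lead", "ceo"),                  # approver three levels up
]

if __name__ == "__main__":
    for risk, name, findings in review(SAMPLE_PROCEDURES):
        print(f"[{risk}] {name}: {'; '.join(findings)}")
```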

5. Roles and Responsibilities

According to research by the Harvard Business Review, clearly defining people’s roles and responsibilities matters more when determining a team’s success than outlining the precise path the team will take. In other words, team members perform better when they know exactly what they will be responsible for versus having a specific set of predefined steps to complete.

6. Key Controls

Key controls are the procedures organizations put into place to contain internal risks. Key controls are identified because:

7. Escalation/Exceptions/Remediation/Overrides

Every process will from time to time require exceptions and overrides, which in turn require a clear and transparent escalation and remediation process. This process must be formalized, and records kept to document both the decision-making process and the approval authority. The process speaks to governance and oversight as well as giving an indication of whether the procedures require revisions or amendments.

8. Training and Communication

This is perhaps the most overlooked data point, but it is an important part of the efficacy of the procedures. Lack of both, or little evidence of these data points being demonstrated, implies a lack of owner involvement.

9. New Procedures, 10. Legal/Regulatory, 11. Updates, Revisions and Amendments

All these data points are crucial in ensuring the currency and relevancy of the procedures. The owner is again responsible for compliance with each of these data points. Given that these data points are either ad hoc or determined on an annual basis, the materiality of these points has a lower ranking.

12. Business Continuity

A business continuity plan refers to an organization's system of procedures to restore critical business functions in the event of an unplanned disaster. These disasters could include natural disasters, security breaches, service outages, or other potential threats. In most procedures there is usually a line item describing the plans and preparations.

13. Data Storage/Integrity/Governance/Management

Data is often said to be an organization's greatest asset, and as such policy and standards are dictated at the enterprise level. Given the risks and the regulations surrounding data misuse, this is a vulnerability that needs to be addressed upfront. Great care is needed to ensure that any enterprise standards are being complied with and adhered to, and that personnel are cognizant of such standards. Again, this is a data point whose compliance gives an insight into how enterprise directives are being executed.

14. KPIs, KRIs

While Key Risk Indicators (KRIs) are used to indicate potential risks, Key Performance Indicators (KPIs) measure performance. At times, they represent key ratios that management can track as indicators of evolving risks, and potential opportunities, which signal the need for action. These measures are normally found in more mature processes.


In order for an organization to achieve consistent and repeatable procedures, it must first determine what data points are required and what data points are achievable. This paper has provided a menu which is not exhaustive, but which requires considerable thought with regard to the appropriate data points. Much will depend on the organization's objectives and whether it wishes to have a set of free-standing procedures or procedures which are more aligned to a consistent look and feel.

A consistent look and feel with consistent data points makes the procedures more auditable and compliant with policy and standards.

In his article, 7 Key Elements of Effective Enterprise Risk Management, John Thackeray describes how a well-structured ERM system allows an organization to navigate, with some certainty, the risks posed to its business objectives and strategy. Without useful documentation and steps to broadly communicate the elements, the best planned ERM system will fail. In this article John describes what it takes to document your ERM system.

Efficacy of Risk Documents

Good written risk documentation is both an art and a science; in a perfect world it blends the writer and the subject matter expert as one. Unfortunately, we do not live in a perfect world and this blend is difficult to find. Too many risk documents have either been badly written by the subject matter expert and/or have been deemed content-light and aspirational by the writer.

To achieve clarity, the risk documentation should be written from an independent viewpoint by someone who can challenge known assumptions with a questioning mind. The risk writer will need input from the business, seek collaboration and guide the organization towards ownership of the final document. As a result, the document will be an objective piece of writing, speaking the language of the organization while being understood by the outside world.

Good documentation is a prerequisite in the successful implementation of risk management, acting as a delivery and message mechanism. Documentation must:

The documentation affects and defines the engagement with internal and external stakeholders, articulating and defining the organization’s culture, attitude, and commitment towards risk.


The board has overall responsibility for ensuring that risks are managed. It delegates the operation of the risk management framework to the management team. One of the key requirements of the board is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level. Therefore, the board requires a level of comfort and assurance that risk documentation is being used and is directing the organization toward achieving its objectives.

Here are three signals of effectiveness.

1. Cultural attitude towards risk: This establishes and confirms clear roles and responsibilities that reinforce ownership, accountability and responsibility. Documentation underpins standard practices and policies, so a commitment to the guidelines speaks to the adequacy of a firm's internal control environment. Most companies will have a risk charter which binds the Board and senior management to a fiduciary duty of their responsibilities. It will impose a structure and governance affording a value add which directs the performance of corporate objectives in a controlled fashion.

Part of this cultural attitude towards risk is evidenced in Review and Challenge. Asking the right questions and verifying the correct answers demonstrates an organization's comfort level with its governance and documentation processes. There must be a structure in place that allows employees to challenge these processes when necessary, for instance with 360-degree feedback or employee lunches with the C-suite. Both enable open communication and transparency.

Moreover, this will be evidenced through training. A commitment to training will speak volumes about the tone set from the top of the organization. Indeed, reinforcement through regular training will drive the corporate message home, ensuring a commonality of standards and purpose.

2. The right metrics: Metrics gauge the operational efficiency of documentation, and selecting the right ones will ensure that employees are compliant in terms of key performance and key risk indicators. Too few or too many of these metrics can paint a distorted picture; the chosen metrics must therefore be material and relevant to the documentation. Regular reviews of these metrics will indicate whether the documentation is fit for purpose. Return on equity, risk-adjusted return on capital and return on investment are some metrics that can be adjusted for risk.

3. Continuous assessment and review of policies and procedures: Reviews should consist of assessments based on representative samples and must include testing and validation by all engaged stakeholders. Documentation needs to be recalibrated if your organization has too many, or too few, escalation incidents and/or exceptions. These exceptions and escalations should be actively tracked to gain an understanding of the validity of the documents. With limited resources, only core and material documents would have to be reviewed and tested, especially in the light of changing working conditions and impactful legislation. A structure which enforces this oversight is a sign that risk mitigation is part of the organization's DNA.

Passing thoughts

These three signals are interlinked, each providing a layer of evidence that risk is being taken seriously by the organization.

Risk Documentation is where the written word captures the spoken word: documenting the ERM systems ensures intentions and actions are aligned – which makes for a better world.

This article was published on CFO.University


Crisis fraud risk management is born out of a highly volatile atmosphere which can upend and overwhelm even the most structured fraud risk management program. This volatile atmosphere is with us today and comes in the form of COVID-19. COVID-19 represents the single greatest challenge to fraud risk management ("FRM") because pandemics and their effects were never identified as a driving force in the escalation of both existing and new types of emerging fraud. Moreover, business continuity plans had an isolated focus on operations rather than on people and operations, with much shorter timeframes envisaged.

"In a new survey conducted by the Association of Certified Fraud Examiners (ACFE) about the effect COVID-19 has on fraud, 90% of respondents reported that they have seen an increase in scams targeting consumers, with 51% believing the increase has been by a significant amount. Respondents reported seeing an immediate increase in a number of specific fraud schemes. Of those surveyed, 75% said they already have encountered an increase in phishing through government impersonation, and 71% report seeing an increase in charity fraud. They also have experienced an increase in fraudulent vaccines, cures or tests for the coronavirus (66%); third-party seller and buyer scams on legitimate online retail websites (64%); business email compromise scams (62%); and cyberbreaches (61%). Link to survey: ACFE COVID-19 survey." [1]

Pandemic effects

There is no doubt that a pandemic can cause economic and financial hardship on a massive scale, both individual and corporate. In times of economic crisis, employees' personal financial pressures tend to rise, which is often where the decision to steal and embezzle is rationalized. This justification can proliferate as many key individuals are wearing multiple hats, with a dilution of segregation of duties. This rationalization extends to companies that face pressure to falsify their financials in order to meet earnings targets or secure and maintain financing. Constrained supply chains and reliance on key third-party vendors may increase the incidence of bribery and corruption as the need to meet and support company objectives becomes paramount.

In this threatened environment, companies may seek to cut costs, which will often target non-revenue-generating departments, e.g. compliance and internal audit, while at the same time reducing budgets for control training.

The lack of fraud assessments that are integral to a comprehensive anti-fraud program only serves to leave organizations more vulnerable to the growing likelihood of fraud. As organizations make cuts in the attempt to operate with a leaner staff, they can find themselves caught in a perfect storm for fraud: mounting financial pressures motivating employees and customers alike, providing a common cooperative cause, fused with a highly toxic emotional, irrational and survival-based mindset acting as a powder keg.

Social distancing from the virus has increased online risk, with fraudsters having already found ways to use coronavirus warnings as a veil for malware injections and other fraud schemes. Social distancing has meant a need for, and increased usage of, contactless payments, and with it a proliferation of social engineering attempts, leading to an uptick in fraud in e-commerce and online payments with an incessant increase in both identity theft and account manipulation. This increase in social engineering has escalated with the reliance on home office environments, which by themselves offer fraudsters the opportunity to both degrade and infiltrate organizations' data and information systems.


The first thing is to realize that such a crisis raises the vulnerability of the organization to fraud and is a true test of the fraud resilience of the organization. Outlined below are three countermeasures that the fraud risk program should adopt and introduce in the new challenging environment.

1. Re-evaluate and reassess fraud policy and procedures
The existing FRM framework needs to be re-evaluated and reassessed, knowing that a scan of the environment and the resultant ensuing pressures will create new emerging opportunities and stronger motives for committing fraud. The new normal will create new avenues, as outlined above, for the fraudster, which may expose the soft operational underbelly of the organization. There may be a need to get ahead of the fraud curve and proactively amend and adapt the policy and procedures to reflect the new normal, e.g. with a new fraud taxonomy. Existing policy and procedures that may now be compromised in terms of operational efficiency will have to be adapted in a timely fashion with respect to the redrawing of fraud risk appetites and tolerances, with greater insight and participation from stakeholders.

2. Review and renew the fraud control environment
The external environment will be constantly updating and changing according to the political pressures of the day, with both public and private organizations offering different and varied responses, leading to potentially confusing messaging. Temporary legislation will create loopholes and opportunities with the need to constantly rethink the identification and assessment of likely fraud risks that can emerge due to exceptional management measures, especially in the short-term. Exemptions that have been granted by the authorities to existing policies and procedures resulting in a relaxation of controls should be documented for future reviews and audits.

3. Improve the fraud message, communication, and data channels
As the crisis continues, there is a greater need to engage and communicate the fraud message without overloading the individual with information. Sharing experiences and observations is paramount and can act as an early warning system. Fraud risk will be elevated in conjunction with, and heavily correlated to, the increased incidences and risks of cybersecurity and anti-money laundering. Information flows to understand this triad of threats need to be timely and aligned in a coordinated fashion from internal and external data sources such as Compliance, Information Technology, Audit and third-party vendors. The organization must understand the interconnectedness of fraud with all the other risks facing the organization and be able to respond at the enterprise level.

One result of the new working environment is that information flows have increased, as whistleblowers who are either disengaged or emboldened by working from home have decided to come forward. According to a recent Wall Street Journal article, the U.S. Securities and Exchange Commission received about 4,000 tips from mid-March to mid-May, a 35% increase on the same period the previous year. Whistleblowing hotlines are therefore a ready-made, low-cost source of credible leads, provided the organization has the resources and the resolve to investigate them.

Fraud risk managers need to tailor their message to different audiences at a faster pace and must become better communicators. Fraud communication needs to be reinforced, and this extends to training, which must be creative and built around current topics so that the message is easily assimilated and on point. The importance of training needs to be emphasized and, for once, rigorously enforced, with penalties for noncompliance.

With this information overload, fraud risk managers will have to provide clean, accessible, robust and sustainable data, and will need to retain large volumes of it for future inspection and audit. The volume of data being generated will enable the more astute to redesign their control processes around a comprehensive data management approach that draws on both public and private data sets. The data flows need to be kept in perspective: every anomaly must be explained, and the number of false positives will grow with the volume of data, so sanitization and regular inspection are a must if the behavioral analysis that detects new and existing incidences of fraud is to be trusted.

Moreover, certain segments of the customer base will be more prone to high risks, and fraud investigators will have to employ behavioral analysis to drive informed decisions on whether transactions are fraudulent or genuine. Machine learning and artificial intelligence will have to be woven into the fraud risk manager's fabric, providing data analytics that can be used to understand device vulnerabilities and attacks.

These challenges will alter the role and responsibilities of fraud risk managers, who will become data custodians, model risk managers and ad hoc technologists.
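The behavioral baselining and false-positive trade-off described above, as an added example that is not code from the original article: each account's history gives a baseline of typical amounts, countries, devices and active hours; new transactions are scored against that baseline with an explainable reason per signal; and the same scoring is run at two thresholds so the analyst can see how flagged volume, hits and false positives move together. Every account, amount, country, device ID and fraud label below is constructed, and the signal weights are assumptions, not a tuned model.

```python
"""Per-account behavioural baselining over a constructed transaction sample.

Added example for illustration only; it is not code from the original
article. Every account, amount, country, device ID, hour and fraud label
below is made up, and the signal weights are assumptions, not a tuned model.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    account: str
    amount: float
    country: str
    device: str
    hour: int            # local hour of day, 0-23
    fraud: bool = False  # ground truth, used only to count hits and false positives


# Constructed history: 30 ordinary transactions for each of two accounts.
HISTORY = (
    [Txn("A1", 40 + (i % 7) * 5, "GB", "dev-a1", 9 + i % 9) for i in range(30)]
    + [Txn("A2", 400 + (i % 5) * 50, "DE", "dev-a2", 8 + i % 10) for i in range(30)]
)

# Constructed transactions to score; the labels would not exist in production.
NEW = [
    Txn("A1", 55.0, "GB", "dev-a1", 12),                # in pattern
    Txn("A1", 1900.0, "NG", "dev-zz", 3, fraud=True),   # huge, new country, new device, 03:00
    Txn("A2", 450.0, "DE", "dev-a2", 10),               # in pattern
    Txn("A2", 2200.0, "DE", "dev-a2", 11),              # large but otherwise in pattern (genuine)
    Txn("A2", 380.0, "BR", "dev-a2", 2, fraud=True),    # small, new country, 02:00
]


def build_baselines(history):
    """Summarise each account's normal amounts, countries, devices and active hours."""
    per_account = defaultdict(list)
    for t in history:
        per_account[t.account].append(t)
    baselines = {}
    for account, txns in per_account.items():
        amounts = [t.amount for t in txns]
        baselines[account] = {
            "mean": mean(amounts),
            "std": pstdev(amounts) or 1.0,   # avoid division by zero for flat histories
            "countries": {t.country for t in txns},
            "devices": {t.device for t in txns},
            "hours": {t.hour for t in txns},
        }
    return baselines


def score(txn, baselines):
    """Return (score, reasons); every point of score carries a human-readable reason."""
    b = baselines.get(txn.account)
    if b is None:
        return 3.0, ["no baseline for account"]
    s, reasons = 0.0, []
    z = (txn.amount - b["mean"]) / b["std"]
    if z > 3:                                   # weights below are assumptions
        s += min(z / 3, 3.0)
        reasons.append(f"amount z={z:.1f}")
    if txn.country not in b["countries"]:
        s += 2.0
        reasons.append("new country")
    if txn.device not in b["devices"]:
        s += 1.5
        reasons.append("new device")
    if txn.hour not in b["hours"]:
        s += 1.0
        reasons.append("unusual hour")
    return s, reasons


def evaluate(new, baselines, threshold):
    """Flag transactions scoring at or above threshold; count hits, false positives and misses."""
    result = {"threshold": threshold, "flagged": [], "tp": 0, "fp": 0, "fn": 0}
    for t in new:
        s, reasons = score(t, baselines)
        if s >= threshold:
            result["flagged"].append((t, s, reasons))
            result["tp" if t.fraud else "fp"] += 1
        elif t.fraud:
            result["fn"] += 1
    return result


if __name__ == "__main__":
    base = build_baselines(HISTORY)
    for thr in (3.0, 3.5):
        r = evaluate(NEW, base, thr)
        print(f"threshold {thr}: tp={r['tp']} fp={r['fp']} fn={r['fn']}")
        for t, s, why in r["flagged"]:
            print(f"  {t.account} {t.amount:>8.2f} {t.country} score={s:.1f} {why}")
```

At a threshold of 3.0 the sample flags both fraudulent transactions plus one genuine large payment; raising the threshold to 3.5 removes the false positive but also misses the small night-time transfer from a new country. That is the trade-off the text refers to, and the reasons list is what lets an investigator explain each alert rather than just act on a score.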

Passing thoughts

Crisis fraud risk management means that fraud risk managers must have an adaptable and credible plan and stay focused rather than become embroiled in the crisis themselves. The three countermeasures above offer insight and guidance to reduce both the vulnerability and the number of fraud incidences in a crisis.

This article was published on Professional Risk Managers' International Association (PRMIA)

Fraud is all around us, grabbing the headlines every single day. Fraud is a high-impact, low-probability risk with the potential to destroy a firm’s integrity and reputation very quickly. Many firms focus on the low-probability nature of fraud, and consequently fail to employ both resources and structure to address this risk. A typical fraud risk management framework includes the following components: governance, assessment, strategy and evaluation.

Let’s take a look at four steps a firm can take to develop and maintain an effective fraud risk management program.

1. Create a dedicated governance structure to manage fraud risk.

The first requirement is to build an organizational culture to combat fraud at all levels of the firm. This should demonstrate a senior-level commitment and set an anti-fraud tone that permeates the culture. To oversee all fraud risk management activities requires the development of an anti-fraud entity that, among other things, will:

2. Create a fraud risk assessment.

The next stage is to plan regular fraud risk assessments that are tailored to the fraud risk management program. To further this goal, the firm should identify specific tools, methods and sources for gathering information about fraud risks, including data on fraud schemes and trends from monitoring and detection activities. Buy-in means involving relevant stakeholders in the assessment process, including the individuals responsible for the design and implementation of fraud controls.

Requirements include:

3. Design and implement an anti-fraud strategy with specific control activities.

Based on its fraud risk profile, a firm should develop, document and communicate an anti-fraud strategy to employees and stakeholders that describes the program’s activities for preventing, detecting, responding, monitoring and evaluating. The following questions can be used to guide the firm’s resource allocation in response to fraud:

4. Conduct risk-based monitoring and evaluate all components of the framework.

Collection and analysis of data — including data from reporting mechanisms and instances of detected fraud — is a must in the monitoring of fraud trends and in the identification of potential control deficiencies. Moreover, it is important to evaluate the effectiveness of preventive activities, fraud risk assessments, anti-fraud strategy, fraud controls and response efforts.

A risk-based approach to monitoring should also be implemented. This approach should consider internal and external factors (e.g., organizational changes and emerging risks) that can influence the control environment.

Every fraud risk management program can be further enhanced by fraud awareness training and by communicating results — for example, instances of fraud that have been identified and corrective actions that have been taken — to employees.

Following these four steps will help to prevent, but not eliminate, fraud. Most fraud can be staved off by a comprehensive risk management program, but as criminals and morally compromised people concoct new forms of deceit, financial institutions must remain vigilant.

This article was published on ACFE Insights

The defining issue and top global emerging risk of 2020 is climate risk, which has been gaining a sense of urgency with major implications for financial institutions. Climate change can no longer be viewed in isolation as a reputational risk but must be seen and addressed as a financial risk that needs to be integrated into existing risk management frameworks. Climate risk is a "transverse" risk that can extend its reach into existing risk stripes. As climate risk manifests itself through those risk stripes, it can also heighten credit risk for banks, as demonstrated by the recent PG&E bankruptcy. Banks need to consider how climate-driven financial risks can be embedded into current financial risk management frameworks.

Regulators have been influenced by increasing interest in both the impact and the implications of climate change, a result of public awareness and of the failure of governments and the United Nations to reach substantive collective agreement. In this vacuum, central banks are starting to lead by example by including climate-related risks in their evaluations, leading to an escalation of policy pronouncements that are likely to come more rapidly as the climate change debate intensifies. Increased cooperation is evidenced by the Network of Central Banks and Supervisors for Greening the Financial System (NGFS), an international collaboration between central banks and regulators whose main aim is to help the financial sector meet the Paris climate goals.

Since climate change continues to have huge economic and political implications, regulators are pushing financial institutions to factor climate risk into their analyses of country risk and sovereign ratings, which will filter down into individual counterparty ratings.

The IMF's new chief, Kristalina Georgieva, pioneered green bonds in 2008 while at the World Bank. Her discussion of whether assets should carry different risk weightings according to how green they are is fostering an important debate that engages the financial community. Recently, U.S. Democratic Senator Brian Schatz of Hawaii introduced a bill that would direct the Federal Reserve to subject large banks to stress tests measuring their resilience to climate-related financial risks. The proposed Climate Change Financial Risk Act of 2019 underscores worries among policy makers over the risk posed to the financial system by the severe and recurring weather events that continue to plague the continental United States.

Accountability has become the weapon of choice: financial institutions that have signed up to laudable climate principles (e.g. the Equator Principles) will need to demonstrate with actionable examples how they are adhering to them. Shareholders and social media will apply a lens that may mean Boards need to become climate literate at a faster pace.

The need for disclosure is paramount and this process will escalate initiatives led by the Task Force on Climate-Related Financial Disclosures of the Financial Stability Board. As an example, the Task Force is recommending that companies make their climate-related risks known to lenders and other stakeholders.

Board members are increasingly being viewed as fiduciary custodians by their stakeholders and as such there has been a need to include representation from climate science on the Board. Moreover, some Boards are openly demanding the need for organizational structural change by means of a Sustainability Committee reporting directly to them to enhance Board comfort around the climate challenges.

call to action

A call to action seems to have resonated with all stakeholders within the community, as evidenced below:

• The UK's Prudential Regulation Authority became the first regulator in the world to publish supervisory expectations that explain how financial institutions need to develop a methodology, framework and approach to managing the financial risks emanating from climate change.

• The Bank of England is insisting that there is a senior manager in each major financial institution responsible for managing climate risk, who can be liable for fines or a ban if there is ineffective governance and oversight.

• Barclays has joined sixteen other leading banks, the UN Environment Finance Initiative (UNEP FI) and Acclimatise in publishing new methodologies that help banks understand how the physical risks and opportunities of a changing climate might affect their loan portfolios.

• HSBC has set up its Climate Change Centre of Excellence, which analyzes the commercial implications of climate change for HSBC Group businesses and clients.

• French banks such as BNP, Société Générale, Natixis and Crédit Agricole have retreated from, and stopped, lending focused on oil and gas from shale and tar sands. These banks are pioneering in the climate space, driven mainly by France's Energy Transition Law, which was introduced in 2015 and requires financial institutions to report on their carbon risks.

• The European Union is to stop funding oil, gas and coal projects at the end of 2021. The European Investment Bank (EIB), the EU's lending arm, will bar funding for most fossil fuel projects.

• Sweden's central bank has ditched bonds issued by Australian and Canadian regions on the grounds that their carbon emissions are too high.

• A shareholder in Australia filed suit against the Commonwealth Bank of Australia for failing to disclose climate risk adequately. The case was dropped after the bank released new reporting that recognized climate change as a financial risk.

• A retreat from lending to companies with large carbon footprints has left some financial institutions with large industrial exposures that they had not planned, or been prepared, to hold.

• Spanish energy company Repsol SA is cutting the value of its assets by billions of dollars because the global transition to a lower-carbon economy is weakening the outlook for energy prices.

• Up until now, these climate risks have largely been absent from investors' models, but the rating agencies are at least considering changes to their methodologies for assigning ratings to incorporate climate risk.

• Investment funds are now being held to a higher standard when it comes to their portfolio restrictions and guiding principles on climate-related investments.

risk identification

Financial risks stemming from climate change are generally seen as arising through three main channels: physical risk, transition risk and liability risk. Physical risks arise from climate- and weather-related events. These changes in the physical environment will create physical risks that affect individuals, businesses and economies, and consequently a variety of financial transactions. Transition risks arise from the process of adjusting toward a lower-carbon economy. Policy, technology and laws relating to climate change could be accelerated, prompting a reassessment of the value of a large range of assets as costs and opportunities become apparent. This reassessment could modify the value of assets and liabilities, thereby altering the risk profile of financial institutions. As the window for voluntary action narrows and government requirements become more immediate and demanding, the speed at which the transition occurs will determine the scale of disruption for the affected industries.

Transition risk is likely to be the biggest area of influence on asset values in the shorter term, whereas the physical effects are likely to be the driving factors influencing asset values and economic performance in the medium to longer term.

In jurisdictions such as the US or Europe, lenders are unlikely to be held directly liable for the activities of the companies that they lend to; however, this may soon change due to increased political and social pressure. Banks acting as underwriters of bonds should assess the materiality of climate risks to an issuer’s business when drafting risk factors in the offering documents. For Board members, there is a real risk of being sued for not disclosing and alternatively being sued for making forward looking statements about climate change which prove to be incorrect.

Given the uncertainty around the future path of emissions, and their associated economic and financial impacts, a natural tool for analyzing these risks is scenario analysis. There are two primary types of scenario fit for this purpose: climate-impact (physical risk) scenarios and transition scenarios. Climate-impact scenarios investigate the effects climate change could have on economies, societies and ecosystems given an assumed level of emissions; transition scenarios model how economies might adjust given a temperature target and government policy. While existing scenario analysis or stress testing frameworks can be leveraged, climate risk scenario analysis differs from their traditional use in its longer time horizons, its description of physical variables and, generally, its omission of specific economic parameters. The Bank of England is asking British insurers and lenders to gauge to what extent global warming might affect the value of their investments and balance sheets, and its potential to destabilize the financial markets. The three climate scenarios promulgated by the bank's Prudential Regulation Authority are "exploratory" in nature: the hypothetical narratives are designed to pinpoint risks and exposures, there is no pass or fail, and results are published in aggregate without naming institutions.

how climate risk impacts existing risk types

There is a need to examine existing risk types and consider whether climate risk is sufficiently material to be incorporated and embedded into established risk frameworks. Financial risks will typically be greater for long-lived assets and liabilities (e.g., infrastructure, pensions) than short-term contracts, where risks and pricing can be more readily adjusted. There may also be consequential risks, such as concentration risk and asset-liability mismatches. The more that these types of transverse considerations are embedded into firms’ day-to-day governance and risk management processes the better firms will be able to manage and mitigate the financial risks of climate change. The risks relate to a firm’s clients, counterparties, and their own internal operations.

Moreover, credit analysis will also have to change, as illustrated below, to meet the climate risk challenge.

• Climate change may affect the comparative market competitiveness and performance of the firm, e.g. through the writing down of carbon asset values on the balance sheet.

• Differential pricing and returns may have to be incorporated, with the credit proposal emphasizing the basis for carbon-free projects.

• Noncompliance with environmental regulations could result in various forms of liability for the project and its stakeholders, as well as unwanted publicity.

• The client's ability to refinance may be compromised once awareness of climate risks has increased, making it more difficult for a current investor to exit.

• Repayment sources may be affected, as income from the sale of assets or equity by clients may be diminished when climate change affects market values.

• The cost of insurance for clients may increase, and exclusion clauses may become more onerous. Insurance cover may no longer be available, forcing companies to self-insure, which would require them to make financial provisions to cover future losses, affecting their financial capacity.

passing thoughts

Now is the time to act on greening the financial system in order to move away from a verbal undertaking of corporate responsibility to one of sustainable leadership. The world is watching to see which financial institutions have the vision and leadership that define their role in the social and economic fabric of climate change.

This article was published on issuu

5 Hallmarks of an Effective Cybersecurity Program

This article was published on Global Association of Risk Professionals

In February, the Federal Reserve Board is expected to release scenarios for its 2020 Comprehensive Capital Analysis and Review (CCAR) and Dodd-Frank Act stress test (DFAST) exercises. Moreover, the European Banking Authority (EBA) recently published templates for its EU-wide stress tests. In short, even though DFAST requirements in particular have been scaled back, stress testing is still extremely important for both banks and supervisors.

Since the 2008-09 financial crisis, with the help of severely adverse scenarios and other stress tests, banks have significantly increased their capital buffers relative to risk-weighted assets. The financial system, moreover, now seems much better prepared to withstand a severe shock.

Banks have also used stress tests to improve their modeling, governance and data gathering, and there is now better communication between risk managers and business executives. All of this, of course, is linked not only to greater regulation but also to banks’ understanding about the potential business benefits of the tests.

Stress testing is a forward-looking risk management tool for evaluating the potential impact of both unexpected events and changes in a firm’s financial variables – including capital, asset quality and profitability. It incorporates risk into planning by providing the “what if” scenarios for the strategic and capital planning processes.

The establishment of risk appetite, balance sheet management, risk management and capital management are all inextricably linked to stress testing. The simple objective of stress testing is to keep institutions as a going concern balancing risk capacity (capital, earnings) with risk exposure (credit, market, operational, etc.).

Ultimately, stress testing should also lead to calls for action, which may take the form of, say, developing contingency plans, reducing concentrations, determining the appropriate dividend, or raising capital through equity or debt.

There is a three-item checklist for developing effective stress testing: firms must (1) understand and deploy the various kinds of stress tests; (2) build a comprehensive framework for modeling different scenarios; and (3) determine whether a top-down or bottom-up approach is the best strategy for evaluating the impact of shocks to macroeconomic variables.

Scenario Analysis, Reverse Stress Testing and Sensitivity Analysis

There are three types of stress testing:

Scenario Analysis entails the development of historical or hypothetical scenarios to assess the impact of various events. Scenarios usually involve a coherent, logical narrative that describes how events occur and in which combination and order.

Through scenario analysis, a firm can evaluate the impact of specified scenarios on its financial position. The scenarios can be chosen based on a defined probability of occurrence – for example, a ‘one-in-a-hundred-years’ event.

The application of scenario analysis shows the complex dependencies between several risk factors and their related key performance indicators (KPIs).

Reverse stress testing assumes a known adverse outcome and then deduces the types of events that could lead to such an outcome. This type of stress testing considers scenarios beyond normal business considerations, challenging common assumptions.

Sensitivity Analysis involves changing and stressing variables, parameters or inputs without an explicit, underlying reason or narrative.

Building a Proper Framework

Stress testing planning must be plausible, consistent, adaptive and reportable. This planning must be underpinned by a robust and effective framework that uses scalable reference data and relies on the efficiency and suitability of its forecasting models.

Furthermore, the framework should test the robustness of risk models: checking the sensitivity of models to different and divergent stresses may help evaluate their effectiveness. The adequacy and practicability of risk limits and triggers must also be measured, and relevant risk drivers should be identified.

Components of a Stress Testing Framework

Forecasting the impact of stresses and scenarios on the business plan can help prove, or disprove, the viability of that plan. Stress testing, moreover, should enable the understanding of the cause-effect relationship between stresses and changes in the risk profile of a company, allowing senior management to make prompt, well-informed business decisions.

Two Approaches

There are two common stress testing approaches: bottom-up and top-down.

The bottom-up approach evaluates the impact of shocks to macroeconomic variables at the most granular level of data. It considers shocks at individual customer levels, and the results are then aggregated to give a firmwide view of the impact on the firm’s capital levels.

The top-down approach, in contrast, evaluates the impact of shocks to macroeconomic variables on a firm’s balance sheet or income statement.

There are, of course, advantages and disadvantages (see chart, below) to each approach.

Stress Testing Approaches: Pros and Cons

Top-Down Approach
Pros:
• Less dependent on complex models and therefore quicker to implement.
• Requires minimal monitoring and intervention.
Cons:
• Assumes a static balance sheet.
• Gives an imprecise modelling of linkages between changes in economic conditions and risk factors.
• Doesn't capture the idiosyncratic risk of the firm.
• Doesn't capture concentration and correlation risks adequately; assumes zero or constant correlation among portfolios.

Bottom-Up Approach
Pros:
• Realistic modelling of linkages between changes in economic conditions and risk factors.
• Captures the idiosyncratic risk of the firm.
Cons:
• Model and technology intensive, making this approach time consuming.
• Requires continuous validation of models and underlying assumptions.
• May give varied results when underlying economic conditions change, even though the balance sheet composition may remain the same.
• Makes it difficult to benchmark peers, as the idiosyncratic risk is not separated from the systemic risk.

Combination
Pros:
• Combining or contrasting both approaches yields a clearer picture.
Cons:
• Takes a lot of planning and preparation.

Parting Thoughts

Stress testing can shape the risk profile of your organization. It identifies risk concentrations across various business lines, allowing management to form contingency plans while also providing for the integration of business strategy, risk management and capital planning.

What’s more, it offers a forward-looking view of strategic opportunities, and promotes risk discussions that lead to enhanced internal and external risk communication.

This article was published on Global Association of Risk Professionals

Fraud risk management should both inform and shape any third-party risk management program in conjunction with all the other risk disciplines. Now more than ever, with increased regulation and risk, organizations must conduct vigorous, structured and regular due diligence on third-party intermediaries. The risks posed by these parties are many and varied, ranging from cybersecurity to business disaster. With third parties accessing regulated company information, the likelihood and impact of IT security incidents are on the rise.

Regulators are looking for the methodology, the approach and the sustainability of programs designed to capture and mitigate these risks. Moreover, regulators are seeking evidence on how a program and its processes are embedded and aligned within an organization’s risk culture and risk appetite.

Possessing a robust, structured program to mitigate these risks can protect corporate reputation and shield executives, board members and other management from personal and professional liability. At its core, such a program incorporates a risk-based approach, which is a methodical and systematic process of knowing the company’s business, identifying its risks and implementing measures that mitigate those risks.

The diagram below portrays the key considerations which are explained further below.



Each third-party relationship brings with it several multidimensional risks that extend and traverse across suppliers, vendors, contractors, service providers and other parties. An effective third-party risk management process begins by comprehensively identifying third-party risks. This risk identification process should be followed by an analysis of the specific drivers that increase third-party risk. Moreover, your organization needs to understand its universe of vendors and how the third-party ecosystem engages, interacts and connects with its internal and external operating environment.

With an understanding of its risk appetite for vendor risk, a risk framework can be developed, with a coherent and consistent set of policies and procedures that define an objective risk assessment model, crucial in creating a risk profile for third parties. The policies and procedures will also describe the implementation of the system, the resources, acceptable mitigants, and roles and responsibilities.


Your organization should take a risk-based approach to third-party screening and due diligence. Stratify your third parties into various risk categories based on the product or service, as well as the third-party’s location, countries of operation and key contributions. An important part of the process will be to mitigate an over-reliance on any key third party.


Standardized contracts are a must, outlining the rights and responsibilities of all parties, with suitable metrics in place to sustain the relationship. Given the importance of supply chains today, the contract should identify any subcontracting to a fourth party. The key is to contractually bind third parties to inform and get approvals on any fourth-party involvement and ensure that fourth parties are in the scope of screening and risk management processes. Understanding the business continuity process and the compliance requirements of the third party are also important considerations in the selection process.


Monitoring is essential as it will ensure that performance standards set by the program are being implemented and followed with the imposition of well-defined metrics to measure the effectiveness of the program. Continuous third-party monitoring and screening is the key to helping companies make informed decisions about their third parties, with screening against global sanctions lists, law enforcement, watchlists and adverse media reports.


The termination process is often overlooked, but it is crucial and should be settled during the negotiation. It should take what-if scenarios into account, with various trigger points that allow your organization to extricate itself from the relationship in an orderly and timely fashion.
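The risk-based stratification, fourth-party scoping, watchlist screening and over-reliance check from the steps above, combined in one added example that is not the article's code. The vendor records, the watchlist, the placeholder "high-risk" country codes, the critical-service list, the scoring weights and the tier cut-offs are all invented assumptions; a real program would draw these from the policies and procedures, and the screening would run against the actual sanctions and enforcement lists rather than a three-entry table. The name normalization (case, accents, dotted abbreviations, corporate suffixes) is the part that usually makes the difference between a hit and a miss.

```python
"""Third-party risk tiering, watchlist screening and concentration check over
constructed vendor records.

Added example for illustration; it is not the article's code. Vendor names,
the watchlist, the "high-risk" country codes, the service list, the scoring
weights and the tier cut-offs are all invented assumptions.
"""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

HIGH_RISK_COUNTRIES = {"XX", "YY"}                      # placeholder codes, assumption
CRITICAL_SERVICES = {"payments", "cloud hosting", "data processing"}
CORP_SUFFIXES = {"ltd", "limited", "llc", "inc", "plc", "co", "corp", "corporation", "gmbh", "sa"}
WATCHLIST = ["Globex Trading LLC", "Acme Offshore Holdings", "Initech Payments Ltd"]  # constructed
MATCH_THRESHOLD = 0.85                                  # similarity needed to raise a hit
CONCENTRATION_LIMIT = 0.40                              # share of total spend on one vendor


@dataclass(frozen=True)
class Vendor:
    name: str
    country: str
    service: str
    handles_regulated_data: bool
    annual_spend: float
    subcontractors: tuple = ()      # fourth parties declared under the contract


def normalize(name):
    """Fold case and accents, drop dotted abbreviations, punctuation and corporate suffixes."""
    n = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    n = n.replace(".", "")                       # "L.L.C." -> "llc"
    n = re.sub(r"[^a-z0-9]+", " ", n)
    return " ".join(t for t in n.split() if t not in CORP_SUFFIXES)


def screen(name, watchlist=WATCHLIST, threshold=MATCH_THRESHOLD):
    """Fuzzy-match a name against the watchlist; returns [(entry, similarity)], best first."""
    q = normalize(name)
    hits = []
    for entry in watchlist:
        ratio = SequenceMatcher(None, q, normalize(entry)).ratio()
        if ratio >= threshold:
            hits.append((entry, round(ratio, 3)))
    return sorted(hits, key=lambda h: -h[1])


def inherent_score(v):
    """Additive inherent-risk score; the weights are assumptions."""
    s = 0
    s += 3 if v.country in HIGH_RISK_COUNTRIES else 0
    s += 3 if v.service in CRITICAL_SERVICES else 0
    s += 2 if v.handles_regulated_data else 0
    s += 1 if v.subcontractors else 0            # a fourth-party chain adds opacity
    s += 1 if v.annual_spend > 1_000_000 else 0
    return s


def tier_for(score):
    return "Tier 1" if score >= 7 else "Tier 2" if score >= 4 else "Tier 3"


def assess(vendors):
    """Tier each vendor, screen it and its fourth parties, and flag spend concentration."""
    total_spend = sum(v.annual_spend for v in vendors) or 1.0
    report = []
    for v in vendors:
        own_hits = screen(v.name)
        fourth_party_hits = {}
        for sub in v.subcontractors:             # fourth parties are in scope for screening
            hits = screen(sub)
            if hits:
                fourth_party_hits[sub] = hits
        score = inherent_score(v)
        tier = tier_for(score)
        if own_hits or fourth_party_hits:
            tier = "Tier 1"                      # any watchlist hit escalates regardless of score
        report.append({
            "vendor": v.name,
            "score": score,
            "tier": tier,
            "watchlist_hits": own_hits,
            "fourth_party_hits": fourth_party_hits,
            "concentration": v.annual_spend / total_spend > CONCENTRATION_LIMIT,
        })
    return report


# Constructed vendor population.
VENDORS = [
    Vendor("Globex Trading, L.L.C.", "XX", "logistics", False, 200_000),
    Vendor("CloudNine Hosting Inc", "US", "cloud hosting", True, 2_500_000, ("Initech Payments Ltd",)),
    Vendor("Bob's Stationery", "GB", "office supplies", False, 5_000),
    Vendor("Acme Offshore Holding", "YY", "treasury advisory", True, 300_000),
]

if __name__ == "__main__":
    for row in assess(VENDORS):
        print(row)
```

On the constructed population the hosting vendor lands in Tier 1 on score alone and is also flagged for concentration and for a listed fourth party; the logistics vendor scores low but is escalated by a watchlist hit that only surfaces once "L.L.C." and "LLC" normalize to the same string. The threshold is a tunable: lower it and near-misses such as singular versus plural names are caught at the cost of more analyst review.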

Third-party risk management is one of the top emerging risks, and fraud risk management needs a seat at the risk table to both impact and inform the program but more importantly keep it relevant with regard to outside influences. Fraud risk management can no longer be a silent partner when it comes to third-party risk management.

This article was published on ACFE Insights