
John Thackeray is a risk & compliance practitioner and an acknowledged writer. As a
former senior risk executive at Citigroup, Deutsche AG and Société Générale, he has had
a first-hand engagement with US and European regulators. John holds an MBA from the
Chartered Institute of Bankers and was a Lecturer in Banking, Economics and Law.
He is a frequent contributor, thought leader and speaker on risk industry insights and has published
risk articles and white papers for the Professional Risk Managers’ International Association, the Global
Association of Risk Professionals, the Risk Management Association, the Association of Certified Fraud
Examiners, the Association of Certified Anti-Money Laundering Specialists, and the Chief Financial Officers
University.
Introduction
Climate risk is the defining issue of our generation, but it is the velocity of climate change which will have the greatest and most profound impact upon our lives. Climate risk is a long-term science-based, non-diversifiable risk, impacting and affecting all industries. To the corporate world, climate risk is a balance sheet risk, a profit and loss risk and more importantly a reputational risk. The risk requires firms to think about assigning a set of comprehensive roles and social responsibilities/values that can be measured up and be accountable to mitigate the challenges posed. Through climate change, one sees the interconnectedness of emerging risks, with the current pandemic, a manifestation of both the velocity and acceleration of this risk, ushering in a change transformation of both thought, word and deed.
Business Model Changes
COVID 19 is a dress rehearsal for climate change, a harbinger and abstract of what is in store down the road. The current pandemic is an agent of change, causing disruption and requiring firms to adapt their business models to accommodate these changing circumstances. Such a change can be seen in the realm of stress testing and scenario design, (which are the common tools used to identify, measure, quantify and review enterprise risks both known and unknown), with the data provided by COVID 19 adding more realistic data and testing parameters to the emergence of climate change. Stress testing and scenario design have been around for a while but what has changed in this pandemic is the need to repurpose/enhance existing models, whilst at the same time, overlaying and incorporating new thinking and parameters. Common issues such as data quality, information technology and risk management have had to be structurally addressed to ensure that the resultant output of these test results is both meaningful and transparent to its many users. The pandemic has asked questions on the gathering, collection and frequency of data utilized, requiring, and enhancing data sets which can be introduced and populated for climate change modelling.
Business/Government Leadership
COVID 19 has ignited and obfuscated the current climate change debate, with politicians from all walks of life, trying to distract and manipulate the debate for short term considerations .This political uncertainty is amplified by the fact that firms operating in multi jurisdictions , will have to cater to the differing lenses and perspectives of a constantly changing central government policy. If the way out of the current pandemic comes in the form of a green viral, it may be that the corporate world needs to take the initiative, striving to do what is right, leading to greener pastures.
Governance
Firms have now been forced to plan to include climate risk within their portfolio of risks, with a framework that includes the five pillars of governance, risk management, strategy, pricing and metrics. The lynchpin of this framework, is governance and this is evidenced by company boards driving and dictating the change, rather than senior management; setting a whole new sense of social and commercial responsibility, the likes of which have never been seen before. Moreover, boards now have had to educated at short order with many turning to colleagues from the insurance industry who have a wealth of experience in forecasting and dealing with the long-term implications of climate. It is becoming self-evident to boards that firms very existence is wrapped up in the way they approach climate risk and the efforts needed to improve their continuing viability, sustainability and resilience. This Climate change DNA is invoking for the few who walk this path, a strong culture of compliance and governance focusing on quality returns and maximizing the customer experience.
Disclosures
Many firms have been forced to disclosure their efforts by means of written narrative in their financial reporting. The quality of their disclosures will be under the microscope with stakeholders alike, looking to see that the words have been translated into concrete actions. Boards and senior management will be watched with eagle eyes on how they behave with any discrepancies, the subject of litigation and social media scrutiny. The messaging will be all important and could be part of the sustainable company brand. The requirements need to comply with the above measures are exacting, with financial institutions now needing to monitor their customers green efforts and behavior by means of covenants and warranties. The covenants and warranties are far reaching extending to both funding and investment decisions, in terms of research and development and capital expenditure. Lending firms are becoming more closely identified with their customers and their borrowing policies, a reflection of their climate corporate governance. This gives the opportunity for lending firms to position themselves as “green” role models and brand their lending accordingly. The more astute firms will take this onboard with performance tables being designed and produced indicating the applicability of climate risk standards, enabling the corporate world to be benchmarked against one another.
Conclusion
Above all, climate risk must be thought of as a commercial risk, the institutions that embrace these changes and adopt, reinforce corporate values which can be a game changer in terms of reputation and culture. Those institutions that adopt a higher purpose with a climate moral compass are likely to experience anecdotally a more coherent and collective culture. This culture change can be seen as a competitive advantage, but it must be remembered that there are costs associated with the introduction of this climate change vision. Embedding this change transformation requires a sustainable reengineering in terms of business practice and models, demanding investment in different skills sets and training.
Mankind is watching and the question is, do you want to be the shepherd or the sheep, the choice is yours?

To regain public trust, the boards of directors at banks must take proactive steps to court complaints and encourage whistleblowing about employees’ malfeasance.
By John Thackeray
Public perception that financial institutions are driven by greed and wilful blindness has recently been reinforced by a seemingly never-ending litany of scandals. This impression of failure is a damming condemnation of both management and boards of directors to communicate clear messaging and to implement and maintain effective conduct-risk plans.
To inform and reinforce ethical behavior, a firm needs more than, say, a 150-page employee handbook. Indeed, the pressure is now greater than ever for boards to provide sustainable, ethical governance and oversight – independently and proactively.
The question facing banks’ boards is how to ensure that the character and values they preach are actually practiced by their employees. Board members who place their faith in senior management need a multitude of mechanisms to verify this fidelity.
Let’s now take a look at three steps every bank can take to mitigate conduct risk:
1. Proactively court complaints.
Create a department that is responsible for categorizing employee complaints and discovering the root cause of misconduct. Complaints should be risk ranked and be readily communicated to the board. Moreover, employees should be actively encouraged with reimbursement for their time and effort. The idea, of course, is not to exonerate bad behavior and bad practices, but, rather, to better understand their underlying causes.
2. Employ secret bankers to act as a company’s eyes and ears, reporting independently to the board.
Much like the concept of secret shoppers within retail, these specialized bankers can be parachuted into areas of concern – including high-profit groups. They should be trained to observe whether existing working practices are compatible with a bank’s ethics policies and must use all the tools at their disposal to understand behavioral drivers and the underlying pressures that employees are facing.
3. Reward whistleblowing.
Instead of relying on regulators to reward whistleblowers, banks themselves should offer a monetary incentive for employees to report conduct violations. Since whistleblowing is often perceived as a career-ending event, the compensation should be significant. This policy will set the tone from the top, encouraging employees to challenge bad behavior, without being stigmatized and without enduring major financial losses.
Parting Thoughts
All three of these measures are proactive and require very little implementation cost. A change in mindset, above all else, is what’s needed to deploy these measures effectively.
The goal should be to encourage employees to “actively rush toward the fire,” with a plan on to extinguish it. But for that to happen, banks must implement clear conduct standards, while also taking action to better understand employee behaviors.

John Thackeray is a risk and compliance practitioner and writer. His firm, RiskInk, helps businesses control their risks by writing policies and procedures to mitigate them. As a former senior risk executive at Citigroup, Deutsche Bank AG and Société Générale, he has had firsthand engagement with U.S. and European regulators.
by John Thackeray
Risk Management – The Transformation
introduction
Never before in the age of risk management has so much been asked by so many by so few. Risk Management is going through a change management transformation, the likes of which have never been seen before. The key drivers for this change include a persistent volatile environment, a deep longing to be considered a good social citizen, endless regulation, the growth of non-financial risk types, new methods of customer engagement and a need to address past mistakes. The change is being exacerbated by the new operating environment (working from home), which has been enforced by COVID-19, focusing risk management to think differently both in terms of architecture, people, processes, systems and value.
This paper looks at the key drivers and the implications that it poses and suggests a meaningful pathway for the future of risk management by means of change transformation.
drivers
The current operating environment in which firms find themselves is anything but benign. COVID-19 has deepened structural fissures within an already existing fragile ecosystem. Negative interest rates, increased compliance costs, zombie loans, the continuing levying of fines for anti-money laundering and corruption have eaten into income and capital. Moreover, the persistence of scandals which are highlighted every week by social media have evaporated any good will towards financial institutions. Many financial institutions have been seen as facilitators of tax avoidance and enablers of financial crimes. The reputation of many is such that customer expectations, sentiment, and engagement are low, with very little confidence in both the products and the messaging of the organizations. Simply put, the financial organizations seem to many of their stakeholders to have lost their way, with no moral compass to lead them, leaving behind a bankrupt and obscure identity.
Having shot themselves in the foot, retribution has come in the form of heavy regulation partly due to past sins but also as an appeaser towards public opinion. The regulators now have the ready-made excuse to appear in the bowels of financial institutions, dictate terms, with an ever-increasing bright spotlight. This oversight extends and reaches on a global basis with regulation that can be retrospective, leading to unspecified fines for past mishaps from multiple agencies and countries.
Given the 2008 financial crisis, there is no longer an appetite to shore up financial institutions and indeed there is an intolerance towards any protest from the firms on the growing depth and breadth of new legislation which has dictated. This legislation has led to more detailed and demanding capital, leverage, liquidity, and funding requirements, data privacy as well as higher standards for risk reporting, such as BCBS 239. The financial guard rails have seen stiffened with more detail and requirements in the US banking system with regards to ‘CCAR” (Comprehensive Capital Adequacy Review) and by European Union guidelines with regards to stress testing, both bodies now seemingly dictating capital and dividend policy.
The growing of non-financial risk i.e. types cyber, model, climate and conduct has had a dramatic effect on financial institutions and their operations. Each risk now has entered the Enterprise Risk Management portfolio and needs to be addressed with urgency. Model Risk has increased with data availability and advances in computing, modelling, and the need to address in quick order pressing legislation such as “CECL” ‘(Current Expected Credit Losses)”. Climate Risk has maintained its ascendancy as an emerging risk with the Bank of England leading the way both in terms of supervision and legislation. Operational resilience has gained a foothold boosted by COVID-19 with a resultant knock on to reputational risk. Conduct risk has escalated as scandals highlighted by social media question the ethics of firms on how far they will go to boost their profits. All these pressing risks by themselves have sequestered an inordinate amount of energy and cost both in terms of mitigating and reporting.
implications
These drivers will have huge implications on the effectiveness and adequacy of business systems and operations. Technology or the increased reliance on it will be seen as a panacea, the gatekeeper that can both thwart the risks and increase the opportunities posed by these drivers. The increased use of technology continues to transform the normal processes and channels of engagement/experience and accentuate the social distancing relationship. Big Data, Machine learning and Artificial Intelligence championed by the burgeoning ranks of the FINTECH are the go-to components to mitigate the effect of the drivers by means of reimagining business processes.
As regulations become more complex and the consequences of noncompliance ever more severe, financial institutions will likely have no choice but to eliminate human interventions to hardwire the right behaviors and standards into their operations, systems, and processes. There will be a need for new algorithms to parse the data, which will need to be reviewed and challenged on a constant basis. Where these interventions cannot be automated, robust surveillance and monitoring will be increasingly critical.
Increased costs have led to an ever-increasing reliance on automation, both in decision making and processes. The amount of big data being generated will enable the more astute to redesign their processes using a comprehensive data management set of both public and private data sets. Processes such as underwriting will be digitalized, information submitted need only be scanned and verified without any in person engagement.
Artificial and machine learning will be used in behavioral analysis and remove a lot of the expert judgement required by risk officers, therefore eradicating any biases within the decision-making process.
Advances in technology will also help in the key areas of stress testing and scenario planning, especially in evaluation of climate risk within the portfolio. This advancement will lead to the multi-dimensional understanding of risks with complex models that need to be adjusted. While existing scenario analysis or stress testing frameworks can be leveraged, climate risk scenario analysis differs from the traditional use of these with longer time horizons, description of physical variables and generally the non-inclusion of specific economic parameters. These idiosyncrasies mean that data and climate scientists and engineers will need to be absorbed within the existing risk management structure. Moreover, stress testing and scenario planning will also have to incorporate operational sustainability and resilience which may call for significant contributions from external third parties to help complete the analysis and evaluation.
changes transformation
The Target Operating Model of Risk Management of the future will be very different, with the risk professionals armed with a new set of technology tools and new skillsets. In order for it be an enabler, the organization needs risk to transform its vision and redefine its role structurally given that many risk professionals will now need to work from a home environment. The main strategy will involve a heavy reliance and incorporation of new technology to both right size and reimagine risk management practices.
Listed below are some suggestions, which no doubt can be modified depending on the size and complexity of the organization.
• Risk management will be seen as foremost Firm Culture Champions and then Risk Culture Champions. Building and maintaining these identical and symbiotic cultures will be critical to ensuring the success of both the enterprise and risk function of the future. The combination of these cultures is likely to be a requisite element in a firm’s future competitive advantage. The secret recipe is to start with the risk culture first and then distribute and evangelize, so that both cultures will include a vision that will include the advocation of a strong corporate value. In order for this to take root, the firm will need to monitor and survey on a regular basis the action of its employees, no doubt enhanced by technology.
• The Chief Risk Officer (“CRO”) will be seen as a Champion of the firm and will be one of the stronger internal candidates to succeed the CEO. He/she will have to become an exceptional narrator who, armed with data, can convey and articulate the message of today. The brave new normal will call for greater transparency around disclosures concerning IT/Supplier disruptions, Operational resilience, Cyber-attacks, Sustainability, Climate change. The CRO must be able to engage in the conversation with the right message and be the voice piece of the firm backed by the data.
• The risk stripes will have to be reorganized structurally around correlated risk stripe clusters e.g. Fraud, Operations, Technology, IT Security, Compliance, Human Resources, Model, Conduct, and Reputation Anti Money Laundering will all come within the same coordinated structure and governance rather than standalone silos. The synergies will result in smaller teams of agile multi discipline staff with a depth and breadth of knowledge in one or more of these subject areas.
• The Risk Personnel with be multi trained in data analytics as a starting point and have the ability to match this with practical experience in all risk stripes. The tour of duty will include cross training in the various risk disciplines which will enable the team to speak a common language while applying consistent standards. Risk professionals will be expected to wear many hats, expectations high on delivery and communication skills.
• The risk management ecosystem will demand a comprehensive enterprise wide data base which is expected to help financial institutions create a repository for all types of structured and unstructured data. Since risk functions in the future are expected to become increasingly data driven, the supporting data infrastructure is a critical enabler. This data will have many uses and create a data driven analytical risk area which will need to be resourced by staff with multiple skill sets. Understanding the data will improve overall quality, aggregation capabilities, and risk reporting timeliness thus affording the management information systems to be displayed in a means that offers the users, a great deal of information in real time, improving the quality and timeliness of fact-based decisions.
passing thoughts
Broader responsibilities, better trained, smaller, multi risk disciplined, data hungry, these will be the new requisite qualities of risk personnel. Change will happen. The question is – are you willing to embrace the change or not. The firm that thinks ahead with this mind set will be the one left standing not only with a competitive advantage but also with an enhanced reputation.
By John Thackeray
Introduction
An organization can become more productive by championing a hybrid model workplace that fosters and promotes a culture of inclusivity and trust. At the heart of a hybrid workforce model, are the ideas of shared ownership and trust, which can help the organization break down long-standing beliefs about productivity and performance.
Trust is one of the most important ingredients in this model and this can be facilitated by delivering creative management strategies and exhibiting clear behavioral standards. This trust requires management strategies to place a greater emphasis on behavioral standards such as accountability, transparency, and communication, creating a culture, whereby employees feel safe and appreciated within an inclusive environment.
Trust and Management Strategie
Maintaining greater leadership communication and visibility: Create new ways to engage informally with your employees. By defining and embracing new behaviors, that are observable to all, and by deliberately making space for virtual employees to engage in informal interactions—leaders can facilitate social cohesion and trust-building in their teams.
Establish team rituals to cement a strong bond of personal relationships enabling team members to have fun in a safe environment, thus improving morale. Ensuring that the transitions between respective team norms for onsite and remote are as smooth as possible, gives employees a cohesive experience, that feels designed, not random but shared.
Fostering an open environment by letting employees’ voices be heard e.g. by means of a virtual “Lunch and Learn” opportunity or a “Fly By” opportunity with an executive, thus enabling the employees, the opportunity, to share in a safe mode.
Re-evaluate your procedures and policies ensuring that the content is consistent, resilient and fit for purpose in the hybrid workplace. e.g. The importance of On Boarding has never been greater in the emphasis of team and trust, setting out and reinforcing cultural values in terms of expectations and requires considerable procedural changes to previous practices.
Measuring performance on outcomes: Instead of focusing on tasks or hours worked, focus on the outcomes and the quality of results. By focusing on results over style, regardless of location, a more productive, engaging, and meaningful work culture can be evidenced and shared. Success is evidenced by means of clear and transparent (“KPI’S’), key performance indicators.
Conclusion
In order to be more productive, the culture must embrace the hybrid model with a mindset of shared ownership and trust, principles, which in turn SHOULD complement, the existing values of the organization.
Procedures are written primarily to reduce the inherent risk by documenting in writing the business process or activity. Effective procedures are an insight and window into the control, governance and oversight of the organization.
In order for procedures to be effective, they should have the following traits.
- Consistent data points which are easily understood and communicated.
- Use the active voice when writing procedures: It’s more direct and leaves less room for interpretation.
- Explains to readers “why” the procedure is necessary in a way a new hire can understand how this procedure helps the company achieve its objectives.
The focus of this paper is on the primary trait, data points. These set the standard and expectations which enables procedures to be written in a consistent and repeatable format. Moreover, common data points can ensure the proper enforcement of policy by reinforcing the guidelines and standards prescribed. This paper articulates a menu of data points which must be considered in the appreciation and application of this objective.
Below is a table of data points followed by explanations of each data point. **High/Medium/Low refers to scale in relation to admission to the procedures.

Data points explained.
1.Inherent Risk
Inherent risk is an assessed level of the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amount of risk before the application of the risk reduction effects of control. Usually categorized into High, Medium, Low. This categorization importantly focuses the organization in both understanding and addressing those processes which represent the greatest risks to the organization, thus, enabling the proper allocation of resources to mitigate these risks.
2.Objective/Purpose and Scope
The purpose is the reason why the business exists, why you exist or why the team does what it does. The objective is the what it needs to do to achieve its goals. Scope of an activity, project or procedure represents the limitations or defines the boundaries of its application. These data points set the stage for the document and allow the reader to appreciate the significance of the process or processes.
3. Owner
Quintessentially the most important player within the process. Each owner has a unique responsibility and accountability to ensuring that the procedures are effective. It is a measurement of management skills and application and a true testament of both standards, leadership and behavior. It is the responsibility of the owner to clearly communicate and train those involved within the process. Given that the most effective control is that of segregation of duties, the Owner can never be the Approver.
4. Approver
Another implicit control is that of Authorizations. which ensures that the Approver is always one level above that of the Owner in the Organizational Hierarchy.
5.Roles and Responsibilities
According to research by the Harvard Business Review, clearly defining people’s roles and responsibilities matters more when determining a team’s success than outlining the precise path the team will take. In other words, team members perform better when they know exactly what they will be responsible for versus having a specific set of predefined steps to complete.
6. Key Controls
Key controls are the procedures organizations put into place to contain internal risks. Key controls are identified because:
- They will reduce or eliminate some type of risk.
- They are regularly tested or audited for effectiveness.
- They protect some area of the business.
- They can expose a potential area of failure.
7. Escalation/Exceptions/Remediation/Overrides
Every process will from time to time require exceptions, overrides which will require a clear and transparent, escalation and remediation process. This process must be formalized, and records kept to document both the decision-making process and the approval authority. The process speaks to governance and oversight as well as giving an indication of whether the procedures require revisions or amendments.
8.Training and Communication
This is perhaps the most overlooked data point, but it is important part of the efficacy of the procedures. Lack of both or little evidence of these data points being demonstrated, implies a lack of ownership involvement.
9. New Procedures, 10. Legal/Regulatory 11. Updates, Revisions and Amendments
All these data points are crucial in ensuring the currency and relevancy of the procedures. The owner is again responsible for the compliance of each of these data points. Given that these data points are either ad hoc or determined on an annual basis, the materiality of these points have a lower ranking.
12. Business Continuity
A business continuity plan refers to an organization’s system of procedures to restore critical business functions in the event of unplanned disaster. These disasters could include natural disasters, security breaches, service outages, or other potential threats. Usually in most procedures, there is a line item as to the plans and preparations.
13. Data Storage/Integrity/Governance/Management
Data is often said to be an organization greatest asset and as such policy and standards are dictated at the enterprise level. Given the risks and the regulations surrounding data misuse, this is a vulnerability that needs to be addressed upfront. Great care is needed to ensure that any enterprise standards are being complied and adhered to and that personnel are cognizant of such standards. Again, this is a data point whose compliance is an insight into how enterprise directives are being executed.
14. KPI’S, KRI’S
While Key Risk Indicators (KRIs) are used to indicate potential risks, Key Performance Indicators (KPIs) measure performance. At times, they represent key ratios that management can track as indicators of evolving risks, and potential opportunities, which signal the need for action. These measures are normally found in more mature processes.
Conclusion
In order for an organization to achieve consistent and repeatable procedures, it must first determine what data points are required and what data points are achievable. This paper has provided a menu which is not inexhaustible, but which requires considerable thought with regard to the appropriate data points. Much will depend on the organizations objectives and whether they wish to have a set of free-standing procedures or procedures which are more aligned to a consistent look and feel.
A consistent look and feel with consistent data points makes the procedures more auditable and compliant with policy and standards.

In his article,7 Key Elements of Effective Enterprise Risk Management, John Thackeray describes how a well structured ERM system allows an organization to navigate, with some certainty, the risks posed to its business objectives and strategy. Without useful documentation and steps to broadly communicate the elements, the best planned ERM system will fail. In this article John describes what it takes to document your ERM system.
Efficacy of Risk Documents
Good written risk documentation is both an art and a science; in the perfect world blending the writer and subject matter expert as one. Unfortunately, we do not live in a perfect world and this blend is difficult to find. Too many risk documents have either been badly written by the subject matter expert and or have been deemed content light and aspirational by the writer.
To achieve clarity, the risk documentation should be written from an independent viewpoint by someone who can challenge known assumptions with a questioning mind. The risk writer will need input from the business, seek collaboration and guide the organization towards ownership of the final document. As a result, the document will be an objective piece of writing, speaking the language of the organization while being understood by the outside world.
Good documentation is a prerequisite in the successful implementation of risk management, acting as a delivery and message mechanism. Documentation must:
- deliver a consistent message,
- speak a common language,
- have clear objectives allied to the maintenance of the organization’s objectives
, - be easy to review, evaluateand update frequently.
The documentation affects and defines the engagement with internal and external stakeholders, articulating and defining the organization’s culture, attitude, and commitment towards risk.
3 SIGNALS OF EFFECTIVENESS
The board has overall responsibility for ensuring that risks are managed. They delegate the operation of the risk management framework to the management team. One of the key requirements of the board is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level. Therefore, the board requires a comfort and assurance level that risk documentation is being used and isdirecting the organization toward achieving its objectives.
Here are three signals of effectiveness.
1. Cultural attitude towards risk: This establishes and confirms clear roles and responsibilities that reinforce ownership, accountability and responsibility. Documentation underpins standard practices and policies, so a commitment to the guidelines speaks to the adequacy of a firm’s internal control environment.Most companies will have a risk charter which binds the Board and senior management to a fiduciary duty of their responsibilities. It will impose a structure and governance affording a value add which directs the performance of corporate objectives in a controlled fashion.
Part of this cultural attitude towards risk is evidenced in the Review and Challenge. Asking the right questions and verifying the correct answers demonstrate an organization’s comfort level with its governance and documentation processes. There must be a structure in place that allows employees to challenge these processes, when necessary. For instance,with 360 degree feedback or employee lunches with the C suite. Both enable open communication and transparency.
Moreover, this will be evidenced through training. A commitment to training will speak volumes about the tone set from the top of the organization. Indeed, reinforcement through regular training will drive the corporate message home, ensuring a commonality of standards and purpose.
2. The right metrics. Metrics gauge the operational efficiency of documentation and selecting the right ones will ensure that employees are compliant in terms of key performance and key risk indicators. Too few or too many of these metrics can paint a distorted picture; the chosen metrics must therefore be material and relevant to the documentation. Regular reviews of these metrics will indicate whether the documentation is fit for purpose.Return on Equity, Risk adjusted capital return, return on investment are some metrics that can be adjusted for with regard to risk.
3. Continuous assessment and review of policies and procedures. Reviews should consist of assessments based on representative samples and must include testing and validation by all engaged stakeholders. Documentation needs to be recalibrated if your organization has too many – or too few – “escalation incidents.” and or exceptions. These exceptions and escalation would be actively tracked to gain an understanding of the validity of the documents.With limited resources only core and material documents would have to be reviewed and tested especially in the light of changing working conditions and impactful legislation . A structure which enforces this oversight is a sign that risk mitigation is part of the organization’s DNA.
Passing thoughts
These three signals are interlinked, each providing a layer of evidence that risk is being taken seriously by the organization.
Risk Documentation is where the written word captures the spoken word: documenting the ERM systems ensures intentions and actions are aligned – which makes for a better world.
This article was published on CFO.University
Introduction
The crisis fraud risk management is born out of a highly volatile atmosphere which can upend and overwhelm even the most structured fraud risk management program. This volatile atmosphere is here with us today and comes in the form of COVID-19. COVID-19 represents the single greatest challenge to fraud risk management (“FRM”) because pandemics and their effects were never identified as a driving force in the escalation of both existing and new types of emerging fraud. Moreover, business continuity plans had an isolated focus on operations rather than people and operations, with much shorter timeframes envisaged.
“1In a new survey conducted by the Association of Certified Fraud Examiners (ACFE) about the effect COVID-19 has on fraud, 90% of respondents reported that they have seen an increase in scams targeting consumers, with 51% believing the increase has been by a significant amount. Respondents reported seeing an immediate increase in a number of specific fraud schemes. Of those surveyed, 75% said they already have encountered an increase in phishing through government impersonation, and 71% report seeing an increase in charity fraud. They also have experienced an increase in fraudulent vaccines, cures or tests for the coronavirus (66%); third-party seller and buyer scams on legitimate online retail websites (64%); business email compromise scams (62%); and cyberbreaches (61%). Link to survey: ACFE COVID-19 survey.”
Pandemic effects
There is no doubt that a Pandemic can cause economic and financial hardship on a massive scale both on an individual and corporate scale. In times of economic crisis, employees’ personal financial pressures tend to rise, which is often where the decision to steal and embezzle is rationalized. This justification can proliferate as many key individuals are wearing multiple hats with a dilution of segregation of duties. This rationalization extends to companies that face pressure to falsify their financials in order to meet earnings targets or secure and maintain financing. Constrained supply chains and reliance on key third party vendors may increase the incidence of bribery and corruption as the need to meet and support company objectives becomes paramount.
In this threatened environment, companies may seek to cut costs which will often target non-revenuegenerating departments e.g. compliance, internal audit, while at the same time reducing budgets for control training.
The lack of fraud assessments that are integral to a comprehensive anti-fraud program only serve to leave organizations more vulnerable to the growing likelihood of fraud. As organizations make cuts in the attempt to operate with a leaner staff, they can find themselves caught in a perfect storm for fraud: mounting financial pressures motivating employees and customers alike providing a common co-operative cause, fused with a highly toxic emotional, irrational and survival based mindset acting as a powder keg.
Social distancing from the virus has increased the online risk with fraudsters having already found ways to use coronavirus warnings as a veil for malware injections and other fraud schemes. Social distancing has meant the need and increased usage for contactless payments and with it a proliferation of social engineering attempts leading to an uptick in fraud in the space of e-commerce and online payments with an incessant increase in both identity theft and account manipulation. This increase in social engineering has escalated with the reliance on home office environments, which by themselves offer fraudsters the opportunities to both degrade and infiltrate organizations’ data and information systems.
Response
The first thing is to realize that such a crisis raises the vulnerability of the organization to fraud and is a true test of the fraud resilience of the organization. Outlined below are three countermeasures that the fraud risk program should adopt and introduce in the new challenging environment.
1. Re-evaluate and reassess fraud policy and procedures
The existing FRM framework needs to be re-evaluated and reassessed knowing that a scan of the environment and the resultant ensuring pressures will create new emerging opportunities and stronger motives for the performance of fraud. The new normal will create new avenues as outlined above for the fraudster which may expose the soft operational underbelly of the organization. There may be a need to get ahead of the fraud curve and proactively amend and adapt the policy and procedures to reflect the new normal, e.g. a new fraud taxonomy. Existing policy and procedures that may now be compromised in terms of operational efficiency will have to be adapted in a timely fashion in respect to the redrawing of fraud risk appetites and tolerances, with greater insight and participation from stakeholders.
2. Review and renew the fraud control environment
The external environment will be constantly updating and changing according to the political pressures of the day, with both public and private organizations offering different and varied responses, leading to potentially confusing messaging. Temporary legislation will create loopholes and opportunities with the need to constantly rethink the identification and assessment of likely fraud risks that can emerge due to exceptional management measures, especially in the short-term. Exemptions that have been granted by the authorities to existing policies and procedures resulting in a relaxation of controls should be documented for future reviews and audits.
The external environment will be constantly updating and changing according to the political pressures of the day, with both public and private organizations offering different and varied responses, leading to potentially confusing messaging. Temporary legislation will create loopholes and opportunities with the need to constantly rethink the identification and assessment of likely fraud risks that can emerge due to exceptional management measures, especially in the short-term. Exemptions that have been granted by the authorities to existing policies and procedures resulting in a relaxation of controls should be documented for future reviews and audits.
3. Improve the fraud message, communication, and data channels
As the crisis continues, there is a greater need to engage and communicate the fraud message without overloading the individual with information. Sharing experiences and observations is paramount and can act as an early warning system. Fraud Risk will be elevated in conjunction and heavily correlated with the increased incidences and risks of cybersecurity and anti-money laundering. Information flows to understand this triage of threats need to be on a timely basis and aligned in a coordinated fashion from internal and external data sources such as Compliance, Information Technology, Audit and Third-Party Vendors. The organization must understand the interconnectedness of fraud with all the other risks facing the organization and be able to respond at the enterprise level.
One result of the new working environment has meant information flows have increased as the number of whistleblowers who are now either disengaged or emboldened from working at home have decided to come forth. According to a recent Wall Street Journal article, the U.S. Securities and Exchange Commission received about 4,000 tips from mid-March to mid-May, which is a 35% increase2 from the previous period last year. The whistleblowing hotlines mean that there is a readymade, low cost source and credible assessments that can be conducted providing the organization has the resources and resolve to investigate.
Fraud risk managers need to tailor their message to different audiences at a faster pace and need to be better communicators. Fraud communication needs to be reinforced and this extends to training needs, with the need to be creative, involving topics which are current, so the message is easily assimilated and on point. The importance of training needs to be emphasized and for once must be rigorously enforced with penalties for noncompliance.
With this information overload, fraud risk managers will have to provide clean, accessible, robust, and sustainable data with the need to keep vast amounts of data for future inspection and audit. The amount of big data being generated will enable the more astute to redesign their control processes using a comprehensive data management set of both public and private data sets. The data flows need to be treated in perspective with any anomalies explained with the number of false positives created by the increased data flow. Sanitization and regular inspection are a must to power the behavioral analysis which can detect those new and existing incidences of fraud.
Moreover, certain segments of the customer base will be more prone to high risks, and fraud investigators will have to employ key behavioral analysis to drive informed decisions on whether transactions are fraudulent or genuine. Machine Learning and Artificial intelligence will have to be woven into the fraud risk manager’s fabric, providing data analytics that can be used to understand device vulnerability and attacks.
These challenges will alter the role and responsibility of the fraud risk manager who will become data custodians, model risk managers and ad hoc technologists.
Passing thoughts
Crisis fraud risk management means that fraud risk managers must have an adaptable and credible plan and stay focused rather than become embroiled in the crisis themselves. The three countermeasures above offer insight and guidance to alleviate the vulnerability and mitigate the number of fraud incidences in a crisis.
Professional Risk Management International Association
Fraud is all around us, grabbing the headlines every single day. Fraud is a high-impact, low-probability risk with the potential to destroy a firm’s integrity and reputation very quickly. Many firms focus on the low-probability nature of fraud, and consequently fail to employ both resources and structure to address this risk. A typical fraud risk management framework includes the following components: governance, assessment, strategy and evaluation.
Let’s take a look at four steps a firm can take to develop and maintain an effective fraud risk management program.
1. Create a dedicated governance structure to manage fraud risk.
The first requirement is to build an organizational culture to combat fraud at all levels of the firm. This should demonstrate a senior-level commitment and set an anti-fraud tone that permeates the culture. To oversee all fraud risk management activities requires the development of an anti-fraud entity that, among other things, will:
- Serve as the repository of knowledge on fraud risks and controls
- Manage the fraud risk assessment process
- Lead or assist with trainings and other fraud awareness activities
- Coordinate anti-fraud initiatives across the program.
2. Create a fraud risk assessment.
The next stage is to plan regular fraud risk assessments that are tailored to the fraud risk management program. To further this goal, the firm should identify specific tools, methods and sources for gathering information about fraud risks, including data on fraud schemes and trends from monitoring and detection activities. Buy‐in involves relevant stakeholders in the assessment process, including individuals responsible for the design and implementation of fraud controls.
Requirements include:
- The identification and assessment of risks to determine the program’s fraud risk profile, starting with inherent fraud risks affecting the program
- An assessment of the likelihood and impact of inherent fraud risks, with the consideration of the nonfinancial impact of fraud risks, including impact on reputation and compliance with laws, regulations and standards
- Determining the firm’s fraud risk tolerance, examining the suitability of existing fraud controls and prioritizing residual fraud risks
- Documenting the program’s fraud risk profile
3. Design and implement an anti-fraud strategy with specific control activities.
Based on its fraud risk profile, a firm should develop, document and communicate an anti-fraud strategy to employees and stakeholders that describes the program’s activities for preventing, detecting, responding, monitoring and evaluating. The following questions can be used to guide the firm’s resource allocation in response to fraud:
- What is the program doing to manage fraud risks?
- When is the program implementing fraud risk management activities?
- Where is the program focusing its fraud risk management activities?
- What are the specific control activities to prevent and detect fraud?
- How is the suitability of existing risk controls assessed and how is residual risk prioritized?
- How does the program respond to identified risks?
- Why is fraud risk management important?
4. Conduct risk-based monitoring and evaluate all components of the framework.
Collection and analysis of data — including data from reporting mechanisms and instances of detected fraud — is a must in the monitoring of fraud trends and in the identification of potential control deficiencies. Moreover, it is important to evaluate the effectiveness of preventive activities, fraud risk assessments, anti-fraud strategy, fraud controls and response efforts.
A risk-based approach to monitoring should also be implemented. This approach should consider internal and external factors (e.g., organizational changes and emerging risks) that can influence the control environment.
Every fraud risk management program can be further enhanced by fraud awareness training and by communicating results — for example, instances of fraud that have been identified and corrective actions that have been taken — to employees.
Following these four steps will help to prevent, but not eliminate, fraud. Most fraud can be staved off by a comprehensive risk management program, but as criminals and morally compromised people concoct new forms of deceit, financial institutions must remain vigilant.
This article was published on ACFE Insights
The defining issue and top global emerging risk of 2020 is climate risk, which has been gaining a sense of urgency with major implications for financial institutions. Climate change can no longer be viewed in isolation as a reputational risk bust must be seen and addressed as a financial risk that needs to be integrated into existing risk management frameworks. Climate risk is a “transverse” risk that can extend its reach into existing risk stripes. As climate risk manifests itself through existing risk stripes, climate change can also heighten credit risks for banks, as demonstrated by the recent PG&E bankruptcy. Banks need to consider how climate-driven financial risks can be embedded into current financial risk management frameworks.
Regulators have been influenced by increasing interest in both the impact and implications of climate change as a result of public awareness and the failure of governments and the United Nations to reach substantive and collective agreement. In this vacuum, central banks are starting to lead by example by including climate-related risks in their evaluations, leading to an escalation of policy pronouncements which are likely to adjust more rapidly with an intensification in the climate change debate. Increased cooperation is evidenced by The Network of Central Banks and Supervisors for Greening the Financial System (NGFS), an international cooperation and collaboration between central banks and regulators with a main aim to address the financial sector’s attempts to achieve the Paris climate goals.
Since climate change continues to have huge economic and political implications, regulators are pushing financial institutions to take climate risk issues in their analyses of country risk and sovereign ratings which will filter down into individual counterparty ratings.
The IMF’s new chief, Kristalina Georgieva, pioneered green bonds in 2008 while at the World Bank. She is discussing whether assigning different risk weightings to assets that are more or less green is fostering an important discussion that engages the financial community. Recently the US Democratic Senator Brian Schatz of Hawaii introduced a bill that would direct the Federal Reserve to subject large banks to do stress tests measuring their resilience to climate-related financial risks. The proposed Climate Change Financial Risk Act of 2019 underscores worries among policy makers over the risk posed by the financial system by the continuous and sustainable weather events which continue to plague the continental United States.
Accountability has become the weapon of choice, with financial institutions having signed up to laudable climate principles (i.e. the Equator principles); they will need to demonstrate with actionable examples how they are adhering to such principles. Shareholder and social media will apply a lens which may mean Boards will need to become climate literate at a faster pace.
The need for disclosure is paramount and this process will escalate initiatives led by the Task Force on Climate-Related Financial Disclosures of the Financial Stability Board. As an example, the Task Force is recommending that companies make their climate-related risks known to lenders and other stakeholders.
Board members are increasingly being viewed as fiduciary custodians by their stakeholders and as such there has been a need to include representation from climate science on the Board. Moreover, some Boards are openly demanding the need for organizational structural change by means of a Sustainability Committee reporting directly to them to enhance Board comfort around the climate challenges.
call to action
A call to action seems to have resonated with all stakeholders within the community as evidenced below: • The UK’s regulators — the Prudential Regulation Authority became the first regulator in the world to publish supervisory expectations that explain how financial institutions need to develop a methodology, framework and approach to managing financial risks emanating from climate change.
The Bank of England is insisting that there is a senior manager in each major financial institution responsible for managing climate risk, who can be liable for fines or a ban if there is ineffective governance and oversight.
Barclays has joined sixteen other leading banks, the UN Environment Finance Initiative (UNEP FI) and Acclimatise, in publication of new methodologies that help banks understand how the physical risks and opportunities of a changing climate might affect their loan portfolios.
HSBC has set-up its Climate Change Centre of Excellence which analyzes the commercial implications of climate change for HSBC Group businesses and clients.
French banks such as BNP, Societe Générale, Natixis and Credit Agricole have retreated and stopped lending focused on oil and gas from shale and tar sands. These banks are pioneering in the climate space driven mainly due to France’s Energy Transition Law, which was introduced in 2015 and requires financial institutions to report on their carbon risks.
The European Union is to stop funding oil, gas and coal projects at the end of 2021. The European Investment Bank (EIB), the EU’s financing department, will bar funding for most fossil fuel projects.
Sweden’s central bank has ditched bonds issued by Australian and Canadian regions on the grounds that their carbon emissions are too high.
A shareholder in Australia filed suit against the Commonwealth Bank of Australia for failing adequately to disclose climate risk. The case was dropped after the bank released new reporting that recognized climate change as a financial risk.
A retreat from lending to companies with large carbon footprints has left some financial institutions with large industrial exposures that they had not planned or been prepared to hold.
Spanish energy company Repsol SA is cutting the value of its assets by billions of dollars because the global transition to a lower carbon economy is weakening the outlook for energy prices.
Up until now, these climate risks largely have been absent from investors’ models, but the rating agencies are at least thinking about changing their methodology and methods in assigning ratings, to incorporate climate risk.
Investment funds are now being held to a higher standard when it comes to their portfolio restrictions and guiding principles on climate-related investments.
risk identification
Financial risks stemming from climate change look at those risks as arising through three main channels: physical risk, transition risk and liability risk. Physical risks arise from climate- and weather-related events. These changes in the physical environment will create physical risks that will impact individuals, businesses and economies, consequently affecting a variety of financial transactions. Transition risks arise from the process of adjusting toward a lower-carbon economy. Policy, technology and laws relating to climate change could be accelerated, prompting a reassessment of the value of a large range of assets as costs and opportunities become apparent. This reassessment could modify the value of assets and liabilities, thereby altering the risk profile of financial institutions. As the opportunity to take voluntary steps lessens and the more immediate and demanding government requirements may become, the higher the velocity at which the transition occurs will affect the scale of disruption for affected industries.
Transition risk is likely to be the biggest area of influence on asset values in the shorter term, whereas the physical effects are likely to be the driving factors influencing asset values and economic performance in the medium to longer term.
In jurisdictions such as the US or Europe, lenders are unlikely to be held directly liable for the activities of the companies that they lend to; however, this may soon change due to increased political and social pressure. Banks acting as underwriters of bonds should assess the materiality of climate risks to an issuer’s business when drafting risk factors in the offering documents. For Board members, there is a real risk of being sued for not disclosing and alternatively being sued for making forward looking statements about climate change which prove to be incorrect.
Given the uncertainty around the future path of emissions, and their associated economic and financial impacts, a natural tool for analyzing these risks is scenario analysis. There are two primary types of scenarios fit for this purpose: climate-impact (physical risk) scenarios and transition scenarios. Climate-impact scenarios investigate the effects climate change could have on economies, societies and ecosystems,
given an assumed level of emissions; transition scenarios model how economies might adjust given a temperature target and government policy. While existing scenario analysis or stress testing frameworks can be leveraged, climate risk scenario analysis differs from the traditional use of these with longer time horizons, description of physical variables and generally the non-inclusion of specific economic parameters. The Bank of England is asking British insurers and lenders to gauge to what extent global warming might impact the value of their investments and balance sheets — and its potential to destabilize the financial markets. The three climate scenarios promulgated by the bank’s Prudential Regulation Authority are “exploratory” in nature. The hypothetical narratives are designed in a way to pinpoint risks and exposures with no pass or fail and a publication of results in aggregate without naming institutions.
how climate risk impacts existing risk types
There is a need to examine existing risk types and consider whether climate risk is sufficiently material to be incorporated and embedded into established risk frameworks. Financial risks will typically be greater for long-lived assets and liabilities (e.g., infrastructure, pensions) than short-term contracts, where risks and pricing can be more readily adjusted. There may also be consequential risks, such as concentration risk and asset-liability mismatches. The more that these types of transverse considerations are embedded into firms’ day-to-day governance and risk management processes the better firms will be able to manage and mitigate the financial risks of climate change. The risks relate to a firm’s clients, counterparties, and their own internal operations.
Moreover, credit analysis will also have to change as illustrated below to meet the climate risk challenge.
Climate change may affect the comparative market competitiveness and performance of the firm, i.e. the writing down of carbon asset values on the balance sheet.
Differential pricing and returns may have to be incorporated with the credit proposal emphasizing the basis for carbon free projects
Noncompliance with environmental regulations could result in various and different forms of liability for the project and its stakeholders as well as unwarranted publicity.
The client’s ability to refinance may be compromised once awareness of climate risks have increased, making it more difficult for a current investor to exit.
Repayment sources may be affected as income from the sale of assets or equity by clients may be diminished, as climate change will affect market values.
The cost of insurance for clients may increase, and exclusion clauses may become more onerous. Insurance cover may no longer be available, forcing companies to self-insure, which would require them to make financial provisions to cover future losses, affecting their financial capacity.
passing thoughts
Now is the time to act on greening the financial system in order to move away from a verbal undertaking of corporate responsibility to one of sustainable leadership. The world is watching to see which financial institutions have the vision and leadership that define their role in the social and economic fabric of climate change.