Corporate Governance and Risk Management – Principles and Actions


For both storied financial institutions and highly regarded start-ups, there are numerous examples of businesses failing despite claiming to have “world-class” risk management frameworks. In this article, we discuss certain beliefs and processes that are fundamental to responsible risk management. While our suggestions may be obvious to some, recent high-profile governance failures (including investment due diligence) suggest a disconnect between governance experts and some business leaders about what constitutes meaningful risk management.


Checks and balances slow the speed of doing business, especially for major initiatives.

While we believe corporate governance is a net positive for a business, in practice risk management processes often slow down decisions. A simple example is spending authority for basic office equipment (like paper). While any employee may have the authority to spend up to $100 of a firm’s money, there can be increasingly complex approval processes as the amounts get higher. Multiple sign-offs may be required, and extensive justifications of the expenditure may need to be prepared. Although this fact pattern is mundane, we hope it illustrates how bureaucratic processes normally have a legitimate purpose even when they adversely impact the speed of decisions.

Keep this belief in mind when:

  • Due diligence checks on a client or an investment are taking forever.
  • You miss a lucrative business opportunity due to not having the requisite approvals.

Larger businesses require more bureaucracy than smaller businesses.

We think this is self-evident. We highlight this principle because as a business grows, it may need to add risk management processes even when the nature and transactions of the business have not changed.

For a recent example, we can understand why the cryptocurrency exchange, FTX, did not have a Chief Risk Officer when it started its business. However, we think that role should have been established and filled by the time FTX had a multi-billion dollar valuation, and some of the world’s best institutional investors had come onboard.

Keep this principle in mind when:

  • You grow frustrated at revisiting corporate governance topics that have been previously addressed.
  • The governance requirements of your company become stricter.

You cannot primarily rely on the diligence of others for risk management.

It is fine to consider the decisions of other firms as part of a risk management process. It is not acceptable to make material decisions primarily by the rule of “If it’s good enough for X then it is good enough for me”.

Keep this principle in mind when your firm has unique questions or objections regarding an investment that have not been raised by other investors.

Bad actors may try to bully you.

Bad actors may use any number of tactics to pressure you into taking on imprudent risks, such as:

  • Publicly stating they have a conservative risk appetite while acting differently behind closed doors.
  • Suggesting that their risk management approach/analysis is more sophisticated than you can understand.
  • Making false or misleading statements about internal or external approvals or checks being completed.

Keep this principle in mind when you doubt your considered judgement or feel unduly pressured. Especially in compliance and risk management, making a decision under pressure rather than on the merits of the argument can lead to material adverse consequences.

Managing conflicts of interest is part of risk management.

A financial institution is expected to conduct periodic reviews of the responsibilities of key personnel to minimise areas of potential conflicts of interest.(1) If a business fails to consider and guard against conflicts of interest it can be materially and adversely affected.

Keep this principle in mind when you engage in related party transactions or when exceptions to your policies or greater transaction permissions are granted to affiliates.


In light of the foregoing, we have set out some basic steps, a skeleton, for businesses to consider adopting for their risk management framework. While many businesses will require or prefer more sophisticated risk management frameworks, we think there is merit to setting out a simple framework that reduces execution risks due to human error or otherwise.

We acknowledge that the framework below does not offer any novel procedures or ideas. Instead, the processes we have highlighted, and more, can be found in existing MAS guidelines on risk management and other subjects, with which all Singapore-regulated financial institutions should ensure they are familiar.

Identify and document risks facing your business.

The Board and senior management should understand the material risks facing a company, and the tools used to mitigate such risks. This analysis should be documented (with the knowledge that the analysis and framework could be reviewed with the benefit of hindsight by regulators, prosecutors or the general public in the event of adverse circumstances at the firm) and kept up to date. While all companies have obligations to abide by applicable law, the Boards of regulated financial institutions will need to consider how the risks in their business and adverse events could affect the integrity or operation of the financial system.

For further reading, see the MAS’ Guidelines on Risk Management Practices – Board and Senior Management.

Establish lines of accountability and escalation.

In September 2020, the Monetary Authority of Singapore (the “MAS”) issued the Guidelines on Individual Accountability and Conduct (the “IAC Guidelines”). The IAC Guidelines offer excellent insights on how companies can strengthen their risk management frameworks, including guidance on establishing clear and transparent management structures and reporting relationships. They are an excellent reference for all companies, regulated or otherwise. In the future, we anticipate that the best practice will be for regulated financial institutions to conduct culture audits involving anonymous questionnaires/upward reviews so employees can provide feedback on whether a financial institution has achieved the specified outcomes in the IAC Guidelines.

We also recommend that financial institutions occasionally undertake post-mortem reviews of their risk management practices after significant events such as the discovery of a material due diligence oversight or a failure to obtain adequate approvals for corporate action. Although such post-mortem reviews may duplicate the work done by the internal audit function, the reviews occur when the relevant events are fresh in mind. Such reviews can accelerate the implementation of process improvements. The MAS has referenced the value of post-mortem reviews in the Guidance for Effective AML/CFT Transactions Monitoring Controls.

Stress testing

To quote the MAS, “An institution should include a variety of short-term and protracted institution-specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into its stress testing programmes for risk management purposes.”(2) For the digital asset sector, we think key assumptions to test are (1) prices of the digital payment tokens that you deal in, (2) transaction volumes and (3) headcount and legal/compliance costs.

For further reading, see the MAS Guidelines on Risk Management Practices – Liquidity Risk.

Internal audit checks

Financial institutions are expected to have an internal audit function that assesses the effectiveness of the institution’s risk management, compliance and corporate governance processes. The degree to which a regulated financial institution adopts this guidance may vary depending on the firm’s risk and business profile.

Internal audit can be outsourced to a third-party service provider,(3) such as HM. There are pros and cons to using a third-party service provider compared to having an in-house internal audit function, and we acknowledge our conflict of interest. We think the biggest advantages to using a third-party service provider are that third parties may (1) have a better sense of best practices across an industry as a result of auditing multiple businesses and (2) offer more of an outsider perspective as a result of not being a full-time employee of the company. The second point can be particularly helpful if there are issues to be raised which are sensitive to the extent that they reflect badly on the firm’s senior management. On the other hand, a third-party service provider may not understand your business as thoroughly or readily as a full-time employee.

For further reading, see MAS Guidance on Risk Management Practices – Internal Controls.


Risk management can be daunting because the stakes are high and prudence is subjective. Decisions which result in adverse consequences may be judged by external parties with the benefit of hindsight. HM offers various services to assist companies with risk management, including:

  • assistance with developing policies and procedures;
  • outsourced Chief Risk Officer services;
  • risk management and corporate governance audits; and
  • board and senior management advisory.

Whether you want to strengthen your risk management framework or want external validation of your existing governance and processes, we would be delighted to assist.

For further information, contact:

Chris Holland: Partner | [email protected]

Disclaimer: The material in this post represents general information only and should not be relied upon as legal advice. Holland & Marie Pte. Ltd. is not a law firm and may not act as an advocate or solicitor for purposes of the Singapore Legal Profession Act.

1 See Paragraph 2.4.3 of the Guidelines on Risk Management Practices – Internal Controls (the “Control Guidelines”).

2 See Paragraph 3.6 of Guidelines on Risk Management Practices – Liquidity Risk.

3 See Paragraph 5.12.1 of the MAS Guidelines on Outsourcing.
