“Financial institutions should establish a comprehensive risk management framework and adopt the sound practices recommended in these guidelines. Through its supervisory process, MAS will continue to assess the adequacy of financial institutions’ risk management systems and controls, and the extent to which they have adopted these guidelines.” – The Monetary Authority of Singapore (1)
Do you know who is a believer in the need to take calculated risks? The Monetary Authority of Singapore!
In a book celebrating its 40th anniversary, the Chairman of the Monetary Authority of Singapore (the “MAS”) cited its willingness to take calculated risks as one of the intangibles that gives the MAS its strength. (2)
For the narrow segment of our audience that is both an aggressive risk taker and an avid reader of articles on regulatory compliance, this is where the good news ends…at least until you get to the part about how Holland & Marie can help.
EXPECTATIONS ON FINANCIAL INSTITUTIONS TO ADDRESS RISK MANAGEMENT
The board of directors (the “Board”) of a financial institution (“FI”) is responsible for overseeing the governance of risk in the FI. Pursuant to the MAS’ Guidelines on Risk Management Practices – Board and Senior Management (the “Board Risk Guidelines”), the MAS expects that senior management of a FI will provide the Board with information on “all potentially material risks facing the institution, including those relevant to the institution’s risk profile, capital and liquidity needs. Information should be comprehensive, accurate, complete and timely.” (3)
The MAS goes on to recommend:
“The Board should ensure that senior management establishes a risk management system for identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating risks regularly. In particular,
- risk management strategies, policies, processes and limits should be properly documented and communicated within the institution. They should be regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles, capital strength, and market and macroeconomic conditions;
- risk management policies and processes should provide a comprehensive “institution-wide” view of the institution’s exposures to material risks, such as credit, market, underwriting, liquidity, country and transfer, interest rate, legal, compliance, fraud, reputational, strategic, regulatory and operational risks;
- risk management processes should assess risks arising from the macroeconomic environment affecting the markets in which the institution operates and to incorporate such assessments into the institution’s risk management process;
- exception to policies, processes and limits should receive the prompt attention of, and authorisation by, the appropriate level of management and the Board, where necessary;
- the risk management function should be adequately resourced and independent, with clearly delineated authority and responsibilities. The risk management function should have access to the Board to perform their duties effectively. The team performing this function should report the institution’s risk exposures directly to the Board and senior management; and
- where models are used to measure components of risk, the Board and senior management should ensure that the models are validated and tested regularly by an independent party. They should also understand the limitations and uncertainties relating to the output of the models and the risks inherent in their use.” (4)
It is important to note that the Board Risk Guidelines are not the only source of reference material on risk management. Instead, the Board Risk Guidelines are a subset of the MAS’ general Guidelines on Risk Management. There are also MAS notices and circulars which an FI should review and consider.
Bottom line – managing the risks of a FI is not a small task.
INTERNAL OPTIONS TO ADDRESS RISK MANAGEMENT
The ultimate responsibility for governing risk lies with the Board. (5) However, having competent personnel in an FI’s risk management, control and audit functions is a cornerstone of effective risk management. (6)
There is no single management structure that is required to effectively manage a FI’s risks, especially because risk management frameworks can involve quantitative and qualitative analyses. Some FIs put risk management under the purview of the Chief Executive Officer (“CEO”) or the Chief Operating Officer (“COO”) or create a Management Risk Committee (7) to manage enterprise-wide risks. The MAS has also said that, depending on the scale, nature and complexity of a FI’s activities, the Board may appoint a Chief Risk Officer (“CRO”) which should (1) be a distinct role from other executive functions and business line responsibilities and (2) have a reporting line to the Board.
For any FI that can afford to hire a full-time CRO, we highly recommend it as a prudent risk management measure that indicates a corporate culture that takes corporate governance seriously. However, many FI’s are not in a position to hire a full-time CRO and thus must consider alternatives.
RISK MANAGEMENT COMPLICATIONS FOR FINANCIAL INSTITUTIONS
All businesses face and manage risks. However, licensed and exempt FIs face unique issues because the effectiveness of their risk management frameworks is not solely judged by their shareholders or the Board. Instead, regulators (including the MAS) also evaluate FIs’ risk management frameworks.
The MAS uses a single risk assessment system – Comprehensive Risk Assessment Framework and Technique (“CRAFT”) – to assess the risks of an FI. (8) MAS risk rates FIs based on an assessment of inherent risks and control factors, of oversight and governance arrangements and of financial strength factors. CRAFT also takes into account the policies, procedures and controls that institutions have in place to manage and mitigate money laundering and terrorism financing risks. A four-point rating scale is used to rate all components after which the MAS assesses the FI with a final Overall Risk Rating (reviewed periodically) of High, Medium High, Medium Low or Low. (9)
While the MAS does not prescribe a uniform set of risk management requirements on FIs, we recommend that FIs proactively implement a risk management framework that clearly and specifically addresses best practice benchmarks and key performance indicators. The key is to create a framework that is robust and yet relatively simple (10) to execute.
CAN A FI OUTSOURCE RISK MANAGEMENT?
Risk management can be outsourced, with the caveat that such outsourcing does not diminish the obligations of the FI, its Board and senior management to comply with applicable law and regulation. Importantly, outsourcing all or substantially all of a FI’s risk management functions is considered a “material outsourcing arrangement” regarding which a FI must exercise additional oversight. (11)
HOLLAND & MARIE’S RISK MANAGEMENT SOLUTIONS
Holland & Marie offers several risk management solutions, including:
- Outsourced CRO services;
- Ad hoc advisory or project services (i.e. risk control self assessments, new business initiative assessments, business continuity programs testing, risk framework gap analysis, internal audit and training (Board or employee)); and
- Assistance in preparing or reviewing risk management policies and
Our Value Proposition
New FIs such as companies licensed under the Singapore Payment Services Act
New FIs need to establish their initial risk management framework. We either (1) advise the Board and senior management on what they need to do or (2) offer outsourced risk management solutions, including outsourced CROs, that take over the risk management function and report to the FI’s Board and CEO.
Established FIs looking to audit or improve on their risk management frameworks
For established FIs, having an external advisor review and possibly enhance a risk management framework can be helpful to demonstrate a FI’s seriousness about corporate governance. Even if an FI is already doing an outstanding job managing risk with its internal resources, it may be helpful to look at the company’s risk universe with a fresh pair of eyes or merely have the strength of the existing risk management framework validated by an external third party.
Our Credentials
Our senior team has experience serving on corporate boards (including director experience of licensed and listed companies), as well as CEO, COO, General Counsel and risk management experience. In particular, Kevin Riendeau, CEO of Anextere (12) (a business and technology solutions company for financial institutions), has recently joined Holland & Marie as a Special Advisor. Kevin’s experience includes serving as Head of Oversight and Control, Asia Pacific for J.P. Morgan Asset Management. We believe our direct experience and expertise enables us to offer practical and sound risk management advice, including the ability serve as a FI’s outsourced CRO. You can find out more about our services here.
Our Approach
In addition to MAS notices and guidelines, there are numerous reference materials that can be considered in establishing a risk management framework such as ISO 31000 or the Singapore Institute of Directors Board Risk Committee Guide. However, our approach is to take our subject matter expertise and establish a framework that is commensurate to the FIs nature, size and complexity. We believe simpler frameworks are best as they reduce execution risk, which may be the most under-rated risk that a FI faces.
CONCLUSION
Risk management is an area of judgement that is often evaluated with the benefit of hindsight or in circumstances where something has gone wrong. Although a FI’s senior management handles risk issues on a day to day basis, the Board is accountable for ensuring the FI has sound risk management processes and operating procedures that integrate prudent risk limits with appropriate risk measurement, monitoring and reporting.13 As a result, it is critical that the Board and senior management adopt a risk management framework that is robust and yet allows a business to take risks.
If you think Holland & Marie can assist your business with risk management, please do not hesitate to reach out for an initial conversation.
If you think you have risk management 100% under control, we would also ask you to reach out. We have to learn how you do it!
HOLLAND & MARIE
Holland & Marie is a compliance, risk, C-Suite and legal solutions firm based in Singapore. We have extensive experience in resolving typical compliance issues including regulatory inspections, satisfying regulatory requirements and maintaining best practices in corporate governance to navigate the rapidly changing regulatory landscape.
For further information, contact:
Chris Holland: Partner | Holland & Marie | 201802481R
7 Straits View, Marina One East Tower, #05-01 Singapore 018936
Disclaimer: The material in this post represents general information only and should not be relied upon as legal advice. Holland & Marie Pte. Ltd. is not a law firm and may not act as an advocate or solicitor for purposes of the Singapore Legal Profession Act.
———————————————————————————————————————————————————-
(1) See Paragraph 6 of MAS Guidelines on Risk Management Practices – Objective and Scope.
(2) See the Forward by Mr Tharman Shanmugaratnam, Chairman of the Monetary Authority of Singapore to “Sustaining Stability Serving Singapore” (October 2011), available at https://www.mas.gov.sg/-/media/MAS/About-MAS/MAS-40th-Anniversary- Full.pdf?la=en&hash=4CA6ACEC760075F66B666A816177443F7CC1A784
(3) See Paragraph 2.1.3 of the Board Risk Guidelines (March 1, 2013).
(4) Id at Paragraph 2.3.1.
(5) See Paragraph 1.1.1 of the Board Risk Committee Guide (Singapore Institute of Directors) (2018).
(6) See Paragraph 2(a) of MAS Guidelines to Risk Management Practices – Objectives and Scope (March 1, 2013).
(7) A management risk committee typically comprises key executives and heads of departments coming together to review and discuss the common frisk management framework approved by the Board, as well as the key risks and mitigation plans.
(8) See the MAS’ Framework for Impact and Risk Assessment for of Financing Institutions (April 1, 2007).
(9) See Paragraph 3.4 of MAS’ Framework for Impact and Risk Assessment of Financial Institutions (April 1, 2007)
(10) Compliance is never simple. Our motto is “Compliance Made Simpler” because we do not believe simple can be achieved in most fact patterns. Instead, we establish frameworks that are aligned with best practice but also allow maximum flexibility to enable common sense to prevail.
(11) See MAS’ Guidelines on Outsourcing (October 5, 2018).
(12) For information about Anextere, click here.