Developing and Implementing a Risk Governance Framework
Namfisa (Namibia Financial Institutions Supervisory Authority) is in the process of reviewing its supervisory methodology and intends to deploy Risk Based Supervision (“RBS”). The implementation thereof is intended to assist the authority in actively regulating risk as part of the greater Bills Implementation Project.
Risk-Based Supervision is gradually becoming the dominant approach to regulatory supervision of financial institutions around the world. It is a comprehensive, formally structured system that assesses risks within the financial system, giving priority to the resolution of those risks.
RBS is often contrasted with rules-based regulation. The latter, also known as principles- or compliance-based supervision, is a method of regulation which involves checking for and enforcing compliance with rules – legislation, regulations or policies – that apply to an entity.
RBS has a regulatory emphasis of “focusing on what matters” – assessing the degree of risk in business operations and determining how to reduce the risk as required.
With RBS, entities are always being monitored, both for compliance with the rules and for how they approach risk management. Failure to comply or to manage risk is noted, and action is taken according to the appropriate legislation, to deal with any concerns. Risk Management therefore takes centre stage in RBS and will form part of overall fiduciary duties.
1. Risk Management Assessment in Practice
Risk management is multi-dimensional and includes in-depth analysis of, inter alia:
- Financial soundness
- Risk benefits
- Cost control
- Trustee decision making
- Service providers
Risk within each dimension is monitored by probability (i.e. rare to almost certain) and financial impact (insignificant to catastrophic), with detailed monthly, quarterly, annual and tri-annual risk mitigation action plans and clear accountabilities.
2. Risk Management Cycle
Risk can be defined as the uncertainty of an outcome, measured relative to the ability to bear it. Risk Management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events.
A Risk Management Framework should be implemented holistically, taking into account the organisation's strategy. This framework should be implemented bearing in mind the cycle below:
The outcomes of the Identification, Assessment and Management steps are:
- Risk Management Policy. This incorporates all related policies as required by the regulator;
- Risk Register;
The Risk Management Cycle depicted above is explained in detail below.
2.1 Risk Identification
This process identifies the key risks that can have a material impact on the success of the strategy. The risks to be considered relate to the following areas of the organisation's operations:
- Legal and Regulatory
- Governance (structure)
- Finance and Accounting
- Administration (Information Management)
- Service Provider Management
2.2 Risk Assessment
The likelihood and potential extent of the impact of each risk occurring is determined. The likelihood of each risk (i.e. the probability of it occurring in the near future) is classified as:
- Almost Certain (Less than 1 year)
- Likely (Less than 1 year)
- Probable (1 year to 2 years)
- Unlikely (Greater than 2 years)
- Rare (Greater than 3 years)
The extent of the impact of each risk occurring is classified as:
- Significant (Unable to sustain operations)
- Major (Reduced ability to achieve major business objectives)
- Moderate (Disruption to normal operations)
- Minor (No material impact on operations)
- Insignificant (No impact on operations)
2.3 Risk Management
During this process, the appropriate response to each identified risk is determined together with the party responsible. Risks can be mitigated in a number of ways:
- Avoiding the risk
- Reducing the risk
- Passing on/Insuring the risk
- Sharing the risk
- Retaining the risk
Each identified risk will be mapped to the appropriate mitigating action.
2.4 Risk Monitoring
Risks will be monitored on an ongoing basis through:
- Reviewing the controls and mitigations put in place
- Considering who is accountable for managing the risks
- Considering how the risks can be measured and reported on
- Ensuring proper policies are in place
2.5 Risk Modification
Based on the changing situation (i.e. changes to regulation) each risk is re-assessed by following steps 1 to 4.
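The cycle in 2.1 to 2.5 can be made concrete as a risk register that only accepts the framework's own vocabulary, scores each risk from its likelihood and impact bands, ranks the register so review effort goes to what matters, records the accountable party and chosen response, and keeps a history when a risk is re-assessed. The following is an added example and not Namfisa's or NMG's own tooling; the bands, response options and risk areas are the ones listed above, while the 1 to 5 ordinal scoring, the High/Medium/Low thresholds, the "retained high risk needs an explicit decision" check and the sample risks are assumptions made for this illustration.

```python
"""Risk register for the identify / assess / manage / monitor / modify cycle.

Added illustration, not Namfisa's or NMG's own tooling. The likelihood and
impact bands, the response options and the risk areas are the ones listed in
the framework text; the 1..5 ordinal scoring, the rating thresholds, the
exceptions rule and the sample risks are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Bands ordered from least to most severe; list position + 1 is the ordinal score.
LIKELIHOOD = ["Rare", "Unlikely", "Probable", "Likely", "Almost Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Significant"]
RESPONSES = ("Avoid", "Reduce", "Insure", "Share", "Retain")
AREAS = (
    "Legal and Regulatory", "Governance", "Finance and Accounting",
    "Administration", "Service Provider Management",
)


@dataclass
class Risk:
    name: str
    area: str
    likelihood: str
    impact: str
    owner: str          # accountable party (step 2.3)
    response: str       # one of RESPONSES (step 2.3)
    history: list = field(default_factory=list)  # previous assessments (step 2.5)

    def __post_init__(self) -> None:
        # Reject entries outside the framework's vocabulary so the register
        # can never silently carry an unclassified or unowned-response risk.
        if self.area not in AREAS:
            raise ValueError(f"unknown area: {self.area}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood: {self.likelihood}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact: {self.impact}")
        if self.response not in RESPONSES:
            raise ValueError(f"unknown response: {self.response}")

    def score(self) -> int:
        """Likelihood ordinal x impact ordinal, range 1..25 (assumed scoring)."""
        return (LIKELIHOOD.index(self.likelihood) + 1) * (IMPACT.index(self.impact) + 1)

    def rating(self) -> str:
        """Bucket the score into High/Medium/Low (thresholds are assumptions)."""
        s = self.score()
        if s >= 15:
            return "High"
        if s >= 8:
            return "Medium"
        return "Low"

    def reassess(self, likelihood: str, impact: str, reason: str) -> None:
        """Step 2.5: keep the old assessment on record, then apply the new one."""
        self.history.append((self.likelihood, self.impact, reason))
        self.likelihood, self.impact = likelihood, impact
        self.__post_init__()  # re-validate the new bands


class RiskRegister:
    def __init__(self) -> None:
        self.risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.name in self.risks:
            raise ValueError(f"duplicate risk: {risk.name}")
        self.risks[risk.name] = risk

    def prioritised(self) -> list:
        """Highest score first, so review effort goes to what matters."""
        return sorted(self.risks.values(), key=lambda r: r.score(), reverse=True)

    def exceptions(self) -> list:
        """Step 2.4 check: a high-rated risk that is merely retained should
        have an explicit decision on record (assumed governance rule)."""
        return [r.name for r in self.risks.values()
                if r.rating() == "High" and r.response == "Retain"]


def build_sample_register() -> RiskRegister:
    """Constructed sample risks for demonstration; not real findings."""
    reg = RiskRegister()
    reg.add(Risk("Administrator contract lapses", "Service Provider Management",
                 "Likely", "Major", "Public Officer", "Retain"))
    reg.add(Risk("Regulatory return filed late", "Legal and Regulatory",
                 "Probable", "Moderate", "Compliance Officer", "Reduce"))
    reg.add(Risk("Ledger misposting", "Finance and Accounting",
                 "Unlikely", "Minor", "Finance Manager", "Retain"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.prioritised():
        print(f"{r.score():2d} {r.rating():6s} {r.name} -> {r.response} ({r.owner})")
    print("needs an explicit decision on record:", reg.exceptions())
```

Validation in `__post_init__` is the point of the design: a register that accepts free text for likelihood, impact or response drifts away from the framework within a few reporting cycles, whereas rejecting anything outside the defined bands keeps every entry comparable and every risk mapped to one of the five responses.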
Supervision of financial institutions can be carried out for a variety of reasons and through a variety of techniques and approaches. The basis that is adopted within a particular jurisdiction or country has to reflect the local environment and legislative expectations.
The traditional supervisory approach has been to review the operations of the entity to ensure that it complies with the legislation and regulations, that the financial statements prepared meet the requirements of the reporting methodology, and that the results accurately represent the facts.
The risk based supervisory process takes this traditional approach one step further so that the process identifies, and focuses the review effort on the areas of risk in the entity’s operation that could impair the viability of the company. The focus is on the risks in the entity and on the management processes for dealing with those risks.
As a result, to understand how this process could work one should consider the range of risks to which entities are exposed, the risk mitigation techniques that could be used to manage the risk exposure, and some of the “best practices” that well-run companies use in such circumstances.
The objectives of RBS therefore are:
- Overall view of the entity to consider the risks that it faces in its business
- To determine the risk level of the entity
- To identify the most vulnerable areas of the entity and to focus resources on those high risk areas
- To assess the effectiveness of risk management techniques implemented.
Although Namfisa has yet to issue clear guidelines on what the regulatory requirements on Risk Management Architecture will look like, we can take examples from developed markets, which include:
- The establishment of a Risk Management Plan/Strategy; Board of Trustees/Directors are required to issue risk management guidelines with written policies and procedures for addressing risks;
- Establishment of a Committee for Risk Management; accountable body that inter alia reviews long term risk management;
- Establishment of a centralised Risk Management Function; must be independent of all other departments in the organisation;
- Establishment of clear reporting obligations and lines; with the Public Officer acting as the compliance officer.
NMG has amassed extensive international experience by providing various services to regulators on other continents. We therefore believe that this diversity of experience provides us with a unique perspective to meet the requirements of this proposal.
Our key relevant strengths include:
- Specialised actuarial and risk management expertise
- Presence and experience in the Namibian market
- An experienced and strong consulting team
- Specific experience in assisting large clients with the development of risk governance frameworks.
NMG will at all times work closely with the client to ensure that our service offering meets your needs. NMG sees its differentiator as the ability to combine consulting and marketing principles with sound actuarial theory. This provides the client with practical, easily understandable solutions.