Improvement Risk Control Framework
Case: Improvement Risk Control Framework
BACKGROUND
A financial institution based in the Netherlands needed to improve its Risk Control Framework (RCF), or Risk Management Framework, after ECB-related findings. It was required to close gaps in its framework and ensure it was fit and proper, matching EBA guidelines.
A Risk Control Framework is part of the Internal Control Framework (ICF), or Management Control, of an organisation. The Risk Management Framework (RMF) is a collection of standards to identify, measure, manage, monitor and report on risk. There are different industry standards, such as COSO ERM and ISO 31000, that can be chosen as best practice. Even more detailed frameworks, such as NIST and COBIT, are available. This makes the area complex, as companies face different methods to manage risks.
CHALLENGE
The RCF required improvements on multiple levels while the company was partly reorganising. Different layers of the risk control framework needed work (from strategy to operational processes). The concept of three lines of defence was not crystallised, and the framework would have to operate in ~25 countries. There was additional time pressure due to a planned follow-up meeting with the regulator.
ASSIGNMENT
Review and revise the different layers of the framework, including policies, processes, general governance and people enablement, and close the relevant gaps.
APPROACH
Porteg reviewed the current state (as-is) to better understand the gaps and the current process. By combining process and business analysis, we were able to paint both the as-is and the to-be situation. We reviewed the policies and general governance and modified them in line with the organisation and regulatory requirements. We further looked at how technology and processes could truly support the 1st line (business) and 2nd line (risk management) and make this efficient and effective (aiming for a combination of challenge, segregation of duties and support). We also assisted in knowledge-sharing setups (Confluence, SharePoint) and further training concepts. Furthermore, we assisted in building control libraries and other reference material, such as a risk taxonomy.
RESULT
The framework was improved and had a better fit with the organisation. The people were properly trained and interaction improved (not just another reporting process). The client could prove in various ways that they were in control at the next visit of the regulator. A long list of gaps was closed, and a review by the ECB resulted in a positive outcome.