This article is a follow on from ‘Internal Audit and Risk Management – a crucial working partnership’ feature which was posted to https://www.jcbfl.co.uk/internal-audit-and-risk-management-a-crucial-working-partnership/ in August 2021.
Risk Management, and the Risk Management Framework (RMF), is a pillar of the Corporate Governance structure of any (at least) medium-sized company and is a key focus for the Internal Audit function, whether scoping any audit or planning to perform an audit of the RMF itself.
Internal Audit approach
- Assessing risk maturity – Obtaining an overview of the extent to which the board and management determine, assess, manage and monitor risks. This provides an indication of the reliability of the risk register for audit planning purposes.
- Periodic audit planning – Identifying the assurance and consulting assignments for a specific period, usually annual, by identifying and prioritising all those areas on which the board requires objective assurance, including the risk management processes, the management of key risks, and the recording and reporting of risks.
- Individual audit assignments – Carrying out individual risk-based assignments to provide assurance on part of the risk management framework, including on the mitigation of individual or groups of risks.
- Risk Management Framework internal audit
Lloyd’s Minimum Standards (LMS)
Lloyd’s Minimum Standards are statements of business conduct which Lloyd’s Managing Agents are expected to comply with to operate at Lloyd’s. LMS can be aligned with the internal control environment and incorporated into an internal audit program. LMS is also a useful tool for company market insurers, and their internal auditors, given its comprehensive reach and contemporaneous character (the current LMS were all updated in January 2021).
Until Lloyd’s fully transitions to principles-based oversight in Q2 2022, you can find the Minimum Standards at https://www.lloyds.com/conducting-business/requirements-and-standards/minimum-standards/
‘MS5 – Risk Management’ requires there to be an effective risk management system in place which has the following expectations:
Risk Management Strategy
- key risk management principles;
- risk appetite and approved risk tolerance limits;
- risk management approaches and processes; and
- assignment of risk management responsibilities across all the managing agent’s activities.
Decision making process
- risk and risk management issues are addressed by the Board and appropriate committee(s);
- the identification and assessment of risk and control prompts action where necessary; and
- the persons who effectively run the business or have other key functions take into account the information reported as part of the risk management system in their decision-making process.
Risk management policies should cover the following areas:
- define and categorise the material risks by type to which the business is exposed;
- define the approved risk tolerance limits for each type of risk;
- implementation of the risk strategy;
- facilitation of control mechanisms; and
- accommodate the nature, scope and time horizon of the business and the associated risks.
Risk Identification & Assessment
The risk management system should include processes by which an organisation can identify, assess and mitigate the significant risks to the achievement of its business objectives, to include:
- processes which are proportionate to the nature, scale and complexity of the risks inherent in the business;
- consideration to risk exposure in the short and long term;
- formal risk identification is undertaken at least annually, and updated regularly;
- risk is assessed using appropriate qualitative and/or quantitative techniques, which include consideration of risk aggregations and correlations;
- there are internal controls in place, designed to manage risks to acceptable levels and the effectiveness of controls is regularly considered in managing and balancing risk and appetite;
- details of all significant risks and controls are documented, e.g., in a risk register;
- the performance of stress tests and scenario analysis, including reverse stress tests, with regard to all relevant risks faced by the business in their risk management system;
- that processes do not place undue reliance on third party information; and
- a process to identify, assess and manage emerging risks.
Risk Monitoring & Reporting
The RMF should include reporting procedures and processes which ensure that information on the material risks faced by the business and the effectiveness of the risk management system are actively monitored and analysed. This includes ensuring that:
- processes are in place for regular monitoring and updating of the risk profile for changes to the internal and external risk environment, and for identifying and responding to significant issues and events (Risk Event Monitoring);
- sufficient measures and checks are in place to enable ongoing monitoring of the internal and external risk environment;
- key risk information (KRI) is reported via the governance structure;
- risk analysis prompts appropriate modifications to the risk management system where necessary; and
- the risk profile is a key input to setting and re-setting business objectives, policies, risk appetite and the internal control environment.