13 Insights on Challenges within Risk Management and Compliance 2024
In 2024, the Danish FSA issued a number of orders regarding the risk management and compliance functions to several financial institutions. These orders emphasise the importance of robust risk management and effective compliance to ensure financial stability and compliance with regulatory requirements.
The orders issued point out specific weaknesses in the risk management and compliance functions of a wide range of financial organisations. The orders emphasise the need for improved risk management, better internal control, and a more effective compliance structure.
Resolving an order takes a lot of effort and energy and requires the involvement of all key stakeholders in the organisation. In addition to the overall management of the dialogue with the FSA, resolving an order means building a new understanding of the regulatory framework, designing new internal governance, and implementing new processes for the future. The methods are instructive and lead to a new culture and way of working in and between the lines of defence.
Based on the inspection reports from the first half of 2024, there are a number of insights and lessons to be learnt. Management of second line functions is not “one size fits all”, and individual consideration must always be given to the chosen business model and risk appetite. At the same time, you need to be aware that requirements are constantly changing, so what was adequate last year may not be “okay” anymore. Risks and expectations are shifting, so you need to keep your finger on the pulse.
Key takeaways – 13 recommendations for management of the risk management and compliance function
Based on today’s challenges in the compliance and risk management area, we have gathered some recommendations on how to prioritise going forward.
- Ensure your business model and your risk assessment are aligned. Too often there are inadequate risk assessments or annual plans from the risk management or compliance function, where risks are not adequately identified, or where assumptions or documentation behind them are inadequate.
- Review and update the key guidelines for execution in instructions and procedures. Without ensuring compliant internal governance and ground rules, the risk management or compliance function will not function optimally and as intended. This means strengthening the risk management and compliance function’s structure, processes and organisation to ensure an overview of all significant risks and that the risks are regularly examined and handled correctly.
- Make sure you have sufficient resources and independent roles, and focus on the role of the CRO or CCO. Typically, there are other tasks in the organisation that take time and require prioritisation. As a result, focus, staffing and competences take a back seat, weakening your resilience for continuous compliance and risk mitigation.
- Make sure you fulfil the necessary tasks set out in the principles of the executive order, the Financial Business Act, the EBA Guidelines and other relevant financial regulations. If in doubt about compliance, perform internal gap analyses or other stress scenarios to ensure you are aware of your compliance situation, risk situation and economic health. And keep an eye on the upcoming regulations that affect you, so you are ready to design the governance and implement new regulations by their effective date.
- Pay attention to the incorporation of sufficient independent compensating measures to ensure adequate control of the financial organisation’s risks, both in the short and the long term. This also means that the risk management or compliance officer must ensure that they are not involved in the provision of services or the performance of activities that they themselves control.
- Mistakes and offences will happen all the time – it’s hard to avoid. In such cases, formalised recommendations, warnings or concerns should be given to management, to give the board a correct update on the risk situation in the organisation. In the worst case, the authorities must be informed, including a plan for compliant governance and management of the area.
- Maintain constant and sufficient control and assessment of whether the second line is confident in the first line of defence’s methods, procedures and any risk mitigation measures. Don’t just follow the annual plan, but be ready to change direction if developments in the organisation warrant it.
- Be careful not to get bogged down in describing the rationale for the risk assessment in each risk area, but do get it documented. Preferably have the risk validated by others, so the risk assessment is not just based on one set of eyes, but on the overall competence within the risk management area.
- Involve line managers, internal controllers, management and other stakeholders to assess risks holistically. Not only are risks identified and mitigated significantly better, but you also build a good risk culture in the organisation.
- Train and educate relevant people, and at the same time make sure to get outside input into your organisation. Market insight and experience from your network are invaluable and ensure you have a contemporary understanding of what it takes to run a compliance and risk function.
- Both the risk management and compliance functions should conduct their own independent analyses and reviews and not rely solely on the work of others. Be critical in assumptions, methodology, data extraction and legal requirements, while using common sense and proportionality to the business model.
- Focus on efficiency in the second line, continuously coordinating work areas so that the functions can jointly cover as many risks as possible. It’s a win-win for both the first and second line.
- Management buy-in and management culture are essential for good governance. Maintaining a professional attitude is important to build respect around roles, responsibilities and work tasks.
A good risk management and compliance function requires a comprehensive approach that combines management commitment, clear policies, regular training, effective controls, and continuous monitoring and improvement. By integrating risk management into all aspects of the organisation’s operations and decision-making, the organisation can protect itself better from potential threats and ensure long-term success and stability.