Chapter 12 Governance functions & CRO

Discussion in 'SP9' started by Bill SD, Nov 23, 2023.

  1. Bill SD

    Hi, (to atone for the recent lull in posts) I have 4 comments and questions on Chapter 12 of the CMP and the related textbook reading. I'd appreciate any answers to the questions, even if you ignore the lengthier comments.

    1. ActEd Notes section 2.4 (page 14) lists 5 skills required within a risk function, including 'implementation skills' as the final bullet. What does 'implementation skills' refer to? If it is simply the reliability and capability to implement an agreed risk plan, then this list of 5 skills appears incredibly generic and applies equally to any job, ranging from street cleaners to airline pilots! I personally work in an insurer's risk function and the job descriptions focus on written and verbal communication, courage to challenge, etc.

    2. Lam (Chapter 6, page 91) states that an "increasingly common industry practice is the creation of communities of risk that cut across hierarchical levels and business units". What are these "communities of risk" - is it essentially a range of staff forming a risk specialism/working party to regularly share updates or volunteers from each business unit becoming a 'risk champion'?

    3. (i) This (and many preceding) chapter's notes and Lam frequently mention the concept of 'integrating risk management' into business processes, Board reporting, etc. Does this simply mean ensuring that risk considerations, metrics, etc. are always considered as part of business processes, strategic decisions, etc.? (So, for example, (A) requiring all Board strategy papers to include a Risk opinion on material concerns, (B) regularly providing Board members with an ERM scorecard/dashboard, etc.)

    (ii) Lam (top of page 94) mentions 'integrated monitoring' - is this effectively the example he provides (Policy 6.0 at GE Capital) of regularly checking whether business performance breaches a pre-determined trigger point, which then activates a reconsideration of the original decision and a mitigation plan (exiting unprofitable business, decreasing investment, etc.)?

    [It seems that 'integrated' is the ERM buzzword, also featuring on page 12 of the notes describing the 'partnership model' of installing risk management staff into roles in each business unit.]

    4. Sections 2, 4 and 5 cover the respective roles of a Risk, Compliance and Internal Audit function. However, given their overlapping objectives and responsibilities (examples (i) - (ii) below, plus many others), I remain unsure of their exact distinctions.

    (i) Page 19 of the notes states that internal audit responsibilities may include "monitoring compliance with laws and regulations" - isn't that Compliance's role?
    (ii) "Risks are an important concern for the internal audit function" Surely that's the point of a Risk function?

    I presume one answer is that Risk and Compliance are 'Line 2' (of the 3 lines of defence) while Internal Audit is 'Line 3', reviewing the effectiveness of Line 2's work. But in practice this often reduces Internal Audit work to reviewing Line 2's process documents and 'box-ticking', ie monitoring that Line 2 adheres to its process document.

    This led me to wonder about the actual benefits in practice of 3 distinct functions (or 'lines of defence') implied by this chapter (and often required by regulation) versus a combined 'Assurance' function fulfilling Risk, Compliance and Internal Audit responsibilities (I guess this was the norm before the emergence of ERM and is still the case for small non-financial companies). The benefit of a combined function is to reduce duplication of work and make better use of the respective skillsets of risk, compliance and audit professionals. Regular peer reviews and occasional external reviews, as well as effective Committees, could provide independent challenge of Line 2 instead of a dedicated Internal Audit function. But on the flipside, I appreciate that the numerous disaster case studies and financial crises led to the independence of the 3 functions.
  2. Alvin Kissoon (ActEd Tutor)

    Hi Bill,

    1. It is; however, this is referring to the setting up and continued maintenance of successful ERM within an organisation, including an effective risk framework. Further information on implementing ERM within an organisation can be found in Chapter 31.

    2. Yes. Lam seems to refer more to the latter (ie people getting together for risk knowledge sharing within an organisation), which is an example of good risk culture noted in Module 4; however, say, the IFoA risk management working parties are also a good example of a community of risk.

    3. You're right, risk integration means ensuring that risk is always considered in business processes and strategic decision making, and Lam was referring to GE as an example of integrated monitoring against key risk management assumptions. Other examples can include allowing for the cost of risk in pricing, allocating capital based on risk-adjusted return, or banks making acceptance decisions based on risk limits. As for integration being mentioned a lot, it is integral to ERM, since it is the difference between taking a silo-based risk management approach and the holistic ERM approach. Therefore, I'm not surprised that it's mentioned often!

    4. Your first answer is correct and shows the split of the roles, though internal audit isn't just a box-ticking exercise. As part of their reports they also evaluate the internal control environment (designed to ensure compliance and effective risk management) and provide management recommendations (which are then tracked), so they do provide independent, objective input. That is an argument for having Internal Audit as a separate line: this input adds value over and above what one combined function would provide.

    I hope this helps and happy to follow up on any further questions.

    Alvin.