Overhaul of code on managing risk in UK financial services

31 August 2017

New guidance on how risk should be managed in UK banks and other financial institutions is being published by the Chartered Institute of Internal Auditors (The Institute) on 31 August.

The new edition of the Institute’s ‘Guidance on Effective Internal Audit in Financial Services’ – widely known as the Financial Services Code – was produced following wide consultation with the industry and with the support of the Bank of England, PRA, FCA, and Financial Reporting Council. It strengthens the role of internal audit in ensuring that financial institutions properly manage all their risks; and it should lead to internal audit playing an even more active part in preventing failures, scandals or mismanagement in UK financial services firms.

Internal auditors are responsible for ensuring that the organisation that they work for is properly managing all significant risks - both financial and non-financial.  The Code provides a best-practice benchmark against which boards and regulators can assess the effectiveness of their internal audit functions. 

The key changes to the Code include:

  • Recommending internal audit should report annually on whether firms are adhering to their own risk appetite framework;
  • Recommending internal audit should review the action taken by the firm following any significant adverse event, such as regulatory breaches, including the roles of all the key actors;
  • Spelling out that internal audit’s plans must be regularly reviewed to take account of new and emerging risks;
  • Recommending internal audit should look critically at the work of the organisation’s other control functions, in terms not only of their processes but also their quality;
  • Underlining the central role that internal audit should play in assessing the culture of the firm. It should look not only at the ‘tone at the top’, but also at whether behaviours right across the organisation are in line with its stated values, ethics, risk appetite and policies, and report on its findings; and
  • Recommending audit committees should discuss the objectivity and independence of chief internal auditors each year after they have been in post for seven years.

Institute Chief Executive, Dr. Ian Peters, says:

“The new Code should make internal audit an even stronger watchdog in managing risk effectively in UK financial services.”

“The Code has already made a real difference to the profile and authority of internal audit since it was published in 2013. It has driven real improvements in performance across the sector, especially in the area of culture. But the time has come to go further.”

“It is not just about changing the ‘tone at the top’ but about helping to achieve a sea change in culture in banks and financial services firms – a shift in attitudes and behaviours. To achieve this, there needs to be systematic and objective assessment of behaviour at the frontline, not just in the boardroom.”

“Overall, the enhanced Code should help ensure that internal auditors can play their full part in effectively protecting the assets, reputation and sustainability of their organisations.”

“Internal auditors across the sector now need to drive these changes forward.  They should demand, and get, stronger backing from audit committees and board.  Boards, in turn, should expect and demand more from internal audit departments.  And the new Code needs the continued support of the regulators to give it even more clout.”

The original Code was published by the Institute in July 2013, in the aftermath of the 2008 global financial crisis, and was prompted by an analysis of its causes and by governance, risk management and control failures including LIBOR and rogue trader scandals.   It was welcomed by UK regulators, who have made clear that they regard compliance with the Code as necessary.     

The review of the Code, instigated by the Institute, was conducted by an independent committee of senior industry figures, chaired by Mike Ashley, chair of the audit committee of Barclays, with the support of regulators; and involved two rounds of consultation with the sector. 

 

ENDS