Swaminathan J: Safeguarding financial stability - the crucial role of assurance functions

Speech by Mr Swaminathan J, Deputy Governor of the Reserve Bank of India, at the Conference for Heads of Assurance Functions, Mumbai, 10 January 2024.

Central bank speech | 23 January 2024

Chief Compliance Officers, Chief Risk Officers, Heads of Internal Audit, colleagues from the Reserve Bank of India, Ladies, and Gentlemen. A happy New Year and good afternoon to all of you.

I am delighted to address you today as we gather for this inaugural conference of Heads of Assurance functions. Last year, in our engagements with the Boards of both Public and Private Sector Banks, Governor had emphasized the importance of independence of assurance functions as well as their right to constructively challenge business functions for establishing a strong compliance and risk culture. Indeed, this conference today is a testament to the significant importance the Reserve Bank attaches to the assurance functions in the context of safeguarding financial integrity and promoting regulatory compliance.

Undoubtedly, these are good times for the financial services industry, characterized by robust parameters of performance and soundness. This enviable position is owed, in no small measure, to the hard work and unwavering dedication of the compliance, risk management, and internal audit functions. However, our success should not lull us into complacency. Vigilance and a proactive alert stance are essential to identifying and mitigating risks that may emerge on the horizon.

As custodians of financial stability, we must be acutely alert to the risks emanating from both familiar and unforeseen sources. Risks may be inherent in the business model such as over-concentration to a particular sector or sources of funding. They could also arise due to inadequate oversight over operations, more so in vulnerable areas like outsourcing. The growing use of technology and the pervasive digitalisation of finance bring forth new challenges, notably in the form of cyber-security risks. Then there is also the ever-growing threat of climate risks. In this milieu, assurance functions, acting as the extended arms of supervision, are crucial in identifying, escalating, and facilitating the proactive management of risks and preventing them from ballooning into a crisis.

Indeed, the assurance functions serve as the indispensable foundation, ensuring not only the stability of the individual financial institution but also the resilience of the broader financial system. Supervision, as I am about to explain, comes in much later after the four lines of defence.

  1. As you are aware, the first line of defence operates at the business unit level itself and involves proactive risk management embedded within the daily operations of the bank. Here, assurance functions play a crucial role in fostering a culture of risk awareness and compliance at every level.

  2. The second line builds on this foundation by establishing robust risk management frameworks, policies, and procedures. Compliance and Risk Management functions, with their independence and expertise, contribute significantly to shaping and monitoring these frameworks.

  3. The third line of defence centres around internal audit, providing an objective and systematic evaluation of the effectiveness of risk management and internal controls. Internal audit contributes substantially to this line by ensuring an independent and comprehensive coverage, thorough examinations, and insightful recommendations.

  4. If we take external audit as the fourth line of defence, Supervision, then, becomes the fifth line of defence, complementing the groundwork laid by the assurance functions. Supervisory oversight, while essential, is most effective when supported by a strong foundation of risk-awareness, well-defined risk management and compliance practices, as well as robust internal and external audits.

The seamless collaboration between these lines of defence can form a formidable shield, safeguarding not only individual banks but the entire financial system against potential threats and vulnerabilities. Therefore, the efficacy of assurance functions is not just a matter of internal governance but a lynchpin for the overall health of the financial ecosystem.

The Reserve Bank has always been cognizant of the important role played by the internal assurance functions. More than three decades ago the position of 'Compliance Officer' was formalised in 1992 based on the recommendations of the 'Committee on Frauds and Malpractices in Banks' (also known as the Ghosh Committee). Apart from the compliance function, several instructions have also been issued on risk management and internal audit as well. A key underlying principle repeatedly emphasised in various RBI guidelines and instructions is that assurance functions should have adequate independence and stature within the organisation to function effectively.

I would now like to highlight some specific aspects in the domain of compliance, risk management and internal audit, where I believe there can be greater focus and attention.

Compliance

The Compliance function is at the forefront of ensuring the integrity of banking operations. I would urge you to adopt a 'regulation-plus' approach, where the institution not only meets but exceeds regulatory expectations. The compliance function must go beyond mere adherence to regulatory requirements. Compliance officers must endeavour to ensure that products, processes, and outcomes fully comply not only with the letter of the law or regulation, but also the spirit and intent. This approach ensures not only regulatory compliance but also the cultivation of a culture that prioritizes ethical conduct and sound business practices.

We would also like Compliance Officers to give due attention to the Risk Assessment Report (RAR) observations and Risk Mitigation Plans (RMP). To ensure sustained compliance, it is important to address the root cause of the observations. Further, there should be no compromise on the agreed timelines for RMP, and the bank should ensure that all RMP and RAR observations are comprehensively addressed well before the start of the next inspection cycle. Pending compliance paragraphs is not a desirable situation and may be a reflection of the lack of due attention by the management as well as the Board. Such instances can also invite stern supervisory action.

As you would be aware, the RBI in 2022 introduced the DAKSH platform, which is a web-based end-to-end workflow application with anytime-anywhere secure access that inter-alia facilitates focussed compliance monitoring. Apart from using DAKSH, I would encourage Compliance teams to explore IT solutions for monitoring of internal compliance as well.

Risk Management

Risk management should ensure that the strategic business and capital plans are properly aligned with the risk appetite of the bank. The Internal Capital Adequacy Assessment Process or ICAAP under Pillar 2 is crucial in this regard. Pillar 2 acknowledges that the minimum regulatory requirements stipulated under Pillar 1 may not capture the full spectrum of risks that a bank faces. Therefore, the ICAAP provides a forward-looking mechanism for banks to comprehensively assess and manage their internal capital needs, by considering a broad range of risks. Banks should learn to recognise its inherent value and use ICAAP document as a strategic tool to align capital plans with risk appetite and risk assessment.

The other aspect I would like to highlight is the meticulous monitoring of risk limits. Frequent breaches in risk limits, coupled with their non-ratification or their routine ratification, pose substantial dangers to the stability and integrity of financial institutions that extend beyond the immediate financial implications. If breaches become normalized or overlooked, employees may perceive risk limits as mere guidelines rather than non-negotiable boundaries, thereby compromising the institution's overall risk awareness. Therefore, it is imperative to address breaches systematically, conduct thorough investigations, and implement corrective measures to fortify the risk management practices.

Internal Audit

As regards Internal Audit, very often we come across deficiencies in the scoping, coverage, and periodicity as well as issues in independence of the internal audit function. Proper scoping, periodicity, and independence in risk-based internal audit are essential components of a robust governance and risk management framework.

The scoping process should be aligned with the organization's risk profile. It involves identifying and prioritizing key risk areas that warrant thorough examination. The internal audit should not just rely on the audit reports of a branch/ division but have a program for centralised off-site analytics to timely identify any unusual trend or outliers, examine their materiality and have these rectified by instituting system level controls. I would encourage internal audit to increasingly leverage technology, including usage of Artificial Intelligence and Machine Learning to facilitate early identification of key risk areas.

The periodicity of internal audit should be responsive to the dynamic nature of the risk environment. High-risk areas may necessitate more frequent audits, while lower-risk areas may be subject to less frequent but regular assessments. In addition to regular audits, a continuous monitoring framework should be in place to detect and respond to risks in real-time.

Independence of Assurance Functions

Before I conclude, I would like to delve upon the importance of independence of assurance functions. These functions serve as a critical check and balance within the governance structure of an organization. Therefore, independence of assurance functions is fundamental for ensuring that assurance activities are conducted with integrity, objectivity, and effectiveness. As Heads of Assurance functions, you play a critical role in upholding the integrity and effectiveness of your respective functions within your organizations. You must be vigilant in protecting the independence of these roles, resisting compromises that may arise due to dual hatting or other conflicting roles. While business owners may be known risk takers in pursuit of their business goals, I would urge upon the heads of assurance functions to be the conscience keepers and not allow themselves to be influenced by some short-term priorities.

Very often some friends in the industry confide that only managing a business function improves career prospects as compared to managing assurance functions which are considered typically non glamorous. I can assure you from my personal experience that this is not the case. Promotions are based on a combination of individual performance, skills, and organizational needs. Executives who demonstrate excellence, leadership, and a commitment to contributing to the organization's success are bound to advance in their careers, regardless of whether they are in assurance functions or other areas in the bank.

Conclusion

In conclusion, this inaugural conference of Heads of Assurance functions underscores the significant role these functions play in upholding financial stability. As we navigate good times in the financial services industry, let us not become complacent. Instead, we must remain alert by proactively identifying and mitigating emerging risks. Most importantly, the commitment to independence and effectiveness in our assurance functions is not just a matter of internal governance but a cornerstone for the overall health of the financial ecosystem.

With this, I would once again like to extend my warm wishes to each one of you for a very Happy New Year. May the coming year bring success, prosperity, and fulfilment in both your professional and personal endeavours. As we embark on new challenges and opportunities, may our collective efforts contribute to the continued growth and resilience of the financial sector.

Thank you.