Individual financial institutions, especially banks, should be watchful of the economic impact of risk events such as theCovid-19 pandemic and potential economic disruption due to geo-political events in Europe, and take adequate measures to maintain their resilience, according to Reserve Bank of India Deputy Governor MK Jain.
The Deputy Governor observed that the nature and frequency of risks faced by the financial system today are unparalleled and unpredictable.
“In this regard, it is important to recognise the inter-linkages between quality of governance and resilience of financial institutions.
“Even as high quality governance enhances resilience, poor corporate governance is a source of risk to financial institutions and the financial system,” Jain said in his keynote address at CAFRAL.
He observed that effective internal defences will help in building organisations that are strong, resilient, disciplined and enjoy the benefits of sustained growth and customer confidence.
It will also pre-empt supervisory action and the attendant reputational risks that arise in case transgressions are detected.
He underscored the importance of governance structures and practices in the banks, which should prioritise protection of the interest of their depositors.
Banks enjoy high leverage as they can raise a substantial amount of uncollateralised deposits, and perform the function of liquidity and maturity transformation, he said.
RBI’s assessment and findings
In recent years, RBI’s assessment of oversight and assurance functions has received greater focus given their importance in addressing the root cause of problems.
The common weaknesses in oversight and assurance functions include failure / delay in detection and reporting of non-compliance, persisting sub-par compliance, deficiencies in compliance testing with respect to inadequate coverage and limited transaction testing, persisting irregularities due to non-addressing of root causes and not ensuring sustainability of compliance.
Further, the compliance operation was often found to be inadequately staffed and the quality of staff was also found be wanting.
On the risk management front, the central bank found a disconnect between the Risk Appetite Framework as approved by the board and actual business strategy and decision making, weak risk culture which was amplified by the absence of guidance from the senior management, improper risk assessment, repeated exceptions to risk policies, conflict of interest, especially in related party transactions, and absence or faulty enterprise-wide risk management.
Operational risk was seen to be high on account of people risk, elevated IT and technology risk, and high outsourcing risks, Jain said.
On the internal audit front, RBI found the audit process unable to capture irregularities, certain areas were not covered under the scope of audit, and compliance and audit were not collaborating with each other.
It came across lack of ownership and accountability, inadequate review of practices that require alignment to address the interests of all stakeholders, and non-compliance/ delay in compliance with audit observations .
The Deputy Governor observed that oversight and assurance functions have a key role in value creation for a financial institution, strengthening public confidence, preserving and enhancing its reputation, and maintaining the integrity of its business and management.
“The board should engage with the oversight and assurance functions and assure them of direct and unfettered access.
“The “tone from the top” would set the pace for a sound organisation culture that values honesty and integrity,” he said.
Jain emphasised that appointment and removal of heads of oversight and assurance functions should have stringent barriers and they must be independent of executive management.
Assurance functionaries should not perform tasks on which they are required to take a view independent of the risk takers.
Weaknesses and irregularities recurring
On the recurrence of weaknesses and irregularities, the Deputy Governor said: “My expectation from the banks is that they make serious efforts towards overall improvement and sustainability in their compliance.”
Jain noted that the quality of deliberations, the level of challenge provided to executive management, and the time allocated to important agenda items is often inadequate.
‘The board members should focus on strategic and important matters… Many times, a large number of agenda items are included, including table items, which do not allow for proper evaluation of proposals. The board also needs to work in a cohesive manner,” he said.
Jain underscored the need for the board to start looking at cyber risk as an enterprise-wide risk management issue, rather than a pure IT security issue, owing to its firm-wide implications.
Adequate investments in technology should be ensured.
“In its role of oversight, the board needs to oversee the overall cybersecurity management, including appropriate risk mitigation strategies, systems, processes, and controls.
“Whether the institution has the appropriate skills, resources, and approaches in place to minimise cyber risk and mitigate any damage that may occur also needs to be seen,” the Deputy Governor said.
It is important to ensure that financial institutions are board-driven and do not end up being dominated by individuals. Experience has shown that this leads to undesirable consequences, he added.
While regulations are in place to check improper Related Party Transactions, including their disclosure, it is important that the Board and Audit Committee exercise close oversight over such matters and get satisfactory assurances.
March 29, 2022