FINMA requirements with GRC software and risk management solutions

September 20, 2016

Throughout the private and public sector there is a growing need to embrace risk management strategies in order to remain flexible and resilient enough to weather global uncertainty. It is important to note that it is not just financial institutions and banks that need to manage risk; all sectors can benefit from increasing their risk resiliency. The key is to combine both agility and resilience in institutional planning, as one without the other merely adds further risk. Indeed, while risk-agile companies are far more likely to experience substantial revenue and profit-margin growth, they jeopardise their long-term success if they fail to incorporate hardening measures that ensure institutional resiliency.

Whereas financial service providers have emerged from the Great Recession stronger and more agile, many other actors, particularly healthcare providers, engineering and construction firms, energy companies, as well as education and government entities, remain less agile and resilient. Actors in these sectors would do well to heed the range of new risk management regulations and frameworks that have emerged in recent years.

One such development is the new set of Swiss Financial Market Supervisory Authority (FINMA) requirements. Released in March 2016, the new FINMA requirements encompass both new and revised risk management elements. The newest FINMA element is Circular 2016 / XX ‘Corporate Governance – Banks’, which updates the corporate governance, internal control system and risk management requirements. Circular 2016 / XX also incorporates the revised provisions of Circular 2008 / 24 ‘Supervision & Internal Control’. A key change is that the ‘comply or explain’ principle no longer applies.

Additionally, FINMA has released revised versions of Circular 2010 / 1 ‘Remuneration Schemes’ and Circular 2008 / 21 ‘Operational Risks - Banks’. The former now restricts the mandatory implementation of minimum standards for remuneration to large banks, and announces new conditions for the design of remuneration systems. The latter sets out revised requirements for considering the diversification of risk, with particular attention to IT and cyber risks.

Originally released as drafts in March 2016, all the aforementioned circulars have a planned implementation deadline of August 1st, 2017. Of particular importance to those seeking FINMA compliance guarantees, this date is also the deadline for implementing the newly introduced concepts. These include enhanced independence requirements for SGB, separate audit and risk committees (with independent chairpersons and nomination and compensation rules), the Risk Management Framework, as well as the creation of designated Chief Risk Officers.

Circular 2016 / XX also places greater emphasis on the board of directors exercising increased risk management oversight. This expanded role for the board is part of the need to implement a fully capable three-lines-of-defence (3LoD) model: the board's oversight is joined by control requirements on the front office, as well as on independent controlling bodies. It is important for actors not to view these (and other) risk management requirements as purely defensive practices. Effective risk management necessitates that firms adopt both defensive and offensive risk management strategies. Proactive actions not only better insulate organizations from risk; because they are not purely reactionary, they also allow for the discovery of new opportunities in the ever-changing risk landscape.

Given that these new rules are the result of a multi-year (and ongoing) reaction to the 2008 Financial Crisis, it is unsurprising that financial institutions are facing the largest changes. It is often difficult to keep abreast of the flurry of new requirements. If Governance, Risk and Compliance is your role, why not join Oxial & PwC on September 27th for the GRC Breakfast in Geneva? Gain insights from leaders in the GRC field, and register for free. Alternatively, contact us if you want to discuss how you can be compliant with these new regulations.

Author: Jeremy Lüdi