Risk management at regulatory authorities: A practitioner’s view

The build-out of risk management capabilities at regulatory authorities has gained increasing momentum over the past decade, as evidenced by several advancements:

  • Formal prioritization of the commitment to strengthening the risk management function as part of authorities’ strategic business plans.
  • Organizational elevation of the risk management mandate through the establishment of a standalone risk management function, often led by a dedicated Chief Risk Officer and reinforced through direct reporting lines to the CEO and the Board.
  • Shift towards more comprehensive disclosure of authorities’ risk management practices and priorities, as well as articulation of the evolving risk landscape, either as part of annual reporting or via separately issued risk outlooks, and in some cases even transparent publication of the authority’s risk appetite statement.
  • Increasing adoption of an enterprise-wide approach to risk management.

For many authorities, the experience of the pandemic has furthermore provided a hook to reconsider the role and benefits of an effective risk management function.

Despite these encouraging developments, effective delivery of risk management at regulators is not a trivial task. While in principle the logic of internationally recognized risk management frameworks such as COSO and ISO applies to authorities as well, the unique nature of authorities’ operating model requires careful consideration beyond just the structural design of the framework. From a practical point of view, several pitfalls can impair the effective design and delivery of the risk management program if not proactively addressed. This article discusses five of them.

1. Underestimating risk portfolio and ownership complexity and interrelations

Viewed holistically, a regulator’s risk portfolio is heterogeneous and multifaceted. Risks span multiple categories, ranging from external financial system risks at regulated entities and across the sector, through risks related to regulatory policy making and the delivery of supervisory and enforcement activities, to human resource and operational risks. As the financial sector continues to transform at a high pace, the risk portfolio is ever-growing.

Three particular complexities arise:

  • A significant subset of the risk portfolio is composed of risks that are slower-moving and more qualitative in nature, making them harder to gauge through a traditional risk impact and frequency lens and measure via quantitative risk indicators, thus demanding alternative solutions.
  • Many risks exhibit a high degree of interrelation and can, if materialized, mutually reinforce each other. If not appropriately considered, risk prioritization and control design decisions may be ill-informed.
  • Inherent policy conflicts in the regulator’s mandate may cascade and translate into risk management conflicts.

A further layer of complexity results from intricacies related to risk ownership allocation. Many regulatory and supervisory processes are transversal in nature and rely on contributions from multiple stakeholders within, and in some cases outside of, the organization. The question of who bears ultimate responsibility is often not clear from the outset, nor is where the regulator’s accountability ends. This can result in blurred accountabilities and a lack of risk ownership mentality. The complexity is compounded in settings with greater regulatory fragmentation resulting from a country’s particular regulatory architecture, with multiple authorities in place and possible overlaps in their mandates.

While there is no silver bullet solution, several practices can be adopted to navigate these complexities:

  • Creating risk matrices that indicate the degree of interrelation and potential conflicts and that serve as a reference during risk decision-making processes to ensure critical links are not overlooked
  • Engaging in scenario analysis exercises during which risk paths and interlinkages can be explored on the basis of plausible risk scenarios
  • Conducting risk-stakeholder landscape mapping exercises, identifying the long list of all stakeholders involved in the management of a given risk
  • Transparently designating a lead risk owner who is accountable for the end-to-end oversight of the risk’s management and the liaison with all involved stakeholders
  • Where external stakeholders are involved, seeking dialogue to align on the delineation of risk management responsibilities and establish a shared view on ownership

Beyond this, a further consideration must be the interplay between the second line of defense risk function and the financial stability function. While the financial stability function applies a macro view and relies on a different menu of controls, many of the risk types under its purview are consistent with those of the risk function. Neglecting these overlaps could lead to duplication of efforts and inconsistent risk narratives. Here again, it is critical that both functions establish an effective relationship and work in tandem to source relevant risk data and information, as well as align on their interpretation and risk response options.

2. Not unlocking the strategic potential of the risk management function

Risk function identity crises are not a new phenomenon. Situations where risk management activities are treated as a tick-the-box exercise and risk is viewed as a purely operational function reduced to its reporting role remain far too common. The same applies to risk management at regulatory authorities. While this may happen inadvertently, it must be addressed head on and requires coordinated effort across the organization.

The basic premise is the notion that the genuine value of the risk function is only realized if risk management information and considerations are embedded into and inform operational and strategic decision-making processes. In other words, risk must have a seat at the table. While this seems easy enough, some practical considerations are important. A useful starting point is the identification of those decision-making processes with a clear link to the risk function’s mandate. In each case, the specific role and contributions of the risk function must be defined jointly with other stakeholders. Flexibility is key and there should be no one-size-fits-all approach to involving risk. Indeed, in some instances an “active observer role”, whereby the risk function contributes to the dialogue and provides challenge as necessary yet abstains from decision-making, may be the most appropriate solution to maintain independence, while in other situations the risk function may be granted a formal voting right. Yet again, there may be decision-making fora where risk should only be invited on an as-needed basis in the interest of governance effectiveness. Documenting the role of the risk function in relation to each process in policies and terms of reference is key to maintaining consistency over time.

An important added consideration is that the risk function’s involvement can serve a double purpose. Besides its contributions, participation in the process allows the function holder to source relevant information that can feed into other risk management processes. This can create efficiencies down the line, avoid duplicate information requests or misunderstandings in interpreting risk information, and enrich the risk function’s perspective, leading to more informed conclusions.

Foundational, yet often overlooked, is the cultural dimension in this context. It is not enough for the risk function to have the self-conception of “adding value”; this view and message must be shared and consistently reinforced by other key stakeholders, most notably authority leadership, including the board and senior management in the first line. In organizations where the risk management framework is at a nascent stage of maturity, this support system is particularly critical to achieving risk integration. This support, however, must be earned, and it is incumbent on the risk function to demonstrate the value it can bring to the table.

3. Insufficiently recognizing the limitations of control effectiveness assessments

Evaluating control design and effectiveness and its impact on residual risk levels is rarely a black-and-white exercise. The nature of a regulator’s risk portfolio and control “toolkit”, however, adds unique challenges to this exercise. This applies particularly to risks related to regulated entities and the financial sector as a whole.

“Controls” to manage these types of risks typically take the shape of changes to regulatory policy. Understanding the impact of such changes, and thus the policy’s (i.e. control’s) effectiveness, requires an outcome-based view and an evaluation of whether the intended policy objectives have been met. This is challenging, however, as regulatory policy change is a longer-term process: the impact takes time to materialize and is often difficult to quantify and isolate from other factors, some of which may be outside of the regulator’s control. From a control assessment point of view, this means that a complete view of a control’s effectiveness in such a context cannot be fully established, limiting the conclusions that can be drawn on the impact on residual risk levels and sometimes creating the perception that risk levels are static. These limitations in the risk management process are not only important to recognize but must also be transparently communicated in the reporting of those risks to stakeholders.

Absent dedicated indicators that speak to the effectiveness of a new or changed policy, alternative approaches should be adopted. One solution involves the creation of risk narratives, which are constructed by combining different “points of evidence” to establish a view of the risk evolution and thus control effectiveness. These “points of evidence” can come in the form of quantitative and trend data sourced from regulatory returns, insights from on-site supervision, enforcement statistics and complaints data, as well as more qualitative anecdotal evidence. The key is to look for patterns across the data and information that help indicate whether a new policy is delivering the intended outcomes. While not a substitute for dedicated policy impact studies or industry surveys, such an approach can be a pragmatic solution to maintain an evidence-based risk dialogue under the existing limitations.

4. Underinvesting in capabilities building and change management

While the notion that risk management is at the heart of a regulator’s mandate is correct in principle, it easily leads to the misconception that staff at regulatory authorities are by default equipped with the practical know-how of how to perform risk management activities. Driven by wrong assumptions, the second line of defense risk function can easily set the bar of expectations for existing risk management capabilities too high and take for granted that the identity and role of the risk management function within regulatory authorities are clearly understood. This is rarely the case, though, and staff often exhibit an uneven baseline in terms of their risk management capabilities.

Taking the time to build an even foundation by setting risk management parameters and investing in capabilities build-up is therefore critical. This is not achieved through one-off training but requires investment over time. Authorities are best advised to adopt a bespoke training framework, anchored in an understanding of the varied risk management expertise and skill needs across different stakeholder groups, from the ground up to the Board level. The curriculum must not only break down in practical terms the risk management activities that are to be performed in the first and second line but also frame the mandate and contributions of the risk management function, the benefits it is intended to deliver and, importantly, how the risk management framework intersects with day-to-day first line operational activities. Case studies, post-mortems following materialized risk incidents and other practical exercises are valuable tools for reinforcement. Importantly, in the early stages of risk management framework maturity, risk functions must demonstrate readiness to adopt a more hands-on approach to guide the first line of defense through risk management processes.

As authorities evolve their own risk appetite from a zero/low-tolerance base to selectively higher tolerance levels in order to advance market and internal innovation objectives and reap their benefits, investment in the softer aspects of capabilities building through “risk culture change management” becomes even more important. The shift towards a mindset of accepting risks and (orderly) failure must be visibly role-modeled by authority leadership, and managers and staff must be given frequent reassurance that they bear no negative consequences in embracing the new paradigm. Here too, the risk function can help navigate the process by working in partnership with the first line of defense to translate changes in risk tolerance into implications for practical day-to-day work and to identify change bottlenecks that can subsequently be addressed through targeted interventions.

5. Insufficiently engaging the risk function in the authority’s data transformation

Despite the varied and sometimes more qualitative nature of risks in the authorities’ portfolio, data remains the bread and butter for effective risk management. With regulators’ data management infrastructure being historically underdeveloped and significant data fragmentation a common issue, risk managers both in the first and second line face an added challenge in tapping into the data set required to perform their activities.

As many regulators engage in large-scale data transformation exercises, this presents opportunities for enhancing the risk management program – if approached right. Two scenarios are not uncommon.

On the one hand, the data management office is often already faced with a large and diversified set of internal stakeholders to engage in the transformation. With the risk management function frequently still being considered the “new kid on the block”, it may not be an intuitive candidate to invite to the conversation unless prompted. At the same time, the risk management function may be pressed to establish risk indicators absent a coherent data environment for reporting and risk management purposes, and is thus incentivized to create a parallel risk data infrastructure, which in turn risks duplication of efforts and potential data inconsistencies. While temporary workaround solutions for risk data sourcing are inevitable in such a setting, the risk function ultimately needs to be part of the data conversation. Risk data needs must be clearly articulated to determine what type of data is needed at the source and where synergies in the collection exercise can be realized, as well as to ensure that a single source of truth is established that can feed different analytical purposes across the first and second line of defense. Furthermore, the promise of suptech solutions equally applies to risk functions. Suptech tools applied by frontline supervisors, and their outputs, might equally serve the risk function in carrying out its oversight and independent challenger role. Such solutions should therefore be explored through active consultation of the risk function to identify common analytics needs and maximize synergies.


Enterprise risk management programs at regulatory authorities are experiencing growing momentum. If effectively embedded, the second line of defense risk function can enrich a regulator’s operational and strategic decision-making processes with new perspectives and aid in maneuvering the increasingly complex operating environment that regulators face. Achieving this, however, requires a careful and tailored approach that balances structural risk management elements with investments in people, culture and change, and a mindset in which the risk function views itself, and is recognized, as a partner to the first line of defense.