The objective of the Internal Audit (IA) roundtable is to discuss new trends, developments, and leading practices for the financial services industry. During the event there is an opportunity for participants to network and share best practices. 

Representatives of IA of financial institutions, insurance companies and market infrastructure gathered on the 7th of February 2025 for a discussion on risk culture and the intersection of internal audit and DORA.

Risk Culture

Risk culture is the blend of collective mindsets, shared norms, attitudes, and behaviors that guide how risks are identified, assessed, and managed across all tiers of a bank. Risk culture touches every aspect of decision-making by staff and leadership, steering the way risks are approached and handled daily. By assessing an organization’s risk culture, it becomes possible to gain deeper insight into how employees identify and address the risks they encounter in their roles.

The benefits of a risk culture

In today's dynamic and fast-paced environment, organizations are facing numerous ‘push factors’ that motivate a deep-dive into their risk culture. Examples of those push factors are the importance of ESG and its focus on governance, and the intensification of public and regulatory scrutiny. At the same time, organizations face risks due to economic uncertainties. This increases the importance of creating a strong risk culture that allows corporations to promote ethical behavior, facilitate the reporting of internal incidents, reduce the risk of fraud and integrity incidents, make employees feel more engaged and create a setting that fosters innovation, which in turn allows institutions to improve their reputation with the general public, attract talent and enhance financial performance.

Room for improvement

Over the last few years, there has been a noticeable trend in which incidents receive widespread media coverage, provoking strong responses from the public, politicians, and regulatory bodies.

Common factors seem to be deficiencies in internal governance and risk culture that can be seen as early warning signs of difficulties ahead. Although the European Central Bank (ECB) has noted progress in this field for financial institutions, there is still room for improvement. That is why the ECB sets out key supervisory expectations on governance and risk culture, as recently published in the draft Guide on Governance and Risk Culture [i].

The ECB

The ECB has long striven to improve the quality of banks’ internal governance and risk management. Historically this has been the element of the Supervisory Review and Evaluation Process (SREP) where banks have scored worst, with little sign of improvement in recent years. This has led to growing frustration among supervisors – and increasingly intrusive investigations.

In its Supervisory Priorities for 2024 the ECB therefore promised further action to tackle persistent deficiencies in the quality of banks’ management. To that end, on 24 July 2024 the ECB published its new draft Guide on Governance and Risk Culture (for consultation until 16 October). The Guide, which draws on the results of a series of risk culture deep-dives conducted last year, as well as wider thinking by the ECB and national central banks, updates the ECB’s 2016 Supervisory Statement on Governance and Risk Appetite.

The Guide’s most significant innovation is its focus on behavioral aspects of risk culture: how employees act in practice when taking and managing risks. ECB Supervisory Board Vice-Chair Frank Elderson described informal behavioral norms as the ‘software’ of governance (complementing the ‘hardware’ of committee structures and formal policies) in a speech last September.

In the latest Guide, the ECB sets out an expectation for bank leadership to articulate and encourage a healthy risk culture at all levels of the organization. That should begin with bank leadership setting a clear ‘tone from the top’ on the importance of prudent risk management, as well as encouraging constructive challenge and welcoming diverse perspectives before decisions are taken.

This culture of prudence should be rooted in appropriate management structures. Boards and committees should be sufficiently large and diverse to accommodate a range of perspectives and expertise. In our view, banks should clearly allocate roles and responsibilities to allow for individual accountability. Risk management and other internal control functions must be independent of first-line business units and must be given sufficient resources and status within the organization to be effective. Finally, risk management goals should be reflected in banks’ compensation and reward policies to create strong individual incentives for prudence. The Guide does not prescribe precisely how banks should meet these expectations, but it does list both good practices and ‘red flags’ for governance and risk culture that the ECB has observed in the course of its supervisory activities.

Source: Cultural evolution: The ECB launches a new Guide to Governance and Risk Culture

How 乐鱼(Leyu)体育官网 can help

At 乐鱼(Leyu)体育官网, we leverage over 30 years of experience in assessing, measuring, and monitoring the risk culture of financial institutions and leading corporates. Simultaneously, we identify the root causes of incidents within these organizations. Our approach is comprehensive: we start by assessing the risk culture and governance to pinpoint the organization’s strengths and areas for improvement. Once identified, we provide clear and practical recommendations as well as hands-on support for strengthening and maturing the risk culture.

We have the capability and experience to measure, monitor and enhance an organization's risk culture – whether it encompasses the full spectrum or is focused on specific elements – through various established techniques, proven methods, and strategic interventions.

Central to our work is our robust and scientifically validated Risk Culture Model. Adopters of this model include regulators such as the European Central Bank and the Dutch Central Bank, as well as many other (international) financial institutions and leading corporates in various sectors.

乐鱼(Leyu)体育官网's Risk Culture Model - also used by Internal Audit - will enable Risk to measure and manage risk culture

Speakers

Kris Vancolen and Muriel Van Loo

The Role of Internal Audit in TPRM & DORA

In today's interconnected business landscape, organizations increasingly rely on external entities such as vendors, suppliers, and service providers to support their operations and deliver essential services. While these partnerships offer numerous benefits, they also introduce a range of potential risks that can have far-reaching implications for an organization's resilience and regulatory compliance. This has propelled third-party risk management (TPRM) into the spotlight as a critical component of overall risk governance. Third-party risk management involves the systematic assessment, monitoring, and mitigation of risks associated with engaging external entities. From supply chain disruptions to data security breaches, the potential risks stemming from these relationships are multifaceted and can impact an organization's operational, financial, and reputational stability. Therefore, establishing robust processes and controls to address and mitigate these risks is paramount.

DORA

With the Digital Operational Resilience Act (DORA), the European Commission proposed a legislative framework introducing requirements related to outsourcing and third-party dependencies, aiming to ensure that financial institutions adequately oversee and manage the risks associated with external service providers. This includes provisions for enhanced oversight and due diligence in relationships with third-party vendors to mitigate potential disruptions and safeguard operational continuity.

DORA seeks to address the evolving challenges posed by the increasing reliance on digital systems and services, particularly in the financial and insurance industries, and aims to ensure the continued functioning of critical operations in the face of potential cyber threats, IT disruptions, and other operational risks.

The Role of Internal Audit in relation to TPRM & DORA

Under DORA, internal audit is expected to play a critical role in reviewing and providing assurance on the governance, risk management, and internal control processes related to information and communication technology (ICT) risks.

The role of internal audit or internal controls within the DORA framework is of paramount importance in ensuring the effectiveness of risk management and the resilience of digital operations within financial institutions. Under DORA, internal audit functions are tasked with the responsibility of assessing and validating the adequacy and effectiveness of an organization's digital operational resilience measures. This encompasses evaluating the design and implementation of controls, as well as assessing the institution's ability to identify, mitigate, and respond to ICT-related threats and disruptions.

Moreover, internal audit functions are required to provide independent and objective assessments of the effectiveness of operational resilience measures, including identifying potential weaknesses or gaps in the institution's digital infrastructure and recommending appropriate remedial actions.

At the same time, internal audit is faced with challenges. These include the need to stay abreast of the rapidly evolving regulatory environment and potential updates or amendments to DORA. Internal control functions must also continuously navigate compliance with data security and privacy regulations in the context of digital operations, emphasizing the need for robust data governance and security measures. Integrating the requirements of DORA into the organizational culture and operational processes presents further challenges related to change management and necessitates fostering a culture of resilience.

Next to that, financial institutions operating across multiple jurisdictions encounter the complexities of cross-border compliance and require a comprehensive approach to reconcile varying regulatory frameworks while adhering to DORA's provisions.

Internal control functions may also face resource constraints when implementing the measures necessary to comply with DORA. Ensuring adequate staffing, expertise, and technological infrastructure to effectively address regulatory requirements and maintain operational resilience can present a significant challenge, requiring efficient resource allocation and strategic prioritization.

These challenges underscore the multifaceted nature of navigating the landscape of digital operational resilience within the framework outlined by DORA, demanding a cohesive and adaptive approach to compliance, risk management, and technological acumen within internal control functions.

Roundtable discussion

The roundtable discussions on the intersection of internal audit and DORA illuminated the pivotal role of internal audit functions in fortifying digital operational resilience within financial institutions. Participants emphasized the potential for internal audit to bolster risk management, enhance control frameworks, and validate the effectiveness of operational resilience measures in the context of DORA.

While the opportunities for leveraging internal audit within the DORA framework are substantial, addressing challenges such as evolving regulatory requirements, dynamic technological landscapes, and the need for audit methodologies will be critical to maximizing the value of internal audit functions and navigating the complexities of regulatory compliance effectively.

The forum provided a rich platform for professionals to delve into the nuances of aligning internal audit practices with the imperatives of DORA. It underscored the significance of collaboration, innovation, and adaptive approaches to internal audit processes, particularly in the context of evolving digital risks and operational disruptions.

By embracing these insights, organizations can refine their internal audit strategies to align with the imperatives of DORA, contributing to a resilient and well-governed operational environment within the financial sector.

How 乐鱼(Leyu)体育官网 can help

At 乐鱼(Leyu)体育官网, we leverage our extensive experience and expertise to support financial institutions and internal audit functions in navigating the challenges posed by DORA and its requirements. Our approach integrates a deep understanding of regulatory compliance, risk management, and audit methodology to address the specific needs of our clients.

In response to DORA, we assist organizations in evaluating their operational resilience, internal controls, and risk management frameworks through comprehensive assessments and audits. Utilizing our established methodologies, we assess the alignment of internal controls with DORA requirements, identify areas for enhancement, and provide clear, actionable recommendations to strengthen operational resilience and compliance.

Moreover, we offer tailored support to internal audit functions in developing audit plans that align with the provisions of DORA. This includes providing guidance on risk-based auditing, evaluating the effectiveness of internal controls, and ensuring that audit processes are attuned to the evolving regulatory landscape.

Through our extensive capabilities and industry insights, we equip organizations with the knowledge and tools necessary to adapt to the requirements of DORA, enhance their internal audit processes, and fortify their operational resilience within the digital realm.

Speakers

Thomas Meyer, Jens Moerman and Matthias Boeckstijns

[i] 
