Andrew Sheen February 24, 2021

Don't Tell Your Regulator (4): We have an ORM framework but can't show

This blog is one of a series designed to identify common mistakes made by firms. It explains why the mistake is damaging and could lead to regulatory sanctions, a capital add-on and even a skilled persons review (S166). If you are making this mistake then you need to change your practice.

Absence of evidence is evidence of absence

Many years ago, I was discussing with a firm the use and embedding of its Operational Risk Framework. While the firm was adamant that its framework was being used, it was unable to prove it. I have since had similar experiences with numerous firms covering various elements of Operational Risk and Risk Governance Frameworks, and have often heard apologetic statements like the following:

  • We’ve taken a decision based on our Operational Risk Framework but I can’t prove it;
  • Our Board Risk Committee has taken decisions using Operational Risk information but I can’t…;
  • We capture all our risks but I can’t…;
  • We monitor our losses but I can’t…;
  • We review external events but I can’t…;
  • We consider controls effectiveness during the scenario process but I can’t…

Let’s be clear: Absence of evidence is evidence of absence. This means that if you can’t provide evidence that you do something, the conclusion will be that you don’t do it. Certainly, an auditor or regulator will not take your verbal assertion as confirmation. Proof is required.

Demonstrating use

So, how can a firm demonstrate that it is using its Operational Risk or Risk Governance Frameworks? For Governance Committees, including the Board, Board Risk Committee and Executive Risk Committee, the answer is by recording the issue, discussion and decision in the approved minutes for the meeting.

Of course, some decisions are taken outside formal governance and the formal minuting process. For example, senior management may elect not to introduce a change following a risk analysis. Because the proposal has not yet gone through formal governance, there is no formal record. Nevertheless, a written record of the decision should be made and retained, for example via email.

The ‘absence of evidence’ mantra applies beyond the Operational Risk and Governance Framework; for example, it applies to staff captured under the 'UK Senior Managers & Certification Regime'. These staff need to show they have taken reasonable steps to discharge their accountabilities and must provide evidence that they have done so. Once again, absence of evidence is evidence of absence.

We hope you find this blog helpful. When Chapelle Consulting benchmarks a firm’s Operational Risk or Risk Governance Framework, the firm must demonstrate that the various framework components are used and embedded. This is a pre-requisite to achieve a favourable assessment. For a full overview of our approach to framework improvements, please contact us.