Evaluating a Bank's Risk Management System

## Auditing a Bank's Risk Management Framework

### Why Risk Management Matters in Bank Audits

Banks operate in an environment of high leverage and systemic interconnectedness. An effective risk management system is a key component of internal control. The statutory auditor must evaluate whether management's risk controls are adequate.

### Five Components of an Effective Bank Risk Management System

1. Governance Oversight

Those charged with governance (Board of Directors / Managing Director) must approve written risk management policies. These policies should be:

  • Consistent with the bank's business objectives and strategies
  • Aligned with the bank's capital strength
  • Informed by management expertise
  • Compliant with regulatory requirements
  • Reflective of the types and acceptable amounts of risk

2. Risk Identification, Measurement, and Monitoring

Risks that could significantly impact the bank's goals must be:

  • Identified and measured
  • Monitored against pre-approved limits and criteria

3. Control Activities

A bank should have controls to mitigate risks, including:

  • Effective segregation of duties (especially front office vs. back office)
  • Accurate measurement and reporting of positions
  • Verification and approval of transactions
  • Reconciliation of positions and results
  • Setting up limits; reporting and approval of exceptions
  • Physical security and contingency planning

4. Monitoring Activities

Risk management models, methodologies, and assumptions used to measure and mitigate risk should be regularly assessed and updated — often by an independent risk management unit.

5. Reliable Information Systems

Banks require information systems that:

  • Provide adequate financial, operational, and compliance information
  • Deliver data on a timely and consistent basis
  • Present risk information in a form that is easily understood by governance and management
  • Enable assessment of the changing nature of the bank's risk profile

### How the Auditor Evaluates These Components

For each component, the auditor asks: (a) Does a policy/control exist? (b) Is it designed effectively? (c) Is it operating effectively in practice?

Worked example

### Example 1

Scenario (Q7): Smile Bank — CA Sweety's Evaluation

CA Sweety reviewed management's controls and performance indicators for key risks. She should evaluate adequacy by checking all five components:

1. Governance: Are risk policies approved by the Board? Are they aligned with the bank's strategy and capital?

2. Identification/Measurement: Are material risks identified and monitored against approved limits?

3. Control Activities: Is there segregation between front and back offices? Are transactions independently verified?

4. Monitoring: Is there an independent risk management unit reviewing model assumptions periodically?

5. Information Systems: Are risk reports timely, consistent, and presented in a way that allows governance to track the changing risk profile?

If any of these five components is absent or ineffective, the risk management system is inadequate in that dimension.

⚠️ Common exam mistakes

  • Evaluating only the existence of a risk policy without testing whether it is actually followed in practice.
  • Overlooking the segregation of duties between front office (deal execution) and back office (settlement and recording) — a common source of fraud and error in banks.
  • Treating the independent risk management unit's periodic review as an optional feature rather than a necessary monitoring activity.
  • Failing to assess information systems adequacy — even good controls fail if management receives risk data that is late, inconsistent, or difficult to interpret.