The recent PRA consultation paper CP 9/20, and the emphasis given to it by Sarah Breeden in a recent speech, give an interesting insight into the PRA’s expectations of newly authorised banks’ risk management capability. The key message is clear: Risk Management cannot be an afterthought, and any expectation of a ‘free pass’ on the grounds of being a new bank is unfounded. The consultation paper does not in itself give enough detail to guide the granular development of a risk framework, but it will allow banks to focus on what must be done. Of particular interest is the statement of expectations at three points in time, namely at authorisation, after three years, and after five years. The sub-headings below quote the wording of the CP 9/20 document, with page references.

Year 0 - At authorisation: Risk Management Framework and policies in place but untested as the firm has not yet operated as a bank (p8 – 3rd row of table)

A key point to note here is the distinction between policies and frameworks. For many organisations the policies state the minimum standards for the organisation, whilst the frameworks document ‘how we will meet those minimum standards here’. What this means in practice is that the design of the risk management framework must be complete at the point of authorisation. This will be a challenge for many new banks, where the excitement and attention will be focused on building a customer proposition in a rapid and agile manner. The design of a new risk framework is nonetheless a rare opportunity: there is the potential to avoid repeating the mistakes that legacy banks are now trying to unwind. For instance, an integrated non-financial risk framework can be designed to cover Operational Risk, Conduct, Compliance, Resilience, and IT Risk seamlessly – reducing the cost of running multiple frameworks and reducing friction with the business. Whilst this will take more effort up-front, it will pay dividends for many years to come.

Year 3: Bank is testing and refining framework and policies in light of experience. Risk management is fit for purpose, with a focus on developing risk management and controls for the most material risks (p8 – 3rd row of table)

Here the focus is on an iterative approach to improving the risk management capability. The Board and/or Risk Committee should be involved, and there should be at least annual reviews of the risk management framework to ensure it remains fit for purpose. New digital banks especially will be seeking to refine the most effective way for the organisation to interact with the risk management framework. We are increasingly seeing integration with messaging platforms such as Slack and Microsoft Teams in order to create the buy-in required within the business. There is also a focus on understanding the risk profile and the ‘most material risks’. This will require bringing together all the artefacts produced by the risk framework, then analysing and aggregating them to understand where time and attention should be focused. A key mistake we see at this stage of evolution is Risk Management functions being too passive and not getting out to challenge the business. Risk management functions shouldn’t be socially distant! The ‘Risk Culture’ will also need to be considered, appropriate training rolled out, and robust top-down messaging on the importance of risk management delivered.

Year 5: Mature control environment with a fully embedded risk management framework linked into a stable business model. Framework provides forward looking view across all risk types. Continuous improvement to ensure framework remains fit for purpose given business and regulatory developments. (p8 – 3rd row of table)

Entering Year 5, all banks will need to have fully matured and embedded their Risk Management framework. In practice this means that everyone will have to fully understand their risk management roles and responsibilities, perform those roles consistently and appropriately, and the organisation needs to be able to verify that this is happening. To date, the usual mechanisms for this verification have been control testing and attestations. Whilst these approaches still have value, organisations are increasingly looking to technology solutions to automate control testing and using AI to perform controls oversight – for instance, through the use of voice behavioural analytics within contact centres. There continues to be a large amount of regulation applicable to banks, which will no doubt evolve again in the future, and banks will need to track and respond to new requirements; again, there is increasing use of technology platforms to assist in this regard. There is also a reference to a forward-looking view of risk at this stage, which will require careful thinking through the causal factors of the key risks to which the bank is exposed.

The consultation paper is accompanied by a draft supervisory statement which expands on it. Some key themes are listed below:

Stress Testing and Downside Risk

Good financial risk management will be required as the bank develops any credit or treasury products. The business imperative to grow a loan book has to be carefully balanced with the need to understand exactly which segments of the market the bank is exposed to. Organisations need to understand the severe but plausible events that could cause extreme harm to the business and ultimately cause it to fail. This is commonly explored through scenario analysis, stress testing, and wind-down planning, and opportunities to harmonise these approaches should be investigated.

Adequacy of Technical knowledge

A common challenge for new banks has been integrating a culture of technology and innovation with the more established disciplines of financial services risk management. New banks will need to make sure that they have adequate risk management technical knowledge from either third parties or internal staff members. This doesn’t mean that everything has to be done in a traditional ‘bank’ way, but that the key objectives must still be appropriately understood and met.

Accurate Data and Management Information

The quality of underlying data is often undervalued in risk management. Management decision making will be sub-optimal if the underlying information is incomplete or inaccurate. In particular, we have observed a number of newly regulated banks facing difficult conversations with the regulator over the accuracy of their risk capital calculations. The use of AI, robotics (robotic process automation), and shared-service centres is becoming increasingly common in the production of Management Information.

Control environment lagging business ambitions

There is often friction between the agile methodologies of new banking entrants and the need to control change. Rolling out products and services to small pilot groups can mitigate some risks, but the reality of risk exposure is more complex than that. Risk and regulatory exposure assessment needs to be built into the agile change process, with sufficient 2nd line challenge to the 1st line.


The aims of the consultation paper and supervisory statement for risk management are clear. There needs to be sufficient thought given to Risk Management early in a bank’s evolution. This cannot be seen purely as a cost of doing business to be minimised. Whilst cash flow may be tight in new banks, more investment in Risk Management at an earlier stage may avoid a considerable amount of pain later in the bank’s development. There are significant opportunities to develop a more holistic and technology-led Risk Management approach early in the lifecycle, especially as the cost and disruption of change increase markedly once risk management processes are up and running. Risk Management for new banking entrants should be made smarter, not just leaner.