DNB supervision: work to be done for risk management and internal audit

December 4, 2020

DNB has been accelerating in recent years when it comes to deepening supervision and making it more specific. A number of recent DNB publications show what that supervision will look like in the future. These include the recently released DNB publication "Vision on supervision 2021 - 2024". This is an interesting publication for supervised institutions because it indicates how a supervised institution can respond to this changing way of supervising. After reading it, it is clear that there is quite some work to be done for these institutions.

A brief summary of supervisory changes:

  • Supervision in the Netherlands will increasingly be driven by European developments, by laws and regulations from the European Commission and publications from various European financial regulators;
  • Data quality and information (cyber) security are and remain very important topics. Earlier, DNB issued the Good Practice Information Security and the Guidance Data Quality. Complying with these normative publications is an enormous task. It is precisely here that the competencies of the risk manager and the internal auditor can be deployed for the benefit of the entire organization. DNB previously required the performance of Control Self Assessments, in which the 1st and 2nd lines examine themselves for compliance with the standards. It is expected that DNB will make more use of assessments and analyses of the institution's risk management, preferably validated by the internal auditor;
  • In the coming years it will be data, data and more data. DNB itself will demand access to data from the institution. This data will supplement and possibly even partially replace the periodic reports that are already required. Note carefully what this means: DNB is going to look at the data itself! Data quality will inevitably become the most important issue in the coming years. This means that both risk management and internal audit can be expected to pay considerable attention to that topic, each from their own role in the organization. In many cases this change will mean that extra capacity, and above all additional knowledge, will be necessary;
  • DNB can discover errors in the data itself, and it goes without saying that the institution is better off preventing them. Data quality depends in part on "data quality by design" and can only be achieved through optimal internal control and architecture-driven development;
  • Cyber security specifically and information security in general must be in order. DNB expects continuous investment in resilience and (managerial) awareness, and expects institutions to "demonstrate that they have their information security in order". By this DNB means that Control Self Assessments are carried out and (again) validated by the Internal Auditor. It is expected that many institutions will have difficulty demonstrating that they are "in order". We expect a strong influence from the 2nd line, both to help the 1st line implement the measures properly and to demonstrate that the measures have actually worked. Risk management can support the 1st line in implementing the controls and Control Self Assessments, while Internal Audit can use its role in the 3rd line to provide the much-needed independent assurance;
  • This same requirement of demonstrability applies to institutions' suppliers. Outsourcing thus becomes one of the next major issues, with the necessary ISAE3402 statements from service providers and the implementation of service level management for all outsourced services;
  • Directors and supervisory board members are expected to have an increased level of knowledge about information security. Referring to the IT security manager when asked a question about IT security is unlikely to be accepted;
  • Artificial Intelligence, already regularly present in the form of chatbots but also increasingly in business processes, requires appropriate control measures. The algorithmization of business processes cannot and should not lead to a lower degree of control over, or poorer functioning of, business processes;
  • Outsourcing, of IT or business processes, remains a focus of DNB. DNB even (and this is exceptional) mentions a positive development, namely the more frequent use of independent IT auditors in the assessments of cybersecurity and outsourcing measures;
  • Sustainability risks are a relatively new priority. DNB has not yet been very specific about this, but the expectation is that DNB will primarily seek cooperation precisely in order to make this more specific;
  • Change capability is a new priority, coupled with matching the business model to the risk profile. Developments are rapid and DNB sees the difference between IT companies and financial institutions blurring. Risk management must always be safeguarded, in both stable and dynamic environments. Fintech is not the future, Fintech is the present.

ARC People assists a significant number of banks, insurers and pension funds with these issues from both the risk management and internal audit perspectives. Curious about our vision? Then contact one of our partners.