In a notification the RBI has asked the boards of this entities to draw up a policy on RBIA to be implemented by March 31 2022.
The risk assessment framework should cover risks at corporate, branch, portfolio and individual transactions levels and associated processes. It should include identification of inherent business risks and drawing-up a risk-matrix for both the factors inherent business risks and control risks, the RBI said.
The central bank’s move is in response to failures in large NBFCs and UCBs in recent times like IL&FS and Punjab and Maharashtra Co-operative Bank (PMC) which did not throw up risks in their internal audits.
The RBI had mentioned about NBFCs and UBCs transitioning to a new risk based audit framework post its monetary policy review in December. Banks have been on a RBIA framework since December 2002.
NBFCs and UCBs have to constitute a committee of senior executives with the responsibility of formulating a suitable action plan. “The committee may address transitional and change management issues and should report progress periodically to the Board and senior management. This circular should be placed before the Board in its next meeting. The implementation of these guidelines as per timeline specified should be done under the oversight of the board,” RBI said.
The senior management has been made responsible for ensuring adherence to the internal audit policy guidelines as approved by the board and development of an effective internal control function that identifies, measures, monitors and reports all risks faced.
“The senior management is responsible for establishing a comprehensive and independent internal audit function which should promote accountability and transparency. It shall ensure that the RBIA Function is adequately staffed with skilled personnel of right aptitude and attitude who are periodically trained to update their knowledge, skill and competencies,” RBI said.
A consolidated position of major risks faced by the organization have to be presented at least annually to the board, based on inputs from all forms of audit. The internal audit function should assess and make appropriate recommendations to improve the governance processes on business decision making, risk management and control.
People responsible for the audit have to be given authority, be competent and have to be given at least a three year tenure, RBI said adding that these people have to directly report to the CEO or the board.