---
title: "The Silent Underlying Revolution in Governance: RBI&#8217;s Integrated Approach to Risk, Compliance &#038; Internal Audit"
date: 2026-07-17
author: "King Stubb &amp; Kasiva"
url: https://ksandk.com/newsletter/rbi-risk-compliance-internal-audit-directions/
---

# The Silent Underlying Revolution in Governance: RBI’s Integrated Approach to Risk, Compliance & Internal Audit

Posted On - 17 July, 2026 • By - King Stubb & Kasiva

The Reserve Bank of India (RBI) issued new Directions on 10 June 2026 to strengthen and streamline the governance of **risk management, compliance, and internal audit functions** in regulated entities. By consolidating and harmonising several existing regulatory requirements into a unified framework, the RBI seeks to promote greater coordination among these control functions while preserving their functional independence.

## Scope of Application

The framework reshapes how risk management, compliance, and internal audit functions report to senior management and the Board. It applies to the following **regulated entities**:

- Scheduled commercial banks
- Small finance banks
- Specified non-banking financial companies

## Why a Unified Framework Is Needed

As financial institutions operate in an increasingly complex and interconnected environment, organisational risks have become more **dynamic and multifaceted**. Mere compliance with legal and regulatory requirements is no longer sufficient to effectively manage enterprise-wide risks.

Greater coordination, timely communication, and integrated risk assessment are essential to identifying emerging risks at an early stage. The new framework seeks to address this governance gap.

## Structural Core of the Framework

The consolidated Directions are built around **three key themes**:

- Horizontal synchronisation across control functions
- Segregation of duties and independence of key officers
- Focus on digital and systemic vulnerabilities

### Horizontal Synchronisation

The Board requires a **holistic view** of the institution’s risk profile. Fragmented functioning of the risk, compliance, and internal audit functions can result in incomplete reporting to the Board and reduce the effectiveness of governance and control measures.

The Directions therefore encourage greater coordination among these functions while maintaining their functional independence. By improving information sharing and coordination, institutions can develop a more integrated view of enterprise-wide risks and address potential control gaps more effectively.

### Segregation of Duties and Independence

The **Chief Risk Officer (CRO)**, Chief Compliance Officer (CCO), and Head of Internal Audit (HIA) continue to head separate control functions. They are required to function independently of business units and revenue-generating responsibilities while having appropriate access to records and information necessary to discharge their responsibilities.

To promote stability, these officers are generally required to have a **minimum tenure of three years**, and specified changes relating to these positions are required to be reported to the RBI.

The governance framework is further strengthened through periodic interactions between the Board and the heads of the risk, compliance, and internal audit functions, without the presence of executive management, wherever prescribed under the Directions.

The CRO is also required to be a **permanent member of the credit sanction committee**, without voting rights. Where the CRO’s risk advice is not accepted, the matter is required to be escalated to the next higher authority within the organisational hierarchy for appropriate consideration.

### Focus on Digital and Systemic Vulnerabilities

The Directions formally incorporate the **Risk-Based Internal Audit (RBIA)** framework into the broader regulatory framework. Regulated entities are required to implement the following measures:

- A Risk Exposure Matrix
- A Risk Audit Prioritisation Matrix
- Quality Assurance and Improvement Programmes

These measures are intended to strengthen the internal audit function by moving beyond traditional retrospective compliance reviews towards a more risk-based assessment of operational resilience and emerging vulnerabilities.

## Conclusion

The unified Directions strengthen the governance framework by clearly defining and expanding the roles and responsibilities of the Board and senior management in **enterprise-wide risk management**.

The Board is responsible for approving the enterprise-wide risk appetite framework, while senior management is accountable for its implementation, ongoing compliance, timely reporting, and corrective action where necessary. Overall, the framework seeks to strengthen the ability of regulated entities to identify, monitor, and mitigate risks while enhancing organisational resilience.

*Last Updated on 16 July, 2026*

Get King Stubb & Kasiva’s legal updates in your Google feed[![Add King Stubb & Kasiva as a preferred source on Google](https://ksandk.com/wp-content/uploads/google_preferred_source_badge_light_en@2x.png)](https://www.google.com/preferences/source?q=https://ksandk.com/)

---

## Office Locations                                                                                                                                                     
                                               
  - [New Delhi](https://ksandk.com/locations/top-corporate-law-firm-in-delhi/) (HQ): +91-11-41318190 | info@ksandk.com                                                    
  - [Mumbai](https://ksandk.com/locations/top-corporate-law-firm-in-mumbai/): 3 offices (Nariman Point, Lower Parel, Andheri) | mumbai@ksandk.com
  - [Bangalore](https://ksandk.com/locations/top-corporate-law-firm-in-bangalore/): bangalore@ksandk.com                                                                  
  - [Chennai](https://ksandk.com/locations/chennai/): chennai@ksandk.com                                                                                                  
  - [Hyderabad](https://ksandk.com/locations/hyderabad/): hyderabad@ksandk.com                                                                                            
  - [Pune](https://ksandk.com/locations/pune/): pune@ksandk.com                                                                                                           
  - [Kochi](https://ksandk.com/locations/kochi/): kochi@ksandk.com
                                                                                                                                                                          
  ## Contact                                   
                                                                                                                                                                          
  - [Contact Page](https://ksandk.com/contact-us/)
  - General: info@ksandk.com | +91-11-41318190
  - WhatsApp: +91-7428567444
  - [Privacy Statement](https://ksandk.com/privacy-statement/)                                                                                                            
  - [Terms of Use](https://ksandk.com/terms-of-use/)