The Silent Underlying Revolution in Governance: RBI’s Integrated Approach to Risk, Compliance & Internal Audit
The Reserve Bank of India (RBI) issued new Directions on 10 June 2026 to strengthen and streamline the governance of risk management, compliance, and internal audit functions in regulated entities. By consolidating and harmonising several existing regulatory requirements into a unified framework, the RBI seeks to promote greater coordination among these control functions while preserving their functional independence.
Scope of Application
The framework reshapes how risk management, compliance, and internal audit functions report to senior management and the Board. It applies to the following regulated entities:
- Scheduled commercial banks
- Small finance banks
- Specified non-banking financial companies
Why a Unified Framework Is Needed
As financial institutions operate in an increasingly complex and interconnected environment, organisational risks have become more dynamic and multifaceted. Mere compliance with legal and regulatory requirements is no longer sufficient to effectively manage enterprise-wide risks.
Greater coordination, timely communication, and integrated risk assessment are essential to identifying emerging risks at an early stage. The new framework seeks to address this governance gap.
Structural Core of the Framework
The consolidated Directions are built around three key themes:
- Horizontal synchronisation across control functions
- Segregation of duties and independence of key officers
- Focus on digital and systemic vulnerabilities
Horizontal Synchronisation
The Board requires a holistic view of the institution’s risk profile. Fragmented functioning of the risk, compliance, and internal audit functions can result in incomplete reporting to the Board and reduce the effectiveness of governance and control measures.
The Directions therefore encourage greater coordination among these functions while maintaining their functional independence. By improving information sharing and coordination, institutions can develop a more integrated view of enterprise-wide risks and address potential control gaps more effectively.
Segregation of Duties and Independence
The Chief Risk Officer (CRO), Chief Compliance Officer (CCO), and Head of Internal Audit (HIA) continue to head separate control functions. They are required to function independently of business units and revenue-generating responsibilities while having appropriate access to records and information necessary to discharge their responsibilities.
To promote stability, these officers are generally required to have a minimum tenure of three years, and specified changes relating to these positions are required to be reported to the RBI.
The governance framework is further strengthened through periodic interactions between the Board and the heads of the risk, compliance, and internal audit functions, without the presence of executive management, wherever prescribed under the Directions.
The CRO is also required to be a permanent member of the credit sanction committee, without voting rights. Where the CRO’s risk advice is not accepted, the matter is required to be escalated to the next higher authority within the organisational hierarchy for appropriate consideration.
Focus on Digital and Systemic Vulnerabilities
The Directions formally incorporate the Risk-Based Internal Audit (RBIA) framework into the broader regulatory framework. Regulated entities are required to implement the following measures:
- A Risk Exposure Matrix
- A Risk Audit Prioritisation Matrix
- Quality Assurance and Improvement Programmes
These measures are intended to strengthen the internal audit function by moving beyond traditional retrospective compliance reviews towards a more risk-based assessment of operational resilience and emerging vulnerabilities.
Conclusion
The unified Directions strengthen the governance framework by clearly defining and expanding the roles and responsibilities of the Board and senior management in enterprise-wide risk management.
The Board is responsible for approving the enterprise-wide risk appetite framework, while senior management is accountable for its implementation, ongoing compliance, timely reporting, and corrective action where necessary. Overall, the framework seeks to strengthen the ability of regulated entities to identify, monitor, and mitigate risks while enhancing organisational resilience.
Last Updated on 16 July, 2026
By entering the email address you agree to our Privacy Policy.
