After Crisis, Risk Officers Gain More Clout at Banks

U.S. Banking Industry Bends to Pressure to Make Operations Safer and Simpler



June 25, 2014 10:38 p.m. ET

At Wells Fargo & Co., some executives pushed last year to relaunch a program letting homeowners get a line of credit secured by the equity in their house—and pay only the interest due on the loan. Such credit lines have been scarce since the financial crisis, but the executives saw them as a way to boost revenue as housing prices climb.

The bank’s chief risk officer, Michael Loughlin, said no. He proposed requiring regular payments that shrink the borrower’s debt over time and didn’t budge when told Wells Fargo might lose business to other lenders. The other bankers agreed to go along with his decision.

“Five years ago, if the risk group recommended against a strategy or product, it might just be one part of a debate,” he says. Now, “when we say no, it’s usually no.”

Mr. Loughlin is an example of the naysayers who are gaining power and multiplying in number across the U.S. banking industry as financial institutions bend to pressure from regulators to make their operations safer and simpler following the financial crisis that began in 2008.

The ultimate goal is to reduce the likelihood of another round of catastrophic losses that could shake the financial system. In a report released Wednesday, the Office of the Comptroller of the Currency warned that “credit risk is now building after a period of improving credit quality and problem loan cleanup.”

Wells Fargo now has 2,300 employees in its core risk-management department, up from 1,700 two years ago, and the department’s annual budget has doubled to $500 million in the same period. The company’s overall workforce has remained flat.

In February, Goldman Sachs Group Inc. put its chief risk officer on the company’s management committee for the first time in Goldman’s 145-year history. The 34-person group oversees the entire firm and is traditionally dominated by executives who made their name as traders or investment bankers.

Regulators say they don’t track the total number of risk-management or risk-control employees at the nation’s roughly 6,700 banks, though officials believe that big and small institutions everywhere are turning jobs long seen as ho-hum into front-line commanders.

Senior risk officers earn as much as 40% more than they did a few years ago, says the OCC, a federal agency that regulates units of Bank of America Corp., Citigroup Inc., J.P. Morgan Chase & Co. and about 1,700 smaller institutions.

The number of people who passed a risk-management exam often required for jobs in the field nearly tripled in the four years that ended last year compared with 2004 to 2007, according to the Global Association of Risk Professionals.

“These are the basic regulations and the norms now,” says Thomas Curry, head of the OCC.

The changes are hugely expensive amid sluggish loan growth and a steep decline in trading revenue. But banks have no choice. The OCC and Federal Reserve are using leverage they got through the Dodd-Frank financial-overhaul law and other postcrisis changes to restrain risk-taking.

Under rules issued in February, the biggest U.S. bank-holding companies are required to have a chief risk officer and a risk committee on the company’s board of directors. The chief risk officer must get direct access to the board committee and chief executive to make sure the risk officer’s opinions aren’t watered down or whitewashed. The companies have until 2016 to comply, but most have already made the changes.

In addition, large banks are being prodded to produce detailed statements specifying how much risk—and what kinds—the banks are willing to take to meet financial goals. Risk officers are being urged to investigate large losses and question bankers who make unusually big profits. Either one could be a sign of risk-taking run amok, regulators say.

“We look for patterns of behavior that reinforce a strong or weak risk-management culture both within and across lines of business,” says Martin Pfinsgraff, who is in charge of large-bank examinations at the OCC.

To keep a closer eye on banks, the Federal Reserve Bank of New York says it has about 45 examiners, about twice the precrisis level, who just assess risk management at each bank-holding company overseen by the regulator. Those companies include Goldman and Morgan Stanley.

Regional bank KeyCorp, based in Cleveland, has rewritten its compensation guidelines so that loan officers can lose a chunk of their bonus if they fall short of new risk-management standards. Before the financial crisis, bonuses were determined largely by profit goals.

“Before, you threw something over the wall, and the risk managers said yes or no,” says William Hartmann, KeyCorp’s chief risk officer. “Now we’re more involved in the development of the strategy or the plan.”

Partly as a result, KeyCorp has sharply reduced its loan commitments for construction and real-estate development. Bankers there also work harder to judge the overall riskiness of a borrower, instead of one project at a time.

It is too soon to tell if any of the changes will make a difference in the long run. Regulators say banks still have a long way to go before complying fully with the toughened standards, known as “heightened expectations.”

Last year, none of the 21 largest banks subject to the requirements were deemed “strong” overall by the OCC in all categories. The number climbed to two earlier this year.

Another big challenge is the slippery nature of risk itself. Before the financial crisis, for example, many lenders believed they had properly weighed the dangers of subprime mortgages—and had set aside a financial cushion of reserves that was big enough to absorb losses on the loans. Those predictions were disastrously wrong.

“Our abilities to measure market risk are akin to where medicine was in the 1700s,” says Damian Handzy, chairman and chief executive of Investor Analytics, a New York firm that operates risk-control systems. “Everyone is honestly trying to get better at this, but we’re still in the laboratory. The old systems do not address systemic risk at all. Traditional banking tools are just not designed for that.”

Jeffrey Wallis, president of SunGard Consulting Services, a unit of SunGard Data Systems Inc. that sells risk-management software and systems to banks, says financial firms are “still developing the right technology, the processes and the right people to do this.”

“At the individual bank level, I think we’re safer,” Mr. Wallis adds. “I don’t know that on the macro level we really have a better handle on things. A lot of the risks that could hurt us are still not fully understood, or we don’t know how to detect them.”

Other bank-industry veterans are more optimistic. Donald Lamson, a partner at law firm Shearman & Sterling LLP who worked for 30 years at the OCC, predicts that the rise of risk managers “will change the world for banks because now they have to speak this language, they have to go through this process.” Under the new rules, “the point is you cannot have a system where an intermediary manager can block a recommendation by the risk manager.”

By some measurements, the banking industry has become less vulnerable. At the end of 2013, five of the largest bank-holding companies by assets had $792.83 billion in combined equity capital, a buffer against possible losses. The total is up 19% from $666.91 million in 2009, according to the OCC.

The same companies’ combined value at risk, an estimate of a securities firm’s exposure to losses in any given trading day, fell 64% to $381 million from $1.05 billion during the same period.

Part of the shift reflects regulatory cudgels like the Volcker rule, part of Dodd-Frank that curbs banks’ ability to bet with their own capital and led to an exodus of swing-for-the-fences traders. The 30 largest institutions also must pass annual “stress tests” by the Federal Reserve to raise dividends and buy back shares. Inside those companies, chief risk officers help lead the grueling, anxious process.

For decades, risk managers spent most of their time worrying about types of trouble seen as relatively easy to measure, such as vulnerability to interest-rate changes, stock-market swings or loan losses. Ambitious young executives often saw the risk-management department as a dead end.

At many banks, the number of employees responsible for steering clear of bad surprises is now climbing by more than 15% a year, recruiters say. “This is a real career path now, something people want to get into, not something they fall into,” says Jeanne Branthover, a financial-industry recruiter at Boyden Global Executive Search in New York.

Near the top of the corporate ladder, chief risk officers can earn roughly as much as a chief financial officer or general counsel. Before the financial crisis, chief risk officers got about one-third less, according to Ms. Branthover.

Federal regulators are tracking the pay figures as a gauge of how serious banks are about improving risk oversight. “Pay is how we can ensure these are people of stature and they’re competent,” says Mr. Curry, the OCC chief.

At Goldman, Chief Risk Officer Craig Broderick’s ascent to the management committee in February signaled the growing importance of the New York securities firm’s risk police since it became a bank-holding company during the crisis.

Officials won’t say how many employees work in risk management or compliance, but managers in that unit are known throughout Goldman as the “Federation,” a nod to the benevolent forces in “Star Trek” responsible for protecting members from intergalactic marauders.

The nickname was around before the crisis but seldom used outside the group. “If anyone ever wondered how important the Federation is to the firm, they don’t have to wonder anymore,” Lloyd Blankfein, Goldman’s chairman and chief executive, wrote in an email to The Wall Street Journal.

Mr. Broderick, a 55-year-old former assistant scoutmaster of his son’s troop, says his duties have grown far beyond quantitative risk management. They also include areas such as assessing and controlling exposure from Goldman’s digital infrastructure, derivatives-clearing operation, litigation and malfeasance by traders and other employees.

“People sometimes talk about building an airplane while it’s flying,” Mr. Broderick says. “To me, it feels like we’re turning a two-engine plane into a four-engine plane in flight.”

Wells Fargo’s Mr. Loughlin, 58, has had his office near John Stumpf, the fourth-largest U.S. bank’s chairman, president and CEO, since before the financial crisis. But Mr. Loughlin has gained even more authority.

After being promoted to chief risk officer in 2010, his duties expanded to include oversight of market-related risks and potential dangers that could hurt the entire company. “I’m afraid I brought the mood of the party down somewhat,” Mr. Loughlin told investors at a meeting in May. “That is my job.”

He also knows how to say yes. In February, Mr. Loughlin agreed to lower the minimum credit score for certain mortgages eligible for backing by the Federal Housing Administration, which helps first-time and low-income families buy homes. Wells Fargo said it would make loans to borrowers with credit scores as low as 600, down from its previous limit of 640. Borrowers with scores below 620 have traditionally been considered subprime.

Mr. Loughlin says the move doesn’t expose Wells Fargo to greater risk because the bank requires ample documentation of an applicant’s income and carefully scrutinizes the ability to make loan payments.

Write to James Sterngold at



Creating A Compliance Culture Should Include: The CEO and The Board of Directors?

At JPMorgan, Trying to Do the Right Thing Isn’t Enough

Stephen Cutler, center, formerly the chief of enforcement for the S.E.C., is now on the receiving end of lectures from his successor.


Published: September 20, 2013
As the Securities and Exchange Commission’s chief of enforcement from 2001 to 2005, the era of landmark fraud settlements with Enron, WorldCom and Tyco, Stephen Cutler earned a reputation as a tough and, at times, feared regulator. He was particularly dismayed by chief executives, chief financial officers, general counsels and compliance officials who, even if not directly implicated in wrongdoing, created a culture in which it was ignored, tolerated, or even worse, tacitly encouraged.

In a speech in 2004 to the General Counsel Roundtable, he said: “You’ve got to talk the talk; and you’ve got to walk the walk. Both are critical to maintaining a good tone at the top.” And he called for more accountability: “Hold all of your managers accountable for setting the right tone. That means disciplining or even firing them when they have failed to create a culture of compliance. Human nature being what it is, there will be those who break the rules. But if managers don’t do enough to prevent those violations, or let them go unaddressed for too long, then they should be held responsible — even in the absence of direct involvement in those violations.”

How times have changed.

As general counsel of JPMorgan Chase & Company, Mr. Cutler is now on the receiving end of the lectures, which this week came from George S. Canellos, a successor to Mr. Cutler and currently the co-chief of enforcement at the S.E.C. On Thursday, the S.E.C. and other regulators announced that JPMorgan had agreed to admit wrongdoing and pay nearly $1 billion in fines for its conduct in the “London Whale” matter, in which the bank’s chief investment office lost more than $6 billion and bank officials misled regulators about the losses. The S.E.C. faulted JPMorgan’s “egregious breakdowns in controls” and said that “senior management broke a cardinal rule of corporate management” by failing to alert the board to the full extent of the problem.

The S.E.C. didn’t name any of those senior managers, but made reference to the “chief executive,” who is Jamie Dimon. Mr. Cutler oversaw both the legal and compliance departments during those events. (Mr. Cutler no longer oversees compliance.)

And the London Whale affair isn’t JPMorgan’s only regulatory problem. The bank faces multiple other regulatory actions and investigations, ranging from manipulating energy markets, to mortgage-backed securities fraud, to failing to disclose suspicions about the Ponzi scheme operator Bernard Madoff, to conspiring to fix rates in the setting of the global benchmark interest rate informally known as Libor. As the allegations have mushroomed, JPMorgan has gone with almost dizzying speed from one of the world’s most admired banks to one tainted by scandal.

And all of this happened on Mr. Cutler’s watch. “You have to say, he didn’t run a tight enough ship,” said John C. Coffee Jr., a professor of law and expert in corporate governance at Columbia University. “It’s not just the London whale episode. I wouldn’t call that the crime of the century. But taken with everything else, the energy manipulation, the mortgage fraud cases, the Libor rigging, it suggests that there was not enough investment in compliance and the general counsel was not proactive enough. He’s done a very good job at defending the firm but not enough at preventing it in the first place.”

A lawyer whose company was an S.E.C. target during Mr. Cutler’s tenure said this week, “I have to admit to a certain amount of schadenfreude,” adding: “At the time, he did a lot of grandstanding about lawyers being gatekeepers and the moral compass for the organization and how we should have prevented all this. He sounded great on the soapbox. Now I’ve been following JPMorgan and it’s pretty ironic.”

This lawyer was among the many I contacted who didn’t want to be named. Indeed, I quickly realized that I was wasting my time trying to get people to offer unconflicted comments about Mr. Cutler or anyone else at the bank, since a) their firm represents JPMorgan; b) they represent someone for whom JPMorgan is paying the legal bills; or c) they’re trying to get into category a or b. James Cramer joked on CNBC’s “Mad Money” this week that JPMorgan should just buy the Manhattan law firm Paul, Weiss, Rifkind, Wharton & Garrison, famed for its high-stakes litigation practice.


Brad S. Karp, chairman of Paul, Weiss, worked with Mr. Cutler when he headed S.E.C. enforcement and has represented JPMorgan in various matters over the years. “JPMorgan is fortunate to have Steve lead its legal function during this period of unprecedented regulatory activity,” he said. “Steve is an extraordinary talent, with absolute integrity, an unwavering ethical compass and seasoned judgment. There is no better general counsel on Wall Street.”

Speaking on background, nearly all the lawyers I interviewed praised Mr. Cutler’s judgment, experience and legal skills. He remains a trusted adviser to Mr. Dimon. And the lawyers stressed that no one person, not even the general counsel or head of compliance, can prevent all wrongdoing in a company the size of JPMorgan. As the country’s largest bank, it is only to be expected that it’s going to have its share of regulatory and compliance issues, the lawyers said.

Still, Mr. Cutler acknowledged that the array of regulatory issues at JPMorgan had been “humbling.” When I visited him this week at his office at the bank’s Park Avenue headquarters, there was a surprising atmosphere of hushed calm given that the bank had announced the settlement and acknowledged wrongdoing that morning. He told me he hadn’t changed the view he articulated as enforcement chief. “You have to get the culture right,” he said. “It’s critical. That was true when I was at the S.E.C., and now I’ve seen it from the inside. I totally believe this. But I’ve discovered that it’s necessary but not sufficient.”

Institutions like JPMorgan, he said, and their senior managers can never lose sight of execution. “Just because you haven’t had any problems doesn’t mean you can stop testing and auditing. You have to trust but verify.” To that end, JPMorgan said this week that it would spend an additional $4 billion and commit as many as 5,000 employees to compliance and risk-management functions, including a new office of oversight and control. “We made mistakes,” Mr. Cutler acknowledged. “But we’ve spent a lot of time on self-reflection. What lessons can we learn? How can we do better? We’re trying to implement that.”

Donald Langevoort, a professor at Georgetown University School of Law who has written about compliance issues, said, “JPMorgan is throwing manpower at the problem, but whether a body count can be effective remains to be seen.” He said he knows Mr. Cutler, “and I have confidence in him, and I’m sure he did whatever he could.”

The problem, from his vantage point, is that Wall Street attracts risk-takers, which is how banks like JPMorgan make money. “JPMorgan is by no means unique,” he said. “None of these big banks really want compliance people causing traders and investment bankers to second-guess themselves too much because that gets in the way of making money. No one will say this, but it’s more effective to run the risk of noncompliance and pay a few fines, which is just a cost of doing business.”

Mr. Cutler disputed that: “I can’t tell you the number of times I’ve heard Jamie Dimon tell someone to do the right thing, and I don’t care what it costs.”

Mr. Cutler said that two of his “proudest days” as general counsel were May 10 of last year, when JPMorgan publicly disclosed the London Whale problem and acknowledged that it was the result of a badly conceived, executed and vetted trading strategy, and two months later, on July 13, when the bank told investors what had gone wrong and restated its first quarter results. “People and companies will inevitably make mistakes,” he said. “So the question is, how do you deal with it? We may not have been perfect, but we tried to get it right.”

JP Morgan fined $920m and admits wrongdoing over ‘London Whale’

US’s biggest bank to pay penalties to US and UK regulators for ‘unsound practices’ relating to $6.2bn losses last year

JP Morgan has agreed to pay about $920m in penalties to US and UK regulators over the “unsafe and unsound practices” that led to its $6.2bn London Whale losses last year.

The US’s biggest bank will pay $300m to the US office of the comptroller of the currency, $200m to the Federal Reserve, $200m to the securities and exchange commission (SEC) and £137.6m ($219.74m) to the UK’s financial conduct authority.

JP Morgan admitted wrongdoing as part of the settlement, an unusual step for a finance firm in the crosshairs of multiple legal actions.

“JP Morgan failed to keep watch over its traders as they overvalued a very complex portfolio to hide massive losses,” co-director of the SEC’s division of enforcement, George Canellos, said.

“While grappling with how to fix its internal control breakdowns, JP Morgan’s senior management broke a cardinal rule of corporate governance and deprived its board of critical information it needed to fully assess the company’s problems and determine whether accurate and reliable information was being disclosed to investors and regulators.”

In a statement the OCC blamed “unsafe and unsound practices related to derivatives trading activities conducted on behalf of the bank by the chief investment office (CIO)”, for the fine.

The OCC said its inquiries had found inadequate oversight and governance to protect the bank from material risk, inadequate risk management, inadequate control over pricing of trades, inadequate development and implementation of models used by the bank, and inadequate internal audit processes.

The US authorities are still pursuing JP Morgan. The Justice Department is pursuing criminal charges against some of the bankers responsible for the massive loss. In an indictment unsealed in federal court this week Javier Martin-Artajo, who oversaw trading strategy at the bank’s London office, and Julien Grout, a trader who worked for him, were charged with securities fraud, conspiracy, filing false books and records, wire fraud and making false filings to the SEC.

Grout’s lawyer said this week that his client was being “unjustly played as a pawn in the government’s attempt to settle its highly politicized case against JP Morgan Chase”.

The bank also faces another fine from the commodity futures trading commission which is still investigating whether the bank is guilty of market manipulation.

Jamie Dimon, the bank’s chairman and chief executive, initially dismissed the mounting losses at the bank’s London offices as a “tempest in a teapot”. In a statement Dimon said: “We have accepted responsibility and acknowledged our mistakes from the start, and we have learned from them and worked to fix them. Since these losses occurred, we have made numerous changes that have made us a stronger, smarter, better company.”

This week in a letter to staff he warned: “Unfortunately, we are all well aware of the news around the legal and regulatory issues facing our company, and in the coming weeks and months we need to be braced for more to come.”

The admission of wrongdoing is a major victory for the SEC. US judges in recent years have questioned fines where banks were allowed to neither admit nor deny wrongdoing. Judge Jed Rakoff blocked a 2011 SEC settlement with Citigroup because he said the lack of an admission of wrongdoing made it impossible for him to determine whether the fine was “fair, reasonable, adequate and in the public interest”.


Dimon: JPM ‘Simplifying’ Its Business, Improving Compliance

SEP 17, 2013 10:42am ET

WASHINGTON — JPMorgan Chase (JPM) is focusing on simplifying its businesses and improving compliance with regulatory requirements, Jamie Dimon said in an e-mail to employees on Tuesday.

The bank’s chairman and chief executive said that its recent exit from the student lending business and elimination of its physical commodities sales and trading businesses was an attempt to “refocus our priorities.”

“We have been asking our senior people to eliminate products and services that are not essential to serving our customers and are not core to our business,” Dimon wrote.

In the lengthy e-mail, Dimon said the bank is also working to confront the regulatory challenges facing it, including reviewing its foreign correspondent banking business, improving oversight of outside vendors, and adding regulatory compliance staff.

The e-mail comes as JPMorgan Chase nears a $750 million to $800 million settlement with regulators related to last year’s “London Whale” trading scandal. An announcement could come as early as this week.

It also is yet another sign of a newly resurgent Dimon who, after the criticism he took over the Whale incident, successfully fought off an attempt by shareholders to strip him of his chairman title earlier this summer. Since then, he has become more outspoken about the issues facing the industry and his institution.

The regulatory settlement is expected to include an admission of wrongdoing by the bank. Although Dimon did not reference it directly, he said in his e-mail that if “you don’t acknowledge mistakes, you can’t fix them and learn from them.”

“So now, as in the past, we are recognizing our problems, rolling up our sleeves and fixing them,” Dimon wrote.

That includes a renewed focus on the bank’s foreign correspondent banking business, an area that has gotten several large banks, including HSBC and Standard Chartered, into trouble recently with U.S. regulators.

JPMorgan Chase was slapped with a consent order from the Office of the Comptroller of the Currency in January over “critical deficiencies” with respect to its anti-money laundering practices. Many observers expect regulators to impose a monetary penalty on the bank soon over those failures.

Dimon said JPMorgan Chase is strengthening its internal controls “particularly around ‘Know Your Customer’ and transaction monitoring.”

He also said the bank is stepping up supervision of outside vendors, yet another area that has tripped up the bank.

“If a vendor or partner engages with our customers, we need to be as vigilant about their practices as we are about our own, particularly if they interact directly with customers,” Dimon wrote. “We are also proactively trying to decrease the number of vendors we have, which reduces complexity in our business and creates more jobs internally.”

Earlier this summer, JPMorgan Chase halted most sales to third-party collectors of credit card debts amid regulatory concerns over how it pursues payments from customers who are delinquent.

Dimon said that the bank has significantly boosted compliance resources, adding roughly 3,000 employees this year that are dedicated to risk, compliance and control efforts. The bank has also provided 750,000 hours of regulatory and control-related training related to topics like anti-money laundering and Dodd-Frank implementation, he said.

Dimon added that he has also tried to build a “more open and transparent relationship with our regulators.” He held town halls for examiners with the Office of the Comptroller of the Currency, Federal Reserve Board, and Federal Deposit Insurance Corp. in May and June. He also held a corporate town hall with bank employees who “regularly interact with regulators.”

“We discussed our culture of transparency, stressing the necessity of fully and accurately reporting material issues to our regulators in a timely manner and responding promptly to their requests,” Dimon said.

Dimon concluded by pledging to create a “best-in-class operating system” for the bank.

“Never before have we focused so much time, effort, brainpower, technological power and money on a single, enterprise-wide objective,” Dimon wrote. “Make no mistake — we are going to get this right.”


Deloitte survey: Financial institutions increasing focus on risk management

Thursday 22, August 2013 by Robin Amlôt

Heightened regulatory scrutiny and greater concerns over risk governance have led financial institutions to elevate their focus and attention on risk management, a new global survey from Deloitte finds. In response, banks and other financial services firms are increasing their risk management budgets and enhancing their governance programs.


According to Deloitte’s eighth biennial survey on risk management practices, titled “Setting a Higher Bar,” about two-thirds of financial institutions (65 per cent) reported an increase in spending on risk management and compliance, up from 55 per cent in 2010.


A closer look at the numbers finds, though, that there is a divergence when it comes to the spending patterns of different-sized firms. The largest and the most systemically important firms have had several years of regulatory scrutiny and have continued their focus on distinct areas like risk governance, risk reporting, capital adequacy and liquidity. In contrast, firms with assets of less than $10 billion are now concentrating on building capabilities to address a number of new regulatory requirements, which were applied first to the largest institutions and are now cascading further down the ladder.


“The financial crisis has led to far-reaching major changes of doing business in financial institutions’ risk management practices, with stricter and rules-based regulatory requirements demanding more attention from management and increasing their overall risk management and compliance efforts,” said Joe El Fadl, Financial Services Industry Leader at Deloitte Middle East. “That said, risk management shouldn’t be viewed as either a regulatory burden or a report destined to gather dust on a shelf. Instead, it should be embedded in an institution’s framework, philosophy and culture for managing risk exposures across the organisation.

“Knowing that a number of regulatory requirements remain in the queue, financial institutions have to be able to plan for future hurdles while enhancing their risk governance, enhancing management capabilities with better risk awareness using data analytics, and improving in data quality,” added El Fadl. “Those that do will be well placed to steer a steady course through the ever-shifting risk management landscape.”

The majority of the institutions participating in the survey (58 per cent) plan to increase their risk management budgets over the next three years, with 17 per cent anticipating annual increases of 25 per cent or more. This is not a trivial matter as 39 per cent of large institutions – particularly those based in North America – reported having more than 250 full-time employees in their risk management function.


Risk management moves up the boardroom agenda

Alongside increased spending, risk management has also significantly risen up the agenda in the boardroom. According to the survey’s results, 94 per cent of company boards now devote more time to risk management oversight than five years ago, and 80 per cent of chief risk officers report directly to either the board or the chief executive officer (CEO). Additionally, 98 per cent of company boards or board-level risk committees regularly review risk management reports, an increase from 85 per cent in 2010.


“Regulators have been focusing more and more on the role of the board of directors in risk governance, engaging them to approve the institution’s risk appetite and risk policies, overseeing their implementation by management and increasingly looking to understand the challenge that the board makes in its oversight of the financial institution’s risk management of key issues,” said Fadi Sidani, partner in charge, Enterprise Risk Services at Deloitte Middle East.

Other major findings in the survey include:

Almost three out of four risk managers rated their institution as either extremely or very effective in risk management overall, an increase from 66 percent in 2010’s survey results.

Increased regulation is having a significant effect on business strategy and the bottom line, with 48 percent of firms confirming that they have had to adjust product lines and/or business activities, a percentage that doubled from 24 percent in 2010.

The use of institution-wide enterprise risk management (ERM) programs is continuing to grow. Today, 62 percent of financial institutions have an ERM strategy in place, up from 52 percent in 2010, while a further 21 percent are currently building a program. The total of 82 percent of firms either with or building an ERM program is significantly up from 59 percent in 2008.

Institutions are increasingly confident about their effectiveness in managing liquidity risk (85 percent rate themselves as extremely or very effective vs. 77 percent in 2010); credit risk (83 percent vs. 71 percent in 2010); and country/sovereign risk (78 percent vs. 54 percent in 2010).

Stress testing has become a central plank in many institutions’ risk management efforts. Eighty percent of the institutions surveyed stated that stress testing enables a forward-looking assessment of risk, and 70 percent said that it informs the setting of their risk tolerances.

Technology used to monitor and manage risk is a particular concern and, according to the report, significant improvements in risk technology are needed. Less than 25 percent of institutions rate their technology systems as extremely or very effective, while 40 percent of institutions are concerned about their capabilities in the management of risk data.

Progress in linking risk management with compensation has been only incremental since 2010’s survey results. Currently, 55 percent of institutions incorporate risk management into performance goals and compensation for senior management, which is little changed from 2010. The use of “clawback” provisions in executive compensation, however, has increased (41 percent vs. 26 percent of institutions in 2010).


“Financial institutions are becoming increasingly confident in their risk management abilities, but they also recognize where there are gaps,” said Sidani. “Where concerns linger particularly is around operational risk, with a number of recent headlines – like management breakdowns and large-scale cyber-attacks – underscoring the important impacts this area can have on an institution’s reputation. This is a gap that may trigger significant operational risk combined with reputational risk that needs to be properly addressed.”

According to the report, operational risk, a key component of Basel II, has been a continuing challenge for institutions. The difficulty of measuring operational risk and the complexity of many operational processes are the main causes. Only 45 percent of firms rated themselves as extremely or very effective in this area, down slightly from 2010.


Deloitte’s survey assesses the risk management programs, planned improvements, and continuing challenges among global financial institutions. The eighth edition surveyed chief risk officers – or their equivalent – at 86 financial institutions, and represents a range of financial services sectors, including banks, insurers, and asset managers, with aggregate assets of more than $18 trillion. The survey was conducted from September to December 2012.


The report may be viewed at


Eight Ways to Move Toward a Culture of Compliance

Originally Published June 7, 2013, 12:01 AM ET


More than just a set of policies and procedures, effective compliance risk management at the enterprise level can be viewed as a cultural ethic that should function like any other business asset that reaches across an organization. An effective way to get there is through a risk intelligent framework that brings compliance into the open, running throughout all business processes, with responsibility shared among all employees.

“A risk intelligent framework can be a radical shift from the way most companies see compliance today,” says Donna Epps, a partner and U.S. co-leader of Governance and Risk Management at Deloitte Financial Advisory Services LLP. “To move a company in that direction, the chief compliance officer will need to gain the backing and support of stakeholders from across the organization, including executive peers, business-unit and functional leaders, and the board of directors.”

Following are eight initiatives a Chief Compliance Officer (CCO), working with the CFO, can lead to help bring about a more holistic program of compliance risk management through a risk intelligent approach and elevate awareness at the enterprise level.

1. Get the Top Brass on Board

The road to holistic risk compliance can be much smoother if the CEO, CRO and the board of directors understand what the CCO is trying to do and why they should want to help. Risk intelligent compliance requires clear channels of communication between the compliance risk management program and the enterprise risk management (ERM) program, and the CRO’s engagement is critical. Luckily, the CRO’s shared interest in improving risk management effectiveness can make risk intelligent compliance a relatively easy sell.

The CEO’s role in supporting risk compliance is to empower the CCO with the authority needed to drive meaningful change, as well as to provide the necessary investment, political support, and, if needed, enforcement. Gaining the CEO’s support can require the CCO to make clear the risk management benefits of robust compliance processes, as well as collateral benefits of cost reduction and revenue enhancement. Any up-front investments must also be addressed early, such as the purchase of more effective technology to replace spreadsheet-based tracking and reporting.

The board of directors can play a role in holding management accountable for results of the enhanced programs. “The CCO’s task is to set expectations, develop metrics and establish milestones that are both substantive and realistic, as well as establish a multiyear master plan,” says Scott Baret, partner, Governance, Regulatory and Risk Strategies, Deloitte & Touche LLP, who also serves as global leader, Financial Services Enterprise Risk Services. “Many boards prefer to spend time on risk management rather than on compliance, so CCOs may want to consider framing board discussions in the context of ERM.”

2. Take the Company’s Bearings

Like any transformation, the pursuit of risk intelligent compliance begins with understanding the current state. Important questions include:

What are the company’s current compliance obligations and risks?

Who owns each risk?

What controls are in place against them?

How does the organization respond to control failures?

How are remediation priorities set?

What supporting technologies are used?

3. Develop the ERM-aligned Compliance Risk Management Program

Coordinating compliance risk management with ERM provides CCOs the operational basis for establishing, strengthening and validating the link between compliance and enterprise value. How a CCO accomplishes this at any particular company will depend greatly on internal organizational dynamics. “For insights on how to maintain effective cross-communication with ERM, the CCO may want to look at the way the internal audit function interacts with ERM to evaluate company risks,” says Mr. Baret.

4. Align the Compliance Function

The process of aligning compliance activities and investments with business priorities starts with the compliance function itself. The CCO should allocate the compliance function’s activities across the company’s compliance risks according to the relative importance of each compliance risk to enterprise value. In some cases, this may mean deploying people and infrastructure to countries, programs and/or activities where greater investment seems counterintuitive. In others, it may mean scaling back on one or more “sacred cows.” In either case, the CCO should be able to back up his or her decisions with reasons that tie solidly back to ERM priorities.

The corollary is that CCOs themselves should prioritize requests for investments in the compliance function based on their expected risk management benefit. Barring obvious infrastructural or resource gaps, the choice of what to ask for first may sometimes come down to a frank judgment call.

5. Lobby Hard for Effective Technology

The “right” technology and data architecture, both within and outside the compliance function, can go a long way toward improving compliance efficiency and effectiveness. Automating controls, for instance, can help lower costs and increase reliability, especially if the controls are first rationalized to reduce duplication. Companies can also avail themselves of a growing array of tools to support the compliance risk management process, some stand-alone, some sold as part of larger “enterprise governance, risk and compliance” solutions.

Some of the newer compliance tools feature: automated monitoring of regulatory releases; workflow capabilities to facilitate compliance process execution and tracking; and integrated “front end” interfaces that allow users to execute, document and track compliance activities in multiple areas from a single point of access.

6. Piggyback on Each Other’s Work

Looking for ways to reduce duplication of effort with other internal groups can help a CCO stretch the compliance function’s limited budget and resources. In particular, the CCO should enlist internal audit in supporting compliance oversight by testing and auditing compliance-related internal controls and business processes. Compliance personnel can advise internal audit on what tests would be most useful to the compliance function, as well as on what tests might be better left to the compliance function’s specialists to perform.

7. Foster a Culture of Compliance

Changing corporate culture can take years. CCOs should expect to work with the office of the CEO—as well as human resources, legal and communications—to supervise the change initiative and supply compliance-specific guidance as needed. Important areas to address include:

Performance management and compensation

Leadership development


8. Participate in Strategic Planning

The risk intelligent CCO should help leaders set a strategy that takes compliance into appropriate account by bringing relevant compliance perspectives to the strategic planning process. For instance, the CCO should explain what compliance obligations are associated with each of the strategic options being considered, help evaluate the likely compliance risk associated with each option and describe the nature and extent of the investments that may be needed to maintain compliance risk exposures within acceptable tolerances under a variety of conditions. “Once the strategy is set, the CCO should help the company understand and prepare to address compliance obligations that are expected to arise in execution,” adds Ms. Epps.


Copyright © 2013 Deloitte Development LLC.