Deloitte survey: Financial institutions increasing focus on risk management

Thursday, 22 August 2013 by Robin Amlôt

Heightened regulatory scrutiny and greater concerns over risk governance have led financial institutions to elevate their focus and attention on risk management, a new global survey from Deloitte finds. In response, banks and other financial services firms are increasing their risk management budgets and enhancing their governance programs.

According to Deloitte’s eighth biennial survey on risk management practices, titled “Setting a Higher Bar,” about two-thirds of financial institutions (65 per cent) reported an increase in spending on risk management and compliance, up from 55 per cent in 2010.

A closer look at the numbers finds, though, that there is a divergence when it comes to the spending patterns of different-sized firms. The largest and the most systemically important firms have had several years of regulatory scrutiny and have continued their focus on distinct areas like risk governance, risk reporting, capital adequacy and liquidity. In contrast, firms with assets of less than $10 billion are now concentrating on building capabilities to address a number of new regulatory requirements, which were applied first to the largest institutions and are now cascading further down the ladder.

“The financial crisis has led to far-reaching major changes of doing business in financial institutions’ risk management practices, with stricter and rule-based regulatory requirements demanding more attention from management and increasing their overall risk management and compliance efforts,” said Joe El Fadl, Financial Services Industry Leader at Deloitte Middle East. “That said, risk management shouldn’t be viewed as either a regulatory burden or a report destined to gather dust on a shelf. Instead, it should be embedded in an institution’s framework, philosophy and culture for managing risk exposures across the organisation.

“Knowing that a number of regulatory requirements remain in the queue, financial institutions have to be able to plan for future hurdles while enhancing their risk governance, enhancing management capabilities with better risk awareness using data analytics, and improving in data quality,” added El Fadl. “Those that do will be well placed to steer a steady course through the ever-shifting risk management landscape.”

The majority of the institutions participating in the survey (58 per cent) plan to increase their risk management budgets over the next three years, with 17 per cent anticipating annual increases of 25 per cent or more. This is not a trivial matter as 39 per cent of large institutions – particularly those based in North America – reported having more than 250 full-time employees in their risk management function.

Risk management moves up the boardroom agenda

Alongside increased spending, risk management has also significantly risen up the agenda in the boardroom. According to the survey’s results, 94 per cent of company boards now devote more time to risk management oversight than five years ago, and 80 per cent of chief risk officers report directly to either the board or the chief executive officer (CEO). Additionally, 98 per cent of company boards or board-level risk committees regularly review risk management reports, an increase from 85 per cent in 2010.

“Regulators have been focusing more and more on the role of the board of directors in risk governance, engaging them to approve the institution’s risk appetite and risk policies, overseeing their implementation by management and increasingly looking to understand the challenge that the board makes in its oversight of the financial institution’s risk management of key issues,” said Fadi Sidani, partner in charge, Enterprise Risk Services at Deloitte Middle East.

Other major findings in the survey include:

Almost three out of four risk managers rated their institution to be either extremely or very effective in risk management overall, an increase from 66 percent in 2010’s survey results.

Increased regulation is having a significant effect on business strategy and the bottom line, with 48 percent of firms confirming that they have had to adjust product lines and/or business activities, a percentage that doubled from 24 percent in 2010.

The use of institution-wide enterprise risk management (ERM) programs is continuing to grow. Today, 62 percent of financial institutions have an ERM strategy in place, up from 52 percent in 2010, while a further 21 percent are currently building a program. The total of 82 percent of firms either with or building an ERM program is significantly up from 59 percent in 2008.

Institutions are increasingly confident about their effectiveness in managing liquidity risk (85 percent rate themselves as extremely or very effective vs. 77 percent in 2010); credit risk (83 percent against 71 percent in 2010); and country/sovereign risk (78 percent vs. 54 percent in 2010).

Stress testing has become a central plank in many institutions’ risk management efforts. Eighty percent of the institutions surveyed stated that stress-testing enables a forward-looking assessment of risk, and 70 percent said that it informs the setting of their risk tolerances.

Technology used to monitor and manage risk is a particular concern and, according to the report, significant improvements in risk technology are needed. Less than 25 percent of institutions rate their technology systems as extremely or very effective while 40 percent of institutions are concerned about their capabilities in the management of risk data.

Linking risk management with compensation has progressed only incrementally since 2010’s survey results. Currently, 55 percent of institutions incorporate risk management into performance goals and compensation for senior management, which is little changed from 2010. The use of “clawback” provisions in executive compensation, however, has increased (41 percent vs. 26 percent of institutions in 2010).

“Financial institutions are becoming increasingly confident in their risk management abilities, but they also recognize where there are gaps,” said Sidani. “Where concerns linger particularly is around operational risk, with a number of recent headlines – like management breakdowns and large-scale cyber-attacks – underscoring the important impacts this area can have on an institution’s reputation. This is a gap that may trigger significant operational risk combined with reputational risk that needs to be properly addressed.”

According to the report, operational risk, which is a key component of Basel II, has been a continuing challenge for institutions. The lack of ability to measure operational risk and the complexity of many operational processes are key causes of this. Only 45 per cent of firms rated themselves as extremely or very effective in this area, down slightly from 2010.

Deloitte’s survey assesses the risk management programs, planned improvements, and continuing challenges among global financial institutions. The eighth edition surveyed chief risk officers – or their equivalent – at 86 financial institutions, and represents a range of financial services sectors, including banks, insurers, and asset managers, with aggregate assets of more than $18 trillion. The survey was conducted from September to December 2012.

The report may be viewed at http://www.deloitte.com/us/globalrisksurvey

Eight Ways to Move Toward a Culture of Compliance

Originally Published June 7, 2013, 12:01 AM ET

More than just a set of policies and procedures, effective compliance risk management at the enterprise level can be viewed as a cultural ethic that should function like any other business asset that reaches across an organization. An effective way to get there is through a risk intelligent framework that brings compliance into the open, running throughout all business processes, with responsibility shared among all employees.

“A risk intelligent framework can be a radical shift from the way most companies see compliance today,” says Donna Epps, a partner and U.S. co-leader of Governance and Risk Management at Deloitte Financial Advisory Services LLP. “To move a company in that direction, the chief compliance officer will need to gain the backing and support of stakeholders from across the organization, including executive peers, business-unit and functional leaders, and the board of directors.”

Following are eight initiatives a Chief Compliance Officer (CCO), working with the CFO, can lead to help bring about a more holistic program of compliance risk management through a risk intelligent approach and elevate awareness at the enterprise level.

1. Get the Top Brass on Board

The road to holistic risk compliance can be much smoother if the CEO, CRO and the board of directors understand what the CCO is trying to do and why they should want to help. Risk intelligent compliance requires clear channels of communication between the compliance risk management program and the enterprise risk management (ERM) program, and the CRO’s engagement is critical. Luckily, the CRO’s shared interest in improving risk management effectiveness can make risk intelligent compliance a relatively easy sell.

The CEO’s role in supporting risk compliance is to empower the CCO with the authority needed to drive meaningful change, as well as to provide the necessary investment, political support, and, if needed, enforcement. Gaining the CEO’s support can require the CCO to make clear the risk management benefits of robust compliance processes, as well as collateral benefits of cost reduction and revenue enhancement. Any up-front investments must also be addressed early, such as the purchase of more effective technology to replace spreadsheet-based tracking and reporting.

The board of directors can play a role in holding management accountable for results of the enhanced programs. “The CCO’s task is to set expectations, develop metrics and establish milestones that are both substantive and realistic, as well as establish a multiyear master plan,” says Scott Baret, partner, Governance, Regulatory and Risk Strategies, Deloitte & Touche LLP, who also serves as global leader, Financial Services Enterprise Risk Services. “Many boards prefer to spend time on risk management rather than on compliance, so CCOs may want to consider framing board discussions in the context of ERM.”

2. Take the Company’s Bearings

Like any transformation, the pursuit of risk intelligent compliance begins with understanding the current state. Important questions include:

What are the company’s current compliance obligations and risks?

Who owns each risk?

What controls are in place against them?

How does the organization respond to control failures?

How are remediation priorities set?

What supporting technologies are used?

3. Develop the ERM-aligned Compliance Risk Management Program

Coordinating compliance risk management with ERM provides CCOs the operational basis for establishing, strengthening and validating the link between compliance and enterprise value. How a CCO accomplishes this at any particular company will depend greatly on internal organizational dynamics. “For insights on how to maintain effective cross-communication with ERM, the CCO may want to look at the way the internal audit function interacts with ERM to evaluate company risks,” says Mr. Baret.

4. Align the Compliance Function

The process of aligning compliance activities and investments with business priorities starts with the compliance function itself. The CCO should allocate the compliance function’s activities across the company’s compliance risks according to the relative importance of each compliance risk to enterprise value. In some cases, this may mean deploying people and infrastructure to countries, programs and/or activities where greater investment seems counterintuitive. In others, it may mean scaling back on one or more “sacred cows.” In either case, the CCO should be able to back up his or her decisions with reasons that tie solidly back to ERM priorities.

The corollary is that CCOs themselves should prioritize requests for investments in the compliance function based on their expected risk management benefit. Barring obvious infrastructural or resource gaps, the choice of what to ask for first may sometimes come down to a frank judgment call.

5. Lobby Hard for Effective Technology

The “right” technology and data architecture, both within and outside the compliance function, can go a long way toward improving compliance efficiency and effectiveness. Automating controls, for instance, can help lower costs and increase reliability, especially if the controls are first rationalized to reduce duplication. Companies can also avail themselves of a growing array of tools to support the compliance risk management process, some stand-alone, some sold as part of larger “enterprise governance, risk and compliance” solutions.

Some of the newer compliance tools feature: automated monitoring of regulatory releases; workflow capabilities to facilitate compliance process execution and tracking; and integrated “front end” interfaces that allow users to execute, document and track compliance activities in multiple areas from a single point of access.

6. Piggyback on Each Other’s Work

Looking for ways to reduce duplication of effort with other internal groups can help a CCO stretch the compliance function’s limited budget and resources. In particular, the CCO should enlist internal audit in supporting compliance oversight by testing and auditing compliance-related internal controls and business processes. Compliance personnel can advise internal audit on what tests would be most useful to the compliance function, as well as on what tests might be better left to the compliance function’s specialists to perform.

7. Foster a Culture of Compliance

Changing corporate culture can take years. CCOs should expect to work with the office of the CEO—as well as human resources, legal and communications—to supervise the change initiative and supply compliance-specific guidance as needed. Important areas to address include:

Performance management and compensation

Training

Leadership development

Communications

8. Participate in Strategic Planning

The risk intelligent CCO should help leaders set a strategy that takes compliance into appropriate account by bringing relevant compliance perspectives to the strategic planning process. For instance, the CCO should explain what compliance obligations are associated with each of the strategic options being considered, help evaluate the likely compliance risk associated with each option and describe the nature and extent of the investments that may be needed to maintain compliance risk exposures within acceptable tolerances under a variety of conditions. “Once the strategy is set, the CCO should help the company understand and prepare to address compliance obligations that are expected to arise in execution,” adds Ms. Epps.

This publication contains general information only and Deloitte LLP and its subsidiaries (“Deloitte”) are not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. Copyright © 2013 Deloitte Development LLC.

The 3 Ms of Risk Management

Recent market events have pointed to increasing volatility. As has happened all too many times in the past, risk management disasters continue to plague the industry and show up on the front page of the newspapers. Given the potential for these disasters to occur, let's discuss some required risk management capabilities.

Consider the following scenarios:

A major market move occurs. The Chief Risk Officer (“CRO”) of a broker/dealer wants to know right now what effect this has on the firm. Are they better or worse off? What actions should be taken? To determine the best course of action the CRO needs to know real-time what the positions are and the potential P&L effect. The CRO must also be able to perform a risk analysis immediately. As we have seen, inability to do this will consume resources, raise the firm’s risk profile and possibly cause losses as a result of the market move.

A major firm announces a significant profit restatement. The CRO of a major retail brokerage wants to know which accounts will be affected the most. The CRO needs to know real-time which accounts have concentrations in that industry and SIC code. Since it isn’t clear yet what the full effect of the restatement will be on security prices, can the CRO perform a what-if analysis on specific accounts to determine the potential effects on the firm and the accounts so that proper actions can be taken? Inability to do this real-time will consume resources and increase the risk profile of the firm and the accounts.

In both cases, could the CRO have set up early warnings so that the risk systems would have generated alerts as to problem positions or accounts when specific actions occur so that the CRO can spend less time finding risks and more time managing risks?

The industry has spent many dollars effecting comprehensive risk management capabilities. Ultimately risk management is, however, a process that requires tools and the right mindset, not just a system that measures risk. The purpose of risk management is the following: minimize the probability that an error occurs AND that it goes unnoticed. To do that, a firm must have all the components of effective risk management. The firm must have the ability to perform the 3 Ms of Risk Management: Measurement, Monitoring and Management of risk. In this paper, we will outline the basic capabilities of each of the three areas.

Risk Measurement

All firms must have the capability to measure their risks. Most firms have risk measurement systems. However, there is a lot more to it than that. Risk measurement involves ALL aspects of the capability to measure risk, not just having systems. To measure risk effectively and accurately, the firm must have accurate and timely information as to its positions, its counterparties and all relevant information regarding its positions and counterparties. This information should ideally be available on a real-time basis as markets move very rapidly and soon the risk analysis may no longer be valid. Measuring this information solely on an overnight (or end of day) basis will not be sufficient as market conditions change during the day, and customer and counterparty activity changes the firm’s risk profile constantly. It is also not sufficient to simply do this several times a day. As market conditions change, the value of the firm’s and its customers’ positions changes accordingly, either favorably or unfavorably. In addition, as customers do trades during the day the firm must be able to track its customers’ accounts as they transact business. This information must be accurate, accessible in a timely manner and able to be retrieved from the firm’s computers and sent to the relevant analytical models for risk evaluation. During some recent risk events, many firms learned that they could not do this effectively, much to their dismay.

So what does effective risk measurement entail? Several key components are required:

The risk measurement methodologies used must accurately measure the risks. There are many different ways to measure risks and firms use most of them. The two basic necessities for a risk measurement methodology to be effective are that it must reflect the risks it measures and that all relevant parties must understand it.

Different kinds of firms will require different kinds of risk measures. The measures needed for a portfolio-based approach to risk measurement are not exactly the ones needed for a retail operation. The portfolio approach requires position, position attribute, counterparty and counterparty attribute data. A retail operation will require all that and extensive information at the account level so it can see what individual accounts are doing real-time.

The firm must be able to examine its risks at any level and aggregate up or drill down to any desired degree. For example, a broker dealer must be able to measure risk by security, security type, counterparty and type, industry or SIC classification, currency, geographical location, etc. The B/D should then be able to aggregate up or drill down in any direction (for example by country by currency or vice versa). A retail brokerage should be able to measure risk by account, by account type, by industry, SIC code, etc, and aggregate up. They should also be able to drill down to the account level after starting with a portfolio approach. In addition, a retail brokerage needs to perform sophisticated margin calculations on a wide variety of products. Also, they would need to be alerted when specific activities occur in selected accounts, e.g., large trades or prohibited activities.

The firm must be able to perform scenario and what if analysis on a real time basis for any of its risk measurement categories. For a retail operation, this means even at the account level.

The analytical models used to measure risk must be accurate and measure the right risks. The models must be appropriate to the business and the products. Different products may require different kinds of models and there is nothing wrong with that. Use as many models as is necessary and no more.

The inputs to the models must be accurate. Many firms have a problem with their data and getting it to the right system at the right time. The data must be accurate, clean, and timely. This applies to model-generated data (including the results of risk analysis) as well as historical market data. Without accurate inputs, the model will give misleading results, leading to inaccurate decision-making.

The connections between the systems must be accurate. Feeder systems must feed the inputs to the risk model on a timely and accurate basis, just as the risk system must feed other systems in the same manner.

The systems must work automatically. You should not have to do anything extra for the system to be measuring risk accurately and timely.

The firm should periodically assess its systems and their ability to perform, effecting updated capabilities when necessary.

Risk Monitoring

For effective risk management to take place, risks must be monitored. A firm that simply measures risk three thousand ways but does not monitor it on a timely basis will likely suffer at some point. Risk monitoring includes all aspects of ensuring that accurate risk measurement information is available to the right people on a timely and accurate basis. What does effective risk monitoring entail? Several key capabilities are required.

The firm must have timely and accurate risk information available to the right people at the right time.

The firm must have a set of comprehensive risk reports generated during the day. The reason that a set of reports is necessary is that different levels of management require different levels of risk information. The key criterion is that the reports reflect the degree of granularity and breadth of information required to optimize the decision-making capabilities of the party that gets the reports.

The firm must also have this information available on a real-time basis. This means that it must be available online for the parties that require it so they can see what is going on at all times. The same issues of granularity and breadth apply here.

The risk systems should have the capability to alert the proper manager when preset conditions occur so that proactive risk management can occur. The firm should set up a variety (as many as needed) of risk conditions that different managers are concerned with. These conditions should also be set in a variety of ways. The parties could set up criteria that will generate alerts. The relevant manager could then drill down into the alert to investigate further. The proper action could be taken.

For example, a B/D could set these alerts to show limit utilization above a certain level (e.g., 75%) and by security, currency, counterparty, trading ledger, industry or geographic location. The system alerts the appropriate level(s) of management when the condition is met. The alerts should also happen as a result of a what-if or scenario analysis, alerting the appropriate party to what could happen under certain conditions. For example, an alert could occur if a major market move would cause an X% loss in a particular security. Management can then examine the alert and take appropriate action, if any. These alerts are set by management and should reflect the conditions with which management is currently concerned.

For a retail operation, this would include all the above. It would also need to include alerts at the account level such as a big trade or an account that is utilizing an increasing portion of its credit and is heading toward a potential margin call. For example, an alert could occur if an X% market move would cause a margin call in a large (or small) account(s). Management can set up appropriate conditions for accounts it wishes to monitor and be alerted when those conditions are met. Management can then examine further and take the appropriate action, if any.
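The alerting described above, as an added example that is not part of the original paper: exposure is aggregated by any attribute, limit utilization is checked against the 75% level the text mentions, and a what-if scenario flags securities whose projected loss crosses a threshold. The positions, limits, shock sizes and the 12% loss threshold are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Position:
    security: str
    currency: str
    counterparty: str
    industry: str
    market_value: float  # signed, in one reporting currency (negative = short)


# Constructed sample book and limits (illustrative values only).
POSITIONS = [
    Position("BANK-A", "EUR", "CP-A", "Banks", 4_000_000),
    Position("BANK-B", "USD", "CP-B", "Banks", 3_000_000),
    Position("TECH-A", "USD", "CP-A", "Technology", 2_000_000),
    Position("UTIL-A", "EUR", "CP-C", "Utilities", -1_500_000),
    Position("TECH-B", "EUR", "CP-B", "Technology", 1_000_000),
]
LIMITS = {  # (dimension, value) -> gross exposure limit
    ("currency", "EUR"): 8_000_000,
    ("currency", "USD"): 10_000_000,
    ("counterparty", "CP-A"): 10_000_000,
    ("industry", "Banks"): 6_000_000,
}
# What-if scenario: shocks compound across dimensions for each position.
SCENARIO = {"industry": {"Banks": -0.10}, "currency": {"EUR": -0.05}}


def aggregate(positions, *dims):
    """Gross exposure keyed by any combination of attributes (aggregate up / drill down)."""
    totals = defaultdict(float)
    for p in positions:
        totals[tuple(getattr(p, d) for d in dims)] += abs(p.market_value)
    return dict(totals)


def utilization_alerts(positions, limits, threshold=0.75):
    """Alert when exposure reaches `threshold` of a limit; include the drill-down list."""
    alerts = []
    for (dim, value), limit in sorted(limits.items()):
        exposure = aggregate(positions, dim).get((value,), 0.0)
        utilization = exposure / limit
        if utilization >= threshold:
            alerts.append({
                "dimension": dim,
                "value": value,
                "utilization": round(utilization, 4),
                "breach": utilization > 1.0,  # over the limit, not just approaching it
                "drill_down": [p.security for p in positions if getattr(p, dim) == value],
            })
    return alerts


def scenario_pnl(positions, scenario):
    """Revalue each position under the scenario and return P&L per security."""
    pnl = {}
    for p in positions:
        factor = 1.0
        for dim, moves in scenario.items():
            factor *= 1.0 + moves.get(getattr(p, dim), 0.0)
        pnl[p.security] = round(p.market_value * (factor - 1.0), 2)
    return pnl


def what_if_alerts(positions, scenario, loss_threshold):
    """Alert on securities whose scenario loss is at least `loss_threshold` of their value."""
    pnl = scenario_pnl(positions, scenario)
    alerts = []
    for p in positions:
        loss_pct = round(-pnl[p.security] / abs(p.market_value), 4)
        if loss_pct >= loss_threshold:
            alerts.append({"security": p.security, "pnl": pnl[p.security], "loss_pct": loss_pct})
    return alerts


if __name__ == "__main__":
    for alert in utilization_alerts(POSITIONS, LIMITS):
        print("LIMIT", alert)
    for alert in what_if_alerts(POSITIONS, SCENARIO, loss_threshold=0.12):
        print("WHAT-IF", alert)
```

The short position gains under the scenario, so only the long EUR bank holding crosses the loss threshold.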

In addition to all the reports and alerts, managers must effectively communicate with each other so that they are aware of current conditions.

Risk Management

The first two steps in the process provide the analytics and the tools that managers at all levels must have in order to make effective decisions regarding risks. The final step in the process may be the simplest to explain. After all the risks that can be measured are monitored (not all risks can be measured, and you should not try!), and after the correct monitoring systems and procedures are in place, the final step in the process is actually managing the risk. This simply means management decision-making when called for, based on the information that is available. Managers at every level must be ready to take appropriate actions when a condition exists that warrants attention. This means proactive actions. Remember that not every risk condition or situation requires action. It is possible, for example, that a limit is exceeded on a trading floor and management becomes aware of it. After reviewing the excess, determining the cause and discussing the possible harm, the appropriate managers may let it stand and take no action. Or, an alert can be generated on a specific account. After drill down and review, management decides no action is called for.

Some of the critical aspects of managing risk effectively are:

The proper analytical tools must be used so that the information to decide possible courses of action is reliable

The proper risk monitoring capabilities, including alerting capabilities that provide this information on a real time basis, must be in place

A risk-oriented mindset must exist in all employees. Senior management must drive this mindset from the top down. Everyone bears some of the responsibility, not just management and risk managers

A willingness to be proactive regarding risk management, treating risk management as a business partner, not simply part of a compliance function

Conclusion

As we all know, there are many crucial aspects to implementing effective risk management capabilities at a firm. It is critical that each phase be implemented at any firm that wishes to effectively manage its risks. This can be summarized relatively simply. The tools for measuring risk must be accurate as must be the inputs to those tools. This means models must be accurate. Data must be clean. The technology behind the system should help the risk management process by identifying risk so that managers have increased resources for managing risks. Real-time capability is required; batch processes won’t cut it any more. The outputs of the risk measurement process must be available on a real time basis so that managers understand what is happening as it is happening and can take appropriate action. This means everyone gets the info when they need it. Systems that inform management of current conditions go a long way to helping the process. Finally, everyone should consider risk management as part of his or her job. Effective risk management is possible when these conditions are met.

Dodd Frank Collateral Exposure for a Bank

Bank Derivative Holdings = $ One Trillion

Initial Margin 10% = $ 100 Billion

Variation Margin 1%-5% = $1 to $ 5 Billion

Collateral Management is a new business process requiring investment and technology.

Bank Reorganization may be needed.

New interbank collateral trading processes need to be implemented with resultant trading agreements.

New business area for interbank brokers and central bankers.