Rebuilding trustNext steps for risk management in financialservicesA report from the Economist Intelligence UnitSponsored by
Rebuilding trust    Next steps for risk management in financial services       About this research        R   ebuilding tr...
Rebuilding trust                                Next steps for risk management in financial services                      ...
Rebuilding trust    Next steps for risk management in financial services       from interviews with industry experts and c...
Rebuilding trust    Next steps for risk management in financial services        Key points       n	 Short-term improvement...
Rebuilding trust    Next steps for risk management in financial services       corporate profitability, while new macroeco...
Rebuilding trust    Next steps for risk management in financial services       Which of the following statements best desc...
Rebuilding trust    Next steps for risk management in financial services        Key points       n	 There is a growing con...
Rebuilding trust                                      Next steps for risk management in financial services                ...
Rebuilding trust    Next steps for risk management in financial services       How effective is your organisation in each ...
Rebuilding trust                                Next steps for risk management in financial services                      ...
Rebuilding trust                                       Next steps for risk management in financial services               ...
Rebuilding trust     Next steps for risk management in financial services         Key points        n	 Enterprise risk man...
Rebuilding trust                           Next steps for risk management in financial services     Financial             ...
Rebuilding trust                              Next steps for risk management in financial services                        ...
Rebuilding trust                                   Next steps for risk management in financial services     “Institutions ...
Rebuilding trust     Next steps for risk management in financial services        Conclusion        R    isk management is ...
Appendix         Rebuilding trustSurvey results   Next steps for risk management in financial services                    ...
Appendix         Rebuilding trustSurvey results   Next steps for risk management in financial services                    ...
Appendix         Rebuilding trustSurvey results   Next steps for risk management in financial services                    ...
Appendix         Rebuilding trustSurvey results   Next steps for risk management in financial services                    ...
Appendix         Rebuilding trustSurvey results   Next steps for risk management in financial services                    ...
Appendix         Rebuilding trustSurvey results   Next steps for risk management in financial services                    ...
While every effort has been taken to verify the accuracyof this information, neither The Economist IntelligenceUnit Ltd. n...
LONDON26 Red Lion SquareLondonWC1R 4HQUnited KingdomTel: (44.20) 7576 8000Fax: (44.20) 7576 8500E-mail: london@eiu.comNEW ...
Upcoming SlideShare
Loading in...5
×

Rebuilding trust - Next steps for risk management in financial services

361

Published on

Rebuilding trust: Next steps for risk management in financial services is an Economist Intelligence Unit report that examines the steps that financial-services firms around the world are taking to reinforce their risk management capabilities in response to the global financial crisis triggered by the ‘credit crunch’. The report is sponsored by SAS.

The Economist Intelligence Unit bears sole responsibility for the content of this report. Our editorial team executed the online survey, conducted the interviews and wrote the report. Our research for this report drew on two main initiatives:

● We conducted an online survey of 346 executives from around the world in January and February 2010.

● The survey included companies of a variety of sizes from the banking and insurance industries.

● All respondents have a primary focus on risk management.

● To supplement the survey results, the Economist Intelligence Unit conducted a programme of qualitative research that included a series of in-depth interviews with industry experts.

The author was Rob Mitchell and the editor was Abhik Sen.

Published in: Business, Economy & Finance
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
361
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
4
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Rebuilding trust - Next steps for risk management in financial services"

  1. 1. Rebuilding trustNext steps for risk management in financialservicesA report from the Economist Intelligence UnitSponsored by
  2. 2. Rebuilding trust Next steps for risk management in financial services About this research R ebuilding trust: Next steps for risk management in financial services is an Economist Intelligence Unit report that examines the steps that banks and insurers around the world are taking to reinforce their risk management capabilities in response to the global financial crisis. The report is sponsored by SAS. The author was Rob Mitchell and the editor was Abhik Sen. The Economist Intelligence Unit bears sole responsibility for the content of this report. Our editorial team executed the online survey, conducted the interviews and wrote the report. The findings and views expressed in this report do not necessarily reflect the views of the sponsor. Our research for this report drew on two main initiatives: l We conducted an online survey of 346 executives from around the world in January and February 2010. The survey included companies of a variety of sizes from the banking and insurance industries. All respondents have a primary focus on risk management. l To supplement the survey results, the Economist Intelligence Unit conducted a programme of qualitative research that included a series of in-depth interviews with industry experts. We would like to thank the many people who helped with this research. May 2010 © The Economist Intelligence Unit Limited 2010
  3. 3. Rebuilding trust Next steps for risk management in financial services Executive summary T he global financial crisis had many causes but failures in risk management were clearly a contributory factor. Although there were technical shortcomings, especially related to the use of risk models and metrics, a more widespread problem was a failure of governance, which meant that the legitimate warnings of risk managers went either unheeded or unnoticed. In the euphoria of the credit bubble preceding the crash, a culture in banking and insurance that prioritised short-term gains over prudence all too often rode roughshod over the concerns of risk managers. Many senior executives were more concerned with outperforming revenue and profit targets than paying heed to growing risk concentrations. The crisis has changed that. Across the financial services industry, risk management has moved to the centre of strategic decision-making, and many institutions are revamping their entire approach to understanding and mitigating the risks that they face. Our 2009 report, After the Storm: A new era for risk management in the financial services industry1, found that the majority of financial institutions have been conducting wholesale reforms to the way that they manage risk. If anything, the pace of change has accelerated since then, with institutions reappraising their corporate governance structures, risk functions, data, information systems, and business processes and procedures. Many banks and insurers have come a long way in their efforts to strengthen risk capabilities. Discussions about risk have become a key part of the boardroom agenda, chief risk officers have a prominent seat at the top table and there is a renewed zeal for instilling a greater awareness of risk principles in the front office — the so-called first line of defence. Despite this progress, however, weaknesses remain. The enthusiasm for a large-scale overhaul of risk management in the industry has created human capital shortages as companies and regulators scramble to acquire suitable expertise. Data and information management systems remain significant impediments to an overall understanding of risk exposures, while regulatory uncertainty makes it difficult for organisations to plan for the long term. In February 2010, the Economist Intelligence Unit conducted a global survey on behalf of SAS to track the progress of financial institutions in strengthening their risk management since the crisis. The 1 Report available at www. survey attracted 346 respondents from across the banking and insurance industries. The report that eiu.com/afterthestorm follows presents the highlights of those survey findings along with related additional insights drawn © The Economist Intelligence Unit Limited 2010
  4. 4. Rebuilding trust Next steps for risk management in financial services from interviews with industry experts and commentators. Key findings from this research include the following: Confidence levels are high but there is a risk of complacency. Financial institutions are feeling much more confident about the future compared with 12 months ago. Around three-quarters of respondents believe that prospects for revenue growth over the next year are good, whereas 68% are positive about the prospects for profitability. These levels of confidence, which are around double the levels reported in a similar survey conducted last year, reflect a widely held view that the financial system has stabilised. There is a risk of complacency, however. As governments withdraw stimulus packages and liquidity support for the financial sector, revenues and profitability could yet fail to meet expectations. The focus on regulatory compliance could distract attention from emerging risks. Around the world, regulators have stepped up their scrutiny of financial institutions. While few people would argue against a tougher regulatory regime in financial services, respondents to the survey highlight uncertainty regarding regulation as the main barrier to effective risk management. There is a danger that the focus on compliance could be “crowding out” day-to-day risk management at a time when formerly low probability risks, such as sovereign debt crises, are becoming more commonplace. A clearly defined risk strategy is in place at most institutions, but significant areas of weakness remain. Investment in risk management is increasing almost across the board, with risk processes, data, information systems and training being key areas of focus for the majority of institutions. Six out of 10 respondents now say that they have a clearly defined risk strategy in place at their organisations that is updated on a regular basis. However, this still leaves a worrying 40% whose companies do not conduct regular updates or do not have a clear risk strategy in place. Banks and insurers are filling gaps in risk expertise with investment in training and recruitment. Respondents recognise that shortfalls in the quality and quantity of risk experts have been an important part of the problem in risk management. Asked about key areas in which shortcomings need to be addressed, respondents list issues related to expertise as three of their top four priorities. More than one-half of respondents say that they are increasing their investment in training, both of risk professionals and across the broader business, and a similar proportion say that they are spending more on recruitment. The silo-based approach to risk management continues to pose problems. In the days leading up to the financial crisis, the separation of risk management into separate departments led many financial institutions to underestimate risk concentrations and correlations. Even now, less than one- half of respondents to our survey are confident that they understand the interaction of risks across business lines and poor communication between departments is seen as a key barrier to effective risk management. Financial institutions need to further improve data quality and availability. An over-reliance on risk models, and problems with the data used to populate those models, have been widely seen as a key failure in financial risk management. Financial services firms recognise that data quality and availability need to improve further. Collecting, storing and aggregating data is an area of weakness for many institutions, with only 39% of respondents believing that they are effective at all these activities. © The Economist Intelligence Unit Limited 2010
  5. 5. Rebuilding trust Next steps for risk management in financial services Key points n Short-term improvements in market conditions and liquidity have made the banking and insurance industries surprisingly optimistic about their prospects for the coming year. n The emphasis in regulation is shifting from issues related to individual institutions to more macro- prudential concerns associated with systemic risk. n While many firms have overhauled their risk management following the financial crisis, a worrying number of them still do not have a clearly defined risk strategy. The new risk landscape T he financial services industry entered 2010 on a much more stable footing than last year. Since the darkest days of the financial crisis, the share prices of major banks have rebounded, economic conditions have improved and the industry has benefited from a surge in liquidity facilitated by the actions of policymakers around the world. These short-term improvements in the economic landscape have fostered a mood of surprising optimism among the respondents questioned for our survey. Three-quarters see their prospects for revenue growth over the next year as positive, while 68% feel the same on the outlook for profitability. In last year’s Economist Intelligence Unit survey for SAS, just 34% saw the prospects for revenue growth, and 33% for profitability, as being positive. Optimism is particularly high within the Asia-Pacific region where financial institutions have been less affected by the crisis and where economic growth remains relatively robust. Within the region, 86% of respondents see prospects for revenue as positive, and 77% think similarly on the outlook for profit. Although the outlook has undoubtedly improved significantly across the whole industry, it would be wrong to be complacent. Sluggish economic growth in developed countries, combined with stubbornly high unemployment, are likely to lead to further difficulties in mature markets. New regulations and the imposition of more conservative capital and liquidity buffers will drive down How do you currently rate the prospects for your business in the following areas over the next year? Please rate 1 to 5 where 1 is significantly positive and 5 is significantly negative and 3 signifies no change. (% respondents) 1 Significantly positive 2 3 No change 4 5 Significantly negative Revenue growth 23 51 14 10 1 Profitability 18 50 18 13 1 Share price 10 42 41 61 Relations with customers 16 52 27 5 Relations with investors 12 42 37 8 Capital adequacy 13 46 29 11 1 Source: Economist Intelligence Unit survey, February 2010. © The Economist Intelligence Unit Limited 2010
  6. 6. Rebuilding trust Next steps for risk management in financial services corporate profitability, while new macroeconomic risks, such as the sovereign debt crisis in Greece, could derail any nascent recovery. In the medium term, policymakers will be looking to withdraw fiscal stimulus packages and return debt and equity capital holdings to private investors. Over the same period, a more stringent regulatory environment will emerge. Banks, for example, face the prospect of tighter restrictions on capital reserves under proposals dubbed as the “Basel 3 rules”. The emphasis in regulation is shifting from issues related to individual institutions towards macroprudential ones associated with systemic risk. “Previously, regulators were just not focused on systemic issues,” says Viral Acharya, professor of finance at the New York University Stern School of Business. “It was almost as if the micro objective of making each bank safe was somehow clouding the focus of regulation from what it really should be doing, which is to guard the system as a whole.” With which of the following stakeholders of your company has there been the most change in the transparency of communication on risk issues over the past 12 months? Select up to two. (% respondents) Regulators 63 Board of directors 37 Investors 30 Rating agencies 17 Government bodies 16 Creditors 10 Media 5 What do you consider to be currently the main barriers to effective risk management in your organisation? Select up to three. (% respondents) Uncertainty over future regulation 39 Poor communication across departments 38 Insufficient data 32 Risk management function lacks authority 29 Lack of confidence in existing risk management tools 26 Inadequate real-time (intra-day) risk management 21 Lack of adequate investment 21 Use of spreadsheets in risk management 12 Others, please specify 5 There are no barriers 6 Source: Economist Intelligence Unit survey, February 2010. © The Economist Intelligence Unit Limited 2010
  7. 7. Rebuilding trust Next steps for risk management in financial services Which of the following statements best describes the situation regarding the risk management strategy at your company? (% respondents) We have a clearly defined risk management strategy that is updated on a regular basis 60 We have a clearly defined risk management strategy, but it is not updated on a regular basis 21 We do not have a clearly defined risk management strategy 9 We are creating a new model for our risk management strategy after the financial crisis 10 Source: Economist Intelligence Unit survey, February 2010. Regulators look at risk This is not to say, however, that regulators are downplaying their micro-prudential responsibilities. In the past 18 months, supervisors have been carefully scrutinising the way in which individual institutions identify, monitor and mitigate risk, and the steps they are putting in place to ensure that boards are fulfilling their mandates on governance and oversight. The dynamic between regulators and individual firms has changed immeasurably, according to Barrie Wilkinson, a partner in risk and finance at Oliver Wyman, a consultancy. “In the UK, the Financial Services Authority is recruiting very aggressively and has armies of people coming in almost every day to inspect the banks,” he says. The extent of dialogue with regulators emerges as a key concern for respondents to our survey. Asked about the stakeholders with whom transparency of communication on risk issues had changed most over the past 12 months, respondents cite regulators by a significant margin. They also point to regulatory uncertainty as the main barrier to effective risk management. Pressure from regulators and other stakeholders, along with the sheer scale of the recent crisis, means that very few financial institutions now take risk management for granted. As highlighted in our 2009 report, more than one-half of institutions said that they were conducting a thorough overhaul of their risk management. Today, there is greater confidence that some issues have been resolved. Six out of 10 respondents say that they have a clearly defined risk strategy in their organisations that is regularly updated, although this still leaves a worrying 40% that either do not have such a strategy in place or have significant work to do to make the necessary changes. In the case of organisations with less than US$500m in assets, just 43% have a clearly defined strategy in place. © The Economist Intelligence Unit Limited 2010
  8. 8. Rebuilding trust Next steps for risk management in financial services Key points n There is a growing consensus that good risk management at organisations starts at the top. n It is increasingly common for CROs to have a dual reporting line to the chief executive and to the risk committee or equivalent. n There is still plenty of room for improvement in risk management and reporting practices at most companies. Setting the tone T here is an emerging consensus that good risk management starts at the top of the organisation. Board members need to have sufficient knowledge and information to be able to challenge and question executive management, and they need to devote an appropriate amount of time to understanding the business. “If you are going to have a risk culture that is embedded within an organisation, it has to start from the top,” says Richard Apostolik, president of the Global Association of Risk Professionals, a trade association. Survey respondents consider board-level expertise to be one of the top three risk management issues that they would like to address. Yet somewhat surprisingly, less than one- half say that they are devoting resources to improving risk governance by board members. Many institutions are addressing these shortcomings by forming board-level risk committees. This is one of the key changes proposed by the UK government-sponsored Walker Review of corporate governance in the banking industry. There is also a strong focus on board competencies in the US. Proposed rules from the Securities and Exchange Commission will require disclosure of the board’s In the past 12 months, what change has there been to the amount of investment your firm has made in the following areas? Please rate 1 to 5 where 1 is significantly more and 5 is significantly less and 3 signifies no change. (% respondents) 1 Significantly more 2 3 No change 4 5 Significantly less Training of risk professionals 14 40 41 4 2 Training of general workforce in risk 10 41 42 5 2 Training of board members in risk 9 40 47 31 Recruitment of specialised risk professionals 12 38 43 4 2 Improvement of risk processes at strategic level 19 51 25 41 Improvement of risk processes at operational level 18 54 25 2 1 Data quality and integrity 13 49 34 3 IT systems 14 43 38 31 Third-party risk advisory services 4 24 61 8 2 Source: Economist Intelligence Unit survey, February 2010. © The Economist Intelligence Unit Limited 2010
  9. 9. Rebuilding trust Next steps for risk management in financial services qualifications and its role in risk management. Among respondents to our survey, almost three-quarters say that they have a board-level risk committee in place. Not everyone believes, however, that stand-alone risk committees are essential in every organisation. “It depends what the firm is doing and the scope and depth of its activities,” says Mr Apostolik. “In some cases, this role can be performed perfectly adequately as part of an audit committee.” More important than the existence of a risk committee is the content of the board’s discussions and their interaction with executive management and the risk function. “The board needs to know what they don’t know and they need to find a way of finding out what that information is,” notes Andy Clinton, managing director of Protiviti, a risk consultancy. Boards across the industry are facing a significant increase in their workload and responsibilities. Key among these is the need to set and monitor the overall risk appetite, which should articulate the “There is much to institution’s willingness to take risk in order to pursue business objectives. be said for having A recent report from the Senior Supervisors Group—a collection of financial regulators from Canada, a risk committee France, Germany, Japan, Switzerland, the UK and US— found that financial institutions still have some to look over the progress to make in setting and monitoring a robust risk appetite2. Until recently, risk appetite was horizon while the generally regarded as a mechanical, compliance-driven activity that required the approval of boards board steers the but little active involvement from them. “Most of the risk appetite work that we see now is trying to ship, but economic get boards to own the risk profile of the organisation, and talk openly about what kind of risks the storms arrive company should be running and under what circumstances it might need to take certain precautionary unexpectedly” actions,” comments Andrew Rear, head of European insurance at Oliver Wyman. – David Allen, partner at Mayer David Allen, a partner at law firm Mayer Brown, says that an organisation’s risk appetite should be Brown, a law firm informed by the broader economic outlook, but he warns that this could be a source of tension. “There is much to be said for having a risk committee to look over the horizon while the board steers the ship, but economic storms arrive unexpectedly, and it will take robust committee members to persuade the board to reduce its risk exposure when the waters still appear calm,” he says. Role of the CRO Many financial institutions are changing reporting lines for the chief risk officer (CRO) in order to strengthen their overall risk governance. It is increasingly common for CROs to have a dual reporting line to the chief executive and to the risk committee or equivalent. Among our survey respondents, 57% say that their companies have a CRO with a direct reporting line into the board. A dual reporting line ensures that the CRO has access to executives at the very top of the company Does your organisation currently have the following? (% respondents) Yes, already have No, but intend to recruit No plans to recruit Chief Risk Officer 65 12 22 Risk committee 73 11 17 Board member with expertise in risk 67 11 22 2 Risk management lessons CRO reporting to board or executive directors frequently from the global banking 57 14 29 crisis of 2008, October 2009 Source: Economist Intelligence Unit survey, February 2010. © The Economist Intelligence Unit Limited 2010
  10. 10. Rebuilding trust Next steps for risk management in financial services How effective is your organisation in each of the following areas? Please rate 1 to 5 where 1 is very effective and 5 is not effective at all. (% respondents) 1 Very effective 2 3 4 5 Not effective at all Aggregating risks at firm-wide level 16 42 27 13 3 Applying risk management to support broader strategic goals 10 44 34 12 1 Understanding the interaction of risk across business lines 8 39 38 14 1 Managing real-time (or intra-day) risk 8 29 38 21 5 Instilling a culture of risk more broadly in the company 13 37 34 14 2 Providing timely, relevant risk reports to the board 8 39 38 12 3 Collecting, standardising and storing risk data 8 31 40 19 3 Using human judgment to supplement quantitative tools 13 46 28 12 1 Constructing a governance, risk and compliance framework 14 44 29 11 2 Managing the pace and amount of change 5 33 44 16 2 Source: Economist Intelligence Unit survey, February 2010. and it also enables an open and unfettered access to the board, with an information exchange that flows both ways. “The CRO needs to be at the top table and be involved in the strategic decisions the company makes, so that he or she can provide an independent view over whether they fit with the risk appetite of the company,” says Bruce Munro, group CRO of National Australia Bank, who himself reports into the CEO and has a veto over any decision in the organisation. Reporting The success of these new reporting lines and governance structures depends on a robust, two-way communication between the board and senior risk managers. A key area of focus for many firms has been the strengthening of their management information systems and responding to the more diverse and frequent reporting requirements of the board. “It becomes a much more two-way interactive process rather than a mechanical monthly meeting where you just talk about whatever has come through the system that month,” says Mr Munro. Axel Lehmann, group CRO of Zurich Financial Services, one of the world’s largest insurers, says that boards are typically requesting more forward-looking data, and expect both a holistic overview of the key risk exposures as well as more granular information on specific risk categories. “They also want to have a better awareness of the risk models that the company is using and a good understanding of the assumptions that go into those models,” he adds. Yet respondents to our survey admit that they still have improvements to make in risk reporting. Just 47% say that they are effective at providing timely and relevant risk reports to the board. Given that boards expect to get both greater detail from reports and an insightful summary of overall risk exposure—all in a highly accelerated time frame—it seems clear that many organisations still have some way to go to satisfy these new requirements. © The Economist Intelligence Unit Limited 2010
  11. 11. Rebuilding trust Next steps for risk management in financial services Key points n Shortage of risk professionals with the right expertise is forcing most companies to spend significantly more on recruitment and training. n The scarcity of talent is most acute in the areas of compliance and governance. n Companies are looking for risk experts with not just technical capabilities but also softer skills like the ability to communicate across functional silos and reporting lines. War for talent G reater expectations from boards, combined with sustained pressure from regulators and other stakeholders, are placing significant pressure on risk functions. With many financial institutions actively recruiting and embarking on major risk projects, risk expertise is becoming a scarce and expensive commodity. According to a report in Risk magazine3, shortages of risk professionals in the UK are forcing salaries to rise by between 20% and 30%. Among our respondents, 50% say that their organisations are spending more on recruiting risk professionals, and just over half say their companies are increasing investment in training programmes to improve the risk function’s skills. Asked about the areas where shortages are most acute, respondents list compliance and governance by a considerable margin. The problem is compounded by the fact that recruiters are becoming increasingly demanding. “Before the collapse of Lehman Brothers, banks hired candidates who ticked seven out of 10 boxes,” says Blair Cashin, a risk management consultant at Joslin Rowe, a recruitment firm. “Now they want In which of the following areas has there been most change – if any – in the need for expertise in personnel and technology in your organisation over the past 12 months? Select up to three. (% respondents) Compliance and governance 44 Stress-testing 32 Firm-wide risk 31 Liquidity risk 31 Credit portfolio management 26 Asset liability management 26 Risk forecasting 22 Fraud risk 15 Credit scoring (if applicable) 14 Others, please specify 1 3 Risk magazine, December 1st, 2009 Source: Economist Intelligence Unit survey, February 2010.10 © The Economist Intelligence Unit Limited 2010
  12. 12. Rebuilding trust Next steps for risk management in financial services people who tick eleven out of ten.” The development of a formal certification programme, established by organisations such as the Global Association of Risk Professionals, is helping risk management to gain more recognition as a business discipline, and gives financial institutions a better yardstick for measuring expertise.“ Banks need to know from an objective point of view that the people they are entrusting their risk management function to possess the baseline competencies to perform their role,” says Mr Apostolik. But beyond the technical capabilities required by risk professionals, there is also a growing emphasis on softer skills. “You have to be able to take a relatively complex activity and describe it in “Even the smartest simple terms so that people on the board or in the business can quickly understand it and be able to act risk managers will on it,” says Mr Apostolik. “Even the smartest risk managers in the world will fail in the role if they don’t fail if they can’t have the ability to communicate.” communicate” Many commentators believe that greater movement of managers between the front and back offices – Richard Apostolik, president, can help to address talent shortages and, perhaps more importantly, build bridges between the risk Global Association of Risk Professionals function and the business at large. “You’ve got to get more movement between the two,” says Mr Munro. “I think companies ought to insist that their top talent have significant stints in risk during their career. I also think it’s important that people who want a career in risk spend time in the business so they understand one another better.” Enforcer or enabler? and act on it,” says Mr Munro. Instilling this relationship requires strong leadership and professionals in the risk function and front office who respect each The financial crisis has dramatically changed perceptions of the risk other. Rather than relying on the risk function to manage risk, function, giving it unprecedented power over the lines of business. financial institutions need to hold accountable and empower the While few would dispute that this is generally a positive development, first line of defence—the sales teams, underwriting functions or the question is whether there is a danger that the risk function could trading floors—to make decisions in a more risk-aware way. “The best wield too much power, and say “no” to the front office too often. enterprise risk management practice is to have business managers, “You’ve got to use authority carefully,” says Bruce Munro, group chief profit centres, business unit heads and functional heads really risk officer of National Australia Bank. “It’s easy to overreact in the assuming full responsibility and accountability for the risks they current circumstances, but you can’t say ‘no’ to everything.” take,” says Axel Lehmann, group CRO of Zurich Financial Services. This highlights the importance of forming a positive working Risk management currently enjoys an unprecedented level of relationship between the risk function and the business, so that the authority within organisations, but this could prove temporary when front office sees risk as making a positive contribution—more than confidence returns and there is a renewed focus on performance and just as an enforcer. “Risk functions need to shift towards being an investor returns. “That is the $64,000 question,” says Mr Munro. “It’s enabler, developing an external and independent view and finding a not hard at the moment to get risk around the table. The challenge will way of convincing the business that it has value, to listen to that view be to keep risk at the table once conditions demonstrably improve.”11 © The Economist Intelligence Unit Limited 2010
  13. 13. Rebuilding trust Next steps for risk management in financial services Key points n Enterprise risk management remains a work in progress for most institutions in the banking and insurance industries. n The vast majority of financial institutions surveyed for this report are improving risk processes at the operational level while a smaller proportion are doing the same at the strategic level. n Major obstacles remain in integrating the management of credit and market risk. Breaking down silos W ithin the risk function itself, there is a recognition that not enough has been done to encourage communication across risk silos. In many institutions, market and credit risk were managed by different teams using separate systems, which made it difficult to gain an overall aggregate view of risk exposures, and meant that some problems inevitably fell through the cracks. Recognising these shortcomings, some banks are seeking to combine or improve co-ordination between risk departments. Last year, for example, HSBC combined its market and credit risk functions. Although financial institutions are making progress on aggregating risk exposures at the enterprise level, a firm-wide view of risk remains a work in progress for the vast majority of them. Just 47% of respondents consider themselves effective at understanding the interaction of risks across business lines, and 58% are confident in their ability to aggregate risks at the firm-wide level. Poor communication across departments is also identified as the second most significant barrier to effective risk management. In which of the following areas do you think the most significant focus should be to address current shortcomings in risk management? Select up to three. (% respondents) Risk management processes and systems 48 Business risk expertise 46 Board-level expertise 38 Risk function expertise 32 Data quality 30 Defining line responsibility for risk management 25 Risk reporting 21 Data availability 16 Real-time (or intra-day) risk 9 Others, please specify 2 Source: Economist Intelligence Unit survey, February 2010.12 © The Economist Intelligence Unit Limited 2010
  14. 14. Rebuilding trust Next steps for risk management in financial services Financial This ongoing reassessment of organisational structures reflects a general trend whereby financial institutions also institutions are examining risk processes and considering whether they are still fit for purpose. Asked recognise that about the changes to levels of investment in key aspects of risk, almost three-quarters of respondents their existing risk say that they are increasing expenditure on the improvement of processes at the operational level. structures and A slightly smaller proportion of 70% say that they are increasing investment in risk processes at processes failed the strategic level. Processes and systems are also seen as the aspect of risk that is in most need to account for the of attention. liquidity crunch There are obstacles for initiatives designed to break down risk silos, however. “Credit risk and that crippled the market risk tend to be big departments and have very different cultures,” says Mr Wilkinson from the industry following consultancy Oliver Wyman. “Trying to get those guys to work as a single team is easier said than done.” the collapse of There are significant data infrastructure challenges too, as credit risk and market risk typically operate Lehman Brothers. separate systems that cannot easily be integrated. Even if the two functions are not formally combined, better co-ordination between them can help to serve as an early warning system of emerging risk correlations. “The best way to break down a silo is to have a culture where people in different departments know each other and can figure out what links there might be between particular risks under certain circumstances,” says Mr Munro. Financial organisations also recognise that their existing risk structures and processes failed to account for the liquidity crunch that crippled the industry following the collapse of Lehman Brothers. Often liquidity was something that was managed by the treasury function, and not seen as a risk category in its own right. Even regulators tended to neglect it. “Liquidity risk was always a bit of a sleeper risk,” says Mr Munro. “Like many banks, we have given it greater focus, more sophistication in the way we manage it and more conservatism in the buffers that we hold.”13 © The Economist Intelligence Unit Limited 2010
  15. 15. Rebuilding trust Next steps for risk management in financial services Key points n Institutions are increasingly combining traditional measures of risk management with more forward- looking tools and techniques. n Collecting and analysing data to effectively manage risk is still a big challenge for many organisations. n Four out of five companies surveyed say they are increasing investment in data quality and integrity. The devil is in the data A ccurate and reliable data are the cornerstones of good risk management, yet continue to be an area of considerable weakness. As the Senior Supervisors Group noted in a recent report, many financial institutions have information management systems that are inadequate to monitor their risk exposures. The problem is especially acute at multinational banks and insurers that have grown through acquisitions. Among survey respondents, just 39% say that they are effective at collecting, standardising and storing data. Insufficient data is also seen as among the top three shortcomings preventing more effective risk management. “Data is everything,” says Mr Apostolik. “Without data you’re not going to be able to make any kind of educated risk assessment.” Signs of stress mechanical way, and were dismissive of scenarios that were seen as too outlandish. “Stress testing is vitally important,” says Gordon Scott, managing director in the financial institutions group at Fitch The financial crisis has highlighted the problems of over-reliance Ratings. “You’ve got to understand how robust your positions are on quantitative models. It is now generally agreed that techniques to alternatives of macro events and other stresses, no matter how such as Value at Risk (VaR), which are used to calculate the risk of implausible they may seem.” loss in a portfolio, should not be used in isolation. A key problem For many institutions, stress testing is increasingly being with VaR is that it is based on historical data, often of a relatively applied in a more systematic way that is linked with the overall short timeframe, that fails to account for the possibility of risk appetite. It remains a relatively unfamiliar concept for some catastrophic outcomes in financial markets. institutions, however, and an area where the necessary skills may Although some financial institutions continue to use VaR, be in short supply. According to survey respondents, stress testing it seems likely that regulators will push them towards using an is the area where there has been most change in the need for adapted measure, such as Stressed VaR, which examines how expertise after compliance and governance. a firm’s trading position changes during times of acute market While stress testing has emerged as a useful tool to explore the stress. More generally, there is a shift towards combining impact of potential scenarios, there continues to be debate around these traditional measures with more forward-looking risk how to embed the outcomes of the activity into management tools and techniques. decision-making. Qualitative tools are inherently subjective, but Stress testing is one tool that is rapidly gaining ground as an this should not prevent their adoption as an early warning system important input to understanding risk exposures. Although it designed to prepare the institution for different eventualities and is not new, financial institutions previously used it in a rather to provide an indication of trouble on the horizon.14 © The Economist Intelligence Unit Limited 2010
  16. 16. Rebuilding trust Next steps for risk management in financial services “Institutions need An important challenge for many firms is that they have multiple or disparate legacy systems that to ensure that the have built up over a period of years. “When a decision is made to launch a new product, or respond same sources of to a new regulatory initiative, the tendency is to solve that quickly and meet the requirements by data are available building a new system,” says Sam Harris, director of enterprise risk management at Teradata, a to people across technology provider. the organisation Reconciling these disparate systems across multiple borders and currencies requires a significant so that results are amount of manual intervention. This time-consuming and resource-intensive process creates a time comparable” delay in the availability of data—a major problem when an institution is trying to formulate a response – Sam Harris, director of to an unexpected event, such as the collapse of a counterparty. In recognition of these shortcomings, enterprise risk management, Teradata 62% of survey respondents say that they are increasing investment in data quality and integrity. Data quality underpins the efforts that financial institutions are making to aggregate risk exposures and break down the silos between risk categories. “Institutions need to ensure that the same sources of data are available to people in different parts of the organisation so that results are comparable across business units and different risk measures,” says Mr Harris.15 © The Economist Intelligence Unit Limited 2010
  17. 17. Rebuilding trust Next steps for risk management in financial services Conclusion R isk management is viewed as one of the culprits of the financial crisis but it should also be seen as one of the main instruments for safeguarding the future. Although actions taken now should not be expected to prevent every future crisis, some lessons have been learned and many organisations are moving towards a more sustainable approach to the balance between risk and reward. There is still significant progress to be made, not least in building a firm-wide risk culture and ensuring that there is sufficient, timely information available to make appropriate decisions. The risk function has now attained an unprecedented level of authority. With regulators, boards and executive management desperate to ensure that the mistakes of the past are not repeated, risk management has become central to the strategic agenda and few major decisions will now be taken without involving senior members of the risk function. Chief risk officers have a seat at the top table and the ear of the board, and the regulatory process points to a deeper role for risk management at every level of the organisation. But this new mantle of authority needs to be used wisely. Although risk must retain its controls and enforcement responsibilities, CROs and their reports should be careful to strike a balance between the prevention of excessive risk-taking and a more constructive role in helping the business to achieve its broader objectives. In the current environment, it may be tempting to err on the side of prevention, but the risk function must also build a more trusting, positive relationship with the revenue-generating departments while still preserving its objectivity and independence. Moreover, it should be recognised that the level of authority currently enjoyed by the risk function could be fleeting. Although risk management is at the top of the agenda now, and is attracting investment and stakeholder attention, the key question is whether this situation will endure when market conditions turn the corner and the pressure to improve financial performance returns. Efforts and investments made now will determine whether risk has a seat at the top table through the good times as well as the bad.16 © The Economist Intelligence Unit Limited 2010
  18. 18. Appendix Rebuilding trustSurvey results Next steps for risk management in financial services Appendix: Survey results In January and February 2010, the Economist Intelligence Unit conducted a survey of 346 senior risk professionals from the banking and insurance industries. Our sincere thanks go to all who took part in the survey. Please note that not all answers add up to 100%, because of rounding or because respondents were able to provide multiple answers to questions. How do you currently rate the prospects for your business in the following areas over the next year? Please rate 1 to 5 where 1 is significantly positive and 5 is significantly negative and 3 signifies no change. (% respondents) 1 Significantly positive 2 3 No change 4 5 Significantly negative Revenue growth 23 51 14 10 1 Profitability 18 50 18 13 1 Share price 10 42 41 61 Relations with customers 16 52 27 5 Relations with investors 12 42 37 8 Capital adequacy 13 46 29 11 1 With which of the following stakeholders of your company has there been the most change in the transparency of communication on risk issues over the past 12 months? Select up to two. (% respondents) Regulators 63 Board of directors 37 Investors 30 Rating agencies 17 Government bodies 16 Creditors 10 Media 5 Which of the following statements best describes the situation regarding the risk management strategy at your company? (% respondents) We have a clearly defined risk management strategy that is updated on a regular basis 60 We have a clearly defined risk management strategy, but it is not updated on a regular basis 21 We do not have a clearly defined risk management strategy 9 We are creating a new model for our risk management strategy after the financial crisis 10 Source: Economist Intelligence Unit survey, February 2010.17 © The Economist Intelligence Unit Limited 2010
  19. 19. Appendix Rebuilding trustSurvey results Next steps for risk management in financial services In the past 12 months, what change has there been to the amount of investment your firm has made in the following areas? Please rate 1 to 5 where 1 is significantly more and 5 is significantly less and 3 signifies no change. (% respondents) 1 Significantly more 2 3 No change 4 5 Significantly less Training of risk professionals 14 40 41 4 2 Training of general workforce in risk 10 41 42 5 2 Training of board members in risk 9 40 47 31 Recruitment of specialised risk professionals 12 38 43 4 2 Improvement of risk processes at strategic level 19 51 25 41 Improvement of risk processes at operational level 18 54 25 2 1 Data quality and integrity 13 49 34 3 IT systems 14 43 38 31 Third-party risk advisory services 4 24 61 8 2 In which of the following areas do you think the most significant focus should be to address current shortcomings in risk management? Select up to three. (% respondents) Risk management processes and systems 48 Business risk expertise 46 Board-level expertise 38 Risk function expertise 32 Data quality 30 Defining line responsibility for risk management 25 Risk reporting 21 Data availability 16 Real-time (or intra-day) risk 9 Others, please specify 2 Over the next year, what change do you expect to the geographical focus of your organisation? Please rate 1 to 5 where 1 is significantly greater focus and 5 is significantly less focus. (% respondents) 1 Significantly greater focus 2 3 4 5 Significantly less focus Domestic market 31 27 36 51 Overseas developed markets 8 29 38 15 11 Overseas emerging markets 26 29 25 10 11 Source: Economist Intelligence Unit survey, February 2010.18 © The Economist Intelligence Unit Limited 2010
  20. 20. Appendix Rebuilding trustSurvey results Next steps for risk management in financial services How effective is your organisation in each of the following areas? Please rate 1 to 5 where 1 is very effective and 5 is not effective at all. (% respondents) 1 Very effective 2 3 4 5 Not effective at all Aggregating risks at firm-wide level 16 42 27 13 3 Applying risk management to support broader strategic goals 10 44 34 12 1 Understanding the interaction of risk across business lines 8 39 38 14 1 Managing real-time (or intra-day) risk 8 29 38 21 5 Instilling a culture of risk more broadly in the company 13 37 34 14 2 Providing timely, relevant risk reports to the board 8 39 38 12 3 Collecting, standardising and storing risk data 8 31 40 19 3 Using human judgment to supplement quantitative tools 13 46 28 12 1 Constructing a governance, risk and compliance framework 14 44 29 11 2 Managing the pace and amount of change 5 33 44 16 2 What do you consider to be currently the main barriers to effective risk management in your organisation? Select up to three. (% respondents) Uncertainty over future regulation 39 Poor communication across departments 38 Insufficient data 32 Risk management function lacks authority 29 Lack of confidence in existing risk management tools 26 Inadequate real-time (intra-day) risk management 21 Lack of adequate investment 21 Use of spreadsheets in risk management 12 Others, please specify 5 There are no barriers 6 Source: Economist Intelligence Unit survey, February 2010.19 © The Economist Intelligence Unit Limited 2010
  21. 21. Appendix Rebuilding trustSurvey results Next steps for risk management in financial services In which of the following areas has there been most change – if any – in the need for expertise in personnel and technology in your organisation over the past 12 months? Select up to three. (% respondents) Compliance and governance 44 Stress-testing 32 Firm-wide risk 31 Liquidity risk 31 Credit portfolio management 26 Asset liability management 26 Risk forecasting 22 Fraud risk 15 Credit scoring (if applicable) 14 Others, please specify 1 Which of the following potential regulatory changes do you think would most benefit the risk management system in your organisation? Select up to three. (% respondents) Compensation linked more closely to long-term performance 42 More stringent capital and capital reserve requirements 40 More data transparency / auditing 32 Stronger macro-prudential regulation 26 Break-up of banks and insurers seen as “too big to fail” 20 Living wills (plans requiring banks to stipulate in advance how they would raise funds in a crisis and how their operations could be dismantled after a collapse) 18 Greater restrictions on derivatives and securitisation sectors 17 Greater restrictions on over-the-counter products / trading 14 Mandatory clearing and settlement of trades 9 Tax aimed at curbing speculative currency transactions 8 Other, please specify 3 None of the above 7 Source: Economist Intelligence Unit survey, February 2010.20 © The Economist Intelligence Unit Limited 2010
  22. 22. Appendix Rebuilding trustSurvey results Next steps for risk management in financial services Does your organisation currently have the following? (% respondents) Yes, already have No, but intend to recruit No plans to recruit Chief Risk Officer 65 12 22 Risk committee 73 11 17 Board member with expertise in risk 67 11 22 CRO reporting to board or executive directors frequently 57 14 29 Where is your company headquartered? (% respondents) United States of America 23 United Kingdom 8 Australia 8 India 8 Singapore 6 Canada 4 Netherlands 4 Switzerland 3 France 2 Germany 2 Hong Kong 2 New Zealand 2 Nigeria 1 Sweden 1 China 1 Indonesia 1 Japan 1 Malaysia 1 Spain 1 Other 18 Source: Economist Intelligence Unit survey, February 2010.21 © The Economist Intelligence Unit Limited 2010
  23. 23. Appendix Rebuilding trustSurvey results Next steps for risk management in financial services What is your primary industry / sector? (% respondents) Investment banking / wholesale capital markets operations / investment management 35 Corporate / commercial banking 23 Retail banking 20 Insurance 19 Reinsurance 3 Which of the following categories best describes your organisation by revenue? (% respondents) $100 million or less 26 Between $100 million and $249 million 6 Between $250million and $499million 6 Between $500 million and $999 million 7 Between $1 billion and $4.9 billion 19 Between $5 billion and $9.9 billion 8 Between  $10 billion and $24.9 billion 8 Greater than $25 billion 21 Which of the following best describes your title? (% respondents) Board member 7 CEO/President/Managing director 16 CFO/Treasurer/Comptroller 9 CIO/Technology director 3 Other C-level executive 12 SVP/VP/Director 25 Head of business unit 3 Head of department 8 Manager 15 Other 2 Source: Economist Intelligence Unit survey, February 2010.22 © The Economist Intelligence Unit Limited 2010
  24. 24. While every effort has been taken to verify the accuracyof this information, neither The Economist IntelligenceUnit Ltd. nor the sponsor of this report can accept anyresponsibility or liability for reliance by any person onthis white paper or any of the information, opinions orconclusions set out in this white paper.Cover image - © FOTOCROMO/Shutterstock
  25. 25. LONDON26 Red Lion SquareLondonWC1R 4HQUnited KingdomTel: (44.20) 7576 8000Fax: (44.20) 7576 8500E-mail: london@eiu.comNEW YORK750 Third Avenue5th FloorNew York, NY 10017, USTel: (1.212) 554 0600Fax: (1.212) 586 0248E-mail: newyork@eiu.comHONG KONG60/F, Central Plaza18 Harbour RoadWanchaiHong KongTel: (852) 2585 3888Fax: (852) 2802 7638E-mail: hongkong@eiu.comGENEVABoulevard des Tranchées 161206 GenevaSwitzerlandTel: (41) 22 566 2470Fax: (41) 22 346 93 47E-mail: geneva@eiu.com

×