  ENTERPRISE RISK MANAGEMENT – SHAPING THE RISK REVOLUTION Hans Helbekkmo, Alok Kshirsagar, Andreas Schlosser, Francesco Selandari, Uwe Stegemann, and Joyce Vorholt
INTRODUCTION

Over the past few years, risk management in the banking industry has faced tremendous challenges and increasing scrutiny. Both factors are leading to fundamental changes in the demands on the risk function. Risk is now being asked to shift from its traditional focus on measurement, compliance, and control to providing a forward-looking view at the heart of decision making, from the board room down into the organization.

Getting out in front of this fundamental change in risk management is critical for banks. By its own admission, the financial industry struggles to integrate a view and a practice of risk management into a coherent whole that can reliably inform enterprise-level decisions.

To tackle these challenges, a strategic and holistic approach to risk management has become essential. Enterprise Risk Management (ERM) has been around for several years now and has grown into a complex and multifaceted set of ideas. But practices and understanding vary widely among banks, slowing the development of ERM.

To help banks develop a common understanding of ERM and to articulate its current state of the art, the Risk Management Association (RMA) and McKinsey conducted an extensive research effort: “Global ERM Banking Survey – Shaping the Risk Revolution.” The survey covered more than 50 banks, among them leading institutions in the Americas, Europe, the Middle East, and Asia-Pacific regions. The survey sample is roughly equally distributed among these regions, and also with respect to size, regulatory regime, and business model. Altogether, participants represented 42 percent of global banking assets.

A key element of the survey was an intensive syndication of the results with the majority of participants, including an exchange of key insights developed by the banks themselves, participant workshops on potential areas of improvement, and the presentation of the findings at various international conferences and roundtables.

The survey was designed to explore banks’ practices in ERM and structured around five dimensions that our research and experience have identified as core capabilities of ERM (Exhibit 1; see also “The five elements of ERM” on page 5).

Exhibit 1: Enterprise Risk Management (ERM) is based on five core capabilities
▪ Ensure that risk becomes a core part of your culture
▪ Set up Risk optimally to both safeguard your organization and support value creation
▪ Understand the risks your bank is taking
▪ Proactively decide for which risks your bank is the natural owner and define risk appetite and strategy accordingly
▪ Ensure risk management is really embedded in the processes of your business and day-to-day decision making
Source: RMA; McKinsey
The goal of this effort is to contribute to banks’ efforts to improve communication and interaction on risk and return across the organization. Such interaction is a two-way process: vertically, by connecting the board room with the engine room, such that senior management is better able to articulate what it needs from risk management to substantiate and support strategic and operational business decisions; and horizontally, by connecting all lines of defense to ensure frontline activities are in line with risk strategies and risk management capabilities.

In the following chapter, we discuss the current state of play in ERM as well as banks’ priorities for the future. We then present eight important findings from the survey, and in the final chapter, we outline the implications of these findings for banks.

The five elements of ERM

Our research,[1] our work with banks and other financial institutions during and after the crisis, and our work with firms in other sectors suggest that ERM has five essential elements.

Risk transparency and insight aims at improving risk identification, risk-return measurement, assessment, and evaluation. It covers activities such as data aggregation, risk/finance IT and data infrastructure and management, risk/financial modeling (including stress testing and risk-based pricing), the alignment of various groups’ assessment of risk and return, and risk-return reporting. Done right, risk insight and transparency should clearly articulate risk-return trade-offs and help to support and steer strategic as well as operational business decisions.

Natural ownership, risk appetite, and strategy covers areas such as the question whether or under which conditions a bank is a good owner of a specific risk, the development and specifications of the risk appetite statement, the metrics it uses, the approach through which the statement is “cascaded” through an organization, and the strategy to plan for and make decisions about the risk-return profile of the bank and its businesses.

Risk-related decisions and processes covers the ways that banks’ views on risk are embedded in the company at strategic, operational, and transactional levels, for example, through explicit reflection of risk or through process differentiation according to risk type. This includes all major processes and decisions including corporate strategy development; capital allocation; limit setting and controlling; risk policies definition; credit underwriting, monitoring and workout; counterparty, market, liquidity and operational risk management; loss forecasting; product pricing; as well as people and performance management.

Risk organization and governance covers designs and structures that allocate the final responsibility for the different elements of risk management, both horizontally and vertically in the organization.

Risk culture encompasses the mechanisms and approach an institution deploys to strengthen mindsets and behaviors, for example, by fostering an open and respectful atmosphere in which employees feel encouraged to speak up when observing new risks.

[1] See for example several papers in our series McKinsey Working Papers on Risk (MWPR): “The risk revolution,” MWPR Number 1, September 2008; “A board perspective on enterprise risk,” MWPR Number 18, February 2010; “Top-down ERM: A pragmatic approach to managing risk from the C-suite,” MWPR Number 22, August 2010; “Enterprise risk management: What’s different in the corporate world and why,” MWPR Number 40, December 2012; and “Getting to ERM: A roadmap for banks and other financial institutions,” MWPR Number 43, March 2013.

ERM PERFORMANCE AND PRIORITIES

To understand the state of play of ERM in the banking industry, we asked participants how strong they perceive their ERM practices to be (for survey methodology, see box on page 11). Exhibit 2 shows how participants perceived the quality of their risk management in several components of the five elements of ERM, and highlights those where perceived quality was lowest.

The trouble spots are broadly the same as those where banks intend to invest the most effort in coming years: Data and information as well as infrastructure and applications have moved rapidly up the agenda in the past few years as regulators such as the Financial Stability Board (FSB), the Senior Supervisors Group, and the Basel Committee on Banking Supervision (BCBS) have focused their attention on these areas (see also page 8 for more on banks’ ERM priorities). Additional trouble spots highlighted in the exhibit are planning and strategic decisions as well as regulatory processes.

An area with clear room for improvement is risk talent and capabilities. More specifically, banks think they need to do better at attracting, retaining, and managing talent in the Risk function as well as increasing the awareness, literacy, and accountability for risk in other “lines of defense”, including the business front line. This area was also mentioned in numerous follow-up discussions with participants as one of their top priorities.

The survey asked about banks’ priority areas for improvement (Exhibit 3). The top priority areas are the strategic aspects of risk management: getting risk appetite and strategy right as well as embedding risk in the daily processes and decision making.
We heard similar views in our discussions with CROs of leading institutions:
▪ “Risk has to have a seat at the table when top management develops the strategy and the business model, and risk has to assume accountability for the overall success of the institution in the marketplace, not just for avoided risks.” – CEO of a leading US universal bank.
▪ “You can’t have a successful strategy unless you recognize and understand your own abilities and manage the risks around that strategy.” – CRO of a European universal bank with global reach.

Exhibit 2: Banks do not think they have reached excellence in ERM yet
[Chart: average score by attribute and perceived overall quality for each of the five ERM elements (survey average on a scale of 1 to 6, with bands labelled basic, advanced, and distinctive; all figures rounded), with the areas of lowest perceived strength highlighted. Source: Global ERM Banking Survey 2012/13]

Exhibit 3: Banks’ ERM priorities have not shifted significantly in the past 2 years
2011 priorities (poll of ~ 30 CROs at Risk Minds Conference 2011):
1. Risk appetite and strategy
2. Risk-enabled decisions and processes
3. Risk organization and governance
4. Risk culture
5. Risk transparency and insight
2013 priorities (results from Global ERM Banking Survey 2012/13):
1. Risk appetite and strategy
2. Risk-enabled decisions and processes (regulatory management is a key priority)
3. Risk culture
4. Risk transparency and insight
5. Risk organization and governance
Source: Risk Minds Conference 2011; Global ERM Banking Survey 2012/13

The survey found that risk organization is moving down the list of banks’ priority areas. However, our work with banks has shown a recent revival of interest in this topic, especially in the context of several risk and compliance mishaps and the performance improvement programs, focused on embedding new accountability principles that many banks have installed in response. Other dimensions such as risk culture and transparency and insight are growing in importance.

To make the priority areas more tangible, we looked in greater detail into the attributes underlying each of the five elements of the ERM framework.
At this level, too, a number of insights come out (Exhibit 4).

First, a significant share of the banking industry views the necessary adjustments to most of the ERM elements as “transformational”, that is, far reaching and often difficult to implement, requiring substantial change and investment, project management capabilities, and top management attention – at a time when all of these are scarce.

Second, banks intend to place a greater focus on translating the enterprisewide risk appetite down into the organization to operational levels in the business units. In so doing, they hope to shift the development of the risk appetite statement from a purely regulatory-driven exercise, conducted at the executive level, into a new role as the backbone of operational bankwide risk management. This structuring role will integrate the risk appetite statement with both the setting of limits in the daily business, and even more tightly with the steering of the business at the front line.

A third priority need is regulatory change management. This too seems natural; many banks remain in more or less constant “firefighting” mode, as the financial crisis has morphed into a sovereign crisis in Europe, and regulatory requirements continue to change and become stricter. The situation is unlikely to ease and in fact may become even more challenging, as key provisions of Dodd-Frank and new rules on leverage, capital, liquidity, funding, asset quality, and risk IT continue to emerge. The pressure will ultimately require banks to take a more holistic and integrated view on the implications of regulatory change on strategy, business model design, and risk management overall. Making incremental change is often no longer sufficient; moreover, individual requirements cannot be managed independently, as banks have learned in recent attempts to improve leverage ratios at the expense of their liquidity and funding ratios.

Exhibit 4: Making the risk appetite more specific and improving regulatory change management are top priorities
[Chart: “What are your priorities for ERM for the next 12 months?” Respondents listing the area as a transformation priority, percent (calculated by taking a ratio of transformation priorities over the entire priorities on every topic), shown in bands of ≥ 15, ≥ 25, and ≥ 35 percent and grouped by the five ERM elements. Areas shown: regulatory change management (including compliance); translate enterprisewide risk appetite down to individual BU; role of risk culture in strengthening control environment; operational risk management; stress testing; structure risk limits to enable day-to-day management of risk appetite; break down risk strategy into incentive systems, KPIs, etc.; develop forward-looking modeling capabilities; improve data governance effectiveness, risk data repository, and infrastructure; improve stress-testing capabilities; integrating risk management across risk silos; operational risk and business controls – governance, controls; legal entity governance and controls. Source: Global ERM Banking Survey 2012/13]

As already mentioned, one additional priority not shown in Exhibit 4 above but brought up by participants in numerous discussions is talent management in Risk. This topic is considered to be particularly challenging in several regards, such as the long-standing difficulty of attracting talent to the Risk function and developing skills in risk managers. A new concern is avoiding the loss of exceptional talent to other parts of the bank or to the market.

Of the remaining priorities shown on Exhibit 4, some have been on the agenda for years now, but obviously are still being worked on. One such is the desire to improve data governance, the risk data repository, and the data infrastructure.
Sound data is a clear-cut prerequisite for more effective and efficient work further downstream in the risk value chain, such as risk modeling and stress testing. Additionally, many of these improvements are now required under new BCBS regulations on risk aggregation and reporting that significantly increase the risk IT capabilities banks must have and set an aggressive timeline to develop them.[2]

[2] “Principles for Effective Risk Aggregation and Risk Reporting,” Bank for International Settlements, January 2013.

Survey methodology

McKinsey & Company, together with the Risk Management Association, conducted a survey of banks in 2012 and early 2013. The intention was to establish a joint language and a global standard of ERM, build an understanding of the global perception of ERM, show where the banking industry currently stands with respect to ERM, as well as identify the best practice for each element of ERM along the framework described above. More than 50 leading large- and medium-sized banks participated in the survey, with good representation of all major geographies, business models, sizes, and regulatory regimes.

The survey was structured in two parts. The first was a qualitative self-assessment. The section was completed by either the chief risk officer or the head of ERM and comprehensively covered all elements and attributes of the ERM framework.

The second part was designed to develop an objective fact base on the status of ERM in each bank and was built on a series of objective questions on all elements of ERM. This part was completed by both the CRO and head of ERM, as well as specialists in each area covered. These included the degree to which the bank can transparently measure, monitor, and report its risks and generate new insights; the clarity of its risk appetite, strategy, and limits; the degree to which it considers risk-related factors in budgeting, business decisions, strategic planning, as well as compliance and regulatory processes; the structure of its risk management department, risk committees, reporting lines, and degree of board oversight; and the ways in which its culture supports its risk management practices.

EIGHT KEY INSIGHTS

The survey identified eight key industry-wide findings (Exhibit 5). In this chapter, we offer a high-level discussion of these insights, again using the five elements of ERM to organize the discussion.

RISK TRANSPARENCY AND INSIGHT

1. Banks are increasingly exposed to nontraditional risks, but many do not cover or assess these adequately. Meanwhile, a few long-standing risks continue to pose problems.

Interviews with CROs of leading banks confirm this view. As the CRO of a leading Canadian bank said, “Information technology risk and cyber risk are at the top of the list of things where we have imperfect transparency or understanding of the risks.” Other important nontraditional risks are regulatory risk, with respect to both intended and unintended consequences of new regulation; changing customer behavior (for example as a consequence of a shift in interest rates); and new forms of macro-risks, for example, second-order exposures to commodity or real estate markets.

Banks find the identification and measurement of these risks extremely challenging. Often, banks do not identify the risks until after they have already accumulated; the size of these risks is hard to quantify and depends on banks’ behavior.

Meanwhile, some traditional risks remain trouble spots. Despite much investment, risk IT and data integration, infrastructure, and security still lag behind other areas of ERM. Most banks identified these areas as weak spots. Recent events attest to this: for example, a major IT incident at a large universal bank hugely affected its retail business; a trading system failed at a leading global investment bank, again with significant impact; and several systems failures at a global European bank led to losses of more than USD 1 billion.

Survey findings indicate that most of the banks had concerns about bankwide data not being clean, comprehensive, as well as quickly and easily accessible when needed.
On infrastructure, concerns were about flexibility and meeting requirements for effective risk control and management.[3] On top of this, banks highlighted some concerns about IT security and risks arising from the pervasive nature of IT. While these concerns were consistent across EMEA and the Americas, Asian banks were not yet under the same regulatory pressure.

2. Most banks successfully integrate stress testing to include revenue, cost, and credit-loss modeling into strategic decision making.

However, follow-up interviews suggest that the level of integration at many European banks is in fact not very high, and remains a regulatory-driven exercise of filling in templates that are not linked to strategic decisions. These interviews and our field experience indicate that in fact, most banks need to significantly improve their basic stress-testing capabilities. In particular, they will need to include stress testing in their capital allocation process, at the request of the European Central Bank. Ultimately banks can aspire to a stress-testing process that is as smooth and well-functioning as their calculations of risk-weighted assets are currently.

Most banks surveyed also feel a need to advance significantly their skills at modeling secondary and higher-order effects, and get better at linking stress tests to the core pillars of their specific business model (“managerial stress testing”).

As the survey shows, many participants consider their stress tests to be sufficiently integrated, in that they consider capital, liquidity, the income statement, and the balance sheet at the same time. However, a question remains: how can banks transform stress testing from an exercise driven mostly by the need for regulatory compliance into a fully integrated process at the heart of strategic decision making? In other words, how can they move from regulatory to managerial stress testing?

Interestingly, two groups did not fully agree: Small Asian banks and some larger US banks were less positive about the level of integration of their stress testing. The rationale for this is twofold. In Asia, stress testing is not yet a primary focus or concern of banks, not least because of low levels of regulatory attention to the topic. As a result, we think it is fair to say that Asian banks’ lesser experience with stress testing means that the level of insight they derive into their strengths and weaknesses is lower. For some large US banks, the sheer size and complexity of their business can make stress testing challenging. US banks have gained experience in modeling second- and higher-order effects – also through a series of very intense regulatory exercises over the last years. For example, some US banks are coming to believe that while a significant housing market crisis will obviously have a negative primary effect on mortgage businesses, secondary effects such as the retreat of aggressive foreign competition might more than compensate.

The differing views on integration of stress testing point out an important insight: a single risk factor can have very different financial impact, depending on the bank’s business model and its capabilities to actively manage adverse scenarios, market dynamics, and competitive behavior. Integrating these aspects into stress testing – managerial stress testing – is the next stage for the most advanced banks.

However, we should note that simply including all relevant risk factors in the stress test does not mean that they are automated and readily available for decision making. Still a significant set of banks view their stress-testing process as cumbersome and inflexible, and thus of limited use for managerial decision making and action.

Ultimately, as we found in several discussions, banks that consider strategic scenario-planning and integrated stress-testing capabilities at the heart of their risk management “engine” also think these capabilities provide a significant competitive advantage, as they feel better positioned to address ongoing threats and capture emerging opportunities.

[3] See also the contribution of the Institute of International Finance and McKinsey & Company to this discussion, in “Risk IT and Operations: Strengthening Capabilities,” June 2011.

RISK APPETITE AND STRATEGY

3. Banks feel their corporate risk appetite is adequately defined, and is adequately considered in enterprise-level decision making.

The vast majority of banks include quantitative metrics in their risk appetite statements. Exhibit 6 shows the metrics that banks use at enterprise level; participants from the Americas make the most comprehensive use of numbers in the risk appetite statement.

Banks differ slightly across geographies in their treatment of qualitative information. Almost all participants from the Americas use qualitative elements such as reputational risk in their risk appetite statement, while only about three quarters of banks elsewhere do. The same pattern shows with respect to differentiating clearly between risks banks are willing or not willing to take. Again participants in Europe and Asia are behind their peers from the Americas.

Exhibit 5: The survey revealed 8 key insights
Risk transparency and insight
1. Banks are increasingly exposed to nontraditional risks, but many do not cover or assess these adequately. Meanwhile, a few long-standing risks continue to pose problems
2. Most banks integrate stress testing to include revenue, cost, and credit loss modeling into strategic decision making
Risk appetite and strategy
3. Banks feel their risk appetite is adequately defined and adequately used in enterprise-level decision making …
4. … even if the parameters of the risk appetite statement are not yet fully cascaded through the organization with actionable KPIs
Risk-enabled decisions and processes
5. Banks perceive that the quality of their risk-related decisions and processes varies, with surprising weaknesses in capital allocation and talent management
Risk organization and governance
6. Functionally aligned Risk functions are perceived to be more effective and efficient
7. Most banks expect to maintain or reduce their Risk function, mainly for cost/efficiency reasons
Risk culture
8. Banks perceive risk responsiveness as the major risk culture challenge
Source: Global ERM Banking Survey 2012/13

Exhibit 6: Banks use a number of metrics on their risk appetite statements
[Chart: usage of various metrics on risk appetite statements by ~ 50 banks surveyed, percent, in two panels: enterprise-level metrics (grouped under solvency, liquidity funding, business mix, and franchise) and credit risk metrics. Source: 2013 McKinsey Global ERM Survey]

4. The risk appetite picture is not so strong, however, when it comes to integrating the risk appetite statement at the “top of the house” with core planning processes. Similarly, most banks say the parameters of the risk appetite statement are not yet fully cascaded through the organization with actionable KPIs.

While most banks cover the key risk categories at the enterprise level, only a few have taken the next step and broken them down for business units, let alone smaller groups (note that some participants chose not to disclose any information here, deeming it a competitive insight). A key challenge also remains the link between the risk appetite and the related return expectations, typically brought together through the planning and budgeting exercise (Exhibit 7). This finding held up across geographies, bank sizes, business models, and regulatory regimes.

Exhibit 8 shows an example of a well-developed risk appetite statement, featuring a range of metrics, and the approach for cascading into the business units.

RISK-ENABLED DECISIONS AND PROCESSES

5. Banks perceive that the quality of their risk-related decisions and processes varies, with surprising weaknesses in capital allocation and talent management.

Traditional areas of risk management, such as credit, market, and liquidity risk management are perceived as high quality. However, on the lower end of the range, banks have questions in two areas: capital allocation, as well as people and performance management.

Capital allocation. Questions include:
▪ How can we optimize risk-weighted assets (RWA) to free up capital while also achieving revenue and profit growth?
ƒƒ Similarly, how can we manage all the various constraints simultaneously (including regula- tory capital requirements, minimum funding and liquidity requirements, and, most recently, a cap on leverage ratio, and best steer the bank? Organizational levels at which risk appetite is utilized Percent Source: Global ERM Banking Survey 2012/13 40 69 82 Sub-BU level BU levelEnterprise level 40 60 82 Desk levelBU levelEnterprise level 4 49 82 Depart- ment BU level Enterprise level 4 27 62 Sub-BU level BU level Enterprise level 18 44 87 Book levelBU level Enterprise level 50 63 88 Desk levelBU levelEnterprise level Liquidity riskBusiness riskOperational risk Counterparty riskMarket riskCredit risk Risk appetite is not yet deployed throughout the bank Exhibit 7 LN9663_Risk management in global banks today_131202HMB_02.indd 16 04.12.2013 16:39:16
▪ How dynamic should our capital allocation process be? How often should we do it, and when? For example, if the retail bank does not utilize its funds, what should be our logic to allocate unused funds to other groups?
▪ How should we account for the diversification benefit: some risks cancel each other out, of course, but which units should receive the benefit?

To solve some of these problems, some leading banks are using a regression-based tool that takes the bank’s current balance sheet and the known constraints and solves for expected profitability.

Exhibit 8: Risk appetite metrics can be customized for BUs and countries (EXAMPLE)
Metric categories: 1. Group level; 2. BU-specific; 3. BU-shared; 4. Policy-specific
Description
▪ Only managed at bank or group level
▪ BUs not able to directly influence or control metric
▪ Only relevant to one specific BU (e.g., wholesale banking)
▪ Group-level appetite is driven by the aggregate risk of several/all BUs
▪ Group-level appetite cascaded through BU policies, which should be consistent and aligned
Example metrics
▪ Financial strength debt rating
▪ Capital ratios
▪ Leverage ratio
▪ Industry concentration
▪ Single name concentration
▪ Market risk/total regulatory capital
▪ Earnings volatility
▪ RWA growth
▪ RWA/total assets
▪ NII at risk
▪ Liquidity buffer/survival horizon
▪ LCR/NSFR
▪ Loan-to-deposit ratio
▪ NPL ratio
▪ Business segment concentration
▪ Operational losses as percentage of revenue
▪ Operational risk
▪ Strategic reputation
▪ Customer satisfaction
Approach to cascading
▪ Not cascadable beyond group level
▪ Group risk appetite statement equivalent to BU risk appetite statement
▪ Group risk appetite statement disaggregated/allocated before cascading to BUs
▪ BUs are responsible for ensuring adherence through policies
Source: McKinsey case example

People and performance management. Here just two questions prevail:
▪ How can we attract the talent we need?
▪ How can we inject a risk mindset into the front line?
A key focus here is attracting and retaining strong talent for the risk function and enhancing the understanding of risk at the front line. So far, banks say they have not devoted enough attention to this area (Exhibit 9). Most banks do not see experience in both Risk and business as a strong prerequisite for an individual’s success. However, at least in the Americas, almost half of the participants say that people transfers take place between Risk and business. In Europe and Asia, these transfers seem much less common. Alternative programs, like short-term rotations, do not seem to play a major role anywhere at this time.

Finding the reasons for this was not a focus of the survey. In our view, several factors might be at play. Despite the institutional benefits of talent transfers, heads of business or Risk are sometimes quite cool on the idea, as they have invested considerable time and effort to train and coach their executives and built trust with them. Some structural differences in compensation continue, and may also play a significant role.

To tackle the challenges of one-way transfers, a handful of banks are trying new ideas. One interesting approach is a staff rotation program, in which mid-career and thus heavily experienced professionals from Risk and other functions spend between six months and a year either in another function or in the business, in exchange for a professional with similar seniority who transfers from business to Risk.
RISK ORGANIZATION AND GOVERNANCE

6. Functionally aligned Risk functions are perceived to be more effective and efficient. An important benefit of the survey was the data collected on the efficiency of the Risk organization. Most participants provided detailed figures on the way their FTEs are aligned to one of two standardized organizational models – divisionally (or regionally), or functionally aligned. As we discuss below, some banks use a matrix system, a hybrid of these two models.

Analyzing the relation between these organizational models and some effectiveness as well as efficiency measures yields interesting results (Exhibit 10). For example, looking at risk culture, one might expect that risk culture would be stronger in a bank with divisionally aligned Risk functions, as these tend to be linked more closely to the business and more involved in daily operations, while a functionally aligned Risk function might foster an attitude in the businesses that “the Risk function takes care of risk management so we don’t need to bother.” One might make a similar argument about risk responsiveness in a functionally aligned Risk function.

However, the survey showed that functional alignment yields better levels of perceived strength on effectiveness and efficiency. Risk culture and responsiveness tend to be higher in functionally aligned Risk groups than in divisional alignments. Functional alignments also seem to be significantly more efficient, as measured by the share of Risk FTEs among all FTEs, and the ratio of Risk FTEs to total assets.

Hybrid Risk functions – in which Risk is “matrixed,” and reports to both divisional and functional heads – seem to ensure stronger ownership of risk by both business and Risk. Key success factors mentioned by participants are clearly defined roles and responsibilities as well as accountabilities.
Organizations in which regional and divisional CROs, together with functional heads, have a “double hat” responsibility are leaner in their management approach, and also have a better ability to withstand challenges than divisionally aligned groups.

[Exhibit 9: Attracting and retaining talent is a challenge. Bar chart of responses (percent) for the Americas, EMEA, and APAC to the question “How common is it for employees to move laterally between BU roles and risk organization roles, and vice versa?” Answer options:
▪ Experience in both Risk and business is perceived as a requirement for a successful executive career
▪ Lateral moves between Risk and business lines are common
▪ High-performing Risk employees may move on to business lines, but lateral moves are uncommon
▪ Short-term rotational programs exist, but permanent moves are uncommon
▪ No lateral movements
Source: Global ERM Banking Survey 2012/13]

7. Most banks expect to maintain or reduce the size of their Risk function, mainly for cost and efficiency reasons. In recent years the banking industry has obviously faced very strong pressure on costs. Despite the growing volume of regulatory change, and even though Risk is an “overhead”
function, more than half of the banks surveyed expect to keep the size of their Risk organization stable in the future, as they seek stability in their costs. Banks also said that, as regulatory expectations rose, they were concerned about efficiency. It seems clear that banks expect to balance the growing demands of regulation with boosts in efficiency. Banks that planned to cut back Risk staff noted that changes in the risk profile were partly responsible.

As noted, the survey has established a baseline of FTE data, on which future editions of the survey will expand. The current survey already provides sound benchmarks of organization sizing and cost.

RISK CULTURE

8. Banks perceive risk responsiveness as the major risk cultural challenge; European institutions in particular were more self-critical across all dimensions of risk culture. Regulators are also increasingly interested in risk culture; for instance, in the United Kingdom, an industrywide diagnostic is underway. The survey asked banks about four elements of risk culture: responsiveness, respect, transparency, and acknowledgement. Across all geographies banks saw the fewest challenges and the greatest strength in “acknowledgement”. Specifically, participants said that there are no real problems with either overconfidence in their risk taking, too little challenge of risks in the organization, or being insufficiently open to bad news.

Responsiveness, however, was cited as a weak spot. This is particularly important given the economic and banking environment currently and in the recent past as well as the necessity to act decisively in the face of existing and emerging risks.
This dimension encompasses both the level of care (or indifference) an organization has with respect to its risks, and also the speed of response between spotting a risk that might harm the bank and taking mitigating actions. A reason for this might be that accountabilities for the appropriate risk responses are still not sufficiently clear; another might be that it takes too long to organize the bank for an effective response, specifically if a multitude of stakeholders like Risk, Compliance, Legal, and businesses need to agree on a coordinated approach.

One way to address this challenge could be to “pre-think” through a set of potential risk response scenarios, explicitly define the expected decisive actions (for example, as “lighthouse” examples) for all stakeholders involved, and engage in and publish test runs that will over time strengthen and reinforce a strong risk culture in Risk and the business.

Exhibit 10: Functionally aligned Risk functions seem more effective and efficient
Effectiveness and efficiency of ERM, survey average [1], by organizational setup. Values are given in the column order listed in the exhibit: Hybrid [2] / Functionally aligned / Divisionally aligned.
Effectiveness
▪ Clarity of roles and responsibilities: 4.9 / 5.0 / 4.4
▪ Strength of risk culture: 4.5 / 4.8 / 4.2
▪ Overall effectiveness of ERM capabilities: 4.4 / 4.5 / 4.3
▪ Level of responsiveness to risks: 4.4 / 4.6 / 4.1
Efficiency [3]
▪ Risk FTE/total FTE (percent): 5.1 / 3.2 / 6.2
▪ Risk FTE/total assets (number/EUR billions): 5.3 / 3.2 / 6.6
Number of banks: 18 / 15 / 11
[1] Average of survey respondents on a scale of 1 to 6
[2] Includes several hybrid structures
[3] Lowest score 0%, highest score 100%
Source: Global ERM Banking Survey 2012/13
IMPLICATIONS FOR BANKS

The financial crisis has exposed major shortcomings in banks’ risk management practices. Many well-established risk management principles have come into question. Regulators, rating agencies, industry associations, and – last but not least – the banks themselves are developing new best practices in risk management, constantly raising the bar for risk management excellence.

One key learning of the crisis was that risk management is not limited to the Risk function. Risk management is an enterprisewide capability that needs to be effectively performed at all institutional levels and across all lines of defense.

Even the new regulations resulting from the crisis hint at a revolution in risk management. Some focus on well-trodden ground, such as capital requirements and the accuracy of banks’ estimates of their risks. Others explicitly address shortfalls identified during the crisis. The Liquidity Coverage Ratio and the Net Stable Funding Ratio put a new and strong focus on liquidity and funding, two resources that were taken for granted before the crisis. The demand to trade derivatives through clearing houses as opposed to OTC is new, as is the explicit formulation of living wills as well as recovery and resolution plans for banks.

Other new regulations go even further, far beyond the traditional areas of risk management; the new European Banking Authority requirements that mandate significant changes to incentive and compensation schemes come to mind. The sweeping nature of the new rules is indicated by banks’ use of the term “Enterprise Risk Management”: survey participants clearly think that risk management is an enterprisewide issue.

All this suggests that many banks will likely need an overhaul of their approach to risk management. Incremental change will not do justice to the rising level of expectations of both market participants and society at large. The Global ERM Banking Survey confirms this.
Banks are not yet where they want to be when it comes to ERM. In fact, a lot remains to be done and, as discussions of the survey results with participants have shown, most have high aspirations.

Given severe constraints on resources and the many other calls on banks’ time and investment budget, banks recognize that it is hardly possible to attain the leading edge in all elements of ERM. Therefore most banks are going down one of two roads:
▪ Targeted high-impact interventions on selected priorities. This is the option of choice if a bank’s ERM is already fairly robust and it has a good understanding of the location of its remaining critical “pain points.” A targeted intervention is also appropriate when external constraints, such as market developments or even a regulatory action, put a special emphasis on a particular area.
▪ Overall ERM transformation program. This is clearly the way to go if the bank’s ERM capabilities generally need to be taken to the next level. A comprehensive ERM transformation also serves as a strong signal to all parts of the bank how seriously it takes risk – and it sends the same message to regulators and supervisors, rating agencies, and customers. Such an overall ERM transformation program usually comprises three steps. First, banks conduct an in-depth diagnostic of the status quo. As a second step, banks can define a target state based on detailed discussions with top management and, if applicable, with the board, followed by definition and prioritization of initiatives. Third, they can design an integrated action program to execute the program of initiatives, with well-defined and closely monitored milestones and in clear reflection of available skills and resources.
Experience shows that a comprehensive ERM transformation yields significant benefits far beyond regulatory compliance:
▪ A clear commitment from top management to the strengthening of risk management across the whole enterprise, including the front office, visible to all major internal and external stakeholders
▪ An honest assessment of the current status of ERM in comparison to external aspirations and market practices
▪ An aspirational target for improvement of the enterprisewide risk management capabilities
▪ Better strategic management of the bank through the influence of an educated and insightful risk-return dialogue on the strategy process
▪ Stronger financial performance in the P&L and balance sheet, as enhanced risk management capabilities lead to better prevention, detection, and response to material risks
▪ In some cases, competitive advantage, as stronger capabilities result in superior risk selection, risk pricing, and active risk management
▪ Improved risk governance that enhances accountability for risks across the enterprise, including the board
▪ Improved relationships with external stakeholders such as regulators and rating agencies; higher degrees of trust and confidence in the bank on the part of its customers.

Authors: Hans Helbekkmo is an expert principal from McKinsey’s San Francisco office; Alok Kshirsagar is a director in McKinsey’s Mumbai office; Andreas Schlosser is an engagement manager from the Munich office; Francesco Selandari is a principal from the McKinsey office in Milan; Uwe Stegemann is a director in the Cologne office, and Joyce Vorholt is an associate principal from the Düsseldorf office.

The authors gratefully acknowledge the collaboration with the Risk Management Association on the Global ERM Banking Survey 2012/13 as well as the contributions of our colleagues Luigi Fierro, Daniela Gius, Alexander Gräwert, Julia Graf, Pankaj Narang, Luca Pancaldi, Mridu Singh, Derek Waldron, and Alex Wolff to this paper, as well as the editorial support of Mark Staples.
