Successfully reported this slideshow.

Dtt Fsi Global Risk Management Survey Fifth Edition


Published on

FSI Global Risk Management

  • Be the first to comment

  • Be the first to like this

Dtt Fsi Global Risk Management Survey Fifth Edition

  1. 1. Global Risk Management Survey: Fifth Edition Accelerating Risk Management PracticesFinancial ServicesGlobal RiskManagement Survey:Fifth EditionAccelerating Risk Management Practices
  2. 2. Global Risk Management Survey: Fifth Edition Accelerating Risk Management PracticesGlobal Risk Management Survey:Fifth EditionAccelerating Risk Management PracticesDear Colleague:We are pleased to present Deloitte Touche LLP’s Global Risk Management Survey: Fifth Edition – Accelerating RiskManagement Practices. The current survey, as in previous editions, is designed to provide an in-depth analysis of the full range ofcritical risk management issues facing financial institutions today. We believe it represents one of the most comprehensive effortsof its type conducted in the industry.The tremendous response to this year’s survey – from 130 global financial institutions with assets totaling nearly $21 trillion– continues to underscore the substantial global interest in the topic of risk management. Industry executives face the challengeof managing risk in a dynamic business environment that includes a growing range of financial products that bring new andmore complex risks.We would like to extend our appreciation to all of the participating companies for their time. We would also like to thank ourglobal financial services practitioners for their assistance with, and contributions to, this survey.On behalf of our firm, we sincerely hope this report provides you with thought-provoking information that you can use to betterunderstand the industry’s approaches in managing the critical risks of financial institutions and in benchmarking to enhance yourrisk management practices.Sincerely yours,Owen Ryan Edward HidaManaging Partner Partner, Risk Advisory Service Line LeaderCapital Markets Capital MarketsDeloitte Touche LLP Deloitte Touche LLP
  3. 3. Global Risk Management Survey: Fifth Edition Accelerating Risk Management PracticesTable of ContentsExecutive Summary 3Introduction 5Achieving a Strategic View of Risk 8Addressing the Full Range of Risks 0Enterprise Risk Management – A Work in Progress Looking Toward Basel II 5Addressing Key Risks 7Risk Systems and Technology Infrastructure The Road Ahead 3
  4. 4. Global Risk Management Survey: Fifth Edition Accelerating Risk Management PracticesExecutive SummaryIn an ever more complex and volatile business environment, risk management has continued to growin importance in the financial services industry. Roughly three-quarters of institutions now treat it asa board-level oversight responsibility and more than four out of five have a Chief Risk Officer (CRO),both increases from prior years. Institutions have made a fair amount of progress in enhancing riskmanagement capabilities, especially in traditional areas such as market, credit and liquidity risk.Although progress has been real, considerable work stillremains to be done. Most institutions have not yet createdeffective processes and systems to measure and manage lesstraditional risks, such as operational, strategic or geopoliticalrisk. And while institutions that have implemented enterpriserisk management (ERM) programs find that they havegenerated significant value, the fact remains that only aboutone-third have an ERM program in place.These are some of the most important findings of the fifthedition of our Global Risk Management Survey. The surveygathered responses from 130 financial institutions aroundthe world, with an aggregate of almost $21 trillion in assets.As in previous editions, the most recent survey looked atsuch issues as governance of risk management, ERM, Basel IIimplementation and readiness, managing risks in the extendedenterprise and how institutions are addressing individual riskssuch as credit, market and operational risk.While all companies face risks, effective risk management isespecially critical for financial institutions. As custodians ofcustomer assets, and pillars of the world’s financial system,financial institutions are held to the highest standards both bycustomers and regulators.It is clear that the financial services industry faces an increasing The key findings of the survey include the following:range of risks. Institutions have to keep up with ongoing • At 70% of the institutions participating in the survey,regulatory change and scrutiny – from Basel II to Sarbanes- oversight responsibility for risk management lies at theOxley to anti-money laundering – and meet demands for very top of the organization, with the board of directorsstrong governance and enhanced transparency. They must – an increase from the 59% reported in 2004 and 57% inbe constantly vigilant to protect data privacy and prevent security breaches. They must keep pace with the • An indication of the accepted role of the CRO in theexplosive growth of alternative investment vehicles, such as industry is that 84% of institutions now have a CRO incredit derivatives, energy products and private equity. These place, up slightly from 81% in the 2004 survey and 65%investments pose a variety of risks, including the difficulty of in 2002, while another 8% said they plan to establish thisvaluation for illiquid instruments. They must be ready for a position. The CRO typically reports at the highest levels,range of potential disasters – either man-made or natural. to the CEO at 42% of the institutions and to the board atThe list goes on. 37%. • Executives were most likely to rate risk managementThe survey showed an industry that is alert to this growing at their institutions as extremely or very effective forrange of risks, but identified a number of important areas traditional risk areas – 80% for market risk, 80% forwhere additional investment and management attention is credit risk and 73% for liquidity risk. In contrast, only 47%needed. It also highlighted some of the basic approaches firms considered their institution extremely or very effectiveare taking, areas where they have improved risk management in managing risks associated with business continuity/ITcapabilities, and areas where they are still struggling to get a security, 43% each for operational and vendor risk andgood handle on risk issues and processes. 35% for geopolitical risk. 3
  5. 5. Global Risk Management Survey: Fifth EditionAccelerating Risk Management Practices • Only 35% of executives reported that their institutions • Collateral and guarantees continue to be the most have already implemented an ERM program. However, extensively used risk mitigation methods to provide 32% said they are in the process of establishing one and support to credit facilities. 18% said they are planning to create one. • In the area of operational risk, about one-fourth of • Where ERM programs have been created, they have executives said their operational risk management yielded benefits – roughly three-quarters of executives systems were very capable in terms of reporting and data from companies with ERM initiatives said the total value gathering, and more than two-thirds said they were at of their programs had exceeded the costs. However, least somewhat capable in those areas. Lagging behind this assessment of value is only qualitative – only 4% of were exposure calculations and scenario model building. executives said their institutions quantify the benefits of their ERM programs. Effective risk management is fundamental to success in • More than 70% of executives reported that their firms had the financial services industry, and a basic expectation of established formal enterprise-wide programs to implement shareholders, regulators and customers. In a challenging Basel II. At the same time, many institutions still have and changing risk environment, however, the bar on what significant work to do in reaching key Basel II qualification constitutes effective risk management is constantly being standards, especially in the areas of validation and testing, raised. As this survey shows, most institutions have an use test requirements, analytics and calibration and use unfinished agenda when it comes to the development of of the Advanced Measurement Approach (AMA) for sophisticated risk management capabilities, enabling an modeling operational risk under Pillar I. integrated, enterprise-wide approach to managing the varied and dynamic risks they face. Financial institutions that can • Although more than 60% of executives reported that understand risk holistically – managing the full range of risks their institutions used Value at Risk (VaR) extensively for they confront – can strategically use risk-taking as a means to fixed income, foreign exchange and equity, less than strengthen their competitive position and create value. one-third said it was used extensively for a range of other instruments including asset-backed securities, structured products, credit derivatives and energy products. • Only 42% of institutions reported using stress testing extensively as a tool to understand their risk profile, although an additional 34% used it somewhat. 4
  6. 6. Global Risk Management Survey: Fifth Edition Accelerating Risk Management PracticesIntroductionOur Global Risk Management Survey: Fifth Edition provides a snapshot of where the global financial servicesindustry stands in the evolution of risk management and the work that remains to be accomplished.The survey addresses the key issues facing financial institutions, and many of the questions used inprior editions of the risk management survey series were retained in order to allow comparisons of howrisk management approaches are evolving. In addition, some questions were added to address newdevelopments and provide insight on risk practices from a strategic point-of-view.As in prior editions, the current survey allows executives tobenchmark their risk management practices against thoseused by other financial institutions, which can help executivesidentify practices and approaches that may improve theeffectiveness and performance of their own risk managementprograms.The survey garnered responses from financial institutionsacross a variety of regions around the world, including NorthAmerica, South America, Asia-Pacific and Europe. (See thesidebar, “About the Survey.”)Financial institutions are in the business of managing risk,but doing so has become a great deal more complicated inrecent years. Institutions now confront a proliferation of morecomplex products, more volatile markets, increased regulatoryscrutiny and external threats that include pandemics,data security breaches, identity theft and terrorism. Keydevelopments that have made effective risk management more  lternative A investments. The rapid expansion inimportant, and also more complex, include the following: both the number of hedge funds and private equity  egulatory R compliance. Complex and changing firms, which are largely unregulated, and the increase regulations are a growing burden, and non-compliance in assets under management, have increased risk for can bring large financial penalties and damage to financial institutions that do business with them as clients institutions’ reputations. Financial institutions are facing or counterparties. In addition, many major financial a variety of more stringent regulations including risk institutions have taken on additional risk by creating their management requirements from Basel II, the EU’s Markets own hedge funds and private equity funds. in Financial Instruments Directive (MiFID) and Sarbanes-  redit C derivatives. Regulators have expressed concern Oxley (for institutions listed on U.S. securities exchanges), over dramatic increases in the use of credit derivatives, as well as stricter anti-money laundering requirements in including credit default swaps, and some observers see many jurisdictions. them as a source of significant systemic risk. Driven by  ergers M and acquisitions. Consolidation among financial regulatory concerns, the industry has invested significantly institutions, especially cross-border deals in Europe and in improving its capabilities to process and document elsewhere, has been on the rise. The task of integrating credit derivatives trades. technology systems, business processes and corporate Energy  markets. Energy prices have been more volatile, cultures significantly increases both strategic risk and the which increases the risk associated with many investments complexity of risk management during the transition. across the world’s economy. What’s more, some banks and securities firms are now entering or increasing their global energy trading and buying energy firms that have physical assets, contracts and operational capabilities that compound the risk exposure for these institutions. 5
  7. 7. Global Risk Management Survey: Fifth EditionAccelerating Risk Management Practices Expansion  in emerging markets. Leading financial working to manage all types of risk in a holistic fashion, institutions are locating or investing in operations in and use risk to create value. Institutions that successfully emerging markets – such as Brazil, Russia, India and China achieve this level of risk capability will be able to manage – to take advantage of their enormous business potential. risk proactively and with greater precision. What’s more, But with these opportunities come an array of additional they will be in a better position to understand the balance of risks in each country that must be managed effectively. risks and rewards as they formulate strategy and pursue new opportunities.  eopolitical G concerns. The threat of terrorism has risen significantly since 2001. In addition, political instability in The fifth edition of our survey assessed the progress of a number of countries in the Middle East and the growing financial institutions in achieving a comprehensive and assertiveness of major energy producing nations – such as sophisticated approach to risk management. The most Venezuela, Russia and Iran – have the potential to disrupt important findings of the survey are described in the operations and markets. remainder of this report organized around the following areas:  atural N disasters and epidemics. While these have always been a concern, in an increasingly interconnected • Achieving a Strategic View of Risk world, events in one place can have a huge impact on • Addressing the Full Range of Risks business on the other side of the globe. Institutions have to consider potential natural disasters such as a bird flu • Enterprise Risk Management – A Work in Progress pandemic, hurricanes and earthquakes. • Looking Toward Basel II • Addressing Key Risks In response, most financial institutions participating in the – Credit Risk survey appropriately treat risk management as a board- – Market Risk level responsibility. Despite the high priority accorded risk – Operational Risk management, however, most institutions do not yet effectively – Valuation Risk manage the full range of risks, and have not yet created an – Extended Enterprise Risk ERM program to achieve a comprehensive approach to risk • Risk Systems and Technology Infrastructure management. • The Road Ahead The current survey makes clear that many institutions still have much to accomplish before they can achieve an integrated, enterprise-wide approach to managing the varied and dynamic risks they face. As these capabilities emerge, it is becoming possible – and ultimately, necessary – to take risk management to new levels. We have noted that some institutions are 6
  8. 8. Global Risk Management Survey: Fifth Edition Accelerating Risk Management Practices Exhibit 1About the Survey Participants by Primary BusinessThe Global Risk Management Survey: Fifth 3% 2% 1% 4%Edition is our most recent examination of the 5%state of risk management in the global financial Commercial bankservices industry. We solicited the participation Integrated financial organization 10% Retail bankof CROs or their equivalent at financial services Other (*) 45%firms around the world. Respondents included Government-related finance company Investment bankglobal, regional and local institutions. Investment management firm 12% Insurance company Bancassurance companyInstitutions participating in the survey, whichwas conducted online during the latter part 18%of 2006, were primarily commercial and retailbanks and diversified financial institutions. Some graphs do not total 100% due to rounding(See Exhibit 1.) Participants also came from (*) Other Development Bank Broad financial services company -- residential mortgage lending, retail banking, insurance, title, and more Retail bank, insurance broker, Western Union agent, financial Mutual Fundinstitutions headquarters in a variety of advisor Both retail and investment bank Real Estate Global Custody Bankgeographic areas around the globe. Holding company Stock and derivatives exchange 50% Retail / 50% Commercial Bank Payment network Real Estate Investment Trust Savings and loan bank, that finances the building, renovations,(See Exhibit 2.) The institutions participating etc. purposes exclusively of its own retail customers onlytended to be global in nature, with nearly two-thirds having operations in multiple countries. Exhibit 2 Participants by Headquarters LocationThe institutions participating in the survey had 5%total assets of almost $21 trillion, up from a 10%total of nearly $19 trillion in the 2004 survey. 38%The institutions had a range of asset sizes, Asia Pacificfrom smaller, regional institutions to some of South Americathe largest in the world. (See Exhibit 3.) In Europe 22% Other (*)particular, 24% of the institutions participating North Americain the survey had assets greater than $100billion. In comparison to the 2004 survey,the average asset size of the institutionsparticipating in the survey increased 38%. 25% (*) Other includes Middle East, Africa and Central America Exhibit 3 Participants By Asset Size 7% 24% 18% Greater than $100 billion $10 - $100 billion $1 - $10 billion Less than $ 1 billion 51% Some graphs do not total 100% due to rounding 7
  9. 9. Global Risk Management Survey: Fifth EditionAccelerating Risk Management Practices Achieving a Strategic View of Risk With the increasing variety of risks – and the potentially huge negative impact they can have in terms of both financial and reputational loss – risk management has become an ever higher priority for financial institutions. The survey found that this trend is continuing – 70% of the executives surveyed said that ultimate responsibility for risk management lies at the very top of the organization with the board of directors. That compares to 59% in the 004 survey and 57% in the 00 survey. In addition, 60% of executives in the current survey said In terms of how the risk management function is organized, the board takes at least a “somewhat active” role in risk institutions took a variety of approaches. Forty-four percent management, including 18% calling the board’s role “very of executives said their institutions had taken a centralized active.” Understandably, board risk management committees approach, and 35% said they used a decentralized approach played even more active roles, with 76% of executives – 16% saying they were organized by risk type, 14% by describing them as at least somewhat active and 32% business unit and 5% by region. (See Exhibit 5.) The remaining describing them as very active. (See Exhibit 4.) 21% of executives reported using a mix of a centralized and decentralized approach. The growing strategic importance of risk management is underscored by the continuing rise of the position of the CRO, Exhibit 5 as institutions work to move away from siloed approaches and Risk Oversight Approach integrate the management of diverse types of risk. The CRO position has become an accepted and key role in financial 21% institutions – 84% of executives reported that their companies have a CRO or equivalent position – up slightly from 81% Centralized in the 2004 survey and substantially from 65% in the 2002 Decentralized - Business-unit level 44% survey – while another 8% said they plan to create one. A combination of centralized and decentralized Decentralized - Regional level 16% CROs appear to genuinely have the backing and buy-in of Decentralized - Risk-type level senior management, with 42% reporting directly to the CEO and 37% reporting to the board or a board committee. 14% 5% And most CROs have regular access to the board and senior management. Forty-four percent of executives said their CRO Some graphs do not total 100% due to rounding meets with the board at least quarterly, and 33% said they met at least monthly. The CROs’ interaction with the CEO appears to be even closer, with 40% of executives saying the CRO meets with the chief executive at least weekly, and 8% citing daily meetings. Exhibit 4 Risk as Board Responsibility 100% 90% 80% 70% 70% 59% 60% 57% 50% 40% 30% 20% 10% 0% 2002 2004 2006 Some graphs do not total 100% due to rounding 8
  10. 10. Global Risk Management Survey: Fifth Edition Accelerating Risk Management PracticesEach approach has its advantages and disadvantages.A centralized approach offers the potential to achieve acommon risk management vision across the institution, Regional Perspective: Responsibility forfaster implementation once decisions have been made, and Risk Managementeconomies of scale. Yet, centralized risk management canface slower decision-making, difficulties in capturing data and While roughly three-quarters of institutionsreporting on a consistent basis and the potential to overlook saw risk management as the responsibility ofrisks in specific products, functions or customers. the board of directors, this was most commonOn the other hand, a decentralized approach can offer among institutions in Asia-Pacific, cited bygreater understanding of the risks in specific aspects of the about eight out of 10 respondents. In Europe,business and the ability to respond flexibly to these risks. Yet, North America and South America, that figurea purely decentralized approach may lead to inconsistent risk dropped to six out of 10. About one-third ofpolicies, strategies and reporting and create the potential that executives form South American institutionsconsolidated risks may be missed. Some institutions employ a said the primary responsibility lay with thehybrid approach in an attempt to capture the best elements of CRO, whereas 19% named the CRO in Europeeach approach. and North America, and only 4% did in Asia Pacific.In our experience, there is no one approach that is appropriatefor all institutions. The key issue is that the organizationof the risk management function should be tailored to theinstitution’s governance approach, organizational structure,size and overall operating philosophy. 9
  11. 11. Global Risk Management Survey: Fifth EditionAccelerating Risk Management Practices Addressing the Full Range of Risks A critical challenge facing risk management is achieving a comprehensive view of all the varied risks a financial institution faces, yet many institutions have much more to accomplish in this regard. While some institutions seem to take a broad view of managing the full range of risks, others appear to still be primarily focused on the traditional areas of market, credit and liquidity risk. When executives were asked about the likelihood of specific Although executives acknowledged their institutions faced risks, they felt their institutions were at least somewhat a wide range of risks, executives were less likely to report likely to be affected by credit (80%), operational (71%), that their institutions were effective in managing the less market (65%) and business continuity/IT security (60%) risks. traditional risks. Fully 80% of executives said their institutions In addition, areas such as liquidity, reputation, strategic, were extremely or very effective in managing market risk and regulatory/compliance, litigation, privacy and hazard/insurable credit risk, and 73% said the same about liquidity risk. (See risk were each cited by a third or more of the executives as at Exhibit 7.) least somewhat likely. (See Exhibit 6.) In contrast, only 47% of executives rated their institution as Some aspects of traditional risks are spurring additional focus. extremely or very effective in managing risks associated with For example, institutions are examining their liquidity risk due business continuity/IT security, 43% for operational or vendor to what some call “crowded trades” and the related modeling risk and 35% for geopolitical risk. With an increasing variety of liquidity risk for their positions subject to this type of risk. of potential severe risks, many financial institutions will need to broaden their risk management horizons. An example of another emerging risk that is increasing in industry and regulatory attention, in our experience, is Exhibit 7 model risk, which results from an institution’s dependence Risk Management Effectiveness on models. Institutions are analyzing what are the key model Market 26% 54% 19% 1% assumptions, who made them, whether they have been Liquidity 25% 48% 25% 2% independently tested and how these models interact in Credit 23% 57% 18% 2% reporting and decision making, among other issues. This is a Budgeting/ Financial 17% 40% 36% 7% 2% topic demanding increased scrutiny. Regulatory / Compliance 15% 45% 37% 3% Priv acy 14% 43% 36% 7%1% Exhibit 6 Strategic 13% 30% 43% 12% 2% Reputation 13% 33% 47% 7% Risk Likelihood Litigation 12% 40% 42% 7% Credit 12% 27% 41% 17% 3% Geopolitical 11% 24% 47% 12% 6% Business Market 10% 21% 34% 30% 6% continuity 10% 37% 46% 7% Operational /IT security 9% 19% 43% 28% 1% Operational 10% 33% 47% 10% Liquidity 3% 11% 26% 50% 10% Vendor 7% 36% 43% 13% 2% Reputation 2% 14% 26% 55% 3% Hazard or 6% 35% 43% 15% 1% Business insurable continuity / 2% 15% 43% 38% 2% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% IT security Ex tremely effective Very effective Somew hat effective Not v ery effective Not at all effective Geopolitical 2% 2% 24% 52% 20% Some graphs do not total 100% due to rounding Strategic 2% 10% 35% 49% 4% Regulatory / compliance 2% 15% 32% 46% 6% Litigation 1% 8% 32% 51% 7% Priv acy 1% 6% 28% 51% 15% Vendor 6% 25% 55% 15% Hazard or insurable 5% 34% 48% 13% Budgeting/ 19% Financial 5% 65% 11% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Ex tremely likely Very likely Somew hat likely Not v ery likely Not at all likely Some graphs do not total 100% due to rounding 0
  12. 12. Global Risk Management Survey: Fifth Edition Accelerating Risk Management PracticesEnterprise Risk Management –A Work in ProgressEnterprise risk management (ERM) continues to command a great deal of attention in the financialservices industry. The appeal is clear: ERM aims to bring holistic, organization-wide and standardized riskmanagement processes to financial institutions and provide them with an integrated view of the rangeof risks they face. The goal is to have consistent reporting of information across the enterprise, perhapsthrough a risk dashboard that provides relevant information for individuals in varying roles throughoutthe organization based on standardized information.Despite its appeal, however, ERM implementation is still To begin to understand risk exposures, the riskfairly limited. Only 35% of executives surveyed reported that function starts conducting risk assessments andtheir institution has an ERM program in place, although an looking at quantitative risk measurement tools, whereadditional 32% said they are establishing an ERM program, available. Typically, the most challenging work thenand 18% said they are planning to create one. (See Exhibit begins – attempting to roll out the risk framework to8.) On the other hand, executives at institutions that have or business units, consolidate risk exposures across theare creating ERM programs are increasing their investment organization and build risk management approaches– roughly three-quarters said they had increased investment into everyday business decision making and strategicin their ERM effort over the past 24 months, and a similar planning. This is a simplified description that providespercentage expect increased spending over the next 24 an overview of some of the common steps tomonths. (See Exhibit 9.) developing and implementing an ERM program.There are many steps to implementing an ERM program, and Exhibit 8in our experience each ERM program needs to be tailored to Integrated, Enterprise-Wide Risk Management Programthe institution. Often, organizations begin by establishing their or Equivalentobjectives for ERM, which may lead to developing an ERM 15%framework and ERM policy. Many institutions then developERM governance structures such as a risk committee, CRO 35%position and business-unit risk champions. Yes, program in place No, but plan to create one 18% Yes, currently implementing one No, and do not plan to create one Regional Perspective: Risk Management Expenditures 32% Across regions, more than two-thirds of the executives reported increases in risk management expenditures over the last 24 Some graphs do not total 100% due to rounding months. However, in looking ahead, there were significant differences from region to region. Exhibit 9 In South America, about half the executives foresaw substantial increases in expenditures Expenditures on Risk Management - Summary of Responses in the coming 24 months, while 30% in North Nex t 24 months 26% 48% 23% 1% 2% America expected substantial increases and only 19% each in Europe and in Asia Pacific. Past 24 months 36% 42% 20% 3% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Substantial increase Some increase About the same Some decrease Substantial decrease Some graphs do not total 100% due to rounding
  13. 13. Global Risk Management Survey: Fifth EditionAccelerating Risk Management Practices Most institutions are also creating formal statements of their Exhibit 11 risk appetite. Among executives at institutions with an ERM Most Common Risk Types Included in ERM Programs program, roughly two-thirds said they had created a formal, enterprise-level statement of their risk appetite that is either Market 89% Operational 89% quantitatively or qualitatively defined and then approved. (See Credit 88% Exhibit 10.) This highlights the continued and deep interest Liquidity 68% in ERM in the industry since such risk statements, which can Regulatory/compliance 65% be difficult to create, provide a conceptual foundation for an IT security 63% enterprise-wide approach to risk management. Business continuity 58% Legal/litigation 46% 41% A formal, approved statement of risk appetite is a key guiding Hazard or insurable risks Reputation 40% document for an ERM program. It conveys the level of risk 37% Strategic that the institution is willing to take and therefore guides Priv acy 32% decision-making by the institution’s business management. Geopolitical 19% Institutions generally take different approaches in defining risk Other(*) 3% appetite, from those based on quantitative metrics identified 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% as appropriate to their business to more qualitative statements Note: Respondents could make multiple selections. Results are scaled by the number of organizations that are imple- disclosure, physical security, natural disaster, political/govt. affairs, modeling, compliance/regulatory, governance, loss payment exposure menting or have implemented ERM (or similar) programs (all operational in nature); collateral, counterparty, credit portfolio, about relative risk taking. (*) Other include: IT Security, Business Continuity, Hazard or Insurable Risks, Privacy is captured in the definition of operational risk. internal credit rating system/reserve methodology, off-balance sheet exposure (all credit in nature); interest rate, equity price, liquidity, Global foreign exchange (all market in nature). All credit, market and Also: HR, vendor, custody of assets, accounting and financial public operational risks enterprise wide. Exhibit 10 Enterprise Level Statement of the Firms Risk Appetite At many institutions, ERM is not well integrated across the enterprise. Only about one-third of executives reported that 16% 23% risk management processes were well-integrated at the data No, we do not have a statement of our firms risk appetite and system levels, and only one-fifth said they were well- 6% We are currently defining or seeking integrated in terms of methodologies. Less than one in 10 approval for our risk appetite reported well-integrated processes at the organization level. We have an informally defined or not approved statement of risk appetite Overall, it is clear that additional effort is needed to drive more Yes, our risk appetite is qualitatively defined and approved 14% 12% extensive integration of risk management processes across the Yes, our risk appetite is quantitatively defined organization. and approved Yes, our risk appetite is both quantitatively AND qualitatively defined and approved 29% ERM is often not integrated with other key related programs, including other risk management initiatives. For example, less Some graphs do not total 100% due to rounding than half the institutions had integrated ERM with IT risk or strategic planning, and only about one-third had integrated it with budgeting or project management risk. (See Exhibit 12.) In terms of regulatory efforts, just 32% of executives said Infusing Risk Management ERM and Basel II activities were well integrated, and 13% said Across the Business the same of ERM and Sarbanes-Oxley or similar regulatory The survey highlighted some clear areas of opportunity in regimes. ERM implementation. While roughly 90% of institutions have Exhibit 12 included market, credit and operational risk under the ERM Integration of ERM Programs with Other Management Initiatives program, only 63% say IT security is covered by ERM and 58% say business continuity is. Even fewer institutions covered such IT risk 46% risks as strategic, privacy or geopolitical. (See Exhibit 11.) Strategic planning 42% Budgeting 37% ERM can provide substantial benefits such as including Project management risk 36% awareness and reporting of the institution’s complete risk Vendor risk 23% exposures and consideration of risk offsets in its total capital Project business case modeling and evaluation 23% requirements. To gain these full benefits, however, many Other(*) 5% institutions will need to continue to broaden the scope of their 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% ERM programs to include the full range of risks they face. Note: Respondents could make multiple selections. Asset Liability Management, Pricing New Products/services, policy Results are scaled by the number of organizations that are imple- development, risk management program development. menting or have implemented ERM (or similar) programs. Balanced scorecards, executive and manager individual performance (*) Other include: Information Management, Physical Security, Out scorecards, new business interactive evaluation and approval. sourcing, Business Continuity Management Investment Management,
  14. 14. Global Risk Management Survey: Fifth Edition Accelerating Risk Management PracticesERM Challenges Exhibit 14Why has progress with ERM been slower than one might Comparison of ERM Program Value and Cost - Summary of Responsesexpect? For one thing, ERM is still an evolving discipline,and the way forward may not always be clear. Often, many Total Value 49% 26% 16% 7% 2%also have to overcome the legacy of siloed risk managementprocesses. In terms of IT, no single solution supporting the Quantifiable Value 22% 47% 13% 10% 8%full range of ERM capabilities has emerged, and there is 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%the challenge of integrating disparate sources of relevant Much greater than the costs Somew hat greater than the costsdata. Many organizations have found it difficult to create About the same as the costs Somew hat less than the costsa solid business case for ERM, in part due to the difficulties Much less than the costsof quantifying the full range of its benefits. Finally, some Some graphs do not total 100% due to roundingorganizations have found ERM difficult to implementmeaningfully in a timeframe that keeps business units Exhibit 15engaged and avoids institutional burnout. ERM Program ValueWhen asked to rate the significance of a range of potential Improv ed understanding of risks and controls 52% 41% 4% 3%challenges to implementing ERM, issues surrounding data, Improv ed regulator perception 44% 43% 9% 3%culture and tools/supporting technology systems were rated Reduction in losses due to risk ev ents 35% 47% 15% 3% Improv ed ratingmost often as very significant. (See Exhibit 13.) An example of agency perception 33% 51% 9% 7% Improv edanother emerging ERM challenge is the need to consolidate earnings quality 27% 48% 20% 5% Improv ement in reputation andrisk reporting through risk dashboards. One important transparency for shareholders 24% 51% 20% 5% Improv ednote: the slow uptake of ERM should be viewed against risk-adjusted returns 24% 41% 29% 6% Low er requirement 21%the backdrop of the industry’s long history of proactive, for economic capital 41% 26% 1% 1 Reduction in 3% 22% 43% 32%sophisticated risk management activities, which are typically insurance premiums Other (*) 6% 38% 3% 53%much more advanced than those found in many other 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%industries. This may lessen the sense of urgency around ERM Significant value Moderate value Minimal value No valueimplementation. Some graphs do not total 100% due to rounding Excludes “Do not have an ERM Program” answers System Development (*) Other includes: Identify value adding businesses Greater confidence around the management of Equivalent interpreted as groupwide riskExhibit 13 risk at Board and Risk Committee levels management capability across key risk disciplines Significance of ERM Implementation Challenges Data 61% 33% 6% The perception that ERM is helping firms achieve significant Culture 51% 30% 14% 5% value is consistent with our experience, which shows that ERM Tools supporting 42% 46% 12% can benefit organizations on several fronts. However, actually technology sy stems Human resources 30% 37% 25% 7% quantifying the benefits of ERM can be difficult – a reality policies and practices Organizational structure 29% 54% 16% 1% reflected in the fact that only 13% of executives said that their firms quantify ERM costs and just 4% said they quantify ERM Risk methodology 29% 48% 19% 4% value. This is clearly an area where improvement is in order. Other (*) 20% 24% 40% 16% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Very significant Somewhat significant Not very significant Not at all significant As financial services firms work to gain a clearer Some graphs do not total 100% due to rounding understanding of the value of ERM, they need to look to(*) Other includes:Keeping the effort free from clutter and unnecessary detail. an overall organisation level. Team to develop the Plan quantify its costs and benefits. In that effort, they shouldSystems that control all the risks/data Acceptance for ChangeControlsWe don’t have an resistance to formalising an ERM program. Vendor selection Numerous competing factors, budgets, skill sets, IT changes. consider the full range of tangible and intangible benefits,Its more that we are a relatively small organisation and havenot devoted the resources to it. We tend to actively manageour risks on an ongoing basis and we do have an annual Tone at the top Equivalent interpreted as groupwide risk management capability across key risk disciplines which can include everything from reducing the costs ofCorporate Governance sessions with the Board of Directors.We have risk policies outlined at a business-unit level but not at Long-term strategy regulatory compliance to enabling individuals to think beyond their immediate areas of responsibility to focus on “points of intersection” between risk types. Costs are often directlyGenerating Value measurable through the specific costs of the ERM function, but also include related costs through supporting activities byAmong the institutions that have implemented ERM, most other functions and business units.have found the effort worthwhile. Three-quarters of theexecutives from companies with ERM initiatives said that thetotal value of their program exceeded its costs. (See Exhibit14.) In terms of the kind of value ERM has brought, executivesmost often cited “improved understanding of risks,”“improved regulator perception,” “reduction in losses due torisk events,” “improvements in rating agency perception,”“earnings quality and reputation” and “transparency forshareholders.” (See Exhibit 15.) 3
  15. 15. Global Risk Management Survey: Fifth EditionAccelerating Risk Management Practices Exhibit 16 Regional Perspective: ERM Comparison of ERM Program Value and Cost - by Region When it comes to the value institutions have been Total v alue 32% 44% 15% 6% 3% Asia Pacific generating from their ERM investments, there Quantifiable 15% 45% 24% 12% 3% v alue was considerable regional variation. Nine out of 10 South American respondents, for example, said Total v alue 63% 21% 5% 11% Europe that the value their organizations had achieved Quantifiable 33% 44% 11% 11% v alue from their ERM investments had been much North America greater than the costs. North America respondents Total v alue 41% 18% 32% 5% 5% were on the other end of the spectrum, with Quantifiable 9% 55% 9% 14% 14% v alue just 41% saying their achieved value was much greater than costs. (See Exhibit 16.) Across all South America Total v alue 90% 10% regions, fewer respondents said they had seen Quantifiable 44% 44% 11% v alue substantial quantifiable value – due presumably 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% to the fact that the actual quantification of ERM Much greater than the costs Somew hat greater than the costs costs and value is challenging and still fairly About the same as the costs Somew hat less than the costs limited in the industry. This remains an area for Much less than the costs future work by the industry. Some graphs do not total 100% due to rounding In addition, our regional comparisons showed a range of differences across risk areas. When executives were asked which risk areas were included in their ERM programs, institutions in North America were more likely to include a range of less traditional risks. For example, regulatory compliance was reported as being included in ERM by 62% of North American institutions and 45% of European institutions, but only 29% of those in South America and 23% of those in Asia Pacific. IT security was included in ERM by 71% of the institutions in North America but much less often in Europe (41%), Asia (28%), or South America (29%). Other areas that were more likely to be included in ERM programs in North America than in other regions were business continuity, legal/litigation, hazard/ insurable risks, reputation, privacy and strategic risks. In terms of which other areas of the company are integrated with ERM, regional differences were evident in IT risk and strategic planning – areas where North American institutions were more likely to report less integration and European institutions to report greater integration. South American institutions led significantly in the integration of budgeting (86%), while Asia Pacific trailed in that area (18%). In both North and South America, 43% of respondents said project management was integrated with ERM, while just 13% of Asia Pacific executives said so. And 48% of North American executives cited vendor risk, compared to just 15% from Asia Pacific and 9% from Europe. 4
  16. 16. Global Risk Management Survey: Fifth Edition Accelerating Risk Management PracticesLooking Toward Basel IIFinancial institutions have been preparing for Basel II, which calls for enhanced risk measurementapproaches for credit, market and operational risk, and for allocating adequate capital in light of aninstitution’s risk profile. More than 70% of executives reported that their firms have established a formalenterprise-wide program to implement Basel II. Most institutions are taking a centralized approach toBasel II. Three-quarters of institutions reported that their Basel II effort was either mostly or somewhatcentralized, while 0% used a mix of a centralized and a decentralized approach.The increased focus on operational risk is a distinctive Exhibit 17feature of Basel II. When executives were asked about which Basel II - Operational Risk Approachoperational risk approach their institution was adopting tomeet Basel II requirements, the Standardized Approach was Adv anced Measurement Approach (AMA) 14% 47%most popular, cited by 44% of executives, followed by 41%naming the Basic Indicator Approach. (See Exhibit 17.) Alternativ e Standardized Approach (ASA) 7% 14%Neither of these approaches is currently planned to be Standardized 44% 19%available to U.S. institutions, where Basel II will be limitedinitially in most cases only to the largest bank holding Basic indicator 41% 2%companies with assets above $250 billion, for which theAdvanced Measurement Approach (AMA) for operational 0% 10% 20% 30% 40% 50% 60% 70%risk and Advanced Internal Ratings Based (AIRB) approach for Implement by initial implementation deadlinecredit risk will be required. Implement in the long run Some graphs do not total 100% due to roundingThe more sophisticated approaches available under Basel II Note: Respondents could make multiple selectionsprovide regulatory capital calculations that more accuratelyreflect an institution’s actual risk profile, and can result inlower required capital. European regulators have tended to less likely to do so for reputation, privacy and legal risks. (Seeaccept these approaches and the possibility that required Exhibit 18.)regulatory capital could fall for large banks. However, U.S.regulators have been concerned that Basel II may rely too Institutions that do allocate economic capital for some ofheavily on banks’ internal risk models. They have proposed these emerging risk areas tend to use less sophisticatedthat the implementation of Basel II in the United States techniques. For example, only about one-third of executivesbe delayed until 2009 and that U.S. banks be subject to described their institution’s techniques for calculatingadditional capital requirements, such as minimum leverage economic capital for liquidity and operational risk as very orratios. somewhat sophisticated.Not surprisingly, larger institutions were more likely to report Generally, the most sophisticated economic capitalusing more advanced approaches. For example, only 15% of methodologies are used at the largest institutions. However,institutions with $100 billion or more in assets reported using economic capital oversight is viewed as a board-levelthe Basic Indicator, compared to 51% for institutions with and senior management oversight responsibility at mostassets of $10 to $100 billion and 47% for institutions with institutions. Nearly eight out of 10 executives said that$1 to $10 billion in assets. However, only 31% of the largest economic capital results are reviewed by senior management,institutions were in the process of implementing the Advanced and nearly six out of 10 said results are reviewed by theirMeasurement Approach, while 62% were implementing the board.Standardized Approach. The survey also explored how the results of economic capitalThe survey found that risk coverage under the economic calculations compared to firms’ regulatory capital framework is not comprehensive, i.e., economic capital More than half the executives said that their regulatory capitalis not being allocated for all risk types. Institutions were more results were greater than their economic capital results.likely to calculate economic capital for risks that are well Another 22% said they don’t compare results, but plan to dounderstood, such as credit, market and interest-rate risk, and so regarding their Basel II requirements. 5