State of Risk Management in Financial Institutions
As financial institutions continue to dig out of the financial crisis of the past few years, they are faced with a growing number of complex risks that continue to challenge their risk management effectiveness. To gain insight on the state of risk management in financial institutions around the world, Deloitte recently surveyed 71 financial institutions to learn about how they are dealing with the growing complexity of risk management issues. Key findings of their survey are included in Deloitte University Press’ recently released ninth edition of its Global Risk Management Survey titled, “Operating in the new normal: Increased regulation and heightened expectations.” That report highlights the state of risk management affecting the global financial services industry. This abstract summarizes some of the key findings in the Deloitte report.
The study finds that there is an increase in the amount of time spent by boards of directors on the oversight of risk management, with 85% of respondents stating their board devoted more time than in recent years. However, the pace may be slowing down, as 44% of respondents stated that their board spends considerably more time, compared to 67% who responded that way in 2012.
Among the board responsibilities, the most prevalent responses about board tasks were approving the enterprise-level statement of risk appetite and reviewing regular risk management reports on the range of risks facing the organization.
The presence of a Chief Risk Officer (CRO) or equivalent has continued to increase with 92% of respondents reporting having this or an equivalent position as compared to 89% in 2012. However, only 46% of the CROs report directly to the board of directors, despite direct reporting to the board being considered a leading practice.
Regulation and IT Risks are Greatest Challenges Today
With increasing regulation, it is no surprise that 79% of respondents reported that complying with new regulations and expectations was the greatest challenge to risk management. The increase of regulatory changes specific to information systems has always been a challenge and the survey results show this yet again. Risk information systems and technology infrastructure and risk data were reported as the second and third biggest challenges by the respondents.
ERM in Financial Institutions
Established enterprise risk management (ERM) programs are continuing to rise. In 2008, only 59% of bank respondents reported having an ERM program in place or currently in the process of implementing one compared to 92% in the 2015 survey. Furthermore, of these institutions reporting an ERM program in place, 73% reported the program was approved at the board level. Of the respondents in the insurance industry, 95% report having an ERM program established or currently being implemented and 100% reported having a CRO position or an equivalent.
Stress testing is required by the Federal Reserve in the United States and requires an assessment of a variety of issues ranging from capital adequacy to the effectiveness of the risk management control environment and information systems. Despite being a requirement, many institutions recognize the benefit of stress tests. The following are the top roles respondents said stress tests play in their institution:
- Enables forward-looking assessments of risk
- Feeds into capital and liquidity planning procedures
- Informs setting of risk tolerance
- Informs setting of capital and liquidity targets
- Supports the development of risk mitigation and contingency plans
The results of the stress tests are used for a variety of reasons. Respondents reported that reporting to the board (94%), reporting to senior management (92%), and understanding the firm’s risk profile (92%) were the top three uses of the results of the stress test.
Risks of Compliance with Basel Regulations
Basel III is a major regulatory requirement for banks, and it is undergoing changes that propose stricter requirements. Currently, 89% of the respondents in the banking industry reported they meet the minimum capital requirements, 8% will meet them before the deadline, and 3% by the deadline. Devoting more time to capital efficiency and capital allocation was the most common measure banks have taken or are taking to meet these requirements (75%). However, the majority of banks did not report strategic measures to comply with Basel III, such as exiting or reducing an existing business area (22%). In coming years banks may need to reconsider their business model in order to meet stricter requirements.
Future Focus on Risks
Respondents reported overall effectiveness of managing strategic and operational risk at 60% and 56%, respectively. Breaking this down further, respondents believed they were most effective at managing traditional operational risks such as legal (70%), regulatorytax (66%) versus third-partydata integrity (40%).
Looking forward, regulatory/compliance (51%), cybersecurity (39%), and strategic (28%) risks are viewed as having increased importance in the next two years. Eighty-seven percent of the respondents stated that the cost of compliance was a major concern and impact.
What does this mean going forward?
- Continuing emphasis will be needed on risk governance and communication at the board of directors and senior management level
- Improving capabilities of stress tests
- Improving IT security processes, processes for vendor selection, and general security assessment
- Reassessment of risk data and information systems