In an age of heightened and evolving regulatory expectations, financial institutions must not only comply with regulations, but also find the flexibility to respond quickly and effectively to future regulatory developments. The global financial crisis was the catalyst for an era of sweeping regulatory change that shows little sign of abating. Across the financial services industry, regulatory requirements are becoming broader in scope and more stringent.
After new regulations are enacted, it can take years before their practical implications become clear. Although the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) in the United States and Basel III were introduced several years ago, their rules are still being finalized. New regulatory developments include the US Federal Reserve’s Enhanced Prudential Standards (EPS), the European Central Bank (ECB) becoming the prudential supervisor of Eurozone banks, a new Banking Standards Review Council in the United Kingdom, and Solvency II becoming effective for European insurers in 2016.
The new regulatory landscape is placing demands on financial institutions in such areas as corporate governance, risk appetite, capital adequacy, stress tests, operational risk, technology data and information systems, and risk culture, to name only some areas of focus. As institutions prepare to comply, they will need the flexibility, in both their business models and compliance programs, to respond to the seemingly inevitable next round of reforms.
Deloitte’s Global risk management survey, ninth edition assesses the industry’s risk management practices and challenges in this period of reexamination. The survey was conducted in the second half of 2014 and includes responses from 71 financial services institutions around the world that operate across a range of financial sectors and with aggregate assets of almost US$18 trillion.
- More focus on risk management by boards of directors: Reflecting increased regulatory requirements, 85 percent of respondents reported that their board of directors currently devotes more time to oversight of risk than it did two years ago. The most common board responsibilities are to approve the enterprise-level statement of risk appetite (89 percent) and to review corporate strategy for alignment with the risk profile of the organization (80 percent).
- Broad adoption of the CRO position: Over the course of this global risk management survey series, the existence of a chief risk officer (CRO) position has grown to be nearly universal. In the current survey, 92 percent of institutions reported having a CRO or equivalent position, up from 89 percent in 2012 and 65 percent in 2002. Although it is considered a leading practice for the CRO to report to the board of directors, only 46 percent of respondents said this is the case, while 68 percent said the CRO reports to the CEO. In a positive sign, 68 percent of respondents said the CRO has primary oversight responsibility for risk management, an increase from 42 percent in 2012. Three responsibilities of the independent risk management program led by the CRO were cited by more than 90 percent of respondents: develop and implement the risk management framework, methodologies, standards, policies, and limits; oversee risk model governance; and meet regularly with the board of directors or board risk committees. Yet only 57 percent of respondents said their risk management program had the responsibility to approve new business or products.
- ERM becoming standard practice: It has become a regulatory expectation for larger institutions to have an enterprise risk management (ERM) program, and this is reflected in the survey results. Ninety-two percent of respondents said their institution either had an ERM program or was in the process of implementing one, an increase from 83 percent in 2012 and 59 percent in 2008. Another positive development is that among these institutions, 78 percent have an ERM framework and/or ERM policy approved by the board of directors or a board committee.
- Progress in meeting Basel III capital requirements: Eighty-nine percent of respondents at banks subject to Basel III or to equivalent regulatory requirements said their institution already meets the minimum capital ratios. The most common response to Basel III's capital requirements was to devote more time to capital efficiency and capital allocation (75 percent).
- Increasing use of stress tests: Regulators are increasingly relying on stress tests to assess capital adequacy, and respondents said stress testing plays a variety of roles in their institutions, including enabling forward-looking assessments of risk (86 percent), feeding into capital and liquidity planning procedures (85 percent), and informing the setting of risk tolerance (82 percent).
- Low effectiveness ratings on managing operational risk types: Roughly two-thirds of respondents felt their institution was extremely or very effective in managing the more traditional types of operational risks, such as legal (70 percent), regulatory/compliance (67 percent), and tax (66 percent). Fewer respondents felt their institution was extremely or very effective when it came to other operational risk types such as third party (44 percent), cybersecurity (42 percent), data integrity (40 percent), and model (37 percent).
- More attention needed on conduct risk and risk culture: There has been increased focus on the steps that institutions can take to manage conduct risk and to create a risk culture that encourages employees to follow ethical practices and assume an appropriate level of risk, but more work appears to be needed in this area. Sixty percent of respondents said their board of directors works to establish and embed the risk culture of the enterprise and promote open discussions regarding risk, and a similar percentage said that one of the board's responsibilities is to review incentive compensation plans to consider the alignment of risks with rewards, while the remaining respondents said these were not among the board's responsibilities. Only about half of respondents said it was a responsibility of their institution's risk management program to review compensation plans to assess their impact on risk appetite and culture.
- Increasing importance and cost of regulatory requirements: When asked which risk types would increase the most in importance for their institution over the next two years, regulatory/compliance risk was most often ranked among the top three, and 79 percent felt that increasing regulatory requirements and expectations were their greatest challenge. The most commonly cited impact of regulatory reform was an increased cost of compliance, reported by 87 percent of respondents.
- Risk data and technology systems continue to pose challenges: Again in 2014, the survey results indicated a need for continued improvement to risk data and information systems. Sixty-two percent of respondents said that risk information systems and technology infrastructure were extremely or very challenging, and 46 percent said the same about risk data. Issues related to data quality and information systems were also considered by many respondents to be extremely or very challenging in complying with Basel III (56 percent) and Solvency II (77 percent), and in managing investment management risk (55 percent). Going forward, 48 percent of respondents were extremely or very concerned about the ability of their institution's technology systems to respond flexibly to ongoing regulatory change.
Figure 01: Does your organization currently have a CRO or equivalent?
Figure 02: How challenging is each of the following in defining and implementing your organization's enterprise-level risk appetite statement?
Figure 03: How challenging is each of the following for your company when managing risk?
Figure 04: For which of the following risk types does your organization calculate economic capital?