Global Risk Management Survey - 10th Edition Heightened Uncertainty Signals New Challenges Ahead
While many organizations continue to enhance their risk management practices worldwide, this year's survey revealed that leaders are focused on the regulatory impact of recent geopolitical shifts and questioning what's coming next.
We are pleased to present the 10th edition of Global risk management survey, the latest installment in Deloitte’s ongoing assessment of the state of risk management in the global financial services industry. The survey findings are based on the responses of 77 financial institutions from around the world and across multiple financial services sectors, representing a total of $13.6 trillion in aggregate assets. We wish to express appreciation to all the survey participants for their time and insights.
Overall, the survey found that leading risk management practices continue to gain wider adoption across the industry. Boards of directors are devoting more time and taking a more active role in the oversight of risk management. The chief risk officer (CRO) position has become almost universal, and CROs are increasingly reporting directly to the board of directors and the chief executive officer (CEO). Enterprise risk management (ERM) programs designed to identify and manage risks across the enterprise are now the norm. Almost all respondents consider their institution to be effective in managing traditional risk types such as credit, market, and liquidity risk. These and other trends over the course of Deloitte’s Global risk management survey series are summarized below in the section “Evolution of risk management.”
The progress has been undeniable, but in the years ahead risk management is likely to face a different type of challenge. In the years since the global financial crisis, financial institutions have worked hard to address ever-increasing regulatory requirements. In 2017, however, the industry may be reaching an inflection point. After the fundamental reforms of the last several years, there are indications that going forward the trend of ever-broader and more stringent regulatory requirements may slow or actually be reversed in some areas. The US Federal Reserve has eliminated the qualitative review of capital plans and stress testing for large, noncomplex firms; some European regulators and institutions have resisted recent so-called “Basel IV” proposals to establish a capital floor, and President Trump has announced steps to review and potentially cut back on requirements implemented by federal agencies under the Dodd-Frank Act.
There is also far more uncertainty than usual over the outlook for economic growth given the United Kingdom’s referendum to leave the European Union (EU); the rise of populist parties in France, Italy, and other European countries that oppose membership in the European Union; and President Trump’s decision to withdraw from the Trans-Pacific Partnership and his pledge to renegotiate trade agreements with China and Mexico. While all of these developments could depress growth, there is also the potential for increased business activity resulting from President Trump’s proposals during the campaign to reduce personal and business taxes, launch a major program of infrastructure investment, and cut regulations on businesses.
When it comes to the business environment, the more widespread emergence of fintech firms has substantially raised the level of strategic risk. These start-ups are threatening to disrupt financial sectors and services such as lending, payments, wealth management, and property and casualty products.
Financial institutions are also responding to two major emerging risks. Cybersecurity has become an ever-greater concern with breaches increasing in number and impact. Another area that has received closer attention from regulators is the need for financial institutions to take proactive steps to encourage ethical behavior among their employees and create a risk-aware culture.
Financial institutions are facing a fiercer battle for talent. The implementation of new and more stringent regulatory requirements has increased the demand for professionals that possess both risk management skills and experience in the financial industry.
The expansion of regulatory requirements over the last several years has led compliance costs to skyrocket, and financial institutions are looking to rationalize their processes and use technology applications to create greater efficiencies.
Viewed in combination, these trends mean that effective risk management is becoming increasingly important. In the current uncertain regulatory and business environment, financial institutions should consider taking their risk management programs in new directions and to a new level to meet the new challenges that lie ahead. At the same time, developing efficient business processes will be critical to restrain risk management spending in a low-growth and low-interest-rate environment. Most important, they will require agile processes and nimble risk information technology systems that will allow them to respond flexibly to potential changes in the direction of regulatory expectations or to disruption caused by fintech players.
We hope that this overall assessment of risk management at financial institutions around the world provides you with useful insights as you work to further enhance your organization’s risk management program.
Edward T. Hida II, CFA
Risk & capital management leader
Deloitte & Touche LLP
The years since the global financial crisis have seen a wave of regulatory change that increased both the scope and the level of stringency of regulatory requirements. New legislation and regulations have included the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) in the United States, Basel 2.5 and III, the US Federal Reserve’s Enhanced Prudential Standards (EPS), the European Market Infrastructure Regulation (EMIR), and Solvency II capital standards. In the years since the global financial crisis, financial institutions have had more time to understand the practical implications of these new regulations and what is required to comply.
Today, risk management is becoming even more important; financial institutions confront a variety of trends that have introduced greater uncertainty than before into the future direction of the business and regulatory environment. Economic conditions in many countries continue to be weak, with historically low interest rates. The UK referendum to leave the European Union (Brexit vote), coupled with US President Donald Trump’s pledge to renegotiate trade agreements with China and Mexico, raise the possibility that trade volumes may decline.
The continual increase in regulatory requirements may abate or even be reversed in 2017 as President Trump and others have questioned whether regulatory oversight has gone too far. Strategic risk is increasing as entrepreneurial fintech players are competing with traditional firms in many sectors. The rapidly changing environment suggests that risk management programs may need to increase their ability to anticipate and respond flexibly to new regulatory and business developments and to emerging risks, for example, by employing predictive analytics tools.
Deloitte’s Global risk management survey, 10th edition assesses the industry’s risk management practices and the challenges it faces in this turbulent period. The survey was conducted in the second half of 2016—after the Brexit vote in the United Kingdom but before the US presidential election—and includes responses from 77 financial services institutions around the world that conduct business in a range of financial sectors and with aggregate assets of $13.6 trillion.
The external micro and macroeconomic environment is getting more volatile.
— Chief risk officer, large diversified financial services company
Cybersecurity. Only 42 percent of respondents considered their institution to be extremely or very effective in managing cybersecurity risk. Yet, cybersecurity is the risk type that respondents most often ranked among the top three that would increase in importance for their institution over the next two years (41 percent). In recognition of the broad senior management and board awareness of cybersecurity risks, most respondents did not report challenges in securing funding or in communicating with senior management or the board.
However, many boards of directors face the challenge of securing sufficient technical expertise to oversee the management of cybersecurity risk. The issues cited most often as extremely or very challenging were hiring or acquiring skilled cybersecurity talent (58 percent) and getting actionable, near-real-time threat intelligence (57 percent).
Institutions less effective at managing newer risk types. Roughly 80 percent or more of respondents said their institution is extremely or very effective at managing traditional risk types such as liquidity (84 percent), underwriting/reserving (83 percent), credit (83 percent), asset and liability (82 percent), investment (80 percent), and market (79 percent). Newer risk types present more challenges, and fewer respondents rated their institution highly at managing model risk (40 percent), third-party risk (37 percent), and data integrity (32 percent). Given the heightened geopolitical uncertainty and change during the period when the survey was conducted, as evidenced by the UK Brexit referendum and the discussion of US trade policies during the US presidential campaign, it is notable that the percentage of respondents who considered their institution to be extremely or very effective at managing geopolitical risk was only 28 percent, a sharp drop from 47 percent in 2014.
Significant challenges posed by risk data and IT systems. Few respondents considered their institution to be extremely or very effective in any aspect of risk data strategy and management, such as data governance (26 percent), data marts/warehouses (26 percent), and data standards (25 percent). Even fewer respondents rated their institution this highly in other areas including data sourcing strategy (16 percent), data process architecture/workflow logic (18 percent), and data controls/checks (18 percent). Many respondents also had significant concerns about the agility of their institution’s risk management information technology systems. Roughly half of the respondents were extremely or very concerned about risk technology adaptability to changing regulatory requirements (52 percent), legacy systems and antiquated architecture or end-of-life systems (51 percent), inability to respond to time-sensitive and ad hoc requests (49 percent), and lack of flexibility to extend the current systems (48 percent).
Battle for risk management talent. With the increase in regulatory requirements, there has been greater competition for professionals with risk management skills and experience. Seventy percent of respondents said attracting and retaining risk management professionals with required skills would be an extremely or very high priority for their institution over the next two years, while 54 percent said the same about attracting and retaining business unit professionals with required risk management skills. Since cybersecurity is a growing concern across all industries, the competition is especially intense for professionals with expertise in this area. As noted above, when asked how challenging various issues in managing cybersecurity risk were, the item cited third most often as extremely or very challenging was hiring or acquiring skilled cybersecurity talent (58 percent).
You need a good combination of analytical (quant) people, especially for advanced analytics and big data. But you need people who do not blindly do advanced analytics. You need business insight and business judgment as well. I think one of the main requirements or expectations is to get much stronger rotations between business and risk management folks.
You need to have a much more rotational career to foster mutual understanding.
— Chief risk officer, large diversified financial services company
Greater use of stress testing. Regulators are increasingly using stress tests as a tool to assess capital adequacy and liquidity, and 83 percent of institutions reported using capital stress testing and the same percentage reported using liquidity stress testing. For both types of stress tests, more than 90 percent of institutions reported using it for reporting to the board, reporting to senior management, and for meeting regulatory requirements and expectations. For both capital and liquidity stress tests, the two issues most often rated as extremely or very challenging concern IT systems and data: stress testing IT platform (66 percent for capital stress testing and 45 percent for liquidity stress testing) and data quality and management for stress testing calculations (52 percent for capital stress testing and 33 percent for liquidity stress testing).
Increased importance and cost of compliance. Thirty-six percent of respondents cited regulatory/compliance risk as among the three risk types that will increase the most in importance for their business over the next two years, the risk named second most often.
Seventy-nine percent of respondents said that regulatory reform had resulted in an increased cost of compliance in the jurisdictions where their institution operates, and more than half the respondents said they were extremely or very concerned about tighter standards or regulations that will raise the cost of doing existing business (59 percent) and the growing cost of required documentation and evidence of program compliance (56 percent).
Increasing oversight by boards of directors. Eighty-six percent of respondents said their board of directors is devoting more time to the oversight of risk management than it did two years ago, including 44 percent who said it is devoting considerably more time. The most common risk management responsibilities of boards of directors are reviewing and approving the overall risk management policy and/or ERM framework (93 percent), monitoring risk appetite utilization including financial and nonfinancial risk (89 percent), assessing capital adequacy (89 percent), and monitoring new and emerging risks (81 percent). However, there is more work to do in instilling a risk culture: no more than roughly two-thirds of respondents cited as board responsibilities helping establish and embed the risk culture of the enterprise (67 percent) or reviewing incentive compensation plans to consider the alignment of risks with rewards (55 percent).
CRO position almost universal. Ninety-two percent of institutions reported having a CRO position or equivalent, yet there remains significant room for improvement in the role. The CRO reports directly to the board of directors at only 52 percent of institutions, although this reporting line provides important benefits and is generally a regulatory expectation. Although the CRO meets regularly with the board of directors at 90 percent of institutions, many fewer institutions (53 percent) reported that the CRO meets with the board in executive sessions. The CRO is the highest level of management responsible for risk management at about half of the institutions (48 percent), with other institutions placing this responsibility with the CEO (27 percent), the executive-level risk committee (16 percent), or the chief financial officer (CFO) (4 percent). The most common responsibilities for the CRO were to develop and implement the risk management framework, methodologies, standards, policies, and limits (94 percent), identify new and emerging risks (94 percent), and develop risk information reporting mechanisms (94 percent).
Despite the increasing importance of strategic risk and the related need for risk management of business strategy and decisions, fewer respondents said the CRO has the responsibility to provide input into business strategy development and the periodic assessment of the plan (65 percent), participate in day-to-day business decisions that impact the risk profile (63 percent), or approve new business or products (58 percent). And while regulators have placed greater focus on the importance of conduct and culture, reviewing the compensation plan to assess its impact on risk appetite and culture was identified as a CRO responsibility by 54 percent of the respondents.
Steady increase in the adoption of ERM. Seventy-three percent of institutions reported having an ERM program, up from 69 percent in 2014 and more than double the 35 percent in 2006. In addition, another 13 percent of institutions said they are currently implementing an ERM program, and 6 percent said they plan to create one. An institution’s ERM framework and/or policy is a fundamental document that should be approved by the board of directors, and 91 percent of institutions said this had occurred, up from 78 percent in 2014. Two of the issues frequently cited as extremely or very high priorities for their risk management programs over the next two years concerned IT systems and data: enhancing risk information systems and technology infrastructure (78 percent) and enhancing the quality, availability, and timeliness of risk data (72 percent). Another issue considered to be an extremely or very high priority by a substantial majority of respondents was collaboration between the business units and the risk management function (74 percent), which is essential to having an effective three lines of defense model.
EVOLUTION OF RISK MANAGEMENT
Over the 20 years that Deloitte has been conducting its Global risk management survey series, the financial services industry has become more complex with the evolution of financial sectors, the increased size of financial institutions, the global interconnectedness of firms, and the introduction of new products and services. At the same time, regulatory requirements and expectations for risk management have broadened to cover a wider range of issues and have also become more stringent, especially in the years since the global financial crisis. Deloitte’s survey series has assessed how institutions have responded to these developments, the substantial progress that has occurred in the maturity of risk management programs, and the challenges those programs face. In general over this period, risk management programs have become almost universally adopted, and programs now have expanded capabilities. Boards of directors are more involved in risk management, and more institutions employ a senior-level CRO position. The following are some of the key areas where the survey series has documented an increasing maturity in risk management programs.
More active board oversight. In 2016, 93 percent of respondents said their board of directors reviews and approves the overall risk management policy and/or ERM framework, an increase from 81 percent in 2012.
More use of board risk committees. It is a regulatory expectation that boards of directors establish a risk committee with the primary responsibility for risk oversight. The use of a board risk committee has become more widespread, increasing from 43 percent of institutions in 2012 to 63 percent in 2016, although there is clearly room for further adoption (figure 1).
Increased adoption of CRO position. Over the years, there has been a continual increase in the percentage of institutions with a CRO position or equivalent, from 65 percent in 2002 to 92 percent in 2016, making the position almost universal (figure 2). At the same time, the CRO is a more senior-level position reporting to higher levels of the organization. In 2016, 75 percent of respondents said the CRO reports to the CEO, a substantial increase from just 32 percent in 2002. Similarly, the CRO more often directly reports to the board of directors—at 52 percent of institutions in 2016, up from 32 percent in 2002. Seventy-seven percent of institutions reported that the CRO is a member of the executive management committee, an increase from 58 percent in 2010.
Wider set of responsibilities for the CRO. Over time, the CRO and the independent risk management program have been given a wider set of responsibilities at many institutions.
For example, 92 percent of respondents said a responsibility of the CRO was to assist in developing and documenting the enterprise-level risk appetite statement compared with 72 percent in 2008. Similarly, 76 percent said a CRO responsibility is to assess capital adequacy, while this was the case at 54 percent of the institutions in 2006.
Widespread adoption of ERM program. The adoption of ERM programs has more than doubled, from 35 percent in 2006 to 73 percent in 2016 (figure 3). The implementation of ERM programs moved upwards in 2010, which was likely due to the post-financial-crisis focus on enhancing risk management.
While there has been considerable progress in the continued development and maturation of risk management programs, there remains considerable work to do. The specific areas where risk management programs need to further enhance their capabilities and effectiveness, and the likely future challenges, are detailed in the body of this report.