Global risk management survey
11th edition executive summary
Financial organizations face challenges from nonfinancial risks such as cybersecurity, model, third-party, and conduct risk—as well as looming economic dangers—that will require institutions to rethink their traditional risk management approaches.
Despite the relative calm in the global economy, risk management today is confronting a series of substantial impending risks that will require financial services institutions to rethink traditional approaches. The global economy has strengthened, but storm clouds remain on the horizon in the form of tensions over tariffs between the United States, China, the European Union, and other jurisdictions that could potentially result in lower trade volumes. Global economic growth has been reduced by weak growth in Europe coupled with a more slowly growing Chinese economy burdened with increasing debt levels. With the lack of a final Brexit agreement between the European Union and United Kingdom, there remains significant uncertainty as to its impact for many firms.
While the tsunami of regulatory change in the wake of the financial crisis appears to have crested, financial services institutions are preparing for a number of regulatory requirements that are still to be finalized and assessing the full implications of implementing those that have recently been finalized. Meanwhile, global institutions are facing an environment in which regulations are becoming increasingly fragmented across jurisdictions. The revisions of the Basel Committee on Banking Supervision (Basel Committee) to capital adequacy and other requirements under Basel III, while finalized, have yet to be adopted, and could be revised, by local regulatory authorities. The International Association of Insurance Supervisors (IAIS) is working to develop a global insurance capital standard (ICS) with many issues still unresolved, including defining a valuation basis and specifying the role of internal models in determining capital requirements. The final agreement for the withdrawal of the United Kingdom from the European Union under Brexit, which is still being negotiated, will have important impacts on the supervision of markets and financial institutions based in the United Kingdom and Europe, and for investment banking booking practices and models. The EU’s General Data Protection Regulation (GDPR), which took effect in May 2018, places new obligations on all financial institutions that have EU citizen data to secure consumer consent for its use, among other requirements. Initiatives to increase data privacy have also been underway in India and China. There has been a greater focus on conduct risk in many jurisdictions, notably Australia’s Royal Commission into Misconduct in the Banking, Superannuation, and Financial Services Industry.
In recent years, financial institutions have improved the capabilities of their risk management programs to manage traditional risk types such as market, credit, and liquidity risk. Managing nonfinancial risk is now assuming greater importance, both for regulators and institutions. Among the many nonfinancial risks, increasingly sophisticated cyberattacks by individuals and nation states have made cybersecurity a top concern. Well-publicized instances of inappropriate behavior at major financial institutions have underscored the importance of managing conduct risk. Risk events at third parties employed by financial institutions can result in significant financial losses and reputational damage.
Financial institutions should consider re-engineering their risk management programs to develop the capabilities required to meet these challenges, and some have already undertaken efforts to enhance these programs. The three lines of defense risk governance model should be re-examined to clarify the responsibilities of each line of defense, especially the business units and functions that comprise Line 1. Risk data governance at many institutions will likely need to be enhanced to provide the accessible, high-quality, and timely data required for stress testing, operational risk management, and other applications.
Financial institutions should also consider leveraging the power of digital technologies—such as robotic process automation (RPA), machine learning, cognitive analytics, cloud computing, and natural language processing—to increase both the efficiency and effectiveness of risk management. These tools can reduce costs by automating manual tasks such as developing risk reports or reviewing transactions. They can also automatically scan a wide variety of data in the internal and external environments to identify and respond to new risks, emerging threats, and bad actors.
Finally, risk management needs to be infused into strategy so that the institution’s risk appetite and risk utilization are key considerations in the process of developing its strategic plan and strategic objectives.
Deloitte’s Global risk management survey, 11th edition is the latest edition in this ongoing survey series that assesses the industry’s risk management practices and the challenges it faces. The survey was conducted from March 2018 to July 2018 and was completed by 94 financial institutions around the world that operate in a range of financial sectors and with aggregate assets of US$29.1 trillion.
Continued growing importance of cybersecurity risk. There was broad consensus that cybersecurity is the risk type increasing the most in importance. Sixty-seven percent of respondents named cybersecurity as one of the three risks that would increase the most in importance for their business over the next two years, far more than for any other risk. Yet, only about one-half of the respondents felt their institutions were extremely effective or very effective in managing this risk. For specific types of cybersecurity risks, respondents most often considered their institutions to be extremely effective or very effective in managing disruptive attacks (58%), financial losses or fraud (57%), cybersecurity risks from customers (54%), loss of sensitive data (54%), and destructive attacks (53%). They were less likely to consider their institutions to be this effective when it came to threats from nation state actors (37%) or cybersecurity risks from third-party providers (31%). In managing cybersecurity risk, respondents most often cited as extremely challenging or very challenging staying ahead of changing business needs (e.g., social, mobile, analytics, and cloud) (58%) and addressing threats from sophisticated actors (e.g., nation states, skilled hacktivists) (58%). The awareness of cybersecurity risk is growing, and fewer respondents than in the last survey considered several related governance issues to be extremely challenging or very challenging: getting the businesses to understand their role in cybersecurity risk (31%, down from 47%), setting an effective multi-year cybersecurity risk strategy approved by the board (31%, down from 53%), and securing ongoing funding/investment (18%, down from 38%).
Increasing focus on nonfinancial risks. Almost all respondents considered their institutions to be extremely effective or very effective in managing traditional financial risks such as market (92%), credit (89%), asset and liability (87%), and liquidity (87%). In contrast, roughly one-half the respondents said the same about a number of nonfinancial risks including reputation (57%), operational (56%), business resilience (54%), model (51%), conduct and culture (50%), strategic (46%), third-party (40%), geopolitical (35%), and data integrity (34%). Financial institutions should consider adopting a holistic approach to managing nonfinancial risks.
Addressing risk data and IT systems is a top priority. A theme that runs throughout the survey results is the importance of enhancing risk data and IT systems. This has been a continuing issue for financial institutions and the financial services industry for some time and indicates the deep-seated difficulty of providing quality data from source through many systems and processes to its ultimate users. When asked about the risk management priorities for their institutions over the next two years, the issues cited most often as being an extremely high priority or very high priority were enhancing the quality, availability, and timeliness of risk data (79%) and enhancing risk information systems and technology infrastructure (68%). This is consistent with results showing roughly one-third of respondents felt their institutions were extremely effective or very effective regarding data governance (34%) and data controls/checks (33%). When asked about the challenges in stress testing, data quality and management for stress testing calculations was most often considered to be extremely challenging or very challenging both for capital stress testing (42%) and liquidity stress testing (30%).
The potential of digital risk management. Continued advances in a range of emerging technologies present a significant opportunity to dramatically transform the efficiency and effectiveness of risk management. Much of this opportunity is still to be realized; relatively few institutions reported applying some of these emerging technologies to risk management.
The technologies that institutions most often reported using were cloud computing (48%), big data and analytics (40%), and Business Process Modeling (BPM) tools (38%). Although much attention has been given to RPA to reduce costs and improve accuracy by automating repetitive manual tasks without human involvement, only 29% of respondents said their institutions are currently using it. RPA usage is most common in risk data (25%), risk reporting (21%), and regulatory reporting (20%).
Although adoption is currently fairly low, respondents believed that emerging technologies will deliver very large benefits or large benefits in many areas such as increasing operational efficiency/reducing error rates (68%), enhancing risk analysis and detection (67%), and improving timely reporting (60%).
Addressing the challenges in the three lines of defense risk governance model. Virtually all institutions (97%) reported employing the three lines of defense risk governance model, but said they face significant challenges. The challenges most often cited as significant typically involved the role of Line 1 (business units), including defining the roles and responsibilities between Line 1 (business) and Line 2 (risk management) (50%), getting buy-in from Line 1 (the business) (44%), eliminating overlap in the roles of the three lines of defense (38%), having sufficient skilled personnel in Line 1 (33%), and executing Line 1 responsibilities (33%). These challenges are consistent with our experience with financial institutions, as many have clarified, or are in the process of clarifying, the roles of Line 1 and Line 2 and are working to improve the efficiency and effectiveness of the three lines of defense model.
Increasing reliance on stress testing. Almost all institutions reported using capital (90%) and liquidity (87%) stress tests, and are placing greater reliance on them. Capital stress tests are being used more often as a key tool for boards and management, with more respondents saying that they are being used extensively in many areas than was the case in the prior survey. These areas include reporting to the board (64%, up from 46%), reporting to senior management (61%, up from 49%), defining/updating capital capacity requirements for risk (47%, up from 24%), and strategy and business planning (38%, up from 26%).
Liquidity stress tests are also being used more extensively in several areas: assessing adequacy of excess liquidity (57%, up from 39%), meeting regulatory requirements and expectations (65%, up from 52%), and setting liquidity limits (56%, up from 44%).
Stronger board oversight. Reflecting the slower pace of regulatory change, only 28% of respondents said their boards of directors were spending considerably more time on risk management compared to two years ago, which is down from 44% in the previous survey. Many institutions are following leading practices in board oversight, with 61% of respondents saying that the primary responsibility for risk oversight is placed on a risk committee of the board of directors, and 70% saying the risk committee is composed either entirely (35%) or of a majority (35%) of independent directors, while 84% said the committee is chaired by an independent director.
Widespread adoption of the CRO position. The prevalence of the chief risk officer (CRO) position continues to expand over the course of the survey series, with 95% of institutions now having a CRO. However, there remains room for improvement in CRO reporting relationships by having the CRO report both to the CEO and the board of directors. One-quarter of respondents said their CRO did not report to the institution’s CEO, and roughly one-half said the CRO did not report to the board of directors or a board committee.
Continued increase in the adoption of ERM. Eighty-three percent of respondents said their institutions have an enterprise risk management (ERM) program in place, up from 73% in the previous survey, with an additional 9% saying they were in the process of implementing one. In addition to addressing data and IT systems issues as noted above, the issues that were most often cited by respondents as being an extremely high or very high priority for their institutions’ ERM programs were collaboration between the business units and the risk management function (66%), managing increasing regulatory requirements and expectations (61%), and establishing and embedding the risk culture across the enterprise (55%).