Global risk management survey | Deloitte Insights

Global risk management survey, 11th edition executive summary

By Edward Hida
8 minute read January 23, 2019

Financial organizations face challenges from nonfinancial risks such as cybersecurity, model, third-party, and conduct risk—as well as looming economic dangers—that will require institutions to rethink their traditional risk management approaches.

Despite the relative calm in the global economy, risk management today is confronting a series of substantial impending risks that will require financial services institutions to rethink traditional approaches. The global economy has strengthened, but storm clouds remain on the horizon in the form of tensions over tariffs between the United States, China, the European Union, and other jurisdictions that could potentially result in lower trade volumes. Global economic growth has been reduced by weak growth in Europe coupled with a more slowly growing Chinese economy burdened with increasing debt levels. With the lack of a final Brexit agreement between the European Union and United Kingdom, there remains significant uncertainty as to its impact for many firms.

While the tsunami of regulatory change in the wake of the financial crisis appears to have crested, financial services institutions are preparing for a number of regulatory requirements that are still to be finalized and assessing the full implications of implementing those that have recently been finalized. Meanwhile, global institutions are facing an environment in which regulations are becoming increasingly fragmented across jurisdictions. The revisions of the Basel Committee on Banking Supervision (Basel Committee) to capital adequacy and other requirements under Basel III, while finalized, have yet to be adopted, and could be revised, by local regulatory authorities. The International Association of Insurance Supervisors (IAIS) is working to develop a global insurance capital standard (ICS) with many issues still unresolved, including defining a valuation basis and specifying the role of internal models in determining capital requirements. The final agreement for the withdrawal of the United Kingdom from the European Union under Brexit, which is still being negotiated, will have important impacts on the supervision of markets and financial institutions based in the United Kingdom and Europe, and for investment banking booking practices and models. The EU’s General Data Protection Regulation (GDPR), which took effect in May 2018, places new obligations on all financial institutions that have EU citizen data to secure consumer consent for its use, among other requirements. Initiatives to increase data privacy have also been underway in India and China. There has been a greater focus on conduct risk in many jurisdictions, notably Australia’s Royal Commission into Misconduct in the Banking, Superannuation, and Financial Services Industry.

In recent years, financial institutions have improved the capabilities of their risk management programs to manage traditional risk types such as market, credit, and liquidity risk. Managing nonfinancial risk is now assuming greater importance, both for regulators and institutions. Among the many nonfinancial risks, increasingly sophisticated cyberattacks by individuals and nation states have made cybersecurity a top concern. Well-publicized instances of inappropriate behavior at major financial institutions have underscored the importance of managing conduct risk. Risk events at third parties employed by financial institutions can result in significant financial losses and reputational damage.

Financial institutions should consider re-engineering their risk management programs to develop the capabilities required to meet these challenges, and some have already undertaken efforts to enhance these programs. The three lines of defense risk governance model should be re-examined to clarify the responsibilities of each line of defense, especially the business units and functions that comprise Line 1. Risk data governance at many institutions will likely need to be enhanced to provide the accessible, high-quality, and timely data required for stress testing, operational risk management, and other applications.

Financial institutions should also consider leveraging the power of digital technologies—such as RPA, machine learning, cognitive analytics, cloud computing, and natural language processing—to increase both the efficiency and effectiveness of risk management. These tools can reduce costs by automating manual tasks such as developing risk reports or reviewing transactions. They can also automatically scan a wide variety of data in the internal and external environments to identify and respond to new risks, emerging threats, and bad actors.

Finally, risk management needs to be infused into strategy so that the institution’s risk appetite and risk utilization are key considerations in the process of developing its strategic plan and strategic objectives.

Deloitte’s Global risk management survey, 11th edition is the latest edition in this ongoing survey series that assesses the industry’s risk management practices and the challenges it faces. The survey was conducted from March 2018 to July 2018 and was completed by 94 financial institutions around the world that operate in a range of financial sectors and with aggregate assets of US$29.1 trillion.

Key findings

Continued growing importance of cybersecurity risk. There was broad consensus that cybersecurity is the risk type increasing the most in importance. Sixty-seven percent of respondents named cybersecurity as one of the three risks that would increase the most in importance for their business over the next two years, far more than for any other risk. Yet, only about one-half of the respondents felt their institutions were extremely effective or very effective in managing this risk. For specific types of cybersecurity risks, respondents most often considered their institutions to be extremely effective or very effective in managing disruptive attacks (58 percent), financial losses or fraud (57 percent), cybersecurity risks from customers (54 percent), loss of sensitive data (54 percent), and destructive attacks (53 percent). They were less likely to consider their institutions to be this effective when it came to threats from nation state actors (37 percent) or cybersecurity risks from third-party providers (31 percent). In managing cybersecurity risk, respondents most often cited as extremely challenging or very challenging staying ahead of changing business needs (e.g., social, mobile, analytics, and cloud) (58 percent) and addressing threats from sophisticated actors (e.g., nation states, skilled hacktivists) (58 percent). The awareness of cybersecurity risk is growing, and fewer respondents than in the last survey considered several related governance issues to be extremely challenging or very challenging: getting the businesses to understand their role in cybersecurity risk (31 percent, down from 47 percent), setting an effective multi-year cybersecurity risk strategy approved by the board (31 percent, down from 53 percent), and securing ongoing funding/investment (18 percent, down from 38 percent).

Increasing focus on nonfinancial risks. Almost all respondents considered their institutions to be extremely effective or very effective in managing traditional financial risks such as market (92 percent), credit (89 percent), asset and liability (87 percent), and liquidity (87 percent). In contrast, roughly one-half the respondents said the same about a number of nonfinancial risks including reputation (57 percent), operational (56 percent), business resilience (54 percent), model (51 percent), conduct and culture (50 percent), strategic (46 percent), third-party (40 percent), geopolitical (35 percent), and data integrity (34 percent). Financial institutions should consider adopting a holistic approach to managing nonfinancial risks.

Addressing risk data and IT systems is a top priority. A theme that runs throughout the survey results is the importance of enhancing risk data and IT systems. This has been a continuing issue for financial institutions and the financial services industry for some time and indicates the deep-seated difficulty of providing quality data from source through many systems and processes to its ultimate users. When asked about the risk management priorities for their institutions over the next two years, the issues cited most often as being an extremely high priority or very high priority were enhancing the quality, availability, and timeliness of risk data (79 percent) and enhancing risk information systems and technology infrastructure (68 percent). This is consistent with results showing roughly one-third of respondents felt their institutions were extremely effective or very effective regarding data governance (34 percent) and data controls/checks (33 percent). When asked about the challenges in stress testing, data quality and management for stress testing calculations was most often considered to be extremely challenging or very challenging both for capital stress testing (42 percent) and liquidity stress testing (30 percent).

The potential of digital risk management. Continued advances in a range of emerging technologies present a significant opportunity to dramatically transform the efficiency and effectiveness of risk management. Much of this opportunity is still to be realized; relatively few institutions reported applying some of these emerging technologies to risk management.

The technologies that institutions most often reported using were cloud computing (48 percent), big data and analytics (40 percent), and Business Process Modeling (BPM) tools (38 percent). Although much attention has been given to RPA to reduce costs and improve accuracy by automating repetitive manual tasks without human involvement, only 29 percent of respondents said their institutions are currently using it. RPA usage is most common in risk data (25 percent), risk reporting (21 percent), and regulatory reporting (20 percent).

Although adoption is currently fairly low, respondents believed that emerging technologies will deliver very large benefits or large benefits in many areas such as increasing operational efficiency/reducing error rates (68 percent), enhancing risk analysis and detection (67 percent), and improving timely reporting (60 percent).

Addressing the challenges in the three lines of defense risk governance model. Virtually all institutions (97 percent) reported employing the three lines of defense risk governance model, but said they face significant challenges. The challenges most often cited as significant typically involved the role of Line 1 (business units) including defining the roles and responsibilities between Line 1 (business) and Line 2 (risk management) (50 percent), getting buy-in from Line 1 (the business) (44 percent), eliminating overlap in the roles of the three lines of defense (38 percent), having sufficient skilled personnel in Line 1 (33 percent), and executing Line 1 responsibilities (33 percent). These challenges are consistent with our experience with financial institutions, as many have been, or are in the process of, clarifying the roles of the 1st and 2nd lines of defense and working to improve the efficiency and effectiveness within the three lines of defense model.

Increasing reliance on stress testing. Almost all institutions reported using capital (90 percent) and liquidity (87 percent) stress tests, and are placing greater reliance on them. Capital stress tests are being used more often as a key tool for boards and management, with more respondents saying that they are being used extensively in many areas than was the case in the prior survey. These tests include reporting to the board (64 percent, up from 46 percent), reporting to senior management (61 percent, up from 49 percent), defining/updating capital capacity requirements for risk (47 percent, up from 24 percent), and strategy and business planning (38 percent, up from 26 percent).

Liquidity stress tests are also being used more extensively in several areas: assessing adequacy of excess liquidity (57 percent, up from 39 percent), meeting regulatory requirements and expectations (65 percent, up from 52 percent), and setting liquidity limits (56 percent, up from 44 percent).

Stronger board oversight. Reflecting the slower pace of regulatory change, only 28 percent of respondents said their boards of directors were spending considerably more time on risk management compared to two years ago, which is down from 44 percent in the previous survey. Many institutions are following leading practices[1] in board oversight, with 61 percent of respondents saying that the primary responsibility for risk oversight is placed on a risk committee of the board of directors, and 70 percent saying the risk committee is composed either entirely (35 percent) or of a majority (35 percent) of independent directors, while 84 percent said the committee is chaired by an independent director.

Widespread adoption of the CRO position. The prevalence of the CRO position continues to expand over the course of the survey series, with 95 percent of institutions now having a CRO. However, there remains room for improvement in CRO reporting relationships by having the CRO report both to the CEO and the board of directors. One-quarter of respondents said their CRO did not report to the institution’s CEO, and roughly one-half said the CRO did not report to the board of directors or a board committee.

Continued increase in the adoption of ERM. Eighty-three percent of respondents said their institutions have an ERM program in place, up from 73 percent in the previous survey, with an additional 9 percent saying they were in the process of implementing one. In addition to addressing data and IT systems issues as noted above, the issues that were most often cited by respondents as being an extremely high or very high priority for their institutions’ ERM programs were collaboration between the business units and the risk management function (66 percent), managing increasing regulatory requirements and expectations (61 percent), and establishing and embedding the risk culture across the enterprise (55 percent).

To learn about these and more responses from the survey, download Deloitte’s full report, Global risk management survey, 11th edition.

Acknowledgments

This report is the result of a team effort that included contributions by financial services practitioners from member firms of Deloitte Touche Tohmatsu Limited around the world. Special thanks are given to Bayer Consulting for administering the survey and assisting with the final document.

In addition, the following individuals from Deloitte in the United States conducted analysis and provided project management, editorial, and/or design support:

Katherine Smith, senior manager, Deloitte Services LP

Ulyana Stoyan, manager, Deloitte & Touche LLP

Connor Keenan, senior consultant, Deloitte & Touche LLP

Ludwig Reimmer, senior consultant, Deloitte & Touche LLP

Cover image by: Christina Chung

Endnotes
    1. About the term “leading practice”: For purposes of this paper, we consider industry practices to fall into a range, from leading to lagging. Some industry practices may be considered leading practices, which are generally looked upon favorably by regulators, industry professionals, and observers due to the potentially superior outcomes the practice may attain. Other approaches may be considered prevailing practices, which are seen to be widely in use. At the lower end of the range are lagging practices, which generally represent less-advanced approaches and which may result in less-than-optimal outcomes. Items reflected as leading practices herein are based on survey feedback and the editor’s and contributors’ experience with relevant organizations.

Contact
  • Edward T. Hida II, CFA
  • Partner | Deloitte Risk & Financial Advisory
  • Deloitte & Touche LLP
  • ehida@deloitte.com
  • +1 212 436 4854
