Global risk management survey, 11th edition executive summary

by Edward Hida
    8 minute read 23 January 2019


    Financial organizations face challenges from nonfinancial risks such as cybersecurity, model, third-party, and conduct risk—as well as looming economic dangers—that will require institutions to rethink their traditional risk management approaches.

    Despite the relative calm in the global economy, risk management today is confronting a series of substantial impending risks that will require financial services institutions to rethink traditional approaches. The global economy has strengthened, but storm clouds remain on the horizon in the form of tensions over tariffs between the United States, China, the European Union, and other jurisdictions that could potentially result in lower trade volumes. Global economic growth has been reduced by weak growth in Europe coupled with a more slowly growing Chinese economy burdened with increasing debt levels. With the lack of a final Brexit agreement between the European Union and United Kingdom, there remains significant uncertainty as to its impact for many firms.

    While the tsunami of regulatory change in the wake of the financial crisis appears to have crested, financial services institutions are preparing for a number of regulatory requirements that are still to be finalized and assessing the full implications of implementing those that have recently been finalized. Meanwhile, global institutions are facing an environment in which regulations are becoming increasingly fragmented across jurisdictions. The revisions of the Basel Committee on Banking Supervision (Basel Committee) to capital adequacy and other requirements under Basel III, while finalized, have yet to be adopted, and could be revised, by local regulatory authorities. The International Association of Insurance Supervisors (IAIS) is working to develop a global insurance capital standard (ICS) with many issues still unresolved, including defining a valuation basis and specifying the role of internal models in determining capital requirements. The final agreement for the withdrawal of the United Kingdom from the European Union under Brexit, which is still being negotiated, will have important impacts on the supervision of markets and financial institutions based in the United Kingdom and Europe, and for investment banking booking practices and models. The EU’s General Data Protection Regulation (GDPR), which took effect in May 2018, places new obligations on all financial institutions that have EU citizen data to secure consumer consent for its use, among other requirements. Initiatives to increase data privacy have also been underway in India and China. There has been a greater focus on conduct risk in many jurisdictions, notably Australia’s Royal Commission into Misconduct in the Banking, Superannuation, and Financial Services Industry.

    In recent years, financial institutions have improved the capabilities of their risk management programs to manage traditional risk types such as market, credit, and liquidity risk. Managing nonfinancial risk is now assuming greater importance, both for regulators and institutions. Among the many nonfinancial risks, increasingly sophisticated cyberattacks by individuals and nation states have made cybersecurity a top concern. Well-publicized instances of inappropriate behavior at major financial institutions have underscored the importance of managing conduct risk. Risk events at third parties employed by financial institutions can result in significant financial losses and reputational damage.

    Financial institutions should consider re-engineering their risk management programs to develop the capabilities required to meet these challenges, and some have already undertaken efforts to enhance these programs. The three lines of defense risk governance model should be re-examined to clarify the responsibilities of each line of defense, especially the business units and functions that comprise Line 1. Risk data governance at many institutions will likely need to be enhanced to provide the accessible, high-quality, and timely data required for stress testing, operational risk management, and other applications.

    Financial institutions should also consider leveraging the power of digital technologies—such as RPA, machine learning, cognitive analytics, cloud computing, and natural language processing—to increase both the efficiency and effectiveness of risk management. These tools can reduce costs by automating manual tasks such as developing risk reports or reviewing transactions. They can also automatically scan a wide variety of data in the internal and external environments to identify and respond to new risks, emerging threats, and bad actors.

    Finally, risk management needs to be infused into strategy so that the institution’s risk appetite and risk utilization are key considerations in the process of developing its strategic plan and strategic objectives.

    Deloitte’s Global risk management survey, 11th edition is the latest edition in this ongoing survey series that assesses the industry’s risk management practices and the challenges it faces. The survey was conducted from March 2018 to July 2018 and was completed by 94 financial institutions around the world that operate in a range of financial sectors and with aggregate assets of US$29.1 trillion.

    Key findings

    Continued growing importance of cybersecurity risk. There was broad consensus that cybersecurity is the risk type increasing the most in importance. Sixty-seven percent of respondents named cybersecurity as one of the three risks that would increase the most in importance for their business over the next two years, far more than for any other risk. Yet, only about one-half of the respondents felt their institutions were extremely effective or very effective in managing this risk. For specific types of cybersecurity risks, respondents most often considered their institutions to be extremely effective or very effective in managing disruptive attacks (58 percent), financial losses or fraud (57 percent), cybersecurity risks from customers (54 percent), loss of sensitive data (54 percent), and destructive attacks (53 percent). They were less likely to consider their institutions to be this effective when it came to threats from nation state actors (37 percent) or cybersecurity risks from third-party providers (31 percent). In managing cybersecurity risk, respondents most often cited as extremely challenging or very challenging staying ahead of changing business needs (e.g., social mobile, analytics, and cloud) (58 percent) and addressing threats from sophisticated actors (e.g., nation states, skilled hacktivists) (58 percent). The awareness of cybersecurity risk is growing, and fewer respondents than in the last survey considered several related governance issues to be extremely challenging or very challenging: getting the businesses to understand their role in cybersecurity risk (31 percent, down from 47 percent), setting an effective multi-year cybersecurity risk strategy approved by the board (31 percent, down from 53 percent), and securing ongoing funding/investment (18 percent, down from 38 percent).

    Increasing focus on nonfinancial risks. Almost all respondents considered their institutions to be extremely effective or very effective in managing traditional financial risks such as market (92 percent), credit (89 percent), asset and liability (87 percent), and liquidity (87 percent). In contrast, roughly one-half the respondents said the same about a number of nonfinancial risks including reputation (57 percent), operational (56 percent), business resilience (54 percent), model (51 percent), conduct and culture (50 percent), strategic (46 percent), third-party (40 percent), geopolitical (35 percent), and data integrity (34 percent). Financial institutions should consider adopting a holistic approach to managing nonfinancial risks.

    Addressing risk data and IT systems is a top priority. A theme that runs throughout the survey results is the importance of enhancing risk data and IT systems. This has been a continuing issue for financial institutions and the financial services industry for some time and indicates the deep-seated difficulty of providing quality data from source through many systems and processes to its ultimate users. When asked about the risk management priorities for their institutions over the next two years, the issues cited most often as being an extremely high priority or very high priority were enhancing the quality, availability, and timeliness of risk data (79 percent) and enhancing risk information systems and technology infrastructure (68 percent). This is consistent with results showing roughly one-third of respondents felt their institutions were extremely effective or very effective regarding data governance (34 percent) and data controls/checks (33 percent). When asked about the challenges in stress testing, data quality and management for stress testing calculations was most often considered to be extremely challenging or very challenging both for capital stress testing (42 percent) and liquidity stress testing (30 percent).

    The potential of digital risk management. Continued advances in a range of emerging technologies present a significant opportunity to dramatically transform the efficiency and effectiveness of risk management. Much of this opportunity is still to be realized; relatively few institutions reported applying some of these emerging technologies to risk management.

    The technologies that institutions most often reported using were cloud computing (48 percent), big data and analytics (40 percent), and Business Process Modeling (BPM) tools (38 percent). Although much attention has been given to RPA to reduce costs and improve accuracy by automating repetitive manual tasks without human involvement, only 29 percent of respondents said their institutions are currently using it. RPA usage is most common in risk data (25 percent), risk reporting (21 percent), and regulatory reporting (20 percent).

    Although adoption is currently fairly low, respondents believed that emerging technologies will deliver very large benefits or large benefits in many areas such as increasing operational efficiency/reducing error rates (68 percent), enhancing risk analysis and detection (67 percent), and improving timely reporting (60 percent).

    Addressing the challenges in the three lines of defense risk governance model. Virtually all institutions (97 percent) reported employing the three lines of defense risk governance model, but said they face significant challenges. The challenges most often cited as significant typically involved the role of Line 1 (business units) including defining the roles and responsibilities between Line 1 (business) and Line 2 (risk management) (50 percent), getting buy-in from Line 1 (the business) (44 percent), eliminating overlap in the roles of the three lines of defense (38 percent), having sufficient skilled personnel in Line 1 (33 percent), and executing Line 1 responsibilities (33 percent). These challenges are consistent with our experience with financial institutions, as many have been, or are in the process of, clarifying the roles of the 1st and 2nd lines of defense and working to improve the efficiency and effectiveness within the three lines of defense model.

    Increasing reliance on stress testing. Almost all institutions reported using capital (90 percent) and liquidity (87 percent) stress tests, and are placing greater reliance on them. Capital stress tests are being used more often as a key tool for boards and management, with more respondents saying that they are being used extensively in many areas than was the case in the prior survey. These tests include reporting to the board (64 percent, up from 46 percent), reporting to senior management (61 percent, up from 49 percent), defining/updating capital capacity requirements for risk (47 percent, up from 24 percent), and strategy and business planning (38 percent, up from 26 percent).

    Liquidity stress tests are also being used more extensively in several areas: assessing adequacy of excess liquidity (57 percent, up from 39 percent), meeting regulatory requirements and expectations (65 percent, up from 52 percent), and setting liquidity limits (56 percent, up from 44 percent).

    Stronger board oversight. Reflecting the slower pace of regulatory change, only 28 percent of respondents said their boards of directors were spending considerably more time on risk management compared to two years ago, which is down from 44 percent in the previous survey. Many institutions are following leading practices [1] in board oversight, with 61 percent of respondents saying that the primary responsibility for risk oversight is placed on a risk committee of the board of directors, and 70 percent saying the risk committee is composed either entirely (35 percent) or of a majority (35 percent) of independent directors, while 84 percent said the committee is chaired by an independent director.

    Widespread adoption of the CRO position. The prevalence of the CRO position continues to expand over the course of the survey series, with 95 percent of institutions now having a CRO. However, there remains room for improvement in CRO reporting relationships by having the CRO report both to the CEO and the board of directors. One-quarter of respondents said their CRO did not report to the institution’s CEO, and roughly one-half said the CRO did not report to the board of directors or a board committee.

    Continued increase in the adoption of ERM. Eighty-three percent of respondents said their institutions have an ERM program in place, up from 73 percent in the previous survey, with an additional 9 percent saying they were in the process of implementing one. In addition to addressing data and IT systems issues as noted above, the issues that were most often cited by respondents as being an extremely high or very high priority for their institutions’ ERM programs were collaboration between the business units and the risk management function (66 percent), managing increasing regulatory requirements and expectations (61 percent), and establishing and embedding the risk culture across the enterprise (55 percent).

    To learn about these and more responses from the survey, download Deloitte’s full report, Global risk management survey, 11th edition.

    Acknowledgments

    This report is the result of a team effort that included contributions by financial services practitioners from member firms of Deloitte Touche Tohmatsu Limited around the world. Special thanks are given to Bayer Consulting for administering the survey and assisting with the final document.

    In addition, the following individuals from Deloitte in the United States conducted analysis and provided project management, editorial, and/or design support:

    Katherine Smith, senior manager, Deloitte Services LP

    Ulyana Stoyan, manager, Deloitte & Touche LLP

    Connor Keenan, senior consultant, Deloitte & Touche LLP

    Ludwig Reimmer, senior consultant, Deloitte & Touche LLP

    Cover image by: Christina Chung

    Endnotes
      1. About the term “leading practice”: For purposes of this paper, we consider industry practices to fall into a range, from leading to lagging. Some industry practices may be considered leading practices, which are generally looked upon favorably by regulators, industry professionals, and observers due to the potentially superior outcomes the practice may attain. Other approaches may be considered prevailing practices, which are seen to be widely in use. At the lower end of the range are lagging practices, which generally represent less-advanced approaches and which may result in less-than-optimal outcomes. Items reflected as leading practices herein are based on survey feedback and the editor’s and contributors’ experience with relevant organizations.

    Edward Hida

    Partner | Deloitte & Touche LLP

    Edward is the Financial risk community of practice global leader and a partner in Deloitte Risk & Financial Advisory. He has more than 30 years of experience and serves some of our largest clients in various financial services sectors including banking, insurance, securities, and asset management. Edward has substantial experience consulting and providing commentary and views on a variety of governance, risk management, regulatory, and related issues. He has completed a wide range of risk management consulting assignments that have spanned the range of risk management issues from governance and infrastructure to methodology, quantitative techniques, and systems.
