Global risk management survey | Deloitte Insights
      Global risk management survey, 11th edition executive summary

      By Edward Hida
        8 minute read 23 January 2019


        Financial organizations face challenges from nonfinancial risks such as cybersecurity, model, third-party, and conduct risk—as well as looming economic dangers—that will require institutions to rethink their traditional risk management approaches.

        Despite the relative calm in the global economy, risk management today is confronting a series of substantial impending risks that will require financial services institutions to rethink traditional approaches. The global economy has strengthened, but storm clouds remain on the horizon in the form of tensions over tariffs between the United States, China, the European Union, and other jurisdictions that could potentially result in lower trade volumes. Global economic growth has been reduced by weak growth in Europe coupled with a more slowly growing Chinese economy burdened with increasing debt levels. With the lack of a final Brexit agreement between the European Union and United Kingdom, there remains significant uncertainty as to its impact for many firms.


        While the tsunami of regulatory change in the wake of the financial crisis appears to have crested, financial services institutions are preparing for a number of regulatory requirements that are still to be finalized and assessing the full implications of implementing those that have recently been finalized. Meanwhile, global institutions are facing an environment in which regulations are becoming increasingly fragmented across jurisdictions. The revisions of the Basel Committee on Banking Supervision (Basel Committee) to capital adequacy and other requirements under Basel III, while finalized, have yet to be adopted, and could be revised, by local regulatory authorities. The International Association of Insurance Supervisors (IAIS) is working to develop a global insurance capital standard (ICS) with many issues still unresolved, including defining a valuation basis and specifying the role of internal models in determining capital requirements. The final agreement for the withdrawal of the United Kingdom from the European Union under Brexit, which is still being negotiated, will have important impacts on the supervision of markets and financial institutions based in the United Kingdom and Europe, and for investment banking booking practices and models. The EU’s General Data Protection Regulation (GDPR), which took effect in May 2018, places new obligations on all financial institutions that have EU citizen data to secure consumer consent for its use, among other requirements. Initiatives to increase data privacy have also been underway in India and China. There has been a greater focus on conduct risk in many jurisdictions, notably Australia’s Royal Commission into Misconduct in the Banking, Superannuation, and Financial Services Industry.

        In recent years, financial institutions have improved the capabilities of their risk management programs to manage traditional risk types such as market, credit, and liquidity risk. Managing nonfinancial risk is now assuming greater importance, both for regulators and institutions. Among the many nonfinancial risks, increasingly sophisticated cyberattacks by individuals and nation states have made cybersecurity a top concern. Well-publicized instances of inappropriate behavior at major financial institutions have underscored the importance of managing conduct risk. Risk events at third parties employed by financial institutions can result in significant financial losses and reputational damage.

        Financial institutions should consider re-engineering their risk management programs to develop the capabilities required to meet these challenges, and some have already undertaken efforts to enhance these programs. The three lines of defense risk governance model should be re-examined to clarify the responsibilities of each line of defense, especially the business units and functions that comprise Line 1. Risk data governance at many institutions will likely need to be enhanced to provide the accessible, high-quality, and timely data required for stress testing, operational risk management, and other applications.

        Financial institutions should also consider leveraging the power of digital technologies—such as RPA, machine learning, cognitive analytics, cloud computing, and natural language processing—to increase both the efficiency and effectiveness of risk management. These tools can reduce costs by automating manual tasks such as developing risk reports or reviewing transactions. They can also automatically scan a wide variety of data in the internal and external environments to identify and respond to new risks, emerging threats, and bad actors.

        Finally, risk management needs to be infused into strategy so that the institution’s risk appetite and risk utilization are key considerations in the process of developing its strategic plan and strategic objectives.

        Deloitte’s Global risk management survey, 11th edition is the latest edition in this ongoing survey series that assesses the industry’s risk management practices and the challenges it faces. The survey was conducted from March 2018 to July 2018 and was completed by 94 financial institutions around the world that operate in a range of financial sectors and with aggregate assets of US$29.1 trillion.

        Key findings

        Continued growing importance of cybersecurity risk. There was broad consensus that cybersecurity is the risk type increasing the most in importance. Sixty-seven percent of respondents named cybersecurity as one of the three risks that would increase the most in importance for their business over the next two years, far more than for any other risk. Yet, only about one-half of the respondents felt their institutions were extremely effective or very effective in managing this risk. For specific types of cybersecurity risks, respondents most often considered their institutions to be extremely effective or very effective in managing disruptive attacks (58 percent), financial losses or fraud (57 percent), cybersecurity risks from customers (54 percent), loss of sensitive data (54 percent), and destructive attacks (53 percent). They were less likely to consider their institutions to be this effective when it came to threats from nation state actors (37 percent) or cybersecurity risks from third-party providers (31 percent). In managing cybersecurity risk, respondents most often cited as extremely challenging or very challenging staying ahead of changing business needs (e.g., social, mobile, analytics, and cloud) (58 percent) and addressing threats from sophisticated actors (e.g., nation states, skilled hacktivists) (58 percent). The awareness of cybersecurity risk is growing, and fewer respondents than in the last survey considered several related governance issues to be extremely challenging or very challenging: getting the businesses to understand their role in cybersecurity risk (31 percent, down from 47 percent), setting an effective multi-year cybersecurity risk strategy approved by the board (31 percent, down from 53 percent), and securing ongoing funding/investment (18 percent, down from 38 percent).

        Increasing focus on nonfinancial risks. Almost all respondents considered their institutions to be extremely effective or very effective in managing traditional financial risks such as market (92 percent), credit (89 percent), asset and liability (87 percent), and liquidity (87 percent). In contrast, roughly one-half the respondents said the same about a number of nonfinancial risks including reputation (57 percent), operational (56 percent), business resilience (54 percent), model (51 percent), conduct and culture (50 percent), strategic (46 percent), third-party (40 percent), geopolitical (35 percent), and data integrity (34 percent). Financial institutions should consider adopting a holistic approach to managing nonfinancial risks.

        Addressing risk data and IT systems is a top priority. A theme that runs throughout the survey results is the importance of enhancing risk data and IT systems. This has been a continuing issue for financial institutions and the financial services industry for some time and indicates the deep-seated difficulty of providing quality data from source through many systems and processes to its ultimate users. When asked about the risk management priorities for their institutions over the next two years, the issues cited most often as being an extremely high priority or very high priority were enhancing the quality, availability, and timeliness of risk data (79 percent) and enhancing risk information systems and technology infrastructure (68 percent). This is consistent with results showing roughly one-third of respondents felt their institutions were extremely effective or very effective regarding data governance (34 percent) and data controls/checks (33 percent). When asked about the challenges in stress testing, data quality and management for stress testing calculations was most often considered to be extremely challenging or very challenging both for capital stress testing (42 percent) and liquidity stress testing (30 percent).

        The potential of digital risk management. Continued advances in a range of emerging technologies present a significant opportunity to dramatically transform the efficiency and effectiveness of risk management. Much of this opportunity is still to be realized; relatively few institutions reported applying some of these emerging technologies to risk management.

        The technologies that institutions most often reported using were cloud computing (48 percent), big data and analytics (40 percent), and Business Process Modeling (BPM) tools (38 percent). Although much attention has been given to RPA to reduce costs and improve accuracy by automating repetitive manual tasks without human involvement, only 29 percent of respondents said their institutions are currently using it. RPA usage is most common in risk data (25 percent), risk reporting (21 percent), and regulatory reporting (20 percent).

        Although adoption is currently fairly low, respondents believed that emerging technologies will deliver very large benefits or large benefits in many areas such as increasing operational efficiency/reducing error rates (68 percent), enhancing risk analysis and detection (67 percent), and improving timely reporting (60 percent).

        Addressing the challenges in the three lines of defense risk governance model. Virtually all institutions (97 percent) reported employing the three lines of defense risk governance model, but said they face significant challenges. The challenges most often cited as significant typically involved the role of Line 1 (business units) including defining the roles and responsibilities between Line 1 (business) and Line 2 (risk management) (50 percent), getting buy-in from Line 1 (the business) (44 percent), eliminating overlap in the roles of the three lines of defense (38 percent), having sufficient skilled personnel in Line 1 (33 percent), and executing Line 1 responsibilities (33 percent). These challenges are consistent with our experience with financial institutions, as many have been, or are in the process of, clarifying the roles of the 1st and 2nd lines of defense and working to improve the efficiency and effectiveness within the three lines of defense model.

        Increasing reliance on stress testing. Almost all institutions reported using capital (90 percent) and liquidity (87 percent) stress tests, and are placing greater reliance on them. Capital stress tests are being used more often as a key tool for boards and management, with more respondents saying that they are being used extensively in many areas than was the case in the prior survey. These tests include reporting to the board (64 percent, up from 46 percent), reporting to senior management (61 percent, up from 49 percent), defining/updating capital capacity requirements for risk (47 percent, up from 24 percent), and strategy and business planning (38 percent, up from 26 percent).

        Liquidity stress tests are also being used more extensively in several areas: assessing adequacy of excess liquidity (57 percent, up from 39 percent), meeting regulatory requirements and expectations (65 percent, up from 52 percent), and setting liquidity limits (56 percent, up from 44 percent).

        Stronger board oversight. Reflecting the slower pace of regulatory change, only 28 percent of respondents said their boards of directors were spending considerably more time on risk management compared to two years ago, which is down from 44 percent in the previous survey. Many institutions are following leading practices[1] in board oversight, with 61 percent of respondents saying that the primary responsibility for risk oversight is placed on a risk committee of the board of directors, and 70 percent saying the risk committee is composed either entirely (35 percent) or of a majority (35 percent) of independent directors, while 84 percent said the committee is chaired by an independent director.

        Widespread adoption of the CRO position. The prevalence of the CRO position continues to expand over the course of the survey series, with 95 percent of institutions now having a CRO. However, there remains room for improvement in CRO reporting relationships by having the CRO report both to the CEO and the board of directors. One-quarter of respondents said their CRO did not report to the institution’s CEO, and roughly one-half said the CRO did not report to the board of directors or a board committee.

        Continued increase in the adoption of ERM. Eighty-three percent of respondents said their institutions have an ERM program in place, up from 73 percent in the previous survey, with an additional 9 percent saying they were in the process of implementing one. In addition to addressing data and IT systems issues as noted above, the issues that were most often cited by respondents as being an extremely high or very high priority for their institutions’ ERM programs were collaboration between the business units and the risk management function (66 percent), managing increasing regulatory requirements and expectations (61 percent), and establishing and embedding the risk culture across the enterprise (55 percent).

        To learn about these and more responses from the survey, download Deloitte’s full report, Global risk management survey, 11th edition.

        Acknowledgments

        This report is the result of a team effort that included contributions by financial services practitioners from member firms of Deloitte Touche Tohmatsu Limited around the world. Special thanks are given to Bayer Consulting for administering the survey and assisting with the final document.

        In addition, the following individuals from Deloitte in the United States conducted analysis and provided project management, editorial, and/or design support:

        Katherine Smith, senior manager, Deloitte Services LP

        Ulyana Stoyan, manager, Deloitte & Touche LLP

        Connor Keenan, senior consultant, Deloitte & Touche LLP

        Ludwig Reimmer, senior consultant, Deloitte & Touche LLP

        Cover image by: Christina Chung

        Endnotes
          1. About the term “leading practice”: For purposes of this paper, we consider industry practices to fall into a range, from leading to lagging. Some industry practices may be considered leading practices, which are generally looked upon favorably by regulators, industry professionals, and observers due to the potentially superior outcomes the practice may attain. Other approaches may be considered prevailing practices, which are seen to be widely in use. At the lower end of the range are lagging practices, which generally represent less-advanced approaches and which may result in less-than-optimal outcomes. Items reflected as leading practices herein are based on survey feedback and the editor’s and contributors’ experience with relevant organizations.


        Topics in this article

        Financial Services , Risk management , Governance , Regulatory , Strategy , Cyber risk

        Contact
        • Edward T. Hida II, CFA
        • Partner | Deloitte Risk & Financial Advisory
        • Deloitte & Touche LLP
        • ehida@deloitte.com
        • +1 212 436 4854
