Global risk management survey, ninth edition Operating in the new normal: Increased regulation and heightened expectations

Foreword

Dear colleague,

We are pleased to present the ninth edition of Global risk management survey, the latest installment in Deloitte’s ongoing assessment of the state of risk management in the global financial services industry. The survey findings are based on the responses of 71 financial institutions from around the world and across multiple sectors, representing a total of almost US$18 trillion in aggregate assets. We wish to express appreciation to all the survey participants for their time and insights.

Financial institutions continue to make progress in many areas of risk management. Boards of directors are devoting more time to risk management and most boards are addressing key issues such as approving the risk appetite statement and aligning corporate strategy with the organization’s risk profile. Having a chief risk officer position and an enterprise risk management program is becoming prevailing practice. In the area of capital adequacy, almost all the banks surveyed that are subject to Basel III requirements already meet the minimum capital ratios. Further, the tidal wave of regulatory developments ushered in by the global financial crisis shows no signs of abating, especially for large institutions deemed to be systemically important.

Risk management must respond to “the new normal”—an environment of continual regulatory change and ever more demanding expectations. In the United States, the Federal Reserve has introduced the Enhanced Prudential Standards and the Comprehensive Capital Adequacy Review. In Europe, the European Central Bank assumed responsibility for the prudential supervision of the region’s banks, and has conducted its comprehensive assessment asset quality review and stress tests. In addition, a new European Union Capital Markets Union is under development. The Basel Committee for Banking Supervision is introducing higher standards for capital adequacy and liquidity. The Solvency II capital adequacy regime is due to become effective for European insurers at the beginning of 2016, while the International Association of Insurance Supervisors is developing a global insurance capital standard. These are just a few of the many new regulatory initiatives underway around the world.

Two emerging risks in particular are receiving increased attention from financial institutions and their regulators. Cyber attacks on corporations, including financial institutions, have increased dramatically in the last few years, requiring institutions to strengthen the safeguards for information systems and customer data. Regulators are more closely scrutinizing how institutions manage conduct risk and the steps they are taking to create a risk culture and incentive compensation programs that encourage ethical behavior.

Financial institutions must not only comply with these new regulatory requirements and priorities, they also need the flexibility to respond to the next round of regulatory developments that is likely over the coming years. This will require strong risk management capabilities, robust risk infrastructures, and timely, high-quality risk data that are aggregated across the organization.

We hope that this comprehensive examination of risk management at financial institutions around the world provides you with helpful insights into today’s challenges and stimulates your thinking on how to further enhance your organization’s risk management.

Sincerely,

Edward T. Hida II, CFA
Global leader, Risk & Capital Management
Global Financial Services Industry
Deloitte Touche Tohmatsu Limited

Executive summary

The global financial crisis was the catalyst for an era of sweeping regulatory change that shows little sign of abating. Across the financial services industry, regulatory requirements are becoming broader in scope and more stringent.

After new regulations are enacted, it can take years before their practical implications become clear. Although the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) in the United States and Basel III were introduced several years ago, their rules are still being finalized. New regulatory developments include the US Federal Reserve’s Enhanced Prudential Standards (EPS), the European Central Bank (ECB) becoming the prudential supervisor of Eurozone banks, a new Banking Standards Review Council in the United Kingdom, and Solvency II becoming effective for European insurers in 2016.

The new regulatory landscape is placing demands on financial institutions in such areas as corporate governance, risk appetite, capital adequacy, stress tests, operational risk, technology data and information systems, and risk culture, to name only some areas of focus. As institutions prepare to comply, they will need the flexibility, in both their business models and compliance programs, to respond to the seemingly inevitable next round of reforms.

Deloitte’s Global risk management survey, ninth edition assesses the industry’s risk management practices and challenges in this period of reexamination. The survey was conducted in the second half of 2014 and includes responses from 71 financial services institutions around the world that operate across a range of financial sectors and with aggregate assets of almost US$18 trillion.

Key findings

More focus on risk management by boards of directors. Reflecting increased regulatory requirements, 85 percent of respondents reported that their board of directors currently devotes more time to oversight of risk than it did two years ago. The most common board responsibilities are approve the enterprise-level statement of risk appetite (89 percent) and review corporate strategy for alignment with the risk profile of the organization (80 percent).

Broad adoption of CRO position. During the course of this global risk management survey series, the existence of a chief risk officer (CRO) position has grown to be nearly universal. In the current survey, 92 percent of institutions reported having a CRO or equivalent position, up from 89 percent in 2012 and 65 percent in 2002. Although it is considered a leading practice¹ for the CRO to report to the board of directors, only 46 percent of respondents said this is the case, while 68 percent said the CRO reports to the CEO.² In a positive sign, 68 percent of respondents said the CRO has primary oversight responsibility for risk management, an increase from 42 percent in 2012. Three responsibilities of the independent risk management program led by the CRO were cited by more than 90 percent of respondents: develop and implement the risk management framework, methodologies, standards, policies, and limits; oversee risk model governance; and meet regularly with board of directors or board risk committees. Yet only 57 percent of respondents said their risk management program had the responsibility to approve new business or products.

ERM becoming standard practice. It has become a regulatory expectation for larger institutions to have an enterprise risk management (ERM) program, and this is reflected in the survey results. Ninety-two percent of respondents said their institution either had an ERM program or was in the process of implementing one, an increase from 83 percent in 2012 and 59 percent in 2008. Another positive development is that among these institutions, 78 percent have an ERM framework and/or ERM policy approved by the board of directors or a board committee.

Progress in meeting Basel III capital requirements. Eighty-nine percent of respondents at banks subject to Basel III or to equivalent regulatory requirements said their institution already meets the minimum capital ratios. The most common response to Basel III’s capital requirements was to devote more time on capital efficiency and capital allocation (75 percent).

Increasing use of stress tests. Regulators are increasingly relying on stress tests to assess capital adequacy, and respondents said stress testing plays a variety of roles in their institutions, including enables forward-looking assessments of risk (86 percent), feeds into capital and liquidity planning procedures (85 percent), and informs setting of risk tolerance (82 percent).

Low effectiveness ratings on managing operational risk types. Roughly two-thirds of respondents felt their institution was extremely or very effective in managing the more traditional types of operational risks, such as legal (70 percent), regulatory/compliance (67 percent), and tax (66 percent). Fewer respondents felt their institution was extremely or very effective when it came to other operational risk types such as third party (44 percent), cybersecurity (42 percent), data integrity (40 percent), and model (37 percent).

More attention needed on conduct risk and risk culture. There has been increased focus on the steps that institutions can take to manage conduct risk and to create a risk culture that encourages employees to follow ethical practices and assume an appropriate level of risk, but more work appears to be needed in this area. Sixty percent of respondents said their board of directors works to establish and embed the risk culture of the enterprise and promote open discussions regarding risk, and a similar percentage said that one of the board’s responsibilities is to review incentive compensation plans to consider alignment of risks with rewards, while the remaining respondents said these were not among the board’s responsibilities. Only about half of respondents said it was a responsibility of their institution’s risk management program to review compensation plan to assess its impact on risk appetite and culture.

Increasing importance and cost of regulatory requirements. When asked which risk types would increase the most in importance for their institution over the next two years, regulatory/compliance risk was most often ranked among the top three, and 79 percent felt that increasing regulatory requirements and expectations were their greatest challenge. The most important impact of regulatory reform was noticing an increased cost of compliance, cited by 87 percent of respondents.

Risk data and technology systems continue to pose challenges. Again in 2014, the survey results indicated a need for continued improvement to risk data and information systems. Sixty-two percent of respondents said that risk information systems and technology infrastructure were extremely or very challenging, and 46 percent said the same about risk data. Issues related to data quality and information systems were also considered by many respondents to be extremely or very challenging in complying with Basel III (56 percent) and Solvency II (77 percent), and in managing investment management risk (55 percent). Going forward, 48 percent of respondents were extremely or very concerned about the ability of the technology systems at their institution to be able to respond flexibly to ongoing regulatory change.

Introduction: Economic and business environment

Deloitte’s Global risk management survey, ninth edition assessed the risk management programs and challenges at 71 financial services institutions representing a range of geographic regions, asset sizes, and industry sectors. (See “About the survey.”) The survey was conducted as regulatory changes continued to sweep over the industry and amid an uncertain outlook for the global economy.

Economic storm clouds

Although the US and UK economies continued to grow, economies in the Eurozone and Japan remained weak. Emerging markets, especially China, are also growing more slowly than in the past. The strength of the US dollar is having major but unpredictable impacts on many economies. By March 2015, the US dollar had increased in value by 25 percent compared to a basket of commonly used international currencies since the US Federal Reserve announced in 2013 that it would phase out quantitative easing.³ As a result, debt service has become an increasing burden for companies outside the United States that have borrowed in US dollars, while exporters in these countries have become more competitive. Another important trend has been the dramatic fall in energy prices. Lower energy prices are expected to benefit many economies, but will have adverse effects on certain oil-producing countries, such as Russia, and on financial institutions with exposures to these countries or to companies in or dependent on the energy sector.

The US GDP grew 2.4 percent in 2014, and the World Bank predicts the US recovery will continue, with growth at 3.2 percent in 2015.⁴ Although the United States had its strongest year for job growth since 1999, real wages have not advanced.⁵ In 2014, average hourly wages increased only 1.65 percent, roughly the same as the inflation rate.⁶

The UK recovery has continued, with growth of 2.8 percent in 2014, and a similar pace is anticipated for 2015.⁷

The outlook is darker in other regions. Although the Eurozone economies are no longer contracting, GDP grew by only 0.9 percent in 2014 and is expected to expand by 1.1 percent in 2015.⁸ In January 2015, the ECB launched a $1.25 trillion package of quantitative easing in an effort to prevent deflation and stimulate growth.⁹ A new government was elected in Greece in early 2015, promising to end austerity policies and demanding forgiveness of debt by external creditors, renewing concerns that the country may exit from the euro. The economy in Japan was stagnant, with no growth in 2014 and growth of only 1.2 percent anticipated in 2015.¹⁰

Emerging markets, especially China, are not growing at the blistering pace they once were, due to weaker demand from developed countries that has not been replaced by demand from their internal markets. Growth in the Chinese economy slowed to 7.4 percent in 2014 and is predicted to decline further to 7.1 percent in 2015.¹¹ Falling demand from China is expected to have a negative impact on commodity-producing countries such as Australia, Brazil, and Russia.

Continuing regulatory reform

The focus of regulators on such issues as capital adequacy, liquidity, operational risk, governance, and culture is driving change throughout the financial industry. The impacts have been widespread as new requirements continue to be proposed by regulators around the world, even as the final rules to implement existing laws are still being written. Complying with multiple, sometimes conflicting, regulatory requirements implemented by different regulatory authorities poses a significant challenge for global financial institutions.

Applicable to US bank-holding companies with $50 billion or more in consolidated assets, the Federal Reserve’s Comprehensive Capital Adequacy Review (CCAR) has among its objectives to increase the likelihood that institutions have sufficient capital to continue operations throughout times of economic and financial stress.¹² The CCAR also applies to larger foreign banks operating in the United States.

The focus of regulators on such issues as capital adequacy, liquidity, operational risk, governance, and culture is driving change throughout the financial industry.

Regulators have extended the scope of CCAR to cover all the dimensions that could potentially impact capital adequacy.¹³ Under CCAR, the Federal Reserve reviews an institution’s capital planning processes to assess whether they are adequate to identify, measure, assess, and control risks; incorporate strong internal controls; and include effective oversight by the board of directors and management.¹⁴ The Federal Reserve has indicated that it expects to continually raise its expectations for CCAR, requiring banks to constantly upgrade their capabilities.

In 2014, the US Federal Reserve announced the final EPS covering banks with more than $10 billion in consolidated assets and places additional requirements on banks with assets of $50 billion or more. These standards codify regulatory requirements on risk management topics including capital, debt-to-equity ratio, liquidity, counterparty limits, risk governance, stress testing, and early remediation. Many financial institutions will need to enhance their capabilities to meet these requirements.

The Federal Reserve also introduced EPS for foreign banks (FBOs) and for nonbank systemically important financial institutions (SIFIs). Foreign banks that have total global assets of $50 billion or more and also have $50 billion or more in US non-branch assets are required to hold minimum levels of capital, maintain minimum levels of highly liquid assets, and conduct stress tests, as are US banks. Some foreign banks are building up their US operations to comply, while others are evaluating which of their businesses should remain in the United States.

There have also been significant changes in the European regulatory environment. These include the ECB becoming the prudential supervisor of Eurozone banks, the creation of the Single Resolution Board to address the resolvability of cross-border banks, and a new Banking Standards Review Council in the United Kingdom.¹⁵

The implementation of Basel III continues with new requirements for capital adequacy and liquidity. New requirements proposed by the Basel Committee on Banking Supervision (Basel Committee) for operational risk and credit risk would replace existing standardized approaches and bring these methodologies closer to the advanced approaches. In October 2013, the Basel Committee issued a consultative paper containing a revised framework for market risk.¹⁶

In response to the allegations of misconduct in setting the LIBOR rate and in the foreign exchange markets, both the Financial Stability Board (FSB) and the International Organisation of Securities Commissions (IOSCO) have worked on standards of behavior related to rate fixing. IOSCO has also released a policy recommending that financial institutions assess the suitability of wholesale and retail clients when selling complex products.

Banks are also facing new regulations that require them to restructure their operations. Under the Federal Reserve’s FBO EPS, foreign banks operating in the United States that have total global assets of $50 billion or more and also have $50 billion or more in US non-branch assets are required to form an intermediate holding company and run their US operations as a standalone bank.

In Europe, several structural reform initiatives may require banks to revise their business models and restructure their operations due to restrictions placed on businesses such as proprietary trading and requirements for ring-fencing their retail operations and their investment banking and trading operations into separate subsidiaries.¹⁷ Legislation now exists in France, Germany, Belgium, and the United Kingdom. In the United Kingdom, the largest banks were required to submit preliminary plans in January 2015 to the Bank of England’s Prudential Regulation Authority for how they will implement ring-fencing of their retail banking operations.¹⁸ In 2014, the EC issued a proposal to ban proprietary trading and require ring-fencing for EU-headquartered global systemically important banks (G-SIBs) as well as other banks with substantial trading activities in the European Union, even if headquartered elsewhere.¹⁹ Under the EC proposal, national regulatory authorities would retain substantial discretion on the application of the rules. The final form of the ring-fencing rules remains unclear, and in December 2014, a draft report by the European parliament proposed that the new rules should remove the presumption that deposit-taking and trading should be separated and instead provide regulators with the flexibility to use other tools to reduce risk.²⁰

Higher capital requirements

Concerned about the solvency of financial institutions in times of financial stress, regulators have been requiring them to hold more capital. The Basel Committee is pursuing multiple efforts to transform the current Basel III capital regime. These efforts include proposals to revamp the capital charge regimes for both credit and operational risk, and a new requirement for Total Loss-Absorbing Capacity (TLAC), which will require additional financial resources.

The US Federal Reserve has also increased its capital requirements, as well as adopted a requirement for TLAC. One estimate is that US banks will need to add as much as $68 billion in additional capital to comply.²¹ In Australia, the Financial System Inquiry has also recommended adopting a standard for TLAC.

Solvency II, a capital adequacy regime for European insurers, is due to come into effect on January 1, 2016. The International Association of Insurance Supervisors (IAIS) is also developing a risk-based global Insurance Capital Standard, which is expected to be completed by the end of 2016.

Stress testing

There has been a trend for regulators to rely more on stress tests to assess capital adequacy. In the United States, stress tests have become the primary capital constraint for banks, with the Federal Reserve requiring stress tests of all banks with $10 billion or more in assets to assess how well they could withstand a major downturn in the economy and the financial markets. “Stress testing ... holds great promise as a capital tool, a risk-sensitive capital tool, for big institutions,” said Daniel K. Tarullo, a governor of the Federal Reserve who sits on the Federal Reserve’s financial stability committee.²²

The ECB conducted stress tests of European banks in 2014. Considered less rigorous than the US stress tests, only 13 of 130 banks failed to pass once measures taken in 2014 to improve their capital are taken into account.²³For its next round of stress tests, the ECB is planning a more intensive examination of the region’s banks that focuses on the risks and viability of their business models.²⁴ The Bank of England also conducts stress tests and told its banks that the tests in 2015 would be more exacting and focus more on risks from overseas markets.²⁵In Australia, the Australian Prudential Regulatory Authority conducted stress tests in 2014 of banks’ mortgage books across the industry, concluding that the country’s banks were poorly prepared to recover from another financial crisis.²⁶

With stress tests being required by the US Federal Reserve, the ECB, the Bank of England, and other regulators, some large global institutions will be subject to stress tests conducted by multiple regulators.

For European insurance companies, stress tests in 2014 required by the European Insurance and Occupational Pensions Authority (EIOPA) concluded that one in seven insurers in the European Union did not have the level of capital that will be required under Solvency II by 2016.²⁷

Volcker Rule

The final Volcker Rule under the Dodd-Frank Act was released by US regulators in December 2013. It prohibits various forms of proprietary trading by banks operating in the United States and reduces their permitted investments in hedge funds and private equity activities. Implementing the Volcker Rule is a complex task. Market-making, hedging, and underwriting are still allowed, but it can be difficult to determine if a trade is permissible or not. The five major US banking regulatory bodies charged with implementing the Volcker Rule will be issuing a report, as mandated by the Dodd-Frank Act, which will list which activities are allowed.²⁸

Banks covered by the Volcker Rule must comply by July 21, 2015.²⁹ However, in December 2014, the Federal Reserve announced that banks would have until 2017 to divest their stakes in hedge funds and private equity funds.³⁰Banks subject to the Volcker Rule will need rigorous policies and procedures, including automated workflows, that will enable them to comply, including documenting their policies on hedging and justifying the classification of their inventories related to market-making.³¹ Institutions with greater than $10 billion in assets will be required to subject their compliance with the Volcker Rule to independent testing, while institutions with greater than $50 billion in assets will also be required to furnish an attestation by the firm’s CEO. Some foreign banks are considering whether to limit their participation in US capital markets to take advantage of the “solely outside the United States” exemption.

European regulators have also proposed restrictions on trading activities by banks. The EC issued a proposal in 2014 that would ban the largest banks operating in the European Union from engaging in proprietary trading or having certain relationships with hedge funds.³² The rules would apply to EU-headquartered G-SIBs and also to banks that have large or complex trading operations in the European Union.

Systemically important financial institutions

The Financial Stability Oversight Council (FSOC), comprised of US regulators, was established by the Dodd-Frank Act and charged with identifying and addressing risks to the US financial system. When the FSOC designates a firm as a “systemically important financial institution” (SIFI), it is subject to stricter regulatory oversight and capital requirements. Several nonbanks have also been designated as US SIFIs. Designation of a bank as a SIFI depends on its asset size, but the criteria are more complex for insurers and other nonbank financial institutions.³³ The process for designating an institution as a US SIFI has been criticized for a lack of transparency and clear criteria, and one institution has challenged its designation in court.

One objective of the Dodd-Frank Act was to address the problem that some financial institutions were considered “too big to fail” during the global financial crisis and received government bailouts. In response, SIFIs are required to develop recovery and resolution plans (“living wills”). In August 2014, however, the Federal Reserve and the Federal Deposit Insurance Corporation (FDIC) rejected the living wills submitted by all the major US financial institutions, saying they were unrealistic and their corporate structures remained too complex to recover or resolve in the event of financial distress.³⁴The institutions will need to revise these plans and rethink their underlying structures.

European regulators are also focusing on resolution. Beginning in 2015, the Single Resolution Board within the Banking Union in the European Union will begin working with national authorities on resolution planning, resolvability assessments, and the setting of loss absorbency.³⁵ In addition, the EU’s Bank Recovery and Resolution Directive (BRRD) gives regulatory authorities wide-ranging powers to mandate banks to change their legal, operational, and financial structures to improve their resolvability, including requiring the EU operations of a bank headquartered elsewhere to operate under an EU holding company.³⁶

Record level of fines

Regulatory fines levied on banks have mounted to unprecedented levels. Banks around the world paid a record $56 billion in fines to regulatory authorities in 2014 and more than $200 billion over the last several years.³⁷ Given the size of the fines being levied, the regulators may need to consider the impact that fines could have on the capital of individual institutions and on the financial system as a whole.

Regulatory fines levied on banks have mounted to unprecedented levels.

These fines were the result of a variety of incidents, including allegations that banks misled investors about mortgage-backed securities during the global financial crisis, manipulated foreign exchange markets and LIBOR interest rates, and violated sanctions imposed on foreign governments including Cuba, Iran, and Sudan. Some have argued that regulators are using fines as a covert strategy to restrain the size of large financial institutions, in an effort to address the problem of “too big to fail.”

More regulatory changes on the horizon

There is every indication that the next few years will bring further regulatory change. In October 2014, the Basel Committee announced proposals to revise the standardized approach for measuring operational risk capital, moving from using gross income as a key input to determine the operational risk charge to what they believe is a statistically superior approach.³⁸ In December 2014, it released a consultative document to revise the standardized approach for credit risk. Among other changes, the proposal would reduce the reliance on ratings by credit rating agencies, require more granularity and risk sensitivity, and provide more comparability with the internal ratings-based (IRB) approach for similar exposures.³⁹ Over the next three years, the Basel Committee is expected to raise the risk-based capital ratio, revise risk weighting, and decrease the use of models for assessing risk and setting capital requirements.⁴⁰

Although the Dodd-Frank Act was passed in 2010, establishing the required rules has been a slow process. As of December 1, 2014, only 58 percent of the 398 total required rulemakings had been finalized, while 23.6 percent had not yet been proposed.⁴¹

The European Commission (EC) has launched the Capital Markets Union (CMU) to develop a single market for capital. These principles apply to all 26 EU member states. One of the principal goals of the initiative is to maximize economic growth by creating more integrated and deeper capital markets. Although Europe’s capital markets have grown in recent decades, those in the United States remain far larger.⁴² The debt securities markets, including the markets for corporate and government bonds, are three times larger in the United States than in the European Union, while the US market for private placements is almost three times as large as its EU counterpart.⁴³ In February 2015, the EC published its first green paper (GP) identifying five early initiatives for the CMU agenda: review of the prospectus regime, high-quality securitization standards, pan-European private placements, improving credit information for small and medium-sized enterprises, and encouraging the uptake of European Long Term Investment Funds.⁴⁴ There are also indications that the CMU will place a new focus on nonbank forms of finance, often termed “shadow banking,” in an effort to stimulate jobs and growth, and this may be reflected when the Money Market Funds Regulation is proposed. Although the new EU Regulations and Directives was passed by the EC and Parliament, the European Supervisory Authorities still have to publish the detailed implementing standards.⁴⁵

After a uniform trend of ever-stricter regulatory requirements, there were some developments in 2014 and early 2015 that moved in the opposite direction in the United States. The US Congress repealed a provision of the Dodd-Frank Act requiring banks to “push out” the trading of derivatives into subsidiaries that do not benefit from deposit insurance.⁴⁶ There were steps to slow the implementation of the Volcker Rule and narrow its scope. Smaller US banks won relaxation of a number of requirements of the Dodd-Frank Act, including a relaxation of restrictions on lending and acquisitions, an exemption from stricter post-crisis rules on mortgage lending, and a proposal by the Federal Reserve to allow small banks to assume more debt to finance mergers and acquisitions.⁴⁷

Profitability predicament

These developments have placed conflicting pressures on financial institutions. Institutions are facing significantly increased compliance costs due to new regulatory requirements, more frequent and intrusive examinations, and greatly expanded fines. Potentially adding to these costs, in early 2015, European finance ministers from 11 countries were considering imposing a harmonized tax on financial transactions.⁴⁸ At the same time, institutions are required to hold higher levels of capital under the capital adequacy standards of Basel III, the US CCAR, and Solvency II, as well as a surcharge on G-SIBs imposed by Basel III and an additional G-SIB surcharge imposed by some countries such as the United States and Switzerland. The introduction of minimum levels of TLAC by the Basel Committee and the US Federal Reserve will further increase the capital requirements. The higher capital requirements have spurred banks to move away from activities that require more capital, such as trading. The percentage of bank assets dedicated to trading dropped from 41 percent in 2006 to 21 percent in 2013, according to analysis by the International Monetary Fund.⁴⁹

But higher compliance costs and increased capital levels are not all. Many institutions also have fewer revenue-generating opportunities due to restrictions on proprietary trading, bank interchange fees, and the loss of market-making for over-the-counter derivatives due to a requirement that derivatives be traded on exchanges and centrally cleared with lower margins. The net result of rising compliance costs coupled with limitations on business activities is a squeeze on revenues and profitability. For example, revenues at US banks have been flat since 2010.⁵⁰

Cyber risk

Cyber risk continues to increase in importance for financial services institutions and other companies, which have been targeted by sophisticated hacker groups. Some of these groups are believed to be well-financed criminal organizations, while others appear to be state-sponsored actors. In 2014, hackers gained access to customer data at several major US banks in a series of coordinated attacks, stealing checking and savings account information, while another attack during the same year resulted in a data breach impacting millions of insurance customer records.⁵¹ In recent years, banks have been subject to distributed denial of service (DDoS) attacks in which their networks are flooded with so much traffic that they slow or stop completely. These attacks have been blamed on, among others, China, Russia, North Korea, Iran, and extremist Islamic groups.⁵²

Risk data

Financial institutions face the complex task of complying with stricter regulatory requirements concerning risk data quality and the ability to aggregate data in a timely fashion across the enterprise. The Basel Committee’s principles for risk data aggregation and reporting (BCBS 239) currently apply only to G-SIBs, but there are indications that regulators will require these principles to be adopted by a wider group of institutions. Many large banks have indicated they are facing significant challenges to achieve compliance by the deadline of January 1, 2016, and smaller institutions may find it even more difficult to adhere to these principles. These data standards apply to the full range of risks facing the organization.

In the United States, the Office of the Comptroller of the Currency (OCC) has issued heightened standards for certain large national banks and a liquidity-coverage rule that will require many institutions to upgrade their data capabilities. European insurers will face more stringent data and reporting requirements as a result of Solvency II, with preparatory Pillar III reporting disclosures expected in 2015, prior to implementation on January 1, 2016. The European Securities and Markets Authority is expected to publish new requirements for reporting by securities firms on post-trade reporting, transaction reporting, and commodities derivatives positions reporting requirements under the Markets in Financial Instruments Regulation (MiFIR).

Conduct risk and risk culture

Recently, regulators have increased their attention on conduct risk, that is, behavior that is perceived to have detrimental impacts on customers, whether retail or wholesale, or that could harm market integrity. Supporting their focus on conduct risk, regulatory authorities are also increasing their scrutiny of the broader qualitative issues that comprise an institution’s risk culture, such as its ethical standards, its compensation practices, and the role of the board of directors and senior management in promoting ethical behavior. Commenting on the importance of conduct risk and risk culture, William Dudley, the president of the Federal Reserve Bank of New York, said, “There is evidence of deep-seated cultural and ethical failures at many large financial institutions. Whether this is due to size and complexity, bad incentives, or some other issues is difficult to judge, but it is another critical problem that needs to be addressed.”⁵³

In its report on risk governance in February 2013, the FSB identified the importance for regulators to assess business conduct and the suitability of products, both the type of products and whom they are sold to.⁵⁴ Since then there have been a variety of developments by regulators around the work addressing conduct risk and risk culture.

Regulators in the United Kingdom have been especially active in this area. The Senior Managers Regime introduced for banking and insurance will result in more supervisory scrutiny of individuals, while the Prudential Regulation Authority has placed a premium for institutions to manage conduct risk and also to create and embed risk culture. In 2013, a new Financial Conduct Authority (FCA) was created with the goal of ensuring that the financial industry is run with integrity and that consumers are treated fairly. Among the FCA’s priorities for 2015–2016 are to review culture change programs in retail and wholesale banks, inducements and conflicts of interest relating to retail investment advice, and retirement sales practices.⁵⁵ The Fair and Effective Markets Review (FEMR) was established in 2014 with the goal of restoring trust in wholesale financial markets in the wake of recent abuses, and the Banking Standards Review Council was launched in 2015 with the mission of promoting high standards of behavior across the industry. Elsewhere in the European Union, supervisory authorities have also been encouraged to increase the focus on consumer protection.

In the United States, enforcement actions by the Consumer Financial Protection Bureau have resulted in large restitution requirements and fines levied on financial institutions. The US Federal Reserve has placed a new emphasis on how financial institutions can encourage ethical behavior by their employees through appropriate hiring, compensation, promotions, and demotions, as well as by having senior management stress the importance of ethical behavior.⁵⁶ The US Comptroller of the Currency, Thomas Curry, has said that assessment of a bank’s culture could significantly affect the OCC’s CAMELS rating for capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk.⁵⁷

The US Federal Reserve, the OCC, and the FDIC are working to implement regulatory requirements for incentive compensation as mandated by the Dodd-Frank Act. There are indications that these rules may require that institutions employ clawbacks in cases of fraud or excessive risk-taking and also retain a significant portion of compensation for a period.⁵⁸

In Asia, Singapore’s Financial Advisory Industry Review Panel completed a comprehensive review of the financial services industry in 2013 and released a consultation paper on legislative amendments for comment in October 2014.⁵⁹ One of its principal objectives was to promote a culture of fair dealing in the distribution of investment and life insurance products.⁶⁰ The Hong Kong Monetary Authority has launched a Treat Customers Fairly initiative designed to improve corporate culture and customer practices among retail banks.⁶¹

Banks are responding to the regulatory focus on culture by establishing new committees, conduct-risk functions, and policies.⁶² While no one disputes its importance, financial institutions are struggling to develop approaches to measure and quantify risk culture through such tools as employee surveys and scorecards as well as the use of more innovative techniques.⁶³

About the survey

This report presents the key findings from the ninth edition of Deloitte’s ongoing assessment of risk management practices in the global financial services industry. The survey gathered the views of CROs or their equivalents at 71 financial services institutions around the world and was conducted from August to November 2014.

The institutions participating in the survey represent the major economic regions of the world, with most institutions headquartered in the United States/Canada, Europe, or Asia Pacific (figure 1). Most of the survey participants are multinational institutions, with 68 percent having operations outside their home country.

The survey participant companies provide a range of financial services offerings, including insurance (58 percent), banking (55 percent), and investment management (48 percent) (figure 2).⁶⁴

The institutions have total combined assets of $17.8 trillion and represent a range of asset sizes (figure 3). The survey participants that provide asset management services represent a total of US$5.6 trillion in assets under management.

Where relevant, the report compares the results from the current survey with those from earlier surveys in this ongoing series.

Analysis by asset size

In this report, selected survey results are analyzed by the asset size of participating institutions using the following definitions:

Small institutions—institutions with total assets of less than US$10 billion

Mid-size institutions—institutions with total assets of US$10 billion to less than US$100 billion

Large institutions—institutions with total assets of US$100 billion or more

Risk governance

Role of the board of directors

The central role of the board of directors in providing oversight of a financial institution’s risk management program has been a regulatory expectation for some time. In October 2010, the Basel Committee issued principles designed to enhance governance that addressed the role of the board of directors in risk management, the qualifications of the board members, and the importance of an independent risk management function. The US OCC issued its heightened standards requiring that large banks have a board-approved risk-governance framework. For US insurers, in 2014 the National Association of Insurance Commissioners (NAIC) approved a framework for adoption by the states that requires insurers to file an annual report about their corporate governance practices, including their governance framework, the policies and practices of their board of directors and committees, and their management policies and practices.⁶⁵

More than six years after the global financial crisis, risk management continues to demand greater attention from boards of directors. Eighty-five percent of respondents said their board of directors currently devotes more time to oversight of risk than it did two years ago; only 1 percent said it spends less time than before. However, the pace of increasing board activity on risk management appears to be slowing. Forty-four percent of respondents said their board of directors spends considerably more time than before on risk management, compared to 67 percent in the 2012 survey.⁶⁶ Molly Scherf, a deputy US comptroller in the OCC, commented in early 2015 about large US banks, “There’s clear evidence across all large institutions that boards of directors are more actively overseeing banks they supervise.”⁶⁷

“With regard to changes in risk governance, if we start from the top at the board level, there is a lot more interest in the risk management policy. Risk-focused discussion is getting a lot more air time than it did five years ago.” Chief risk officer, insurance

Among subgroups of participants, both European respondents and those from small institutions were more likely to say their board of directors is devoting considerably more time than before to oversight of risk. Fifty-two percent of European respondents said their board now spends considerably more time on risk management than two years ago, compared to 39 percent among respondents in the United States/Canada.⁶⁸ Among small institutions, 56 percent said their board devotes considerably more time to risk management than before, compared to 41 percent for mid-size institutions and 38 percent for large institutions. These trends are consistent with the focus on board risk oversight, which began with large institutions, followed by mid-sized and then smaller institutions.

Most boards of directors have a wide variety of risk management responsibilities. The board responsibility cited most often was approve the enterprise-level statement of risk appetite (89 percent), which is up from 78 percent in 2012, and reflects the emphasis that regulators have placed on the board’s responsibility in this area (figure 4). Although almost all respondents said their board of directors approves a risk appetite statement, fewer said it engages in several other monitoring and planning activities that are needed for the risk appetite statement to inform the institution’s decisions, including review corporate strategy for alignment with the risk profile of the organization (80 percent), monitor risk appetite utilization including financial and non-financial risk (77 percent), and monitor new and emerging risks (71 percent).

Fewer boards of directors are active in other areas, although there has been some progress since 2012. Sixty percent of respondents said their board of directors works to establish and embed the risk culture of the enterprise and promote open discussions regarding risk, which is an increase from 51 percent in 2012. This is consistent with the increased focus by regulators around the world on managing conduct risk and embedding a risk culture that promotes ethical behavior by employees.

Reviewing incentive compensation is another area where board involvement has become more common but where there is still room for improvement. Sixty-three percent of respondents said a responsibility of their board of directors is to review incentive compensation plans to consider alignment of risks with rewards, which is up from 49 percent in 2012.

With increasing regulatory expectations for boards of directors, institutions may find it more difficult than before to identify qualified board members when seats become vacant. Today, board members need more knowledge of the business and greater skills, especially for those serving as designated risk experts. At the same time, potential board members may conclude that serving on the board of a financial institution or on the board risk committee entails greater personal risks than before.

Board risk committees

There has been a continuing trend toward the board of directors placing oversight responsibility in a board risk committee. This structure is a regulatory expectation and has come to be seen as a leading practice. The EPS issued by the Federal Reserve in March 2014 requires that US publicly traded banks with consolidated assets of $10 billion or more have a risk committee of the board of directors that is chaired by an independent director.⁶⁹ The risk committee is expected to review and approve the risk management policies of the bank’s global operations. For US banks with consolidated assets of $50 billion or more, the risk committee must be an independent committee of the board and have exclusive oversight of the bank’s risk management policies and risk management framework for its global operations. The Federal Reserve’s EPS for foreign banks requires foreign banking organizations that have total global assets of $50 billion or more and also have $50 billion or more in US non-branch assets to establish a US risk committee overseeing all US operations.⁷⁰ This committee may either be placed at the intermediate holding company for its US operations, or else at the board of directors of the parent. In either case, this committee is required to have at least one independent director.

Respondents most often said the board of directors assigns its primary oversight responsibility to the board risk committee (51 percent), which is an increase from 43 percent in 2012. An additional 23 percent of respondents said oversight is assigned to other board committees: audit committee (10 percent), combined audit and risk committees (7 percent), or multiple board committees (6 percent).

Yet, the second most common structure is to have oversight responsibility lodged in the full board of directors (23 percent).

Placing responsibility in a board risk committee is much more common in the United States/Canada (61 percent) than in Europe (30 percent), which reflects the emphasis that the Federal Reserve and the OCC have placed on this approach. Among small institutions, only 19 percent assign primary oversight to a board risk committee, compared to 55 percent for mid-size institutions and 65 percent for large institutions. Among small institutions, 25 percent of respondents said oversight responsibility is assigned to the audit committee of the board, while 19 percent said it was shared by the audit and risk committees.

There is a regulatory expectation that the board risk committee should contain independent directors and an identified risk management expert, and more financial institutions are following these practices. In the survey, 86 percent of respondents reported that their institution has at least one independent director on its board risk management committee, up from 58 percent in 2012, and 79 percent said the risk committee is chaired by an independent director, up from 54 percent in 2012.

In 2014, 60 percent of respondents said the board risk committee contains an identified risk management expert, up slightly from 55 percent in 2012, with this being more common in the United States/Canada (68 percent) than in Europe (43 percent). One reason for the differences between regions is that while US regulations have the expectation that the board risk committee contains an identified risk management expert, European regulations contain a more general requirement that risk committee members “... shall have appropriate knowledge, skills and expertise to fully understand and monitor the risk strategy and the risk appetite of the institution.” ⁷¹

A separate study of US banks with more than $50 billion in assets by the Deloitte Center for Financial Services found that institutions having board risk committees that review and approve the firm’s risk management framework and also those that require a risk expert on the risk committee each had a higher average return on average assets (ROAA) than other institutions.⁷² Although these practices may not directly cause higher performance, they may indicate that a connection exists between good risk governance and stronger performance.

Role of the CRO

Although the board of directors has ultimate oversight responsibility for risk management, senior management is responsible for managing the risk program, including fostering effective coordination with other functions, such as finance and human resources, and with the lines of business. Senior management is also the key player in fostering a culture that integrates risk considerations when making business decisions and promotes ethical behavior.

The existence of a CRO or an equivalent position that has management oversight for the risk management program across the organization is a leading practice and a regulatory expectation. Over the more than 10 years of Deloitte’s global risk management survey series, the CRO position has become almost universal. In 2014, 92 percent of respondents said their institution has a CRO or equivalent position,⁷³ up slightly from 89 percent in 2012 and up sharply from 65 percent in 2002 (figure 5). The existence of a CRO is closely related to the size of the institution. All the respondents at large institutions and 97 percent of those at mid-size institutions reported having a CRO, compared to 69 percent at small institutions.

It is also considered a leading practice for the CRO to report directly to the board of directors, but this practice is not widespread. Most respondents said the CRO reports to the institution’s CEO (68 percent), while only 46 percent said the CRO reports to the board of directors.⁷⁴ Both figures are similar to the results in 2012.

When it comes to the management-level oversight of the risk management program, regulatory expectations and leading practice suggest the CRO should have primary oversight responsibility, and more institutions are moving in this direction. In the current survey, respondents were most likely to report the CRO is primary oversight responsibility (55 percent), an increase from the 2012 survey (42 percent). At the same time, the percentage of respondents that said the CEO has primarily responsible for risk management oversight dropped to 23 percent from 39 percent in 2012.

Assigning primary responsibility for risk management to the CRO is less common among institutions providing investment management services (44 percent) than among those in banking (67 percent) or insurance (66 percent). These differences are likely shaped by industry practices driven by prevailing business models and regulatory expectations. As expected, the risk management program is also less likely to be overseen by the CRO at small institutions (38 percent) than at mid-size (62 percent) or large institutions (58 percent).

What roles do institutions assign to their firm-wide, independent risk management group? Leading the list of responsibilities is develop and implement the risk management framework, methodologies, standards, policies, and limits (98 percent). The items cited next most often were oversee risk model governance (94 percent) and meet regularly with board of directors or board risk committees (94 percent).

More work is needed to establish a consistent set of risk responsibilities for boards of directors. Risk should be considered when setting strategy or establishing company objectives, but 32 percent of respondents said the head of the firm-wide risk management group does not serve as a member of the executive management committee. Although it is important for organizations to understand the risks they are assuming when they enter new lines of business or introduce new products, only 57 percent of respondents said approving these initiatives is a responsibility of their risk management group. Since the global financial crisis, the role of compensation in risk management has received close attention from both regulators and investors, but just 51 percent of respondents said a responsibility of the independent risk management group is to review compensation plan to assess its impact on risk appetite and culture.

Risk appetite

The development of a written statement of risk appetite plays a central role in clarifying the level of risk an institution is willing to assume. It can serve as important guidance for senior management when setting the institution’s strategy and strategic objectives, as well as for the lines of business when seeking new business or considering their trading positions.⁷⁵ Since the global financial crisis, the importance of a risk appetite statement has received greater attention. In 2009, the Senior Supervisors Group, which is composed of the senior financial supervisors from seven countries,⁷⁶ released a report that identified the failure of some boards of directors to establish the level of risk acceptable to their institution, ⁷⁷ and the following year released a series of recommendations regarding the issue.⁷⁸ The FSB issued principles for an effective risk appetite framework in November 2013.⁷⁹ In the United States, the OCC issued enforceable guidance for heightened standards that require banks with more than $50 billion in consolidated assets to have a comprehensive risk appetite statement that is approved by the board of directors.

Given the key role of the risk appetite statement, it is a prevailing practice for it to be reviewed and approved by the board of directors. Three-quarters of respondents said their institution has a written enterprise-level statement of risk appetite that has been approved by the board of directors, an increase from 67 percent in 2012. An additional 13 percent said their institution was currently in the process of developing a risk appetite statement and seeking board approval.

Most respondents at large and mid-size institutions said their organization has a board-approved risk appetite statement, and this was more common than in 2012: large institutions (85 percent versus 67 percent in 2012) and mid-size institutions (79 percent versus 61 percent in 2012).

It is a regulatory expectation that both banks and insurance companies have a risk appetite statement approved by their board of directors and almost all banks (95 percent) and insurance companies (97 percent) either have a board-approved statement of risk appetite or are in the process of developing one and seeking approval. This was somewhat less common for investment management firms (83 percent).

Regulatory expectations regarding the application of the risk appetite statement have been relatively modest. Regulators have indicated they want institutions to have a risk appetite statement and to use it and report on it, but have not been specific about its characteristics.

Developing an effective statement of risk appetite can pose a variety of challenges. It can be difficult for institutions to define their risk appetite separately for individual risk types and then measure risk in each area. The two issues that respondents most often considered to be extremely or very challenging were defining risk appetite for strategic risk (55 percent) and defining risk appetite for reputational risk (55 percent) (figure 6). Measuring strategic risk requires an institution to assess the overall risk posed by, and to, its business strategy. Reputational risk is typically a secondary risk that is the consequence of other types of risk events such as market, credit, or operational risk. Both are difficult to measure and establish limits for. The issue cited next most often as extremely or very challenging was defining risk appetite for operational risk (38 percent), which poses similar measurement difficulties.

An encouraging sign was that several important tasks in developing and implementing a risk appetite statement were considered challenging by relatively few respondents: integrating stress testing results when defining risk appetite (21 percent), gaining the active participation of business units in implementing the risk appetite and risk limits (18 percent), and complying with regulatory expectations regarding risk appetite (11 percent). In some cases, business unit management may resist the use of risk appetite as limiting their ability to manage their business activities and generate profits, but this does not appear to be common.

Three lines of defense risk governance model

Employing a “three lines of defense” approach to risk management is increasingly accepted as a leading practice that specifies the risk management roles played by different parts of the organization.

The three lines of defense governance model can be summarized as follows:

• Line 1: Business units own and manage risks
• Line 2: Control functions for risk provide oversight and control
• Line 3: Internal audit function validates the risk and control framework

The three lines of defense risk governance model has become widely adopted. In 2014, 94 percent of respondents reported that their institution employs this model, up from 88 percent in 2012.

Respondents said the most significant challenge in employing the three lines of defense model is defining and maintaining the distinction in roles between line 1 (the business) and line 2 (risk management), with 51 percent of respondents citing this as a significant challenge.⁸⁰ In addition, 36 percent of respondents said getting buy-in from line 1 (the business) presents a significant challenge. This proved especially challenging for small institutions (54 percent) compared to mid-size (31 percent) and large institutions (32 percent).

Enterprise risk management

An ERM program is designed to provide a comprehensive assessment of the risks an institution faces and a process for managing them. By taking an integrated view across the organization, ERM programs assist institutions in understanding the full range of risks they face and how these compare to its risk appetite. They also help identify interrelationships among risks in different lines of business or geographies that might have gone undetected. Both large and mid-size financial institutions are being encouraged by regulatory authorities to implement ERM programs and integrate their findings into business decision-making.

Ninety-two percent of respondents said their institution either has an ERM program in place or is in the process of implementing one, an increase from 83 percent in 2012 and 59 percent in 2008 (figure 7). As expected, having an ERM program in place or implementing one is more common in large (85 percent) and mid-size institutions (72 percent) than in small institutions (38 percent).

Among institutions that have an ERM program or are implementing one, 92 percent have an approved ERM framework and/or an ERM policy, including 78 percent that have it approved by the board of directors or a board committee. A positive trend is that both figures have increased significantly since 2012 when 73 percent reported having an ERM framework and/or policy and 59 percent said it was approved by the board or a board committee.

Key challenges

Complying with new regulations was seen by respondents as by far the greatest challenge, with 79 percent of respondents saying increasing regulatory requirements and expectations is extremely or very challenging for their institution (figure 8).

Other issues that were often seen as extremely or very challenging were risk information systems and technology infrastructure (62 percent) and risk data (46 percent). Regulators are expecting financial institutions to provide timely information on such issues as capital, liquidity, stress testing, resolution planning, consumer protection, and Volcker Rule compliance. Data on these and other areas need to be timely, accurate, and aggregated across the enterprise.

Staying current on the changing nature of the risks facing an institution is difficult, and 35 percent of respondents considered identifying and managing new and emerging risks to be extremely or very challenging.

The increasing attention by regulators to risk culture was reflected in the fact that establishing and embedding the risk culture across the enterprise was considered to be extremely or very challenging by 35 percent of respondents.

Following these issues were two items related to talent. Roughly one-third of respondents said it is extremely or very challenging to attract and retain business unit professionals with required risk management skills and a similar percentage said the same about attracting and retaining risk management professionals. Some commentators have noted the lack of an adequate supply of talent with risk management skills in such areas as operational, reputational, and regulatory risk.⁸¹

A positive indication was the fact that few respondents considered several important issues to be extremely or very challenging for their institution, including collaboration between the business units and the risk management function (17 percent), active C-suite involvement (15 percent), and active involvement of the board of directors (7 percent). Although progress has been made, institutions often face challenges in implementing the three lines of defense model and having their business units fully embrace their role as the first line of defense in owning and managing risks.

Given all these challenges, it is not surprising that 65 percent of respondents expected their institution would increase spending on risk management over the next three years by 5 percent or more, including 37 percent who expected spending to rise by 10 percent or more.

Aligning compensation

In recent years, there has been increased scrutiny on whether incentive compensation at financial institutions is aligned with risk appetite and whether compensation plans may encourage excessive risk taking. Among its other provisions, the heightened standards guidance issued by the OCC in 2014 requires banks with more than $50 billion in consolidated assets to have well-specified talent management and compensation programs.

Responding to changing expectations by regulatory bodies, as well as by investors and the general public, in recent years there has been a tremendous shift in compensation practices. Many financial institutions have enhanced their governance processes and increasingly use such tools as multiple incentives, clawbacks, and payment in stock. Although improved compensation practices on their own cannot prevent employees from taking inappropriate risks, the economic incentive to do so for personal gain has been severely curtailed.

Given the focus on aligning compensation with a firm’s risk appetite, it was surprising that only 63 percent of respondents said their board of directors or board risk committee reviews incentive compensation plans to consider alignment of risk with rewards.

Some leading compensation practices are relatively common among management, including require that a portion of the annual incentive be tied to overall corporate results (72 percent), balance the emphasis on short- and long-term incentive (64 percent), use of multiple incentive plan metrics (62 percent), and deferred payouts linked to future performance (61 percent) (figure 9). However, relatively few respondents said their institution uses other compensation practices designed to align employee incentives with the institution’s risk management objectives such as caps on payouts (30 percent), establish for employees identified as material risk takers a maximum ratio between the fixed and the variable component of their total remuneration (29 percent), use of individual metrics tied to the implementation of effective risk mitigation strategies (28 percent), and match the timing of payouts with the term of the risk (19 percent). It is likely that many of these practices will become more widespread over time as regulators focus on compensation as part of their increased attention to risk culture.

Economic capital

Many financial institutions calculate economic capital to assess their risk-adjusted performance and allocate capital. All the respondents reported that their institutions calculate economic capital, an increase from roughly 80 percent in 2012, and said they most often calculate it for market risk (72 percent), credit risk (68 percent), and operational risk (62 percent). Economic capital is used much less often for other risk types such as liquidity risk (30 percent), strategic risk (20 percent), reputational risk (17 percent), or systemic risk (8 percent).

The most common uses of economic capital are at the senior management level for strategic decision-making (67 percent) and at the board level for strategic decision-making (63 percent). It is used less often at lower levels such as at the business unit level to evaluate risk-adjusted performance (53 percent), at the transaction level for risk-based pricing (54 percent), or at the customer level to support risk-based profitability analysis (32 percent).

Many banks and insurance companies also need to comply with regulatory requirements for capital adequacy. (See “Sector spotlight: Banking” and “Sector spotlight: Insurance.”)

Stress testing

Regulatory authorities, including the Federal Reserve, the ECB, the Bank of England, and EIOPA for insurers, require financial institutions to conduct stress tests. In the United States, the stress tests under CCAR assess a wide range of issues including capital adequacy, risk appetite, data, and financial planning, among others. It also requires that banks clearly document their risk management processes and internal controls.⁸² In recent years, regulatory authorities have been expanding the scope of stress tests beyond solely quantitative results to also encompass qualitative issues such as the effectiveness of the risk management control environment and information systems, the quality of risk data, whether all relevant risks are addressed, the adequacy of risk models, and the ability of the risk management program to identify and manage emerging risks.

Facing a variety of different stress testing mandates from different jurisdictions, some global financial institutions respond piecemeal to each set of requirements, which can lead to duplication of effort and increase the potential for control failures. Institutions can benefit from developing a consolidated approach that will allow them to use consistent procedures to comply with the distinct stress requirements imposed by the different regulators in the jurisdictions where they operate.

With the regulatory focus on stress testing, it is not surprising that 94 percent of respondents said their institution uses stress testing, the same percentage as in 2012, although stress testing is less widespread among small institutions (75 percent).⁸³

In 2014, respondents were more likely to say stress testing plays a wider range of roles in their organization than was the case in 2012, indicating that this tool appears to be more embedded in planning and operations. Respondents most often said stress testing enables forward-looking assessments of risk (86 percent versus 80 percent in 2012), feeds into capital and liquidity planning procedures (85 percent versus 66 percent), informs setting of risk tolerance (82 percent versus 70 percent), informs setting of capital and liquidity targets (80 percent versus 61 percent), and supports the development of risk mitigation and contingency plans (77 percent versus 57 percent).

To strengthen their stress-testing programs, some institutions are working to better integrate data from risk management and finance and improve the coordination of these two functions. Typically, the finance function is responsible for financial projections, capital management, and reporting to regulators, while the risk management function is responsible for calculating risk levels. To be effective, stress testing must be a shared effort, but at some institutions these functions operate as separate silos, with incompatible information systems and with distinct cultures.

Although the vast majority (94 percent) of respondents use stress testing in some capacity, the specific uses vary widely (figure 11). Leading the list of areas where institutions use stress testing either extensively or somewhat were reporting to the board (94 percent), understanding firm’s risk profile (92 percent), and reporting to senior management (92 percent).  At the lower end of practice, only 40 percent of respondents reported using stress testing for merger and acquisition decisions.

However, the area where respondents most often said their institution extensively uses stress testing results was assessing the adequacy of regulatory capital (52 percent up from 45 percent in 2012). This is consistent with the increased reliance by regulators, including the Federal Reserve and the ECB, on stress tests to assess whether financial institutions have sufficient capital to withstand a severe economic downturn.

Several other uses of stress testing results were also cited more often in 2014 as being used, either extensively or somewhat, than in 2012: assessing adequacy of economic capital (74 percent up from 58 percent in 2012), assessing concentrations and setting limits (77 percent up from 67 percent), strategy and business  planning (78 percent up from 68 percent), and defining/updating risk appetite (83 percent up from 73 percent).

The key challenges in using stress testing concern data quality and the validation of models. Conducting stress tests requires high-quality, aggregated, and timely data, but this is a challenge for many institutions. The item most often rated as extremely or very challenging in using stress testing was data quality and management for stress testing calculations (44 percent).

Regulatory authorities are requiring that all models employed in stress testing be validated, and 40 percent of respondents said implementing formal validation procedures and documentation standards for the models used in stress testing was also extremely or very challenging. In a large institution, validation could cover hundreds of models and require a major commitment of resources. Further, the level of rigor now required by the Federal Reserve is higher when testing the underlying models. The Federal Reserve has expanded the definition of the “models” that need to be tested, which has increased the size of the task and expanded the required scope of stress testing.

The greater attention by regulators on stress testing and its expanded use by financial institutions have made it more difficult to secure professionals with the skills and expertise required. Eighty-eight percent of respondents said attracting and retaining risk management professionals with the required skills is at least somewhat challenging, including 32 percent that considered securing talent to be extremely or very challenging.

With greater attention by regulators on stress testing at banks, respondents from these institutions were more likely to say they found issues to be challenging than those from other institutions. For example, 44 percent of respondents at banks said that attracting and retaining risk management professionals with the required skills is extremely or very challenging with respect to stress testing, compared to 34 percent among insurance companies. Similarly, implementing formal validation procedures and documentation standards for the models used in stress testing was considered to be extremely or very challenging by 50 percent of respondents at banking institutions compared to 37 percent of those at insurers.

Sector spotlight: Banking

Banks have been subject to an array of new regulatory requirements, which have increased their costs of compliance while placing new limits on their business activities. These have included the Dodd-Frank Act in the United States, the US Federal Reserve’s EPS, Basel III capital and liquidity requirements, and stress tests required by the Federal Reserve and the ECB. Given the volume of regulatory changes, it is not surprising that respondents in banking (51 percent) were more likely to report that their board of directors is devoting considerably more time to the oversight of risk management than before than were those in investment management (38 percent) and insurance (37 percent).

Basel III

Basel III introduced a higher capital requirement, with banks required to hold capital equivalent to at least 6 percent of tier 1 risk-weighted assets and a “capital conservation buffer” of 2.5 percent. There are indications that the Basel Committee will issue additional requirements for global systemically important banks (G-SIBs). In 2014, the FSB, in consultation with the Basel Committee, issued a public consultation with proposed requirements for G-SIBs that include a minimum level of TLAC of 16 to 20 percent of risk-weighted assets, which is double the current Basel III capital level, and a minimum 6 percent leverage ratio, which is also twice the Basel III leverage requirement.⁸⁴ The Basel Committee is also expected to issue new guidelines that will reduce the discretion banks currently have regarding the level of risk they assign to their assets and will standardize the methodologies used to assign risk weightings, potentially increasing the required capital for some banks.⁸⁵  The Basel Committee has indicated that it will propose a “floor” on the minimum amount of capital banks are required to hold, even if they use their own models to assess the risk of their assets, which may reduce the capital relief provided by using internal models.⁸⁶

In December 2014, the Federal Reserve proposed that the eight largest US banks, which are designated as G-SIBs, be subject to an additional capital surcharge ranging from 1 to 4.5 percent above the capital requirements under Basel III, with the size of the surcharge depending on the extent to which an institution relies on short-term funding such as overnight loans.⁸⁷ Under the proposal, the new requirements would be phased in by 2019, although the Federal Reserve said that almost all the banks already meet the stricter requirements. The eight largest US banks are also required by the Federal Reserve to increase their total TLAC to a minimum of 3 percent to 5 percent of assets.

Some countries have also set higher capital standards than contained in Basel III. Switzerland has imposed a higher requirement for its systemically important banks of 19 percent of total capital through the so-called “Swiss Finish” compared to 13 percent mandated by Basel III.⁸⁸ China added a 1 percent capital buffer for G-SIBs above the Basel III requirement, and Singapore imposed a higher requirement of 10.5 percent for its tier 1 capital ratio.⁸⁹

The Basel III deadlines for regulatory capital are being phased in through 2019, and almost all the banks participating in the survey are well along in complying.⁹⁰ Eighty-nine percent of respondents said their bank already meets the minimum capital ratios, while 8 percent expect to meet them well before the deadlines and 3 percent expect to meet them by the deadlines.

Complying with the Basel III capital requirements can have substantial impacts on a bank. By far, the most common actions that banking respondents said their institution had taken, or were planning to take in order to respond was to devote more time on capital efficiency and capital allocation (75 percent). The steps cited next most often were improve ongoing balance sheet management (47 percent) and migrate to internal modeling approaches (42 percent up from 27 percent in 2012). In contrast, scale back on capital-intensive portfolios was mentioned by 22 percent of banking respondents in 2014, down from 43 percent in 2012, suggesting that some institutions have already restructured their businesses and portfolios in response to the new capital requirements.

Relatively few respondents said their bank had taken or was intending to take more strategic responses to Basel III such as exit or reduce an existing business area (22 percent), assess the continuing economic viability of individual trading businesses (14 percent), adjust business models (14 percent), or enter into a merger (3 percent). In sharp contrast, 49 percent of respondents in 2012 said their bank expected to change its business model in response. While some of the planned changes to business models may have already taken place, the continuing revisions to Basel III over the next few years in such areas as capital adequacy requirements and leverage ratios may lead some banks to reconsider whether they need to adjust their business model or activities.

Liquidity

Banks are also responding to new regulatory requirements addressing liquidity. Basel III introduces two new liquidity ratios: the Liquidity Coverage Ratio (LCR) and the Net Stable Funding Ratio (NSFR).

The LCR requires banks to maintain a specified level of cash and liquid assets that would be available to survive a 30-day severe downturn. On January 1, 2015, the LCR required banks to have high-quality liquid assets (HQLA) equal to at least 60 percent of total expected cash outflows in a specified stress scenario over the next 30 days.⁹¹ The LCR will increase by 10 percentage points each year to reach 100 percent on January 1, 2019. In times of financial stress, banks will be allowed to fall below the minimum by using their stock of HQLA.

The NSFR requires banks “to maintain a stable funding profile in relation to their on- and off-balance sheet activities.”⁹² In October 2014, the Basel Committee issued the final NSFR, which among other provisions covered the required stable funding for short-term exposures to banks and other financial institutions and for derivatives exposures.⁹³ The NSFR will become a minimum standard by January 1, 2018.

In the United States, in September 2014 the Federal Reserve, the OCC, and the FDIC issued the final version of the Liquidity Coverage Rule, which requires the largest internationally active banks⁹⁴ to maintain enough HQLA, such as cash or treasury bonds, to fund themselves for 30 days during a crisis, which could require some banks to hold more liquid assets.⁹⁵ The Federal Reserve said the largest banks would need to hold $1.5 trillion in highly liquid assets by 2017, about $100 billion more than they do today.⁹⁶ Banks with more than $250 billion in assets will eventually have to calculate their liquidity needs daily.⁹⁷

Banks have made less progress in meeting the Basel liquidity ratios than in complying with the capital requirements. Sixty-nine percent of respondents said their bank already meets the liquidity ratios, while another 26 percent said they expect to meet them well before the deadlines. Since the Basel III liquidity requirements have been issued more recently, most banks are still developing the capabilities and operational infrastructure needed to comply.

Banks should also consider their organizational structure to manage liquidity. Although regulatory requirements for liquidity and capital are both designed to increase safety and soundness, these areas are typically managed separately, with information systems that are not integrated. Banks could benefit by developing a consistent approach to evaluate liquidity and capital requirements.

Basel III challenges

The issues that pose the greatest challenges for banks in complying with Basel III concern data and information systems. Respondents most often considered data management (56 percent) and technology/infrastructure (55 percent) to be extremely or very challenging in implementing these new requirements (figure 12). It can also be difficult to understand clearly what Basel III demands. Forty-four percent of respondents said the clarity/expectations of regulatory requirements for Basel III is extremely or very challenging, although this figure declined from 53 percent in 2012.

A related issue is that banks must manage multiple Basel III requirements in such areas as the minimum capital ratio, Common Equity Tier One ratio, NSFR and LCR leverage ratios, and G-SIB requirements, among others. Not only have they served to increase compliance costs, banks often struggle to develop a consistent approach to complying with the diversity of requirements, in part due to divided responsibilities and to the difficulty of obtaining aggregated, high-quality risk data.

Leading practices in banking risk management

There have been many areas where expectations have risen and banks have enhanced risk management capabilities. Some of the leading practices and other important areas for banks to consider include:

• Strengthening risk governance by enhancing the board risk committee with a board risk expert and independent directors
• Providing effective challenge of the risk and capital management processes by the board risk committee
• Enhancing the bank’s risk appetite framework and statement in ways that clearly articulate the business activities the firm is willing to engage in and the types and levels of risk it is willing to assume throughout the organization
• Integrating the assumptions used in strategic planning, capital planning, and risk management
• Improving risk culture and conduct risk management by establishing clear business practices guidance and oversight mechanisms
• More fully integrating risk management into the compensation process by enhancing risk-based incentive structures for management and risk-taking personnel
• Operationalizing enterprise-wide stress-testing infrastructure and capabilities into bank business-as-usual processes
• Evaluating impact of and planning for proposed revisions to regulatory capital calculation methodologies
• Integrating liquidity and capital management planning processes
• Strengthening the bank’s three lines of defense framework by better defining roles and responsibilities of each, including escalation procedures, to provide appropriate checks and balances that are well understood and implemented across the organization
• Building capabilities to practically implement and operate recovery and resolution plans across business areas
• Enhancing the model development and validation framework and capabilities to cover all models of the bank that drive finance, risk, and capital results
• Evaluating and improving end-to-end risk and finance data from transaction origination and reference data to analytics, aggregation, and reporting

Sector spotlight: Insurance

The impacts of regulatory reform on insurers have been significant. According to a Deloitte analysis, the European insurance industry spent between $5.7 and $6.6 billion in 2012 to comply with new regulations being phased in from 2012 to 2015, and similar amounts had been spent in the two previous years.⁹⁸ For European insurers, these costs were equivalent to a 1.01 percent point impact on return on equity (ROE). Fundamental regulatory reform is also underway in the United States and internationally, as led by the IAIS.

Movement toward group-based regulation

While regulation in Europe regulates insurers on a consolidated group basis, regulation in some jurisdictions is on a legal-entity basis. For example, insurance regulation in the United States has been the domain of the individual states, which regulate the legal entity operating in their state. There is now a movement in the United States and elsewhere to increase group-based supervision.

The US Federal Reserve has been given additional regulatory authority over insurers. In addition to its regulatory authority over bank holding companies, which may include insurance operations, it also regulates insurance companies designated as systemically important, and it has now designated three insurance companies as SIFIs. Both the Federal Reserve and the NAIC are reviewing approaches for a group insurance capital standard. The first US insurers likely to be affected by the trend toward group-based supervision are those that conduct business in multiple jurisdictions or have a nature, scale, size, or complexity that attracts additional regulatory expectations.

In addition to the movement toward group-based supervision, regulators have also required insurers to implement ERM programs. Insurers have responded by taking a total balance sheet view of risk, which assesses all the risks across the enterprise. Among the insurance companies participating in the survey, 95 percent either have an ERM program (73 percent) or are currently implementing one (22 percent).

Regulators are also encouraging insurance companies to adopt stronger risk governance practices such as creating a CRO position, and this was reflected in the survey results. All the insurance institutions participating in the survey reported having a CRO or equivalent position.

Increased capital requirements

As with banks, insurers are facing increased regulatory capital requirements. In Europe, Solvency II is a capital adequacy regime developed by EU regulators for insurance companies, which is due to come into effect on January 1, 2016. The goal of the initiative is to implement solvency requirements that better reflect the risks companies face, as well as develop a system that is consistent across all member states. As with Basel II, Solvency II has a three-pillar structure addressing quantitative capital adequacy requirements, supervisor review, and market discipline. Solvency II is requiring European insurers to assess comprehensively all their risks and consider stress scenarios when assessing capital adequacy.

Countries in Asia-Pacific are also moving toward adopting Solvency II including Australia, Japan, Malaysia, and Taiwan.⁹⁹

At the international level, the IAIS is developing a risk-based group-wide global Insurance Capital Standard (ICS) for global systemically important insurers (G-SIIs) and for Internationally Active Insurance Groups, which is due to be completed by the end of 2016. In addition, global G-SIIs will have a High Loss Absorbency (HLA) layer of additional capital. It is not clear at this stage of the consultation process what the HLA will look like and whether this additional capital layer will focus on any non-traditional insurance activity or extend beyond this, but any additional layer of capital will provide a further “bite” from regulators. The second round of IAIS Field Testing will commence at the end of April 2015, and this should further help inform the Basic Capital Requirement (BCR), ICS, and the HLA. Field Test participants will help provide insights to regulators as they develop these standards.

Roughly 60 percent of survey respondents reported that their institution was either subject to Solvency II requirements or to equivalent revised regulatory capital requirements. Among these respondents, the area cited most often as a planned area of focus related to Solvency II was Own Risk and Solvency Assessment (ORSA) (87 percent). Regulatory authorities are requiring insurance companies to regularly perform ORSAs to assess their capital adequacy and solvency and then to report the results. This requirement is one of the most important regulatory changes in decades for insurance companies and involves taking a forward-looking, holistic assessment of risk and its expected impacts. US insurers are required to file ORSAs with their state regulators. Other regulators around the world are also at different stages of development in this area.

Issues related to risk data are additional areas of attention since few insurers have invested sufficiently in data quality, data aggregation, and advanced analytics, with many still relying on manual processes. The issue cited second most often was data infrastructure and data handling processes, mentioned by 78 percent of respondents, up sharply from 31 percent in 2012. On the other hand, 57 percent of respondents mentioned review of the quality of the data used, down from 77 percent in 2012.

Assessing insurance risk

Respondents said the most common approach to assessing insurance risk is actuarial reserving, which is used by 91 percent of institutions, including 64 percent that use it as a primary methodology. The second most common method is regulatory capital, used by 87 percent of institutions, including 59 percent that use it as a primary methodology (figure 13).

Stress testing is also widely used. Seventy-eight percent of insurance respondents said their institution uses stress testing to assess insurance risk, either as a primary methodology (36 percent) or a secondary methodology (42 percent).

Among respondents at insurance firms that conduct stress testing, the insurance risk factor on which they most often conduct stress tests is interest rate (94 percent), followed by mortality (67 percent) and lapse (61 percent). Less than half of insurance respondents said their institution performs stress testing on property and casualty claim cost (48 percent) or morbidity (45 percent).

Leading practices in insurance risk management

As global regulatory bodies and boards of directors increasingly turn their attention to how insurance entities are managing risk, there are a number of areas where insurers should focus their efforts to meet these challenges.

• Finalizing development and implementation of a sustainable ORSA process that is fully integrated into business strategy and decision making
• Improving linkages of quantitative risk measures to risk limits and tolerances implemented in business operations
• Enhancing methods to measure and react to emerging reputational and strategic risks
• Establishing improved risk governance to reflect increased regulatory expectations for an effective second line of defense risk management function
• Continuing to monitor and evaluate potential impact of proposed insurance regulatory group capital standards
• Advancing current methods for evaluating operational risk through development of enhanced key risk indicators, more robust loss event data collection, and industry-appropriate quantitative measurement methodologies
• Investing in risk data quality and systems to enable more effective risk monitoring, reporting, and analytics
• Further strengthening risk culture by embedding risk management in business strategy and adding insights into risk-taking activities

Sector spotlight: Investment management

The investment management sector is diverse, comprising not only large and boutique stand-alone asset management firms but also subsidiaries of diversified banks and insurance companies. Depending on their structure, investment management operations can be subject to a variety of requirements imposed by regulators for the parent banking or insurance company.

Respondents from investment management firms were asked how their organization assesses investment risk. By far the most common approach is performance attribution against a benchmark (97 percent). Other measures are employed by half or more of investment management institutions: mandate breaches (72 percent), absolute return (69 percent), and Sharpe ratio (50 percent).

Investment management firms are typically strong in managing market risk since this is central to their business. Many are now addressing risk management areas where they may not be as strong such as IT applications, data management, and oversight of the extended enterprise. Respondents were asked to rate how challenging each of a series of issues is for the investment risk management function in their organization (figure 14).

Risk technology and data

The technology and data used to monitor and manage risk continue to be top priorities and concerns for investment management firms. In the period following the global financial crisis, many asset managers’ investments in risk technology reflected a best-of-breed approach, addressing gaps in coverage and the depth of risk analytics across asset classes and products through the use of multiple risk engines or service providers. Increasing the depth and coverage of risk analytics addressed one need but inadvertently created additional issues by increasing the sources and volume of risk data. The proliferation of risk data has challenged the ability of asset managers to aggregate risk measures and exposures across multiple products, funds, and strategies to achieve a holistic view of risk.

Further magnifying this challenge is the demand by regulators for additional data and reporting by asset managers. In Europe, the Alternative Investment Fund Managers Directive (AIFMD) established detailed requirements for reporting liquidity, risk profiles, and leverage. US pension funds are now subject to accounting regulatory changes that have prompted a need for significant enhancements in data quality and analysis. Additionally, recent remarks by a member of the Board of Governors of the Federal Reserve in the United States point to the focus of both the FSB and the FSOC on assessing the magnitude of liquidity and redemption risk within the asset management sector as a tool for macro-prudential regulation.¹⁰⁰ This will require many asset managers to invest in their capabilities around liquidity risk measurement and monitoring.

Some institutions have invested in data warehouses in an effort to improve the availability and quality of risk data, but have faced the challenge of making sure the data placed into them are “clean” and accurate. Some organizations have not implemented error-detection processes or assigned responsibility for data quality when creating their data warehouses. As a result, data governance is emerging as an important focus for investment managers, and some organizations have created a chief data officer position to help address it.

With the increasing complexity of risk data infrastructure and the focus of regulators on risk technology and data, it is not surprising that significantly greater percentages of respondents said they consider these issues to be extremely or very challenging for their investment management activities than was the case in 2012. The issue most often rated as extremely or very challenging was IT applications and systems (55 percent up from 23 percent in 2012), while data management and availability was cited third most often (42 percent up from 35 percent). Although 30 percent of respondents considered risk analytics and reporting to be extremely or very challenging, 88 percent said it is at least somewhat challenging, an increase from 71 percent in 2012.

Regulatory compliance

With greater scrutiny from regulators, 48 percent of investment management respondents considered regulatory compliance to be extremely or very challenging, up from 29 percent in 2012. Investment management firms have been subjected to a variety of new regulatory requirements. The SEC is paying greater attention to investment managers and funds including introducing expanded stress testing, more robust data reporting requirements, and increased oversight of the largest institutions.¹⁰¹ In 2014, the SEC also amended its rules to require a floating net asset value for institutional prime money market funds.¹⁰² In Europe, the AIFMD introduced new regulations governing the marketing of funds and deal structure for private equity and hedge funds operating in the European Union.¹⁰³

These and other new regulations affect a wide range of risk management issues for investment management firms.

Governance and accountability

Regulators expect investment management firms to implement strong governance of their risk management programs.¹⁰⁴ Investment management firms need to clearly define the roles, responsibilities, and decision-making authority across the three lines of defense to help ensure there are no ambiguities that can create gaps in control or a duplication of effort. In particular, stand-alone investment management firms may need to reexamine the role of the boards of directors of their funds, their committee structure, and the process in place to identify and escalate key risks.

Compliance risk management program

Investment management firms should have a rigorous program in place to identify and manage evolving compliance risks. The objective of a compliance risk management program is to help ensure the firm is in compliance with regulatory guidelines and is making consistent and accurate disclosures related to business practices and conflicts of interest. Firms should periodically evaluate the effectiveness of their compliance program including examining such issues as the following: governance and the use of the three lines of defense risk governance model; supporting infrastructure (including human resources, business processes, and technology); management of third-party providers; the organization’s risk culture; management of conflicts of interest; strength of internal controls; accuracy and consistency of disclosures and communications; integration of compliance risk management with ERM; and the understanding by the organization and its personnel of how fiduciary duty is implemented.

Investment compliance monitoring

Investment management firms can benefit from an investment compliance monitoring program. Such a monitoring program can help identify and address any breakdowns in controls used to comply with regulatory requirements, operational inefficiencies regarding trade monitoring, inconsistent or inadequate processes used to monitor client portfolios, and inconsistent data usage or poor processes to integrate new data.

Conflicts of interest

Reducing conflicts of interest among investment management and other financial institutions is a priority for regulators around the world. The SEC announced that one of its examination priorities for 2015 would be to assess the risks to retail investors including such issues as fee selection, sales practices, suitability of investment recommendations, and products offered by alternative investment companies.¹⁰⁵ In January 2015, the OCC issued a handbook for use by its examiners regarding conflicts of interest among banks that offer investment management services.¹⁰⁶ In Europe, the Markets in Financial Instruments Directive (MiFID) II requires that investment firms put in place organizational and administrative procedures with a view to taking “all reasonable steps” to prevent conflicts of interest.¹⁰⁷ In an effort to increase transparency for clients, in December 2014, the European Securities and Markets Authority (ESMA) recommended to the EU Commission that portfolio managers only be able to accept broker research where they pay for it directly or from a research account funded by a specific charge to their clients.¹⁰⁸ In the United Kingdom, the Financial Services Authority requires that investment management firms must manage conflicts of interest fairly and that their boards of directors must establish effective frameworks to identify and control conflicts of interest.¹⁰⁹

Conflicts of interest can affect nearly all aspects of investment management including product development, client on-boarding, portfolio management, personal trading, and managing service providers. Investment management firms may need to enhance their processes to identify, record, analyze, and disclose conflicts of interest. Since conflicts of interest can arise as regulations change and a firm’s products and strategies evolve, it is helpful to conduct a compliance review at least annually to identify any new conflicts of interest that may have arisen.

Client on-boarding

In Deloitte’s experience, many compliance violations can be traced back to the client on-boarding process. “Know your customer” and customer classification requirements are incorporated into numerous regulations including MiFID II, European Market Infrastructure Regulation (EMIR), the Dodd-Frank Act, and the Foreign Account Tax Compliance Act (FATCA). In August 2014, the Financial Crimes Enforcement Network (FinCEN) published proposed rules that would enhance customer due diligence requirements to identify and verify the identity of an institution’s customers and beneficial owners.¹¹⁰

As investment management firms and their products become more complex, it can be difficult and time-consuming to monitor whether guidelines have been followed as new clients are acquired. In some institutions, business functions or lines of business may be segregated, making it difficult to access complete information on client accounts. Investment management firms need an integrated structure that provides clear authority for and transparency into decision-making; cross-functional participation in product development; a strong technology infrastructure that supports analytics and monitoring of client and product profitability; and strong governance and oversight of the on-boarding process. Given the complexity of the task, institutions can benefit from automated compliance systems that work in tandem with strong manual oversight when setting up accounts for new clients.

Cybersecurity

Cybersecurity has been an increasing focus of regulators that supervise institutions of all types, including investment management firms. (See “Operational risk” section for a discussion of this issue.)

Model risk

Regulators are scrutinizing the models used by financial institutions including investment managers. The SEC charged several entities of one firm with securities fraud for concealing a significant error in the computer code of the quantitative investment model that it used to manage client assets.¹¹¹

Model risk can arise in a number of different areas, including investment decision making, trade implementation and monitoring, exposure management, and performance evaluation. Institutions should examine the oversight of their models and the responsibilities, policies, and procedures; validate models; employ ongoing monitoring programs; and increase the rigor of their process for developing models.

Extended enterprise risk

Managing the risks from third-party service providers across the extended enterprise is a growing concern. Third-party service provider oversight was considered to be extremely or very challenging for the investment management risk function by 41 percent of respondents, almost double the 21 percent in 2012.

Third parties can pose risks for many different risk types such as cyber, financial, credit, legal, strategic, operational, and business continuity. Adverse events in any of these areas can damage a firm’s reputation, undermining its ability to attract and retain clients and assets under management. The potential negative impacts of a risk event at a third party can quickly extend to an institution’s reputation and are only magnified today as social media and globalization catapults news around the world at lightning speed.

The impact of third parties on cyber security is a particular concern. Cyber threats continue to increase, and third parties are often their point of entry. One analysis across multiple industries found that attackers gained access through third-party systems in 40 percent of data breaches.¹¹²

There are a number of reasons for the increased focus on extended enterprise risk. Although the use of third parties by investment management firms is not new, it has become increasingly pervasive and complex as the emergence of unbundled services has created more diverse options to outsource specific functions or sub-functions. As firms continue to search for efficiency and focus on their core competencies, the expanded use of third parties is appealing to more areas of the business.

Managing the risks posed by third parties is also more complex than ever before. Third parties may in turn subcontract some of their services to additional providers, making it difficult for investment management firms to gain visibility into the risk management practices of these sub-service providers (also referred to as “fourth parties”) and raising the potential for concentration risk if several of their third parties use common sub-service providers. Adding to the complexity, more intermediaries that distribute funds, such as broker/dealers, are also becoming service providers by employing an omnibus accounting model in which they maintain account information and transaction histories for their customers through sub-accounting systems and charge for these services. Finally, even when an investment management firm has a third-party relationship with an affiliated entity within the same parent company, it must still take steps to assess the effectiveness of the affiliated entity’s risk management program and controls, keeping in mind the potential for conflicts of interest.

Regulatory authorities have increased their attention to third-party risk. For investment management operations that are subsidiaries of banks, the Federal Reserve and the OCC are focused on the risks posed by these relationships in such areas as consumer protection and business continuity.¹¹³ US banking regulators expect that effective risk management of third-party relationships will include written contracts and plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party. The SEC has required investment companies to designate a chief compliance officer who reports to the board of directors, and one of their duties is to oversee the compliance programs of the organization’s service providers.¹¹⁴ The SEC has also focused on the omnibus and intermediary fee payment models to assess “distribution in guise” conflicts as well as board and fund management oversight of these arrangements.

The SEC’s 2014 examinations focused on cybersecurity and encompassed vendors that have access to an institution’s networks, customer data, or other sensitive information.¹¹⁵ The Financial Industry Regulatory Authority (FINRA) announced that outsourcing will be a priority area of review for its 2015 examinations, including an analysis of due diligence and risk assessment of third-party providers and the supervision of activities that are outsourced.¹¹⁶ The COSO framework stresses that organizations retain full responsibility for managing the risks associated with engaging third parties and must implement a program to evaluate the effectiveness of their system of internal control over the activities performed by their service providers.¹¹⁷

The foundation of an effective program is to consider how the institution’s existing risk management governance and strategy can be leveraged to enhance transparency and accountability for third-party risk. The board of directors and the executive committee should be actively involved in overseeing the strategy and direction of the effort. In developing a third-party risk management strategy, challenges include clearly defining roles and responsibilities for managing third-party risks across the three lines of defense, assigning responsibility for leading the program, and ensuring accountability.

Some organizations focus only on specific aspects of third-party relationships, such as procurement. But investment management operations need to develop a holistic approach to extended enterprise risk that encompasses the entire lifecycle of third-party relationships from initial procurement through contracting, service-level agreements, implementation, metrics, monitoring, and off-boarding. Considering the risk management aspects associated with each of these stages in the lifecycle of third-party relationships may lead institutions to rethink their current approaches. For example, in selecting and evaluating potential vendors, selection criteria should include not only cost but also such issues as the provider’s risk management program and transparency. Ongoing monitoring should encompass the effectiveness of the vendor’s risk management program and how they are managing emerging risks.

Institutions can benefit from having established processes and a set schedule with which to assess these risks. Most respondents at institutions providing investment management services said they review the risks from their relationships with different types of vendors at least annually: administrators (89 percent), technology vendors (75 percent), custodians (68 percent), distributors (65 percent), transfer agents (62 percent), and prime brokers (73 percent). The type of vendor relationship that is least often subjected to an annual review is consultants (55 percent).

Institutions should create an inventory of all their third-party relationships and develop a formal process to assess and rank them based on the importance of the services provided and the risks associated with each relationship. As part of this examination, the assessment should identify the material, non-public information about the institution and the personal identifying information regarding customers that each third party has access to.

Leading practices, including the OCC framework, include segmenting third-party providers based on risk rankings such as low, medium, high, and critical. Although it is important for institutions to focus on critical relationships, an effective third-party risk management program should evaluate and oversee to some extent the risks posed by all third parties. Institutions should assess the trade-offs between the level of risk posed by each of its third parties and the cost, both in time and money, to monitor and manage the risks associated with each relationship.

Resourcing

Resourcing of the investment management risk management function was considered to be extremely or very challenging by 33 percent of respondents (roughly similar to 29 percent in 2012). Managing resource constraints is a perennial issue and investment management organizations are increasingly shifting to risk-based resourcing, which allocates resources to key areas based on strategic risk assessments. This approach can maximize impact and value by taking a holistic view of where the organization faces the greatest risk and where additional resources can help meet its strategic goals. It can also identify gaps in skills and inform hiring decisions to more effectively manage key risk areas.

Risk governance

Many investment management firms are examining the role of the board of directors in overseeing risk, including which issues and decisions should be referred to the full board. They are also considering which management committees should be established to manage risk and how to implement an effective process to identify and escalate key risks. While 24 percent of respondents said risk governance is extremely or very challenging for their investment management function, 85 percent described it as at least somewhat challenging.

Leading practices in investment management

As is true across other parts of the financial services industry, the risk management practices of asset management firms are evolving and under increasing scrutiny. Some of the leading practices and other important areas for investment management firms to consider include:

Governance

• Reexamining and fine-tuning the mandate and responsibilities of boards of directors and the structure of management committees to help increase their effectiveness in overseeing and managing risks
• Identifying key risks and implementing effective oversight, including appropriate escalation and reporting practices
• Reviewing the  three lines of defense and the roles and responsibilities of each

Behavior

• Promoting risk culture by establishing clear business practices, guidance, and oversight mechanisms
• Reviewing methods to identify new and changing conflicts of interest
• Enhancing client on-boarding processes to help promote regulatory compliance and risk management in an increasingly complex global environment

Execution

• Implementing a comprehensive extended enterprise risk management program that allows for more effective risk management of third-party providers
• Enhancing investment compliance monitoring to improve risk identification, increase operational efficiencies, and improve the client experience
• Conducting trade analytics to improve overall monitoring and surveillance and to identify areas of improvement

Infrastructure

• Strengthening the overall effectiveness of data management as a key enabler for risk management and reporting
• Increasing the maturity of cyber risk programs to accommodate the evolving threat landscape and integrating cyber risk oversight into the extended enterprise (third-party providers)
• Addressing the limitations of aging infrastructure to more effectively manage risk in an increasingly complex and global operating environment

Management of key risks

When asked to assess how their institution manages risk overall, 75 percent of respondents felt it was extremely or very effective, similar to the results in 2012. The reason may be that there have been no major stresses since the global financial crisis to challenge the belief that institutions are managing risk effectively.

Respondents were most likely to consider their institution extremely or very effective in managing more traditional risk types such as credit (92 percent), asset and liability (89 percent), liquidity (89 percent), counterparty (80 percent), and market (80 percent). For these risk types, institutions typically have more well developed risk methodologies, data, and infrastructure. In addition, regulatory requirements and expectations are well defined and understood.

Fifty-six percent of respondents considered their institution to be extremely or very effective in managing operational risk, which reflects the fact that operational risk is a diverse risk type firms find difficult to define and measure.

“We expect that not only do we need to continue to improve our ability to manage risk but also, maybe more importantly, we have to improve our ability to demonstrate that we have managed the risk. You can add the best internal controls in the world but if you didn’t have the documentation to prove the controls exist, it doesn’t mean anything.” Director of enterprise risk management, insurance

Respondents also gave lower ratings as being extremely or very effective to several other risk types: country/sovereign (68 percent), reputation (66 percent), strategic (60 percent), systemic (55 percent), and geopolitical (47 percent). These risk types are newer, and as a result there are fewer accepted methodologies and tools, risk data may not be available, and regulatory expectations are less clearly defined.

Respondents were asked which three risk types they believed would increase the most in importance to their institution over the next two years. Given the depth and breadth of regulatory change, it was not surprising that the risk type most often ranked among the top three was regulatory/compliance risk (51 percent) (figure 16).

The risk type cited next most often as increasing in importance was cybersecurity risk (39 percent). Although many respondents expected cybersecurity risk would be one of the risks to increase most in importance over the next two years, only 42 percent felt their institution is extremely or very effective in managing it.

Although credit risk is a mature risk type, there are a number of reasons that may explain why 26 percent of respondents felt it would be one of the risk types to increase the most in importance over the next two years. Credit risks are cyclical, and there are increased concerns over the economic slowdown in Europe and emerging markets. In the United States, banks have abundant liquidity and some have sought to improve earnings and increase returns by extending credit to borrowers with lower credit quality.

Credit risk

Regulators are expecting financial institutions to closely monitor their credit exposures, which can be a formidable task. The credit risk issue most often rated as extremely or very challenging by respondents was obtaining sufficient, timely, and accurate credit risk data (33 percent). This issue poses a greater challenge at small institutions (46 percent) than at mid-size (35 percent) or large institutions (25 percent).

Institutions need to aggregate their risk data and calculations across the enterprise to gain a consolidated view of overall credit risk, and this was the area cited next most often. Thirty-one percent of respondents said consistently aggregating the results of credit risk calculations across portfolios and business areas is extremely or very challenging.

These activities are especially demanding for larger institutions that have multiple lines of business and operate in numerous geographic markets. The degree of difficulty ramps up after mergers, when an institution must integrate the acquired institution’s data, which may not be in a comparable format and may cover a different time period than its existing credit risk data.

Market risk

Market risk is a mature risk type with generally well-developed methodologies, and relatively few respondents considered specific issues to be challenging. The issue most often considered to be extremely or very challenging was obtaining sufficient, timely, and accurate market risk data (23 percent), followed by aligning market risk management with overall ERM program (20 percent). In contrast to credit risk, only 12 percent of respondents considered aggregating the results of market risk data calculations across portfolios and business areas to be extremely or very challenging in managing market risk.

Liquidity risk

Respondents reported greater challenges in managing liquidity risk. Regulators have focused on this issue due to the liquidity difficulties many institutions experienced during the global financial crisis. Since these regulatory requirements are relatively recent, many institutions have less mature infrastructure and procedures for liquidity risk than for credit and market risk.

The two issues cited most often as extremely or very challenging concerned complying with Basel III liquidity requirements: investment in operational and other capabilities to comply with the Basel III NSFR (40 percent) and investment in operational and other capabilities to comply with the Basel III LCR (31 percent) (figure 17).

Roughly one-third of respondents said that developing a credible set of systemic and idiosyncratic liquidity stress scenarios is extremely or very challenging. Finally, risk data was also a concern, with 31 percent of respondents saying that obtaining sufficient, timely, and accurate risk data is extremely or very challenging.

Asset liability management

Although asset liability management has been a longstanding process at many institutions, conducting the sophisticated analyses and forecasts is complex. The issue cited most often as extremely or very challenging for asset liability management was ability to model on a dynamic basis the impact on net interest income of changing interest rates and changing balance sheet (29 percent).

Obtaining asset liability risk data is also a challenge at some institutions. The issue rated third most often by respondents as extremely or very challenging was obtaining sufficient, timely, and accurate asset and liability data (24 percent).

Operational risk

Operational risk is a difficult risk to measure and manage, with a wide range of potential operational risk events and where loss data are not easily available. Operational risk is an area of focus both for regulators and the industry.

Respondents most often said their institution places an extremely or very high priority on managing three types of operational risk events: clients, products, and business practices (74 percent up from 52 percent in 2012); business disruption and system failures (74 percent up from 46 percent); and execution, delivery, and process management (74 percent up from 45 percent).

“I see the need for more focus on operational risk, including reputation and litigation risks. In response, we need to do better modeling—perhaps thinking about it in a different way than we have in the traditional sense of managing operations risk.” Senior risk officer, banking

When it comes to operational risk methodologies, respondents most often considered them to be extremely or very well developed at their institution for risk assessments (60 percent), internal loss event data/database (48 percent), risk and capital modeling (45 percent), and key risk indicators (42 percent) (figure 18).

Some methodologies received much lower ratings. Only one-third of respondents felt that their institution’s external loss event data/database is extremely or very well developed, and 30 percent said the same about causal event analysis.

Most respondents considered their organization to be extremely or very effective in managing the more traditional types of operational risk types such as legal (70 percent), regulatory/compliance (67 percent), and tax (66 percent). In contrast, fewer respondents considered their institution to be extremely or very effective at managing other types of risks including third-party (44 percent), data integrity (40 percent), and model (37 percent).

Cybersecurity

Cybersecurity is an operational risk type that has become a high priority for financial institutions and regulators. The number and extent of cyber attacks have shown “exponential growth”¹¹⁸ according to one corporate security chief, with the financial services industry as a top target.¹¹⁹ In response, double-digit increases in bank security budgets are expected in the next two years.¹²⁰ Once seen as only an IT issue, the impacts of cyber attacks can spread across the organization and affect business lines, operations, legal, and communications, among other areas. With their widespread impacts, cybersecurity events also pose significant reputational risks to a company.

With the increase of major hacking incidents, from both criminal enterprises and potentially state-sponsored actors, cybersecurity has been a major focus for regulators. In February 2015, the SEC’s Office of Compliance Inspections and Examinations released the results of its examinations in 2014 of cybersecurity practices at more than 100 registered broker-dealers and investment advisers.¹²¹ In the same month, FINRA published its recommendations on effective cybersecurity practices, based on its 2014 examinations of member firms.¹²² FINRA has announced that cybersecurity will again be one of its examination priorities in 2015.¹²³

Given the increasing regulatory requirements and the potential reputational damage that can result from a data breach, financial institutions need a comprehensive cybersecurity program. Among the leading practices for such a program are that it places a priority on threats with the greatest potential impact and on safeguarding sensitive data and critical infrastructure; implements a formal written plan to respond to cybersecurity incidents; conducts penetration testing; has dedicated personnel; and periodically reviews the firm’s cyber insurance strategy.

Forty-two percent of respondents felt their institution is extremely or very effective in managing cybersecurity, roughly similar to the percentage who said the same about managing third-party risk (44 percent). Third-party and cybersecurity risk are sometimes closely related since there have been security breaches involving third parties that have affected the confidentiality of customer information.

Respondents at large institutions (63 percent), which have more resources to devote to safeguarding their data and information systems, were more likely to consider their organization to be extremely or very effective in this area than those at mid-size (35 percent) or small institutions (25 percent).

Regulatory risk

The wave of change since the global financial crisis has constituted the most far-reaching revision of regulatory requirements in decades, significantly increasing compliance requirements. The era of regulatory reform is far from over, with additional proposals from the Basel Committee and with final rules still to be established for many provisions of the Dodd-Frank Act in the United States and for the CMU and the EU Regulations and Directives in Europe.

The impacts of these more stringent regulatory requirements are significant for many institutions, including higher capital requirements, restrictions on business activities, additional documentation for regulators, and new standards on risk data and infrastructure. Regulators are also turning their attention to qualitative issues, such as risk culture and the effectiveness of internal controls.

One result of all these regulatory requirements has been increased costs. When asked about the impacts of regulatory reform on their institution, respondents most often mentioned noticing an increased cost of compliance (87 percent up from 65 percent in 2012) (figure 19). Other impacts cited often were maintaining higher capital (62 percent up from 54 percent in 2012) and adjusting certain products, lines, and/or business activities (60 percent up from 48 percent).

“For global organizations, a huge challenge is trying to manage responses to regulations across different regulators and jurisdictions. While we tend not to see regulators totally contradicting one another, the pace of regulatory change is often quite different in different regions, and that makes things more challenging for us.” Senior risk officer, banking

Many respondents are concerned that compliance costs will continue to escalate. Considering the potential impact on their organization of supervisory and regulatory processes, respondents were most often extremely or very concerned about issues related to cost: tighter standards or regulations that will raise the cost of doing existing business (72 percent) and growing cost of required documentation and evidence of program compliance (60 percent).

The impacts of examinations and enforcement actions were also mentioned by many respondents: regulators’ increasing inclination to take formal and informal enforcement actions (53 percent) and more intrusive and intense examinations (49 percent).

New regulatory requirements have not only increased costs, they have also limited the ability of many institutions to generate revenues. Reflecting this new reality, 43 percent of respondents said they were extremely or very concerned over new restrictions or prohibitions on profitable activities that will require a significant change in business model or legal structure.

Risk management information systems and technology

The global financial crisis underscored the need for risk data that are accurate, timely, consistent, and aggregated across the enterprise. Since then, risk data have been a priority for regulators.

In 2013, the Basel Committee issued its BCBS 239 paper, which emphasizes that banks need systems capable of producing aggregated risk data for all critical risks during times of stress or crisis.¹²⁴ Banks must also fully document and validate their aggregation capabilities and reporting practices. G-SIBs must comply by January 1, 2016, and BCBS 239 suggests that supervisors apply the same rules to domestic systemically important banks (D-SIBs).

CCAR’s stress tests require banks to aggregate risk data across regions and lines of business.¹²⁵ There are also stricter requirements for data quality and aggregation in various capital and liquidity requirements, Solvency II, the OCC’s heightened standards, and MiFIR, among other regulations.

Complying with these requirements is an arduous task for some institutions. For example, many Eurozone banks encountered difficulties in providing the accurate, timely data required by the ECB’s asset quality review.¹²⁶When asked about the challenges facing their institution, many respondents said that risk information systems and technology infrastructure (62 percent) and risk data (46 percent) are extremely or very challenging.

In response to these stricter requirements, many financial institutions have undertaken major data remediation and infrastructure programs. Progress has been made, but significant work remains to be done at many institutions.

“The three biggest challenges in risk management today are 1) having the right data and technology in place to help measure risk quickly and efficiently, 2) producing and monitoring MIS reporting that can effectively help identify risks on a timely basis, ideally with warnings before they are a problem, and 3) managing the very high demand for resources, which are increasingly hard to find and expensive to pay for.” Senior risk officer, banking

Less than half of the respondents rated their institution as extremely or very effective in any area of risk data and infrastructure, although the ratings improved since 2012: data management/maintenance (39 percent compared to 20 percent in 2012), data process architecture/workflow logic (35 percent compared to 23 percent) and data controls/checks (31 percent roughly similar to 33 percent in 2012).

The pace of regulatory change places additional demands on risk technology systems. Forty-eight percent of respondents said they are extremely or very concerned about risk technology adaptability to changing regulatory requirements, an increase from 40 percent in 2012, while 46 percent of respondents said the same about lack of integration among systems, up from 31 percent in 2012 (figure 20).

Conclusion

The era of regulatory reform sparked by the global financial crisis has become the new normal. There has been an ongoing series of new regulations affecting risk governance, capital adequacy, liquidity, stress testing, and prohibitions on proprietary trading, among other areas. Institutions are being required to enhance their capabilities for managing operational risk, with both regulators and management especially concerned about the impacts of hacking and other types of cyber attacks.

Regulators are also focusing on the qualitative aspects of risk management. They are looking beyond quantitative measures of market, credit, and liquidity risk to assess whether institutions have created a culture that encourages employees to take appropriate risks and that promotes ethical behavior more broadly. In this effort, it is essential that incentive compensation schemes are aligned with an institution’s risk appetite.

Success in all these areas depends on quality risk data and effective information systems. Yet, developing accurate, aggregated risk data on a timely basis remains a challenge. Measurement can be especially difficult for some risk types, such as operational risk, and for qualitative issues, such as risk culture. Deloitte’s Global risk management survey indicates there has been progress in many of these areas. But with the regulatory expectations being ratcheted up continually, institutions will need to keep pace by regularly upgrading their risk management capabilities:

• Many institutions have implemented strong risk governance at the level of their board of directors and senior management, including implementing an ERM program and creating a CRO position. They will now need to broaden their perspective to consider how they can manage conduct risk by embedding a risk culture throughout their organization that encourages ethical behavior by employees. Keys to this effort will be the board of directors and senior management communicating the value the organization places on treating customers fairly and also having incentive compensation practices that reward ethical behavior and appropriate risk-taking.
• As regulators rely more on stress tests to assess capital adequacy and liquidity, institutions will need to improve their stress testing capabilities and attract personnel with the required skills and experience. The talent shortage noted in this survey will make this an ongoing challenge.
• More effective management of operational risks, especially cybersecurity, will be essential. Institutions will not only need to improve their IT security processes, but also their processes for selecting vendors and assessing their security procedures.
• Institutions will need to reassess their risk data and information systems. Many institutions will need to improve their access to high-quality and timely risk data as well as their ability to quickly aggregate risk data across lines of business and geographies.

Financial institutions are adjusting to the new environment for risk management. Most institutions will need to enhance their risk management programs to stay current—improving analytical capabilities, investing in risk data and information systems, attracting risk management talent, fostering an ethical culture, and aligning incentive compensation practices with risk appetite. They will find that business strategies and models must be reassessed in response to changed regulations more often than before. Perhaps most important, institutions will need to develop the flexibility to respond nimbly to the “new normal” risk management environment of unceasing regulatory change.

About Deloitte’s financial services industry practice

A recognized leader in providing audit, tax, consulting and financial advisory services to the financial services industry, Deloitte’s clients include banks, securities firms, insurance companies, investment managers, and real estate services companies from around the world. Over 35,000 practitioners, including 4,400 partners, are dedicated to serving financial services industry clients across more than 40 member firms in the Deloitte network.