Global risk management survey, ninth edition

Deloitte’s global risk management survey, ninth edition assesses the industry’s risk management practices and challenges in this period of reexamination. The survey was conducted in the second half of 2014 and includes responses from 71 financial services institutions around the world that operate across a range of finan­cial sectors and with aggregate assets of almost US$18 trillion. According to the report, across the financial services industry, regulatory requirements are becoming broader in scope and more stringent and companies continue to improve themselves in risk management issues.

Board of directors currently devotes more time to oversight of risk. Having a CRO and an enterprise risk management program are becoming a common practice in the industry. The most common board responsibilities are approving the enterprise-level statement of risk appetite and reviewing of corporate strategy for alignment with the risk profile of the organization. According to the survey, 92% of institutions report to either having an ERM program in place or in the process of implementing one.

Key findings:

·         More focus on risk management by boards of directors: Reflecting increased regu­latory requirements, 85% of respondents reported that their board of directors currently devotes more time to oversight of risk than it did two years ago.

·         ERM becoming standard practice: It has become a regulatory expectation for larger institutions to have an enterprise risk manage­ment (ERM) program, and this is reflected in the survey results. 78% have an ERM framework and/or ERM policy approved by the board of directors or a board committee.

·         Progress in meeting Basel III capi­tal requirements: Complying with the Basel III capital requirements can have substantial impacts on a bank. 89% of respondents at banks subject to Basel III or to equivalent regulatory requirements said their institution already meets the minimum capital ratios. The most common response to Basel III’s capital requirements was to devote more time on capital efficiency and capital allocation (75%).

·         Increasing use of stress tests: Regulators are increasingly relying on stress tests to assess capital adequacy, and respondents said stress testing plays a variety of roles in their institutions, including enables forward-looking assess­ments of risk (86%), feeds into capital and liquidity planning procedures (85%), and informs setting of risk tolerance (82%).

·         Low effectiveness ratings on managing operational risk types: Roughly two-thirds of respondents felt their institution was extremely or very effective in managing the more tradi­tional types of operational risks, such as legal (70%), regulatory/compliance (67%), and tax (66%). Fewer respondents felt their institution was extremely or very effective when it came to other operational risk types such as third party (44%), cyberse­curity (42%), data integrity (40%), and model (37%).

·         More attention needed on conduct risk and risk culture: 60% of respondents said their board of directors works to establish and embed the risk culture of the enterprise and promote open discussions regarding risk, and a similar percentage said that one of the board’s responsibilities is to review incentive compensa­tion plans to consider alignment of risks with rewards, while the remaining respondents said these were not among the board’s responsibili­ties.

·         Increasing importance and cost of regula­tory requirements: When asked which risk types would increase the most in importance for their institution over the next two years, regulatory/compliance risk was most often ranked among the top three, and 79% felt that increasing regulatory requirements and expectations were their greatest challenge.

·         Risk data and technology systems con­tinue to pose challenges: 48% of respondents were extremely or very concerned about the abil­ity of the technology systems at their institu­tion to be able to respond flexibly to ongoing regulatory change.

Financial institutions must not only comply with these new regulatory requirements and priorities, they also need the flexibility to respond to the next round of regulatory devel­opments that is likely over the coming years. This will require strong risk management capa­bilities, robust risk infrastructures, and timely, high-quality risk data that are aggregated across the organization.