Executive summary

THE years since the global financial crisis have seen a wave of regulatory change that increased both the scope and the level of stringency of regulatory requirements. New legislation and regulations have included the Dodd-Frank Wall Street Reform and Consumer Protection Action (Dodd-Frank Act) in the United States, Basel 2.5 and III, the US Federal Reserve’s Enhanced Prudential Standards (EPS), the European Market Infrastructure Regulation (EMIR) and Solvency II capital standards. In the years since the global financial crisis, financial institutions have had more time to understand the practical implications of these new regulations and what is required to comply.

Today, risk management is becoming even more important; financial institutions confront a variety of trends that have introduced greater uncertainty than before into the future direction of the business and regulatory environment. Economic conditions in many countries continue to be weak, with historically low interest rates. The UK referendum to leave the European Union (Brexit vote), coupled with US President Donald Trump’s pledge to renegotiate trade agreements with China and Mexico, raise the possibility that trade volumes may decline.

The continual increase in regulatory requirements may abate or even be reversed in 2017 as President Trump and others have questioned whether regulatory oversight has gone too far. Strategic risk is increasing as entrepreneurial fintech players are competing with traditional firms in many sectors. The rapidly changing environment suggests that risk management programmes may need to increase their ability to anticipate and respond flexibly to new regulatory and business developments and to emerging risks, for example, by employing predictive analytics tools.

Deloitte’s Global risk management survey, 10th edition assesses the industry’s risk management practises and the challenges it faces in this turbulent period. The survey was conducted in the second half of 2016—after the Brexit vote in the United Kingdom but before the US presidential election—and includes responses from 77 financial services institutions around the world that conduct business in a range of financial sections and with aggregate assets of $13.6 trillion.

Key findings

Cybersecurity. Only 42 per cent of respondents considered their institution to be extremely or very effective in managing cybersecurity risk. Yet, cybersecurity is the risk type that respondents most often ranked among the top three that would increase in importance for their institution over the next two years (41 per cent). In recognition of the broad senior management and board awareness of cybersecurity risks, most respondents did not report challenges in securing funding or in communicating with senior management or the board. However, many boards of directors face the challenge of securing sufficient technical expertise to oversee the management of cybersecurity risk. The issues cited most often as extremely or very challenging were hiring or acquiring skilled cybersecurity talent (58 per cent) and getting actionable, near-real-time threat intelligence (57 per cent).

Institutions less effective at managing newer risk types. Roughly 80 per cent or more of respondents said their institution is extremely or very effective at managing traditional risk types such as liquidity (84 per cent), underwriting/reserving (83 per cent), credit (83 per cent), asset and liability (82 per cent), investment (80 per cent) and market (79 per cent). Newer risk types present more challenges and fewer respondents rated their institution highly at managing model (40 per cent), third party (37 per cent) and data integrity (32 per cent). Given the heightened geopolitical uncertainty and change during the period when the survey was conducted, as evidenced by the UK Brexit referendum and the discussion of US trade policies during the US presidential campaign, it is notable that the percentage of respondents who considered their institution to be extremely or very effective at managing geopolitical risk was only 28 per cent, a sharp drop from 47 per cent in 2014.

Significant challenges posed by risk data and IT systems. Few respondents considered their institution to be extremely or very effective in any aspect of risk data strategy and management, such as data governance (26 per cent), data marts/warehouses (26 per cent) and data standards (25 per cent). Even fewer respondents rated their institution this highly in other areas including data sourcing strategy (16 per cent), data process architecture/workflow logic (18 per cent) and data controls/checks (18 per cent). Many respondents also had significant concerns about the agility of their institution’s risk management information technology systems. Roughly half of the respondents were extremely or very concerned about risk technology adaptability to changing regulatory requirements (52 per cent), legacy systems and antiquated architecture or end-of-life systems (51 per cent), inability to respond to time sensitive and ad-hoc requests (49 per cent) and lack of flexibility to extend the current systems (48 per cent).

Battle for risk management talent. With the increase in regulatory requirements, there has been greater competition for professionals with risk management skills and experience. Seventy per cent of respondents said attracting and retaining risk management professionals with required skills would be an extremely or very high priority for their institution over the next two years, while 54 per cent said the same about attracting and retaining business unit professionals with required risk management skills. Since cybersecurity is a growing concern across all industries, the competition is especially intense for professionals with expertise in this area. As noted above, when asked how challenging various issues in managing cybersecurity risk were, the item cited third most often as extremely or very challenging was hiring or acquiring skilled cybersecurity talent (58 per cent).

Greater use of stress testing. Regulators are increasingly using stress tests as a tool to assess capital adequacy and liquidity, and 83 per cent of institutions reported using capital stress testing and the same percentage reported using liquidity stress testing. For both types of stress tests, more than 90 per cent of institutions reported using it for reporting to the board, reporting to senior management and for meeting regulatory requirements and expectations. For both capital and liquidity stress tests, the two issues most often rated as extremely or very challenging concern IT systems and data: stress testing IT platform (66 per cent for capital stress testing and 45 per cent for liquidity stress testing) and data quality and management for stress testing calculations (52 per cent for capital stress testing and 33 per cent for liquidity stress testing).

Increased importance and cost of compliance. Thirty-six per cent of respondents cited regulatory/compliance risk as among the three risk types that will increase the most in importance for their business over the next two years, the risk named second most often. Seventy-nine per cent of respondents said that regulatory reform had resulted in an increased cost of compliance in the jurisdictions where it operates and more than half the respondents said they were extremely or very concerned about tighter standards or regulations that will raise the cost of doing existing business (59 per cent) and the growing cost of required documentation and evidence of programme compliance (56 per cent).

Increasing oversight by boards of directors. Eighty-six per cent of respondents said their board of directors is devoting more time to the oversight of risk management than it did two years ago, including 44 per cent who said it is devoting considerably more time. The most common risk management responsibilities of boards of directors are review and approve overall risk management policy and/or ERM framework (93 per cent), monitor risk appetite utilisation including financial and nonfinancial risk (89 per cent), assess capital adequacy (89 per cent) and monitor new and emerging risks (81 per cent). However, there is more work to do in instilling a risk culture, where no more than roughly two-thirds of respondents cited as board responsibilities help establish and embed the risk culture of the enterprise (67 per cent) or review incentive compensation plans to consider alignment of risks with rewards (55 per cent).

CRO position almost universal. Ninety-two per cent of institutions reported having a CRO position or equivalent, yet there remains significant room for improvement in the role. The CRO does not always report to the board of directors (52 per cent), which provides important benefits and is generally a regulatory expectation. Although the CRO meets regularly with the board of directors at 90 per cent of institutions, many fewer institutions (53 per cent) reported that the CRO meets with the board in executive sessions. The CRO is the highest level of management responsible for risk management at about half of the institutions (48 per cent), with other institutions placing this responsibility with the CEO (27 per cent), the executive-level risk committee (16 per cent), or the chief financial officer (CFO) (4 per cent). The most common responsibilities for the CRO were to develop and implement the risk management framework, methodologies, standards, policies and limits (94 per cent), identify new and emerging risks (94 per cent) and develop risk information reporting mechanisms (94 per cent). Despite the increasing importance of strategic risk and the related need for risk management of business strategy and decisions, fewer respondents said the CRO has the responsibility to provide input into business strategy development and the periodic assessment of the plan (65 per cent), participate in day-to-day business decisions that impact the risk profile (63 per cent), or approve new business or products (58 per cent). And while regulators have placed greater focus on the importance of conduct and culture, review compensation plan to assess its impact on risk appetite and culture was identified as a responsibility by 54 per cent of the respondents.

Steady increase in the adoption of ERM. Seventy-three per cent of institutions reported having an ERM programme, up from 69 per cent in 2014 and more than double the 35 per cent in 2006. In addition, another 13 per cent of institutions said they are currently implementing an ERM programme and 6 per cent said they plan to create one. An institution's ERM framework and/or policy is a fundamental document that should be approved by the board of directors and 91 per cent of institutions said this had occurred, up from 78 per cent in 2014. Two of the issues frequently cited as extremely or very high priorities for their risk management programmes over the next two years concerned IT systems and data: enhancing the quality, availability and timeliness of risk data (72 per cent). Another issue considered to be an extremely or very high priority by a substantial majority of respondents was of risk management

Over the 20 years that Deloitte has been conducting its Global risk management survey series, the financial services industry has become more complex with the evolution of financial sectors, the increased size of financial institutions, the global interconnectedness of firms, and the introduction of new products and services. At the same time, regulatory requirements and expectations for risk management have broadened to cover a wider range of issues and also become more stringent, especially in the years since the global financial crisis. Deloitte's survey series has assessed how institutions have responded to these developments, the substantial progress that has occurred in the maturity of risk management programmes and their challenges. In general over this period, risk management programmes have become almost universally adopted and programmes now have expanded capabilities. Boards of directors are more involved in risk management and more institutions employ a senior-level CRO position. The following are some of the key areas where the survey series has documented an increasing maturity in risk management programmes.

More active board oversight. In 2016, 93 per cent of respondents said their board of directors reviews and approves the overall risk management policy and/or ERM framework, an increase from 81 per cent in 2012.

More use of board risk committees. It is a regulatory expectation that boards of directors establish a risk committee with the primary responsibility for risk oversight. The use of a board risk committee has become more widespread, increasing from 43 per cent of institutions in 2012 to 63 per cent in 2016, although there is clearly room for further adoption (figure 1).

Increased adoption of CRO position. Over the years, there has been a continual increase in the percentage of institutions with a CRO position or equivalent, from 65 per cent in 2002 to become almost universal with 92 per cent in 2016 (figure 2). At the same time, the CRO is a more senior-level position reporting to higher levels of the organisation. In 2016, 75 per cent of respondents said the CRO reports to the CEO, a substantial increase from just 32 per cent in 2002. Similarly, the CRO more often directly reports to the board of directors—at 52 per cent of institutions in 2016 up from 32 per cent in 2002. Seventy-seven per cent of institutions reported that the CRO is a member of the executive management committee, an increase from 58 per cent in 2010.

Wider set of responsibilities for the CRO. Over time, the CRO and the independent risk management programme have been given a wider set of responsibilities at many institutions. For example, 92 per cent of respondents said a responsibility of the CRO was to assist in developing and documenting the enterprise-level risk appetite statement compared with 72 per cent in 2008. Similarly, 76 per cent said a CRO responsibility is to assess capital adequacy, while this was the case at 54 per cent of the institutions in 2006.

Widespread adoption of ERM programme. The adoption of ERM programmes has more than doubled, from 35 perc ent in 2006 to 73 per cent in 2016 (figure 3). The implementation of ERM programmes moved upwards in 2010, which was likely due to post-financial crisis focus on enhancing risk management.

While there has been considerable progress in the continued development and maturation of risk management programmes, there remains considerable work to do. The specific areas where risk management programmes need to further enhance their capabilities and effectiveness, and the likely future challenges, are detailed in the body of this report.

Introduction : Economic and business environment

Deloitte’s Global risk management survey, 10^th edition was conducted as a variety of trends were having a dramatic impact on the financial services industry, in some cases with their future direction difficult to predict.

Low-revenue environment

Financial institutions are struggling to generate returns in an environment of historically low interest rates and slow economic growth, coupled with increasing regulatory requirements. The weak economic conditions provide less opportunity to generate revenue and may also increase credit risk. The result has been a greater focus on controlling the cost of risk management programmes, with institutions looking to increase efficiency by creating centres of excellence and by rationalising and consolidating processes, especially in the second line of defence (the independent risk management function).

Global growth in 2016 was expected to be 3.1 per cent and then increase to 3.4 per cent in 2017, according to the International Monetary Fund (IMF). ² The outlook was more modest for developed economies with growth projected to be 1.6 per cent in 2016 and 1.8 per cent in 2017.

The US economy was expected to grow 1.6 per cent in 2016 and 2.2 per cent in 2017, while the Euro area was expected to have growth of 1.7 per cent and 1.5 per cent in these two years. In the wake of the Brexit vote, the United Kingdom was projected to see its growth rate slow from 1.8 per cent in 2016 to 1.1 per cent in 2017. In Japan, growth was projected to be just 0.5 per cent in 2016 and 0.5 per cent in 2017. GDP growth in China was predicted to be 6.6 per cent in 2016 but slow somewhat to 6.2 per cent in 2017.

Weak economic conditions have created challenges for financial institutions. Return on average equity for US banks was 9.0 per cent in the third quarter of 2016, compared to 12.2 per cent in 2006-2007. ³ The performance of European banks was even weaker, with average return on equity of 5.9 per cent in the first quarter of 2016, which was below the cost of equity. ⁴ An analysis by the IMF found that banks in the European Union were earning less than half of their average 2004–2006 profits.

The IMF found that more than one-quarter of the banks in advanced economies, with about $11.7 trillion in assets, would remain weak and face continued structural challenges even if a cyclical recovery occurred, with the greatest problems at institutions in Europe and Japan. ⁵ Similarly, the ongoing period of low interest rates could call into question the solvency of many insurers.

China has been undergoing a transition towards an economy that is more based on consumption and services and less dependent on manufacturing activity and investment. In addition, it has moved to rely more on markets to set interest rates and exchange rates. However, concerns remain over its rapid increase in debt, including a significant fraction considered at risk, often to state-owned enterprises. ⁶

Increasing regulatory requirements for capital and liquidity

Capital requirements include Basel 2.5 and III, the US Federal Reserve’s Comprehensive Capital Analysis and Review (CCAR) and Dodd-Frank Act Stress Tests (DFAST). From mid-2011 through the end of 2015, 91 leading banks around the world have increased their common equity by $1.5 trillion, with the ratio of equity to risk-weighted assets rising from 7.1 per cent to 11.8 per cent. This puts the equity capital ratios of banks substantially above the Basel III minimum of 4.5 per cent. ⁷

There have been wide variations across banks in the calculations of required capital due to each bank’s choice of internal models, which raises questions about transparency and whether some calculations appropriately reflect underlying risk. The Basel Committee on Banking Supervision (Basel Committee) has issued several proposals (the so-called “Basel IV” proposals) to introduce enhanced standardised approaches to eliminate or reduce the role of internal models in calculating minimum capital charges and establish a minimum capital floor. The proposed changes could lead risk-weighted assets to rise by an average of 18 per cent to 30 per cent, requiring more capital, according to an analysis by Morgan Stanley. ⁸

However, there has been some resistance to establishing a capital floor from European banks and officials who believe this would require European banks holding large amounts of low-risk assets such as mortgages to hold more capital, putting them at a competitive disadvantage. ⁹ Concerns have also been expressed by the Japan Financial Services Agency (JFSA) and the Reserve Bank of India. ¹⁰

US institutions and other global banks operating in the European Union also face a new proposal that would require their EU operations to have separate intermediate holding companies that will be subject to consolidated capital and liquidity requirements.

In the United States, the Federal Reserve has eliminated the qualitative examination portion of its annual Comprehensive Capital Analysis and Review (CCAR) for institutions with less than $250 billion in assets, $10 billion in foreign exposure and $75 billion in nonbank assets. The Federal Reserve has also indicated it will issue a proposed rule to effectively embed stress-test results into current capital requirement buffers and implement the surcharge buffer for global systemically important banks (GSIBs).

Among insurers, institutions active in Europe must comply with Solvency II capital requirements, which took effect on 1 January 2016. US insurers must comply with similar Own Risk Solvency Assessment (ORSA) capital requirements put in place by state regulators. US companies subject to ORSA are required to submit an annual filing to their state department of insurance detailing the company’s own assessment of its risk profile, the processes in place to manage risks, the potential impact of those risks and a view on solvency. ¹¹ In January 2017, the Treasury Department, acting through the Federal Insurance Office and the Office of the US Trade Representative, announced the successful completion of negotiations for a “covered” agreement with the European Union on prudential measures regarding insurance and reinsurance. ¹² Under the agreement, which covers three areas of insurance oversight—reinsurance, group supervision and the exchange of insurance information between supervisors—US and EU insurers operating in the other market will only be subject to oversight by the supervisors in their home jurisdiction. ¹³

Financial institutions have also faced an increasing set of liquidity requirements in the years since the global financial crisis. Liquidity requirements introduced or in the process of implementation include the liquidity coverage ratio (LCR) and the net stable funding ratio (NSFR) introduced in Basel III. Under the enhanced prudential standards (EPS), the US Federal Reserve recently implemented additional liquidity reporting requirements for both US and foreign banks operating in the United States with total consolidated assets of $50 billion or more. These requirements impact treasury, risk and operations, particularly around risk management, cash flow forecasting, contingency funding planning, limit setting, stress testing, liquidity buffer sizing and management, and governance, among other areas. ¹⁴ In addition, the Federal Reserve 2052a reporting requirement places an additional emphasis providing detailed information to allow the Federal Reserve to monitor the overall liquidity profile of institutions. ¹⁵ These and other liquidity requirements are still being finalised or fully implemented and their implications and linkages are still being studied.

Uncertain outlook for regulatory requirements

There are significant questions regarding whether the continual ratcheting up of regulatory requirements since the global financial crisis will continue. As noted above, some European regulators and financial institutions are pushing back on Basel plans to implement a regulatory capital floor. In the United States, President Trump criticised the Dodd-Frank Act during the presidential campaign and in February 2017 issued an executive order instructing the Treasury Department to review financial regulations to determine whether they are consistent with the administration’s goals such as enhancing the competitiveness of American companies. ¹⁶ There have also been various proposals by the US Congress to scale back or eliminate the Dodd-Frank Act that are expected to be refined and re-introduced as legislation in 2017. Although repealing the Dodd-Frank Act would likely not be possible without some Democratic support (since new legislation would require 60 votes in the Senate to overcome a filibuster and Republicans only have a 52-48 majority), the Trump administration could still make substantial regulatory changes through other means. These include attaching policy riders to appropriation bills or through the budget reconcilliation process (which only requires a simple majority in the Senate); changes to agency rules or regulatory guidance within the limitations of the governing laws; and changes to the approaches to rulemaking, supervision and enforcement at the federal level.

President Trump will also make a number of appointments to regulatory bodies that have substantial discretionary authority to change regulatory requirements, such as capital and liquidity requirements, including the Federal Reserve, the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Consumer Financial Protection Bureau and the Financial Stability Oversight Council.

In February 2017, President Trump signed a memorandum instructing the Department of Labour to conduct an updated legal and economic analysis of the proposed Conflict of Interest rule, which had been slated for implementation in April 2017 and rescind or revise the rule if it is found to have adverse impacts. ¹⁷ Among the other rules and guidance that fall under the discretionary authority of the associated agencies are the requirements of the CCAR/DFAST programmes and designations of nonbank financial institutions as systemically important.

In another kind of regulatory uncertainty, institutions occasionally receive unexpected regulatory feedback. In their most recent review, the Federal Reserve and the Federal Deposit Insurance Corporation (FDIC) determined that certain resolution plans submitted by the eight GSIBs were “not credible or would not facilitate an orderly resolution” under the US Bankruptcy Code. The agencies provided explicit guidance regarding expectations for the next full resolution plan submissions due by
July 1, 2017. The Federal Reserve also extended the resolution plan submission deadline for other filers.

Geopolitical uncertainty

In addition to the potential impact on financial regulations, the political developments in major western economies in 2016 have ushered in a period of geopolitical uncertainty, with potentially far-reaching implications for the future of globalisation and trade.

The Brexit vote for the United Kingdom to leave the European Union could have substantial impacts on financial institutions, even those that do not have operations in this region, due to a slowdown in economic activity. In January 2017, UK Prime Minister Theresa May indicated the intention to negotiate a clean break with the European Union.¹⁸ It is expected that there may be more trade friction between the United Kingdom and the European Union after separation, less free movement of people across these borders, and a more complex and uncertain regulatory environment. Among other impacts, the uncertainty may make it more difficult to predict returns on equity with confidence from UK and EU operations, earnings could decline due to weaker economic activity in Europe and regulatory standards in the United Kingdom could diverge from those in the European Union.

One consequence of Brexit is that UK-based firms will lose the “passport” ability to distribute their products across the European Union, which is important to the United Kingdom’s role as a financial centre. The potential remains that financial firms may be able to continue to distribute some products across the European Union where the UK regulatory regime is considered to be “equivalent.”¹⁹ If firms with UK-based operations lose the ability to distribute their products across the EU market, significant restructuring and relocation may be required across Europe, with firms needing to decide if the related expenditures and disruptions fit their strategic plans.

These impacts on trade would be heightened if other countries join the United Kingdom in deciding to leave the European Union. Populist parties that oppose EU membership have gained ground in France, the Netherlands, Austria and Italy. In 2017, France will hold a presidential election, in which the National Front, which opposes EU membership, is one of the leading parties. In the wake of the rejection by Italian voters of a constitutional reform parcel, Italy may also hold an election in 2017, where the populist Five Star Movement that opposes Italy’s membership in the European Union has been gaining ground.

In his first days in office, President Trump signed an executive order withdrawing the United States from the TPP, while during the presidential campaign he supported renegotiating trade agreements with Mexico and China and proposed placing a tariff on the goods of US companies that move operations outside the country.

Global trade in goods and services is far below its historical pace, having grown just 3 per cent since 2012, less than half the average rate over the previous three decades, which may be the result of the simultaneous slowdown in economic growth across both developed and emerging economies. Another factor is the slowdown in China’s economy and the fact that it is coming to rely more on consumption and less on manufacturing investment, which has reduced Chinese imports of commodities and other goods. There had been a rapid increase in Chinese imports over the previous decade and China now is among the top importers for more than 100 countries that account for roughly 80 per cent of world GDP.²⁰ With the possibility that additional countries may leave the European Union and that the United States may renegotiate its trade agreements, it remains to be seen whether additional trade restrictions will be put in place that could further slow global trade and what impact this may have on economic growth.

Focus on role of business in risk management

Institutions are working to more effectively and efficiently implement the three lines of defence risk model governance framework. Under the model, business units (the first line of defence) manage the risks in their areas in order to increase accountability, while the risk management programme (second line of defence) is responsible for oversight and challenge. Placing primary responsibility for managing risk in the business units as the first line of defence increases the effectiveness of risk management by leveraging their knowledge of their business activities and operations, while also helping to instil a culture of owning inherent risk in the business.

While this model is conceptually simple and appealing, over time the actual practises implemented have become inefficient, with redundancies and in some cases ineffective areas due to gaps. As a result, institutions are seeking to clearly define the roles and responsibilities of each line, ensure their business units carry out their risk management responsibilities, and align business activities with the institution’s risk appetite and risk management policies. At the same time, institutions are looking to simplify and rationalise the risk management processes across the lines of defence.

Growing cybersecurity risk

Improving management of cybersecurity risks has been an increasing concern of financial services institutions and has also been receiving greater attention from regulators and policy setters. There is a wide range of types of cyber risks including attacks on operating systems; locking users out of their computers and data; theft or corruption of data and systems; and release of confidential data, intellectual property, or corporate strategy.

Banks, securities companies, investment management firms, insurers and payment and clearing systems are prime targets for cybercriminals looking to steal money or data, or compromise critical infrastructure, spurred by the large amounts of money involved and the increased use of online and mobile banking. Cyberattacks increased by 50 per cent in the second quarter of 2016 compared to the second quarter of 2015 and the number of cyberattacks against financial institutions is estimated to be four times greater than against companies in other industries.²¹ A study in the first quarter of 2016 found that there had been a 40 per cent increase in cyberattacks targeting financial institutions.²²

In 2016, the Federal Reserve, the FDIC and the Office of the Comptroller of the Currency (OCC) issued an advanced notice of proposed rulemaking regarding enhanced cyber risk management and resilience standards for large banks, which may lead to a more formal proposed rule in 2017. The regulators in the European Union are expected to follow suit. In insurance, in 2015 the National Association of Insurance Commissioners (NAIC) issued a document setting out principles for effective cybersecurity and cybersecurity has now been integrated into insurance regulatory examinations. Also in the United States, the New York State Department of Financial Services (DFS) proposed prescriptive cybersecurity requirements for banks and insurance companies, which it describes as a “first-in-the-nation cybersecurity regulation.”²³

Managing cyberthreats is also a priority for regulators in Asia Pacific. In May 2016, the Hong Kong Monetary Authority (HKMA) launched the Cybersecurity Fortification Initiative, which includes a mandatory self-assessment of cybersecurity risks faced by financial services institutions, simulation exercises, a professional development programem and the launch of a Cyber Intelligence Sharing Platform.²⁴ The Cybersecurity Law of China, which will take effect on June 1, 2017, will impose obligations on “critical information infrastructure operators” and “network operators” to, among other requirements, keep personal information and important business data collected or generated in China within China, have appropriately qualified dedicated cybersecurity staff, report incidents to data owners and authorities, and conduct annual reviews and assessments of cybersecurity threats. Regulators in Japan, Singapore and Australia are also focussing on the need for institutions to implement cybersecurity frameworks, predict potential threat scenarios, regularly test security measures and address any weaknesses identified.²⁵

Central role of conduct and culture

Encouraging ethical conduct among employees and instilling a risk management culture throughout the organisation has been a focus of regulators since the global financial crisis. Recently, there have been notable instances of inappropriate behaviour at major financial institutions, both in retail markets and wholesale markets, which could lead regulators to give even more attention than before to conduct and culture. Institutions need to address instances of poor culture, lack of accountability and misaligned incentive compensation policies, or face the potential for intervention by regulatory authorities.

The European Banking Authority (EBA) has revised guidelines on internal governance, placing more emphasis on conduct, culture and conflicts of interest. EBA’s stress tests in 2016 assessed an additional €71 billion in losses under an adverse conduct risk scenario, while the Bank of England’s stress tests identified £40 billion of additional conduct risk costs for the seven banks participating.

European insurers should prepare for the implementation of the Insurance Distribution Directive standards on product governance, disclosures and conflicts of interest. The European Insurance and Occupational Pensions Authority (EIOPA) has made consumer protection a strategic priority for 2017.

In the United States, the Federal Reserve has placed an emphasis on the importance of financial institutions encouraging ethical behaviour by their employees through hiring, incentives/compensation and setting an appropriate ‘tone at the top.’ The Federal Reserve Bank of New York (FRBNY) has held three conferences on culture and behaviour in the financial services industry and continues to stress the importance of the issues. US regulators have twice proposed rules on incentive compensation.

Australian regulators are also placing a heavy focus on conduct and culture in the financial services industry. The Australian Prudential Regulation Authority (APRA) released an information paper in late 2016 that assessed risk culture within the industry as being at a very early stage of maturity, called for a deeper analysis and understanding of risk culture across the entire sector and set out a detailed regulatory work plan that will include pilot reviews and a stocktake of remuneration practises.²⁶

Hong Kong’s Securities and Futures Commission (SFC) recently articulated its expectations with regard to senior management accountability, including the designation of fit and proper individuals to be “managers-in-charge” of core functions and a requirement to submit management structure information and organisational charts.²⁷ The increased focus on this area has made it important for financial institutions to have a formal programme for risk management conduct and culture with appropriate resources. To address the complex of conduct, culture and ethics management, institutions may need to redouble their efforts to align their business practises and incentives/compensation with risk management and integrate risk management considerations throughout day-to-day business practises. Institutions can benefit from employing a risk control self-assessment (RCSA) process in these areas so that management and staff at all levels identify and evaluate the conduct and culture risks facing the institution and the effectiveness of the associated controls. Other institutions have improved their governance and oversight over key business areas that impact conduct. Some institutions are using predictive analytics tools to identify employee behaviour patterns that warrant further investigation.

Fintech disruption

Another source of strategic risk is the more widespread emergence of fintech start-ups, which leverage technology capabilities to compete with traditional banks, investment management firms and insurers in such areas as loans, payment products, wealth management, and property and casualty insurance. Although still a small segment of the market, fintech firms are expanding at a rapid clip. The investment in fintech has grown from $1.8 billion in 2010 to $19 billion in 2015 and in 2015, Goldman Sachs estimated the market to be worth $4.7 trillion.²⁸ Fintech firms have been able to innovate at a faster pace than traditional institutions, for example, creating loan origination platforms that pull information directly from customer tax records and other financial providers, resulting in a faster, cheaper, less burdensome and yet more accurate process.

Regulators around the world are examining the impact of fintech on financial regulation. The US OCC announced in December 2016 that it would develop a process for issuing limited special-purpose national bank charters for fintech firms and subject them to prudential supervision.

In Europe, the Financial Stability Board (FSB) is monitoring the potential risks and benefits to financial stability of fintech, with a particular focus on distributed ledger technologies (including blockchain), peer-to-peer lending and artificial intelligence.²⁹ The European Commission established an internal task force on financial technology and plans to produce policy recommendations during 2017.³⁰ In the United Kingdom, the Financial Conduct Authority (FCA) has launched a “call-for-input” on crowdfunding, indicating its intention to consider rule changes on the risks in the sector, including the mismatch between the maturity of the loans and the promises of liquidity made to investors.³¹

Asia-Pacific regulators have launched a range of initiatives to nurture and manage the growth of fintech in the region. Many jurisdictions have taken a “regulatory sandbox” approach that allows fintech firms to carry out their activities in a more relaxed regulatory environment (for example, Australia, Hong Kong, Indonesia, Singapore and South Korea). The Monetary Authority of Singapore is a leader in the region and has outlined various innovation initiatives including regulatory sandbox guidelines, plans to consult on algorithms for robo-advisers, establishing a national “know-your-customer” utility and partnering with R3 to develop blockchain.³² In December 2016, the Australian Securities and Investments Commission (ASIC) issued a licencing exemption for fintech firms that it described as “a world first.”³³

Traditional financial institutions are also partnering with fintech firms. For example, in 2015, JPMorgan Chase announced that it would make small business loans through OnDeck Capital, a fintech lending platform.³⁴ Other financial institutions are seeking to adopt the entrepreneurial ways of the fintech firms within their own organisations, for example, by creating online wealth management applications to compete with the new fintech players.

To respond to the shifting business environment brought by fintech and other disrupters, it will be important to have robust strategic risk programmes and some institutions may need to conduct their identification and response planning for strategic risks more frequently. These programmes may also need to develop a new mind-set that considers the potential for a greater degree of disruption than may have been seriously considered in the past. The goal should be to focus on the ability to maintain stable earnings and survive potential disruption scenarios.

Risk governance

Role of the board of directors

Regulators expect a financial institution’s board of directors to play a fundamental role in providing oversight of the risk management programme. The Basel Committee has issued principles specifying that a bank’s board of directors should have overall responsibility for risk management and that a bank should have an effective independent risk management function.³⁶ The EPS rule issued by the Federal Reserve in March 2014 requires that US publicly traded banks with consolidated assets of $10 billion or more have a risk committee of the board of directors chaired by an independent director.³⁷ For US banks with consolidated assets of $50 billion or more, EPS requires that the risk committee must be a stand-alone committee of the board that meets at least quarterly and has at least one independent director knowledgeable of risk management in large, complex banks.³⁸ The US OCC has issued standards requiring large banks to have a board-approved risk-governance framework. For US insurers, in 2014 the NAIC approved a framework for adoption by the state insurance commissioners that requires insurers to file an annual disclosure about their corporate governance practises including the policies and practises of their board of directors.³⁹

In Australia, APRA Prudential Standard CPS 220 Risk Management sets out comprehensive requirements for regulated institutions (for example, banks and insurers). These include stipulations that boards ensure there is a risk management framework for addressing material risks, that the framework include strategic and business planning, and that there is a clearly articulated risk appetite statement that is actively developed and reviewed by the board and communicated appropriately throughout the business operations. Additional requirements are that the regulated institutions have a risk management function, a separate board risk committee, a designated CRO who reports directly to the CEO and a sound risk management culture that includes ongoing risk education and processes to ensure behaviour is monitored and managed within the risk appetite.⁴⁰

Boards of directors are expected to provide active oversight including approving the risk management framework and risk appetite. Rather than merely receiving periodic briefings, they should be prepared to challenge management decisions and recommendations where appropriate.

Given the increased scope and intensity of regulatory requirements, coupled with a volatile economic environment, most respondents reported that their board of directors is devoting more time to the oversight of risk management compared to two years ago. Forty-four per cent of respondents said their board spends considerably more time overseeing risk management than it did two years ago, while 42 per cent said it spends somewhat more time.

Respondents at banks were more likely to report their board of directors is spending considerably more time on risk management than it did two years ago (57 per cent) than those at investment management firms (43 per cent) and insurance companies (44 per cent). This is not surprising given the pace and scope of changing regulatory requirements and guidance in the banking sector, a large part of which either is focussed specifically on risk management or else has large effects on risk management.

Boards of directors and their risk committees, have a wide range of risk management responsibilities. A number of traditional risk management functions are responsibilities of boards at almost all institutions including review and approve overall risk management policy and/or ERM framework (93 per cent), monitor risk appetite utilisation including financial and nonfinancial risk (89 per cent), assess capital adequacy (89 per cent), and monitor new and emerging risks (81 per cent) (figure 7).

On the other hand, there is room for improvement at many institutions on a number of issues that have recently received attention. Strategic decisions can have a substantial impact on an institution’s risk profile and one might have expected that more than about two-thirds of institutions would say their board’s activities include review corporate strategy for alignment with the risk profile of the organisation (68 per cent). And while regulators have recently placed greater focus on the important role that culture plays in effective risk management, the board oversight activities at many institutions did not include help establish and embed the risk culture of the enterprise (67 per cent) or review incentive compensation plans to consider alignment of risks with rewards (55 per cent).

Board risk committees

Placing oversight responsibility for risk management with a board risk committee is a general regulatory expectation and has come to be seen as a leading practise. The Basel Committee issued guidance in 2010 that stressed the importance of a board-level risk committee, especially for large banks and internationally active banks and revised guidance in 2015 specifying the appropriate role of the risk committee.⁴¹ As noted above, the EPS issued by the Federal Reserve establishes certain requirements for US banks to have a risk committee of the board of directors, with some requirements phased in based on size of institution.

Sixty-three per cent of institutions reported they have a risk committee of the board of directors with primary responsibility for risk oversight, up from 51 per cent in 2014. As a result of the ascendance of the board risk committee, only 16 per cent said the full board has primary responsibility, down from 23 per cent in the prior survey. Some respondents said oversight was a combined responsibility of the board audit and risk committees (8 per cent) or other board committees (9 per cent).

Placing primary responsibility in a board risk committee is much more common in the United States/Canada (89 per cent, up from 61 per cent in 2014), than in Europe (65 per cent), Asia Pacific (52 per cent), or Latin America (63 per cent). This may be a response to the requirements of the Federal Reserve’s EPS and OCC’s heightened standards regarding board risk committees.

A prominent role for board risk committees is more common at banks (74 per cent compared to 56 per cent in 2014), although it also rose at investment management firms (65 per cent up from 44 per cent) and insurers (61 per cent up from 49 per cent).

As noted, there has been a trend for regulators to require that financial institutions include independent directors in their board risk committees. The Federal Reserve’s EPS requires that the risk committee include at least one independent director, while the US OCC regulations increased the required number to two independent directors.

The survey found that the trend towards independent directors on the board risk committee has become pronounced. Forty-five per cent of institutions reported that their board risk committee includes two or more independent directors (as well as other directors), while 36 per cent said it is composed entirely of independent directors (figure 8). Only 5 per cent of institutions said their board risk committee contains only one independent director, while at 13 per cent of institutions the risk committee does not contain any independent directors.

Having the risk committee chaired by an independent director and having the participation of a risk management expert are becoming regulatory expectations for larger institutions. Many institutions find that in practise it is easier to have independent directors as members of their risk committee, or even be chaired by an independent director, than to secure the participation of an identified risk management expert. Seventy-two per cent of institutions reported that their board risk committee is chaired by an independent director, while 67 per cent have a risk management expert on their committee.

Having an identified risk management expert is most common in the United States/Canada (78 per cent), Asia Pacific (72 per cent), and Latin America (86 per cent) and is less common in Europe (52 per cent). One reason for the lower prevalence in Europe is that European regulations contain a more general requirement that risk committee members “... shall have appropriate knowledge, skills and expertise to fully understand and monitor the risk strategy and the risk appetite of the institution.”⁴²

Role of the CRO

Having an independent risk management function headed by a CRO is a regulatory expectation. The Basel Committee guidance on governance recommends that large banks and internationally active banks have a risk management function and a CRO position with “sufficient authority, stature, independence, resources and access to the board.” ⁴³

Adoption of a CRO position is almost universal, with 92 per cent of institutions reporting that they have a CRO or equivalent position. The CRO position is more common at institutions in the United States/Canada (89 per cent) and Europe (92 per cent) than in Asia Pacific (73 per cent) or Latin America (63 per cent).

There are significant benefits and a general regulatory expectation, for the CRO to report directly to the board of directors as well as to the CEO, but this is not the case at many institutions. The CRO reports to the board of directors at 52 per cent of the institutions surveyed, up slightly from 48 per cent in 2014. Further, the CRO reports to the CEO at 75 per cent of institutions, meaning that at one quarter of the institutions the CRO does not report to the most senior management executive in the organisation. It appears that many institutions have more work to do to improve the reporting structure for their CRO.

At 90 per cent of institutions, the CRO meets regularly with the board of directors or board committees responsible for risk management, although fewer (53 per cent) reported that their CRO meets in executive sessions with the board. Affording the CRO the opportunity to meet with the board of directors or the board risk committee without the CEO or other members of senior management present can provide the board with an opportunity to receive a frank assessment of the state of the risk management programme and the specific challenges the institution faces.

Latin American institutions were least likely to say their CRO reports to the board of directors (14 per cent), compared to 50 per cent or greater in other regions and 52 per cent of Latin American institutions said their CRO reports to the CEO, while this figure is more than two-thirds in other regions. Twenty-nine per cent of respondents at Latin American institutions said the CRO reports to the CFO, while this is the case with less than 10 per cent of institutions in other regions.

It is a leading practise for the CRO to be the most senior management position responsible for the risk management programme, but the CRO does not universally have this role. Only 48 per cent of institutions reported that the CRO or equivalent is the highest level of management responsible for the risk management programme, similar to the percentage in 2014. Other common responses were the CEO (27 per cent), the executive-level risk committee (16 per cent), or the CFO (4 per cent). Assigning primary responsibility for risk management to the CRO is more common among institutions in the United States/Canada (78 per cent) than in Europe (50 per cent), Asia Pacific (38 per cent), or Latin America (25 per cent).

Institutions assign a broad range of responsibilities to the firm-wide, independent risk management group headed by the CRO. Many oversight activities were nearly universal including develop and implement the risk management framework, methodologies, standards, policies and limits (94 per cent), identify new and emerging risks (94 per cent) and develop risk information reporting mechanisms (94 per cent).

However, a number of other important oversight activities are in place at no more than two-thirds of institutions including provide input into business strategy development and the periodic assessment of the plan (65 per cent) and participate in day-to-day business decisions that impact the risk profile (63 per cent). Risk management considerations need to be infused into both strategy and business decisions to consider their risk implications and more progress still needs to be made in these areas.

Another area that a relatively low percentage of respondents said was a responsibility of the risk management programme was approve new business or products (58 per cent). This may be partly explained by the fact that relatively few new products are being introduced in the current economic and regulatory environment.

Finally, regulators and industry leaders have devoted considerable attention to the role that incentive compensation and culture play in risk management, yet the activity review compensation plan to assess its impact on risk appetite and culture was identified as a responsibility by 54 per cent of respondents. This was more often a risk management responsibility at institutions in the United States/Canada (75 per cent) and Europe (62 per cent) than in Asia Pacific (38 per cent) and Latin America (43 per cent).

Risk appetite

A written risk appetite statement provides guidance for senior management when setting an institution’s strategic objectives and for lines of business when making business decisions. The idea of a risk appetite has been around for some time but has received renewed attention since the global financial crisis. The FSB issued principles for an effective risk appetite framework in November 2013. ⁴⁴ In 2015, the Basel Committee issued guidance that stressed the role of the board of directors in establishing, along with senior management and the CRO, the institution’s risk appetite. ⁴⁵

There is now wide adoption of a written, enterprise-level risk appetite statement approved by the board of directors. Eighty-five per cent of institutions reported they have such a statement approved by the board of directors, up from 75 per cent in 2014. The regulatory focus on risk appetite began in banking, where 91 per cent reported either having a risk appetite statement approved by their board of directors or being in the process of developing a statement and securing approval. But risk appetite statements have now also become common in investment management firms (83 per cent) and insurance companies (85 per cent).

There are challenges in developing a risk appetite statement that provides useful guidance to the business. Respondents most often said that it is extremely or very challenging to define risk appetite for newer risk types such as reputational risk (49 per cent), strategic risk (48 per cent), model risk (48 per cent) and cybersecurity risk (46 per cent) (figure 9). Each of these risk types poses challenges in defining and measuring risk. For example, strategic risk requires an assessment of the risk posed by an institution’s business strategy, while reputational risk is typically a secondary risk that results from market, credit, operational, or other types of risk events that spread to have wider impacts to the organisation and is thus difficult to measure and establish limits for.

Operational risk has been an area where many institutions had struggled to develop appropriate analytical approaches that would allow them to measure and set risk limits. However, more attention has been paid to this area and it appears that progress is being made. Twenty-seven per cent of respondents said that defining risk appetite for operational risk is extremely or very challenging, down from 38 per cent in 2014.

In contrast, the issues that were least often seen as extremely or very challenging were defining risk appetite for traditional risk types such as liquidity risk (12 per cent), market risk (10 per cent) and credit risk (7 per cent). Institutions generally have many years of experience in these areas and have developed data and analytical methods that allow them to quantify the risk and set appropriate risk limits.

Respondents at European institutions were more likely than those in other regions to say that a number of issues were extremely or very challenging including defining risk appetite forstrategic risk (58 per cent compared to 38 per cent in United States/Canada) and defining risk appetite for reputational risk (63 per cent compared to 38 per cent in United States/Canada and 36 per cent in Asia Pacific). On the other hand, defining risk appetite for operational risk was more often seen as extremely or very challenging by institutions in the United States/Canada (50 per cent) and Latin America (43 per cent) than those in Europe (24 per cent) and Asia Pacific (19 per cent).

It is also challenging to further allocate and delegate risk appetite from the overall risk appetite statement down to risk limits in the various operations and business unit activities of an institution. In some institutions, the development of risk appetite allocations and delegations to business units remains a work in progress as more granular measures are developed. Other important activities were less often considered to be extremely or very challenging but still pose difficulties for many institutions such as allocating the risk appetite among different business units (38 per cent), translating the risk appetite for individual risk types into quantitative risk limits (37 per cent) and integrating risk appetite with stress testing including defining risk appetite for stressed conditions (34 per cent).

Three lines of defence risk governance model

A “three lines of defence” risk governance model is a regulatory expectation and has been accepted as a leading practise so that business units, the risk management programme and internal audit each play their appropriate role in risk management. The three lines of defence model comprises the following components:

• Line 1: Business units own and manage their risks
• Line 2: Independent risk function provides oversight and challenge
• Line 3: Internal audit function validates the risk and control framework

The three lines of defence model is now essentially universally adopted, with all the institutions participating in the survey reporting that they employ it.

Although this model is conceptually sound, practical implementation can present difficulties, especially in large institutions with multiple business units and locations. For a start, an institution needs to have enough skilled personnel in each line of defence. The industry-wide competition for experienced risk management professionals has made it more difficult to hire employees with risk management skills. Business units in particular may find it difficult to attract professionals who have experience both in risk management and also in the business. In fact, having sufficient skilled personnel in all three lines of defence (64 per cent) was the issue most often considered to be a significant challenge in implementing the three lines of defence risk governance model.

The other issues rated as significant challenges revolved around the business units (Line 1) and their interaction with risk management (Line 2). The issue cited next most often as extremely or very challenging was defining and maintaining the distinction in roles between Line 1 (the business) and Line 2 (risk management) (55 per cent, up from 51 per cent in 2014). Business units need to buy into the process and have good collaboration with the risk management function. Too often the three lines of defence model can result in duplication of controls and reviews across the three lines (resulting in so-called “checkers checking the checkers”), and eliminating this redundancy requires clarifying the roles and responsibilities of each group involved.

A third issue cited frequently as extremely or very challenging was getting buy-in from Line 1 (the business) (44 per cent up from 36 per cent in 2014). The business unit executives in Line 1 need to assume responsibility for risk in their daily activities, rather than simply delegating risk management to specific personnel in “risk” roles. Business units need to ensure that material risks associated with their activities are assessed and that there are adequate control mechanisms to manage them, including compliance and conduct testing processes, quality assurance procedures and problem escalation processes.

Yet, getting buy-in from business units can be difficult since business units are measured on the revenue generated rather than specifically on risk management activities. Overcoming this resistance requires instilling a culture throughout the organisation that communicates that identifying and managing risks is an important responsibility of the businesses.

There is a longer tradition of employing the three lines of defence model in the United States/Canada and Europe, which was reflected in the survey. For example, having sufficient skilled personnel in all three lines of defence was more often cited as extremely or very challenging by respondents at institutions in Asia Pacific (77 per cent) and Latin America (75 per cent) than those in United States/Canada (56 per cent) or Europe (46 per cent). Similarly, respondents less often considered getting buy-in from Line 1 (the business) to be extremely or very challenging for the United States/Canada (44 per cent) and Europe (42 per cent) than in Latin America (63 per cent). On the other hand, institutions in the United States/Canada are still struggling with defining and maintaining the distinction in roles between Line 1 (the business) and Line 2 (risk management), where 78 per cent rated it as extremely or very challenging compared to less than 60 per cent in other regions.

Institutions have taken different approaches to the three lines of defence model, with some centralising more activities and others decentralising more activities into the business units. One of the decisions that institutions need to make is where to locate the enterprise control testing function of the risk and control framework. Institutions that take a more decentralised approach have, in effect, split Line 1 into business unit risk management activities (Line 1A) and testing activities (Line 1B), with Line 2 handling monitoring, policy and challenge, and Line 3 conducting additional testing. However, this can lead to redundancy in the testing programme.

A strict interpretation of the three lines of defence model would suggest that the testing function should be centralised in internal audit (Line 3), but this is only the case at 31 per cent of institutions. The remaining institutions take a variety of approaches: embedded within the second line of defence centralised control testing function (23 per cent), performed in various functions (20 per cent), embedded within the second line of defence risk team (17 per cent) and embedded within the first line of defence in the business unit (7 per cent).

A similar organisational challenge is presented by specific risk types. For management of each risk type (or “stripe”), should there be executive accountability where a single individual is responsible for oversight of the risk across the organisation or should responsibility be decentralised to individual business units? Most institutions have a single individual accountable for risk oversight of traditional risk types such as liquidity risk (76 per cent), regulatory/compliance risk (76 per cent), market risk (75 per cent) and credit risk (72 per cent). Banks are more likely to have a single individual accountable for these traditional risk types—liquidity (87 per cent), regulatory/compliance (84 per cent), market (89 per cent) and credit (81 per cent)—compared to less than 80 per cent for investment management firms and insurance companies. This established executive accountability is logical, given the greater regulatory focus on bank risk management programmes.

Substantial majorities of institutions also have a single individual accountable for cybersecurity risk (67 per cent) and operational risk (65 per cent). Cybersecurity risk has received increased attention recently and 100 per cent of the institutions in the United States/Canada reported having a single individual responsible compared to fewer in Europe (62 per cent), Asia Pacific (60 per cent) and Latin America (75 per cent). The risk where oversight is least likely to be centralised is third-party risk, where 44 per cent of institutions have a single individual accountable for oversight, including just 26 per cent of European institutions and only 32 per cent of insurance companies.

Enterprise risk management

An ERM programme is designed to create an overall process to identify and manage risks facing an institution. Establishing an enterprise-wide programme helps prevent important risks from being overlooked, identifies interrelationships among risks in different lines of business or geographic areas and aligns risk utilisation with the organisation’s risk appetite. Regulatory authorities are encouraging financial institutions to implement ERM programmes and leverage their insights when setting business strategy or making important business decisions.

The adoption of ERM programmes is widespread, with 73 per cent of institutions reporting they have an ERM programme. In addition, another 13 per cent of institutions said they are currently implementing an ERM programme, while 6 per cent said they plan to create one in the future.

ERM programmes are more common in the United States/Canada (89 per cent) and Europe (81 per cent), where this has been a focus of regulatory authorities, than in Asia Pacific (69 per cent) or Latin America (38 per cent). However, 50 per cent of the respondents at institutions in Latin America said their institution is currently implementing an ERM programme.

The ERM framework and policy are fundamental documents governing risk management in an institution and should be reviewed and approved by the board of directors or the board risk committee and this now occurs at almost all institutions. Ninety-one per cent of institutions reported having an ERM framework and/or policy that has been approved by the board of directors, indicating the maturity of the large majority of ERM programmes. The board role in approving the ERM framework and/or policy is less common in Latin America (71 per cent) than in the United States/Canada (100 per cent), Europe (95 per cent) and Asia Pacific (91 per cent).

Institutions have a wide range of priorities for their risk management programmes over the next two years. Two of the issues rated frequently by respondents as extremely or very high priorities involved IT systems and data: enhancing risk information systems and technology infrastructure (78 per cent) and enhancing the quality, availability and timeliness of risk data (72 per cent) (figure 10).

Another issue considered to be an extremely or very high priority by a substantial majority of respondents was collaboration between the business units and the risk management function (74 per cent), which is essential to having an effective three lines of defence model. This result is consistent with the fact that 55 per cent of respondents said that defining and maintaining the distinction in roles between Line 1 (the business) and Line 2 (risk management) was a significant challenge in implementing the three lines of defence risk governance model. (See the section “three lines of defence risk governance model.”)

With the increase in regulatory requirements, financial services institutions have expanded their risk management personnel both in the risk management function and in business units, and as a result the competition for these professionals has been intense. Seventy per cent of respondents said that attracting and retaining risk management professionals with required skills would be an extremely or very high priority for their institution.

Reflecting the fact that regulatory authorities have increased their attention to the importance of instilling a risk management culture, 70 per cent of respondents cited establishing and embedding the risk culture across the enterprise as a high priority.

In the current low-revenue environment for financial institutions, there is pressure to reduce risk management costs and 43 per cent of respondents said that securing adequate budget and resources will be an extremely or very high priority. Institutions are looking for opportunities to increase efficiency by rationalising and consolidating their risk management programmes. An emerging trend is for institutions to leverage new technologies in this effort such as cognitive and advanced analytics techniques to identify behaviour patterns and predictive analytics to identify emerging risks. Robotics process automation (RPA), such as automated workflow and decisioning tools triggered by a robot function, is also being used to reduce costs and improve quality by automating routine tasks. The use of these new technology tools is still nascent, although some institutions are pursuing the use of fully automated compliance testing by levering these RPA technologies.

The drive to restrain costs is challenged by increased regulatory expectations for risk management. Forty-four per cent of respondents expected their institution’s annual spending on risk management would increase by 10 per cent or more over the next two years, including 13 per cent who expected an increase of more than 25 per cent. These figures are an increase from 2014, when 37 per cent of respondents expected an increase of 10 per cent or more and 9 per cent expected an increase of 25 per cent or more.⁴⁶

The issues that relatively few respondents rated as challenging were also instructive. Only 33 per cent of respondents said that increasing the role and involvement of C-suite in risk management was an extremely or very high priority, and the percentage was the same for increasing the role and involvement of the board of directors in risk management, suggesting that most institutions have already addressed these issues. The lowest-rated issue was aligning compensation and incentives with risk management (26 per cent). Although there had been considerable attention paid to compensation issues in the immediate aftermath of the global financial crisis, it appears that most institutions have decided that other issues are more pressing. Given the continuing focus on conduct and culture, more focus may be needed on compensation and incentives.

There were a number of interesting differences in the priorities for risk management across regions. In the United States/Canada (100 per cent) and Europe (81 per cent), respondents were more likely to cite increasing regulatory requirements and expectations as a priority over the next two years than were respondents in Asia Pacific (52 per cent) and Latin America (25 per cent), which reflects the pace of regulatory change in these regions. Enhancing the quality, availability and timeliness of risk data is also more often a priority in the United States/Canada (100 per cent) and Europe (88 per cent) than in Asia Pacific (56 per cent) and Latin America (50 per cent). Increasing the role and involvement of the board of directors was most often cited as a priority in Europe (42 per cent) and least often in the United States/Canada (11 per cent), where this has been a focus of attention for the last several years.

The issue most often cited as a priority by respondents in Asia Pacific (71 per cent) was establishing and embedding the risk culture across the enterprise, which was also named often in the United States/Canada (78 per cent) and Latin America (75 per cent) but less often in Europe (58 per cent).

In Latin America, respondents most often cited collaboration between the business units and the risk management function (100 per cent) compared to roughly three-quarters in the United States/Canada and Europe and 60 per cent in Asia Pacific.

When it came to financial sectors, respondents at banks were more likely to cite securing adequate budget and resources (50 per cent) as a priority, than were those in investment management firms (44 per cent) and insurance companies (42 per cent), which is expected given the low-revenue environment for the banking industry. The role of compensation and incentives in risk management has received attention from bank regulators and respondents at banks were also more likely to cite as a priority aligning compensation and incentives with risk management (37 per cent) than were those in investment management firms (18 per cent) or insurance companies (18 per cent).

Economic capital

Economic capital is a tool employed by many financial institutions to assess their risk-adjusted performance and allocate capital, and all the financial institutions participating in the survey said they calculate economic capital. Institutions most often calculate economic capital for traditional risk types including credit (93 per cent, up from 68 per cent in 2014), operational (82 per cent, up from 62 per cent), market (79 per cent, up from 72) and counterparty credit (64 per cent, up from 51 per cent) (figure 11).

Economic capital is used much less often for some newer risk types, where it is more challenging to model risks, including cybersecurity risk (15 per cent), reputational risk (13 per cent) and systemic risk (7 per cent).

When asked how their institution used economic capital, respondents most often said it is used at the enterprise level to evaluate/allocate economic capital (76 per cent), at the senior management level for strategic decision making (69 per cent) and at the board level for strategic decision making (64 per cent). It is used less often at lower levels for business decisions although somewhat more than in the prior survey including at the customer level to support risk-based profitability analysis (41 per cent, up from 32 per cent in 2014), at the business unit level to evaluate risk-adjusted performance (53 per cent, up from 45 per cent), at the desk/product level for risk/return optimisation of product mix (50 per cent, up from 37 per cent) and at the transaction level for risk-based pricing (53 per cent, up from 44 per cent).

However, fewer respondents than in 2014 said economic capital was used extensively in several areas including at the enterprise level to evaluate/allocate economic capital (27 per cent, down from 34 per cent), at the senior management level for strategic decision making (20 per cent, down from 24 per cent) and at the board level for strategic decision making (16 per cent, down from 23 per cent).

Economic capital received criticism after the global financial crisis for not performing as well as expected. Although economic capital was introduced as a more sophisticated approach than the regulatory capital requirements current at the time, regulatory capital requirements and specifically stressed capital requirements, such as for CCAR, have subsequently become more sophisticated and a greater focus by many institutions, especially large banks. (See “Sector spotlight: Banking” and “Sector spotlight: Insurance.”)

Stress testing

Capital stress testing

Since the global financial crisis, there has been an increased reliance by regulatory authorities on stress tests to determine whether a financial institution has sufficient capital. The Federal Reserve, the European Central Bank, the Bank of England and EIOPA for insurers are among the regulatory authorities that require financial institutions to conduct stress tests. The Federal Reserve had indicated that it will issue a proposed rule to effectively embed stress-testing results into current capital requirement buffers, although it is not clear whether the proposal will be finalised.⁴⁷ In addition, in the United States, the stress tests required under CCAR go beyond capital adequacy to address a range of issues such as risk appetite, risk identification, data quality, model validation and financial planning projections. In Australia, the APRA is tasked with ensuring bank capital ratios remain the top quartile of internationally active banks and it has extended stress testing to the life insurance sector.⁴⁸ In Japan, the JFSA has already commenced supervisory stress testing for systemically important banks using the regulator’s stress-test scenarios.⁴⁹ The JFSA has also provided examples of advanced, standard and limited stress-testing approaches for insurers, and has announced that it will expect larger Japanese insurers to incorporate advanced stress-testing practises going forward.⁵⁰

Eighty-three per cent of institutions reported using capital stress testing, with this tool more common in the United States/Canada (89 per cent) and Europe (92 per cent) than in Asia Pacific (77 per cent) or Latin America (75 per cent).

Almost all institutions reported using the results of capital stress tests in reporting to senior management (94 per cent including 49 per cent that use it extensively) and in reporting to the board (94 per cent, including 46 per cent that use it extensively).

It is apparent that regulatory requirements are the primary driver in the use of capital stress tests. In the United States, for many large banks, the post-stress requirements of the Federal Reserve’s capital plan rule have become the binding regulatory capital constraint. More than 90 per cent of institutions reported using the results of capital stress tests in meeting regulatory requirements and expectations (92 per cent, including 59 per cent that use it extensively) and assessing adequacy of regulatory capital (94 per cent, including 52 per cent that extensively use it) (figure 12).⁵¹

Regulatory stress-testing requirements, such as under CCAR, contain both quantitative and qualitative requirements. The quantitative methodologies require that an institution has sufficient capital to pass capital ratio thresholds under the current and the post-stress environment. Institutions are also required to have qualitative procedures in place that indicate an effective risk management programme such as strong internal controls, effective management challenge, documentation of policies and procedures, model validations, strong IT systems and quality data, among others. When in the past regulators failed capital plans of banks, it tended to be for weak quantitative post-stress capital levels, whereas more recently they have been focusing on the need for stronger qualitative controls and capabilities.

Many qualitative issues in capital stress testing were rated as being extremely or very challenging including capital stress testing IT platform (66 per cent) and data quality and management for capital stress-testing calculations (52 per cent), which were the two highest-rated issues.

Capital stress testing requires that information and data be integrated from across the organisation including from business units and from functional areas such as finance. Many respondents rated as extremely or very challenging coordinating multiple functional areas and activities required to conduct capital stress tests (for example, risk, treasury, business units, IT, developing and implementing models, validating models) (48 per cent).

There are no off-the-shelf, end-to-end capital stress-testing and planning platforms that institutions can employ to integrate the wide variety of required inputs. Instead, they need to develop custom systems and then use data warehouses to integrate data across the institution, which can lead to significant challenges in maintenance.

Other issues that were considered by many respondents to be extremely or very challenging in capital stress tests were implementing formal validation procedures and documentation standards for the models used in capital stress testing (47 per cent), developing capital stress-testing methodologies/models accepted by regulatory authorities, as part of supervisory stress-testing exercises (44 per cent), active engagement by senior management and the board of directors in setting capital stress-testing objectives, defining scenarios, and challenging methodologies and assumptions (40 per cent), and capital-stress- testing analytics (39 per cent).

Liquidity stress testing

Liquidity stress testing has recently emerged as an additional priority for the regulators, complementing their existing focus on capital stress testing. The focus on liquidity emerged in the Basel III requirements for the liquidity coverage ratio and the net stable funding ratio (NSFR). The US Federal Reserve has also recently implemented additional liquidity reporting requirements for large banks. Now more regulatory authorities are including liquidity-stress-testing requirements and as a result, more institutions are conducting liquidity stress tests, especially banks. Liquidity stress testing remains a new area where regulatory expectations are expected to become clearer over time and where institutions are gaining experience.

Eighty-two per cent of institutions reported that they conduct liquidity stress tests, with this being more common at banks (91 per cent) than at investment management firms (80 per cent) or insurance companies (74 per cent). A number of regulatory developments suggest that liquidity stress tests could increase in importance for investment managers in the future. The FSB has recommended that regulators require or provide guidance on liquidity stress testing for funds and the International Organisation of Securities Commissions (IOSCO) has announced that it is considering developing additional guidance on liquidity stress testing.⁵²

Almost all institutions reported using the results of liquidity stress tests in reporting to senior levels: reporting to the board (98 per cent, including 51 per cent that use it extensively) and reporting to senior management (95 per cent, including 52 per cent that use it extensively) (figure 13).

Institutions also use the results of liquidity stress tests in meeting regulatory requirements and expectations (95 per cent, including 52 per cent that use it extensively) and assessing adequacy of regulatory liquidity ratios and buffers (87 per cent, including 49 per cent that use it extensively).⁵³

Other areas where substantial percentages of institutions use liquidity-stress-testing results are defining/updating liquidity capacity requirements for risk (93 per cent, including 43 per cent that use it extensively), understanding the organisation’s risk profile (93 per cent, including 44 per cent that use it extensively) and setting liquidity limits (87 per cent, including 44 per cent that use it extensively).

As with capital stress testing, the two issues most often rated as extremely or very challenging in using liquidity stress testing concern IT systems and data: liquidity-stress-testing IT platform (45 per cent) and data quality and management for stress-testing calculations (33 per cent). The issues cited next most often were coordinating multiple functional areas and activities (31 per cent) and implementing formal validation procedures and documentation standards for models used in stress testing (30 per cent).

Sector spotlight: Banking

The Basel Committee is in the process of proposing revisions to its capital rules for market, credit and operational risk, with a general goal of providing an enhanced set of standardised approaches to lessen the reliance on internal models in the advanced approaches. Collectively, this group of revised risk-weighted asset (RWA) capital rules has been called Basel IV. These efforts are at varying stages of progress, with the market risk rules now finalised.⁵⁴

For credit risk, revisions to the standardised approach have been proposed, along with constraints on the use of internal models.⁵⁵ The Basel Committee has proposed removing the option to use internal-ratings-based approaches for certain exposures where it has concluded that the model parameters cannot be estimated sufficiently reliably. For portfolios where internal-ratings-based approaches remain available, it has proposed adopting exposure-level, model-parameter floors to ensure a minimum level of conservatism and providing greater specification of parameter estimation practises to reduce variability in risk-weighted assets.⁵⁶ These potential regulatory changes could spur some institutions to undertake a substantial revision of their methods and systems.

For operational risk, a new Standardised Measurement Approach (SMA) has been proposed, which would replace the current existing approaches.⁵⁷ The SMA would provide a single non-model-based method for estimating operational risk capital that incorporates in a standardised fashion a bank’s financial statement information and internal loss experience.

The new Basel Committee market risk rules (resulting from the Fundamental Review of the Trading Book (FRTB) including the new standardised approach for counterparty credit risk and securitisation) sets out how banks will have to assess their capital requirements for their trading portfolios. The initiative is intended to ensure that capital requirement approaches are better aligned with the trading book’s underlying risks and to reduce the variability in modelling outcomes from firm to firm.

Europe is furthest ahead in implementing the FRTB, with many institutions having already begun implementation, even though legislation to implement the FRTB has only recently been proposed. The United States has not yet proposed a corresponding rule and implementation at US banks is still in the early stages. It is currently expected that the FRTB effective date will be in 2019, which means that institutions should begin to implement the required procedures in 2017 and conduct a parallel run in 2018. Implementing the new FRTB rules will require institutions to make progress in developing data, analytics, and processes in a number of different areas and these present significant challenges.

The issues most often considered by respondents to be extremely or very challenging in implementing FRTB were technology/infrastructure (56 per cent), clarity/expectations of regulatory requirements (54 per cent) and data management (50 per cent) (figure 14).

With the United States/Canada not as far along as in Europe, US/Canadian institutions are much more likely to rate many issues as extremely or very challenging, including technology/infrastructure (100 per cent in the United States/Canada compared to 55 per cent in Europe), data management (75 per cent in the United States/Canada compared to 45 per cent in Europe) and internal resources, capabilities and budget (100 per cent in the United States/Canada compared to 36 per cent in Europe).

The Basel Committee’s new Total Loss Absorbing Capacity (TLAC) requirements for global systemically important banks (G-SIBs) are designed to increase the capital and leverage ratios of these banks so they are better able to withstand adverse financial conditions. TLAC is scheduled to take effect in 2019. As a result, the implications are still being understood. Issues often cited by respondents as extremely or very challenging in complying with TLAC include clarity/expectations of regulatory requirements (42 per cent), data management (41 per cent) and strict deadlines (38 per cent).

Sector spotlight: Insurance

Regulatory and economic capital

Insurance companies across the globe have been facing increased regulatory capital requirements for some time. The most influential capital adequacy regime has been Solvency II (SII), which was developed by EU regulators for insurance companies and is now being considered by insurance companies around the world. Eighty per cent of the companies participating in the survey are either subject to SII requirements (38 per cent), subject to similar regulatory capital requirements (40 per cent), or not subject to SII or similar requirements but have voluntarily adopted SII (3 per cent). Other regulatory regimes are looking to SII as a guidepost as they evolve their capital adequacy standards as reflected in the fact that 40 per cent of insurance companies are subject to similar regulatory requirements. Even when not a regulatory requirement, SII is becoming more accepted as a standard when companies develop the assumptions and methods in their internal economic capital models.

Insurance companies employing SII or similar requirements were overwhelmingly outside the United States/Canada, where 80 per cent of companies said they were not subject to SII or similar requirements and have not adopted them. As would be expected, insurers are more likely to be complying with SII or similar requirements (82 per cent) than are investment management firms (74 per cent) or banks (56 per cent).

When asked which areas respondents expected their company to focus on related to SII or similar regulatory capital requirements over the next two years, respondents most often named scenario analysis (66 per cent).⁵⁸ One of the most significant functions of an economic capital scenario analysis is to model stressful scenarios to determine if an organisation is sufficiently well capitalised to withstand these adverse conditions and remain solvent.

SII calculations require a wide array of data from multiple sources, and data infrastructure and data handling requirements (63 per cent, down from 87 per cent in 2014) was cited as a focus by many respondents. The fact that fewer respondents cited this issue than did so in the 2014 survey may indicate that more companies are improving their capabilities in this area.

A third issue that was often cited as a focus for SII was enhancements to risk tolerance and risk appetite (59 per cent). Many companies are enhancing their risk appetite statements and using them to inform strategic business decisions as risk exposures evolve over time.

The International Association of Insurance Supervisors (IAIS) is developing global regulatory capital standards. Respondents felt that a number of the potential requirements could have at least a somewhat significant impact on their company, although relatively few expected the impact would be extremely or very significant: recovery and resolution planning (59 per cent, with 31 per cent extremely or very significant), Insurance Capital Standard (54 per cent, with 26 per cent extremely or very significant), broader ComFrame requirements of risk management and governance (59 per cent, with 31 per cent extremely or very significant), and capital requirement and high loss absorbency standards (59 per cent, with 31 per cent extremely or very significant). In Japan, the JFSA has urged the IAIS to be careful of creating a framework that has unintended impacts, such as hindering internal risk management efforts, causing excessive risk-aversion, or leading to similar investment strategies.⁵⁹

Assessing insurance risk

The most common methods used by insurance companies as a primary methodology to assess insurance risk are actuarial reserving (72 per cent) and regulatory capital (59 per cent) (figure 15).⁶⁰ Actuarial reserving has traditionally used best estimate assumptions to determine the expected present value of future cash flows related to insurance risk, while regulatory capital represents the amount of additional capital a company should set aside to cover an extreme insurance risk event. These are prescribed metrics based on traditional actuarial, financial and statistical principles, and are widely accepted as methods to determine insurance risk.

Stress testing is used by 72 per cent of insurance companies to assess insurance risk, with 33 per cent using it as a primary methodology and 39 per cent as a secondary methodology. This is consistent with the regulatory focus on stress testing. (See the discussion above in this section.)

Companies of different sizes vary significantly in the methods they use to assess insurance risk. Economic capital is used as either a primary or secondary methodology to assess insurance risk more often by large (82 per cent) than by mid-size (50 per cent) or small insurers (54 per cent). Larger insurers tend to have the more sophisticated capabilities required to create robust internal capital modes, which are often either loosely or tightly based on SII. The somewhat rote, but still complicated calculations in the value-at-risk analysis are used more often by mid-size insurers (67 per cent) as a primary or secondary methodology than by large (45 per cent) or small insurers (45 per cent). The simplistic claims ratio analysis is used more often as either a primary or secondary methodology by mid-size (75 per cent) and small insurers (83 per cent) than by larger insurance companies (50 per cent).

What are the most common risk factors that insurance companies are stressing? Among the insurers that conduct stress testing, stress tests are conducted most often on interest rate (83 per cent) and property and casualty cost (76 per cent). The other items cited were mortality (59 per cent), lapse (55 per cent), expense (55 per cent) and morbidity (52 per cent). However, few small companies perform stress testing on mortality (10 per cent), lapse (20 per cent), expense (30 per cent) and morbidity (10 per cent), which is likely due to a lack of resources.

Seventeen per cent of respondents said they performed stress testing on other factors, such as strategic risk. Across the insurance industry, there is a heightened awareness of the importance of managing strategic and operational risk and companies are grappling with how to credibly measure and manage these risks.

Sector spotlight: Investment management

The investment management sector comprises firms of many sizes, organisational structures, product portfolios and target customers. These firms share the fundamental processes of engaging with customers, determining investment goals and risk tolerances, and managing customer financial assets in an effort to meet or exceed the customer’s investment goals. Investment management firms often adopt a range of approaches to implementing these common investment management processes.

As fiduciaries, investment managers are fundamentally the guardians of the financial assets of their customers. They have a responsibility to place client interests ahead of their own. Clients range from sophisticated financial firms to individuals with limited financial knowledge and this diversity leads to a complicated set of risks to manage, with firms adopting risk management priorities that match their individual strategies.

Respondents were asked how challenging were a series of issues today for their firm in managing risk in its investment management business. The items most often rated as extremely or very challenging concerned IT systems and data: IT applications and systems (50 per cent, down from 55 per cent in 2014) and data management and availability (36 per cent, down from 42 per cent in 2014)⁶¹ (figure 16).

As the survey results indicate, the challenges and leading practises related to managing risk for investment managers begins with data and technology. Having an established “golden source” of data is difficult to maintain due to data replication and redundancy across multiple applications within the overall operating systems architecture. Many organisations have difficulty effectively managing the data divergences across the systems architecture. The result is often diminished confidence in the automated checks critical to efficient management of risk for an investment manager.

The solution to these problems begins with treating data as a valuable organisational asset. The first step is to create a comprehensive data dictionary, including sources and uses of the data, which many investment management firms lack. Another leading practise is to create a formal data governance committee with the responsibility to catalogue data requirements and to develop a data dictionary. Once these elements are implemented, firms should create a data model to track the usage and flow of data into and through the organisation. With these steps in place, firms can begin to tailor their risk management technology infrastructure while also streamlining the technology architecture, rather than adding to its complexity to address each new risk management function. Firms that treat data as a fundamental risk management asset and enhance their overall data governance framework can realise significant opportunities to enhance management of key risks.

The areas where respondents felt their institutions had a more mature programme to manage risk in their investment management business and were less challenging were resourcing (25 per cent, down from 33 per cent in 2014), managing investment risk and its impact on portfolio construction risk (25 per cent)⁶² and risk governance (19 per cent, down from 24 per cent in 2014).

The relatively small percentage of respondents who considered risk governance to be extremely or very challenging for their investment management business is a positive development. Given its cornerstone role in risk management, excellence in risk governance needs to be a strategic priority for firms and governance practises are increasingly being reviewed by regulators.

The risk governance approach implemented at an investment management firm represents that firm’s strategic approach to organising, reporting, controlling and mitigating risk. Everything a firm does across all three lines of defence to manage and report risk, either wittingly or unwittingly, falls under risk governance.

Risk governance leads to:

• A risk management framework
• Consistent capture, measurement and reporting of risk data
• Improved understanding of risk throughout the organisation

Within the risk management framework, strong governance practises enable identification of high risks, which enables prioritisation of risk mitigation efforts on the areas of greatest exposure. Leading practises also assign or identify clear owners of each risk in the first and second lines of defence. Finally, the risk reporting component of governance can enable an enterprise-wide view of risk that provides a clear basis for assessing the strength of the risk controls as well as the overall state of compliance.

Risks posing the greatest challenges

Looking forward over the next two years, respondents were asked to identify the three risk types that will present the greatest challenges for the investment management business in their firm. Regulatory/compliance (81 per cent), which is a constantly moving target that requires a robust compliance risk management programme, was cited most often as among the top three risk types that will present the greatest challenges. Regulatory compliance can be especially challenging since investment management firms are often subject to the jurisdiction of multiple regulatory authorities.

In the United States, significant regulatory changes cover reporting modernisation, liquidity risk management and use of derivatives. In addition, the use of derivatives is facing increased regulation across the globe, including derivatives trade reporting requirements in Canada, the Hong Kong Monetary Authority’s market reform, and the European Markets and Infrastructure Reform (EMIR). While there is considerable consistency in the overall direction of regulation, firms with a large geographic footprint have an even more difficult task in keeping up with varying regulatory requirements across countries.

The risk that was rated second most often by respondents as among their top three risks over the next two years was investment (72 per cent), which includes portfolio construction risk, credit risk, market risk and liquidity risk. Over the past couple of years, the investment management industry has been challenged by tightening operating margins driven by changes to investor behaviour and expectations, new regulations and advanced technologies. These changes have caused a strain on an already ageing investment risk management infrastructure (that is, people, process, technology, data, governance and culture). As a result, investment managers are facing more pressure for greater infrastructure efficiency and effectiveness in trying to meet day-to-day business needs.

In many firms, the investment compliance management function (ICM) plays a critical role in managing investment, financial, regulatory, operational and reputational risk. Leading ICM programmes facilitate operational readiness and organisational responses to rapidly changing market conditions, new regulatory requirements and shifting investor behaviour. Excellence in these risk management areas reflects the industry’s commitment to invest client assets in accordance with their investment objectives and guidelines, adhere to regulatory requirements and pursue operational excellence for shareholders and other stakeholders. Yet, in a difficult cost environment, investment in ICM infrastructure may not be prioritised when compared to other infrastructure investments.

Pressures in the industry are likely to continue to evolve, particularly competition for new clients in light of evolving regulations and changing investor behaviour. Focussing on the strategic importance of ICM by enhancing current capabilities can provide organisations with direct and indirect benefits to address those pressures.

Some important considerations for investment management executives to enhance the efficiency, effectiveness and extensibility of their ICM processes include:

• Assessing the current-state operating model and organisational design of the ICM function in recognition of client agreements, regulatory requirements and organisational objectives to identify enhancement opportunities
• Categorising and calculating the costs of ICM and its impact on product and client profitability
• Understanding the impact that the current organisational design and state of infrastructure has on resource capacity
• Identifying ICM process inefficiencies that drive instances of user rejection and control deficiencies
• Addressing data quality and system capabilities to effectuate new regulatory requirements and increasingly complex client guidelines
• Exploring outsourcing opportunities to manage costs, gain access to subject matter knowledge and enhance operational efficiency

Making ICM a strategic priority not only assists investment managers in living up to its customer and regulatory commitments, but can also position investment managers to be more competitive and profitable.

Despite the recent focus on cybersecurity and liquidity risk, relatively few respondents rated them as among the risks that will pose the greatest challenges to their firm’s investment management business. Only 28 per cent of respondents cited cybersecurity and 22 per cent named liquidity as one of the three risks posing the greatest challenges over the next two years.

Oversight of investment risk

Respondents reported that their firm assigned a wide range of responsibilities to the individual or individuals responsible for oversight of investment risk with the most common responsibilities being monitor compliance with investment guidelines related to investment risk (86 per cent); develop and implement the investment risk management framework, methodologies, standards, policies and limits (78 per cent); manage stress-testing process, including governance, methodology and reporting (72 per cent); and meet regularly with governance committees responsible for overseeing investment risk management (72 per cent).

Firms were least likely to give the individual responsible for investment risk management other responsibilities such as conduct back-testing of risk and related models (58 per cent), use of independent risk technologies to generate risk analytics independent of the portfolio management function (56 per cent) and provide input to the day-to-day investment decisions that impact the risk profile (44 per cent).

Managing liquidity risk in investment management

Managing liquidity risk has become a greater focus for regulators in all financial sectors, including investment management. For example, in the United States, SEC rule changes will require open-ended unit trusts to establish a formal liquidity risk management programme, designate a liquidity risk management programme administrator, categorise their assets based on how many days it would take to convert them into cash without impacting the net asset value (NAV) and require additional regulatory reporting and shareholder disclosures.⁶³ In December 2015, the IOSCO published a report on the tools available to investment management firms globally to manage liquidity risk and has indicated that it is considering developing additional guidance beyond its 2013 liquidity risk management principles.⁶⁴

However, relatively few respondents believed that liquidity risk management related to investment risk presented significant challenges for their institution. The item that was rated most often as extremely or very challenging with respect to liquidity risk management related to investment risk was classification of fund asset liquidity, including determining the assumptions used when bucketing holdings into business/calendar day categories and multiple liquidity levels of the same position (31 per cent). Several other items were considered to be extremely or very challenging by one-quarter of fewer of respondents: deploying system/technology compatibilities necessary to facilitate liquidity calculations and ongoing monitoring (25 per cent), memorialising liquidity risk management practises used to develop, monitor and periodically assess portfolio liquidity (22 per cent), and complying with requirements for regulatory reporting on liquidity (22 per cent).

Operational risk management for investment management

When asked to select the three risks that will pose the greatest challenges for their firm over the next two years, 56 per cent of respondents named operational risk, making it the risk cited third most often. When asked about specific components of operational risk management, 50 per cent of respondents at institutions providing investment management services said that responding to rising threat of cybersecurity risk and its impact on the confidentiality, availability and integrity of data and information system was extremely or very challenging, making it the highest rated issue (See the section, “Cybersecurity risk.”)

While operational risk exists in all businesses, the tough call for investment management firms is right-sizing operational risk management. When operational risks are identified prior to causing problems, they can be managed effectively. The problem for management is that identifying operational risks proactively is difficult and when risks are mitigated before they are visible, the positive impact is hard to quantify. Accordingly, 33 per cent of respondents said that securing the appropriate resources to address risks with the highest priority is extremely or very challenging for their firm in operational risk management, while 86 per cent considered it to be at least somewhat challenging. If sufficient budget authority is difficult to achieve, this suggests that many investment management firms may have an issue with their commitment to risk management. One obstacle may be that it is often difficult to make a business case that quantifies the benefits of increased investment in risk management.

Obtaining quality data is another difficult task and 33 per cent of respondents said maintaining reliable data to quantify operational risk and drive risk-based decisions was extremely or very challenging, with 89 per cent considering it at least somewhat challenging.

One approach to managing operational risk is through a steady pace of operational transformation. When people, processes and technology are refreshed, they effectively reset the clock on operational risk and during the refresh process, implementation or project risk takes its place. Alternatively, firms that maintain long-tenured systems should execute a disciplined review of their people, processes and technologies to achieve similar operational risk mitigation.

The difficulty in mitigating operational risk through review is especially true for firms that maintain more complicated best-of-breed enterprise systems architectures. Best-of-breed architectures present additional operational risk due to the tendency towards uncoordinated update schedules of the many applications and the unique fingerprint of interfaces that can occur in these approaches.

Proactively managing operational risk has its benefits beyond the obvious. Following the old cliché, “If it ain’t broke, don’t fix it,” can lead firms to miss the benefits of proactive operational risk management. Firms should not wait to experience a breakdown in operations resulting in customer, operational, or financial impact before starting to invest in managing operational risk.

Additional benefits can also accrue to firms that effectively manage operational risk. Addressing the potential operational risk in people, processes and technology can lead to greater efficiency if the review leads to fine-tuning. Training personnel can mitigate operational risk, while also improving morale, retention and innovation. Process reviews that mitigate operational risk also have the potential to improve timing and throughput. When applications and interfaces are reviewed for operational risk, the process can uncover a wide range of areas for improvement, from hardware improvements to maintenance plan adjustments.

A final operational risk issue that was rated by many respondents as extremely or very challenging for their investment management business was understanding and managing operational risk associated with new business initiatives (33 per cent). One of the risks that is especially prominent when a firm enters a new business is client onboarding, which begins in the sales process, both from the perspective of the customer experience and an operational perspective. Customer first impressions are formed at this stage and operational expertise is part of that first impression. Having the right experts in the onboarding process not only provides the prospect with clear and concise responses, but also sets the stage for operational excellence from day one. Alternatively, when client onboarding falters, it exposes the investment management firm to possible risks including incorrect portfolio management guidelines, incorrect documentation and inefficient operations.

Leading practises to manage this operational risk include:

• Formal policies and procedures for documentation, review and approval
• Investment compliance procedure development and impact assessment with operational sign-off
• Portfolio management guideline testing before funds acceptance or trading
• Workflow management tools to control and track the onboarding process

With leading practises in place at this early stage in their operational value chain, investment managers can avoid compounding errors, which can happen when initial stages of a process go poorly and can demonstrate operational excellence to potential customers at the beginning stages of the customer relationship.

With the increased attention by regulatory authorities on culture and conduct, investment management firms must also work to reduce potential conflicts of interest. Conflicts of interest manifest differently across the spectrum of investment firms. For investment managers with products for retail segments, sales practises, fees and commissions to intermediaries are a focus of regulatory attention. For investment managers serving sophisticated investors, such as private equity (PE) firms, conflicts of interest can be much less straightforward. One of the top tensions in PE is the assignment of expenses to the fund (impacting investment performance) or to the general partner (impacting the PE firm’s profitability).

In retail investment management, regulators are stepping in to protect the consumer. Less so in the institutional space, such as PE, where limited partners are exercising their buying power individually or through organisations such as the Institutional Limited Partners Association (ILPA). In both cases, conflicts of interest represent risk to investment managers, even though the conflicts are of a very different nature.

Extended enterprise risk

More than three-quarters of respondents at investment management firms considered risk transparency and oversight over third-party service providers as challenging, including 25 per cent who rated it as extremely or very challenging, compared to 41 per cent who rated it highly as a challenge in 2014. Thirty-one per cent of investment management respondents considered third-party risk to be one of the top three challenges over the next two years for their institution’s investment management business.

Investment managers employ a spectrum of operational models, ranging from largely insourced to almost fully outsourced. Even firms that have primarily insourced operations rely on third-party vendors for a variety of services. These vendors often subcontract to additional vendors and so on down the line. If a risk event at any one of these distant parties causes a failure, the investment manager still holds responsibility. Boards, investors and regulators increasingly focus on extended enterprise risks facing investment managers including:

• Business disruption
• Theft or inadvertent dissemination of personally identifiable information
• Dissemination of intellectual property
• Regulatory breach (investment compliance, anti-money laundering, or disclosures)
• Counterparty credit risk
• Service failure

One element of an effective risk mitigation strategy is to have backup providers for important services. In the extended enterprise risk model, it is critical to ensure these alternative suppliers have different risk profiles. Having a backup in the same geographic location or one that uses the same critical service providers is much less effective than having diversity in supplier characteristics.

Managing third-party risk also requires an ongoing monitoring programme to review the risks from the institution’s third-party relationships. For some types of third-party relationships in the investment management business, respondents reported that they monitor these vendors/service providers either continuously or three or more times a year. The types of third-party vendors that investment management respondents said were most likely to receive monitoring either continuously or three or more times a year, were pricing vendors (56 per cent) and custodians (54 per cent). The types of vendors that were least likely to receive this frequency of monitoring were reference data providers (27 per cent) and contingent workforce (35 per cent). These third parties often received monitoring one to two times a year—35 per cent for contingent workforce and 27 per cent for reference data providers.

Management of key risks

When asked to assess how effective their institution is overall in managing risk, 69 per cent of respondents felt it was extremely or very effective. Respondents in the United States/Canada were more likely to rate their risk management programme as extremely or very effective (89 per cent) compared to those in Europe (65 per cent), Asia Pacific (65 per cent) and Latin America (63 per cent).

Respondents most often rated their institution as extremely or very effective in managing traditional risks including liquidity (84 per cent), underwriting/reserving (83 per cent), credit (83 per cent), asset and liability (82 per cent), investment (80 per cent) and market (79 per cent). These risks have been the focus of regulatory attention for many years and institutions have experience in complying with regulatory requirements. The risk management programmes for these risks are more mature with better methodologies and analytics and with relevant data available.

Although financial institutions have managed operational risk for some time, fewer respondents (51 per cent) felt that their institution was extremely or very effective at managing operational risk. Beyond the challenges associated with models, risk assessments and controls for operational risk, many institutions are focussing on assessing the value that is being produced by their operational risk management programmes.

Newer risk types are even more difficult to manage, with regulatory expectations less well-defined and institutions have less advanced methodologies, analytics and systems, as well as less relevant data available. In addition, many of these risk types are inherently difficult to manage. With cybersecurity risk, for example, institutions often don’t know when their systems have been compromised and only learn much later, if at all.

Respondents considered their institution to be less effective at managing new risk types such as cybersecurity (42 per cent), model (40 per cent), third party (37 per cent), data integrity (32 per cent) and geopolitical (28 per cent).

It is somewhat surprising that only 40 per cent of respondents considered their institution to be extremely or very effective in managing model risk since this risk type has received significant attention in the last several years. In the United States, regulatory expectations are well-defined, for example, in the 2011 Federal Reserve guidance SR 11-7 and the prior OCC 2000-16 guidance. In other jurisdictions, regulatory expectations are less well-defined but the expectations of regulators have increased in this area. Managing model risk requires hiring professionals that possess both high-level mathematical skills as well as experience in how financial models work in banks and other financial institutions. This has proven difficult since the competition has been intense to hire professionals with these skill sets.

Respondents at banks were more likely to consider their institution to be extremely or very effective in managing cybersecurity risk (49 per cent), compared to those in investment management firms (41 per cent) and insurance companies (38 per cent). Cybersecurity has received increased attention by the banking regulators.

Respondents were asked to look ahead to identify the three risks that they believed would increase the most in importance for their business over the next two years. The risk most often ranked among the top three was cybersecurity (41 per cent). The percentage of respondents who ranked cybersecurity among the top three risks that would increase in importance was similar to 2014, but 18 per cent ranked it as the No. 1 risk that would increase in importance, compared to 12 per cent in 2014.

Regulatory/compliance risk was the risk second most often ranked among the top three (36 per cent), with 9 per cent ranking it as No. 1. These figures are down from 2014, when 51 per cent named it among the top three risks to increase in importance and 20 per cent ranked it as No. 1. This may reflect the fact that there had been a wave of fundamental regulatory reform in the years since the global financial crisis, but that the pace appears to be slowing, or is potentially at an inflection point.

As in 2014, the third and fourth highest-rated risks were credit (32 per cent in the top three, 16 per cent as the No. 1 risk) and strategic (32 per cent in the top three, 17 per cent as the No. 1 risk). Strategic risk may be increasing due to more uncertainty over the outlook for regulation, the political uncertainty in many developed countries and competition from new fintech firms. Institutions are especially considering the impact of regulations on capital requirements, which can impact the businesses an institution chooses to compete in. Going forward, institutions may need to review their identification of strategic risks more frequently and devote more management attention to the potential for disruption.

Respondents in the United States/Canada were least likely to rank credit risk among the top three that would grow in importance (11 per cent), while those in Europe (23 per cent), Asia Pacific (48 per cent) and Latin America (50 per cent) were much more likely to expect more focus on credit risk in the future. These responses may also reflect the relative strength of the United States and Canadian economies compared to other regions.

Geopolitical uncertainty

The survey was conducted at a time when political developments in a number of countries had increased uncertainty over the future of globalisation and trade, including the Brexit vote in the United Kingdom and the US presidential election. These developments make it even more difficult than usual to measure and anticipate geopolitical risk. This may explain why the percentage of respondents who considered their institution to be extremely or very effective in managing geopolitical risk dropped from 47 per cent in 2014 to only 28 per cent in 2016.

Respondents were asked about the likely impact on the risks facing their institution of the proposals in some countries to renegotiate trade agreements. Respondents were divided, with 48 per cent expecting that the risks facing their institution would increase (although only 6 per cent expected risks to increase significantly), while 49 per cent thought these proposals would have no impact. Executives in Europe were most likely to expect increased risk: 68 per cent expected that risks would increase, including 16 per cent who thought they would increase significantly. In the United States/Canada, however, 89 per cent of respondents thought these proposals would have no impact on risk and only 11 per cent expected increased risk.

Credit risk

With relatively weak economic conditions in many markets around the world, managing credit risk is a significant challenge for financial institutions. When asked how challenging it would be to manage credit risk over the next two years, the areas most often considered to be extremely or very challenging were collateral valuation (38 per cent), commercial property (33 per cent), unsecured credit (33 per cent) and mortgages/home equity lines of credit (30 per cent). The issues presented by collateral valuation and commercial property are connected, with regulators discussing potential challenges in commercial property, depending on the property type.

Commercial property was more often considered to be extremely or very challenging for institutions to manage credit risk in the United States/Canada (67 per cent) than those in Europe (38 per cent), Asia Pacific (24 per cent), or Latin America (29 per cent). On the other hand, respondents were more likely to see mortgages/home equity lines of credit to be extremely or very challenging in Europe (53 per cent) than in the United States/Canada (33 per cent), Asia Pacific (12 per cent), or Latin America (29 per cent). Also, unsecured credit was more often rated as extremely or very challenging in Europe (44 per cent) than in the United States/Canada (17 per cent), Asia Pacific (24 per cent), or Latin America (29 per cent). With regard to asset size, respondents at large institutions (53 per cent) were more likely to consider commercial property as extremely or very challenging than were those at mid-size (15 per cent) or at smaller institutions (38 per cent).

While regulators have continued to express concerns about oil and petrol lending due to the decline in oil prices in recent years, only 26 per cent of respondents felt that credit exposure to resource-dependent countries and organisations will be somewhat or very challenging to manage over the next two years.

Respondents reported that their institutions still have substantial work to do to comply with the new impairment measurement approaches being introduced under the US Financial Accounting Standards Board (FASB)’s Current Expected Credit Loss (CECL) model and International Financial Reporting Standards (IFRS) 9. ⁶⁵ Both CECL and IFRS 9 are meant to address the delayed recognition of credit losses that is seen as a weakness of the current incurred loss accounting guidance for the Allowance for Loan and Lease Losses (ALLL). Instead, CECL and IFRS 9 change the accounting requirement from an incurred loss approach to an expected loss approach. Under CECL, institutions will be required to estimate expected credit losses over the life of the loan, using all currently available information, including "reasonable and supportable forecasts.” IFRS 9 does not require immediate recognition of all expected losses, but proposes recognition over time.

While CECL and IFRS 9 represent a significant change in accounting for expected credit losses, current credit risk measurement approaches used for Basel regulatory capital calculations, economic capital and stress testing (CCAR/DFAST) provide some elements that can be potentially leveraged. Only 26 per cent of institutions said their existing credit risk management approaches are fully or mostly aligned with the new CECL model, while 41 per cent said they were only somewhat aligned and 33 per cent said they were mostly not or not at all aligned. The responses concerning IFRS 9 were similar, with 38 per cent saying their existing credit risk management approaches were fully or mostly aligned with the new IFRS 9 approach, while 40 per cent said they were only somewhat aligned and 23 per cent said they were mostly not or not at all aligned.

For both accounting standards, there was a dramatic difference across regions, with institutions in the United States/Canada and Europe being much more likely to report that their existing credit risk management approaches will be aligned with the new impairment models. For example, 50 per cent of institutions in the United States/Canada and 69 per cent in Europe said their credit risk management approaches will be fully or mostly aligned with IFRS 9 compared to 12 per cent in Asia Pacific and 14 per cent in Latin America. Additionally, 50 per cent of institutions in the United States/Canada expect to be fully or mostly aligned for CECL compared to only 33 per cent among European institutions.

FASB’s CECL standard applies to all US banks, savings associations, credit unions and financial institution holding companies. Forecasting expected losses over the remaining contractual life-of-loan and incorporating “reasonable and supportable forecasts” are not only modelling challenges. They require institutions to employ and document the rationale for more judgement and assumptions. Even as financial institutions move beyond implementation, robust governance and reporting processes are essential.

Market risk

Market risk is a traditional risk type where most institutions have more mature risk management methodologies and policies to manage risks in this area. As a result, relatively few respondents considered various aspects of market risk management to be very challenging. The issues related to managing market risk in the trading book that respondents most often expected would be extremely or very challenging over the next two years were complying with the Basel Committee's revised Minimum Capital Requirements for Market Risk (31 per cent), followed by consistently aggregating the results of market risk calculations across portfolios and business areas (24 per cent) and aligning market risk management with overall ERM programme (23 per cent).

The Basel Committee’s final framework for Minimum Capital Requirements for Market Risk resulting from the FRTB was released in January 2016 and European banks are further along in their preparations for compliance than are their US and Canadian counterparts. This was reflected in the fact that a larger portion of respondents in the United States/Canada (38 per cent) considered complying with the Basel Committee's revised Minimum Capital Requirements for Market Risk to be extremely or very challenging than did respondents in Europe (22 per cent).

More than half of the respondents at institutions with more than $100 billion in assets said that compliance with the final Basel market risk framework was extremely or very challenging. This is largely due to the fact that complex trading books at larger institutions increase the complexity of compliance. Consistently aggregating the results of market risk data calculations across portfolios and business areas was cited as extremely or very challenging more often by respondents in Asia Pacific (29 per cent) and Latin America (29 per cent) than by those in the United States/Canada (13 per cent) and Europe (14 per cent).

Liquidity risk

Since the global financial crisis, regulators and financial institutions have focussed significant attention on managing liquidity risk and financial institutions appear to have made progress in this area. Basel III introduced the NSFR and LCR and the Basel Committee has proposed the TLAC for G-SIBs and liquidity stress testing has become more common.

Relatively few respondents believed various aspects of liquidity risk management would be extremely or very challenging over the next two years, but in some cases, the percentage increased from 2014. This may indicate that some institutions were in the early stages of examining their liquidity risk management or that they significantly underestimated the difficulty of the effort. The areas that were most often considered to be extremely or very challenging in managing liquidity risk over the next two years were investment in cash flow forecasting and reporting capabilities (32 per cent, up from 22 per cent in 2014), controlling the consumption of liquidity on a daily basis across the whole organisation (31 per cent, up from 23 per cent) and internal allocation of the cost of liquidity buffers across the organisation (31 per cent) ⁶⁶ (figure 17). In addition, 26 per cent of respondents said that obtaining sufficient, timely and accurate liquidity risk data would be extremely or very challenging for their institution over the next two years.

Institutions appear to have put in place procedures to comply with the Basel III liquidity requirements and these requirements were less likely to be seen as extremely or very challenging than they were in 2014: investment in operational and other capabilities to comply with the Basel III LCR (23 per cent, down from 31 per cent) and investment in operational and other capabilities to comply with the Basel III NSFR (23 per cent, down from 40 per cent).

Asset liability management

The issues cited most often as being extremely or very challenging in asset liability management were integrating the modelling of IRRBB and credit risk within the banking book to stress scenarios (34 per cent), ability to model on a dynamic basis the impact on net interest revenue of changing interest rates and changing balance sheet (29 per cent), and obtaining sufficient, timely, and accurate asset and liability data (28 per cent).

Operational risk

The Basel Committee and other regulatory authorities have focussed on operational risk for a number of years. However, changes may be on the horizon in how regulators require institutions to assess operational risk. In March 2016, the Basel Committee proposed scrapping the internal model-based method for calculating operational risk saying that it “has resulted in excessive variability in risk-weighted assets and insufficient levels of capital for some banks,” and replacing it with a single standardised method.⁶⁷

The regulatory focus on operational risk has led institutions to improve their methodologies in this area. Operational risk is inherently difficult to measure and manage, and it is likely to be a greater focus in the years ahead. Respondents were most likely to report that their institution’s operational risk management methodologies were extremely or very well-developed in risk assessments (63 per cent), which are a mature methodology that has been around for some time (figure 18).

Other methodologies that were rated as extremely or very well-developed by more than one-third of institutions were internal loss event data/database (45 per cent), risk and capital modelling (36 per cent), and scenario analysis (35 per cent).

Key risk indicators (KRIs) are less well-developed than other methods, with 30 per cent of respondents saying they are extremely or very well-developed, but more institutions are now putting them in place or enhancing them. These represent a recurring challenge due to the difficulty in finding meaningful KRIs and the lack of consistent data being available.

Several methodologies are still a work in progress such as external loss event data/database (19 per cent), causal event analysis (16 per cent), and scorecards (12 per cent). These types of operational risk analytics remain a challenge for many due to the lack of well-developed and commonly accepted methodologies.

When asked to assess the effectiveness of their institution in managing specific types of operational risk, respondents were most likely to say their institution was extremely or very effective in managing more traditional risk types including regulatory compliance (64 per cent), legal (62 per cent), tax (58 per cent) and fraud (46 per cent). In contrast, respondents were less likely to rate their institution this highly for newer risk types such as data integrity (23 per cent), third party (26 per cent), and cybersecurity (32 per cent).

Third parties present a myriad of risks including contractual nonperformance, violation of laws and unethical behaviour, data breaches, loss of intellectual property, and inability to maintain operations in case of a disaster or infrastructure breakdown, among others. Over the last several years, many institutions have outsourced more of their activities to third parties in an effort to reduce costs. Managing these risks presents special challenges since vendors and service providers are not under an institution’s direct control. Yet, they present significant risks that can result in financial loss and reputational damage.

Regulators have made it clear that institutions are responsible for managing the risks posed by third parties. For example, in 2013, the OCC issued guidance on managing the risk from third-party relationships, stressing that “a bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”⁶⁸

It is notable that a majority of respondents did not consider their institution to be extremely or very effective at managing any of the risk types related to third parties. Respondents most often rated their institution as extremely or very effective in managing third-party risk related to financial risk (47 per cent), contractual risk (46 per cent), performance and operations risk (41 per cent), and regulatory/compliance risk (40 per cent). There were also some risk types where even fewer respondents considered their institutions to be effective including reputational (31 per cent), cybersecurity and data protection (27 per cent), and resiliency and continuity (24 per cent). (See the section “Cybersecurity risk” below.)

Cybersecurity risk

Cybersecurity risk has been a growing concern for regulators and financial institutions with a number of well-publicised breaches. When asked which risk types would increase the most in importance for their institution over the next two years, respondents most often cited cybersecurity risk, with 41 per cent saying it was one of the top three risks, including 18 per cent saying it was the No. 1 risk.

Deloitte’s survey results indicate there is much more work to do in this area for most institutions. Only 32 per cent of respondents considered their institution to be extremely or very effective in managing cybersecurity risk and only 27 per cent rated their institution this highly when it came to managing cybersecurity risk in its third-party relationships.

As might be expected, when it came to specific cybersecurity threats and risks, relatively few respondents gave their institution high marks. The highest-rated items had no more than roughly half of respondents rating their institution as extremely or very effective in managing disruptive attacks (51 per cent), financial losses or fraud (51 per cent), cybersecurity risks from customers (47 per cent) and loss of sensitive data (46 per cent).

Other types of cybersecurity risks had even fewer respondents saying their institution was extremely or very effective, including insider threats (38 per cent), cybersecurity risks from third-party partners (35 per cent), threats from nation state actors (35 per cent), threats from skilled hacktivists (33 per cent) and destructive attacks (36 per cent).

Cybersecurity challenges

Institutions face a number of challenges in managing the threats of cyberattacks. Leading the list of items rated as extremely or very challenging were staying ahead of changing business needs (66 per cent) and addressing threats from sophisticated actors (61 per cent) (figure 19).

With the rise of cybersecurity attacks in financial services and other industries, attracting talent has become more difficult and 58 per cent said hiring or acquiring skilled cybersecurity talent was extremely or very challenging. Fifty-seven per cent of respondents also gave this rating to getting actionable, near-real-time threat intelligence.

On a more positive note, institutions appear to have internal support for their efforts to address cybersecurity. Several items related to organisational support had significantly fewer respondents rating them as extremely or very challenging including securing ongoing funding/investment (38 per cent), sharing threat intelligence with peers or industry groups (34 per cent) and communicating effectively with senior business management and the board (31 per cent). These items all suggest that most institutions are committing adequate resources, are communicating about the issue with senior management and the board of directors, and are ready to work with other firms and with industry groups.

Although support for cyber-related efforts clearly exists, many boards of directors face the challenge of developing sufficient expertise to oversee a technical risk type like cybersecurity. Some boards are using approaches such as engaging outside experts to provide additional technical expertise.

Many respondents said that their institution still struggles with several aspects of implementing an effective programme to manage cybersecurity risk. Roughly half the respondents said the following actions were extremely or very challenging for their institution: developing actionable metrics that describe the state of the cybersecurity programme (55 per cent), setting an effective multiyear cybersecurity risk strategy approved by the board (53 per cent) and getting the businesses to understand their role in cybersecurity risk (47 per cent).

Regulatory risk

In the time since the global financial crisis, many of the regulatory issues that institutions face are starting to look structural rather than cyclical. While regulators are inclined to preserve the reforms of recent years, political uncertainty in major western economies (as demonstrated by the Brexit vote in the United Kingdom and the US presidential election results) has increased the unpredictability of the regulatory environment. Additional proposals from the Basel Committee—as well as some remaining rules implementing the Dodd-Frank Act in the United States and the Capital Requirements Regulation and Directive in the European Union—are still pending.

Regulatory reforms have led to fundamental impacts in such areas as expectations for stronger risk governance frameworks, higher capital and liquidity requirements, restrictions on business activities, enhanced consumer protections and added regulatory documentation. More recently, regulators have also turned their attention to qualitative issues, such as risk culture/conduct, incentives and the effectiveness of internal controls.

With the many regulatory requirements that have been introduced since the global financial crisis presenting new and more stringent compliance requirements, most institutions reported that regulatory reform in the major jurisdictions where they operate has resulted in important strategic impacts, especially given the current low-revenue environment. Respondents most often cited noticing an increased cost of compliance (79 per cent, down from 87 per cent in 2014) and requirements for maintaining higher capital (71 per cent, up from 62 per cent in 2014) (figure 20). The cost of compliance has been increasing across the industry and institutions have increased their efforts to streamline processes and increase efficiency, for example, by using robotics process automation (RPA) to automate routine tasks. The higher capital requirements that have been put in place have had important implications for the lines of business that institutions choose to enter or exit in an effort to minimise their required capital.

The new requirements have important implications across an institution’s strategy including adjusting certain product lines and/or business activities (49 per cent, down from 60 per cent in 2014) and maintaining higher liquidity (36 per cent, the same as in 2014). Only 5 per cent of institutions said that regulatory reform initiatives have had no significant impact on their institution.

Institutions reporting that they are noticing an increased cost of compliance were much more likely to be in the United States/Canada (100 per cent) and Europe (92 per cent) than in Asia Pacific (65 per cent) or Latin America (50 per cent).

Looking ahead over the next two years, many respondents said that they were extremely or very concerned over the potential impact on their organisation from a number of supervisory and regulatory processes. Leading the list of concerns were tighter standards or regulations that will raise the cost of doing existing business (59 per cent) and growing cost of required documentation and evidence of programme compliance (56 per cent). The increasing demands of regulatory reporting are a topic of focus at financial institutions, which are looking to control, centralise and enhance the quality of regulatory data.

Other regulatory items that were cited as significant concerns by many respondents were increasing inclination of regulators to take formal and informal enforcement actions (42 per cent), more intrusive and intense examinations (37 per cent) and new restrictions or prohibitions on profitable activities that will require a significant change in business model or legal structure (36 per cent).

The enhanced level of regulatory scrutiny in the United States/Canada and Europe led respondents to have greater concern over the impacts on their institutions over the next two years. For example, respondents in the United States/Canada (78 per cent) and Europe (84 per cent) more often said they were extremely or very concerned about tighter standards or regulations that will raise the cost of doing existing business than were those in Asia Pacific (26 per cent) or Latin America (38 per cent). Similarly, the growing cost of required documentation and evidence of programme compliance was more often a concern among respondents in the United States/Canada (67 per cent) and Europe (92 per cent) than in Asia Pacific (22 per cent) and Latin America (38 per cent). Respondents in the United States/Canada (78 per cent) were also much likely to say they were extremely or very concerned about more intrusive and intense examinations than were those in Europe (44 per cent), Asia Pacific (13 per cent) and Latin America (25 per cent).

Risk management information systems and technology

Risk data strategy and management have posed significant challenges for many institutions for a number of years and relatively few respondents considered their institution to be effective in this area. The issues where respondents most often rated their institution as extremely or very effective were data governance (26 per cent), data marts/warehouses (26 per cent) and data standards (25 per cent). Other issues were rated this highly by even fewer respondents including data sourcing strategy (16 per cent), data process architecture/workflow logic (18 per cent) and data controls/checks (18 per cent).

The activity to improve risk data strategy and management has been largely driven by regulatory pressures in specific jurisdictions. The focus in this area in North America and Europe may explain why 44 per cent of respondents in the United States/Canada and 33 per cent in Europe considered their institution to be extremely or very effective in data marts/warehouses, compared to only 17 per cent in Asia Pacific and none in Latin America.

Most respondents also had significant concerns when it came to their institution’s risk management information technology systems. Given the pace of regulatory change, respondents were most often extremely or very concerned about risk technology adaptability to changing regulatory requirements (52 per cent). Roughly half of respondents were also extremely or very concerned about several issues related to IT systems including legacy systems and antiquated architecture or end-of-life systems (51 per cent), inability to respond to time-sensitive and ad-hoc requests (49 per cent), lack of flexibility to extend the current systems (48 per cent) and lack of integration among systems (44 per cent). Given the level of concern about these system-related issues, it appears that there is an opportunity for fintech solutions.

Respondents were least likely to have this level of concern with respect to lack of aggregation of trading and banking books (13 per cent), lack of product and asset class coverage (22 per cent) and lack of cross-asset-class risk calculations (25 per cent).

Conclusion

Looking ahead, risk management programmes face more uncertainty than they have in recent memory. Will the current environment of historically low interest rates persist or is it finally coming to an end? What will be the economic impacts of the growing opposition in many countries to free trade agreements? How will fintech start-ups disrupt traditional business models?

Perhaps the most important uncertainties address the direction of regulation. In the years since the global financial crisis, financial institutions have faced an unprecedented wave of regulatory changes that has broadened the scope of the issues addressed by regulators, as well as made regulatory requirements substantially more stringent. Each year, the trend has been towards greater regulation. The question for risk management programmes was whether they had the ability and resources required to comply with escalating regulatory requirements.

But risk management executives are now asking whether we are nearing an inflection point at which the trend towards continually more stringent regulatory requirements comes to an end or is even in some cases reversed, with some regulations being rolled back.

Yet, even if the recent breakneck pace of new regulatory requirements may not continue, financial institutions may be well-advised to not scale back their risk management programmes. Whether regulatory change will slow or requirements will lessen is far from certain. Institutions that reduce their investment in risk management may find that they are unable to easily adjust their capabilities if new requirements are imposed. Many institutions also have found that the new regulatory requirements have created a new normal and a new set of industry expectations and may not want to change this norm.

In this uncertain landscape, financial institutions are well-advised to remain vigilant in monitoring regulatory developments and building the capabilities to respond quickly to regulatory changes and remain in compliance. They should also consider being actively involved in the debate over the direction of regulation.

With the future direction of risk management more uncertain than it has been for years, perhaps the most important lesson is that many risk management programmes should become more nimble. In the coming years, risk management programmes should focus not only on being effective and efficient, but equally on acquiring the agility to respond flexibly to a new set of demands on risk management.

Regulatory, Forensics, & Compliance