an economist intelligence unit research program sponsored by protiviti. restoring confidence: risk...

Restoring Confidence: Risk Management Capabilities in the Wake of the Financial CrisisAn Economist Intelligence Unit Research Program Sponsored by Protiviti

IntroductionThe financial crisis of 2008 did more than expose weaknesses in the capital reserves and liquidity risk management of financial institutions. It also revealed profound weaknesses in many financial institutions’ three lines of defense: business operations, risk management controls and indepen-dent assurance.

Financial institutions rely on these to protect against risk; each of these lines had many questions to answer. First and foremost: What failed? On close examination, failure in each line of defense bears some responsibility for the crisis.

To assess the progress of, opportunities for and shortcomings of financial institutions in meeting new requirements, and to determine areas demanding more focus, the Economist Intelligence Unit (EIU) conducted a survey sponsored by global consulting firm Protiviti of 350 senior-level executives at financial institutions across the United States, Europe, the Asia-Pacific, and the Middle East and Africa. To further understand the complexities of wider compliance, the EIU also spoke to specialists in the field, and conducted extensive desk research.

Biggest challenges organizations face in improving risk management and compliance performance*

21%

25%28%

27%

30%

32%Resource limitations

Enterprisewide aggregation

Adequacy of management skill sets

Access to information

Risk culture

Integration of risk appetite in day-to-day activities

* Survey respondents could select up to three challenges.

1 Restoring Confidence: Risk Management Capabilities in the Wake of the Financial Crisis

The survey, conducted in March 2013, included responses from executives in a number of roles in the financial services industry. Nearly half (46 percent) are C-level executives or board members, and another 21 percent are senior VPs, VPs or directors. Respondents are located mainly in Western Europe (47 percent) and North America (38 percent), with the bulk of the remainder in the Asia-Pacific and Eastern Europe. One-third (33 percent) work for firms with global annual revenue of US$5 billion or more. Survey respondents include executives from each of the principal financial industry sub-sectors, with about half (53 percent) engaged in banking, one-quarter (23 percent) in insurance, and the balance in capital markets and private investment funds.

Not surprisingly, the survey found that increased regulatory pressure ranks as the greatest risk management priority for executives in the financial services industry. Yet just a small minority of respondents rate their risk management systems as fundamentally sound. While many respondents believe that they have largely completed certain foundational tasks to address risks, including restructuring organizations and revising business strategies, much work remains to fully inculcate a risk management culture across their organizations – particularly in the front office. In short, financial institutions are struggling to find the best means to successfully embed a strong culture of risk management across their organizations, with their most oft-cited stumbling block a shortage of human and financial resources.

To meet current and future regulatory requirements, respondents indicate that some resource- and culture-based tasks are not yet complete. Overall, those polled note compliance costs, resource shortfalls, a lack of clarity regarding rules and regulations, and thorny internal challenges as critical constraints. Tellingly, few respondents cite as strengths proactive communications between their risk management and business operations, or a corporate culture of risk awareness. Among sub-sectors, nonbanks note a higher likelihood of making changes in the future.

Put simply, the glass is half full – and half empty. Despite many improvements, those polled believe that to build on the foundational progress made, efforts must now focus on the more granular day-to-day details in the areas of culture, accountability, team- and skill-building, and communication – particularly in the front office.

JUST A SMALL MINORITY OF RESPONDENTS RATE THEIR RISK MANAGEMENT SYSTEMS AS

FUNDAMENTALLY SOUND.


The regulatory challenge

In the wake of the financial crisis, regulators realized two important facts. First, many financial institutions lacked the necessary controls to identify and respond to the risks embedded in their businesses. Second, many failed to set aside adequate capital reserves to cover potential losses. Regulators are now focusing their attention on both of these deficiencies.

Although well intentioned, the deluge of new regulations is overwhelming regulators and financial institutions. Global financial institutions must now simultaneously comply with Basel III, the Dodd-Frank regulatory package and the European Union’s EMIR framework, as well as various national reform packages. Meanwhile, looming requirements of the U.S. Federal Reserve’s foreign banking organization proposals, the Financial Stability Board’s (FSB) bank crisis contingency plan project (the “living wills” initiative) and the FSB’s common data template initiative are being developed.

Most challenging regulatory changes (in terms of complexity but not necessarily cost)*

Inconsistencies in regulatory requirements in the different jurisdictions where our organization operates

New regulations aimed at protecting consumers

New requirements for recovery and resolution planning

13%

12%21%

29%

33%

41%

43%

New regulations designed to reduce the probability of failure (e.g., capital and liquidity)

Increased scrutiny from a range of different regulators

Bank restructuring and restrictions

New regulations designed to limit the consequences of failure (e.g., OTC derivatives and other market reforms)

* Survey respondents could select up to three regulatory changes.


Protiviti Insights: Progress and Room for Improvement

“Governance.”

It’s a word that most financial services industry executives and board members see in their sleep. Financial services organizations, especially larger ones, have notched impressive progress in stress tests, model governance and other areas of risk oversight in recent years. That said, the constant state of global regulatory change has generated a steady stream of new governance challenges that must be addressed.

While boards have developed more constructive ways to engage with executive management on risk oversight matters, there are significant opportunities for improving the position of the risk management organization effectively within the larger enterprise.

To this end, while the CRO function continues to increase in stature – as evidenced by the growing number of CROs who report directly to the CEO and/or the board – there are also signs that many risk functions need to evolve beyond operating as merely a compliance function and/or a reporting and measurement function. In organizations where this evolution has occurred, the following CRO success factors tend to be present:

1. The CRO is viewed as a peer with business line leaders in virtually all respects (e.g., compensation, authority and direct reporting to the CEO) and likewise down through the business hierarchy and across the organization.

2. The CRO has a dotted reporting line to the board or a committee of the board and faces no constraints of any kind in reporting to the board.

(continued on page 7)

The new regulations, which cover a swath of activities, have forced financial institutions to move from, in some cases, self-regulated systems to one based on an explicit regulatory framework.

A key challenge is time. Tight compliance deadlines to meet the raft of new financial industry regulations may be aimed at preventing prevarication, but completing the job in the mandated time frame is challenging, risk managers say.

At the same time, financial institutions face the demands of more assertive national regulators. “Each country’s regulator wants a stand-alone picture of [our] risk profile and [each regulator] wants to see that [our firm] can operate independently from the head office,” a risk manager in New York complains.

These regulatory changes create a significant burden for financial institutions. About half (49 percent) of financial services executives we polled consider their top risk management priority to be dealing with these increasingly complex regulatory pressures. A significant number also singled out increasing scrutiny from several different regulators, which they found to be more burdensome than new regula-tions or additional costs.

Financial institutions are expending “huge amounts of time and energy coming to grips with the profound cumulative changes required,” avers David Schraa, regulatory counsel at the Institute of International Finance. “Each is dealing with a different set of priorities, given its business model and risk profile, and the jurisdictions in which it operates.”

6Restoring Confidence: Risk Management Capabilities in the Wake of the Financial Crisis

Protiviti Insights (continued from page 6)

3. The board, senior management and operating personnel believe that managing risk is an organizational imperative and everyone’s job.

4. Management values risk management as an equal discipline to opportunity pursuit.

5. The CRO is clearly viewed as undertaking a broader risk focus than compliance.

6. The CRO’s position and how it interfaces with senior line and functional management is clearly defined.

In short, the CRO is a significant executive within the organization’s broader risk management function and is integral to the foundation of the institution’s risk culture.

Financial services organizations also must consider the significant changes in the model governance infrastructures driven by Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for U.S. institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC). These changes and guidance reflect the fact that regulators expect a more expansive approach to model risk.

The 20 or so largest U.S. banks generally have made significant progress in putting mature model governance infrastructure in place. This headway enables many of the largest organizations to focus on upgrading the quality of their model documentation and model validation processes. Despite this progress, though, many of the largest banks still have difficulty obtaining specialized skills and completing large model building (or model validations) in a timely manner.

Midsize companies face similar challenges, as well as many others. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee or the equivalent, consisting of members of risk management, modelers and business owners. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel these efforts represents a major challenge. Similarly, few smaller banks can afford to hire full-time personnel with the skills necessary to fulfill new model risk management requirements.

As financial services executives address model governance, CRO positioning and other governance improvements, they and all of their organizations’ stakeholders will sleep better.

PROTIVITI SOURCES (available at www.protiviti.com/EIUriskresearch):

Effective Positioning of the Risk Management Organization (Enabling the Chief Risk Officer’s Success: Second in a Series)

Board Perspectives: Risk Oversight

• Issue 32: “Communicating Critical Enterprise Risks to the Board”

• Issue 38: “Focus on the ‘Tone of the Organization’”

• Issue 39: “Shaping the 2013 Risk Oversight Agenda”


Significant changes for financial institutions

Financial institutions believe they’ve made substantial improvements. These include changes to system components (22 percent), and implementing or enhancing comprehensive enterprisewide risk management systems (15 percent). Most financial institutions seem to have done so because they judged their legacy risk management systems to be inadequate. Only a small minority believe their systems were fundamentally sound (31 percent) or performed well during the financial crisis (20 percent). Among sub-sectors, banking executives are more likely to have made substantial risk management strategy changes in the wake of the financial crisis. Insurance executives, however, are more confident: they are twice as likely as executives in other sub-sectors, with the exception of equity and venture capital firms, to say that their traditional risk management systems had performed well.

The perceptions of the nature of these changes vary considerably by region and company size, however. Respondents in North America, for example, attribute less importance to nearly every category of risk than do their peers in other regions. The gap is particularly large on the topic of global economic instability. Only one-third (33 percent) of North American respondents rank global economic instability as a top-three risk versus nearly half in both Europe (48 percent) and the Asia-Pacific (47 percent). Also, North American respondents are roughly half as likely as those in the other two regions to rate reputational risk as a top priority.

As for size, those at large companies say they are more likely to have made fundamental changes to their risk management strategies as a result of the financial crisis than their peers at smaller companies. Firms with more than US$100 billion in assets under management, for example, are much more likely than the smallest firms to indicate that they have implemented substantial or fundamental changes to business models (29 percent versus 14 percent), to organizational structure (37 percent versus 21 percent), and to traditional risk management components (39 percent versus 15 percent).

This greater perception of fundamental change among large firms is logical based on another finding: A much smaller percentage of larger firms believes that their traditional risk management systems performed well during the financial crisis (11 percent) than smaller firms (30 percent).

0% 10% 20% 40%30% 50%

Confining our operations to a smaller number of regulatory jurisdictions

to reduce compliance costs

15%

Refocusing on high-growth markets where profit potential is greatest

21%

Fortifying financing through new solutions, deposit financing,

or other more stable forms

Downsizing to reduce our most difficult exposures

42%

26%

Expanding in our core activities through consolidation while

dropping high-risk product lines

45%

Exiting or divesting non-core business(es)

49%

Title text below reference only-Do not include with chart art: 4a. You indicated above that your organisation has implemented or considered fundamental changes to business models. Which paths are your organisation most likely to follow? Please select up to three.

Most likely paths to implementing changes to business models*

* Survey respondents who are considering fundamental changes to their business models (22 percent) could select up to three paths.


The changes often involve adding new roles and resources to the risk function. “Our risk manage-ment function has entirely changed [since the crisis],” says Brian Peters, senior managing director in the enterprise risk management group at AIG. Mr. Peters, who joined AIG from the Federal Reserve Bank of New York two years ago, points to a significant expansion of AIG’s risk function and its global depth of expertise since 2010. Moreover, risk management staff are now aligned with and embedded within the business. Finally, CROs have been appointed for each business. They report directly to AIG’s CRO, Mr. Peters relates, adding that risk is also reviewed and assessed as close to origination as possible.

Many financial institutions are also responding to the financial crisis by changing their business models (22 percent), largely by consolidating their businesses around core activities. Nearly half (49 percent) say they have exited or divested non-core businesses, while nearly as many (45 percent) have expanded core activities while dropping high-risk product lines. Others (42 percent) have downsized to reduce their most difficult exposures.

Credit Suisse is one of the firms that has made significant changes to its risk assets, according to Dan Miller, managing director and head of strategic risk management at Credit Suisse in New York. It has gradually rebalanced its risk-weighted assets (RWAs) towards private banking and wealth management. In its investment banking division, Credit Suisse has allocated the majority of capital to more profitable businesses, while diverting capital from capital-intensive businesses as they are defined under Basel III.

Protiviti Insights: CFPB Compliance and the Brave New World of Regulatory Requirements

“Regulatory burden.”

This age-old phrase is being redefined with a 21st century twist.

The vast majority of so-called “legacy regulators” focused primarily on whether financial institutions 1) had the right compliance processes in place, and 2) executed and maintained compliance with applicable laws and regulations. However, a number of new regulations, and regulators, place a greater emphasis on practices that extend beyond their specific technical requirements.

For example, in the United States, the newly created Consumer Financial Protection Bureau (CFPB) is keenly interested in the extent to which customers “understand” the products and services a financial institution offers. The CFPB’s growing scrutiny of organizational intent and behavior (through the formal examinations of financial institutions the bureau conducts) and the fact that it continues to enact new rules make it a model of the 21st century active regulatory body.

As such, compliance with CFPB rules contains useful object lessons for managing a new form of regulatory risk. To comply with the CFPB’s requirement that customers understand the products and services a financial institution offers, a financial institution’s executives and managers should begin by asking questions that may elude the kind of cut-and-dried responses that may have satisfied legacy regulators previously:

• Does our institution disclose the risks and drawbacks clearly, along with the benefits of our offering?




• Do we help customers select products that are most appropriate for them and avoid products that are potentially inappropriate for them, but more profitable for the institution?

• Do we go above and beyond existing disclosure requirements to ensure that our customers understand how the product works?

To be sure, CFPB compliance also requires a technically sophisticated approach; for example, the regression-based statistical analysis that compliance and legal departments used to monitor for anti-discriminatory practices must be closely examined. As a 21st century regulatory body, the CFPB demands more intense and rigorous scrutiny of tangible processes as well as less tangible areas.

For many financial institutions, the questions that the CFPB poses represent a major transformation in how financial services companies must look at regulatory compliance. And in the brave new world of global risk in the financial services industry, CFPB compliance is far from the only set of regulations driving the transformation.

Beyond the United States, Basel III and the EMIR pose new requirements that require affected financial institutions to wade deeper into intra-enterprise relationships, “risk cultures,” and other, less tangible aspects of governance. In 2012, the Group of 30 (G30) released a special report, Toward Effective Governance of Financial Institutions, which focuses on banking governance. The report discusses the “values” that influence “behavior” of those with governance responsibilities.

In the United Kingdom, the newly created regulatory framework (implemented on April 1, 2013, with “twin peaks” supervision for banks and insurance companies as well as the larger and more complex securities houses) also is giving sharper focus on consumer protection issues. In June 2013, the Financial Conduct Authority (FCA), the agency that regulates conduct by both retail and wholesale financial services firms, exercised its powers to ban the promotion of unregulated collective investment schemes and certain close substitutes (together to be known as non-mainstream pooled investments) to the vast majority of retail investors in the United Kingdom effective beginning January 1, 2014. The FCA has also been very public about its forward-looking approach to dealing with conduct risk issues. Although it may be too early to pass judgment, the FCA’s fining in July 2013 of one of the largest U.K. high street retail insurers for failing to treat its customers fairly is arguably an indication that the U.K. regulator’s appetite to take action continues to be whetted.

In addition to regulators’ growing focus on less tangible elements of organizational activity, the sheer volume of regulatory requirements has become more burdensome. No wonder regulatory reform rates as a top risk management concern among financial services executives.


Top Priorities for Internal Audit in Financial Services (see article on page 16, “CFPB Compliance Readiness Is a Matter of (a New) Perspective”)

Addressing the CFPB’s New Consumer Mortgage Loan Servicing Requirements


The importance of technology

Most executives believe that better IT systems and analytic technologies will allow them to signifi-cantly strengthen their risk management and compliance strategies. Nearly two-thirds (65 percent) of those polled say that improving the ability to aggregate and report a comprehensive risk profile of the organization will become increasingly important. Almost every regulatory pronouncement requires some new IT capacity and skill sets improvement, directly or indirectly.

Risk managers are also trying to paint a more complete risk picture by tying together data from a more dispersed number of entities than ever before. If institutions can successfully connect their systems and data flows, operating in a volatile, changing environment should become more manageable because institutions can access raw data across products and systems. This should, in turn, help both risk and senior managers better assess their firms’ changing risk profiles. Risk managers also stress the importance of streamlining and connecting many risk-calculation and reporting and data-capture systems. In the past, systems could not communicate, one New York-based senior risk official related, because of an insufficient focus on risk management.

Respondents are somewhat less enthusiastic about the potential for more advanced analytical techniques. They give more weight to issues of data governance and IT capacity than to developing more sophisticated risk-tracking models. But, a clear majority agree that new data mining technol-ogies and predictive modeling will facilitate the identification and assessment of emerging risks.

Protiviti Insights: Getting Tactical, and Technological

“Data governance.”

This phrase has emerged as a newly crucial enabler of the old (and true) adage that an organization cannot manage what it cannot measure. As more parts of the enterprise seek to harvest value from a growing trove of “big data” via advanced analytics, the risks associated with erroneous measurements and poor data quality soar. Not surprisingly, financial services executives express a clear desire in this survey to leverage IT systems and analytical technologies to strengthen their risk management and compliance capabilities. The effectiveness of these approaches hinges on the organization’s data governance capability.

The importance of data governance has risen as financial services organizations place greater emphasis on mobile commerce, social media, business continuity management, IT asset management, and related technologies and processes.

Data governance is the enterprisewide process (it is not a “project”) through which organizations ensure the strength of their data quality in order to achieve business objectives while meeting regulatory and other risk management requirements. The objectives of data governance include



IF INSTITUTIONS CAN SUCCESSFULLY CONNECT THEIR SYSTEMS AND DATA FLOWS, OPERATING

IN A VOLATILE, CHANGING ENVIRONMENT SHOULD BECOME MORE MANAGEABLE BECAUSE

INSTITUTIONS CAN ACCESS RAW DATA ACROSS PRODUCTS AND SYSTEMS.


supporting strategy execution; meeting regulatory reporting obligations; supporting line of business and executive decision-making; creating a sustainable framework to support long-term data management needs; supporting real-time data access while maintaining overall system performance; and ensuring data security through access controls.

The challenges obstructing data quality – including IT project backlogs, the steady influx of new systems and applications (via acquisitions and purchases), and the substantial number of legacy systems that linger in most financial services companies – are formidable. However, the benefits of strong data governance compel organizations to design, implement and maintain formal data governance programs. These benefits include:

• Meeting increasing regulatory and compliance standards pertaining to data quality and control;

• Centralizing oversight and monitoring of data quality;

• Defining clear roles and responsibilities to increase operating effectiveness and reduce administrative costs;

• Leveraging targeted metrics to address the root cause of data quality issues quickly and effectively;

• Creating efficient and effective data error remediation processes;

• Meeting market demands for flexible, timely and relevant information; and

• Efficiently and accurately deploying data for external use.

Perhaps even more important, leading-edge regulatory compliance and risk management capabilities – the sort that help augment confidence in the industry – increasingly rely on a robust foundation of data governance. For example, some financial services organizations are implementing a risk index that serves as a single-number snapshot of organizational risk progress. The purpose of this snapshot is to cut through the data “smog” surrounding enterprisewide risk management to address two essential and crucial questions executive management and board members constantly ask:

1. Is our organization riskier today than it was yesterday?

2. Is our organization likely to become riskier tomorrow than it is today?

These basic questions have become daunting because of the sheer volume of data within organizations. If the data cannot be trusted, or the wrong data is used to answer these questions, executives and board members may remain in the dark about important risk information. When data can be trusted, through execution of an effective governance framework, there is no limit to what an organization can measure, and manage.


FS Insights

• Volume 4, Issue 3 – “IT Challenges: What Is Next for the Financial Services Industry?”

• Volume 3, Issue 10 – “Data Quality Index – Do You Have Faith in the Accuracy of Your Numbers?”

• Volume 3, Issue 7 – “Creating a Risk Index – The Advantage of a Single-Number Snapshot of Organizational Risk Progress”


0% 50% 60% 70% 80% 90% 100%10% 20% 40%30%

41%

29%

29%

32%

20% 45% 23%

Title text below reference only-Do not include with chart art: 12. To what extent do you believe the following actions can enable your organisation to implement more robust risk management and compliance strategies? Please rate each of the following on a scale from ‘Strongly agree’ to ‘Strongly disagree’.

Improving IT capacity will help us to

integrate a growing body of more

granular data into management reports

Use of predictive modeling will

improve our ability to anticipate changes in

risk measures

Introducing new IT systems will make it

easier for us to organize

information/analysis and streamline

reporting

Utilizing new data mining technologies will make it easier to

identify impending operational risks

before they become problematic

Improving our ability to aggregate and report a

comprehensive risk profile of the

organization will become increasingly

important

4%

17% 39% 27% 4% 5%

18% 43% 28%

2%

4%

17% 35% 31% 5%

28% 43% 20% 4%

2%

2%

3%

10%

5%

8%

6%

2%

Strongly agreeSomewhat agreeNeither agree nor disagree

Somewhat disagreeStrongly disagreeDon’t know

Actions that enable organizations to implement more robust risk management and compliance strategies


Ongoing obstacles

Respondents say that the biggest obstacle they face is a lack of resources. Although 39 percent of them cite regulatory uncertainty as a serious obstacle, even more single out a lack of human and financial resources. This includes 42 percent who cite lack of people and time, and another 24 percent who list a lack of managerial skills as a top-three obstacle. Roughly 25 percent point to inadequate funding.

Another serious obstacle faced by financial institutions is the lack of understanding of risk issues within their firms. Although institutions have done much of the heavy lifting to strengthen the effectiveness of risk management controls across their organizations, they need to do more to seed a holistic, organizationwide culture of risk awareness. Just 20 percent of survey respondents indicate that risk awareness is integrated into their corporate culture. Only about one-third (34 percent) agree that key stakeholders have a good understanding of the organization’s risk program; even fewer say they have established proactive communications between the risk management function and business operations.

9%Independent assurance (third line of defense)

1% Other

17%

31% 32%10%

Business operations (first line of defense)

Management oversight (second line of defense)

Don’t know/not sure

Every aspect should receive equal emphasis

Aspects of risk management and controls that require the most attention to strengthen risk management and compliance

Financial institutions also suffer from having varied and ill-defined responsibilities for managing risk issues. Front-line managers appear to have more risk responsibility to make necessary changes than do managers in other business areas. Survey respondents were asked to assess how much responsibility business managers, risk managers and internal auditors have within their respective functions. The results show promise but indicate some areas for improvement. Roughly 42 percent believe that business-line managers have everyday responsibilities for risk control.

Aspects of risk management and controls that require the most attention to strengthen risk management and compliance


Of concern, however, only 38 percent of respondents consider risk management roles to be clearly defined and communicated; only about one-third agree that risk officers are empowered to bring issues to the attention of higher management. And only 32 percent of respondents indicate that their companies have an effective internal audit reporting function that ensures that the board is fully informed about the organization’s risk management strategy.

Overall, respondents feel that changing the skill mix of the risk management function and setting up new teams to address ongoing regulatory change will lead to more robust risk management and compliance strategies. About 87 percent agree that a more complete command of risk management principles by managers at all levels can at least moderately enable their company’s ability to imple-ment more robust risk-identification, assessment and control systems. Only about one-third of respondents say that their firms have significantly improved their risk management skill sets, while another 25 percent say they are likely to tackle them over the next three years.

Aspects of the business operation (first line of defense against risk) that are part of the institution’s risk culture*

0%

9%

20%

23%

23%

31%

27%

34%

42%

Title text below reference only-Do not include with chart art: 9. Regarding the business operation (ie, �rst line of defence against risk), which of the following are most true of your institution’s risk culture? Please select top three.

Risk control is part of the everyday responsibilities of

business line managers

Key stakeholders have a good understanding of our

organization’s risk program

Our organization has established proactive communications

between the risk management function and business operations

Risk management is linked to strategy and business planning

Our organization’s risk management function enjoys a

high level of credibility and stature

Operational managers are systematically involved in the

creation of a comprehensive risk profile for the organization

We have integrated risk awareness into our

corporate culture

Transparency into escalation of risks is valued in our firm

30% 50%10% 20% 40%

* Survey respondents could select up to three aspects of the business operation.


Title text below reference only-Do not include with chart art: 10. Regarding management oversight (ie, the second line of defence against risk), which of the following is most true of your institution’s risk culture? Please select all that apply.

44%All relevant managers are made aware

of the definitions, performance indicators, and metrics for risk

management by senior management

38%Risk management roles are clearly

defined and communicated among our senior management team

35%Our risk management strategy

includes a set of best practices and guidelines geared toward

managers at all levels

34%Risk officers are empowered to

take action and escalate issues to higher levels of management

26%Senior management has clearly

articulated our organization’s risk management strategy to all

relevant managers

22%Senior managers regularly receive comprehensive risk management

reports that address all operational areas

21%Senior management has a set of

definitions, performance indicators, and metrics for risk management

18%Senior management has clearly

articulated our organization’s risk management strategy to managers beyond just those that are relevant

14%Our compensation system

rewards strong risk management performance by

senior managers and advisors

30% 50%10% 20% 40%0%

Aspects of management oversight (second line of defense against risk) that are part of the institution’s risk culture*

Protiviti Insights: Doing More With Less, Collaboratively

“The front office.”

This line of defense, the first line of defense, represents an increasingly important facet of enterprise risk management (ERM) at a time when compliance costs, resource shortfalls, a lack of rules clarity and the integration of risk considerations into daily activities conspire to force organizations to do more with less.


* Survey respondents could select up to three aspects of management oversight.



ERM capabilities have progressed within many organizations – notably so, according to survey respondents, in sub-sectors such as insurance. These efforts offer object lessons regarding the importance of blending client-facing business into an effective and comprehensive ERM program. Of course, ERM is a journey, not a destination; the capability develops over time and requires ongoing refinement.

The global financial crisis exposed a wide range of deficiencies in many aspects of ERM, including the first line of defense (client-facing businesses), second line (risk management) and third line (internal audit and loan review). In some cases, for example, firms established corporate risk appetite statements, but the objectives adopted at the line-of-business (LOB) level did not reflect the strategic objectives of executive management and the board. In addition, metrics used to track the level of risk at the LOB level were often inconsistent and not well defined. This led to an inability to accumulate, aggregate and advance these risk metrics to the top of the organization, which resulted in insufficient exception tracking and the absence of an effective escalation process.

The crisis also provided a real example of what ERM is intended to be able to withstand while driving home the fact that ERM remains in the early stages of its evolution. Some organizations have made significant progress, however, particularly in advancing risk appetite concepts beyond conceptual frameworks to the front office. For instance, some insurers have instituted practices that help front-office executives and managers better understand and act upon risk exposures that could potentially generate major losses. These practices include:

• Business units and key corporate business functions such as investment management and reinsurance receive clear information and guidance from senior management regarding risk tolerance and risk limits and how they relate to the firm’s risk appetite;

• Compensation for all personnel is linked to risk-adjusted performance metrics; and

• Risk management provides input into the calculation of risk-adjusted performance metrics.

These practices concern the prioritization of business risks, which represent only one of numerous key facets of an effective ERM framework. While the ERM roles and responsibilities vary at each level within the organization, every level has a responsibility to the organization to understand the corporate risk appetite statement and how that view of risk has been pushed down and adopted at each line of business.

Every LOB executive must be able to review, measure, assess and conclude on the business risk profile and be able to roll risk profile metrics up to the top of the house to ensure that the tolerances established at the corporate level are not breached. Additionally, LOB conclusions on risk should be reported throughout the organization to enable the firm to re-evaluate its risk position continually.

For an organization to advance on its ERM journey continuously, its three lines of defense must perform in a collaborative fashion. Moving forward, one of the keys to this collaboration will be the deeper, more meaningful integration of the front office into ERM capabilities.

PROTIVITI SOURCE (available at www.protiviti.com/EIUriskresearch):

Top Priorities for Internal Audit in Financial Services (see article on page 6, “A Credible Challenge: Auditing ERM”)


Beneficial outcomes

Although most respondents consider the new regulatory burdens to be challenging, they also understand their beneficial impact on their organizations. Most executives, moreover, see strong links between improved operational efficiency and robust risk management. Close to two-thirds (64 percent) believe that improved operational efficiency will directly support risk management by streamlining information flows. A majority (59 percent) feel improved operational efficiency is essential to financially support the implementation of regulatory reforms. Almost half indicate that increased regulatory scrutiny is helpful in identifying underperformance – and that such discovery can ultimately lead to improved operational efficiency.

0% 50% 60% 70% 80% 90% 100%10% 20% 40%30%

41%

29%

29%

32%

36% 34% 3%

17% 47% 26%

1%

4%

16% 43% 28%

2%

4%

5%

7%

5%

12%

Improved operational efficiency will be

essential to generate sufficient cash flow to implement regulatory

reforms

Improved operational efficiency will directly

support risk management by

eliminating duplication and

streamlining information flow

Increased regulatory attention can help us

to strengthen operational efficiency by highlighting areas of underperformance

Title text below reference only-Do not include with chart art: 13. To what extent is improved operational eciency related to your organisation’s ability to implement more robust risk management and compliance strategies? Please rate each of the following on a scale from ‘Strongly agree’ to ‘Strongly disagree’.

10%

Strongly agreeSomewhat agreeNeither agree nor disagree

Somewhat disagreeStrongly disagreeDon’t know

Extent that improved operational efficiency relates to ability to implement more robust risk management and compliance strategies

EXECUTIVES WHO RATE THEIR CONTROLS AS ABOVE AVERAGE AT ALL THREE LEVELS OF

DEFENSE ARE NEARLY 10 TIMES MORE LIKELY THAN OTHERS TO SAY THEY ARE WELL-PREPARED

FOR FUTURE INCREASES IN REGULATORY SCRUTINY.


Notably, most also feel that this scrutiny leads to better outcomes for their clients. The largest proportion (59 percent agree versus 21 percent disagree) say that because the costs of increased regulation are inevitable, leveraging tighter controls to provide stronger assurances to customers makes sense. Nearly as many (58 percent versus 18 percent) perceive a positive program of customer assurance to be a distinct competitive advantage – and a majority has already implemented one (52 percent versus 23 percent). A smaller proportion (46 percent versus 29 percent) say they are moving ahead of regulations to offer new consumer protections as a promotional tool.

This is in keeping with an observation from a risk manager in New York. Everyone “wants to be seen as … on top of their regulatory program,” he said. Failure “speaks to the weakness of your risk and compliance programs [and for that] investors will destroy you.”

The survey results reveal a strong correlation between the perceived strength of a firm’s risk controls and the perceived level of preparedness for increased regulatory scrutiny. Remarkably, executives who rate their controls as above average at all three levels of defense are nearly 10 times more likely than others to say they are well-prepared for future increases in regulatory scrutiny. And, conversely, respondents who rate their company as well-prepared (above-average preparedness) for increased regulatory scrutiny tend to have implemented substantial improvements in their risk management strategies and consider their risk controls to be relatively strong across all three lines of risk management defense.

Whatever the source, a virtuous cycle seems to be at work, with risk management efforts to comply with regulations both raising performance and enabling financial institutions to surmount capital, liquidity and compliance cost hurdles to reassure their customers and permit financial institutions to operate more efficiently.

Certain respondents display common characteristics that indicate they are better prepared for future risk management challenges, relative to their peers. They are more likely to have revised business models than their less-prepared peers (26 percent versus 18 percent), and are more likely to have beefed up components of risk management systems (27 percent versus 16 percent). Notably, however, they have not made more substantial changes to their organizational structures (27 percent versus 27 percent). This appears to indicate that while organizational changes may contribute to certain improvements in risk systems, they don’t necessarily improve regulatory preparedness.

Protiviti Insights: Getting to Strong

“Strength.”

As financial institutions emerge from the most severe economic rupture in generations and respond to the heightened expectations of multiple stakeholder groups, the concept of organizational strength has taken on newfound importance.

The phrase “Getting to Strong” primarily originates from the U.S. Office of the Comptroller of the Currency’s (OCC) method for evaluating a bank’s risk management practices. In addition, heightened regulatory initiatives and scrutiny in Europe, where the European Commission and European Banking Authority have expressly committed to increasing the weighting of risk control for key business and risk policy decisions, are increasing the importance of financial institutions having not just a satisfactory regulatory compliance framework, but a strong one.




We believe that the initiatives around “Getting to Strong” in the United States and Europe’s heightened regulatory expectations have broader application, as an ERM concept and ethos, that applies across the entire organization with regard to managing risk.

Essentially, a “strong” risk management function is critical to having secure and reliable financial institutions, and ensures that an appropriate risk management function is in place and that risk-taking activities are controlled proactively within risk tolerance levels. The core elements revolve around accountability, effective challenge, stature within the organization, competence of staff and talent management.

It is critical for the organization to evaluate continually its risk position in terms of established tolerances, metrics and limits, but just as importantly, to also be able to identify and respond to emerging risks in its operating environment. Emerging risks are often newer to the organization or the result of macro- and/or industry-level changes. This is distinguished from the concept of evolving risks, which are changes in the risk level for already-identified risks in the institution’s risk inventory. For example, a change in interest rates is generally an evolving risk versus the impact of social media and mobility, which would typically be viewed as more emerging-type risks. For both evolving and emerging risks, a strong risk management function will have well-established transparent escalation procedures to ensure that management at the highest levels in the organization is well aware of any breach or pending breach of established risk tolerances.

For an organization to navigate a “Getting to Strong” program for ERM successfully, it must be a well-organized effort that is owned by the CEO and the board, directed by the CRO, and executed by the organization’s three lines of defense as they act in a collaborative fashion with a well-laid-out plan detailing specific objectives, milestones, lines of accountability and detailed timelines. When this occurs, the “Getting to Strong” approach can produce valuable benefits and outcomes, including:

• An ability to anticipate successfully and respond consistently to a rapidly changing risk environment where management is informed of and understands the risks they are undertaking – or just as importantly, the risks they are not taking;

• An increase in transparency and accuracy in reporting and the ability for executive management to make timely business and risk management decisions;

• An increase in consistent, long-term financial profitability and capital adequacy;

• Lines of defense that fully understand and clearly execute ERM roles and responsibilities;

• Greater transparency that fosters confidence with key stakeholders including regulators, counterparties, funds providers, rating agencies and shareholders; and

• The achievement of sustainable regulatory compliance while helping frame the view that regulators have of the institution.

PROTIVITI SOURCE (available at www.protiviti.com/EIUriskresearch):

Getting to Strong – What Banking Organizations Need to Know


Conclusion

Several years after a shake-up of the banking sector, financial services firms believe they have greatly improved their risk management means and methods to comply with broader and more complex regulatory requirements. But, as enforcement expands and intensifies without a commensurate increase in resources, the devil is in the details. To build on current progress and reap the benefits of sufficient preparedness, the focus is shifting to seeding a strong risk management culture across the enterprise. Today’s risk management efforts range from fortifying skills and teams, to further improving IT systems, to making risk management a priority through tighter controls and accountability – particularly in the front office. The result should be a more resilient and flexible financial services industry, better positioned to weather the next financial crisis.

TO BUILD ON CURRENT PROGRESS AND REAP THE BENEFITS OF SUFFICIENT PREPAREDNESS,

THE FOCUS IS SHIFTING TO SEEDING A STRONG RISK MANAGEMENT CULTURE ACROSS

THE ENTERPRISE.


In which region are your company’s global headquarters based?

What is your organization’s global annual revenue in U.S. dollars?

What are your organization’s total assets under management in U.S. dollars?

Which of the following best describes your title?

Banking (e.g., corporate, investment, diversified, retail, etc.) 53%

Insurance (e.g., life and non-life) 23%

Capital market (e.g., asset management, broker-dealer, etc.) 16%

Private investment funds (e.g., hedge fund, private equity/venture capital, real estate, etc.)

8%

Western Europe 43%

North America 41%

Asia-Pacific 11%

Eastern Europe 3%

Middle East and Africa 1%

Latin America 1%

$10 billion or more 22%

$5 billion to $10 billion 11%


$500 million to $1 billion 11%

$500 million or less 43%

$100 billion or more 25%



$500 million to $1 billion 8%

$500 million or less 34%

Board Member 4%

CEO/President/Managing Director 17%

C-Suite (CFO/CIO/CAE/CCO/CRO/Other) 25%

SVP/VP/Director 21%

Manager 23%

Other 10%

Western Europe 47%

North America 38%

Asia-Pacific 11%

Eastern Europe 4%

In which region are you personally located?

Which sub-sector of the financial services industry is your organization most engaged in?

Survey Demographics


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000® and Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

About Our Financial Services Industry Team

We assist financial services companies in identifying, measuring and managing the myriad risks they face. With our commitment to service, people, resources and values, we are the service provider of choice for financial institutions of all types and sizes.

Our consultants are experienced professionals. Many have decades of experience working in the financial services industry. Located in offices across the globe, they include former industry execu-tives, former regulators and a broad range of subject-matter experts who have firsthand knowledge of the issues on which they provide advice. Our internal commitment to training ensures that our consultants remain current on important industry issues. Armed with tested tools and methodologies, our consultants provide pragmatic, cost-effective and value-added solutions to your company.

At Protiviti, we understand the challenges faced by financial services companies. Our solutions are designed to help your company turn these challenges into competitive advantages.

Contacts

Carol Beaumier Managing Director +1.212.603.8337 [email protected]

Cory Gunderson Managing Director +1.212.708.6313 [email protected]

Andrew Clinton Managing Director +44.20.7024.7570 [email protected]

Giacomo Galli Managing Director +39.02.6550.6303 [email protected]


ASIA-PACIFIC

AUSTRALIA

BrisbaneCanberraMelbournePerthSydney

CHINA

BeijingHong KongShanghaiShenzhen

INDIA

BangaloreMumbaiNew Delhi

INDONESIA**

Jakarta

JAPAN

Osaka Tokyo

SINGAPORE

Singapore

SOUTH KOREA

Seoul

* Protiviti Member Firm ** Protiviti Alliance Member

THE AMERICAS

UNITED STATES

AlexandriaAtlantaBaltimoreBostonCharlotteChicagoCincinnatiClevelandDallasDenverFort LauderdaleHouston

Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento

Salt Lake City San Francisco San Jose Seattle Stamford St. Louis Tampa Washington, D.C. WinchesterWoodbridge

ARGENTINA*

Buenos Aires

BRAZIL*

Rio de Janeiro São Paulo

CANADA

Kitchener-WaterlooToronto

CHILE*

Santiago

MEXICO*

Mexico City Monterrey

PERU*

Lima

VENEZUELA*

Caracas

© 2013 Protiviti Inc. An Equal Opportunity Employer. PRO-0713-101049Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

SOUTH AFRICA*

Johannesburg

EUROPE/MIDDLE EAST/AFRICA

FRANCE

Paris

GERMANY

Frankfurt Munich

ITALY

Milan Rome Turin

THE NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN*

Manama

KUWAIT*

Kuwait City

OMAN*

Muscat

QATAR*

Doha

UNITED ARAB EMIRATES*

Abu Dhabi Dubai

an economist intelligence unit research program sponsored by protiviti. restoring confidence: risk...

Business

risk management culture

risk management capabilities

risk management controls

risk management systems

global financial institutions

financial resources

financial crisisthe

financial services industry