Heightened regulatory scrutiny and greater concerns over risk governance have led According to Deloitte's eighth biennial survey on risk management practices, titled "Setting a Higher Bar," about two-thirds of financial institutions (65 percent) reported an increase in spending on risk management and compliance, up from 55 percent in 2010.
A closer look at the numbers finds, though, that there is a divergence when it comes to the spending patterns of different-sized firms. The largest and the most systemically important firms have had several years of regulatory scrutiny and have continued their focus on distinct areas like risk governance, risk reporting, capital adequacy and liquidity. In contrast, firms with assets of less than $10 billion are now concentrating on building capabilities to address a number of new regulatory requirements, which were applied first to the largest institutions and are now cascading further down the ladder.
"The financial crisis has led to far-reaching changes in financial institutions' risk management practices, with stricter regulatory requirements demanding more attention from management and increasing their overall risk management and compliance efforts," said Edward Hida, DTTL Global Lead, Risk & Capital Management Services. "That said, risk management shouldn't be viewed as either a regulatory burden or a report destined to gather dust on a shelf. Instead, it should be embedded in an institution's framework, philosophy and culture for managing risk exposures across the financial institution."
"Knowing that a number of regulatory requirements remain in the queue, financial institutions have to be able to plan for future hurdles while enhancing their risk governance, analytical capabilities, and data quality efforts today," explained Hida. "Those that do will be well placed to steer a steady course though the ever-shifting risk management landscape."
The majority of institutions participating in the survey (58 percent) plan to increase their risk management budgets over the next three years, with 17 percent anticipating annual increases of 25 percent or more. This is not a trivial matter as 39 percent of large institutions particularly those based in North America reported having more than 250 full-time employees in their risk management function.
Risk management moves up the boardroom agenda
Alongside increased spending, risk management has also significantly risen up the agenda in the boardroom. According to the survey's results, 94 percent of company boards now devote more time to risk management oversight than five years ago, and 80 percent of chief risk officers report directly to either the board or the chief executive officer (CEO). Additionally, 98 percent of company boards or board-level risk committees regularly review risk management reports, an increase from 85 percent in 2010.
"Regulators have been focusing more and more on the role of the board of directors in risk governance, including their approval of the firm's risk appetite and risk policies, overseeing their implementation by management and increasingly looking to understand the challenge that the board makes in its oversight of the financial institution's risk management of key issues," said Hida.
Other major findings in the survey include:
- Almost three out of four risk managers rated their institution to be either extremely or very effective in risk management overall, an increase from 66 percent in 2010's survey results.
- The impact of increased regulation is having a significant effect on business strategy and the bottom line, with 48 percent of firms confirming that they have had to adjust product lines and/or business activities, a percentage that doubled from 24 percent in 2010.
- The use of institution-wide enterprise risk management (ERM) programs is continuing to grow. Today, 62 percent of financial institutions have an ERM strategy in place, up from 52 percent in 2010, while a further 21 percent are currently building a program. The total of 82 percent of firms either with or building an ERM program is significantly up from 59 percent in 2008.
- Institutions are increasingly confident about their effectiveness in managing liquidity risk (85 percent rate themselves as extremely or very effective vs. 77 percent in 2010); credit risk (83 percent against 71 percent in 2010); and country/sovereign risk (78 percent vs. 54 percent in 2010).
- Stress testing has become a central plank in many institutions' risk management efforts. Eighty percent of the institutions surveyed stated that stress-testing enables a forward-looking assessment of risk, and 70 percent said that it informs the setting of their risk tolerances.
- Technology used to monitor and manage risk is a particular concern and, according to the report, significant improvements in risk technology are needed. Less than 25 percent of institutions rate their technology systems as extremely or very effective while 40 percent of institutions are concerned about their capabilities in the management of risk data.
- Progress in linking risk management with compensation has changed only incrementally since 2010's survey results. Currently, 55 percent of institutions incorporate risk management into performance goals and compensation for senior management, which is little changed from 2010. The use of "clawback" provisions in executive compensation, however, has increased (41 percent vs 26 percent of institutions in 2010).
"Financial institutions are becoming increasingly confident in their risk management abilities, but they also recognize where there are gaps," said Hida. "Where concerns linger particularly is around operational risk, with a number of recent headlines like management breakdowns and large-scale cyberattacks underscoring the important impacts this area can have on a firm's reputation. This is a gap that needs to be addressed."
According to the report, operational risk, which is a key component of Basel II, has been a continuing challenge for institutions. The lack of ability to measure operational risk and the complexity of many operational processes are key causes of this. Only 45 percent of firms rated themselves as extremely or very effective in this area, down slightly from 2010.
Deloitte's survey assesses the risk management programs, planned improvements, and continuing challenges among global financial institutions. The eighth edition surveyed chief risk officers or their equivalent at 86 financial institutions, and represents a range of financial services sectors, including banks, insurers, and asset managers, with aggregate assets of more than $18 trillion. The survey was conducted from September to December 2012.
The report can be found online at www.deloitte.com/us/globalrisksurvey.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity.Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has nearly 200,000 professionals, all committed to becoming the standard of excellence.