global risk management survey 2013

7/27/2019 Global Risk Management Survey 2013

1/48

Global risk management survey,eighth editionSetting a higher bar

Financial Services


2/48

As used in this survey report, Deloitte means Deloitte Touche Tohmatsu Limited and its member rms.

Contents

Foreword 1

Executive summary 2

Introduction 5

Risk governance 8

Enterprise risk management 14

Regulatory and economic capital 17

Management o key risks 24

Credit risk 24

Market risk, liquidity risk, and asset liability management 26

Operational risk 27

Investment management risk 29

Insurance risk 30

Regulatory risk 32

Risk management systems and in rastructure 34

Conclusion 37

Contacts 40


3/48Global risk management survey, eighth edition: Setting a higher bar 1

Foreword

Dear Colleague,

We are pleased to present Deloittes Global risk management survey, eighth edition , the latest assessment o the state

o risk management in the global nancial services industry. The ndings are based upon the responses o 86 nancialinstitutions rom around the world, across multiple sectors, representing a total o more than US$18 trillion in combinedassets. We wish to express appreciation to all survey participants or their time and insights.

The surveys ndings reveal that the nancial services industry continues to respond to challenges posed by the globalnancial crisis and subsequent market and regulatory developments, with many nancial institutions continuingto increase their ocus on liquidity, counterparty, and systemic risk. Strengthening risk governance is also receivingheightened attention: many institutions have increased the role o the board o directors in providing direction to andapproval o the institutions risk appetite and risk policy. The Chie Risk O cer (CRO) position continues to become morecommonplace, providing a senior-level executive who has overall responsibility or the organizations risk managementactivities and who can provide counsel to the CEO and the board o directors on its risk exposures. More institutionshave created enterprise risk management programs to develop a comprehensive view o the various risks acing theirorganizationsand their interrelationshipsacross businesses, products, and geographies.

Over the past several years, there has been a wave o ar-reaching regulatory changes in multiple geographies around theworld. The Basel III ramework or banking regulation1, which will be implemented in stages rom 2013 to 2019, will requirehigher quality and levels o capital and greater liquidity. The Dodd-Frank Wall Street Re orm and Consumer Protection Act(Dodd-Frank)2, passed in 2010, undamentally rewrote nancial regulation in the United States: among its many provisions,the Act requires periodic stress testing or many institutions, mandates most derivatives trading to be conducted onexchanges, bans proprietary trading by banking institutions, and creates a new Consumer Financial Protection Bureau,Financial Stability Oversight Council, and O ce o Financial Research. The European Market In rastructure Regulation willrequire many derivatives contracts to be cleared through central counterparties. The United Kingdom has reorganized itsnancial regulatory agencies, including creating a new agency or consumer protection. In many countries, the requencyand intensity o regulatory examinations and related en orcement activities have also increased.

Despite major regulatory changes already accomplished, institutions should be prepared to respond to a continuingseries o uture developments as regulators and others set a higher bar or risk management across the nancial services

industry. For some o the newer and more sweeping laws and regulations, speci c rules are s till being developed:there ore, what institutions will need do to comply, and possible impacts on strategy and business models, remains to beseen. In response, nancial institutions may well need added analytical capabilities, enhanced in ormation and technologysystems, and access to the right underlying data to allow them to respond fexibly to these continuing changes.

Many institutions may also need to upgrade other key aspects o risk management. In particular, many institutions areexpanding the use o stress tests to assess their ability to withstand a uture severe downturn, increasing their ocus ona wider range o risk types including operational, reputational, and regulatory risk, and enhancing their risk data andtechnology in rastructure.

We believe that Deloittes risk management survey series continues to be one o the most comprehensive periodicexaminations o risk management at nancial institutions. We hope that this report provides you with help ul insights intohow nancial institutions are responding to todays challenges and osters discussion that will help to urther enhance riskmanagement across the industry.

Sincerely,

Edward T. Hida II, CFAPartner, Deloitte & Touche LLPGlobal Leader Risk & Capital ManagementGlobal Financial Services IndustryDeloitte Touche Tohmatsu Limited


4/482

Executive summary

The global nancial crisis has led to dramatic and ongoingchanges in risk management among nancial institutionsaround the world. Major regulatory re orms have beenenacted with the goal o creating a more stable andtransparent nancial system. Among the most importantdevelopments were passage o Dodd-Frank in the UnitedStates, the European Market In rastructure Regulation(EMIR)3, and issuance o the global Basel III regulatoryramework. These and other initiatives are changing theregulatory requirements or nancial services players inareas such as systemic risk, regulatory capital, liquidity,derivatives, proprietary trading, and nancial activities withindividual consumers.

Although the extent o change has been enormous,regulatory developments thus ar seem to mark only an

intermediate step, rather than the end, o a period oongoing change: a higher bar continues to be set orrisk management across the industry. Almost three yearsa ter Dodd-Frank and Basel III were rst introduced,many speci c rules are still being developed. Additionalregulatory initiatives that could have important implicationsor risk management are also being put orward, suchas the proposal to centralize supervision or Europeanbanks under the European Central Bank. At the sametime, nancial institutions continue to enhance their riskmanagement programs by strengthening governanceand upgrading their capabilities in such areas as riskmanagement models, stress testing, and risk managementin ormation and technology systems.

As a result o these events, risk management continuesto experience signi cant change. To manage the resultinguncertainty, institutions should look or fexibility inadjusting business strategies, business processes, and riskmanagement programs as new regulatory requirementsare introduced or new risk issues emerge.

DeloittesGlobal risk management survey, eighth edition ,assesses the state o risk management as the nancialservices industry con ronts this new reality. The surveywas conducted rom September to December 2012: 86

nancial institutions rom around the world participated,representing a range o nancial services sectors and withaggregate assets o more than US$18 trillion.

Main fndingsBoard approval o risk policy and risk appetite. Atroughly 80 percent o the institutions participating in thesurvey, the board o directors reviews and approves the riskmanagement policy and/or enterprise risk management(ERM) ramework and the risk appetite statement.

Role o the CRO. The existence o the Chie Risk O cerposition has steadily grown over the course o our riskmanagement survey series. The percentage o institutionswith a CRO is 89 percent in the current survey, up rom 65percent in 2002 and a slight increase over the 86 percentreported in 2010. The CRO has a strategic, senior-level roleat most institutions and reports to either the CEO or theboard o directors at roughly 80 percent o participatinginstitutions. At 87 percent o institutions, the CRO assists

in developing the risk appetite statement; at roughly 80percent, the CRO participates in executive sessions withthe board o directors and/or board risk committee, andprovides input into the development o business strategy.

Incentive compensation. There has been extensivediscussion about how some incentive compensation plansmay inadvertently encourage excessive risk taking. Yet, onlyabout hal o the institutions, 49 percent, said their boardo directors reviews the compensation plan to consider thealignment o risks with rewards; this percentage increasedin 2012 rom 35 percent in 2010. Other actions relatedto compensation planning were reported more o ten: 83

percent o institutions said they use multiple incentive planmetrics, 73 percent require that a portion o the annualincentive be tied to overall corporate results, and 58 percenthave de erred payouts linked to uture per ormance. Moreinstitutions also reported using clawback provisions41 percent in 2012, versus 26 percent in 2010.



Enterprise risk management. Sixty-two percent oinstitutions reported having an ERM program, up rom52 percent in 2010, while 21 percent are currentlyimplementing one. Almost 60 percent o institutions saidthey expect to increase their ERM budgets during the nextthree years.

Eurozone crisis. Seventy-nine percent o institutions havetaken actions in response to the Eurozone crisis, includingmore than 90 percent o large institutions. By ar the mostcommon action taken was to evaluate counterparties moreclosely (89 percent), ollowed by ceasing trading withspeci c counterparties (42 percent) and preparing or thepotential unwinding o the euro (33 percent). However,while 58 percent o institutions in the United States/ Canada reported having taken action in preparation or

the possible unwinding o the currency, only 33 percento institutions in Europe and 22 percent o those in AsiaPaci c have done so.

Basel II and III. Institutions subject to Basel II reportedthey had made signi cant progress in implementing theserequirements, with roughly three-quarters saying theyhad either completed or largely completed the work onBasel IIs three pillars: I (Minimum Capital Requirements),II (Supervisory Review Process), and III (Market DisciplineRequirements). Institutions have made less progress onmeeting the requirements o Basel III: 45 percent hadlargely completed the work or Pillar I: Enhanced CapitalStandards, while 35 percent had made equal progress on

Pillar I: Enhanced Risk Coverage. Roughly 30 percent oinstitutions said they had largely completed the work onBasel IIIs requirements regarding the Liquidity CoverageRatio, Leverage Ratio, or Net Stable Funding Ratio.

Solvency II. For insurance institutions subject to SolvencyII, 92 percent said they plan to ocus over the next 12months on Own Risk and Solvency Assessment (ORSA),while many institutions also said they are intending towork on issues related to review o data quality (77percent) and documentation/reporting (69 percent).

Stress testing. Stress testing has become a morecommonly used tool to help institutions assess their ability

to withstand severe economic and market conditions.Further, periodic stress tests are required by a number oregulatory authorities. Many institutions reported usingstress testing in their planning processes, saying that itenables a orward-looking assessment o risk (80 percent),in orms the setting o risk tolerance (70 percent), and eedsinto capital and liquidity planning procedures (66 percent).However, the most common uses o stress tests wereor regulatory complianceassessing the adequacy oregulatory capital (86 percent) and responding to inquiriesrom regulators (84 percent).

Economic capital. Roughly 80 percent o participatinginstitutions reported calculating economic capital androughly 60 percent said they use economic capital, orcredit risk, market risk, operational risk, and interest raterisk o the balance sheet.

Impacts o regulatory re orm. More institutionsreported an increase in the cost o compliance (65percent, up rom 55 percent in 2010) and said it hadcaused them to revise product lines or business activities(48 percent in 2012, a doubling rom 24 percent in2010). Many institutions also said that regulatory re ormresulted in their maintaining higher levels o both capital(54 percent) and liquidity (37 percent).

Operational risk. Roughly 60 percent o institutions ratedtheir operational risk methodologies as well developed

or both risk assessments and or their internal loss eventdatabase. However, in these and other areas, operationalrisk methodologies were not more ully developed thanhad been reported in 2010; constancy here may be theresult o heightened ocus by regulators on other areassuch as governance, stress testing, and liquidity risk inrecent years.

Risk technology systems and data. As was true inthe 2012 survey, the need or signi cant improvementin risk management technology and in rastructure wasreported by many institutions. Less than one-quarter oinstitutions rated their systems as extremely e ective orvery e ective in data management/maintenance, dataprocess architecture/workfow logic, or data governance.The leading concern regarding risk technology continuesto be the quality and management o risk data, where 40percent o respondents were extremely or very concernedabout the capabilities at their institution, ollowed byroughly one-third who said the same about the abilityo their risk technology to adapt to changing regulatoryrequirements and the lack o integration among risksystems. The highest priorities or investment in risktechnology systems were or improvements to risk dataquality and management (cited by 63 percent in thecurrent survey, versus 48 percent in 2010) and enterprise-wide risk data-warehouse development (mentioned by 51

percent now versus 35 percent in 2010).


6/484

Key implications or managementAs in past years, Deloittes risk management surveyexamined a wide range o issues including governance,management o diverse risk types, methodologies, regulatoryrequirements, and risk data and technology in rastructure.The ndings rom the current survey suggest a number oimportant issues that nancial institutions should examine.

Managing regulatory change. The unrelenting paceo regulatory change is having important impacts onnancial institutions through new requirements inmany jurisdictions in areas such as regulatory capital,liquidity, restrictions on proprietary trading, and theuse o exchanges or most derivatives trades. There hasbeen a particular ocus on those institutions designatedas systemically important, with requirements or higher

capital levels, living wills, and enhanced regulatoryreporting, among others. The stricter regulatoryrequirements are demanding more attention rommanagement, a ecting the pro tability o di erent lineso business, and increasing the costs o compliance.Financial institutions should consider how their businessmodels will be a ected by current and potential uturenew requirements, and whether their risk managementprograms have the ability to respond fexibly to theongoing process o regulatory change.

Strengthening governance. Given the strategicimplications o risk management, it has become even

more important that the board o directors and seniormanagement provide strong leadership and promotea risk-aware culture throughout the organization.The board o directors has the nal responsibility orapproving the organizations risk policy and risk appetiteand or providing oversight o the risk managementprogram. Many nancial institutions have alsorecognized the value provided by a CRO positionasenior-level executive responsible or overseeing therisk management activities o the organization andwho can advise the CEO and the board o directorson the organizations risk pro le and risk appetite, thee ectiveness o the risk management program, and therisk implications o strategic decisions.

Examining incentive compensation. Ultimately, aninstitutions risk pro le is the result o the many decisionsmade each day as employees seek to accomplish businessobjectives. Although the risk management unctionsets standards and provides oversight, employees in thebusiness units are on the ront line in terms o taking andmanaging risk. For this reason, institutions should considerreviewing their per ormance management and incentivecompensation plans to ensure their alignment with theorganizations risk appetite.

Managing a wider range o risk types. Institutionsshould consider whether they have su cient capabilitiesto manage a wide range o risk types in addition tomore common risks such as market and credit risk.Developments in nancial markets during the credit crisisraised the priority o managing liquidity risk. The paceo regulatory change has increased the importance oregulatory risk. Institutions are paying more attention toreputational risk given the potential or negative publicityand reputational damage i an institution ails to complywith regulatory requirements or becomes the target oan en orcement action. A varying series o managementbreakdowns at major nancial institutions has alsounderscored the impacts rom operational risk events.Finally, many institutions are also giving a higher priorityto managing model risk.

Improving stress testing capabilities. The increasedemphasis on stress testing or banks and certainsystemically important nancial institutions, especiallyamong U.S. regulators, will require risk managementprograms to have the capabilities to employ thistechnique on scenarios stipulated by their regulators aswell as on their own scenarios. An e ective stress testingprogram requires governance structures and controlsto oversee data integrity, the selection o stress testingmodels, and model validation. Financial institutionsmay also consider their capabilities in stress testingmacroeconomic variables and orecasting potentiallosses at the loan level. When stress testing is used toassess capital adequacy, institutions should considerwhether it is part o a broad, well-documented internalcapital adequacy assessment process.

Upgrading risk data quality and technologyin rastructure. Managing risk e ectively requiresinstitutions to be able to aggregate and analyze riskson a consistent basis across the organization in order toprovide timely reporting to management and regulatoryauthorities. Institutions should consider whether theymay need to improve the quality and consistency o riskdata and also upgrade their risk technology systems inorder to gain such an enterprise-wide view o risk.

Despite the time that has passed since the global nancialcrisis, the risk management challenges acing nancialinstitutions remain daunting. Financial institutions that havethe ability to respond fexibly to the continuing series oregulatory changes, coupled with e ective risk governance,strong analytical capabilities, and clear and consistent riskdata, may be better placed to steer a steady course thoughthe ever-shi ting risk management landscape.



DeloittesGlobal risk management survey, eighth edition ,assessed the risk management programs, plannedimprovements, and continuing challenges at 86 nancialinstitutions representing a range o geographic regions,asset sizes, and industry sectors. (See About the survey.)The survey was conducted in the second hal o 2012, at atime o continuing change in the nancial industry and thebroader economy.

Slow economic recovery. At the time this report waswritten, most regions continued to recover slowly roma period o prolonged economic weakness, althoughsigni cant concerns remain. In the United States, theeconomy resumed modest growth and equity marketsposted record nominal highs, but the unemployment rateremained at a historically high level. The Eurozone was

in recession as it struggled to manage the debt crisis inseveral o its member states including Greece, Cyprus,and Ireland, as well as address concerns about the scalhealth o Italy and Spain. In Japan, Prime Minister ShinzoAbes economic stimulus policies, called Abenomics,ueled aster economic growth in early 2013 and highershare prices, while the yen lost value.4 Economic growthslowed somewhat in China, although rising demand andincreasing labor shortages led to worries about increasinginfation. 5 Several other important emerging markets, suchas India and Brazil, have also seen economic growth slow.6

Some monetary stimulus continues. Countries have

been winding down the nancial assistance programsor nancial institutions implemented during the globalnancial crisis. While direct nancial assistance to nancialinstitutions has largely been eliminated, central banksin the United States and Europe continue to maintainhistorically low interest rates in an e ort to stimulatethe economy. The U.S. Federal Reserve announced inSeptember 2012 that it would maintain short-terminterest rates near zero until at least mid-2015, and that itwould not consider raising rates until unemployment haddropped below 6.5 percent. 7 In an e ort to spur growth,the U.S. Federal Reserve has also pursued less traditionalmeasures. In 2012, it announced that it would continue itspolicy o quantitative easing (QE3) until employment hadsubstantially improved.8

Ongoing euro crisis. Although some concerns havelessened, the euro crisis continues and its ultimateresolution remains unclear. The European Union (EU) andthe International Monetary Fund (IMF) have providedbailout packages to Ireland, Portugal, Greece, and Cyprus.The EU also provided a nancial assistance package to ourmajor Spanish banks, requiring them to layo sta andclose o ces. 9 The ongoing debt crisis, coupled with weakeconomic conditions throughout the continent, has led

Introduction

many European nancial institutions to retrench: Europeanbanks have reduced their cross-border lending by US$3.7trillion since the nancial crisis, and the IMF predicts theymay cut their assets by US$2.8 trillion in 2013.10

Un olding impact o regulatory re orm . In the UnitedStates, the 2010 Dodd-Frank Act constituted the greatestchange to U.S. nancial regulation since the 1930s. Yet,substantial uncertainty remains over the impact o Dodd-Frank because the process o issuing the estimated 398rules required by the legislation has proceeded slowly.11 Inthe EU, EMIR came into orce in August 2012 and requiresthe central clearing o standardized OTC derivatives12, thereporting o derivative transactions to trade repositories,and risk mitigation measures or all non-centrally-clearedOTC derivatives. The EU is also considering providing the

European Central Bank (ECB) with increased supervisoryresponsibilities or banks, although concerns have beenraised about providing it with these additional powers. 13 In the United Kingdom, in April 2013, a reorganization oregulatory oversight went into e ect, with the FinancialServices Authority (FSA) being abolished and its prudentialregulatory responsibilities being assumed by a subsidiaryo the Bank o England (Prudential Regulatory Authority),while a new Financial Conduct Authority was created toaddress consumer protection.

Pressures on proftability. While returns on equity (ROE)or the nancial industry once ranged rom 20 to 25

percent, ROE or the largest investment banks has droppedto an estimated 10 percent in Europe and 13 percent inthe United States, and may decline urther due to newregulatory restrictions on lines o business and regulatoryrequirements or higher levels o capital. 14 Dodd-Frankprohibited proprietary trading by banks (Volcker Rule),which Standard & Poors estimates could reduce pretaxearnings or the eight largest U.S. banks by up to $10billion annually.15 Restrictions on proprietary trading couldhave substantial impacts on the business strategies ornancial institutions that operate in the United States,potentially leading institutions to close their proprietarytrading desks and divest their hedge unds and private-equity subsidiaries. New rules on derivative trading inDodd-Frank and in EMIR will require more centralizationand clearing o derivatives trades on exchanges and ewerover-the-counter trades, which are typically more pro tableor nancial institutions.

Increased ocus on systemically important institutions. Regulators have placed increased attention on large banksand nancial institutions considered to be systemicallyimportantthose having the potential to threaten thestability o the nancial system as a whole i they shouldail. Dodd-Frank imposes additional reporting requirements


8/486

on institutions designated as systemically important, andalso requires that these institutions create recovery andresolution plans. In December 2011, the U.S. FederalReserve proposed enhanced prudential standards orsystemically important nancial institutions that includednew risk-based capital and leverage requirements, liquidityrequirements, and limits on credit exposure to a singlecounterparty. 16 The U.S. Federal Reserve also issued similarproposed rules increasing oversight or U.S. operationso oreign banks with total U.S. assets o US$50 billionor more. 17 Internationally, the G20 tasked the FinancialStability Board (FSB) with developing a policy rameworkto address issues related to systemically importantnancial institutions. The Basel III ramework includesthe requirement that systemically important nancialinstitutions18 be required to hold additional capital.

Stricter regulatory capital requirements. In an e ort toincrease the sa ety and stability o the nancial system,regulators are also requiring institutions to maintain higherlevels and quality o capital. Required capital levels inBasel II are based on risk-weighted assets, either using astandard ormula or internal models or larger banks. BaselIII, which will be implemented in a phased approach rom2013 to 2019 (subject to national regulator timelines),will urther increase capital requirements. Basel II is ullyimplemented among European, Canadian, and Japanesebanks, but adoption has been slower in other countriessuch as the United States, China, and India. To de neadequate levels o capital, the U.S. Federal Reserve andthe O ce o the Comptroller o the Currency conduct aprogram that requires annual stress tests by major nancialinstitutions to assess their ability to withstand a severerecession, and this requirement is being expanded in 2013to include all banks with assets greater than US$10 billion.

For European insurers, Solvency II introduces risk-weightedcapital requirements similar to those in Basel II. Theimplementation o Solvency II has been subject to variousproposals and review periods, delaying its e ective date,which is now expected to occur in 2016. 19

While institutions with a larger capital base will be betterable to withstand a severe downturn, they will alsotend to have lower shareholder returns. Higher capitalrequirementswhether as the result o Basel III or stresstestsmay cause banks to re-evaluate their strategy.For example, some institutions may decide to shrink orexit their capital markets-related businesses due to thehigher capital requirements associated with these activitiesand ocus instead on wealth management and assetmanagement.

Liquidity requirements. For the rst time, Basel IIIintroduces two liquidity ratios. Under the LiquidityCoverage Ratio (LCR), banks will be required to maintaina speci ed level o cash and liquid assets that wouldbe available to survive a 30-day severe downturn thatprevents them rom accessing unding markets. In January2013, the Basel Committee responded to concerns overthe impact o these new requirements by extending thee ective date rom 2015 to 2019, counting a wider rangeo assets as highly liquid, and assuming a less drasticwithdrawal o deposits and income over a 30-day periodduring a stress situation.20 Basel III also includes a netstable unding ratio (NSFR) designed to promote moremedium- and long-term unding o banking organizationsby ensuring that long-term assets are unded with atleast a minimum amount o stable liabilities in relation totheir liquidity risk pro les and by limiting over-relianceon short-term wholesale unding during times o buoyantmarket liquidity.21

Limits on executive compensation. Following thegovernment assistance provided to nancial institutions inrecent years, there has been public criticism against whathas been perceived as lavish executive compensation, aswell as a belie among many that compensation practiceshad encouraged excessive risk taking. In March 2013,the EU moved to limit the bonuses that can be paid tobank executives to no larger than the executives salaryor else no more than double the salary i shareholdersexplicitly agree.22 In March 2013, Swiss citizens approveda re erendum that gave shareholders a binding say on theoverall pay o executives and directors, and prohibitedcompanies rom awarding bonuses when executives joinedor le t the company, or when the company was acquired. 23

Operational risk events. The importance o strengtheningrisk management capabilities within nancial institutionshas been underscored by a series o events thathave resulted in substantial nancial losses and legalsettlements. These include legal settlements resulting romen orcement actions, major losses rom ailed investmentstrategies, misuse o client unds, computer mal unctions,and cyberattacks that incapacitated websites.

Several years a ter the global nancial crisis, regulatorychange remains one o the key drivers o risk management.Financial institutions are acing increased costs ocompliance as regulatory requirements and reportingbecome more stringent, especially or large, systemicallyimportant institutions. Institutions are being required tomaintain more capital, which can increase s tability in thecase o a severe downturn but can also depress returns.



Risk-weighted capital requirements, coupledwith new restrictions on proprietary trading,derivatives trading, and other lines obusiness, may lead institutions to revise theirbusiness models in an e ort to reduce theamount o capital they are required to hold.

Financial institutions had traditionally ocusedtheir risk management programs on market,credit, and operational risk. The recentbreakdowns at several institutions havehighlighted the need to upgrade operationalrisk management at many institutions. Inaddition to reexamining their approachesin these traditional areas, institutions arealso now devoting more attention to a

wider range o risks including liquidity risk,regulatory risk, and reputational risk.

Although major revisions to laws andregulations were instituted soon a ter thecrisis, many o the necessary related changeshave not yet been ully implemented.How rules are written during the currentimplementation phase may well have asgreat an impact on nancial institutions asthe re orms that were initially signed into lawor announced by regulatory authorities.

About the surveyThis report presents the key ndings rom the eighth edition o

Deloittes ongoing assessment o risk management practices in theglobal nancial services industry. The survey gathered the views oCROs or their equivalents at 86 nancial services institutions aroundthe world and was conducted rom September to December 2012. The institutions participating in the survey represented the

major economic regions o the world, with most institutionsheadquartered in the United States/Canada, Europe, or Asia Paci c(Figure 1). Most o the survey participants were multinationalinstitutions, with 65 percent having operations outside their homecountry.

The survey participants represented a variety o nancial sectors,with the largest concentrations among integrated nancial

institutions, commercial banks, retail banks, and insurancecompanies (Figure 2).

The institutions had total combined assets o US$18.7 trillion andrepresented a range o asset sizes (Figure 3). Among the surveyparticipants, 53 percent provided asset management services, witha total o US$9.2 trillion in assets under management.

The previous edition o this risk management survey report serieswas released in early 2011, based on a survey conducted in the thirdquarter o 2010. Where relevant, this report compares the currentresults with those rom the 2010 survey.

Figure 1. Participants by headquarters location

U.S. & CanadaEurope

Asia PacicLatin AmericaMiddle East & Africa

19%

39%

35%

6% 1%

Integrated nancial institutionCommercial bank

Retail bankInsurance companyAsset managementGovernment-related nance companyInvestment bankBancassuranceOther

33%

21%

14%

2% 6%2%

3%

5%

14%

Greater than US$100BUS$10-US$100BLess than US$10B

35%

41%

24%

Figure 2. Participants by primary business Figure 3. Participants by asset size

Analysis by asset sizeIn this report, selected survey results are analyzed by the asset size o participating institutions using theollowing de nitions:

Small institutions = Institutions with total assets o less than US$10 billion Mid-size institutions = Institutions with total assets o US$10 billion to less than US$100 billion Large institutions = Institutions with total assets o US$100 billion or more


10/488

Risk governance

Role o the board o directorsRegulators are paying increased attention to the role othe board o directors in risk governance, i.e., providingdirection to and approval o the institutions risk appetiteand risk policy, and overseeing their implementationby management.

In October 2010, the Basel Committee on BankingSupervision issued principles or enhancing corporategovernance that addressed such issues as the role o theboard o directors, the quali cations o board members,and the importance o an independent riskmanagement unction.

In the United States, the proposed enhanced prudentialstandards issued by the U.S. Federal Reserve requires

that systemically important nancial institutions andbank holding companies with more than US$50 billionin assets and publicly-traded bank holding companieswith more than US$10 billion in assets must establisha risk committee o the board o directors that willbe responsible or overseeing enterprise-wide riskmanagement practices. 24 In addition, the board riskcommittee is required to include at least one independentdirector and at least one risk management expert.

As an indication o the increasing importance o theboards risk management responsibilities, 94 percent o theinstitutions surveyed said their board o directors devotedmore time to the oversight o risk compared to ve yearsago, with 67 percent saying it committed considerablymore time than be ore. None o the institutionsparticipating in the survey said their board spent less timeon the oversight o risk management than it didve years ago.

Most institutions also reported that their boardso directors took an active role in oversight o riskmanagement (Figure 4). For example, 98 percent oinstitutions said their board o directors or board riskcommittee(s) reviews regular risk management reports,up rom 85 percent in the 2010 survey, and 81 percentsaid it reviews and approves the institutions overall riskmanagement policy and/or ERM ramework (up rom 78percent in 2010). Seventy- ve percent o institutions saidtheir board o directors reviews individual risk managementpolicies, e.g., or market, credit, liquid ity, or operationalrisk, up rom 65 percent in 2010.

A written enterprise-level statement o risk appetite oran organization (or a more speci c one written or amajor line o business) is a key document that can in ormindividual business decisions regarding how much riskthe organization is prepared to assume in pursuit o its

business objectives. The importance o board approvalo the risk appetite statement is refected in the higherproportion o the institutions that reported this to be thecase, 78 percent o the institutions surveyed, up rom 67percent in 2010.

There has been increased scrutiny o whethercompensation plans are aligned with the institutionsoverall risk tolerance and whether they may encourageexcessive risk taking. Although there has been progressin this area since 2010, only about hal the institutionsreported that their board o directors considers the riskimplications o the incentive compensation plan. In 2012,49 percent o institutions said their board o directorsreviews the compensation plan to consider alignmento risks with rewards (up rom 35 percent in 2010). The

increasing number o boards o d irectors that reviewcompensation plans rom a risk perspective suggests thatsome boards are taking a more active role in assessing thepotential relationship between compensation andrisk taking.

As the expectations or the boards role in riskmanagement have increased, many management teamshave responded by providing their boards with additionalin ormation. In some cases, these enhancements haveresulted in greater insights, while in others more data hassimply been provided in the name o transparency. Someboards may nd the volume o risk-related in ormation to

be overwhelming, lacking in context, or too granular tobe use ul. Deciding what in ormation to provide to theboardand when to provide itremains challenging ormany nancial services companies.

Weve been running more training sessions orthe board to give them a better view as to whatexpectations are: outside o regularly scheduledmeetings, we are ocused on providing tutorialsto keep them up to speed on the changes thatare taking place within our risk in rastructureand to help them ulfll their obligations.CRO, large global fnancial institution



Board risk committees

When it comes to how boards o directors assign theprimary responsibility or risk oversight, only 24 percento the institutions surveyed reported that this is theresponsibility o the ull board o directors. Instead, mostinstitutions (62 percent) assign this responsibility to one ormore board committees that oversee risk management,including risk policies and the organizations risk appetite.The most common approach, adopted by 43 percento the institutions surveyed, is to place the responsibilityor risk oversight with a risk management committeeo the board. Other approaches taken were assigningresponsibility to the audit committee (7 percent), making ita combined responsibility o both the risk committee and

the audit committee (7 percent), and assigning it to anindividual member o the board (8 percent).

Large institutions were more likely to have a board riskcommittee, with 53 percent o large institutions having onecompared to 24 percent o small institutions. Institutionsin the the United States/Canada were also more likely tohave such a committee: 71 percent reported having aboard risk committee, compared to 39 percent in Europeand 37 percent in Asia Paci c. This is likely due to the actthat Dodd-Frank requires publicly-traded bank holdingcompanies with total assets o US$10 billion or more andsystemically important publicly-traded nonbank nancialcompanies to have a board risk committee.

Fi ty- our percent o institutions said their board risk

committee was chaired by an independent director, and 55percent reported that it contained at least one identi edrisk management expert. These are considered leadingindustry practices and are required by U.S. enhancedprudential standards regulatory rules that are currentlyin dra t. Including independent directors was morecommon among large institutions. While 67 percent olarge institutions had at least one independent director ontheir board risk committee and 59 percent had their riskcommittee chaired by an independent d irector, only 29percent o small institutions had an independent director.

Structural changes appear to have created a need orbetter coordination among committees and the ullboard. For example, discussions by the compensationcommittee related to executive remuneration programsneed to be in ormed by the actions and activities o therisk committee. In addition, the ull board needs to remaindiligent and risk-aware, resisting the urge to delegate all itsresponsibilities to one or more committees. Acknowledgingthe need or more ormalized communication is animportant rst step. Beyond that, boards can considercross-committee membership, periodic joint committeemeetings, and robust committee reports to the ull boardas options or improving coordination.

43%

49%

51%

57%

58%

68%

73%

75%

78%

81%

98%

0 10 20 30 40 50 60 70 80 90 100

Review regular risk management reports

Review and approve overall risk managementpolicy and/or ERM framework

Approve the risk appetite statement

Review individual risk management policies, e.g.,for market, credit, liquidity, or operational risk

Review corporate strategy for alignmentwith the risk prole of the organization

Review managements steps to remediate anynoncompliance with risk management policy

Dene risk management reporting linesand independence

Conduct executive sessions with CRO

Help establish and imbed the risk culture of theenterprise; promote open discussions regarding risk

Review incentive compensation plans toconsider alignment of risks with rewards

Review the charters of management-levelrisk committees

Figure 4. Which o the ollowing risk oversight activities does your companys board o directors or board risk committee(s) per orm?


12/4810

Risk policy The board o directors should be responsible or providinginput to management in setting the organizations riskmanagement policy and or providing oversight over itsimplementation. Some topics are widely accepted as areaswhere the board risk committee (or equivalent) shouldprovide oversight. For example, most institutions reportedthat their board risk committee had de ned responsibilitiesor risk oversight (81 percent), risk appetite (69 percent),and risk management policies (68 percent). Risk appetiteis an important area or board risk committees to provideinput, oversight, and ongoing monitoring, but this can bechallenging or non- nancial risks which are less readilyquanti able. Reviewing and overseeing risk policies is acore unction o a board risk committee, and one wouldexpect more risk committees to per orm this unctionover time.

Reviewing and approving management risk committeecharters is another important role o a board riskcommittee, and it is notable that only 45 percent oinstitutions reported this as one o their committeesresponsibilities. Only 24 percent o United States/Canadianinstitutions cited management risk committee charters asa responsibility o their board risk committee, compared to53 percent in Europe and 44 percent in Asia Paci c. Theseresults suggest that the United States/Canadian institutionshave more work to do in this area.

Risk ramework and risk appetite In the survey, 73 percent o institutions reported havingan ERM ramework and/or an ERM policy. The importanceo board input on the ERM ramework and/or ERM policywas refected in the act that 59 percent had it approvedby their board o directors while another 17 percenthad it approved by their management risk committee. Inaddition, another 20 percent o institutions said theydid not have an ERM ramework/policy but plan todevelop one.

In creating a statement o risk appetite, the most commonapproach was to de ne risk appetite both quantitatively

and qualitatively, which was reported by 79 percent oinstitutions. The percentage o institutions that used only aquantitative approach declined rom 22 percent in 2010 to12 percent in 2012, with a corresponding increase in thepercentage that use a mix o both methods.

Institutions use a variety o quantitative methods to de nerisk appetite, with the most common methods beingacceptable loss levels (76 percent), system o risk limits (71percent), economic capital (69 percent), and regulatorycapital (69 percent). Although adoption increased or manyquantitative methods compared to 2010, the use o net

income/loss levels dropped rom 50 percent in 2010 to 41percent in 2012; this is a positive sign because this method isconsidered a less sophisticated method to de ne risk levels.

De ning risk limits or speci c categories o risk can helpmake a risk appetite statement operational. Roughly three-quarters o institutions said they establish risk limits at anenterprise level or market risk, credit risk, operational risk,liquidity and unding risk, and asset/liability management risk.Institutions are less likely to establish such limits at a businesslevel or at the level o the trading desk (or equivalent). Forexample, 44 percent said they establish risk limits or liquidityrisk at the business level but only 22 percent at the tradingdesk level. For operational risk, 52 percent establish risklimits at the business unit level and 17 percent at the tradingdesk level. Operational risk limits can be especially di cult

to de ne. Once an institution has decided to compete in aline o business, it inevitably assumes operational risk that issubsequently not easy to limit.

Although the use o risk limits was roughly the samecompared to 2010 or most risk categories, the use o risklimits or insurance increased or the enterprise level to 53percent in 2012 rom 43 percent in 2010, and to 67 percentrom 49 percent at the business level.

Management oversight An e ective risk management program starts with seniormanagement leadership. Senior management shouldexplore ways to communicate throughout the organizationthe importance o managing risk and establish a culturein which considering and managing risk is an integralelement in all business decisions. Some o the speci c stepssenior management can take to help develop a risk-awareculture include establishing appropriate managementrisk committees, balancing the roles o the central riskmanagement unction and the individual business units,and establishing a senior-level CRO position.

Use o management risk committees Many institutions reported having a variety o management-level risk committees: asset liability management (74percent), credit risk (59 percent), enterprise risk management(59 percent), operational risk management (44 percent),market risk management (44 percent), and investment risk(42 percent).

Large institutions were more likely to have a variety omanagement risk committees, which is understandablebecause their activities and risk pro les are likely to bemore complex. For example, 72 percent o large institutionsreported having a management-level operational riskmanagement committee, compared to 43 percent omid-size institutions and 33 percent o small institutions.



Figure 5. Percentage o institutions with CRO or equivalentO course, the types o nancial services an institutionprovides will have an important impact on whichmanagement risk committees it needs. For example,institutions that are active in securities trading or insurancewill have a greater need or market risk or insurancerisk committees.

Key role o the CRO The CRO can play a key role as a senior executive withoverall responsibility or oversight o risk managementhelping to increase senior management and boardattention to risk considerations and implement consistentrisk management policies and practices across theorganization. Although the prevalence o a CRO has variedin past Deloitte global risk management surveys, it hasgenerally increased, and in 2012 89 percent o institutions

reported having a CRO or equivalent position, up rom65 percent in 2002 (Figure 5). Even 81 percent o smallinstitutions reported having a CRO or equivalent position,along with 97 percent o large institutions. In addition,93 percent o integrated nancial institutions, which tendto have more complex operations and risk challenges,reported having a CRO. Some nancial institutions havealso created the Chie Compliance O cer (CCO) as a senior-level position, in some cases hiring ormer regulators to llthese positions.

The CRO reports to the CEO at 71 percent o theinstitutions surveyed, while reporting to the board odirectors or a board committee at 43 percent. 25 The CROreports to either the CEO or the board (or both) at roughly80 percent o the institutions. Having the CRO report to theboard o directors as well as to management is considereda best practice, to provide the board with an independentsource o in ormation and reporting on the operation o theorganizations risk management program. However, evenamong large institutions, 50 percent said the CRO did notreport to the board, indicating there may be more work todo in strengthening CRO reporting.

Most institutions cited a wide range o responsibilities ortheir CRO and independent risk management group. Morethan 80 percent o institutions said these responsibilities

included escalating risk issues to the CEO and/or theboard o directors, identi ying risk concentrations, andidenti ying new and emerging risks. At many institutions,the CRO and risk management unction also have morestrategic responsibilities, indicating their higher pro le inthe organization: assisting in developing the rm-wide riskappetite statement (87 percent), participating in executivesessions with the board o directors and/or board riskcommittee (79 percent), providing input into businessstrategy development and the periodic assessment o theplan (79 percent), and approving new business orproducts (63 percent).

Striking a balance between centralized riskmanagement and business unit risk management Most institutions reported that they ollowed a centralizedapproach to risk management. For example, roughlytwo-thirds o institutions said counterparty risk limitexcess approval and credit policy exception approval weredetermined by independent risk management, while onlyabout 10 percent said these were determined by theirbusiness units; the remaining institutions said they were ashared responsibility.

However, there were several areas where institutionswere more likely to report their business units played a

leading role. For trading transaction approval, 54 percento institutions said this was determined by their businessunits compared to 28 percent who cited independent riskmanagement; or new transaction approval, 34 percentsaid this was determined by business units, while 32percent said independent risk management took the lead.

Three lines o de ense risk governance model Using a three lines o de ense governance model orrisk management has become increasingly accepted as arecognized practice in risk management in the nancialservices industry. The three lines o de ense governancemodel comprises the ollowing:

1. Business units take and manage risks2. Independent risk management unction monitors the

activities o the business units3. Internal audit unction audits the activities o the

business units and o the risk management unction

0

20

40

60

80

100

201220102008200620042002

65%

81% 84%

73%

86%89%


14/48



The survey ound that about hal o the institutionsincorporate risk management into per ormance goals andcompensation or compliance personnel (61 percent) andsenior management (55 percent), while ewer do so orbusiness unit personnel (35 percent), nance personnel(34 percent), or middle management (34 percent). Further,the percentages o institutions that incorporate riskmanagement into per ormance goals and compensationplans or di erent groups o employees have not increasedsigni cantly since the 2010 survey. This is an area wheremany institutions can continue to make progress.

However, many institutions reported that they hadtaken several steps to incorporate risk management intoincentive plans or senior management. These include useo multiple incentive plan metrics (83 percent), requiring

that a portion o the annual incentive be tied to overall

corporate results (73 percent), de erred payouts linkedto uture per ormance (58 percent), and balancing theemphasis on short- and long-term incentives (59 percent).The use o clawback provisions has become morecommon, with 41 percent o institutions reporting in 2012that these are used or senior management, compared to26 percent in 2010.

The use o many o these methods o incorporating riskmanagement considerations into the incentive plans orsenior management was more common among largeinstitutions than at small institutions: use o clawbackprovisions (55 percent versus 14 percent), matching thetiming o payouts with the term o the risk (41 percentversus 14 percent), de erred payouts linked to utureper ormance (73 percent versus 29 percent), and payments

in company stock (69 percent versus 14 percent).

Figure 6. Which risk management considerations does your company incorporate into its incentive plans for senior management personnel?

31%

33%

41%

50%

50%

58%

59%

73%

83%

0 10 20 30 40 50 60 70 80 90 100

Use of multiple incentive plan metrics

Requiring that a portion of the annualincentive be tied to overall corporate results

Balancing the emphasis on short-and long-term incentives

Deferred payouts linked tofuture performance

Caps on payouts

Payment in company stock

Use of clawback provisions

Use of individual metrics tied to the implementationof effective risk mitigation strategies

Matching the timing of payoutswith the term of the risk


16/4814

Enterprise risk management

An ERM program is intended to provide an institution withan overall ramework and methodology or managingthe risks that could prevent it rom achieving its businessobjectives. ERM assists organizations to identi y andmanage signi cant risks and to then clari y their riskappetite and risk pro le. Because ERM examines risksacross the organization, it can help identi y dependenciesand interrelationships among risks that had not beenrecognized.

Regulators are pushing large, and increasingly mid-size,nancial institutions to establish ERM programs, link theseprograms to the strategic planning process, and engagethe board o directors in considering their ndings. Inorder or the program to be most e ective, the ERMunction should be kept independent o the business

units and report into the CRO or an equivalent position.Regulators are also examining the quality and e ectivenesso ERM programs and are communicating with institutionswhere they believe these programs need to be enhanced.

The adoption o ERM has increased steadily over the yearsthat Deloitte has conducted its risk management surveyseries. In 2012, 83 percent o institutions reported thatthey either had an ERM program in place or were currentlyimplementing one (Figure 7). These institutions include 62percent with an ERM program in place, up rom 52 percentin 2010. This is a sign o progress as more institutionsimplement a comprehensive organization-wide approach

to setting risk and managing risk. In 2012, an additional 8percent o institutions said they were planning to create anERM program.

Adoption o ERM was most common among institutionsin the United States/Canada, where 71 percent said theyhad a program in place, compared to 67 percent in Europeand 55 percent in Asia Paci c. Integrated nancial servicesinstitutions tend to have more complex business modelsand risk management issues, and 82 percent o theseinstitutions reported having an ERM program in place,more than or any other sector.

ERM program coverage Institutions reported their ERM programs cover a varietyo risk types. Eighty percent or more said their ERMramework addressed operational risk (96 percent),market risk (94 percent), credit risk (93 percent), businesscontinuity/IT security risk (89 percent), and counterpartyrisk (88 percent). Liquidity risk has emerged as animportant issue, and 82 percent o institutions said theirERM ramework covered it. Model risk can be an important

source o risk, and 61 percent o institutions said it wasincluded in their ERM programs, including 76 percent olarge institutions.

Risk management budgets Most institutions reported having relatively small ERMoperations. Twenty-nine percent o institutions had ERMoperations with 10 ull-time employees or ewer, while46 percent had operations with 11 to 100 ull-timeemployees. As might be expected, the headcount inERM operations varied by size o the institution. While 39percent o large institutions reported having more than

Figure 7. Does your organization have an ERM program or equivalent?

I think the biggest challenge we ace is making sure that theconcept o risk appetite is integrated into both our strategic andtactical planning sessions, and that the lines o business areworking with their risk partners to ensure that plans,individually and collectively, ft within the banks overall riskappetite statement.CRO, large global fnancial institution

Yes, currently implementing one

62% 21% 8%

2006

2008

2010

2012

0 10 20 30 40 50 60 70 80 90 100

85%

82%

93%

91%62% 21% 8%

52% 27% 14%

36% 23% 23%

35% 32% 18%

No, but plan to create one

Yes, program in place



250 ull-time employees in their operation, this gurewas 13 percent or mid-size institutions; none o thesmall institutions had ERM operations this large. Amonginsurance companies, 90 percent reported having 100 orewer employees in their ERM unction, which may be theresult o a lower level o development.

Many institutions said they had expanded their ERMprograms. Over the prior 12 months, 46 percent osurvey respondents had increased headcount in their riskmanagement unction, while only 6 percent had decreasedthe number o employees.

Looking ahead, most institutions plan to expand riskmanagement budgets. Over the next three years, 58percent o the institutions surveyed expected to increase

annual spending on risk management, with 17 percentanticipating annual increases o 25 percent or more. Thisgure is down rom the 78 percent o institutions in 2010who expected to increase spending. Some institutions mayeel they have already increased their risk managementbudgets su ciently in recent years in response todevelopments in the nancial markets and the recent waveo regulatory change.

Institutions in the United States/Canada were morelikely to report increases in headcount and to expectspending to increase. Sixty percent o the United States/ Canadian institutions reported adding employees overthe past 12 months, compared to 42 percent in Europeand 38 percent in Asia Paci c. Similarly, 75 percent oinstitutions in the United States/Canada expected increasesin risk management spending over the next three years,compared to 62 percent in Europe and 40 percent in AsiaPaci c. These di erences may be the result o the pace andextent o regulatory requirements driving risk managementthat has occurred in this region, especially in the UnitedStates where Dodd-Frank is still in the process o beingimplemented.

Although large institutions may have greater riskmanagement challenges, only 40 percent o theseinstitutions expected to increase their annual spending,compared to 66 percent o mid-size institutions and72 percent o small institutions. This may be due tothe act that a number o new regulatory requirementswere applied rst to the largest institutions but are nowcascading downward and being applied to smallerinstitutions.

Risk reporting Most institutions said their board o directors receivesa wide range o risk in ormation (Figure 8). The mostrequent type o risk in ormation provided to the boardconcerns stress testing, which is provided at 83 percento institutions, up rom 72 percent in 2010, when it wasthe third most requent type o report. Stress testinghas become more important among both regulatorsand nancial institutions as a method o assessing theability to withstand a severe recession and a downturnin nancial markets. Other types o risk in ormationrequently provided to boards o directors were riskconcentrations (79 percent), utilization versus limits (73percent), compliance-related matters (71 percent), newand emerging risks (70 percent), and risk assessmentresults (70 percent).

Assessing new business initiatives The decision on which businesses to enter and which typeso products to bring to the market can have a pro ounde ect on the level and nature o risk that an organizationassumes. As a result, nancial institutions have ocusedtheir attention on how risk is considered when makingthese decisions.

Most institutions reported considering a wide rangeo risk types in their business and product approvalprocess. Leading the list o risk types considered, eachby 90 percent o institutions, were regulatory, legal,

and operational. In making these decisions, roughlythree-quarters o institutions also considered marketrisk and credit risk. Many institutions reported that theyalso consider other risk types such as systems ability (72percent), sta ng needs (70 percent), and technology (69percent). Large institutions were more likely to considersome actors than small institutions, including systemsability (83 percent versus 63 percent), product volumes (76percent versus 47 percent), and tax capacity (69 percentversus 37 percent).

Beyond entering new businesses or introducing newproducts, institutions should consider which other types

o initiatives should be subject to their approval process.Almost 90 percent o institutions said they require approvalo major changes to existing business/products, and manyinstitutions include changes to business/product risk pro le(57 percent) and business/products in new jurisdictions orto a new client base (54 percent). Many institutions alsoreview the potential risks associated with new systemsneeded to implement products or businesses (57 percent).


18/4816

Systemic risk Both Dodd-Frank and Basel III include provisions ornancial institutions designated as systemically important.Among the institutions surveyed that received thisdesignation, 48 percent elt that s igni cant preparationwill be required or them to comply with potential

increased regulatory requirements. There has been agreater ocus by regulators in the United States/Canadaand Europe on systemically important nancial ins titutionsthan in Asia Paci c. This may explain why 47 percento these institutions in Asia Paci c elt that they wouldrequire minimal preparation to comply with increasedrequirements compared to only 22 percent in UnitedStates/Canada and 29 percent in Europe.

Figure 8. Which o the ollowing types o risk in ormation doesyour organization currently report to the board o directors?

Roughly hal o the institutions participating in the surveysaid they have a recovery and resolution plan (living will)or a local equivalent, o which 32 percent said it had beenapproved by their board o d irectors. This requirement orlarge institutions is now being phased in by regulators in theUnited States, Canada, and Europe. Although this is comingto be considered a leading practice, it is typically not yet astep that most institutions would decide to take on theirown without a requirement by their regulators.

Responses to the Eurozone crisis Institutions were asked how they had responded to theongoing crisis in the Eurozone. Seventy-nine percent o theinstitutions reported having taken actions in response tothe crisis, with larger institutions much more likely to havetaken action. Among large institutions, 93 percent had taken

actions in response to the crisis, compared to 82 percent ormid-size institutions, and 52 percent or small institutions.It is likely that more large institutions conduct business inEurope, or with European counterparties or clients, andhence are more a ected by the crisis.

Among institutions that took action, by ar the mostcommon response was evaluating counterparties moreclosely (89 percent). The second most common action alsoconcerned counterparties: cease trading with counterparties(42 percent). Other responses mentioned o ten werepreparing or potential euro currency unwind (33 percent)and selling sovereign debt (27 percent).

There were several notable di erences in how institutionsin di erent regions responded. For example, 58 percent oinstitutions in United States/Canada said they were preparingor a potential unwinding o the Euro, compared to 33percent among European institutions, seeming to indicatecon dence among European institutions that the EU wouldeventually resolve the crisis. Among institutions in AsiaPaci c, only 22 percent said they were preparing or thepossible unwinding o the currency. Institutions in this regionwere less likely to take any o these actions, suggesting theymay have ewer European business relationships.

On the other hand, 58 percent o European institutionssaid they had ceased trading with certain counterpartiescompared to 25 percent in the United States/Canada and39 percent in Asia Paci c. This may be due to the act thatmore European institutions have important counterpartyrelationships with institutions in Europe that had beenadversely a ected by the crisis, such as those in or impactedby Greece, Cyprus, Ireland, and Portugal.

29%

30%

39%

44%

50%

51%

61%

70%

70%

71%

73%

0 10 20 30 40 50 60 70 80 90

Utilization vs. limits

Compliance-relatedmatters

New and emerging risk

Risk assessment results

Operational failures

Risk exceptionsreporting

New products andbusinesses

Code ofethics violations

Shareholder/customercomplaints

Model validation results

Systemic risk

Risk concentrations

Stress testing

79%

83%



Regulatory and economic capital

Many large nancial institutions calculate the amount oeconomic capital they need as a bu er in troubled economictimes. In order to enhance the measurement o economiccapital many regulators and nancial institutions are relyingmore on alternative measures o capital adequacy.

European banks, securities rms, and asset managementrms are employing Basel II to assess whether they havesu cient capital reserved. In contrast, in the United States,only the largest banking institutions have been requiredto comply with Basel II, which they are in the process oimplementing. For larger U.S. banks, the program o annualstress tests mandated by Dodd-Frank and managed by theU.S. Federal Reserve provides the key assessment ocapital adequacy.

The survey assessed the state o implementation o

Basel II and III, the use o stress tests, and calculation oeconomic capital. The survey also asked insurers about theirimplementation o Solvency II.

Basel Basel II was designed to implement a risk-based standard oregulatory capital, while improving the measurement andmanagement o credit, market, and operational risk. Largerbanks tend to use advanced approaches or Basel, and manylarge U.S. banks are currently in parallel run, reporting bothBasel I and Basel II results to the regulators. In China, theregulators are implementing Basel II and III simultaneously.

Basel III is designed to provide the nancial system with

higher levels o tangible capital, more liquidity, and greatertransparency. 26 Among other provisions, it will require banksto hold Tier 1 capital o 7 percent o risk-weighted assets,create a more stringent de nition o Tier 1 capital, introducea liquidity coverage ratio in an e ort to provide institutionswith su cient liquid assets to survive a 30-day period oa severe recession and stress in the capital markets, and

implement a NSFR designed to encourage institutions toemploy more medium and long-term unding. Basel III isscheduled or implementation in a phased approach rom2013 to 2019 (subject to national regulator timelines).

Among the institutions surveyed, 51 percent weresubject to Basel II/III regulatory capital requirements,while an additional 17 percent were not subject tothese requirements but have voluntarily adopted them.Sixty percent each o institutions in Europe and in AsiaPaci c said they were subject to Basel II/III requirements,compared to only 18 percent o U.S. institutions.

Institutions subject to Basel II regulatory capitalrequirements were asked which approach they were using,or intending to use, or credit, market, and operationalrisk (Figure 9).27 Compared to the 2010 survey, some

institutions reported using somewhat more advancedapproaches.

Credit risk. The approaches used by institutions orcredit risk were airly evenly split among Standardized (37percent), Foundation IRB (27 percent), and Advanced IRB(36 percent). Compared to the 2010 survey, the use oFoundation IRB increased (36 percent in 2012 versus 18percent in 2010) while the use o Standardized declined(38 percent in 2012 versus 52 percent in 2010). Thissuggests that institutions are migrating to somewhat moreadvanced approaches or credit risk under Basel II.

Market risk. Most institutions use the Standardized

Measurement Approach (64 percent) or market risk,ollowed by the more advanced Internal Models Approach(33 percent) and the more basic 1988 Risk Weight Rules(4 percent). The Standardized Measurement Approachincreased to 64 percent rom 51 percent in 2010, whilethe percentage using 1988 Risk Weight Rules declinedrom 13 percent to 4 percent.

Figure 9. Which approach does your organization currently use or intend to use or Basel II on a consolidated basis or credit risk,market risk, and operational risk?

Credit risk Market risk Operational risk

StandardizedFoundation IRBAdvanced IRB

37%

27%

36%

1988 Risk Weight RulesStandardized Measurement ApproachInternal Models Approach

4%

63%

33%

Basic IndicatorStandardized/Alternative Standardized ApproachAdvanced Measurement Approaches

33%

43%

24%


20/4818

Operational risk. For operational risk, 33 percent oinstitutions reported using the Basic Indicator approach,while the somewhat more advanced Standardized/ Alternative Standardized Approach was employed by 44percent. Again, more institutions reported using advancedapproaches than in the prior survey. The use o AdvancedMeasurement Approaches increased to 24 percent rom15 percent in 2010, while the percentage using the BasicIndicator approach declined to 33 percent rom 45percent in 2010.

Large institutions were more likely than small institutionsto use the most advanced approaches. For example, 50percent o large institutions used Advanced IRB or creditrisk compared to 20 percent or small institutions, while67 percent o large institutions reported using the InternalModels Approach or market risk compared to 11 percentor the small institutions.

When asked about the Internal Capital AdequacyAssessment (ICAAP) or Basel II Pillar II, 58 percent oinstitutions reported using the Economic Capital Approach,while 22 percent used the Pillar I Plus Approach and 13percent used the Expert Judgment Approach.

Counterparty credit risk is receiving signi cant attentionrom regulators and nancial institutions: roughly three-quarters o the institutions surveyed have adopted(or intend to adopt) the current exposure method/ standardized method or OTC derivatives (77 percent) andor securities nancing transactions (70 percent) in BaselII/III, while 14 percent have adopted the Internal ModelMethod (IMM) or OTC derivatives and 12 percent haveadopted it or securities nancing transactions. The InternalModel Method or OTC derivatives is a more advancedapproach that requires regulatory approval.

Institutions appear to have made signi cant progress inimplementing Basel II (Figure 10). Most institutions saidthey had completed or largely completed their work onthe three pillars o Basel IIPillar I: Minimum CapitalRequirements (81 percent), Pillar II: Supervisory ReviewProcess (78 percent), and Pillar III: Market DisciplineRequirements (71 percent).

Institutions reported less progress on Basel III, with lessthan 20 percent having completed work in any area.However, slightly more institutions said they had eithercompleted work or had little work remaining on Basel III inthe ollowing areasPillar I: Enhanced Capital Standards(49 percent), Pillar I: Enhanced Risk Coverage (35 percent),and Liquidity Standards: Liquidity Coverage Ratio(LCR) (31 percent).

Institutions have to decide how to organize their e ortsto manage and implement Basel III, and most surveyrespondents said they were basing their e orts on theirexisting Basel II e ortsmostly leveraging the exis tingBasel II program o ce structure (47 percent) or enhancingthe existing Basel II program o ce structure (14 percent).Only 11 percent o institutions indicated that they settingup a separate program o ce structure or Basel III.

Beyond organization, Basel III presents a number ochallenges. The issues most o ten cited as extremely orvery challenging in implementing Basel III were clarity/ expectations o regulatory requirements (53 percent),internal resources and capabilities and budget (52percent), data management (50 percent), and technologyin rastructure (45 percent).

Institutions were asked to estimate the percentage otheir total regulatory capital requirements or di erentrisk types. For Basel II, institutions estimated that theirregulatory capital was allocated among counterparty creditrisk (37 percent), other types o credit risk (48 percent),operational risk (11 percent), and market risk (4 percent).For Basel III (pro orma), the percentages estimated weresimilar to those or Basel II.

Although the requirement to comply with Basel III isbeing phased in, some observers believe there is a marketexpectation that institutions should comply sooner ratherthan later. In act, some large institutions already calculateBasel III regulatory capital and publish the results in theircommunications to investors and analysts, stressing theyare already in compliance. In the survey, 59 percent oinstitutions reported that they currently meet the minimumcapital ratios o Basel III, while an additional 22 percentexpect to meet these minimum capital ratios well be orethe deadlines.

Basel III has more stringent capital requirements thanBasel II and will require institutions to analyze the impacton required capital o their assets. When asked whichactions their organization has taken, or is intending totake, to mitigate adverse capital impacts rom Basel III,the most popular action was to improve ongoing balancesheet management (59 percent), while another commonresponse was to scale back on capital-intensive port olios(43 percent). Many institutions also said that Basel IIIwould lead them to reconsider their business strategy,citing they would adjust business models (49 percent), orexit or reduce an existing business area (22 percent).



Figure 10. What level o progress has your organization made with respect to implementing each o the ollowing areas o Basel II/III?

70% 11%

61% 18%

6% 19%

7% 20%

8%

4% 24%

8% 24%

13% 23%

18% 27%

63% 8%

25%

27%

28%

28%

32%

36%

45%

71%

79%

0 10 20 30 40 50 60 70 80 90 100

Basel II Pillar II:Supervisory review process

Basel II Pillar III:Market discipline requirements

Basel III Pillar I:Enhanced capital standards

Basel III Pillar I:Enhanced risk coverge

Basel III Pillar III: Reviseddisclosure requirements

81%Basel II Pillar I:

Minimum capital requirements

Basel III Pillar II:Supplemental requirements

Basel III liquidity standards:Net stable funding ratio (NSFR)

Basel III:Leverage ratio

Basel III liquidity standards:Liquidity coverage ratio (LCR)

20%

Little work still neededCompleted

Solvency II Solvency II is a capital adequacy regime developed by EUregulators or insurers. As with Basel II, Solvency II uses arisk-based approach and employs a three-pillar approachacross a range o risks, in this case market, credit, liquidity,operational, and insurance risk. Solvency II has experienceda series o delays and is not expected to be implemented inull be ore 2016. 28

Twenty percent o the institutions surveyed were subjectto Solvency II or to similar revised regulatory capitalrequirements. These institutions were asked how theywere complying with these new requirements. 29

When asked how much fexibility their business unitshad in implementing the organizations strategy to meetthe requirements o Solvency II, roughly two-thirds oinstitutions said they have some fexibility, while only 13percent said they have substantial fexibility. Comparedwith 2010, the percentage that gave their business unitssubstantial fexibility declined (13 percent in 2012 versus29 percent in 2010), while the percentage that gave themsome fexibility rose (69 percent in 2012 versus 46 percentin 2010). This may be due to the act that institutions have

completed two more years o implementation, and theyare now more involved in the details o implementationthan in the overall design o how they plan to comply.

In deploying the resources needed to comply withSolvency II, hal o the institutions said they had adedicated internal risk team in place, up signi cantlyrom 35 percent in 2010. In addition, hal said that therelevant unctions were aware o Solvency II developmentsand that individuals had been designated to take on therequired responsibilities once Solvency II is closer to beingimplemented, while 36 percent said they were usingexternal assistance to prepare to comply. 30

Under Solvency II, institutions can either use a standardormula or assessing capital adequacy or instead relyon internal models. Forty-six percent o institutions saidthey intended to purse either ull or partial internal modelapproval, a decline rom 64 percent in 2010, while thoseintending to use the standard ormula approach rose rom36 percent to 50 percent. It appears that some institutionsare switching rom internal models to the s impler approacho using a standard ormula.


22/4820

Institutions were asked to estimate the percentages otheir total Pillar II capital requirement or d i erent risktypes. On average, credit risk accounted or 47 percento the capital requirement, with much lower portionsdue to other risk types such as market risk (12 percent),operational risk (9 percent), and interest rate risk o thebalance sheet (8 percent). 31

Institutions use a variety o methods to aggregate riskin order to gain a comprehensive assessment acrosstheir organizations. The most common risk aggregationapproach was summation, which was used by 61 percento the institutions participating. Other methods were usedmuch less requently, including the variance/covarianceapproach (20 percent), copulas (18 percent), hybridapproach (square root o sum o correlated squares) (14

percent), and square root o sum o squares (6 percent). 32 Large institutions were more likely than small organizationsto use more advanced approaches. For example, 38percent o large institutions used the variance/covarianceapproach compared to 8 percent o mid-sized institutionsand 7 percent o small institutions.

More institutions have their board o directors take animportant role in economic capital. In the current survey,66 percent o institutions said their board o directors wasresponsible or reviewing economic capital results, up rom47 percent in 2010. Another 20 percent o institutionssaid senior management was responsible or reviewing

economic capital, similar to 2010. As more institutionsplace this review responsibility with the board o directors,ewer gave the review responsibility to unctional areas:risk management (7 percent versus 15 percent in 2010)and nance (2 percent versus 7 percent in 2010). Thisis a positive trend, suggesting that economic capitalreporting and oversight is going to higher levels in mostorganizations, typically to the board o directors.

Large and mid-size institutions were even more likely toplace this review responsibility with the board o directors:roughly 70 percent o these institutions did so comparedto 50 percent o small institutions.

Looking ahead, when asked which areas their organizationwas planning to ocus on over the next 12 months relatedto Solvency II, the area cited most o ten was Own Riskand Solvency Assessment (ORSA) (92 percent). Progressappears to have been made on ORSA, although manyinstitutions have work remaining. For example, one-quartersaid that some material risks had not yet been considered,down rom one-hal in 2010; 58 percent said that riskmitigation and trans er arrangements (e.g., reinsuranceand derivatives) had been addressed, up rom 33 percentin 2010; and 42 percent said the business plan andplanning processes had been linked into the ORSA, uprom 21 percent in 2010.

Many o the other highly-rated items regarding SolvencyII concerned aspects o data collection and reporting:

review o the quality o the data used (77 percent),documentation (69 percent), management in ormation (46percent), data in rastructure and data handling processes(31 percent). Institutions o ten underestimate thechallenges in improving data quality and documentation,and addressing these issues can place an increasing burdenon management ocus and resources. Another issue citedrequently was validation (54 percent). Institutions arenow urther along in the process o preparing to complywith Solvency II and are con ronting the work involved inimproving data quality, reporting, and validation otheir models.

Economic capital Economic capital may be used to assess an institutionsrisk pro le and provide a tool or allocating capital andassessing risk-adjusted per ormance. Roughly 80 percento institutions reported calculating economic capital.Institutions were most likely to calculate economic capitalor credit risk (65 percent), market risk (65 percent),operational risk (61 percent), interest rate risk o thebalance sheet (60 percent), and counterparty credit risk (54percent) (Figure 11). Fewer institutions did so or other risktypes: liquidity risk (25 percent), strategic risk (21 percent),and systemic risk (12 percent).

Given the ocus on the adequacy o capital structuresand the use o economic capital in Pillar II or Basel IIand Solvency II, one might have expected that the useo economic capital would have grown. However, thepercentages o institutions that calculate economic capitalor di erent risk types were similar in 2012 and 2010.



Although there has been criticism o the use o economiccapital, many institutions continue to use it as animportant input to decision-making. The most commonuses o economic capital among the institutions surveyedwere at the enterprise level to evaluate/allocate economiccapital (60 percent), at the board/senior managementlevel or strategic decision-making (55 percent), and at thebusiness unit level to evaluate risk-adjustedper ormance (52 percent).

Regulators in many jurisdictions are requiring nancialinstitutions to maintain higher regulatory capital reservesthan be ore. This is refected in the 2012 survey in which49 percent o institutions said regulatory capital at theirinstitution was greater than economic capital, while only28 percent reported that economic capital was greater.

This is a shi t rom 2010 when only 26 percent saidregulatory capital was greater than economic capital while63 percent said economic capital was greater.

Figure 11. For which o the ollowing risk types do you calculate economic capital?

Stress testing Stress testing has become increasingly popular as a toolthat nancial institutions can use to assess their abilityto withstand extreme, but rare, events. The U.S. FederalReserve and the O ce o the Comptroller o the Currencyboth manage a program that requires annual stress testso large banking institutions. In 2013, this program will beexpanded to include all banks with US$10 billion or morein assets. More than 90 percent o the institutions surveyedreported that they use stress testing.

Implementation o stress testing Most institutions surveyed have put in place varioussteps needed to implement an e ective stress testingprogram. For example, most institutions reported theyhad in placeeither ully or partiallywritten policies

governing the stress testing program (74 percent), detaileddocumentation o the methodologies, processes, andprocedures or conducting stress tests (81 percent),senior management committees (such as Risk Committeeor Asset-Liability Committee (ALCO)) that oversee thestress testing process (77 percent), and review andapproval o stress testing results by senior managementand the board o directors (78 percent), which is aregulatory requirement. Some o the items that are moredi cult to implement were somewhat less common,although still in place at more than hal the institutions:independent reviews by internal audit o the stresstesting process, annually or more o ten (59 percent),and active engagement by senior management and theboard o directors in setting stress testing objectives,de ning scenarios, and challenging methodologies andassumptions (67 percent).

Uses o stress testing results Among institutions that use stress testing, most said theyuse it in planning and setting strategy within their riskmanagement ramework: stress testing enables orward-looking assessments o risk (80 percent), in orms settingo risk tolerance (70 percent), and eeds into capital andliquidity planning procedures (66 percent). More tacticaluses o stress testing were cited less o ten, e.g., supportsthe development o risk mitigation and contingency plans(57 percent) and mitigates limitations o models andhistorical data (54 percent).

0 10 20 30 40 50 60 70

Systemic

Reputational

Strategic

Liquidity

Morbidity

Catastrophe

Property and casualty

Lapse

Mortality

Diversication effectsacross risk categories

Counterparty credit

Interest rate risk ofthe balance sheet

Operational

Market

Credit 65

global risk management survey 2013

Documents