Global Risk Management Survey: Fifth Edition Key Findings Operational Risk Implementation and Its Impact on Financial Institutions December 11, 2007 Institute of International Bankers
Agenda About the Survey Key Findings An Operational View of Risk Basel II Targeting Operational Key Risks Challenges of Operational Risk Managing the Technology ERM and Beyond The Road Ahead
About the Survey The Global Risk Management Survey: Fifth Edition represents our most recent examination of the state of risk management in the global financial industry The survey was conducted online during the later part of 2006 We solicited participation of CRO’s or their equivalent at financial services firms around the world 130 financial services institutions participated with an aggregate asset size of almost $21 trillion (USD) Respondents included global, regional, and local institutions 2
About the Survey Participating institutions were primarily commercial and retail banks, and diversified financial institutions The range of asset size for participating institutions was from smaller, regional institutions to some of the worlds largest Headquartered in a variety of geographic areas, participating institutions tended to be global in nature
Key Findings The board of directors have increasing oversight responsibility for risk management relative to previous years CRO position and role is being further accepted in financial institutions, with the CRO reporting to the highest levels of management – board of directors & CEO Risk management for traditional risk areas such as credit, market and liquidity is considered to be very effective, while other risk areas such as business continuity/ IT security, operational, vendor and geopolitical risk was less effective Enterprise Risk Management programs have been implemented, are in the process of being implemented or are in the planning stages for the majority of the participating institutions For institutions that have implemented ERM programs, the total value exceeds the cost. However the assessment of value is mostly qualitative Majority of participants have formal enterprise-wide Basel II programs. However there is still significant work to be done in reaching Basel II qualification standards – validation & testing, use test requirements, analytics and calibration and AMA for modeling operational risk
An Operational View of Risk The Basel II Accord continues to influence the development of operational risk programs across financial institutions With over 42% of respondents reporting that they utilize operational risk “tools” to identify risks within their operations However, the primary driver in building operational risk programs continue to be to support “regulatory compliance” initiatives
Basel II While the Basel II Accord may have increased awareness of operational risk management, there continues to be more pressure and desire to focus on testing, especially with the allocation of economic capital and the use of accurate data Many institutions reported that significant work needs to be done to achieve key Basel II qualification standards – especially in the areas of: validation and testing use test requirements risk parameter analytics and calibration and AMA modeling for operational risk The focus on accurate data for Basel II purposes has also raised many larger data issues throughout organizations such as data governance, data policies and data testing. However, data quality issues will continue to garner more attention in the Basel II programs with less than half of the participating institutions considering their current state to be good or excellent.
Basel II (continued) Economic capital Institutions were more likely to calculate economic capital for risks that are well understood, such as credit, market and interest-rate risk, and less likely to do so for reputation, privacy and legal risks Larger institutions are more likely to adopt more sophisticated approaches: Advanced Internal Ratings Based (AIRB) Advanced Measurement Approach (AMA) Institutions reported Regulatory capital results often to be greater than economic capital results – possible gap primarily due to limitations in capital methodology approaches for estimating strategic and business risk
Targeting Key Operational Risks While progress has been made in implementing rigorous operational risk management processes – driven primarily by Basel II, overall results remain mixed Roughly two-thirds of institutions had substantially or fully implemented the ability to identify operational risk types, while about half had done so in documenting processes and controls and in data gathering Operational risk program drivers: 80% of executives rated the need to respond to regulatory activity, such as Basel II, as extremely or very important drivers to their institutions’ focus on operational risk To support ERM initiatives (66%) In response to a request by senior management or risk management leadership (56%) Due to loss events (55%)
Targeting Key Operational Risks Operational Risk Management Capabilities More than two-thirds of executives said their institutions were at least somewhat capable in areas reporting and data gathering Only one-half rated their institutions highly in exposure calculations and in scenario model building - many institutions have been engaged in operational risk loss data collection activities for years due to the need to build historical databases, but have only recently focused on scenario and model building Emerging Trends Integration of Risk Frameworks - there are significant benefits to be gained by integrating multiple risk frameworks such as Sarbanes-Oxley, regulatory compliance, compliance with internal policies and procedures, IT risk, risk inherent in business processed, and HR risk Operational Risk Management Technology - the growing sophistication of operational risk management technology has substantially increased the capabilities available to firms
Challenges of Operational Risk Management Developing awareness and accountability of operational risk management continues to be a struggle for most organizations. While credit and market risk programs have had track records and disciplines to support their successes, operational risk continues to be a relative newcomer with reporting to senior management a significant hurdle to manage within organizations. ORM Tools, although more abundant in today’s market place, continues to be a struggle for organizations due to the integration challenges to existing legacy systems.
Managing the Technology Technology plays a critical role in any successful operational risk program. Basel II has significantly expanded the requirements for better loss data, scenario analysis methods, capital calculations, risk and control self-assessment programs and key risk indicators. The current survey shows that financial institutions continue to struggle with many fundamental technology challenges-with integration at the top of the list of risk management concerns. The most common cited factor in the selection criteria for risk systems was the ability to integrate with existing systems. Most institutions have had credit and market risk management systems for some time. However, Basel II’s requirement for operational risk management have made this a relatively new area for risk management technology investment. Some firms are attempting to develop integrated operational risk and compliance platforms to increase efficiency and reduce their overall spending to support risk management and compliance.
ERM Landscape & Beyond While the growth of Enterprise Risk Management continues, operational risk will maintain progress toward greater emphasis of risk quantification to better understand risk exposures and to better align itself to a wider range of risks for the organization The survey highlighted some clear areas of opportunity in ERM implementation. While roughly 90% of Institutions have included market, credit and operational risk under the ERM program, only 63% say IT security is covered by ERM and 58% include business continuity. Even fewer institutions covered risks such as strategic, privacy or geopolitical. Many institutions need to continue to broaden the scope of their ERM programs to include the full range of risks they face.
The Road Ahead The fifth edition of our Global Risk Management Survey underscores the fact that risk is clearly assuming greater visibility in financial institutions, and responsibility for risk management is being placed at the highest levels of most organizations But while progress has been real, many institutions have much more to accomplish to truly achieve a comprehensive approach that actively identifies, assesses, and manages the full range of risks they face The trend toward a strategic approach to risk management is likely to continue— and we believe that the institutions that take a leading role in this evolution will be in a position to use risk management as a key competitive tool
Thank You Survey and related links: Edward Hida Partner, Risk Strategy & Analytics Service Line Leader Regulatory & Capital Markets Consulting Deloitte & Touche LLP +1 (212) 436 4854 ehida@deloitte.com Survey and related links: Survey report: www.deloitte.com/us/riskmanagementsurvey Podcast: www.deloitte.com/us/podcasts/RiskInFinancialIndustry Dbriefs webcast: www.deloitte.com/us/dbriefs-> Financial services -> “Accelerating Risk Management Practices: Applying Insights from Leading Global Institutions”
About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of approximately 135,000 people worldwide, Deloitte delivers services in four professional areas, audit, tax, consulting and financial advisory services, and serves more than one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu” or other related names. In the United States, Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP, and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the U.S. member firm are among the nation’s leading professional services firms, providing audit, tax, consulting, and financial advisory services through nearly 40,000 people in more than 90 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the U.S. member firm’s Web site at www.deloitte.com