Rethinking risk management
Banks focus on non-financial risks and accountability
Banks are changing their approach to risk management, creating proactive methods to manage non-financial risks and making front-office staff more accountable.
For banks that are addressing cultural weaknesses and regulatory expectations, there is much opportunity to act and adapt to the new risk management order.
Our 2015 annual risk management survey of major financial institutions finds banks are building more effective and resilient risk management with six key actions.
Six ways to adapt to a new risk management order
Is it time to turn compliance and conduct into individual risk types? Many banks believe so and are developing more granular, proactive and forward-looking risk assessments of non-financial risks.
As the high cost of non-financial risks – including regulatory, conduct, money laundering, compliance, systems and reputation risk – continues to add pressure, non-financial risk is being seen as an increasingly important concern: 89% of banks report an increased focus on non-financial risks in the last 12 months. The extent to which these non-financial risks and, in particular, conduct, are being treated as a risk “type” is a major shift.
The trend is being driven by the costs and reputation damage of high-profile and ongoing conduct failures. Eighty percent of global systemically important banks (G-SIBs) attribute weak oversight and controls to their reported losses from non-financial risks (including regulatory fines and penalties) during the last three years, with 69% reporting losses of more than US$1b.
Actions being taken to prevent future non-financial risk losses effect a multitude of banking processes, systems and controls:
- Operational processes
- Product development
- Employee training
- Forensic investigations
- Drill downs
- Business-line responsibilities
- The three lines of defense
However, it is the accountability of the front office that is seen by most banks as the critical factor.
It’s a complex challenge, one that has been repeatedly cited over several years and one that most banks agree is key to transforming their firm’s culture: how to strike a balance between the sales-driven front office and the new risk management order.
Reinforcing accountability regarding risk management is the primary focus for most banks, ninety-four percent of banks now hold the front-office desk and business-line heads fully accountable for managing a wider view of risk, including non-financial risks, such as conduct and reputational risks.
Major programs are now under way in a number of banks to shift all accountability for risk to the front office, make it meaningful and ensure that controls are in place and effective – but much work remains. More than one-third of banks see accountability in the front office as a cause of risk culture deviating from board expectations.
Five steps to increased front-office accountability
- Streamlined governance structures and new committees, processes and policies that ensure that the front office is truly accountable for all risk
- Greater capacity for the front office to assess risk itself – a shift from the three-lines-of-defense approach that calls for the independence of the risk function
- More-effective communication of cultural values; supported by performance management, compensation and training
- Clarification of the range and magnitude of acceptable risk using an embedded risk appetite statement
- Alignment of incentives with risk objectives and enforceable disciplinary action for breaches in rules and misbehavior
Enforcing front-office accountability is a critical step toward transforming a bank’s risk culture, along with successfully embedding risk appetite.
Banks continue to struggle to embed risk appetite — the amount and type of risk an organization is willing to accept — into business decisions.
Despite the fact that risk appetite has been a top area of focus for boards and chief risk officers for the last several years, only 43% of banks report they have successfully integrated risk appetite; however, progress is being made – 53% report strong progress in their ability to track and enforce it.
Risk appetite is seen as an essential element to risk accountability within the business lines. The majority (70%) of executives surveyed agree that successfully executing business-wide risk appetite must be a collaborative, top-down, bottom-up approach involving the board, CEO, chief risk officer and chief financial officer in discussion with business leaders.
Banks are developing clear metrics to provide a common financial risk language and moving toward using some form of forward extreme loss as a core metric, e.g., 57% are using stress test metrics and 32% are using loss in extreme events metrics.
Measuring risk in banking
- 74% use a tailored approach for different risk types within the operational risk framework
- Only 47% use an allocation of operational risk loss to business lines
- 83% have started to create a risk appetite for non-financial risks, including conduct and compliance
The rethinking of non-financial risk in how risk appetite is embedded across the business will have long-term and lasting impact on a bank’s overall transformation of its risk culture.
High-profile conduct failings have increased board and management attention to culture. Globally, 75% of firms are in the process of changing culture, up from 66% last year. But the transformation is a work in progress, according to 81% of banks.
Just 42% of banks believe employees understand that bad behavior will be penalized despite earnings performance, and only 44% say that individual behavior is significantly reflected in career progression.
Banks are taking misbehavior seriously. Ninety-four percent of banks report that severe breaches of their risk policies result in disciplinary actions. So what is responsible for a breakdown in risk culture? Almost half of banks (46%) cite messages not being cascaded effectively throughout the organization as a major cause.
Progress will require two essential factors: clear articulation that bad behavior will be penalized and enforcement of consequences when breaches occur. Many banks say that progress is already happening: 85% report that a breach in risk conduct is immediately escalated to the risk department (an increase from 76% in 2014); while 69% say that breaches are handled by business-line or desk leaders.
Improving internal communications around conduct will do much to create positive cultural change, as will managing conduct risk through improved forward-looking risk assessment and stress testing.
Along with more detailed loss reporting and forensic investigations after an event has occurred, conducting in-depth reviews of individual operational processes and evaluating near-miss events; 57% of banks are developing more forward-looking risk assessments instead of waiting to conduct post-risk event reviews.
Banks are also working to embed new stress-testing models into business processes – but making it a management tool remains a challenge.
Eighty-one percent of respondents (up from 71% in 2014) indicate that they have created and implemented new stress-testing methodologies in the last 12 months. Only a minority of banks (20%, down from 27%) use economic capital models, with 85% calculating losses directly from scenarios and 70% stressing internal ratings-based parameters.
Extracting and aggregating data is a major challenge to improving stress testing and greater automation is critical to speeding up the process. At the same time, more granular stress testing is required. Many banks are feeling resource strain, particularly given the pressures of producing complex regulatory stress tests.
Banks are continuing to evaluate portfolios and retract their businesses to meet investor demands for better return on equity, while under pressure from the higher capital and liquid assets buffers required under Basel III.
These pressures are resulting in significant and fundamental business model change; 22% of banks have exited countries (a 100% increase from last year) and 43% have exited lines of business. This retrenchment is a major shift from the globalization seen over the last 20 years.
However, if banks are to produce sustainable returns for investors they will need a plan for how to provide services – not withdraw them.
The board has a clear role here as it balances the impact of rising litigation costs, steep fines and reputational damage with pressures from investors to improve returns.
CROs are spending more time on regulatory compliance and face strains in terms of the cost and resources needed to meet regulatory demands. Sixty-four percent of banks report increases in the size of the risk function and expect increases to continue. The most prominent area of board focus is compliance risk, followed by risk appetite.
Half of the respondents have added risk expertise to the board and created new committees at board and management levels to monitor conduct, ethics and product suitability.
If banks are to deliver sustainable returns they will need to adapt to a new risk management order.