rebuilding trust - next steps for risk management in financial services

Rebuilding trustNext steps for risk management in financial servicesA report from the Economist Intelligence Unit

Sponsored by

Rebuilding trustNext steps for risk management in financial services

© The Economist Intelligence Unit Limited 20101

About this research

Rebuilding trust: Next steps for risk management in financial services is an Economist Intelligence Unit report that examines the steps that banks and insurers around the world are taking to

reinforce their risk management capabilities in response to the global financial crisis. The report is sponsored by SAS. The author was Rob Mitchell and the editor was Abhik Sen.

The Economist Intelligence Unit bears sole responsibility for the content of this report. Our editorial team executed the online survey, conducted the interviews and wrote the report. The findings and views expressed in this report do not necessarily reflect the views of the sponsor.

Our research for this report drew on two main initiatives:

l We conducted an online survey of 346 executives from around the world in January and February 2010. The survey included companies of a variety of sizes from the banking and insurance industries. All respondents have a primary focus on risk management.

l To supplement the survey results, the Economist Intelligence Unit conducted a programme of qualitative research that included a series of in-depth interviews with industry experts.

We would like to thank the many people who helped with this research.

May 2010



The global financial crisis had many causes but failures in risk management were clearly a contributory factor. Although there were technical shortcomings, especially related to the use of

risk models and metrics, a more widespread problem was a failure of governance, which meant that the legitimate warnings of risk managers went either unheeded or unnoticed. In the euphoria of the credit bubble preceding the crash, a culture in banking and insurance that prioritised short-term gains over prudence all too often rode roughshod over the concerns of risk managers. Many senior executives were more concerned with outperforming revenue and profit targets than paying heed to growing risk concentrations.

The crisis has changed that. Across the financial services industry, risk management has moved to the centre of strategic decision-making, and many institutions are revamping their entire approach to understanding and mitigating the risks that they face. Our 2009 report, After the Storm: A new era for risk management in the financial services industry1, found that the majority of financial institutions have been conducting wholesale reforms to the way that they manage risk. If anything, the pace of change has accelerated since then, with institutions reappraising their corporate governance structures, risk functions, data, information systems, and business processes and procedures.

Many banks and insurers have come a long way in their efforts to strengthen risk capabilities. Discussions about risk have become a key part of the boardroom agenda, chief risk officers have a prominent seat at the top table and there is a renewed zeal for instilling a greater awareness of risk principles in the front office — the so-called first line of defence.

Despite this progress, however, weaknesses remain. The enthusiasm for a large-scale overhaul of risk management in the industry has created human capital shortages as companies and regulators scramble to acquire suitable expertise. Data and information management systems remain significant impediments to an overall understanding of risk exposures, while regulatory uncertainty makes it difficult for organisations to plan for the long term.

In February 2010, the Economist Intelligence Unit conducted a global survey on behalf of SAS to track the progress of financial institutions in strengthening their risk management since the crisis. The survey attracted 346 respondents from across the banking and insurance industries. The report that follows presents the highlights of those survey findings along with related additional insights drawn

Executive summary

1 Report available at www.eiu.com/afterthestorm



from interviews with industry experts and commentators. Key findings from this research include the following:

Confidence levels are high but there is a risk of complacency. Financial institutions are feeling much more confident about the future compared with 12 months ago. Around three-quarters of respondents believe that prospects for revenue growth over the next year are good, whereas 68% are positive about the prospects for profitability. These levels of confidence, which are around double the levels reported in a similar survey conducted last year, reflect a widely held view that the financial system has stabilised. There is a risk of complacency, however. As governments withdraw stimulus packages and liquidity support for the financial sector, revenues and profitability could yet fail to meet expectations.

The focus on regulatory compliance could distract attention from emerging risks. Around the world, regulators have stepped up their scrutiny of financial institutions. While few people would argue against a tougher regulatory regime in financial services, respondents to the survey highlight uncertainty regarding regulation as the main barrier to effective risk management. There is a danger that the focus on compliance could be “crowding out” day-to-day risk management at a time when formerly low probability risks, such as sovereign debt crises, are becoming more commonplace.

A clearly defined risk strategy is in place at most institutions, but significant areas of weakness remain. Investment in risk management is increasing almost across the board, with risk processes, data, information systems and training being key areas of focus for the majority of institutions. Six out of 10 respondents now say that they have a clearly defined risk strategy in place at their organisations that is updated on a regular basis. However, this still leaves a worrying 40% whose companies do not conduct regular updates or do not have a clear risk strategy in place.

Banks and insurers are filling gaps in risk expertise with investment in training and recruitment. Respondents recognise that shortfalls in the quality and quantity of risk experts have been an important part of the problem in risk management. Asked about key areas in which shortcomings need to be addressed, respondents list issues related to expertise as three of their top four priorities. More than one-half of respondents say that they are increasing their investment in training, both of risk professionals and across the broader business, and a similar proportion say that they are spending more on recruitment.

The silo-based approach to risk management continues to pose problems. In the days leading up to the financial crisis, the separation of risk management into separate departments led many financial institutions to underestimate risk concentrations and correlations. Even now, less than one-half of respondents to our survey are confident that they understand the interaction of risks across business lines and poor communication between departments is seen as a key barrier to effective risk management.

Financial institutions need to further improve data quality and availability. An over-reliance on risk models, and problems with the data used to populate those models, have been widely seen as a key failure in financial risk management. Financial services firms recognise that data quality and availability need to improve further. Collecting, storing and aggregating data is an area of weakness for many institutions, with only 39% of respondents believing that they are effective at all these activities.



The financial services industry entered 2010 on a much more stable footing than last year. Since the darkest days of the financial crisis, the share prices of major banks have rebounded,

economic conditions have improved and the industry has benefited from a surge in liquidity facilitated by the actions of policymakers around the world.

These short-term improvements in the economic landscape have fostered a mood of surprising optimism among the respondents questioned for our survey. Three-quarters see their prospects for revenue growth over the next year as positive, while 68% feel the same on the outlook for profitability. In last year’s Economist Intelligence Unit survey for SAS, just 34% saw the prospects for revenue growth, and 33% for profitability, as being positive.

Optimism is particularly high within the Asia-Pacific region where financial institutions have been less affected by the crisis and where economic growth remains relatively robust. Within the region, 86% of respondents see prospects for revenue as positive, and 77% think similarly on the outlook for profit.

Although the outlook has undoubtedly improved significantly across the whole industry, it would be wrong to be complacent. Sluggish economic growth in developed countries, combined with stubbornly high unemployment, are likely to lead to further difficulties in mature markets. New regulations and the imposition of more conservative capital and liquidity buffers will drive down

The new risk landscape

Revenue growth

Profitability

Share price

Relations with customers

Relations with investors

Capital adequacy

How do you currently rate the prospects for your business in the following areas over the next year?Please rate 1 to 5 where 1 is significantly positive and 5 is significantly negative and 3 signifies no change. (% respondents)

110145123

113185018

16414210

5275216

8374212

111294613

1 Significantly positive 2 3 No change 4 5 Significantly negative

Key points

n Short-termimprovementsinmarketconditionsandliquidityhavemadethebankingandinsuranceindustriessurprisinglyoptimisticabouttheirprospectsforthecomingyear.

n Theemphasisinregulationisshiftingfromissuesrelatedtoindividualinstitutionstomoremacro-prudentialconcernsassociatedwithsystemicrisk.

n Whilemanyfirmshaveoverhauledtheirriskmanagementfollowingthefinancialcrisis,aworryingnumberofthemstilldonothaveaclearlydefinedriskstrategy.

Source: Economist Intelligence Unit survey, February 2010.


© The Economist Intelligence Unit Limited 2010�

corporate profitability, while new macroeconomic risks, such as the sovereign debt crisis in Greece, could derail any nascent recovery.

In the medium term, policymakers will be looking to withdraw fiscal stimulus packages and return debt and equity capital holdings to private investors. Over the same period, a more stringent regulatory environment will emerge. Banks, for example, face the prospect of tighter restrictions on capital reserves under proposals dubbed as the “Basel 3 rules”.

The emphasis in regulation is shifting from issues related to individual institutions towards macroprudential ones associated with systemic risk. “Previously, regulators were just not focused on systemic issues,” says Viral Acharya, professor of finance at the New York University Stern School of Business. “It was almost as if the micro objective of making each bank safe was somehow clouding the focus of regulation from what it really should be doing, which is to guard the system as a whole.”

63

37

30

17

16

10

5

Regulators

Board of directors

Investors

Rating agencies

Government bodies

Creditors

Media

With which of the following stakeholders of your company has there been the most change in the transparency of communication on risk issues over the past 12 months? Select up to two. (% respondents)

39

38

32

29

26

21

21

12

5

6

Uncertainty over future regulation

Poor communication across departments

Insufficient data

Risk management function lacks authority

Lack of confidence in existing risk management tools

Inadequate real-time (intra-day) risk management

Lack of adequate investment

Use of spreadsheets in risk management

Others, please specify

There are no barriers

What do you consider to be currently the main barriers to effective risk management in your organisation? Select up to three. (% respondents)




Regulators look at riskThis is not to say, however, that regulators are downplaying their micro-prudential responsibilities. In the past 18 months, supervisors have been carefully scrutinising the way in which individual institutions identify, monitor and mitigate risk, and the steps they are putting in place to ensure that boards are fulfilling their mandates on governance and oversight.

The dynamic between regulators and individual firms has changed immeasurably, according to Barrie Wilkinson, a partner in risk and finance at Oliver Wyman, a consultancy. “In the UK, the Financial Services Authority is recruiting very aggressively and has armies of people coming in almost every day to inspect the banks,” he says.

The extent of dialogue with regulators emerges as a key concern for respondents to our survey. Asked about the stakeholders with whom transparency of communication on risk issues had changed most over the past 12 months, respondents cite regulators by a significant margin. They also point to regulatory uncertainty as the main barrier to effective risk management.

Pressure from regulators and other stakeholders, along with the sheer scale of the recent crisis, means that very few financial institutions now take risk management for granted. As highlighted in our 2009 report, more than one-half of institutions said that they were conducting a thorough overhaul of their risk management. Today, there is greater confidence that some issues have been resolved. Six out of 10 respondents say that they have a clearly defined risk strategy in their organisations that is regularly updated, although this still leaves a worrying 40% that either do not have such a strategy in place or have significant work to do to make the necessary changes. In the case of organisations with less than US$500m in assets, just 43% have a clearly defined strategy in place.

60

21

9

10

We have a clearly defined risk management strategy that is updated on a regular basis

We have a clearly defined risk management strategy, but it is not updated on a regular basis

We do not have a clearly defined risk management strategy

We are creating a new model for our risk management strategy after the financial crisis

Which of the following statements best describes the situation regarding the risk management strategy at your company? (% respondents)




There is an emerging consensus that good risk management starts at the top of the organisation. Board members need to have sufficient knowledge and information to be able to challenge

and question executive management, and they need to devote an appropriate amount of time to understanding the business. “If you are going to have a risk culture that is embedded within an organisation, it has to start from the top,” says Richard Apostolik, president of the Global Association of Risk Professionals, a trade association.

Survey respondents consider board-level expertise to be one of the top three risk management issues that they would like to address. Yet somewhat surprisingly, less than one- half say that they are devoting resources to improving risk governance by board members.

Many institutions are addressing these shortcomings by forming board-level risk committees. This is one of the key changes proposed by the UK government-sponsored Walker Review of corporate governance in the banking industry. There is also a strong focus on board competencies in the US. Proposed rules from the Securities and Exchange Commission will require disclosure of the board’s

Setting the tone

Training of risk professionals

Training of general workforce in risk

Training of board members in risk

Recruitment of specialised risk professionals

Improvement of risk processes at strategic level

Improvement of risk processes at operational level

Data quality and integrity

IT systems

Third-party risk advisory services

In the past 12 months, what change has there been to the amount of investment your firm has made in the following areas?Please rate 1 to 5 where 1 is significantly more and 5 is significantly less and 3 signifies no change. (% respondents)

2

2

4414014

5424110

1347409

24433812

14255119

12255418

3344913

13384314

2861244

1 Significantly more 2 3 No change 4 5 Significantly less


Key points

n Thereisagrowingconsensusthatgoodriskmanagementatorganisationsstartsatthetop.

n ItisincreasinglycommonforCROstohaveadualreportinglinetothechiefexecutiveandtotheriskcommitteeorequivalent.

n Thereisstillplentyofroomforimprovementinriskmanagementandreportingpracticesatmostcompanies.



qualifications and its role in risk management.Among respondents to our survey, almost three-quarters say that they have a board-level risk

committee in place. Not everyone believes, however, that stand-alone risk committees are essential in every organisation. “It depends what the firm is doing and the scope and depth of its activities,” says Mr Apostolik. “In some cases, this role can be performed perfectly adequately as part of an audit committee.”

More important than the existence of a risk committee is the content of the board’s discussions and their interaction with executive management and the risk function. “The board needs to know what they don’t know and they need to find a way of finding out what that information is,” notes Andy Clinton, managing director of Protiviti, a risk consultancy.

Boards across the industry are facing a significant increase in their workload and responsibilities. Key among these is the need to set and monitor the overall risk appetite, which should articulate the institution’s willingness to take risk in order to pursue business objectives.

A recent report from the Senior Supervisors Group—a collection of financial regulators from Canada, France, Germany, Japan, Switzerland, the UK and US— found that financial institutions still have some progress to make in setting and monitoring a robust risk appetite2. Until recently, risk appetite was generally regarded as a mechanical, compliance-driven activity that required the approval of boards but little active involvement from them. “Most of the risk appetite work that we see now is trying to get boards to own the risk profile of the organisation, and talk openly about what kind of risks the company should be running and under what circumstances it might need to take certain precautionary actions,” comments Andrew Rear, head of European insurance at Oliver Wyman.

David Allen, a partner at law firm Mayer Brown, says that an organisation’s risk appetite should be informed by the broader economic outlook, but he warns that this could be a source of tension. “There is much to be said for having a risk committee to look over the horizon while the board steers the ship, but economic storms arrive unexpectedly, and it will take robust committee members to persuade the board to reduce its risk exposure when the waters still appear calm,” he says.

Role of the CROMany financial institutions are changing reporting lines for the chief risk officer (CRO) in order to strengthen their overall risk governance. It is increasingly common for CROs to have a dual reporting line to the chief executive and to the risk committee or equivalent. Among our survey respondents, 57% say that their companies have a CRO with a direct reporting line into the board.

A dual reporting line ensures that the CRO has access to executives at the very top of the company

Chief Risk Officer

Risk committee

Board member with expertise in risk

CRO reporting to board or executive directors frequently

Does your organisation currently have the following? (% respondents)

221265

171173

221167

291457

Yes, already have No, but intend to recruit No plans to recruit

2 Risk management lessons from the global banking crisis of 2008, October 2009 Source: Economist Intelligence Unit survey, February 2010.

“There is much to be said for having a risk committee to look over the horizon while the board steers the ship, but economic storms arrive unexpectedly” – David Allen, partner at Mayer Brown, a law firm



and it also enables an open and unfettered access to the board, with an information exchange that flows both ways. “The CRO needs to be at the top table and be involved in the strategic decisions the company makes, so that he or she can provide an independent view over whether they fit with the risk appetite of the company,” says Bruce Munro, group CRO of National Australia Bank, who himself reports into the CEO and has a veto over any decision in the organisation.

ReportingThe success of these new reporting lines and governance structures depends on a robust, two-way communication between the board and senior risk managers. A key area of focus for many firms has been the strengthening of their management information systems and responding to the more diverse and frequent reporting requirements of the board. “It becomes a much more two-way interactive process rather than a mechanical monthly meeting where you just talk about whatever has come through the system that month,” says Mr Munro.

Axel Lehmann, group CRO of Zurich Financial Services, one of the world’s largest insurers, says that boards are typically requesting more forward-looking data, and expect both a holistic overview of the key risk exposures as well as more granular information on specific risk categories. “They also want to have a better awareness of the risk models that the company is using and a good understanding of the assumptions that go into those models,” he adds.

Yet respondents to our survey admit that they still have improvements to make in risk reporting. Just 47% say that they are effective at providing timely and relevant risk reports to the board. Given that boards expect to get both greater detail from reports and an insightful summary of overall risk exposure—all in a highly accelerated time frame—it seems clear that many organisations still have some way to go to satisfy these new requirements.

Aggregating risks at firm-wide level

Applying risk management to support broader strategic goals

Understanding the interaction of risk across business lines

Managing real-time (or intra-day) risk

Instilling a culture of risk more broadly in the company

Providing timely, relevant risk reports to the board

Collecting, standardising and storing risk data

Using human judgment to supplement quantitative tools

Constructing a governance, risk and compliance framework

Managing the pace and amount of change

How effective is your organisation in each of the following areas?Please rate 1 to 5 where 1 is very effective and 5 is not effective at all. (% respondents)

31327

1

1

1234

1438

42

44

39

16

10

8

52138298

21434

31238

37

39

13

8

31940318

112284613

211294414

21644335

1 Very effective 2 3 4 5 Not effective at all




War for talent

G reater expectations from boards, combined with sustained pressure from regulators and other stakeholders, are placing significant pressure on risk functions. With many financial institutions

actively recruiting and embarking on major risk projects, risk expertise is becoming a scarce and expensive commodity. According to a report in Risk magazine3, shortages of risk professionals in the UK are forcing salaries to rise by between 20% and 30%.

Among our respondents, 50% say that their organisations are spending more on recruiting risk professionals, and just over half say their companies are increasing investment in training programmes to improve the risk function’s skills. Asked about the areas where shortages are most acute, respondents list compliance and governance by a considerable margin.

The problem is compounded by the fact that recruiters are becoming increasingly demanding. “Before the collapse of Lehman Brothers, banks hired candidates who ticked seven out of 10 boxes,” says Blair Cashin, a risk management consultant at Joslin Rowe, a recruitment firm. “Now they want

44

32

31

31

26

26

22

15

14

1

Compliance and governance

Stress-testing

Firm-wide risk

Liquidity risk

Credit portfolio management

Asset liability management

Risk forecasting

Fraud risk

Credit scoring (if applicable)


In which of the following areas has there been most change – if any – in the need for expertise in personnel and technology in your organisation over the past 12 months? Select up to three. (% respondents)

3 Risk magazine, December 1st, 2009 Source: Economist Intelligence Unit survey, February 2010.

Key points

n Shortageofriskprofessionalswiththerightexpertiseisforcingmostcompaniestospendsignificantlymoreonrecruitmentandtraining.

n Thescarcityoftalentismostacuteintheareasofcomplianceandgovernance.

n Companiesarelookingforriskexpertswithnotjusttechnicalcapabilitiesbutalsosofterskillsliketheabilitytocommunicateacrossfunctionalsilosandreportinglines.



people who tick eleven out of ten.”The development of a formal certification programme, established by organisations such as the

Global Association of Risk Professionals, is helping risk management to gain more recognition as a business discipline, and gives financial institutions a better yardstick for measuring expertise.“ Banks need to know from an objective point of view that the people they are entrusting their risk management function to possess the baseline competencies to perform their role,” says Mr Apostolik.

But beyond the technical capabilities required by risk professionals, there is also a growing emphasis on softer skills. “You have to be able to take a relatively complex activity and describe it in simple terms so that people on the board or in the business can quickly understand it and be able to act on it,” says Mr Apostolik. “Even the smartest risk managers in the world will fail in the role if they don’t have the ability to communicate.”

Many commentators believe that greater movement of managers between the front and back offices can help to address talent shortages and, perhaps more importantly, build bridges between the risk function and the business at large. “You’ve got to get more movement between the two,” says Mr Munro. “I think companies ought to insist that their top talent have significant stints in risk during their career. I also think it’s important that people who want a career in risk spend time in the business so they understand one another better.”

Enforcer or enabler?

The financial crisis has dramatically changed perceptions of the risk function, giving it unprecedented power over the lines of business. While few would dispute that this is generally a positive development, the question is whether there is a danger that the risk function could wield too much power, and say “no” to the front office too often. “You’ve got to use authority carefully,” says Bruce Munro, group chief risk officer of National Australia Bank. “It’s easy to overreact in the current circumstances, but you can’t say ‘no’ to everything.”

This highlights the importance of forming a positive working relationship between the risk function and the business, so that the front office sees risk as making a positive contribution—more than just as an enforcer. “Risk functions need to shift towards being an enabler, developing an external and independent view and finding a way of convincing the business that it has value, to listen to that view

and act on it,” says Mr Munro.Instilling this relationship requires strong leadership and

professionals in the risk function and front office who respect each other. Rather than relying on the risk function to manage risk, financial institutions need to hold accountable and empower the first line of defence—the sales teams, underwriting functions or trading floors—to make decisions in a more risk-aware way. “The best enterprise risk management practice is to have business managers, profit centres, business unit heads and functional heads really assuming full responsibility and accountability for the risks they take,” says Axel Lehmann, group CRO of Zurich Financial Services.

Risk management currently enjoys an unprecedented level of authority within organisations, but this could prove temporary when confidence returns and there is a renewed focus on performance and investor returns. “That is the $64,000 question,” says Mr Munro. “It’s not hard at the moment to get risk around the table. The challenge will be to keep risk at the table once conditions demonstrably improve.”

“Even the smartest risk managers will fail if they can’t communicate” – Richard Apostolik, president, Global Association of Risk Professionals



Breaking down silos

W ithin the risk function itself, there is a recognition that not enough has been done to encourage communication across risk silos. In many institutions, market and credit risk were managed

by different teams using separate systems, which made it difficult to gain an overall aggregate view of risk exposures, and meant that some problems inevitably fell through the cracks. Recognising these shortcomings, some banks are seeking to combine or improve co-ordination between risk departments. Last year, for example, HSBC combined its market and credit risk functions.

Although financial institutions are making progress on aggregating risk exposures at the enterprise level, a firm-wide view of risk remains a work in progress for the vast majority of them. Just 47% of respondents consider themselves effective at understanding the interaction of risks across business lines, and 58% are confident in their ability to aggregate risks at the firm-wide level. Poor communication across departments is also identified as the second most significant barrier to effective risk management.

48

46

38

32

30

25

21

16

9

2

Risk management processes and systems

Business risk expertise

Board-level expertise

Risk function expertise

Data quality

Defining line responsibility for risk management

Risk reporting

Data availability

Real-time (or intra-day) risk


In which of the following areas do you think the most significant focus should be to address current shortcomings in risk management? Select up to three. (% respondents)


Key points

n Enterpriseriskmanagementremainsaworkinprogressformostinstitutionsinthebankingandinsuranceindustries.

n Thevastmajorityoffinancialinstitutionssurveyedforthisreportareimprovingriskprocessesattheoperationallevelwhileasmallerproportionaredoingthesameatthestrategiclevel.

n Majorobstaclesremaininintegratingthemanagementofcreditandmarketrisk.



This ongoing reassessment of organisational structures reflects a general trend whereby financial institutions are examining risk processes and considering whether they are still fit for purpose. Asked about the changes to levels of investment in key aspects of risk, almost three-quarters of respondents say that they are increasing expenditure on the improvement of processes at the operational level. A slightly smaller proportion of 70% say that they are increasing investment in risk processes at the strategic level. Processes and systems are also seen as the aspect of risk that is in most need of attention.

There are obstacles for initiatives designed to break down risk silos, however. “Credit risk and market risk tend to be big departments and have very different cultures,” says Mr Wilkinson from the consultancy Oliver Wyman. “Trying to get those guys to work as a single team is easier said than done.” There are significant data infrastructure challenges too, as credit risk and market risk typically operate separate systems that cannot easily be integrated.

Even if the two functions are not formally combined, better co-ordination between them can help to serve as an early warning system of emerging risk correlations. “The best way to break down a silo is to have a culture where people in different departments know each other and can figure out what links there might be between particular risks under certain circumstances,” says Mr Munro.

Financial organisations also recognise that their existing risk structures and processes failed to account for the liquidity crunch that crippled the industry following the collapse of Lehman Brothers. Often liquidity was something that was managed by the treasury function, and not seen as a risk category in its own right. Even regulators tended to neglect it. “Liquidity risk was always a bit of a sleeper risk,” says Mr Munro. “Like many banks, we have given it greater focus, more sophistication in the way we manage it and more conservatism in the buffers that we hold.”

Financial institutions also recognise that their existing risk structures and processes failed to account for the liquidity crunch that crippled the industry following the collapse of Lehman Brothers.



The devil is in the data

Signs of stress

The financial crisis has highlighted the problems of over-reliance on quantitative models. It is now generally agreed that techniques such as Value at Risk (VaR), which are used to calculate the risk of loss in a portfolio, should not be used in isolation. A key problem with VaR is that it is based on historical data, often of a relatively short timeframe, that fails to account for the possibility of catastrophic outcomes in financial markets.

Although some financial institutions continue to use VaR, it seems likely that regulators will push them towards using an adapted measure, such as Stressed VaR, which examines how a firm’s trading position changes during times of acute market stress. More generally, there is a shift towards combining these traditional measures with more forward-looking risk tools and techniques.

Stress testing is one tool that is rapidly gaining ground as an important input to understanding risk exposures. Although it is not new, financial institutions previously used it in a rather

mechanical way, and were dismissive of scenarios that were seen as too outlandish. “Stress testing is vitally important,” says Gordon Scott, managing director in the financial institutions group at Fitch Ratings. “You’ve got to understand how robust your positions are to alternatives of macro events and other stresses, no matter how implausible they may seem.”

For many institutions, stress testing is increasingly being applied in a more systematic way that is linked with the overall risk appetite. It remains a relatively unfamiliar concept for some institutions, however, and an area where the necessary skills may be in short supply. According to survey respondents, stress testing is the area where there has been most change in the need for expertise after compliance and governance.

While stress testing has emerged as a useful tool to explore the impact of potential scenarios, there continues to be debate around how to embed the outcomes of the activity into management decision-making. Qualitative tools are inherently subjective, but this should not prevent their adoption as an early warning system designed to prepare the institution for different eventualities and to provide an indication of trouble on the horizon.

Accurate and reliable data are the cornerstones of good risk management, yet continue to be an area of considerable weakness. As the Senior Supervisors Group noted in a recent report,

many financial institutions have information management systems that are inadequate to monitor their risk exposures. The problem is especially acute at multinational banks and insurers that have grown through acquisitions.

Among survey respondents, just 39% say that they are effective at collecting, standardising and storing data. Insufficient data is also seen as among the top three shortcomings preventing more effective risk management. “Data is everything,” says Mr Apostolik. “Without data you’re not going to be able to make any kind of educated risk assessment.”

Key points

n Institutionsareincreasinglycombiningtraditionalmeasuresofriskmanagementwithmoreforward-lookingtoolsandtechniques.

n Collectingandanalysingdatatoeffectivelymanageriskisstillabigchallengeformanyorganisations.

n Fouroutoffivecompaniessurveyedsaytheyareincreasinginvestmentindataqualityandintegrity.



An important challenge for many firms is that they have multiple or disparate legacy systems that have built up over a period of years. “When a decision is made to launch a new product, or respond to a new regulatory initiative, the tendency is to solve that quickly and meet the requirements by building a new system,” says Sam Harris, director of enterprise risk management at Teradata, a technology provider.

Reconciling these disparate systems across multiple borders and currencies requires a significant amount of manual intervention. This time-consuming and resource-intensive process creates a time delay in the availability of data—a major problem when an institution is trying to formulate a response to an unexpected event, such as the collapse of a counterparty. In recognition of these shortcomings, 62% of survey respondents say that they are increasing investment in data quality and integrity.

Data quality underpins the efforts that financial institutions are making to aggregate risk exposures and break down the silos between risk categories. “Institutions need to ensure that the same sources of data are available to people in different parts of the organisation so that results are comparable across business units and different risk measures,” says Mr Harris.

“Institutions need to ensure that the same sources of data are available to people across the organisation so that results are comparable” – Sam Harris, director of enterprise risk management, Teradata



Conclusion

R isk management is viewed as one of the culprits of the financial crisis but it should also be seen as one of the main instruments for safeguarding the future. Although actions taken now should not

be expected to prevent every future crisis, some lessons have been learned and many organisations are moving towards a more sustainable approach to the balance between risk and reward. There is still significant progress to be made, not least in building a firm-wide risk culture and ensuring that there is sufficient, timely information available to make appropriate decisions.

The risk function has now attained an unprecedented level of authority. With regulators, boards and executive management desperate to ensure that the mistakes of the past are not repeated, risk management has become central to the strategic agenda and few major decisions will now be taken without involving senior members of the risk function. Chief risk officers have a seat at the top table and the ear of the board, and the regulatory process points to a deeper role for risk management at every level of the organisation.

But this new mantle of authority needs to be used wisely. Although risk must retain its controls and enforcement responsibilities, CROs and their reports should be careful to strike a balance between the prevention of excessive risk-taking and a more constructive role in helping the business to achieve its broader objectives. In the current environment, it may be tempting to err on the side of prevention, but the risk function must also build a more trusting, positive relationship with the revenue-generating departments while still preserving its objectivity and independence.

Moreover, it should be recognised that the level of authority currently enjoyed by the risk function could be fleeting. Although risk management is at the top of the agenda now, and is attracting investment and stakeholder attention, the key question is whether this situation will endure when market conditions turn the corner and the pressure to improve financial performance returns. Efforts and investments made now will determine whether risk has a seat at the top table through the good times as well as the bad.

17 © The Economist Intelligence Unit Limited 2010

AppendixSurvey results


Appendix: Survey results

In January and February 2010, the Economist Intelligence Unit conducted a survey of 346 senior risk professionals from the banking and insurance industries. Our sincere thanks go to all who took part in the survey. Please note that not all answers add up to 100%, because of rounding or because respondents were able to provide multiple answers to questions.

Revenue growth

Profitability

Share price

Relations with customers

Relations with investors

Capital adequacy

How do you currently rate the prospects for your business in the following areas over the next year?Please rate 1 to 5 where 1 is significantly positive and 5 is significantly negative and 3 signifies no change. (% respondents)

110145123

113185018

16414210

5275216

8374212

111294613

1 Significantly positive 2 3 No change 4 5 Significantly negative


60

21

9

10

We have a clearly defined risk management strategy that is updated on a regular basis

We have a clearly defined risk management strategy, but it is not updated on a regular basis

We do not have a clearly defined risk management strategy

We are creating a new model for our risk management strategy after the financial crisis

Which of the following statements best describes the situation regarding the risk management strategy at your company? (% respondents)

63

37

30

17

16

10

5

Regulators

Board of directors

Investors

Rating agencies

Government bodies

Creditors

Media

With which of the following stakeholders of your company has there been the most change in the transparency of communication on risk issues over the past 12 months? Select up to two. (% respondents)




Training of risk professionals

Training of general workforce in risk

Training of board members in risk

Recruitment of specialised risk professionals

Improvement of risk processes at strategic level

Improvement of risk processes at operational level

Data quality and integrity

IT systems

Third-party risk advisory services

In the past 12 months, what change has there been to the amount of investment your firm has made in the following areas?Please rate 1 to 5 where 1 is significantly more and 5 is significantly less and 3 signifies no change. (% respondents)

2

2

4414014

5424110

1347409

24433812

14255119

12255418

3344913

13384314

2861244

1 Significantly more 2 3 No change 4 5 Significantly less

48

46

38

32

30

25

21

16

9

2

Risk management processes and systems

Business risk expertise

Board-level expertise

Risk function expertise

Data quality

Defining line responsibility for risk management

Risk reporting

Data availability

Real-time (or intra-day) risk


In which of the following areas do you think the most significant focus should be to address current shortcomings in risk management? Select up to three. (% respondents)


Domestic market

Overseas developed markets

Overseas emerging markets

Over the next year, what change do you expect to the geographical focus of your organisation?Please rate 1 to 5 where 1 is significantly greater focus and 5 is significantly less focus. (% respondents)

15362731

11

11

1538298

10252926

1 Significantly greater focus 2 3 4 5 Significantly less focus




Aggregating risks at firm-wide level

Applying risk management to support broader strategic goals

Understanding the interaction of risk across business lines

Managing real-time (or intra-day) risk

Instilling a culture of risk more broadly in the company

Providing timely, relevant risk reports to the board

Collecting, standardising and storing risk data

Using human judgment to supplement quantitative tools

Constructing a governance, risk and compliance framework

Managing the pace and amount of change

How effective is your organisation in each of the following areas?Please rate 1 to 5 where 1 is very effective and 5 is not effective at all. (% respondents)

31327

1

1

1234

1438

42

44

39

16

10

8

52138298

21434

31238

37

39

13

8

31940318

112284613

211294414

21644335

1 Very effective 2 3 4 5 Not effective at all

39

38

32

29

26

21

21

12

5

6

Uncertainty over future regulation

Poor communication across departments

Insufficient data

Risk management function lacks authority

Lack of confidence in existing risk management tools

Inadequate real-time (intra-day) risk management

Lack of adequate investment

Use of spreadsheets in risk management


There are no barriers

What do you consider to be currently the main barriers to effective risk management in your organisation? Select up to three. (% respondents)





44

32

31

31

26

26

22

15

14

1

Compliance and governance

Stress-testing

Firm-wide risk

Liquidity risk

Credit portfolio management

Asset liability management

Risk forecasting

Fraud risk

Credit scoring (if applicable)


In which of the following areas has there been most change – if any – in the need for expertise in personnel and technology in your organisation over the past 12 months? Select up to three. (% respondents)

42

40

32

26

20

18

17

14

9

8

3

7

Compensation linked more closely to long-term performance

More stringent capital and capital reserve requirements

More data transparency / auditing

Stronger macro-prudential regulation

Break-up of banks and insurers seen as “too big to fail”

Living wills (plans requiring banks to stipulate in advance how they would raise funds in a crisis and how their operations could be dismantled after a collapse)

Greater restrictions on derivatives and securitisation sectors

Greater restrictions on over-the-counter products / trading

Mandatory clearing and settlement of trades

Tax aimed at curbing speculative currency transactions

Other, please specify

None of the above

Which of the following potential regulatory changes do you think would most benefit the risk management system in your organisation? Select up to three. (% respondents)





Chief Risk Officer

Risk committee

Board member with expertise in risk

CRO reporting to board or executive directors frequently

Does your organisation currently have the following? (% respondents)

221265

171173

221167

291457

Yes, already have No, but intend to recruit No plans to recruit

23

8

8

8

6

4

4

3

1

1

1

1

1

1

1

18

2

2

2

2

United States of America

United Kingdom

Australia

India

Singapore

Canada

Netherlands

Switzerland

France

Germany

Hong Kong

New Zealand

Nigeria

Sweden

China

Indonesia

Japan

Malaysia

Spain

Other

Where is your company headquartered? (% respondents)





35

23

20

19

3

Investment banking / wholesale capital markets operations / investment management

Corporate / commercial banking

Retail banking

Insurance

Reinsurance

What is your primary industry / sector? (% respondents)

26

6

6

7

19

8

8

21

$100 million or less

Between $100 million and $249 million

Between $250million and $499million

Between $500 million and $999 million

Between $1 billion and $4.9 billion



Greater than $25 billion

Which of the following categories best describes your organisation by revenue?(% respondents)

7

16

9

3

12

25

3

8

15

2

Board member

CEO/President/Managing director

CFO/Treasurer/Comptroller

CIO/Technology director

Other C-level executive

SVP/VP/Director

Head of business unit

Head of department

Manager

Other

Which of the following best describes your title? (% respondents)


While every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd. nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this white paper or any of the information, opinions or conclusions set out in this white paper.

Cover image - © FOTOCROMO/Shutterstock

LONDON26 Red Lion SquareLondon WC1R 4HQUnited KingdomTel: (44.20) 7576 8000Fax: (44.20) 7576 8500E-mail: [email protected]

NEW YORK750 Third Avenue5th FloorNew York, NY 10017, USTel: (1.212) 554 0600Fax: (1.212) 586 0248E-mail: [email protected]

HONG KONG60/F, Central Plaza18 Harbour RoadWanchai Hong KongTel: (852) 2585 3888Fax: (852) 2802 7638E-mail: [email protected]

GENEVABoulevard des Tranchées 161206 GenevaSwitzerlandTel: (41) 22 566 2470Fax: (41) 22 346 93 47E-mail: [email protected]