Global risk management survey, seventh edition
Navigating in a changed world
Financial Services
Foreword
Dear Colleague,

We are pleased to present Deloitte's Global risk management survey, seventh edition, our latest assessment of the state of risk management at financial services institutions around the world.

The financial services industry is emerging from an extraordinarily unsettled period. The global financial crisis was marked by market volatility, a lack of liquidity in many financial markets, and heightened systemic risks. The turmoil of the last several years has underscored the critical importance of risk management and led government officials, regulators, and industry leaders alike to set new expectations for risk management.

Regulatory requirements are being rethought and fundamentally revised with the goal of reducing systemic risk to the financial system. Therefore, the boards of directors and senior management of financial institutions are reexamining their approaches to risk management, including their risk frameworks, governance, and methodologies.

At many institutions, boards of directors are taking a more active role in providing oversight of risk management, including establishing the risk management policy and framework and approving their institution's risk appetite. More institutions have a Chief Risk Officer, who is often a member of the senior management team and has direct access to the board of directors or the board's risk committee. Enterprise risk management programs are becoming more commonplace across the industry, and at many institutions, especially in Europe and Canada, the work of implementing Basel II has been largely completed.

But while progress has been made, risk management now faces even more rigorous requirements. There is likely to be wider use of tools that have been demonstrated useful in measuring risks, such as stress tests; the precision of risk models may also be evaluated more closely. Institutions that have not already adopted enterprise-wide risk management programs may be more likely to do so. Senior management at many institutions may consider how they can build a more risk-aware culture, in part by incorporating risk management considerations into performance goals and compensation decisions for key employees throughout the organization.

Financial services institutions may also need to be prepared to comply with fundamental regulatory change. The Basel III framework includes requirements for higher levels of capital and greater liquidity. There are also important changes to regulatory frameworks in individual countries: The 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act constitutes the most important set of changes to financial regulation in the United States since the 1930s; similar regulatory changes are proposed for the European Union; and the United Kingdom has announced plans to abolish the Financial Services Authority and to have the Bank of England assume a greater role in prudential regulatory oversight.

Deloitte's survey provides a picture of the state of risk management as financial services institutions respond to enormous changes across the industry. This assessment is based upon the responses of 131 financial institutions from around the world with more than $17 trillion in total assets; we wish to express our appreciation to each of the institutions that participated.

We hope that this survey report provides you with useful information about how financial institutions are navigating the challenges of risk management today and encourages a dialogue that can help enhance risk management in a changed world.

Sincerely,

As used in this document, "Deloitte" refers to Deloitte Touche Tohmatsu Limited, a U.K. private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

After the turmoil of the global financial crisis characterized by financial market dislocations and loss of liquidity,[1] many world economies and financial markets appear to be strengthening, but serious concerns remain. Although the financial services sector is recovering, institutions are not returning to the same playing field; instead, they are operating in a changed world marked by fundamental shifts. During the last few years, risk management assumptions and methods have been challenged as never before.

As a result, many institutions are rethinking their risk management governance models, including a more active role for their boards of directors in overseeing risk management. Some risk management methodologies may need to be reassessed and validated to assess whether they adequately measure the "tail" risk from rare, but potentially catastrophic, events. Many institutions are revising their business models in response to the global financial crisis and the regulatory changes that have resulted, and so risk management programs may need to adjust accordingly. A wave of regulatory change will almost certainly mean greater oversight especially for institutions that are deemed to be systemically important.

Deloitte's Global risk management survey, seventh edition, assesses the state of risk management in this new environment. The survey was concluded during the third quarter of 2010: 131 financial institutions from around the world, with aggregate assets of more than $17 trillion and representing a range of financial services sectors, participated.

Key findings
• Roughly 90 percent of institutions had a defined risk governance model and approach, and 78 percent reported that their board of directors had approved their risk management policy or enterprise risk management (ERM) framework.
• The position of chief risk officer (CRO) continued to become increasingly prevalent. Eighty-six percent of institutions had a CRO or equivalent position, up from 73 percent in 2008 and 65 percent in 2002. The CRO has been given a high profile, reporting to the board level or to the chief executive officer (CEO), or both, at 85 percent of institutions. Fifty-one percent of institutions reported that the board of directors conducts executive sessions with the CRO, compared to 37 percent in 2008.
• In the wake of the global financial crisis, the importance of incorporating risk management considerations into performance evaluations and compensation decisions has been widely discussed; thirty-seven percent of institutions reported that they had completely or substantially done so for business unit personnel.
• More institutions have adopted ERM programs, as 79 percent of institutions reported having an ERM program or equivalent in place or in progress, an increase from 59 percent in 2008. The greatest challenges in implementing an effective ERM program, cited by roughly a quarter of institutions as extremely or very challenging, were integrating data across the organization and cultural issues.
• Institutions were far along in Basel II implementation, with 70 percent or more having fully or mostly completed implementation in the areas of external agency ratings (for the standardized approach), calculation and reporting, internal audit review, and governance and controls. Roughly one-third of executives expected that the Basel II rule revisions announced in July 2009 would have significant impacts on their strategy in such areas as entering new geographical markets, changing their business model, or conducting mergers and acquisitions.[2]

[1] "A defining characteristic of the crisis was the depth and duration of the systemic liquidity disruption to key funding markets - that is, the simultaneous and protracted inability of financial institutions to roll over or obtain new short-term funding across both markets and borders." Global Financial Stability Report: Sovereigns, Funding, and Systemic Liquidity, International Monetary Fund, October 2010.
[2] The Basel Committee has continued to strengthen its bank supervisory standards, particularly regarding banking regulatory capital and liquidity requirements as noted in its December 2010 releases, Basel III: A global regulatory framework for more resilient banks and banking systems, and Basel III: International framework for liquidity risk measurement, standards and monitoring.

• For insurance institutions subject to Solvency II, 70 percent or more said they plan to focus over the next 12 months on program initiation, gap analysis, and planning; risk governance; and Own Risk and Solvency Assessment (ORSA).
• Although the percentage of institutions that calculate economic capital increased since 2008, the practice was far from universal. Roughly two-thirds of institutions calculated economic capital for credit risk, market risk, and operational risk, while 29 percent did so for liquidity risk and 17 percent for strategic risk.
• The use of stress testing is increasingly commonplace across the industry, supplementing the use of Value at Risk (VaR) and other risk analytics. Eighty-eight percent of institutions used stress testing for risk factors affecting their credit portfolio, an increase from 79 percent in 2008, while 74 percent conducted stress testing for market risk in their trading book.
• More than 80 percent of institutions experienced significant impacts from regulatory changes in the countries where they operate; at 40 percent of responding institutions, these impacts included the need to maintain higher capital levels and the need to maintain higher liquidity ratios.
• Progress has been made by many institutions in implementing operational risk management methodologies. Roughly 60 percent of executives considered their operational risk assessments and internal loss event data to be extremely or very well developed, an increase from roughly 40 percent in 2008.
• Many institutions reported that they have additional work to do in improving their risk technology systems. While three-quarters of executives considered their institutions to be extremely or very effective in managing credit, market, and liquidity risk, a lesser 60 percent considered their technology systems to be very effective in supporting the management of credit and market risk, and 47 percent expressed the same concerning the management of liquidity risk. In terms of likely risk management technology improvements during the coming year, data quality and management and enhanced risk reporting were the two areas given the highest priority by survey respondents, at 48 percent and 44 percent, respectively.

The current economic and regulatory environment poses many challenges for financial institutions and in turn for risk management. Having flexible risk management programs may help financial institutions to be effective in adapting to new business models and changing regulatory requirements. Large, systemically important financial institutions may also have additional steps to comply with increased capital, liquidity, reporting, recovery, resolution, and other requirements.

Strong risk governance continues to increase in importance, and boards of directors will likely need to continue to be actively involved in providing input into, challenging, and approving the risk management framework and overseeing the program. The increasing prevalence of a CRO position as a member of the senior management team is a positive trend: The CRO can help clarify accountability for the risk management program and can aid the board by providing a view, independent of management, of key risk management issues and the institution's risk profile.

At many institutions, risk management programs are likely to include a growing spectrum of risk types, such as model risk, and to use more sophisticated techniques, such as stress tests. Risk technology and information systems may need to be upgraded to easily integrate risk data on a consistent basis across different products, geographies, and counterparties. In the final analysis, an institution's risk profile can be defined by the sum total of business decisions taken every day by employees throughout the organization. The linkages between business operations and effective risk management should continue to be assessed and nurtured.

In addition to a focus on risk management methodologies and reporting, senior management may need to further develop a risk-aware culture throughout the organization. One important consideration in this effort is the closer alignment of performance management and incentive compensation with risk considerations and accountability. Beginning with strong governance by the board of directors and senior management, and continuing with a focus on risk management by every employee, institutions may be better positioned to navigate effectively the challenges of a changed world for risk management.

Deloitte's Global risk management survey, seventh edition, was conducted during the third quarter of 2010, as the financial markets and the world economy were climbing back from the impacts of the global financial crisis. The survey assessed the current status of risk management programs in the financial services industry - common practices, enhancements being made, and remaining challenges - based on responses from 131 financial institutions from across geographic regions and industry sectors, and of varying asset sizes. (See "About the survey.")

Growth returns
After contracting by 0.6 percent in 2009, the world economy returned to growth: The IMF estimated the world economy grew by 5.0 percent in 2010 and that it will grow by 4.5 percent in 2011, largely due to expected growth of 6.5 percent in emerging economies this year. During 2010, the recovery remained tenuous in the United States and in many other developed economies, and there were concerns about whether growth could be sustained and the possibility of a double-dip recession in some economies.

Although the markets for securitized assets, such as CDOs, remained a fraction of their size as compared to before the crisis, securities issuance broadly has recommenced and corporate M&A activity has returned. Equity markets have posted positive returns, with the MSCI World Index for developed countries gaining 9.55 percent in the 12 months through December 31, 2010.

In response to the global financial crisis, many major economies undertook fiscal stimulus programs in an effort to spur economic growth, although a significant number of these programs are now winding down. On the monetary front, the U.S. Federal Reserve and the Bank of Japan reduced short-term government interest rates to at or near zero percent.

These initiatives have led to concerns about rising levels of public debt. According to the IMF, gross government debt in the world's developed economies, which was 70 percent of GDP in 2007, rose to 97 percent in 2009 and is expected to reach 110 percent by 2015. In 2010, Greece required a $145 billion financial rescue package from the European Union and the IMF, while Ireland required a package of $112 billion. There were also concerns about sovereign debt in other countries such as Portugal, Spain, and Italy. On the other hand, interest rates on U.S. Treasuries and German government bonds remained below three percent. These conflicting signals have fueled a vigorous debate about whether governments should take immediate action to bring down debt levels or whether the short-term priority should be to further stimulate the economy. The decision by the U.S. Federal Reserve in November 2010 to purchase $600 billion in Treasury securities in a second round of "quantitative easing" generated additional controversy over the potential impact on the value of the dollar and on asset prices in other markets, especially in developing markets.

Stabilizing the financial sector
In many countries, governments provided assistance to their financial institutions, including through the Troubled Asset Relief Program (TARP) in the United States. By the end of 2009, Tier 1 capital among global financial institutions had risen to more than 10 percent, with more than half the capital coming from governments, according to the IMF. In October 2010, the IMF estimated total write-downs and loan provisions from the global financial crisis by banks at $2.2 trillion, with three-quarters of this amount already reported and $550 billion estimated still to be realized. While these government initiatives helped to stabilize the financial system, they have also led to public criticism of financial assistance being provided to major financial institutions. In the wake of the crisis, there have also been a number of regulatory investigations and legal actions involving individuals and firms.

Many financial firms have recovered from the crisis and are now returning to profitability. In the United States, many of the major banking institutions have now repaid the financial assistance they received under the TARP program, although balances remain among other recipients in housing finance, insurance, and the auto industry. In addition, significant unrepaid balances remain among institutions in Europe that received government capital infusions. In 2009, the U.S. Federal Reserve and other bank supervisors conducted a stress test based assessment of the capital held by the 19 largest U.S. bank holding companies, which increased transparency and appeared to bolster confidence among investors. In 2010, the Committee of European Banking Supervisors also conducted stress tests of European banks. In late 2010, a new round of stress tests in both the U.S. and Europe was announced.

A changed world
The responses to the global financial crisis on the part of governments, regulatory authorities, and financial institutions are leading to fundamental changes in the environment for financial services.

Industry restructuring. The global financial crisis spurred further consolidation of the industry as some major institutions closed and others merged with stronger competitors. Increasing regulatory capital requirements for larger financial institutions could potentially lead to additional growth for nonbank financial institutions subject to less stringent regulation.

New business models. In the United States, the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) prohibited most proprietary trading by banks and required that most derivative products be traded on exchanges and centrally cleared. This may lead some banks to spin off their hedge funds and private equity subsidiaries and to close their proprietary trading desks. It may also create opportunities for small and mid-size firms to compete in the "white space" vacated by the major players. These changes may also pose additional risks - operational, counterparty credit and/or funding - for those that interact with these newly separate entities.

More regulation and government oversight. There has been a wave of regulatory change, with stricter requirements and enhanced scrutiny in many countries; there has been a shift in mind set with regard to regulatory supervision - more aggressive and with higher demands for data and information to support representations made by financial institutions to their regulators. The United States has been an early mover on financial regulatory reform and in a quite sweeping way, relative to many other jurisdictions: The Dodd-Frank Act was the greatest change to financial regulation in the United States since the 1930s. In the United Kingdom, the government announced in 2010 a major reorganization of regulatory oversight, with the Financial Services Authority (FSA) being abolished and its prudential regulatory responsibilities being assumed by a subsidiary of the Bank of England. In both the United States and the United Kingdom, new regulatory agencies are being created to monitor compliance with consumer protection regulations.[8] Additional regulatory changes are also anticipated by the European Union.

The Basel III requirements, originally proposed in December 2009 and issued in December 2010, may have the greatest impact. The new requirements include higher levels of capital, with a focus on requiring a higher "quality" of capital such as common equity, as well as new leverage and liquidity ratios for institutions. Basel III builds on the Basel II framework, with the intent of strengthening the regulation, supervision, and risk management of banks.

There has been an active debate on the possible impact that the changes in Basel III would have on economic growth. In June 2010, the Institute of International Finance issued an analysis that concluded the proposed changes could reduce the absolute level of GDP in developed countries by approximately three percent by 2015.[9] In August 2010, the Basel Committee on Banking Supervision issued its own analysis, concluding that absolute GDP would be 0.6 percent lower during an assumed four year implementation than it otherwise would have been, but then would be higher over the long term due to fewer financial crises.[10] The eventual, full impact of Basel III and other regulatory changes remains to be seen and will depend to a great extent on the specific regulations that are put in place to implement them.

[8] "UK Banking after the Crisis," presentation by Charles Randell, Slaughter and May, October 2010.
[9] "Super Model," The Economist, August 19, 2010.
[10] Ibid.

About the survey
This report presents the key findings from the seventh edition of Deloitte's ongoing assessment
Survey participants also represented a variety of financial sectors, with most being integrated financial organizations, insurance companies, retail banks, and commercial banks (see Figure 2).
The institutions providing asset management had total assets under management of $14.1 trillion.

Figure 1
Participants by headquarters location
Categories: U.S. & Canada; Latin America; Europe; Middle East & Africa; Asia Pacific

Figure 2
Participants by primary business
Categories: Integrated financial organization; Insurance company; Retail bank; Commercial bank; Asset management; Government-related finance company; Other

Figure 3
Participants by asset size

Figure 4
Which of the following steps has your organization taken In response to recent
concerns regarding risk governance?
Note: Percentages total to more than 100% because respondents could make multiple selections.

Institutions are also devoting more resources to risk management. Committing an adequate number of professionals with the appropriate skills and at the appropriate levels provides the foundation for effective risk management and has been an area of focus for regulators over the last several years. Looking ahead, almost 80 percent of executives expected their institution's spending on risk management to increase over the next three years, with 29 percent expecting increases of 25 percent or more.

In the risk management policy and ERM framework and should establish risk governance and oversight, define the institution's risk management roles and responsibilities, define the role of business units in risk management, and specify the process for ongoing monitoring of risk management.[11] Roughly two-thirds of institutions said their boards of directors had approved the organization's risk appetite statement or the risk policy framework adopted by management.

Review and approval of overall risk management policy and/or ERM framework
Note: Percentages total to more than 100% because respondents could make multiple selections.

[11] Getting Bank Governance Right, Deloitte Center for Banking Solutions, August 2009, Deloitte Development LLC.

Centralization of risk management
Most institutions had a risk management structure that was either centralized or a mix of centralized and decentralized, with few following a highly decentralized approach. Roughly 70 percent of institutions reported using a centralized approach to setting risk policy and standards, and to defining their risk appetite and setting limits, while two-thirds did so for reviewing their compensation plan to consider the impact of risk factors. The areas where institutions were most likely to follow a mixed approach were in identifying and assessing key risks (47 percent), selecting and implementing risk mitigation strategies (44 percent), and monitoring and identifying emerging risks (47 percent).

Since 2008, a number of institutions moved from a decentralized to a more centralized approach; the latter may help support more consistent policy and supporting methodologies across organizations. Seventeen percent of institutions took a decentralized approach to monitoring compliance with risk limits, down from 28 percent in 2008, while 24 percent took a decentralized approach to assessing the effectiveness of risk mitigation and controls, compared with 33 percent in 2008.

Regional perspective
There were some significant differences among regions in the responses of institutions to governance enhancements. Institutions in the United States/Canada were more likely to have made changes to their management risk committee. Among institutions in the United States/Canada, 64 percent reviewed the structure of the management risk committee, compared with 45 percent among European institutions and less than 40 percent in Asia/Pacific and Latin America. In the United States/Canada, 83 percent of institutions increased the reporting of information to the management risk committee, while 61 percent in Europe, and half or fewer in other regions, did so. In contrast, 73 percent of European institutions updated their risk appetite statement, compared with 39 percent in the United States/Canada, 40 percent in Asia/Pacific, and 33 percent in Latin America. It is possible that more European institutions may have updated their risk appetite statements in conjunction with Basel II Pillar II Internal Capital Adequacy Assessment Process (ICAAP) and Solvency II ORSA efforts, where Europe is generally ahead of other regions.

Infusing risk management throughout the organization

New business initiatives
One of the decisions that can have important implications for risk management is deciding to introduce a new product or enter a new business, and both financial institutions and regulators are increasing their focus in this area. In their business and product approval process, almost all institutions reported considering more traditional major risk types - operational (94 percent), regulatory (91 percent).

The current survey's results identified that 37 percent of institutions have completely or substantially incorporated risk management considerations into performance goals across their organizations. For senior management, 56 percent of institutions have incorporated risk management responsibilities into their performance process, increasing somewhat from 49 percent in 2008. For business unit personnel, 37 percent of institutions have incorporated risk management responsibilities into performance evaluations.

The survey revealed that many institutions are still in the process of adopting changes recommended by regulators and others to better integrate risk management into incentive compensation. For senior management, 82 percent of institutions reported that they required that a portion of the annual incentive be tied to overall corporate results (see Figure 8). For senior management, 64 percent of institutions sought to balance their emphasis on short-term versus long-term incentives, 57 percent paid their incentive in company stock, and 52 percent deferred payouts linked to future performance. Further, a comparatively lower 31 percent of institutions matched the timing of payouts to senior executives to the term of the risks involved, and 26 percent had instituted clawback provisions in the event of misconduct or the overstatement of earnings.

Figure 8
Do you incorporate the following risk management considerations into your incentive plans for senior management?
Note: Percentages total to more than 100% because respondents could make multiple selections.

The survey found that adoption of ERM has increased sharply. Fifty-two percent of institutions reported having an ERM program (or equivalent), up from 36 percent in 2008 (see Figure 9). Large institutions are more likely to face more complex and interconnected risks, and among institutions with total assets of $100 billion or more, 91 percent reported either having an ERM program in place or in the process of implementing one.

Figure 9
Does your organization have an ERM program, or equivalent?

ERM program coverage
Among survey respondents, ERM programs almost always covered the major risk categories of operational risk (98 percent), credit risk (96 percent), and market risk (93 percent). Liquidity risk was covered by 92 percent of ERM programs, up from 82 percent in 2008; this increase seems understandable given the liquidity concerns during the global financial crisis. The coverage of a wide range of risks by an ERM program allows the risk function to contribute more effectively to strategic decisions, because it has a more comprehensive view of risk across the organization.

Other risk categories were included in fewer ERM programs. The importance of managing the risk that models may not accurately assess the probability or severity of potential risk events was highlighted in the global financial crisis. Forty-eight percent of institutions reported that their ERM programs addressed model risk, which was down from 58 percent in 2008. However, 72 percent of larger institutions in the survey said that their ERM programs did cover model risk.

This and the remaining questions related to ERM were only asked of those institutions that reported having an ERM program or an equivalent.

Risk appetite
To support the effectiveness of an ERM program, an institution should consider having an approved enterprise-level statement of risk appetite. Forty-eight percent of institutions reported having an approved, written, enterprise-level statement of risk appetite, while another 24 percent were in the process of defining their risk appetite statement or having it approved. Financial institutions can benefit from having an explicit statement of risk appetite, reviewed and approved by the board of directors as an important part of their oversight responsibilities. The risk appetite statement can then be translated into specific limits and tolerances for businesses and for specific risk categories.

In translating the risk appetite into specific risk limits, roughly three-quarters of institutions set limits for market, credit, and liquidity risk at the enterprise level. About half the institutions established limits at the level of business units for market risk (49 percent), credit risk (56 percent), and liquidity risk (40 percent), and even fewer had limits at the trading desk level for market risk (45 percent), credit risk (30 percent), and liquidity risk (11 percent). Establishment of risk limits for different categories of risk can be an important step towards monitoring that an institution's activities are consistent with its risk appetite. Institutions may set limits for important risk categories at the enterprise level, and many institutions may also benefit from having limits at the business unit level.

Value of ERM
ERM programs allow institutions to achieve a holistic view of risk across risk categories and lines of business. Fully 85 percent of executives felt the value of their ERM program was greater than its cost; yet, many executives found the value of ERM difficult to quantify. While 48 percent of executives said that the overall value of their ERM program was much greater than its cost, 23 percent said the same about its quantifiable financial value. Although the full value may not be quantified, most executives felt ERM provided significant value in specific areas: an improved understanding of risks and controls (81 percent), an increased ability to escalate critical issues to senior management (76 percent), an enhanced risk culture and a better balance of risks and rewards (73 percent), and improved perceptions by the regulators (72 percent).15 For each of these items, executives were more likely to believe that their ERM programs provided significant value. Three-quarters or more of the executives felt that their ERM programs provided significant value as compared with no more than half in 2008.

Risk management data challenges
While the value of ERM has increased, so have the challenges of implementing an effective program. The top-rated issue was integrating risk data across the organization, which was rated as an extremely or very significant challenge by 74 percent of executives. Sixty percent of executives gave this rating to data integrity, an increase from 45 percent in 2008. Institutions need the ability to integrate accurate risk data in a timely fashion to support risk reporting and business decision making. Establishing common data standards and definitions is an important element in successful data integration. (See "Risk management systems and infrastructure" later in this report.)

Institutions also recognized that they may need methodologies and metrics that have the flexibility to respond to the evolving requirements of boards of directors, senior management, and regulators. Developing risk technology systems and having appropriate risk methodologies and metrics were each considered to be extremely or very significant challenges by roughly 60 percent of executives, compared to one-third for each issue in 2008.

These findings are understandable. Periods of economic or market instability, such as the global financial crisis, can severely test the information capabilities of financial institutions. Such times help highlight the importance of the ability to aggregate risk data across the organization from different lines of business to achieve a consolidated view of an organization's risk profile, for example, when assessing counterparty risk or exposures to particular markets which impact different business areas.
Figure 10
Which of the following individuals or groups receive risk reporting at the enterprise level for each risk type?
(Chart not reproduced; recoverable legend entries: CRO; Business unit heads (executive level); Other.)
Note: Percentages total to more than 100% because respondents could make multiple selections.
The scope of risk management information commonly reported to the board of directors is indicative of the range and depth of risk management oversight. While this is a new area of focus in our survey, based on changes in market practices, our expectation was that risk reporting to the board of directors would be increased. The survey found that roughly three-quarters of institutions reported risk information to the board of directors on risk concentrations, operational failures, and stress testing, while two-thirds reported on new and emerging risks and on utilization versus limits (see Figure 11). Given the growing risk management oversight responsibilities of boards illustrated by this survey's findings and the importance of these issues, one may expect more institutions to report this information to their boards of directors more frequently in the future, based on the business mix and relevant risks for the institution.
Figure 11
Which of the following types of risk information does your organization currently report to the board of directors?
(Chart not reproduced; recoverable category labels: Risk concentrations; Operational failures; Stress testing; Systemic risk; Shareholder/customer complaints; None (1%).)
Note: Percentages total to more than 100% because respondents could make multiple selections.
16 Brief Summary of the Dodd-Frank Wall Street Reform and Consumer Protection Act, U.S. Senate, http://banking.senate.gov/public/_files/070110_Dodd_Frank_Wall_Street_Reform_comprehensive_summary_Final.pdf; Financial Services Act 2010, Financial Services Authority, http://www.fsa.gov.uk/Pages/About/Who/Accountability/fsact_2010/index.shtml
Regulatory and economic capital
17 Basel III: A global regulatory framework for more resilient banks and banking systems was issued by the Basel Committee on Banking Supervision, December 16, 2010, http://www.bis.org/publ/bcbs189.htm
18 Basel III: International framework for liquidity risk measurement, standards and monitoring was issued by the Basel Committee on Banking Supervision, December 16, 2010, http://www.bis.org/press/p101216.htm
(Chart not reproduced; panel title: Operational Risk; legend entries: Advanced Measurement Approaches; Standardized/Alternative Standardized Approach; Basic Indicator.)
Base: Respondents at institutions subject to Basel II
19 The remaining questions related to Basel II were asked of institutions that either were subject to Basel II or had adopted Basel II although not subject to it.
With the benefit of two additional years since the last Deloitte risk management survey, most institutions were now much farther along in their implementation of Basel II than they were in 2008. Seventy percent or more of institutions reported that work had been completed or is mostly done on external agency ratings (for the Standardized Approach), calculation and reporting, internal audit review, securitizations, and governance and controls (see Figure 13). For other items, such as scenario analysis, technology infrastructure, and analytics and calibration, about half of the institutions reported having completed most of the required work.
Figure 13
What level of progress has your organization made with respect to implementing each of the following areas for the purposes of Basel II?
(Chart not reproduced; recoverable category labels: Securitizations; Stress testing; Incorporation of CRM; Pillar II/ICAAP; Technology infrastructure; Scenario analysis.)

Figure 14
Which impacts do you expect the July 2009 Basel II rule revisions will have on your business?
(Chart not reproduced; recoverable category label: No impacts expected.)
Note: Percentages total to more than 100% because respondents could make multiple selections.
Figure 15
How much of an impact do you expect each of the following aspects of the regulatory changes proposed by the Basel Committee on Banking Supervision in December 2009 would have on your organization?

In December 2009, the Basel Committee issued new proposed guidance around tighter capital and liquidity standards in an effort to promote a more resilient banking system, and many executives also anticipated that these would have important impacts. Roughly 40 percent of executives expected that the following proposed changes would have a substantial or significant impact on their institutions: introduction of a leverage ratio, enhancements of the capital base, and strengthened counterparty capital requirements (see Figure 15). Executives at large institutions were more likely to expect significant impacts than were those across the entire survey population, with more than half expecting substantial or significant impacts from an enhanced capital base, strengthened counterparty capital requirements, introduction of countercyclical capital adjustments, and introduction of minimum liquidity requirements.

Although most institutions were well along in their Basel II implementation, challenges remain (see Figure 16). Implementing Basel II requires significant expertise and resources, as well as having broad impacts on an institution's infrastructure in such areas as data, technology systems, business processes, analytics, and reporting. The areas that were most often considered by executives to be extremely or very challenging in their Basel II implementation were internal resources and budget (55 percent), technology infrastructure (46 percent), and internal models (40 percent).
Figure 16
How challenging are each of the following issues for your organization in relation to your Basel II implementation effort?
(Chart not reproduced; recoverable category labels: Home/host supervision; M&A integration; Strict deadlines; Accountability/ownership.)
performance reporting (87 percent), capital management and planning (87 percent), and management information on risk profile (80 percent), while roughly two-thirds cited decisions on asset mix strategy and also on strategy and planning (see Figure 17). Among the institutions that intended to use internal models for Solvency II, 40 percent planned to use them to prioritize risk management activity and 20 percent for executive compensation decisions. In particular, the requirements to meet the Solvency II use test, as well as the requirements laid out in Solvency II with respect to the need to embed risk management in executive remuneration, tend to encourage the consideration of internal model results in these areas.
Figure 17
In which areas do you plan to use your internal model as part of the decision-making process for Solvency II?
(Chart not reproduced; recoverable category labels: Pricing of business; Product development; Executive compensation.)
Base: Companies that provide insurance services and are subject to Solvency II.
Note: Percentages total to more than 100% because respondents could make multiple selections.

Figure 18
For which of the following risk types do you calculate economic capital?
(Chart not reproduced; recoverable category labels: Market; Operational; Counterparty credit; Mortality; Morbidity; Liquidity; Catastrophe; Strategic; Systemic.)
Note: Percentages total to more than 100% because respondents could make multiple selections.
economic capital for credit risk (68 percent), market risk (65 percent), interest rate risk of the balance sheet (61 percent), and operational risk (60 percent). For other important risk types, the percentages of institutions calculating economic capital were much lower. Twenty-nine percent of institutions reported calculating economic capital for liquidity risk and 17 percent for strategic risk.

To gain an assessment of risks across the organization, 60 percent of institutions used a summation approach. Additionally, other approaches to aggregating risks were used: 28 percent used variance/covariance approach, 17 percent used the hybrid approach (square root of sum of correlated squares), while roughly 10 percent each used copulas and square root of sum of squares.a Among large institutions, about one-third used one or more of these techniques.

Use of economic capital
The uses of economic capital are now more widespread than was true in the 2008 survey, ingrained in both risk and broader management arenas and indicating that economic capital is now a more mature technique. In the current survey, 64 percent of institutions used economic capital at the board/senior management level for strategic decision making, and 62 percent at the enterprise level to allocate economic capital, compared to 53 percent and 56 percent, respectively, in 2008. Similarly, roughly 45 percent used economic capital at the transaction level for risk-based pricing and at the desk/product level for risk/return optimization of product mix, up from about 30 percent each in 2008. While the use of economic capital in compensation decisions was reported at 30 percent of institutions, this was double the figure of 15 percent in 2008.

Large institutions reported making more use of economic capital in their decision making. Among institutions with $100 billion or more in assets, n percent used it at the enterprise level to evaluate/allocate economic capital, 74 percent for strategic decision making by the board and senior management, 65 percent at the business unit level to evaluate risk-adjusted performance, and 40 percent to make compensation decisions.

Economic capital was also used more widely by institutions in Europe than by those in other regions. For example, 77 percent of European institutions used economic capital for strategic decision making at the level of the board of directors and senior management, compared with 63 percent in Asia/Pacific and 48 percent in the United States/Canada. Similarly, economic capital was used by 47 percent of European institutions in compensation decisions, while it was used in this way by only 26 percent of institutions in Asia/Pacific and 23 percent of institutions in the United States/Canada. The responsibility for reviewing and approving economic capital reporting and results was placed with the board of directors at 47 percent of institutions, while 23 percent chose senior management. The remaining 30 percent placed this responsibility with functional groups, such as finance or risk management. Given its importance, one would expect the responsibility to review economic capital reporting and approve results would be placed with the board of directors or senior management.

Economic compared to regulatory capital
Economic capital was now reported as greater than regulatory capital at most institutions, in contrast to survey results in 2008. Sixty-three percent of institutions reported that economic capital was higher than regulatory capital, up from 46 percent in 2008, and 26 percent said that regulatory capital was greater, a drop from 42 percent in the prior survey. This shift towards higher economic capital is consistent with a better recognition by many institutions of the greater risk associated with their businesses due to economic cycle factors: Economic capital levels are typically more volatile and sensitive to risk conditions, while regulatory capital tends to be more stable. It may be, too, that institutions have generally strengthened the coverage and assumptions in their economic capital models during the recent period.

n Percentages total to more than 100% because respondents could make multiple selections.
Figure 19
How effective do you think your organization is in managing each of the following types of risks?
Percent responding extremely or very effective
(Chart not reproduced; recoverable category labels: Liquidity; Regulatory/compliance; Credit; Budgeting/financial; Mortality; Liability management; Business continuity/IT security; Country/sovereign risk; Fraud; Reputation; Strategic; Data integrity; Vendor/service provider; Human resource; Model; Catastrophe; Geopolitical; Systemic.)
Note: Percentages total to more than 100% because respondents could make multiple selections.
Several risks that became more apparent in the global financial crisis continue to present challenges for most institutions. Forty-four percent of executives rated their institution as extremely or very effective in managing risks due to problems with data integrity, and 41 percent rated their institution highly for managing model risk. At the individual institution level, there may be difficulty in addressing systemic risk; however, 37 percent of executives indicated steps were being taken to do so and considered their institution to be extremely or very effective in managing this risk type.

Credit risk
The global financial crisis led to large credit losses being incurred in some segments of the market, although these losses appear to have been abating over the last year. The 2010 review of large syndicated credits by U.S. regulators concluded that credit quality in the United States remained weak, although the volume of criticized loans decreased by more than 30 percent from the record levels reported in 2009.23 In Europe, concerns about sovereign debt and potential sovereign defaults have galvanized attention, as well as having knock-on effects to individual financial institutions. In the United States, precarious finances among state governments and their potential impact on municipal debt markets are starting to gain attention. In China and some of the other developing markets, there is concern about the potential for asset bubbles, and the future fallout on loan collateral if asset bubbles do form and then correct themselves.

Credit risk management roles and responsibilities
The credit risk function has a broad mandate, and as the survey results show, the mandate is increasing. Views in the industry on the role of credit risk management are not consistent, and there are different roles and operating models. Because many of the losses sustained by financial institutions over the past three years were a result of write-downs in their investment and trading portfolios, the credit risk management function in many institutions has extended its focus to include both issuer and counterparty risk. Credit risk management responsibilities increasingly include issuer and counterparty measurement, limit setting, and reporting. Such activities help provide enterprise-wide control of credit exposure that includes the totality of credit risk, encompassing loans, investments, and off-balance instruments.

At least half the institutions participating in the survey included 10 different areas as primary responsibilities of their institution's credit risk management function. The items cited most often as primary responsibilities were risk identification, analytics, and reporting (80 percent); developing and implementing the risk management framework, methodologies, and standards (76 percent); monitoring risk exposures (74 percent); and escalating risk issues to the CEO and the board of directors where appropriate (71 percent).

Credit risk mitigation
For underlying and issuer credit risk, the most commonly used credit risk mitigation tools were collateral (65 percent), guarantees (60 percent), the default management process (48 percent), and syndication and participation (45 percent). Among survey respondents, 34 percent of institutions used credit derivatives as a credit risk mitigation tool, although 57 percent of institutions with $100 billion or more in assets did so. The survey found a significant increase since 2008 in the use of several credit risk mitigation tools for counterparty credit risk. The use of collateral jumped to 88 percent of institutions from 54 percent in 2008, while the use of guarantees rose to 65 percent from 45 percent, and the use of syndication and participation (e.g., whole loan sales) rose to 47 percent from 34 percent.

Credit risk measurement
In measuring counterparty credit exposures, institutions are using a number of techniques, more than were observed in the 2008 survey. For measuring counterparty credit risk, the use of principal/notional (e.g., by industry, sector, or geography) increased to 81 percent of institutions from 61 percent in 2008, the sum of potential exposures for individual transactions jumped to 75 percent from 51 percent, and potential exposure by counterparty/issuer using analytical method to 62 percent from 48 percent.

For assessing underlying and issuer credit risk, the most common approach was principal/notional, used by 79 percent of institutions, an increase from 69 percent in 2008. However, there were a number of additional analytics that were included in the 2010 survey for the first time that were widely used: probability of default (65 percent), loss given default (63 percent), and exposure at default (60 percent). These analytics allow institutions to assess credit risk and are consistent with the efforts by many institutions to employ economic capital and to comply with the requirements of Basel II. A continuing area of credit risk measurement development is the ability of institutions to get a complete, single view of customer exposure across different regions, product areas, business units, and legal entities.

23 Shared National Credits Program: 2010 Review, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision, September 2010.
Stress testing across the enterprise has evolved and become much more robust for us, coming through our Basel II implementation. We've improved the rigor of our stress testing and now work through numerous variables and correlations to arrive at a comprehensive set of scenarios; these help drive our capital planning process and are a central feature of quarterly reporting to the board risk committee.
- Chief risk officer, global bank
Credit risk stress testing
Stress testing is an important tool that tests the resiliency of the institution in the face of adverse economic and market conditions, and it is increasingly an area of focus by the regulators in determining capital adequacy. Eighty-eight percent of institutions reported using stress tests for risk factors affecting the credit portfolio, an increase from 79 percent in 2008. Among institutions that employed stress testing for their credit portfolio, 78 percent employed them for default rates by underlying factors, 69 percent for interest rate changes, and 62 percent for recovery rates, all higher than in 2008. Stress testing was even more common among institutions with $100 billion or more in assets: Ninety-seven percent used them for default rates by underlying factors and 72 percent for recovery rates.

Thirty-three percent of institutions used stress testing for correlation risks, although 52 percent of large institutions did; this is an application of stress testing that more institutions may wish to consider. However, there are difficulties in employing stress tests to correlation risks: Correlation data is difficult to obtain in the first place, and the historical series of correlation results required to formulate relevant stress tests are more difficult still.

Market risk
Value at risk (VaR)
The propriety of various tools to manage market risk has been under intense scrutiny. VaR has been a widely used tool to assess risk but has come under criticism, especially when used alone. By focusing on the potential volatility in a portfolio at some predefined percentage of the time, such as 99 percent, VaR has been criticized for not focusing on so-called tail or "Black Swan" events, which are rare but can have devastating impacts when they occur. Further, because VaR is often based on a normal distribution, it may underestimate how often such events may occur.

Institutions in the current survey were using VaR somewhat less often than in 2008 for various asset classes. Sixty-four percent of institutions reported that VaR extensively covered fixed income, down from 73 percent in 2008, while 25 percent said it extensively covered asset-backed securities and structured products, down from 38 percent. Among those using VaR, more institutions were using a variety of specific VaR methodologies. The percentage of institutions using historical simulation with full revaluation rose to 54 percent from 46 percent in 2008, while the percent using variance/covariance based on first-order Greeks rose to 38 percent from 31 percent.

However, there may well be new demands for the use of VaR. The new rules for separation of over-the-counter (OTC) derivatives businesses in the Dodd-Frank legislation in the United States, and that have been proposed in Europe, will require institutions to be able to calculate market risk measures such as VaR for the entities into which OTC derivatives will be transferred.

Market risk stress testing
Some have recommended that institutions supplement VaR with stress testing. The Basel Committee's publication, Principles for sound stress testing practices and supervision, addressed this, stating: "Stress testing should provide a complementary and independent risk perspective to other risk management tools such as value-at-risk (VaR) and economic capital. Stress tests should complement risk management approaches that are based on complex, quantitative models using backward looking data and estimated statistical relationships. In particular, stress testing outcomes for a particular portfolio can provide insights about the validity of statistical models at high confidence intervals, for example those used to determine VaR."24

24 Principles for sound stress testing practices and supervision, Basel Committee on Banking Supervision, May 2009.
Among the survey participants, 74 percent of institutions conducted stress tests for the trading book and 51 percent for the structured products book. Larger institutions were much more likely to conduct stress tests for the structured products book; 91 percent of institutions with $100 billion or more did so, compared with 31 percent of institutions with assets of $10 billion or less and 43 percent of institutions with assets of $10 billion to $100 billion.

order to assess a model's sensitivity to structural changes and to changes in parameters and assumptions.25 Fifty-nine percent of institutions reported having a model validation function, an increase from 53 percent in 2008. Larger institutions were more likely to have a model validation function, with 79 percent of institutions with more than $100 billion in assets having such a function, up from 66% in 2008.

25 "Implementation of Credit Risk Rating Models," Deloitte Development LLC, April 2008
Figure 20
Which of the following steps has your organization taken in response to the liquidity environment over the last two years?
(Chart not reproduced; recoverable category labels: Strengthened liquidity risk management function (53%); Other.)
Asset liability management
Institutions participating in the survey performed various analyses for asset liability management (ALM) purposes with varying degrees of frequency. For liquidity scenarios, 28 percent of institutions conducted these analyses daily and 11 percent weekly, with 61 percent that conducted them monthly or less often. Gap analysis was conducted either daily or weekly by 36 percent of institutions, while 64 percent conducted them less often. When it comes to other important types of ALM analyses, roughly three-quarters of institutions reported that they conduct them monthly or less often; this applied to earnings at risk, equity at risk, sensitivity analysis of net interest income, and sensitivity analysis of economic value of equity. There can be difficulties managing capital and funding structures during periods of market turmoil, and obtaining information in order to do so; therefore, institutions that conduct these analyses for ALM monthly, or even only quarterly or annually, may consider conducting them more frequently.

Insurance risk
Institutions that provide insurance products were asked several questions on insurance risk. In the survey, 17 percent of institutions reported insurance as their primary business, with life insurance being the most common sector (11 percent). In addition, 34 percent of institutions reported that they provide insurance products, although insurance was not their primary business.

Insurers that follow a traditional business model based on generating premiums, rather than those that engage in other financial activities, such as selling credit protection in the CDS market, may be in a more liquid position than other institutions. Yet, insurers do face risk management challenges resulting from the nature of their products, such as the risks associated with variable annuity products. Maintaining effective management of liquidity risk, managing and establishing limits for counterparty risk, and being able to aggregate risks across the organization are important.26

Institutions reported using a variety of techniques to assess insurance risk. Several methods were cited by roughly 60 percent of institutions as either a primary or a secondary methodology: stress testing, VaR, economic capital, and dynamic financial analysis. No one method dominated, and many institutions used more than one method (see Figure 21). These methodologies can overlap because analyses of economic capital often encompass stress testing and VaR, and market-consistent embedded value is the underlying framework used for economic capital at many life insurance institutions.

Most institutions providing insurance products reported using stress testing to assess insurance risk. Seventy-two percent of institutions used stress testing for mortality risk, while 66 percent employed it for lapse risk, 63 percent for morbidity risk, and 59 percent for expense risk.
Figure 21
To what extent does your company use the following methods to assess insurance risk?
(Chart not reproduced; recoverable category labels: Value at risk; Stress testing.)

26 Dr. Robert W. Klein, et al., "The Financial Crisis and Lessons for Insurers," CAS, CIA, SOA Joint Risk Management Section, SOA Committee on

(Chart not reproduced; recoverable category labels: Pricing; Concentration; Catastrophe; Reinsurance; Policyholder behavior; Insurable event.)
Institutions used a variety of organizational structures for overseeing insurance risks, with no function being named by more than 39 percent of institutions for any risk type. For example, for pricing risk, 37 percent of institutions said the primary responsibility was placed with actuarial, while 26 percent cited product development, and lesser percentages named other areas (see Figure 22). One potential challenge in interpreting responses to this question is that depending on an institution's structure, there may not be a separate and distinct actuarial department, with actuaries instead residing within ERM, product development, and other areas.

For concentration risk, 39 percent named ERM, while 35 percent cited actuarial and the remainder placed the responsibility in other functions. The higher proportion of institutions placing responsibility for concentration risk within the ERM function may be leveraging the ERM function's ability to aggregate and analyze risk information across the enterprise.

Operational risk
Although institutions have always managed operational risks, the importance of operational risk management was made a greater priority by the inclusion of operational risk in the Basel II capital framework. As a result, many institutions have major programs for operational risk in place. However, these regulatory-driven operational risk efforts are typically focused more on measurement and capital than on helping institutions proactively identify and manage operational risk, such as those resulting from model risk. (See "Effectiveness of risk management" in this report for a discussion of the survey results on model risk.) In addition, while some institutions have done so, many have not integrated operational risk management with related programs, such as Sarbanes-Oxley and regulatory compliance.

Although operational risks can potentially have major negative impacts on an institution's reputation, they have typically not received as much attention from senior management and boards of directors as other risks; the impacts of the global financial crisis from credit, market, and liquidity risk events may have further reduced the relative priority placed on managing operational risk. Yet, although individual operational risk events may be small, in the aggregate they can be substantial.

Operational risk implementation progress
Institutions have made progress in some areas. When asked about the implementation of various aspects of operational risk management, 87 percent of institutions reported that they had either fully or substantially completed the work of identifying risk types, while 67 percent said the same about gathering relevant data and 65 percent about standardizing the documentation of processes and controls (see Figure 23).
Figure 23
To what extent has your organization implemented the following aspects of operational risk management?
(Chart not reproduced; recoverable category labels: Standardizing documentation of processes and controls; Developing operational risk mitigation strategies including insurance.)
However, in other areas less than half the institutions have largely completed implementation: creating metrics for monitoring each type of operational risk, rolling out a formal training program for operational risk, and developing methodologies to quantify risk.

Because AMA modeling includes these areas as requirements, these lower percentages are consistent with the fact that only 23 percent of institutions said their work under Basel II on AMA modeling was completed or largely done. (See the "Basel II" section of this report.) Large institutions have not done as much work in some areas, perhaps due to the complexity of the task of managing operational risk in complex organizations. While 67 percent of all institutions have completed or substantially completed the work of gathering relevant data, the figure was 60 percent among institutions with $100 billion or more in assets. Thirty-seven percent of large institutions have largely completed the work of developing operational risk mitigation strategies.

Based on Deloitte's risk management surveys, progress has been made on implementing operational risk methodologies since 2008. Sixty-one percent of executives rated their risk assessments, and 54 percent rated their internal loss event data, as extremely or very well developed, compared with roughly 40 percent for each two years ago. For key risk indicators, 30 percent of executives considered them to be well developed in 2010, compared with only 12 percent in 2008.

The use of scenario analysis for operational risk was widespread. Roughly two-thirds of institutions reported conducting scenario analysis for operational risk at the enterprise level and the business unit level, 56 percent did so at the level of risk type, and roughly one-third did so at the trading desk level and at the level of product type. Among institutions that employed a scenario analysis methodology for operational risk, either quantitative or a mix of quantitative and qualitative scenario analysis was used by roughly three-quarters for risk type, product type, business unit and enterprise levels, and by 83% for the trading desk or equivalent unit level.

In 2010, executives believed their technology systems for operational risk management were more capable in several areas than they did in 2008. Forty-four percent of executives considered their technology systems to be extremely or very capable in supporting operational risk assessments, up from 23 percent in 2008. Forty percent gave this rating to their capabilities in data gathering compared to 27 percent in the last survey (see Figure 24).
[Chart not reproduced. Surviving category labels: Reporting; Data gathering; Risk assessments; Scenario analysis.]
Figure 25
Which of the following impacts on your business have resulted from regulatory reform in the major jurisdictions where you operate?
[Chart not reproduced. Surviving category labels: Other; No significant impacts.]
Note: Percentages total to more than 100% because respondents could make multiple selections.
Risk management systems and infrastructure

Risk management relies on robust information and technology systems. The ability to quickly integrate risk information in a consistent format across the organization will help institutions gain a comprehensive picture of their overall risk profile, as well as the risk associated with individual counterparties. The global financial crisis highlighted the importance, and the difficulties, of achieving an integrated and seamless approach to risk data. In their October 2009 report, the Senior Supervisors Group cited the complexity of the financial industry's technology infrastructure as a key hindrance in identifying and measuring risk within the financial system.[31] In some institutions, the limitations of enterprise risk management technology systems have led individual lines of business to create their own systems, leading to a potentially fragmented structure.

Institutions increasingly need the ability to respond to mounting requests from regulators for stress tests, reporting, and ad hoc information. As regulatory requirements evolve, institutions are likely to need the flexibility to reconfigure and scale their risk systems. For example, some banks are facing challenges with credit valuation adjustment analytics and with generating liquidity stress testing reports from their legacy asset-liability management systems. For insurers, Solvency II may also place additional demands on risk management technology systems: There will be the need to calculate regulatory capital in a timely fashion and to conduct continuous modeling of solvency, which may prove difficult for those with legacy systems.

Structural changes to markets and new business models are presenting additional demands on risk management technology systems. For example, derivatives trading may increasingly move to exchanges and to central clearing facilities. As the industry's derivatives business model changes, corresponding changes to the operations and technology infrastructure may be required. As new entities enter into derivatives clearing activities, counterparty and operational risks may need to be assessed.

Since the global financial crisis, many major financial institutions have undertaken significant investments to upgrade their risk technology infrastructure: to help provide for the availability of more consistent and reliable risk information, to help enhance the capabilities of technology infrastructure to support new functional requirements needed by the business, and to support regulatory compliance, increased stress testing, and enhanced risk reporting capabilities.

Another trend among some institutions has been to adopt a shared risk technology model that provides the front office with the analytics necessary to allow it to serve as the "first line of defense" in risk management, while the risk management function defines the specific risk measures. Under this approach, common pricing models are often used for valuation and risk measurement.

Other institutions have focused on the need for both the finance and risk management functions to have access to reliable and granular information, such as counterparty exposures and underlying transaction-level data, for analysis and reporting purposes. These institutions have undertaken a variety of efforts to meet shared finance and risk management needs, such as data quality remediation efforts, joint systems architecture renewal, data warehousing, and reporting engines.

Institutions may want to devote additional focus on risk technology systems, supported by the fact that executives in the survey gave their institutions somewhat higher ratings in managing major risks than they gave to the ability of their risk management technology systems to support management of these risks. Roughly three-quarters of executives rated their institution as extremely or very effective in managing credit, market, and liquidity risk (see "Management of key risks"). When asked to rate their risk management technology systems in these areas, however, a smaller proportion, 61 percent, rated them as extremely or very effective in supporting credit risk management, while 57 percent provided as high a rating for effectiveness in supporting market risk management and 47 percent for liquidity risk (see Figure 27).

[31] "Risk Management Lessons from the Global Banking Crisis of 2008," Senior Supervisors Group, October 21, 2009.
[Chart not reproduced. Surviving category labels: Market risk; Regulatory and economic capital calculation and reporting; Property and casualty underwriting risk; Liquidity risk; Compliance management; Life or health insurance underwriting risk; Operational risk; Collateral management; Enterprise risk.]
Functional limitations may exist in technology systems and if so, institutions may need to do more manual work in gathering, reconciling, cleaning, and analyzing risk data. Institutions may also find that they may want to improve their ability to easily leverage risk data consistently across functions and businesses.

Forty percent of executives surveyed rated their risk data strategy and infrastructure as being extremely or very effective in data management/maintenance and data controls/checks (see Figure 28). In the areas of data standards and data marts/warehouses, a smaller proportion, about one-quarter, of executives considered their institutions to be extremely or very effective.
Figure 28
How effective do you think your organization is in the following aspects of risk data strategy and infrastructure?
[Chart not reproduced. Surviving category labels: Data governance; Data management/maintenance; Data controls/checks; Data marts/warehouses; Data standards.]
The data you need for risk management is not as well supported as it might be. When you try to use data collected for other business purposes to enable risk management, it's missing a lot of the elements you'd like or need - it's like when you need electricity, you can't just use the plumbing system!
- Managing director, risk management, asset management firm
Executives had the greatest concerns about risk data quality and management, which 43 percent described as a major concern. The changing regulatory environment, including Basel II and III, Solvency II, and the Dodd-Frank Act, may also place additional demands for data and reporting on risk technology systems. The ability of risk technology systems to adapt to evolving regulatory requirements was a major concern for 38 percent of executives.

Roughly two-thirds of institutions reported they have strategies to address their risk infrastructure, but in most cases executives said that the strategies are not yet well developed. Roughly two-thirds of institutions have strategies for most areas, including risk software applications, data warehousing, architecture standards, and data sourcing, but fewer institutions had well developed strategies. For hardware, 26 percent of executives considered their strategy to be well developed, although this was an increase from 16 percent in 2008. For architecture standards, 18 percent of respondents considered their strategy to be well developed, up from 10 percent in 2008.

Consistent with these findings, concerns about data quality challenges were also expressed by many institutions. The greatest risk technology priorities cited for the next 12 months were to improve risk data quality and management, which was a high priority for 48 percent of institutions, and to enhance the reporting of risk information, which was a high priority for 44 percent (see Figure 29). Based on the survey results, more institutions agree that building risk information systems with the ability to gather consistent data from across the organization and to quickly generate reports customized to specific requests, such as from senior management or regulators, should likely be a priority.[32]
Figure 29
Over the next 12 months, how much of a priority are improvements to the following areas of your risk technology capabilities?
[Chart not reproduced. Surviving category label: Economic capital.]
[32] For additional discussion, see the report by the Deloitte Center for Banking Solutions, Winning in the new risk environment, 2010, Deloitte Development LLC.
Conclusion

The experiences of the global financial crisis have created a new financial services marketplace: Economies have been strained, key players have changed or disappeared, and business models and the avenues to competitive advantage have been altered. The scale and pace of regulatory change has also been unprecedented, with new requirements under Basel III as well as important changes in individual countries, such as the United States and United Kingdom.

Responding to these new realities may require effective risk governance. Boards of directors have an important role to play in providing active oversight of risk management, including the approval of their institution's risk management framework and risk appetite. The CRO position can provide an important focal point, helping risk management to receive adequate attention from senior management and to provide the board of directors with independent views on key risk management issues.

Institutions that do not have an ERM program may consider implementing one to gain a comprehensive view of risks across the organization and identify interdependencies. To achieve such a comprehensive picture of the risks they face, many institutions may need to consider upgrading their risk management information systems so they have consistent, quality risk data that can be easily aggregated across products, geographies, and counterparties.

There is increased attention to the importance of managing tail risk from events that are rare, but potentially catastrophic. Many institutions may benefit from reassessing their risk models and supplementing VaR with stress tests and other tools. Given the volatility of the financial markets, some institutions may also consider conducting stress tests more frequently than they do currently.

But risk management is not simply a matter of models and methodologies. Institutions may also need to consider how they can infuse risk management considerations throughout the organization, creating a culture that places a value on appropriate risk taking. Another area likely to receive heightened attention is how to incorporate risk management considerations into performance goals and incentive compensation decisions.

Finally, this report on Deloitte's Global risk management survey, seventh edition, underscores that the bar for risk management in financial services may continue to be raised: There are still many challenges ahead to navigating in a changed world.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 170,000 professionals are committed to becoming the standard of excellence.

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte Network") is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.