Focus needed for tech, governance, enterprise systems

In response, banks and other financial services firms are increasing their risk management budgets and enhancing their governance programs.

According to Deloitte's eighth biennial survey on risk management practices, about two-thirds of financial institutions (65%) reported an increase in spending on risk management and compliance, up from 55% in 2010.

A closer look at the numbers finds, though, that there is a divergence when it comes to the spending patterns of different-sized firms. The largest and the most systemically important firms have had several years of regulatory scrutiny and have continued their focus on distinct areas like risk governance, risk reporting, capital adequacy, and liquidity. In contrast, firms with assets of less than $10 billion are now concentrating on building capabilities to address a number of new regulatory requirements, which were applied first to the largest institutions and are now cascading further down the ladder.

"The financial crisis has led to far-reaching changes in financial institutions' risk management practices, with stricter regulatory requirements demanding more attention from management and increasing their overall risk management and compliance efforts," says Edward Hida, DTTL global lead, Risk & Capital Management Services. "That said, risk management shouldn't be viewed as either a regulatory burden or a report destined to gather dust on a shelf. Instead, it should be embedded in an institution's framework, philosophy, and culture for managing risk exposures across the financial institution."

"Knowing that a number of regulatory requirements remain in the queue, financial institutions have to be able to plan for future hurdles while enhancing their risk governance, analytical capabilities, and data quality efforts today," says Hida. "Those that do will be well placed to steer a steady course though the ever-shifting risk management landscape."

The majority of institutions participating in the survey (58%) plan to increase their risk management budgets over the next three years, with 17% anticipating annual increases of 25% or more. This is not a trivial matter as 39% of large institutions-particularly those based in North America-reported having more than 250 full-time employees in their risk management function.

Alongside increased spending, risk management has also significantly risen up the agenda in the boardroom. According to the survey's results, 94% of company boards now devote more time to risk management oversight than five years ago, and 80% of chief risk officers report directly to either the board or the chief executive officer. Additionally, 98% of company boards or board-level risk committees regularly reviewing risk management reports, an increase from 85% in 2010.

"Regulators have been focusing more and more on the role of the board of directors in risk governance, including their approval of the firm's risk appetite and risk policies, overseeing their implementation by management and increasingly looking to understand the challenge that the board makes in its oversight of the financial institution's risk management of key issues," says Hida.

Other major findings in the survey include:

Almost three out of four risk managers rated their institution to be either extremely or very effective in risk management overall, an increase from 66% in 2010's survey results.

The impact of increased regulation is having a significant effect on business strategy and the bottom line, with 48% of firms confirming that they have had to adjust product lines and/or business activities, a percentage that doubled from 24% in 2010.

The use of institution-wide enterprise risk management programs is continuing to grow. Today, 62% of financial institutions have an ERM strategy in place, up from 52% in 2010, while a further 21% are currently building a program. The total of 82% of firms either with or building an ERM program is significantly up from 59% in 2008.

Institutions are increasingly confident about their effectiveness in managing liquidity risk (85% rate themselves as extremely or very effective vs. 77% in 2010); credit risk (83% against 71% in 2010); and country/sovereign risk (78% vs. 54% in 2010).

Stress testing has become a central plank in many institutions' risk management efforts. Eighty percent of the institutions surveyed stated that stress-testing enables a forward-looking assessment of risk, and 70% said that it informs the setting of their risk tolerances.

Technology used to monitor and manage risk is a particular concern and, according to the report, significant improvements in risk technology are needed. Less than 25% of institutions rate their technology systems as extremely or very effective while 40% of institutions are concerned about their capabilities in the management of risk data.

Progress in linking risk management with compensation has changed only incrementally since 2010's survey results. Currently, 55% of institutions incorporate risk management into performance goals and compensation for senior management, which is little changed from 2010. The use of "clawback" provisions in executive compensation, however, has increased (41% vs 26% of institutions in 2010).

"Financial institutions are becoming increasingly confident in their risk management abilities, but they also recognize where there are gaps," says Hida. "Where concerns linger particularly is around operational risk, with a number of recent headlines-like management breakdowns and large-scale cyberattacks-underscoring the important impacts this area can have on a firm's reputation. This is a gap that needs to be addressed."

According to the report, operational risk, which is a key component of Basel II, has been a continuing challenge for institutions. The lack of ability to measure operational risk and the complexity of many operational processes are key causes of this. Only 45% of firms rated themselves as extremely or very effective in this area, down slightly from 2010.