HOME
Lead Articles

Metals Exchanges

Plastic Futures

Markets

The impact of delisting on the JSE

SA Equity Market Risk Premium

Instruments and Investments

Weather Derivatives as a Risk Management Tool

Earnings vs Cash Based Valuation Techniques

Regulations / Compliance

Code of Conduct into Securities Act

Securities Services Act

Global Risk Management Survey

Quants

Stock Price Volatility

Social Responsibility Issues

The Changing Landscape

How capital markets benefit the poor

Economics

ABSA Investment Overview

Education

New Treasury Module

Archives
Deloitte’s Fourth Bi-annual Global Risk Management Survey Says:

Risk Management Practices in Top Financial Firms Continue to Evolve But Enterprise Risk Management Remains Elusive
Elevation of the risk management function and Basel II compliance challenges emerge as key themes

by Edward T. Hida II, Partner & US Banking Risk Management Practice Leader, Deloitte & Touche LLP and Ingrid Goodspeed, Associate Director, Deloitte & Touche South Africa

he Sarbanes-Oxley Act in the U.S. and equivalent legislation in other countries are changing the risk management landscape. With the specter of criminal prosecution looming as a consequence of non-compliance, financial institutions are tightening their focus on the issues of corporate governance, board oversight, financial disclosures and internal controls. At the same time, they are facing growing exposure to risk from a variety of factors, including mega-mergers, off-shoring, outsourcing, and an increased volume of lending. The challenges of complying with tough regulations while containing an expanding number of risk factors were dramatically reflected in the results of Deloitte’s bi-annual Global Risk Management Survey.

Over the past 8 years, Deloitte has undertaken a rigorous analysis of and commentary on risk management issues to provide financial services firms with a global benchmark of trends and practices. This year’s survey contained responses from 162 financial institutions with assets totaling nearly $19 trillion located on five continents. Africa was not included in this Global Risk Management Survey but will be included in future The sample included responses from 12 financial services sectors in four broad categories: investment banking and related services, commercial banking, integrated financial services and retail banking. Deloitte’s last Global Risk Management Survey was conducted in 2002.

Risk Governance: The Continuing Rise of the CRO
Among the survey’s most compelling findings were the continuing ascension of the risk management function in both visibility and organizational importance. Eighty-one percent of the respondents reported that they now have a Chief Risk Officer (CRO), compared to 65% in the 2002 survey. The survey also shows that three-quarters of CROs in financial services firms now report to their chief executive or the board of directors. . We would expect the percentage of respondents having CROs to be higher in South Africa because banks are required in terms of the Banks Act to have an independent risk management function headed by an executive officer who acts as the reference point for all aspects relating to risk management within the bank. In addition the head of the risk management function is responsible for arranging training of members of the board in the different risk areas to which that bank is exposed.

The survey also shed light on the role of the CRO. Each institution’s risk appetite and culture appears to influence the job description of the CRO, resulting in some variation in the distribution of duties. However, the results of this year’s survey are broadly consistent with those from 2002 in terms of primary responsibilities assigned to the CRO or independent risk oversight function:

  • Risk analytics and reporting (85% considered primary responsibility)
  • Developing controls, policies and monitoring compliance (79%)
  • Monitoring of risk exposure versus limits (74%)
  • Independent verification of risk methodologies (70%)

Along with the growing prevalence and importance of CROs, the overall responsibility for managing risk has been elevated in many institutions to the board of directors (38%) or a board-level risk management committee (21%), making it a focal point of governance strategy. This represents a 25% increase in board-level oversight of risk management compared to the previous survey and suggests an increasing trend toward vesting responsibility at the highest level in the organization. In South Africa responsibility for managing risk is placed firmly in the hands of the board of directors. For example Regulation 38 issued in terms of the Banks Act states “The board of directors of a bank is ultimately responsible for ensuring that an adequate and effective process of corporate governance, which is consistent with the nature, complexity and risk inherent in the bank’s on-balance-sheet and off-balance-sheet activities and which responds to changes in the banks environment and conditions, is established and maintained.” In addition in terms of The King Report on Corporate Governance for South Africa, the board is responsible for the total process of risk management, as well as forming its own opinion on the effectiveness of the process.

Regulatory and Economic Capital: Basel II Progress and Challenges
The development of more sophisticated capital calculation methodologies continues due to both business and regulatory drivers – primarily Basel II. With the approaching implementation date of Basel II, organizations are increasingly turning their attention and resources toward developing the capabilities needed to meet these new requirements. The greatest emphasis has been on credit and operational risk due to the relative maturity of market risk requirements.

South Africa is to implement Basel II on 1 January 2008. Errol Kruger the Registrar of Banks states that South Africa complies with all the generally accepted pre-conditions for the adoption of Basel II by a particular country because

  • its banking industry strives for best practice in risk management and is continuing to entrench a culture of risk management;
  • Effective supervision of banks exists and South Africa complies with the Basel Core Principles for Effective Supervision. In addition legislation relating to companies, banks insolvency and anti-money laundering is by and large up to international standards. South Africa also complies with the standards of the Basel Committee on Payments and Settlement Systems; and
  • South Africa has clear rules for disclosure and moving to greater transparency. The country complies with and applies International Financial Reporting Standards and International Auditing Standards.

Credit Risk Measurement
For credit risk, the Basel II Framework has encouraged banks to develop more sophisticated regulatory capital calculation frameworks based upon economic capital techniques. The Internal Ratings Based (IRB) approaches – i.e., Foundation and Advanced IRB (AIRB) – are the predominant methods that respondents plan to use for their credit risk regulatory capital frameworks. Yet, only a small minority of respondents consider their current capabilities adequate to implement IRB Approaches (10% of respondents stated that they are currently Foundation IRB capable, and 7% consider themselves to be AIRB ready). Based on current capabilities and stated plans, we expect Basel II related activities to continue to gather momentum within the credit risk functions of large internationally active banks.

From an implementation perspective, significant numbers of respondents report that more progress is needed around data and system issues, underscoring the fact that the Basel II Framework places tremendous importance on data (i.e. availability, granularity, and validity) and system infrastructure. In our view, the data-related challenges are not entirely unexpected given the extensive M & A and consolidation activity within the banking industry over the last two decades. A myriad of disparate legacy systems and data infrastructure continue to exist at most large banks where integration-related interim solutions and tactical fixes have become institutionalized. Basel II data requirements are exposing the limitations of such solutions.

Process refinements and methodology development are also inherently required in support of Basel II compliance efforts. In addition to extensive reliance on data, the IRB Approach has considerable process-oriented qualification requirements (e.g., risk rating processes, underwriting, credit administration, credit review and control, collateral management, etc.). In many instances, gap assessments vis-a-vis qualification standards and implementation requirements are forcing banks to modify policies and procedures, change credit and documentation processes, and review governance and control structures.

Operational Risk Measurement
For operational risk, the Basel II Framework has helped spur substantial development of quantitative measures for this difficult-to-measure risk type. A majority of respondents (54%) indicated that they plan to implement the most sophisticated operational risk approach available in the Basel II Framework – the Advanced Measurement Approach (AMA). Similar to credit risk results, only a small minority believe they are in a position to currently comply with the AMA requirements (6%) or with the intermediate Standardized Approach (18%). Consistent with our expectation, operational risk measurement is still widely considered a much more immature field than credit risk measurement, perhaps implying that relatively more work needs to be done in the area of operational risk than credit risk.

Respondents’ concerns regarding operational risk measurement issues are distributed fairly evenly across a host of issues. A majority of respondents indicate that quantitative metrics and associated data acquisition issues are of major concern to them. In our view, this response emphasizes the fact that the firms feel less confident in their ability to implement AMA due to issues with availability and analysis of internal loss data (or lack thereof) and key risk indicators that are aligned in a Basel II Framework fashion (i.e., across defined Basel business lines and loss event categories).

Also, the Basel II Framework is much less prescriptive with respect to operational risk AMA requirements relative to those for credit risk AIRB. Accordingly, 57% of respondents identified understanding regulatory expectations as a “major concern,” while other quantitative issues such as “loss history data” (60%), “data integrity” (61%), and “capital allocation” (54%) were also viewed as critical issues. Although the Basel II Framework allows banks to be more flexible and unique in their respective approach for AMA compliance, it also may not provide sufficient guidance with respect to these requirements. Given that formalized operational risk measurement and management is still in a stage of infancy in most banks, there appears to be a lack of clarity with respect to the tactical aspects of Basel II requirements for operational risk AMA.

These results emphasize that Basel II compliance represents a significant challenge for financial institutions. There is no quick fix. It is an evolutionary process that requires substantial, ongoing investment.

While compliance with regulatory requirements is an imperative itself, we see major institutions using this opportunity to transform the way they look at economic capital and even their finance functions. A continuing challenge is the applicability and practicality of these efforts for smaller and mid-size institutions that may feel pressure from the development of more sophisticated capital approaches at larger institutions.

Other Areas of Investment and Development
Beyond Basel II compliance, business factors and a tougher overall regulatory environment are also driving continued investment and development more broadly across the risk management space. Areas in which this evolution is particularly evident include credit risk management, risk systems and technology, and extended enterprise solutions.

Credit Risk Management
Since our last survey in 2002, credit risk management is an area that has received significant attention at financial institutions. The influence of Basel II requirements, commercial credit market difficulties, and increased lending volume spurred by low interest rates in the consumer sector have caused management to focus more of their attention on strengthening their credit risk capabilities. In addition, most organizations are constantly looking to place available capital in the areas with the greatest return per unit of risk. For financial institutions with commercial and/or consumer credit risk, many have realized that improvements in credit infrastructure are an excellent area for investment that can improve bottom line results.

Much of this effort has focused on core capabilities. These core capabilities include benchmarking of internal ratings where 72% of survey participants report that they regularly engage in this exercise (up from 54% in the prior survey). Respondents are also using more sophisticated portfolio management methodologies and credit mitigation techniques. These include a 20% increase in usage of on/off balance sheet netting while use of credit derivatives increased significantly, especially among the largest firms.

New to the survey this year were questions inquiring about investment priorities in both commercial and consumer credit risk management capabilities over the next 12-24 months. In the commercial credit area, 62% of respondents are planning a high or moderate level of investment in the next 12-24 months. The most critical areas appear to be “active portfolio management” (71% plan high or moderate investment), Basel II (70%), reporting and management review of credit decisions (70%), and consistent data/corporate aggregation (70%). These top areas seem to point to increased sophistication, but also a need to attend to basic issues around credit data, which would be required to properly use more sophisticated credit techniques and to meet the advanced requirements of Basel II.

In the consumer credit area, 53% of respondents are planning a high or moderate level of investment in the next 12-24 months. The area receiving the most attention is “global consistency of underwriting processes and standards” where 36% of respondents plan a high level of investment, and 27% see moderate investments in the near future. A focus on movement toward risk-based collections and the usage of scoring and collections results in customer profitability measures are also important as a majority of respondents plan moderate or high levels of investment in these capabilities. These areas of top investment seem to make sense in a marketplace where hyper-growth has taken place due to low interest rates and competitive pressures leading to several recent consumer-focused mergers. As large volume growth and mergers occur, consistency of processes and underwriting becomes critical to gaining efficiency and controlling risk. Moreover, as competition increases, measures of customer profitability and high-impact collections activities can become key differentiators.

Risk Systems and Technology
Another area that has advanced considerably since our last survey is risk systems and technology. Changes in the pricing and design of hardware, the expansion of open source operating systems and applications and the ongoing increase in the use of advanced delivery mechanisms have continued to have a profound impact on the design and functionality of risk systems. Despite these advances, respondents report a host of continuing challenges in developing adequate risk systems. System integration continues to be the biggest challenge facing firms, with more than half (52%) citing a lack of integration among systems as a major concern and (42%) citing it as a minor concern. Respondents also cited concerns with methodologies becoming out-dated, existing platforms that are perceived to be inflexible and difficult to extend, insufficient product coverage, lower performance and rising maintenance costs.

In addition, the importance of regulatory reporting has grown markedly since our last survey, and it is no surprise that it ranks the highest in our participant’s ratings, marginally ahead of the requirement for operational risk and advanced credit risk systems. The impact of the Sarbanes-Oxley requirements in the United States and equivalent requirements elsewhere, the ongoing efforts to achieve Basel II compliance and the growing demands to address anti-money laundering and related issues have focused business attention on this area – 75% of respondents identified regulatory risk-reporting as a moderate or high priority. When the results for advanced credit risk systems (39% “high priority”) and operational risk measurement (39% “high priority”) are also considered, the impact that advanced regulatory reporting requirements such as Basel II are having and will continue to have on the risk platforms of respondents becomes readily apparent.

Extended Enterprise Solutions
With each of our global risk management surveys, we identify new areas that are garnering meaningful attention across the financial services industry and consider whether they should be included. In this year’s survey, the topic of Extended Enterprise (EE) solutions was selected due to its high visibility and the potential challenges and risks in managing these business arrangements.

When it comes to off-shoring or near-shoring arrangement (i.e., the movement of business processes from developed economies to lower cost offshore locations) and outsourcing arrangements across a variety of corporate functions, survey respondents reported that information technology and application management was the only area where a majority (61%) employed an extended enterprise solution. Call centers and back-office processes were areas where a near majority (47%) employed one or more EE solutions, while “human resources” and “collections and payment processing” were cited by around 40% of respondents.

Although EE solutions often provide significant benefits to an organization in terms of cost reduction and efficiency, these arrangements create a new set of risks that must be managed. Respondents indicated that operational (83%), and IT (82%) risks were of highest concern (sum of medium plus high-risk categories). This is not surprising given the technical and process complexities of employing EE solutions for one or more functions within a company. Of some concern to respondents were confidentiality, regulatory and reputation risks (all ranging between 60% and 70% for the sum of medium plus high-risk responses). Interestingly, respondents did not consider geopolitical risk to be a significant concern with 63% rating it a low risk.

We also queried survey participants on the methods or techniques employed to manage EE risks. The most common methods, based on rates of adoption, include written contracts and service level agreements (85%), formal vendor selection and due diligence (74%), and regular internal audits (69%). Also, a majority of respondents cited the use of documented vendor oversight policies (52%) and business continuity planning as part of their EE risk management efforts.

While EE solutions are growing, and organizations are using risk management techniques, significant challenges remain regarding the level of integration between EE solutions and an institution’s risk identification management and monitoring processes. Less than a quarter (24%) of respondents considered their EE solutions’ risk management capabilities to be very integrated, while slightly less than half (45%) considered them somewhat integrated. Nearly one-third (31%) of participants thought their EE solutions and their institutional risk management programs were not integrated at all.

South Africa scores highly as an offshoring location because of its sophisticated financial services environment, high levels of industry expertise, political stability, and English proficiency

Enterprise Risk Management Remains an Elusive Goal
Despite the increasing emphasis on containing risk, the survey shows that enterprise risk management (ERM) continues to be an elusive goal for many institutions. In fact, less than one-quarter of survey participants say they are able to integrate risk across any of the major dimensions of risk type, business unit, or geography. Respondents indicated a continued focus on measuring economic risks including credit, market, operational and liquidity within their ERM frameworks. Using the integration of market and credit risk management programs as a proxy for risk consolidation progress, 38% of participants reported integrating the organizational structure for these risks, but much lower responses were received for integrating methodology, data and systems (between 15% and 16% for each).

Our survey also asked respondents to rate their most significant ERM implementation challenges. Not surprisingly, “systems integration and automation” continues its reign as the most challenging aspect of integrating market and credit risk capabilities with a majority of respondents (51%) choosing that answer. Slightly less than half of respondents (45%) indicted that “data clean-up and consolidation” was the most challenging aspect of integration. These results show that technology and data issues continue to pose the greatest barrier to achieving a consistent level of risk consolidation across the enterprise. Extending beyond market and credit risk to include other risk types will entail even greater challenges.

Tougher regulatory environment
The survey finds that a tougher regulatory environment and increased scrutiny of financial institutions in the post-Enron business environment have contributed appreciably to a greater emphasis on risk management. Apart from implementation of Basel II, additional proposed legislation that South African banks must grapple with include the National Credit Bill and the Dedicated and Co-operative Banks Bills. In addition banks and other financial services firms must deal with the implementation of the Financial Sector Charter - a voluntary commitment by the financial services industry to transformation and Black Economic Empowerment.

The Evolution Continues
Overall, the survey results reflect the fact that the financial services industry is faced with growing exposure to risk and a heightened urgency to contain it. Despite major strides forward in the areas of risk governance and regulatory compliance, the survey also reveals the enigma of risk management – effective integration of risk management methodology, data and systems remains elusive. Consequently, ERM will be a major focus within financial institutions for some time, requiring the continued evolution of processes, instruments and systems as well as the expenditure of much effort and resources to achieve a truly consolidated, enterprise-wide view of a firm’s risks.

About the Survey
Deloitte invited senior risk management officers of the world’s top financial institutions to use an online tool to complete a comprehensive set of questions about risk management. Responses were received from 162 financial institutions with assets totaling nearly US$19 trillion located on five continents. Approximately 65 percent of the responses were from firms with assets ranging from $10 billion to more than $100 billion. Respondents broke out regionally as follows: 17% percent of respondents were North American companies; 25% were South American companies; 26% were European companies; and 31% were from Asia/Pacific. Respondents answered detailed questions which addressed a range of key risk management issues facing financial institutions including: Risk Governance, Economic and Regulatory Capital, Enterprise Risk Management, Credit Risk Management, Market Risk and Asset/Liability Management, Operational Risk Management, Risk Systems and Technology and Extended Enterprise Solutions. The Global Risk Management survey, which is the largest and most comprehensive of its kind, is conducted every two years and it is envisaged that African financial institutions will be included in future surveys

To Find Out More
A complimentary copy of the complete survey report may be downloaded via www.deloitte.com.

For more information contact Ingrid Goodspeed of Deloitte South Africa’s Financial Risk Advisory Services Division (FRAS) on 011 806 5200. FRAS offers financial risk advisory services encompassing financial and operational risks, asset liability management, performance benchmarking and capital optimisation to clients in the financial services industry. In addition the division provides advisory services to corporate treasuries including treasury risk management best practice reviews.

Edward T. Hida II, a Partner with Deloitte & Touche LLP, serves large banking, derivatives and securities dealer clients, spanning the range of risk management issues from policies, procedures, governance and infrastructure to methodology, quantitative techniques and systems.

Copyright & Disclaimer , SAIFM. All Rights Reserved. Designed & Developed by [ Live Q ]