Analytical capabilities are becoming increasingly important as regulatory capital allocation becomes more closely integrated with divisional/business unit management.
The three-lines-of-defense model continues to evolve as banks try to find a balance between appropriate ownership of risk, capability development within the first line, and the right operating model between a centralized risk function and divisional engagement while also trying to balance broader obligations to their external stakeholders.
The first eight years has been focused on increasing the volume of resources available in the risk function, the next seven will be focused on further development of the appropriate skills, role definitions, reporting lines, and technology enablement.
Banks should be seeking to ensure the front line is not simply passing responsibility from ‘line 1A’ to ‘line 1B’.
ADDRESSING NON-FINANCIAL RISKS
The industry is also continuing to focus on addressing non-financial risks more effectively. Banks recognise they need the management of risk to be part of everyone’s job, not just those in risk and control roles, and are testing and enhancing controls frameworks.
Focus on a wide range of conduct areas has increased. Money laundering (increased to 72 per cent from 52 per cent in 2015) and sanctions (increased to 52 per cent from 30 per cent in 2015) have moved significantly up the risk management agenda.
Cybersecurity has also surged, with almost half of respondents (48 per cent) highlighting cybersecurity as one of the three most important risks for their board over the next year – the other two being risk appetite and the implementation of new regulatory rules.
Significant changes have already been made to improve the management of non-financial risk. Banks are attempting to reduce non-financial risk by: reducing complexity of products (57 per cent); exiting products and geographies (63 per cent); improving employee training (67 per cent); and strengthening risk culture and employee behavior through enhanced messaging and tone from the top (90 per cent).
Importantly, they are also focusing on forward looking analysis of intrinsic non-financial risks and embedding this into risk appetite and other risk management initiatives.
A LONG JOURNEY AHEAD
Since (and as a result of) the 2008 crisis the financial services industry has materially strengthened its risk-management capabilities.
Good progress has been made so far, but there is still a substantial amount of work to be done, particularly in the current cost-conscious environment. ‘More with less’ and ‘efficiency’ are now common themes from risk functions across the industry.
There are still many challenges ahead which will require management and board attention and dedicated resources.
Banks have already had to substantially increase the volume of resources in their risk functions, simultaneously implement a raft of regulatory changes and work to bed down the new operating model.
All this is happening against the backdrop of a suite of new regulatory requirements, which are still in the early phases of implementation. In this environment, risk functions require a high degree of flexibility and banks will need to be prepared to continue to adapt and evolve their risk-management strategies.
Doug Nixon is EY Oceania Financial Services Partner
The views expressed in this article are the views of the author, not Ernst & Young. The article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Liability limited by a scheme approved under Professional Standards Legislation.