23 Dec 2016
Boards are more engaged on the issue, risk and compliance functions have increased scope and seniority. But it is far too early to claim ‘mission accomplished’.
"There isn’t a single facet of risk function that hasn’t been subject to new requirements in the past eight years."
Doug Nixon, EY Oceania Financial Services Partner
In reality, banks may only be halfway through what could be a 15-year journey to transform their risk-management processes.
From the board level down, significant investments have been made across the industry to strengthen the financial position, structure, governance and culture of individual financial institutions, with these changes often manifesting within the risk management functions in financial institutions.
In fact, there isn’t a single facet of risk function that hasn’t been subject to new requirements in the past eight years.
Dozens of new prudential requirements have or are coming into effect in the next few years: the suite of changes mandated by the Basel Committee on Banking Supervision (BCBS) to capital, liquidity, leverage, disclosure standards, enhanced prudential reporting requirements, stress testing, structural and market reforms.
While the 2008 crisis provided the impetus for much of the financial system reform agenda, the environment has continued to evolve. Events such as the LIBOR scandal, the Wells Fargo issue and the Bangladesh Bank heist continue to shape various country-based cyber, culture and conduct risk initiatives.
Banks are finding themselves caught between rising regulatory capital and liquidity requirements, increasing expectations for management of non-financial risks, and pressure from shareholders to maintain historical ROE and dividends. There is unlikely to be an end to these pressures in the short to medium term.
In this environment, the effectiveness of banks’ risk management will continue to be an essential component in their ability to achieve sustainable growth and profitability.
An effective and efficient risk management function can be vital in the search for latent profitability, limit volatility and reduce the likelihood of reputation damage or costs from conduct remediation.
This is as true within Australia and the wider Asia-Pacific region as it is globally. Right across the Asia-Pacific banks are looking to enhance the utility of risk appetite, provide early input into business and product planning, and strengthen links with the overall business strategy.
They want to tighten integration with their risk management and ICAAP frameworks and find ways to better represent non-financial risks, such as cyber and conduct.
A number of institutions across the region are also seeking to make risk appetite more user friendly – whether managing risk at a group level, providing guidance during the development of a new product within a division, or influencing the behaviors of front-line staff.
The EY 2016 global banking risk management survey A set of blueprints for success found the banking industry is still searching for the appropriate blueprint to establish effective risk accountability across the three lines of defense.
More than 60 per cent of banks surveyed said they are currently changing their three-lines-of-defense model. Their top reasons for doing so highlight a significant focus on the first line:
• Making the first line accountable for end-to end risk (38 per cent)
• Making the first line more clearly accountable for non-financial risk (28 per cent)
• To make the first line more clearly accountable for financial risk (27 per cent)
In 2015, the survey presented clear evidence banks had already started making changes to strengthen first-line accountability for risk. This trend has accelerated in the following 12 months, with banks now adopting a broader range of changes to drive accountability.
Nearly three quarters of the respondents said they were providing the first line with training on risk, as well as clarifying first-line responsibilities for risk appetite.
In addition, nearly half said they were establishing new control functions in the first line and increasing their focus on forward-looking risk, and approximately one-third said had changed the accountability of business line leaders to make their risk responsibilities clearer.
Banks are also looking at the effectiveness and efficiency of their second line functions. Better technology and advanced data analytics are essential in enabling banks to deliver the right risk insights and outcomes effectively, as are properly implemented centralised teams for common, repeatable tasks – such as testing.
Analytical capabilities are becoming increasingly important as regulatory capital allocation becomes more closely integrated with divisional/business unit management.
The three-lines-of-defense model continues to evolve as banks try to find a balance between appropriate ownership of risk, capability development within the first line, and the right operating model between a centralized risk function and divisional engagement while also trying to balance broader obligations to their external stakeholders.
The first eight years has been focused on increasing the volume of resources available in the risk function, the next seven will be focused on further development of the appropriate skills, role definitions, reporting lines, and technology enablement.
Banks should be seeking to ensure the front line is not simply passing responsibility from ‘line 1A’ to ‘line 1B’.
The industry is also continuing to focus on addressing non-financial risks more effectively. Banks recognise they need the management of risk to be part of everyone’s job, not just those in risk and control roles, and are testing and enhancing controls frameworks.
Focus on a wide range of conduct areas has increased. Money laundering (increased to 72 per cent from 52 per cent in 2015) and sanctions (increased to 52 per cent from 30 per cent in 2015) have moved significantly up the risk management agenda.
Cybersecurity has also surged, with almost half of respondents (48 per cent) highlighting cybersecurity as one of the three most important risks for their board over the next year – the other two being risk appetite and the implementation of new regulatory rules.
Significant changes have already been made to improve the management of non-financial risk. Banks are attempting to reduce non-financial risk by: reducing complexity of products (57 per cent); exiting products and geographies (63 per cent); improving employee training (67 per cent); and strengthening risk culture and employee behavior through enhanced messaging and tone from the top (90 per cent).
Importantly, they are also focusing on forward looking analysis of intrinsic non-financial risks and embedding this into risk appetite and other risk management initiatives.
Since (and as a result of) the 2008 crisis the financial services industry has materially strengthened its risk-management capabilities.
Good progress has been made so far, but there is still a substantial amount of work to be done, particularly in the current cost-conscious environment. ‘More with less’ and ‘efficiency’ are now common themes from risk functions across the industry.
There are still many challenges ahead which will require management and board attention and dedicated resources.
Banks have already had to substantially increase the volume of resources in their risk functions, simultaneously implement a raft of regulatory changes and work to bed down the new operating model.
All this is happening against the backdrop of a suite of new regulatory requirements, which are still in the early phases of implementation. In this environment, risk functions require a high degree of flexibility and banks will need to be prepared to continue to adapt and evolve their risk-management strategies.
Doug Nixon is EY Oceania Financial Services Partner
The views expressed in this article are the views of the author, not Ernst & Young. The article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Liability limited by a scheme approved under Professional Standards Legislation.
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
23 Dec 2016
19 Dec 2016
14 Dec 2016