Tuesday, February 22, 2011

Stepping Back to Move Forward

New survey results on Enterprise Risk Management ("ERM") practices at global financial institutions were released last week by Deloitte. The survey points to the changing attitudes towards ERM as well as the continued challenges many institutions face as they implement ERM programs. Here is a summary of the survey results.
The seventh edition of the report, titled "Navigating in a Changed World," surveyed chief risk officers – or their equivalent – from 131 financial institutions from around the world, with aggregate assets of more than $17 trillion and representing a range of financial services sectors including banks, insurers and asset managers.

Among other major findings in the survey:

  • While the majority considered their institution to be either extremely or very effective in risk management overall, one-third of survey participants graded themselves below that level.

  • Not only is the chief risk officer (CRO) role more prevalent at financial institutions, but he or she is reporting to higher levels in the organization. According to the survey, 86 percent of institutions had a CRO in place, up from 73 percent in 2008, and reports to the board level or to the CEO (or both) at 85 percent of institutions. In addition, they are playing a more strategic role.

  • More institutions have adopted enterprise risk management (ERM) programs -- 79 percent of institutions reported having a program or equivalent in place or in progress, an increase from 59 percent in 2008.

  • While the value of ERM has increased, so have the challenges of implementing the information and technology infrastructures to support a comprehensive program; the importance of information and technology management in effective risk management has only been emphasized by the events of the global financial crisis.

  • The top-rated risk management technology challenge among those surveyed was integrating risk data across the organization, which was rated as an extremely or very significant issue by 74 percent of executives.

  • More than 80 percent of institutions experienced significant impacts from regulatory changes in the countries where they operate; at 40 percent of responding institutions, these impacts included the need to maintain higher capital levels and the need to maintain higher liquidity ratios.



It seems that while ERM is gaining in prominence within these organizations, the primary challenges to a successful ERM implementation remain.  Many companies will find themselves needing to take a step back to streamline ERM processes before trying to tackle the gaps in information and technology.

Sunday, February 13, 2011

Added Stress in the United Kingdom

Last week, the Wall Street Journal reported that financial institutions in the UK are being subjected to even more stringent stress testing requirements than their US counterparts. The Financial Services Authority (FSA) is requiring the largest financial institutions to conduct what it calls "reverse stress testing". These tests are designed to determine what an institution will need to recover from a catastrophic operational risk event such as a natural disaster or pandemic. Evidently, the UK bankers are none too pleased with the request according to the following report.
Bankers call it the latest example of regulatory overkill. Executives protest that they are wasting countless hours dreaming up outlandish doomsday scenarios. The chief executive of a major U.K. bank said the tests are predicated on "a massive confluence [of] absurd scenarios" in which executives passively watch events unfold rather than trying to stabilize the situation. Bankers are especially worried that the process could result in them being forced to hold more capital. The FSA said in a planning document that the tests "may result indirectly in changes to the levels of capital held by firms" if the exercise "identifies business model vulnerabilities that have not previously been considered."

An FSA spokeswoman defended the exercise. "It might seem outlandish to them, but the point is that it pushes the business model to the point it collapses," the spokeswoman said. She said the banks also should be evaluating relatively mundane situations like what they would do in the event of a major internal fraud.

What is somewhat surprising about this report is that these financial institutions should have already conducted similar scenario planning and testing as part of the Basel II Capital Accord requirements. However, since the Basel II requirements were largely self-regulated, it appears that the banks did not do their homework the first time around. For those bankers in the US who did not do their homework either, you might want to get started before the teacher asks for it.

Tuesday, February 8, 2011

Incentive Pay & Risk Back in the Spotlight

Yesterday, the Federal Deposit Insurance Corporation (FDIC) approved a proposal to limit excessive risk taking that is tied to incentive programs at large financial institutions. The proposed rules are a result of the Dodd-Frank Act of 2010. Here is a summary of the new rules from the FDIC's website.
The Board of Directors of the Federal Deposit Insurance Corporation (FDIC) today approved a joint proposed rulemaking to implement Section 956 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Section 956 prohibits incentive-based compensation arrangements that encourage inappropriate risk taking by covered financial institutions and are deemed to be excessive, or that may lead to material losses.

Consistent with Dodd-Frank, the proposed rule does not apply to banks with total consolidated assets of less than $1 billion, and contains heightened standards for institutions with $50 billion or more in total consolidated assets. For these larger institutions, the rule requires that at least 50 percent of incentive-based payments be deferred for a minimum of three years for designated executives. Moreover, boards of directors of these larger institutions must identify employees who individually have the ability to expose the institution to substantial risk, and must determine that the incentive compensation for these employees appropriately balances risk and rewards according to enumerated standards.

Chairman Bair said "This proposed rule will help address a key safety and soundness issue which contributed to the recent financial crisis – that poorly designed compensation structures can misalign incentives and induce excessive risk-taking within financial organizations. Importantly, we believe the rule will accomplish its objectives in a way that appropriately reflects the size and complexity of individual institutions. Importantly, this inter-agency proposal will apply across all types of US financial institutions, limiting the opportunity for regulatory arbitrage. Similarly, it will better align US compensation standards with those which have been adopted internationally under the framework approved by the Financial Stability Board in 2009."

Public comment will be accepted for 45 days prior to final approval. In addition, the rules are a joint effort of the Federal Financial Institutions Examination Council (FFIEC), the Securities & Exchange Commission (SEC) and the Federal Housing Finance Agency (FHFA), each of which must also approve the rules. These rules are a step in the right direction for those more interested in long-term results, but they will certainly be the subject of intense debate.

Tuesday, February 1, 2011

Risk Won't Wait

After several years of delaying funding on risk management and IT security due to economic pressures, more and more companies are realizing that they cannot wait any longer. The stakes are simply too high to rely on outdated technology and a bare-bones approach to addressing ever-increasing risks. Here is what was reported in InformationWeek magazine earlier this week:
A unique convergence of circumstances makes this the perfect time to bring IT and business units together under the flag of a risk-oriented approach to security. Economic stress and cutthroat competition on a global scale mean every dollar you spend on security had better matter. Executives are increasingly being held personally accountable, and unified risk management as a discipline is finally reaching maturity.

Plus, the money is there. Thirty-five percent of the 563 respondents to our InformationWeek Analytics IT Risk Management Survey say their companies' IT risk management programs will get more funding in 2011 than they did last year. Very few will see cuts.

Don't be left behind. With leaps in technology occurring in a matter of months rather than years, no company can afford to delay its improvements in risk management.