Risk Management, Work Remains in FS Sector

Author: Colm McDonnell

A 2007 survey by Deloitte shows that financial services institutions have made some real progress with risk management but, as events over the last twelve months have clearly demonstrated, more work remains to be done. Colm McDonnell explains.

In an ever more complex and volatile business environment, risk management has continued to grow in importance in the financial services industry. And of course recent events in France with Société Générale only serve to prove the point more emphatically – risks are in abundance in financial services organisations and require meaningful attention at all levels within organisations.

Deloitte has undertaken a number of surveys throughout the years to ascertain how risk management is implemented in financial services organisations across the globe and how the methods used by such institutions have evolved. The results of the most recent survey in 2007 show that financial services institutions have made some real progress with their risk management policies – more and more institutions are treating it as a board-level oversight responsibility. Similarly, we are seeing the role of chief risk officer becoming more commonplace in Irish financial institutions.

That said, considerable work still needs to be done and the results of the survey demonstrate the importance that is being placed on risk management programmes – and also the different approaches that companies are taking. The main findings of this research show that most institutions have not yet created effective processes and systems to measure and manage ‘traditional’ risks, such as operational, strategic or geopolitical risk. While institutions that have implemented enterprise risk management (ERM) programmes find that they have generated significant value, the fact remains that only about one-third have an ERM programme in place.

Addressing the Full Range of Risks

All companies face risk but effective risk management is particularly critical for financial institutions who are held to the highest of standards by both customers and regulators.

Financial services institutions face the challenges of ongoing regulatory change and scrutiny – from Basel II to consumer code to Anti-Money Laundering – and must also meet growing demands for strong governance and enhanced transparency. They must be constantly vigilant to protect data privacy and prevent technology security breaches. They must keep pace with the explosive growth of alternative investment vehicles, such as credit derivatives, energy products and private equity. These investments pose a variety of risks, including the difficulty of valuation for illiquid instruments. They must be ready for a range of potential disasters – either man-made or natural. The list goes on and on.

Our survey found that while executives at financial services firms rated their risk management processes as ‘extremely’ or ‘very’ effective in the areas of market, credit and liquidity risk (each between 70 and 80%), respondents acknowledge that they have not yet created effective processes and systems to manage less traditional risks.

Only 47% considered their institution very effective in managing risks associated with business continuity/IT security, 43% each for operational and vendor risk, and 35% for geopolitical risk.

When executives were asked about the likelihood of specific risks, they felt their institutions were at least somewhat likely to be affected by credit (80%), operational (71%), market (65%) and business continuity/IT security (60%) risks.

In addition, areas such as liquidity, reputation, strategic, regulatory/compliance, litigation, privacy and hazard/insurable risk were each cited by a third or more of the executives as at least somewhat likely.

Achieving a Strategic View of Risk

By elevating the responsibility for risk management to the top of the organisation as a board-level oversight responsibility, institutions can start to address these more complex risk management challenges. The executives surveyed found that 70% of boardrooms now have this charge, an increase from the 59% reported in 2004 and 57% in 2002.

Chief Risk Officer

In addition, the number of institutions with a chief risk officer (CRO) reached new heights, with 84% of institutions reporting that they now have a CRO in place, up from 81% in the 2004 survey, while another 8% said they plan to establish this position.

When CROs are in place they appear to genuinely have the backing and buy-in of senior management, with 42% reporting directly to the CEO and 37% reporting to the board or a board committee.

Organisation of the Risk Management Function

In terms of how the risk management function is organised, institutions took a variety of approaches. A centralised approach is the most popular with 44% of survey respondents adopting this approach. 35% of respondents adopted a decentralised approach, 16% said that they are organised by risk type, 14% by business unit and 5% by region. The remaining 21% of executives reported using a mix of a centralised and decentralised approach.

Each approach has its advantages and disadvantages. A centralised approach offers the potential to achieve a common risk management vision across the institution, faster implementation once decisions have been made, and economies of scale. Yet, centralised risk management can face slower decision-making, difficulties in capturing data and reporting on a consistent basis and the potential to overlook risks in specific products, functions or customers. On the other hand, a decentralised approach can offer greater understanding of the risks in specific aspects of the business and the ability to respond flexibly to these risks. Yet, a purely decentralised approach may lead to inconsistent risk policies, strategies and reporting and create the potential that consolidated risks may be missed. Some institutions employ a hybrid in an attempt to capture the best elements of each approach.

In our experience, there is no one approach that is appropriate for all institutions. The key issue is that the organisation of the risk management function should be tailored to the institution’s governance approach, organisational structure, size and overall operating philosophy.

Implementing ERM Programmes

The progress in implementing enterprise risk management programmes illustrates both the progress and the remaining work to do in risk management in the industry. Only 35% of executives reported that their institutions had already implemented an ERM programme, while almost a third (32%) are in the process of establishing one.

Where ERM programmes have been created, they have yielded benefits – roughly three-quarters of executives from companies with ERM initiatives said the total value of their programmes had exceeded the costs. However, this assessment of value is largely qualitative, as only 4% of executives said their institutions quantify the benefits of their ERM programmes.

Other findings from the global risk management survey include:

- More than 70% of executives reported that their firms had established formal enterprise-wide programmes to implement Basel II. At the same time, many institutions still have significant work to do in reaching key Basel II qualification standards.
- Although more than 60% of executives reported that their institutions used value at risk (VaR) extensively for fixed income, foreign exchange, and equity, less than one-third said it was used extensively for a range of other instruments including asset-backed securities, structured products, credit derivatives, and energy products.
- In the area of operational risk, only about one in four executives said their operational risk management systems were very capable in terms of reporting and data gathering, and more than two thirds said they were at least somewhat capable in those areas. Lagging behind were exposure calculations and scenario model building.

So how are financial services institutions in Ireland adapting to risk management? Our advice would be to take on board these most recent findings – and ascertain as soon as possible what needs to be addressed by your organisation from a risk management perspective. We are certainly seeing that ERM is becoming an increasingly important area for financial services companies in Ireland – and this is not a moment too soon. For too long Irish-based global financial institutions have performed some ‘box ticking’ when it comes to risk management. The events that have unfolded over the last 12 months show that this is not enough and all financial institutions can learn from this. The findings of this global survey certainly re-iterate the importance of making risk management a top priority.

Looking ahead

We expect financial institutions will focus on a number of different areas within their risk management initiatives. Some institutions will begin or advance their ERM programme development efforts. Others may include additional risks within their ERM programme – particularly the less traditional and emerging risks where risk methodologies are not as developed and the risks themselves less understood. Many will continue to develop more sophisticated approaches to measure and manage credit and operational risk due to requirements such as Basel II and Solvency II. Still others will need to develop more integrated programmes to address key issues from emerging markets, hedge funds, new products, conflicts management and regulatory requirements.

Regardless of the area of focus within risk management initiatives, it is clear that all financial institutions will be pressured to reduce costs. As a result, they will look at both the efficiency and effectiveness of their major risk management programmes. We encourage financial institutions to address these cost pressures by developing more integrated risk and compliance programmes, which will save money by creating a more efficient solution and provide better and more timely risk management information through an integrated capability. ‘Assess once, satisfy many’ must be the mantra.

In a challenging and changing risk environment, the bar on what constitutes effective risk management is constantly being raised. Most institutions have an unfinished agenda. Financial institutions that can understand risk holistically – managing the full range of risks they confront – can strategically use risk-taking as a means to strengthen their competitive position and create value.

Colm McDonnell, ACA, is Partner, Enterprise Risk Services with Deloitte in Dublin and a member of Deloitte’s Financial Services group. Email: cmcdonnell@deloitte.ie