Recover, adapt, advance

Back to business in an uncertain world

A survey of the world’s largest banks
Contents
1 Executive summary

4 Top challenges

16 Rethinking risk strategies

24 Risk appetite: the Ernst & Young perspective

28 Realigning roles, responsibilities and rewards

34 Recalibrating risk processes

41 Costs and budgeting

44 Final thoughts
Executive summary
The title of our 2010 annual survey on risk governance, Recover, adapt, advance: back
to business in an uncertain world, aptly reflects the current mindset of this year’s
survey participants.
The good news is that most of the executives we spoke with believe that recovery is
underway. No one, however, is optimistic that this recovery will be quick or easy. In fact,
many are bracing for another dip in the form of commercial real estate defaults and
anticipating that another wave of bank closures may follow. Executives, particulary in the
West, are picking up the pieces and are working diligently to clean up the distressed assets
and debt on their balance sheets. As one respondent told us, “It’s been an exhausting and
debilitating 12 months.”
But all agree the challenges are far from over. While the worst of the downturn seems to
be behind us, the global markets are far from stable. Although the economy is showing
signs of recovery in most parts of the world, unemployment remains stubbornly high.
Worldwide, consumer trust and confidence in governments in general and in the financial
industry in particular are at an all-time low. Politicians and regulators are rallying to
tighten controls significantly, and executives are preparing for an onslaught of new
restrictions that have the potential to affect some very fundamental aspects of the way
they run their firms.
Recovering and adapting would seem to be more than a full-time job for senior management;
however, as one executive told us, “Uncertainty aside, we still have a business to run.”
Around the globe, banks reported that they are buckling down and getting back to the
day-to-day tasks. Most have adopted a back-to-basics philosophy — exiting products and
markets that overextended their capabilities and diluted capital, and returning to their core
businesses. Not surprisingly, attitudes in general are cautious and risk averse.
As the dust settles, boards and senior management are taking the time to reflect
strategically on the big picture — clarifying growth objectives, basic business models, and
organizational philosophy and culture. They are extremely cognizant of the glaring lessons
of the crisis: the vital importance of managing for liquidity; the need to strengthen and
institutionalize an appropriate risk culture; and the imperative to always be prepared for
the unexpected. As a result, many have enhanced capital planning and tightened controls,
policies and procedures; elevated and strengthened risk governance; and upgraded
forecasting, reporting and assessment capabilities.
Many executives are hopeful that the lessons of the downturn will drive positive and
lasting change in the industry. As one respondent told us, “I think memories will be a
little longer this time than perhaps they were in the past.” Despite the preponderance of
issues still facing the industry, we came away with a growing feeling of hope about the
possibilities ahead.

1
 Key observations
Preparing for the new regulatory realities. In response to the pending regulatory
requirements, particularly the potential restrictions on capital, banks are underway with a
variety of initiatives — raising capital and liquidity levels, assessing the impact of proposed
regulations on business strategies, and addressing risk management weaknesses exposed by
increased supervisory expectations — to prepare for the anticipated changes.
Rethinking risk strategies. Respondents unanimously agreed that risk governance
must remain a top priority on senior management agendas. In an effort to build a more
comprehensive, consistent and collaborative approach to risk, boards and senior teams are
starting at the top by defining, articulating and enforcing an organizational risk appetite and
working to cascade it throughout the business.
Realigning roles, responsibilities and rewards. Survey respondents consistently expressed
the view that companies underestimated the vital importance of the human factor in
managing risk. To institute and reinforce a strong risk culture, risk must become everyone’s
business, from boards to front-line decision-makers. As a result, banks are redefining roles
and responsibilities for risk management throughout the enterprise — strengthening board
oversight duties and significantly elevating the CRO’s stature and organizational influence.

This is the third in a series of proprietary surveys on evolving risk management at global
banking and capital markets institutions conducted by Ernst & Young since 2007. The
goal is to identify key challenges organizations are facing around risk management
and control, and to assess the state of risk management in a turbulent environment.
Ernst & Young again commissioned Broderick & Company, an independent market
strategy firm, to conduct in-depth, qualitatively rich interviews with senior executives
in global banking and capital markets institutions. From October 2009 through
January 2010, Broderick interviewed 39 senior executives from 30 major banking
institutions around the world. The interviewees included a mix of senior executives in
each organization. Among them were: chief financial officers and chief risk officers, as
well as heads of functional divisions such as operational risk, market risk, credit risk,
internal audit and compliance.

2
 Recalibrating risk procedures. Across the banking industry, “I think any financial
initiatives are underway to achieve a more holistic, integrated
approach to identifying high-impact risks and factoring them into institution that says
decision-making. Better, faster and more transparent reporting they haven’t had lessons
and more sophisticated, forward-looking forecasting capabilities
are viewed by respondents as two critical success factors in learned is not being
enterprise-wide risk management. honest. I hope to never
Streamlining technology. Leveraging technology to more see anything like this
effectively support risk management remains a work in progress
for most banks. While executives seem to have a clear vision again in my career. It’s
for how technology can be deployed to better support risk not over. We’re still on
management, they reported ongoing challenges in implementing
effective technology platforms. As a result, technology remains a the carousel.”
major area of investment.
Coping with rising costs. More than 80% of respondents across
regions are bracing for significant increases in costs. Heightened
regulatory requirements and workout expenses in the aftermath
of the meltdown are predicted to drive costs up for at least the
next 12 to 24 months.

Participating North America Europe Asia-Pacific

institutions American Express Banco Santander ANZ
included:
Bank of America Barclays Bank of China
CIBC Credit Suisse Bank of Tokyo-Mitsubishi UFJ
Citigroup HSBC ICBC
Fannie Mae Intesa Sanpaolo Macquarie Group
Goldman Sachs ING National Australia Bank
Northern Trust Lloyds Banking Group Sumitomo Trust & Banking Co. Ltd.
PNC Nordea Westpac
State Street Bank SEB
TD Bank Société Générale
Swedbank
VTB Bank

3
 Top
challenges

4
Five challenges dominate
senior management agendas
Executives are grappling with regulatory and economic uncertainty

When respondents were asked to identify the top two risk management and control challenges
facing their organizations, five themes quickly surfaced and reverberated throughout our
discussions. Taken together, they form an image of an industry striving to regain its footing in
a still-fluid economic and regulatory landscape.
The overwhelming top-of-mind issue — cited by 72% of respondents — is regulatory uncertainty.
New regulations are expected to impose restrictions on capital, liquidity, risk management and
compensation practices, but how strict they will be and how soon they will take effect remains to be
seen. Anticipating and addressing the potential impact of these new rulings on their organizations is
a time-consuming and often frustrating task for company leaders.
Still focused on the regulatory theme, more than 40% of respondents are grappling with the
business implications of the pending new requirements for capital and liquidity levels, placing it
second on the list of top concerns. More than one-third (38%) of survey interviewees say they are
working hard to upgrade their risk governance policies and procedures with the goal of instilling
a risk awareness culture throughout their organizations. Worries that the economy will stagnate,
or worse, dip back into recession, were cited by 36% as a continuing challenge. And finally, in the
aftermath of the crisis, 28% of the executives surveyed are dealing with the tough task of removing
distressed assets and debt from their balance sheets (See Exhibit 1).

Dealing with regulatory uncertainty

72%
Anticipating new capital requirements
Dealing with regulatory
41% uncertainty is the
Shifting the risk culture top concern
38%
Navigating the fluid economy

36%
Repairing the balance sheets

28%
Exhibit 1: Top challenges facing senior management

5
Challenge 1
Dealing with regulatory uncertainty

Anticipating new capital requirements

41%
Evolving the risk culture

38%
Navigating the fluid economy

36%
Repairing the balance sheet

28% “Many different regulatory

changes are being floated
around. But when they’re going
to be brought in, and whether
they’re going to be brought in
on a uniform, global basis is
difficult to assess.”

6
 Multiple regulatory proposals complicate planning as banks
anticipate systemic reform

72% The rapidly changing regulatory landscape was cited by the majority of respondents as the
top challenge their organizations face around risk management and control. As regulators
and legislators around the world tighten regulatory oversight in response to the financial
crisis, banks are preparing for what one executive called “draconian” regulations that have
the potential to affect some very fundamental aspects of the way they run their business.
Financial institutions are, of course, accustomed to dealing with a host of regulations
across all of the jurisdictions in which they operate, but the heightened political scrutiny
and the rush to respond in the wake of the financial crisis are creating a complex and
sometimes contradictory web of proposals from regulators around the world. Banks are
struggling to navigate through the multiple pieces of legislation from multiple regulators
to determine the impact on their global operations. As one executive summed it up, “You
have the G20 coming up with things; you have the Europeans coming up with things;
you have the British coming up with things; and all not necessarily coordinated and not
necessarily all saying the same thing. It’s exceedingly difficult.”
Plotting a course through this landscape is extremely challenging and intensely time
consuming for internal teams. Banks are diverting a huge amount of senior time to
meet and work with regulators, redeploying teams of people to deal with the growing
documentation requirements and investing in new systems and processes to stay a step
ahead of anticipated changes.

7
Challenge 2
Dealing with regulatory uncertainty

Anticipating new capital requirements

41%
Evolving the risk culture

38%
Navigating the fluid economy

36%
Repairing the balance sheet

28% “If you change the amount of

capital and liquidity required,
there will be big consequences
as to what is an appropriate
and viable business model.
The cost of funding and the cost
of capital mean that there are
certain types of lending and
other activities we probably
won’t do.”

8
 Stricter regulatory proposals are driving banks to reallocate
capital, rebalance portfolios and rethink market strategies

72% Of the array of regulatory changes under consideration, the expected increase in
capital and liquidity requirements represents the most formidable challenge to many
institutions. While many respondents claim they have historically taken a conservative
approach to allocating capital, 50% did indicate that they are in the process of adjusting
their approaches to capital allocation across their business units (See Exhibit 2).
Many banks have raised their capital levels and ratios above the minimums in
anticipation of the new requirements. But the way it will all sort out from a regulatory
standpoint and the ultimate impact on the business decisions of boards and senior
management are still unclear. Some companies are striving to align economic capital
with regulatory capital models to make certain that regulatory requirements are
adequately captured or, as one respondent explained, “We are trying to switch our
organizational mindset from economic to regulatory capital.”
Even banks that are not changing their capital allocation process acknowledge they
are enhancing governance policies and procedures around capital management:
augmenting reporting requirements, particularly to the board and senior management;
strengthening their forecasting methodologies using scenario planning and stress
tests to evaluate impacts on capital positions; and formalizing and documenting capital
contingency plans.
Many institutions are seriously re-evaluating their portfolios — exiting more
capital-intensive, less-profitable lines of business and geographies, and shifting
out of more complex, less-liquid instruments into simpler, more-liquid products
with less risk and, of course, less return. Executives worry that the impact
of these decisions could potentially restrain lending and ultimately
slow economic growth and recovery.

50%
Half have changed
their approach to
capital allocation

Exhibit 2: Changes in approach to capital allocation

9
Challenge 3
Dealing with regulatory uncertainty

Anticipating new capital requirements

41%
Shifting the risk culture

38%
Navigating the fluid economy

36%
Repairing the balance sheet

28% “Working through the crisis,

we gained insights into
how to strengthen our risk
management and control. It
allowed us to shore up our
weaknesses and further develop
the risk management team.”

10
 Banks are strengthening their risk culture and governance
processes with greater senior management involvement

72% and reinvigorated risk procedures

In the Ernst & Young 2009 study — conducted at the height of the crisis — senior
executives listed “shifting the risk culture” as their second most important initiative
to tackle once the short-term firefighting and damage assessment were over. One
year later, shifting the culture is still very much top of mind for senior executives.
The good news is that the aspiration is slowly becoming a reality. Banks have
undertaken a host of initiatives to institutionalize comprehensive, consistent and
collaborative approaches to risk. Effective risk governance has risen to the top
as a core business imperative, and organizations are mobilizing to identify and
address deficiencies. Boards and senior management are now fully engaged in
the risk process, determining and articulating the organizational risk appetite and
parameters; strengthening and clarifying governance policies and procedures; and
clearly establishing risk responsibilities and accountability across all levels of the
organization from board members to front-line managers. The power and influence
of the risk team have been significantly elevated, and in several institutions, the
CRO has a dual-reporting relationship — to both the CEO and the board — as well as a
strong voice in strategic decision-making.
The changes required to institutionalize a strong risk culture are fundamental and
far-reaching. For many banks, making risk “everyone’s business” represents a
significant shift in mindset, policies, systems and processes. As one executive told us,
“It is an enormous, multiyear march to accomplish.”

11
Challenge 4
Dealing with regulatory uncertainty

Anticipating new capital requirements

41%
Evolving the risk culture

38%
Navigating the fluid economy

36%
Repairing the balance sheet

28% “If I add it all up, the uncertainty

in the environment and how you
manage for that strategically
and in the day-to-day are my
biggest concerns.”

12
 Uncertainty about the economy poses a challenge to
long-term and short-term planning

72% While a few survey respondents used the terms “recovery” and claimed “the worst is
behind us,” the optimists were outweighed by the more cautious executives who remain
concerned about the depth of the recession and the pace of economic upturn. But,
regardless of their viewpoint, all agreed the uncertain market environment is making
business planning and decision-making — both short- and longer-term — extremely difficult.
There is no doubt that serious challenges are still ahead for the industry, and organizations
are bracing for what one executive called the triple threat: the economic, political and
regulatory aftershocks of the crisis.

13
Challenge 5
Dealing with regulatory uncertainty

Anticipating new capital requirements

41%
Evolving the risk culture

38%
Navigating the fluid economy

36%
Repairing the balance sheets

28% “The other thing is that a lot of

assets are still sitting on the
bank’s balance sheets. Bad
debts tend to lag the economic
position, so things start looking
a lot better, but bad debts keep
coming through.”

14
 Many banks are still dealing with fallout from the crisis
Senior banking executives continue to be occupied with the cleanup of the distressed

72%
assets and debt on their balance sheets. In particular, many are keeping a vigilant eye
on their levels of commercial real estate loan defaults in areas where market conditions
continue to weaken.
Some banks reported progress in selling troubled assets, but acknowledge that most
potential purchasers of debt are still waiting on the sidelines to see if the market will
decline further and reduce prices, especially in the commercial real estate sector. Several
banks have deployed teams of qualified workout specialists to keep up with and manage
the portfolio deterioration.

15
Rethinking
risk strategies
16
Banks are rethinking their strategic approach to risk
Executives are adjusting approaches to defining, identifying and prioritizing risk
Many executives believe that the industry’s heightened focus on risk governance is one of the most positive
outcomes of the crisis. It has forced senior management to fundamentally rethink their strategic approach to risk,
an exercise survey participants believe is pivotal to preventing another disaster.
The evolution in strategy starts at the top, with a clear definition of the organization’s risk appetite and parameters
for doing business. A well-defined risk appetite is the cornerstone of an effective risk governance framework that
links the organizational strategy and objectives to day-to-day business decisions and operations.
To ensure their position remains within acceptable risk limits, banks are reviewing internal control systems,
evaluating risk portfolios and significantly upgrading emerging risk identification policies to spot and address
problems more systematically before they escalate.
Navigating across the many categories of risk confronting an organization is challenging in today’s dynamic
environment. Senior executives are expanding their strategic management of risks beyond the traditional focus on
credit and market to include such emerging risk types as operational, liquidity and reputational. And, as the industry
has learned, problems in one area of the bank can reverberate throughout the institution. As a result, executives
are working to better understand the correlations and the interrelationships across risk classes.

17
Reassessing and integrating risk appetite
Boards and senior management are clearly defining risk tolerance and limits

Most respondents acknowledged that their company needs

to do a better job defining, articulating and instilling their Most have clearly
organizational risk appetite into the company. Challenged
by both regulatory bodies and boards of directors, senior
defined statements of 60%
executives have elevated risk appetite to a top priority on their risk appetite
very busy agendas.
While 60% of respondents gave themselves relatively high
marks for having a clearly articulated risk appetite, most
agreed that defining the risk position and embedding it 36%
throughout the organization are two distinct activities
(See Exhibit 3). The process is complicated by the absence of a
risk-appetite statement that applies to all business lines.
The level of acceptable risk must be assessed and determined
for each risk type and line of business. Disparate business
goals, weak communication and spotty enforcement can cause
a disconnect between the risk parameters set at the board and
senior management level and the day-to-day management of
4%
the business. Cascading the risk appetite down to the business
Not clearly Under Clearly
unit and desk level is critical to putting risk appetite into effect defined way defined
throughout the organization.
Exhibit 3: Statements of risk appetite
As we have noted, shifting the risk culture is not an easy task
and several interviewees describe multiyear, highly collaborative
and iterative processes to integrate disparate risk tolerances and
create a unified company-wide position.

“We always had a squishy risk appetite

philosophy that everyone interpreted
differently. Now we are codifying and
formalizing it.”

18
Strengthening risk-identification processes
Banks are looking at risk holistically and assuming a more
vigilant stance on risk-identification policies and procedures

In the aftermath of the crisis, banks moved quickly to take control

of their risk agendas with the immediate goal of identifying and
mitigating vulnerabilities and reducing high-risk behavior and problem Activities underway
areas. The control-tightening initiatives have led many institutions
to incorporate more rigorous processes for evaluating their risk Identifying
portfolios and introduce more stringent controls to ensure that the emerging risks
bank’s position is solidly within the accepted parameters of risk.
Respondents reported a wide range of
Survey participants indicated that they have greatly strengthened their
activities to identify emerging risks more
early warning procedures to spot emerging risks and deal with them
systematically:
quickly before they escalate into major issues. Banks reported a host of
rigorous policy and procedure improvements in this area including: daily • C
 onducting more frequent and more
real-time monitoring of risks; stricter portfolio risk-grading systems; formal risk discussions
and tighter screening of on-boarding procedures for new clients.
• I nstituting emerging-risk identification
Several institutions have formed new cross-functional risk identification
committees
committees composed of managers from finance, risk, technology,
compliance, treasury, accounting and the business units. These come • S
 trengthening stress testing, using
together regularly to share their respective insights on emerging risks more forward-looking scenarios
that could potentially have a negative impact on the company.
• Adopting more rigorous screening and
The industry has learned the painful lesson that problems in one area on-boarding procedures for new clients
of the bank can reverberate throughout the institution, creating and
• Utilizing advanced information
exacerbating problems in totally unrelated businesses. As a result,
technology to conduct real-time
executives said they are doing a better job of understanding the
monitoring of risks of subsidiaries
correlations of different risks — conducting more integrated forecasting
and branches
scenarios that look beyond the traditional silos to assess emerging
issues more systematically and holistically. Finally, many companies • U
 pgrading portfolio risk grading systems
have upgraded their product-approval policies and procedures,
• I ssuing early warning indicator reports
increasing the involvement of the risk group in developing, approving
and monitoring products throughout their life cycle. Some now require • R
 einforcing product-approval policies
the risk organization to sign off both at the initiation of a new product and procedures
and on an annual basis to ensure the product is still acceptable on a
risk/return basis and from a reputational standpoint. As one executive
sums it up, “Early identification of risks has become the holy grail in
our organization.”

“I’ve got a weekly escalation that flags any new

risks in the business. You’ve got to have your
eyes and ears open 100% of the time.”

19
Shifting focus on risk classes
New areas of risk are surfacing on senior management agendas

As the focus on risk intensifies, companies are enhancing their Credit risk: the top of the agenda
management of key risks. This is true not only for traditional
At the end of our interviews in January 2010, the economy,
risks classes, such as credit and market risk, but also for
particulary in the US and Europe, was still in flux. High
emerging areas, such as operational, liquidity and reputational
unemployment and low consumer confidence persisted, and the
risk, which have become more important. As one executive
credit markets remained contracted. While cautiously optimistic
told us, “It’s not that we weren’t cognizant and careful of these
that things were stabilizing, respondents expressed concern
risks before; it’s that the consequences of getting them wrong
that the turnaround would be sluggish or the economy might dip
today are much more severe.” When asked to prioritize the types
again into recession. As a consequence, credit risk was top of
of risk that are currently receiving the most attention in their
mind for most interviewees (See Exhibit 4).
businesses, executives placed credit (67%), operational (44%),
liquidity (38%), market (33%) and reputational (26%) risks at the
top of their lists.

Credit Credit risk is at

67% the top of senior
management agendas
Operational
44%
Liquidity 44%
38%
Market
33%
Reputational
26%
Exhibit 4: Risks at top of senior management agendas

20
Executives agreed that making sound credit approval and
pricing decisions is even more critical than ever in today’s
environment, and many are initiating a variety of activities to
manage exposures and mitigate risk. More specifically, banks
are conducting stringent independent credit analysis both
for borrowers and for credit providers and guarantors. They
are deploying special workout teams that will manage loan
portfolios more rigorously to resolve remnant structural
credit positions and monitor deterioration in credit quality,
charge-offs and related delinquencies. And they are
strengthening their credit risk management function and
team. The impact of tail risks, especially for structured credit
products, emerged as a particular area of concern, and many
said they were upgrading their forecasting capabilities to
assess risk in stressed market conditions.
Operational risk: assessing the nuts and bolts
Attention to operational risk is on the rise, especially in the
Americas. Almost half of the executives interviewed voted it a
top priority, making it management’s second greatest concern.
Financial institutions have, of course, managed operational risks
for years and understand the need to maintain tight controls
and low error rates. However, the heightened scrutiny from
both regulatory bodies and governments, the new operational
risk management framework and measurements required
under Basel II, and the sheer difficulty of navigating today’s
environment have all intensified the focus on operations.
Banks are examining the nuts and bolts of the business —
evaluating, defining and quantifying the people, systems and
process risks embedded throughout the enterprise. Initiatives
include: standardizing documentation of processes and controls;
improving data gathering, quality and timeliness; developing
methodologies and metrics to quantify risks; and conducting
scenario analysis by risk type. Several companies have created
a new management position focused exclusively on operational
risk oversight, and many are developing risk awareness and
training programs for all units and functions.
“Operational risk is the ‘cause du jour’
with regulators.”
21
84%
Most banks have made Liquidity risk: the biggest lesson learned
changes to their approach In Ernst & Young’s 2009 survey, 88% of respondents viewed
to managing and liquidity — more specifically the loss of liquidity — as the single
largest lesson learned from the disastrous ripple effect of the
controlling liquidity risk downturn across global markets.
In this year’s study, there was still widespread agreement that
Exhibit 5: Approach to managing and controlling liquidity risk the industry underestimated the difficulties of measuring and
forecasting liquidity, and all concurred that liquidity must be
factored more fully into risk management. The good news
is that the liquidity lesson appears to have been taken to
heart — 84% of banks interviewed indicated that they have

70%
changed their approach to managing and controlling liquidity
risk (See Exhibit 5). Changes ranged from very fundamental
shifts out of businesses and products to tactical internal
adjustments to liquidity management practices.
Seventy percent of banks have adjusted their viewpoints on
More than two-thirds have liquidity buffers, and many have significantly increased their
cash reserves to comply with, and in some cases exceed,
adjusted their viewpoint on
regulatory requirements (See Exhibit 6). Many have made
liquidity buffers changes to the structure and composition of the risk group,
recruiting more senior people and strengthening their authority
and clout. New liquidity risk committees, comprising very senior
executives and, often including the chairman, meet weekly in
Exhibit 6: Point of view on adequate liquidity buffer
some institutions to track and monitor liquidity positions. Basic
risk governance policies and procedures have been reviewed
and strengthened, common terminology established, data
quality and collection upgraded and reports improved. Liquidity

68%
stress testing has become an important part of forecasting,
providing valuable input into the capital and strategic planning
process. Over two-thirds of executives reported adjustments to
testing — extending the time horizons and including more “worst
of the worst” case scenarios (See Exhibit 7).

More than two-thirds have

changed their approach to
liquidity stress testing

Exhibit 7: Approach to liquidity stress testing

22
Market risk: calming down
Market risk has been taken off the front burner of senior
management risk agendas. The extreme volatility in the market
is calming down and respondents are breathing a collective sigh
of relief. But the contagion impact — the extent of the crisis and
speed with which it swept through the industry — is very much
on everyone’s minds. Banks are working to hone their tools and
processes to better predict their firm’s sensitivity to shocks
and volatility in the market. They are supplementing traditional
VaR measures with stress testing and scenario analysis — some
investment banks are even conducting daily and weekly tests
on their trading books. They are also closely monitoring the
size, concentration and liquidity of positions, and applying good
business judgment to the results of the quantitative models.
Several executives reported that they are focusing on the
correlation between market risk and credit risk and are merging
the two functions under the control of one senior executive.
“Market risk doesn’t kill institutions. It’s
generally either credit risk or liquidity risk
that brings you down.”
Reputational risk: an erosion of trust
Not surprisingly, effective management of reputational risk
has become increasingly important, and respondents are
brutally aware of the erosion of trust and confidence in the
industry. Stakeholders, including shareholders, counterparties,
customers, current employees and potential recruits, gauge
their interactions with the company based on their individual
perceptions of the company’s soundness, reliability and
performance — an important factor in maintaining a strong
institutional brand.
Many executives discussed the intensity of the political,
public and media scrutiny, and its extremely negative impact
on everyone in the industry — including the people and
organizations that managed prudently. One executive noted
sadly, “You don’t go to a dinner party and tell people you work in
a bank anymore.”
23
 Ernst & Young perspective
Risk appetite
Setting the rules of the road
As regulators and bankers step back and
ponder what went wrong — and how to
prevent it from happening again — risk
appetite has emerged as a critical
foundation of the risk management
process. While the expectation of having
a board of directors approve risk appetite
has been around for some time, boards
and senior management, at the urging
of regulators, are taking a fresh and far
more rigorous approach to defining and
institutionalizing a robust risk appetite. As
they move through the process, they are
discovering that risk appetite is a
powerful management tool that, when
properly applied, creates a strong linkage
between strategy, risk, business and
capital management.
Risk appetite is the amount and type
of risk a company is willing to tolerate
to achieve its strategic and business
objectives. It is a reflection of the board
and senior management’s vision for how
the company fundamentally wants to do
business and how it wishes to be perceived
by key stakeholders — customers,
shareholders, employees, regulators and
rating agencies. The amount and type of
risk an organization is willing to accept
varies from bank to bank depending on
its management philosophy, growth goals,
business focus and geographic reach.
Even within the company itself, there is
no one-size-fits-all measure of risk. Each
business unit and risk type will dictate
a different level and approach to risk. A
bank’s appetite for credit risk in consumer
lending, for example, is often very
different from its appetite for market risk
in its investment banking organization.
A bank’s statement of risk appetite should
be expressed in a way that complements
24
the firm’s vision and strategy and sets
the rules of the road for the entire
organization, clarifying the board and
senior management’s overarching views
on what constitutes acceptable risk at
all levels within the business. A clear,
well-defined statement provides the
connection between the overall business
strategy and the risk governance of the
organization, and is the cornerstone of
an effective risk framework. Far too often,
the risk strategy doesn’t translate into the
day-to-day management of the business.
As one executive told us, “At our bank
there is good top-of-the-house articulation.
It’s pushing it into the DNA of the business
that’s hard.” Creating a risk framework
that is meaningful to management
and translates to actionable limits and
escalation triggers at the business unit
and desk level is a tough job.
Who is responsible for
risk appetite?
Ownership of risk appetite starts at
the very top of the organization and
systematically cascades downward to the
front-line business managers. The key
players in the risk appetite development
and implementation process include:
Board of directors. The role of the
board in risk management has evolved
significantly post-crisis, from pure
oversight to active participation in defining
risk appetite and approving the broad risk
parameters for the enterprise.
Risk committee. More and more banks
are adding or strengthening the mandate
of board risk committees to focus and
enhance their risk oversight responsibilities,
including active monitoring of the level of
risk exposure for the institution versus the
parameters set in the risk appetite.
CEO. Ultimately the CEO is responsible
for managing risk throughout the
organization. The CEO, together with the
board, is responsible for creating the risk
framework, and articulating and enforcing
the appropriate risk appetite.
CRO. The chief risk officer plays a central
role in the risk appetite development
and monitoring process — driving the
discussions between the board, business
management and independent control
groups. The CRO is concerned with
identifying disconnects between strategy
and operations. This role owns the
internal assessment of tolerances, limits
and indicators to support measurement
against the risk appetite, as well as
the implementation plan development,
execution and management.
Business unit leaders. Business unit
leaders must communicate their business
and competitive imperatives and related
inherent risks to achieving those objectives
during the risk appetite development phase.
Once the risk appetite is formulated and
communicated, they are accountable for
ensuring that limits, escalation triggers and
other provisions are aligned with the risk
appetite and meticulously observed in the
execution of strategy.
Independent risk management and
control groups. Control and oversight
groups must have sufficient knowledge of
the business activities of the organization
and have the clout to force a review or
escalation when risk parameters have
been breached.
Risk appetite governance responsibilities
manages
risk/return
profile
Senior management
and lines
of business
Internal audit — test/evaluate effectiveness of risk governance framework
Defining risk appetite
Defining the organizational risk appetite is
both a qualitative and quantitative process
that requires careful review of a host of
external and internal factors.
Quantitatively, a bank’s risk appetite for
earnings volatility, liquidity position and
capital position must be assessed and
calibrated to risk drivers and their related
tolerances and risk limits. Management
must determine the organization’s appetite
for a decrease of more than a defined
amount in earnings or capital. They must
also ask themselves: ”What is the level
of tolerance for a reduction in available
liquidity?“ and ”What is the universe of risk
drivers for each of these scenarios, and
what level of tolerance should be assigned
to each?”
Economic capital can play an important
role in the quantification of and allocation
of appetite for each of these risks, and
management must carefully consider how
much capital should be allocated to the
various business objectives and strategic
Regulatory oversight
Board of
directors
approves approves
strategy risk appetite
Risk measures and
appetite reports risk
identifies and monitors
manages risk risk
activities of the organization. In addition,
other risk tolerances such as portfolio
concentrations (e.g., in a single sector,
geography, line of business or asset class),
credit quality (e.g., counterparty credit
rating, consumer credit score, delinquency
rates) or market factor sensitivities
(e.g., investment portfolio VaR, percent
change in net interest income under stress
scenarios) can be utilized to express
appetite for additional facets of risk.
Finally, the use of enterprise stress testing,
including “reverse” stress tests, is an
important tool in identifying and calibrating
additional elements of the overall risk
appetite of the firm.
On the qualitative side, banks must
consider reputational, strategic, culture
and stakeholder opinions. Stakeholder
views will undoubtedly differ on the
desired safety margins, and it is important
to understand these various viewpoints
in setting the appetite. Expectations of
regulatory and rating agencies, for example,
must be balanced with the business goals
and objectives of investors, customers
Independent
risk and
control group
and boards of directors. Organizational
philosophy, culture and values set the tone
for risk tolerance levels and play a pivotal
role in the decision-making process. And, as
has been amply demonstrated, reputational
damage can significantly impact a bank’s
philosophy on reputation and must be
considered in developing risk appetite.
These additional considerations can be
expressed in a number of ways. In many
instances, banks have used key indicators —
such as key performance indicators or key
risk indicators — as a way to numerically
express and measure some of the other,
more difficult to quantify drivers of risk
appetite components like operational or
regulatory risk. In addition, banks should
also utilize purely qualitative risk appetitive
statements as a way to express the board’s
views on items such as approved products/
businesses and compliance with external
rules and regulations. These elements,
combined with the quantitative measures,
provide for a more robust risk appetite
framework, which touches on all major
categories of risk.
25
 Ernst & Young perspective

A practical approach to defining a risk appetite

Establish
consistency Update risk
Assess between risk monitoring and
Draft risk appetite statement completeness appetite and reporting to align
and assess current risk profile of risk appetite operating limits with risk appetite

Top-down Identify strategic Draft risk appetite

approach
objectives statement Connect Confirm Confirm
risk appetite risk appetite risk monitoring
statement with statement and reporting and
Bottom-up Inventory risk Assess current risk risk profile calibrate operating process
approach
measurement profile, exposures parameters
tools and limits

The risk appetite Draft risk appetite and assess current • Forward-looking view of risk. Provide
risk profile a forward-looking view of risk that
development framework
reflects the firm’s strategy, business
Top-down. Boards and senior management
Ernst & Young recommends a practical model, future market conditions and
must reflect on their understanding of
approach to creating and embedding an the inherent risks, sensitivities
the potential impact of the range and
organization-wide risk appetite statement and uncertainties.
severities of key risks on the bank and its
and process. This process integrates a
strategic objectives. Taking into account • Linkages. Understand the linkages
top-down view of the firm’s overall appetite
the inherent uncertainties with forecasting between strategy and risk, and capital
and capacity for risk in the context of its
of this nature, banks must define, through and funding. How would capital and
strategic, financial and capital objectives,
both quantitative and qualitative means, liquidity be impacted by certain risk
with a bottom-up view of the infrastructure,
how much risk the firm can or is willing to events and how the firm could respond?
controls and analytic tools used to support
accept. This understanding of key risks and • Risk capacity. Understand risk
risk management within the business. The
potential severities must be translated into capacity and which shocks — to revenue,
result is a draft risk appetite statement
a top-down statement of risk appetite. reputation, capital and funding — could
that is then assessed and rationalized
to establish consistency between the In order to do this, boards and senior potentially send a bank into a downward
risk appetite, and business unit and desk management must have a robust and spiral from which it could not recover by
level operating limits. Finally, the process forward-looking understanding of the most itself. What scenarios could cause this
updates the risk monitoring and reporting significant risks faced by the institution to happen?
to align with risk appetite. relative to the achievement of its strategic • Bottom-up. A current state, or bottom-
goals. Scenario analysis and stress up, analysis of the bank’s current ability
Done successfully, this integration
testing, including so-called reverse stress to monitor and measure risk relative
establishes a new framework through
tests, along with existing aggregated to appetite is an activity that banks
which the enterprise-wide risk appetite set
risk reporting, should play a key role. should undertake. This analysis should
by the board and senior management is
Boards should challenge whether current challenge the extent to which existing
cascaded down to the business in the form
executive risk reporting and engagement processes and systems provide the
of limits and thresholds. These limits and
with management succeeds in establishing ability to sustainably identify, measure,
thresholds can be measured and monitored
a key risk inventory that fully addresses the monitor and report against the identified
by qualitative and quantitative means, with
range and potential severities of the most risks and limits.
appropriate performance reporting fed
significant risks to which the firm may be
back up to senior management. The key
exposed. Management should put in place
building blocks to this approach, therefore,
processes the will support:
aim to establish a sustainable process and
information loop that links the top-down
and bottom-up views.

26
Sample scope options to get started:
• Pilot one risk
• Pilot one product or business unit
• Whole enterprise — first iteration
Assess completeness of risk appetite
Once the top-down and bottom-up
reviews are complete, they must be
evaluated together in order to ensure
the completeness of the risk appetite.
Often, key areas have been left out, or not
considered with appropriate thoroughness.
In this stage, teams should ensure that
current risk profiles, exposures and
limits are thoroughly documented with a
consistent level of detail throughout and
risk appetite statements connected with
risk profile.
Establish consistency between
risk appetite and operating limits
The next step is to decompose these
organization-wide statements into more
specific appetite statements linked to
key risk types within the inventory, e.g.,
wholesale and retail credit, counterparty
credit, market, liquidity, operational, and
reputational. Within each category,
define specific appetite statements
linked to the organizational statements.
These may rely on specific, quantifiable
limits and thresholds or broader
qualitative statements.
These specific statements should be further
developed and cascaded down to the
operational level in the firm. This process
will be iterative and should increasingly
draw on business unit managers and risk
experts to first identify specific sub-risks The definition and articulation of risk
and risk drivers at the business unit level appetite drives both strategic and day-
that are aligned to the top-down risk. to-day business decisions, defines roles
The next step is to articulate meaningful and responsibilities around risk and has a
thresholds and limits aligned to the top- positive impact on organizational culture
down statements of appetite. and behavior. When a bank’s risk appetite is
properly defined and clearly communicated,
Update risk monitoring and reporting it becomes a powerful management tool
to align with risk appetite to clarify all dimensions of enterprise-wide
Operational processes and controls should risk and enhance overall business and
be refined to align ongoing business unit financial performance.
risk management and reporting processes
to the threshold and limit structure. The
process of establishing an effective risk
appetite framework is iterative and must be
refined over time. The effort in developing
and aligning the bottom-up risk framework
to the top-down appetite statements is
significant and is likely to require several
reporting cycles to fully establish.
The full cycle will take time to mature. The
risk information that flows up to boards
and senior management may challenge
the perspective of risk at the bank’s
highest levels with respect to risk types
and severities that the institution can, and
should, accept. Additionally, the thresholds
set at the various levels of the organization
will be refined over time as the quality
of supporting information and analysis
improves. Most significantly, the bank’s
understanding of its appetite and capacity
for risk will change over time as the risk
appetite framework matures.
27
Realigning roles,
responsibilities
and rewards
28
Banks are clarifying
risk governance responsibilities
Senior management is reassessing and redefining
expectations for risk management
Making risk management a company-wide concern and changing deeply engrained
attitudes toward risk require significant attention to the people factor in the risk equation.
Building a strong talent base with deep risk expertise and competing successfully to recruit
and retain this expertise continue to be critical challenges industry-wide. It is evident from
respondent interviews that many banking professionals believe the crisis can be traced, in
large measure, to the lack of a strong corps of seasoned risk executives throughout the
industry with the appropriate stature and clout to anticipate and act on risk issues.
There was strong agreement that effectively managing risk across the enterprise requires
both top-down oversight and bottom-up involvement. Accordingly, many banks have
conducted reassessments of the roles and responsibilities for all key internal
stakeholders — from board members to business unit heads and their teams — to
re-evaluate and clearly articulate expectations for risk management and mitigation.
Compensation, which few respondents believe played a pivotal role in the financial crisis,
is nonetheless a major issue to be addressed, and bank boards are working proactively to
do a better job of linking pay with risk performance.
Banks are taking a variety of actions to better align their compensation practices with
actual performance, rebalancing the proportion of fixed to variable compensation and
more tightly linking variable pay to performance over longer time horizons.

29
Recalibrating risk management roles and responsibilities
Boards strengthen oversight while CROs expand their influence
Well-defined and clearly articulated risk ownership roles
and responsibilities are a critical component of effective risk
governance. Over the past 12 months, many banks have
stepped back to take an inventory of current limit structures,
delegations of authority and existing policies and procedures.
Many found gaps in processes and assignments throughout their
organizations and confusion around risk oversight expectations.
As a result, responsibilities have been clarified and positions
strengthened for the key executives across the enterprise.
Boards and risk committees: reinforcing responsibilities
Most respondents shared the conviction that effective, high-
performing boards make an important difference to the
performance of their organization. Accordingly, many are
focused on identifying the critical factors for building and
improving higher impact, more effective boards. Two-thirds
of survey participants indicated that their organizations have
made changes to the roles and responsibilities of the board (See
Exhibit 8). Most reported that their boards are becoming more
educated, asking more pointed questions and challenging more
assumptions. At the same time, they are now much more hands-
on and more fully engaged in risk policy setting and governance.
Setting strategic direction and defining the organizational risk
appetite are now considered to be board responsibilities while
emerging issues such as capital allocation, new business risks
and compensation have risen in importance on the board’s
agendas. Many of the companies we surveyed have separated
risk from their audit committees and established a distinct risk
committee to ensure independence and an adequate focus
on each of those critical areas. Several are no longer allowing
board members to serve on both committees. More boards
30
are requesting that the CRO be given independent access to
board members, creating a more powerful system to perform
checks and balances of executive powers in the business lines.
Unquestionably, boards are conducting deeper dives into matters
that in previous years did not reach their agendas — requiring
more sophisticated, in-depth reports and analysis, and asking
tougher questions about risk-related issues as they relate to
strategic decisions.
CEO: the buck stops here
CEOs have clearly been in the hot seat during and since the
crisis, and as everyone is aware, they are often the first to go
when an organization comes under fire. Most respondents
agree that the CEO is ultimately responsible for risk in their
organizations. It is the CEO who must ensure that the company
as a whole gets it right when it comes to critical decisions on risk.
The CEO, together with the board, is responsible for creating the
risk framework and articulating and enforcing the risk appetite
throughout the enterprise.
Chief financial officers: aligned with risk
Senior finance teams face new and complex challenges in
today’s dynamic business environment. Respondents reported
that finance is changing the way it organizes and operates to
help ensure that banks execute their global strategies effectively,
manage risk appropriately, comply with regulations and —
bottom line — remain stable and solvent. CFOs are strengthening
the finance function’s alignment with risk management teams
so that risk governance, finance and capital allocation decisions
reinforce each other rather than work at cross purposes.
“The board has taken a greater interest in
how we manage risk and a greater interest
in where the risk lies within the organization.
They’re educating themselves so when they’re
reformulating the strategy, they have a better
understanding of where we might go next.”
Chief risk officers: drivers of cultural transformation “I think there were days in the past where
With risk now playing a strategic role equivalent to that of risk people felt like they were being
growth and revenue, nearly half of the companies reported
they have changed the roles and responsibilities of their risk ignored. Now they really feel much
teams (See Exhibit 9). CROs are now seen as being on a par with more relevant.”
CFOs and have a say in important decisions impacting strategic
direction, risk appetite, product development and compensation.
As part of their new roles, CROs report spending more time with
boards and providing regular reports and intensive briefings to

66%
help members understand and evaluate risk decisions. In some
instances, CROs report both to the CEO and to the board’s
risk committee.
Furthermore, the crisis and the move to Basel II have heightened
the need for the finance and risk teams to work closely together,
and CROs reported a much tighter alignment with CFOs and Two-thirds have made
finance organizations. Risk teams interact more frequently changes to the roles and
with internal human resource teams to develop remuneration
responsibilities of the board
policies and pay structures. Externally, they play a much
more prominent public role before regulators, analysts and
shareholder groups.
CROs are acutely aware of the increased importance of their Exhibit 8: Changes to the roles and responsibilities of the board
role in building and maintaining an effective risk governance
process and infrastructure. Philosophically, many see their role
as both influencing risk governance decisions and advising CEOs

52%
on risk appetite and strategy. As one CRO described it, “We are
educators and drivers of cultural transformation to make risk
everyone’s responsibility.” Risk has become the busiest area
for recruiters as companies search for strong chief risk officer
talent that can truly go head-to-head with business executives.

Business unit leaders: committed to risk culture Nearly half of respondents

The senior line leaders and their teams are taking a more active have made changes to roles
role in risk management as well. Many have reinvigorated and and responsibilities of the
restructured executive risk committees at the business unit or CRO and risk team
group level to focus more strategically on risk identification
and mitigation.
Exhibit 9: Changes to the roles and responsibilities of the
CRO and risk team

31
Linking compensation to risk performance
Public, political and regulatory pressures have elevated compensation on the
senior management agenda
The focus of intense regulatory scrutiny and considerable public
ire, executive compensation was described by one executive
as “the elephant in the room on every matter.” Another CRO
reported speaking to a “record number” of regulators on this
topic during the week of our interview with him. Our survey
participants were of course aware of the firestorm surrounding
compensation and assured us that they were not sitting on the
sidelines waiting for the political and regulatory debate to unfold.
Many are taking a proactive approach to assessing and, when
necessary, adapting compensation practices to ensure that
their pay structure does not incent the taking of excessive risks.
Seventy-three percent of executives reported that they have
made, and will continue to make, changes to their compensation
policies to better align pay structure with risk control tolerances
and firm culture (See Exhibit 10).
73%
Three-quarters
have made changes to
compensation frameworks
Exhibit 10: Changes to compensation frameworks
32
Banks are also taking a variety of actions to better align their
compensation practices with actual performance. Many are
rebalancing the proportion of fixed to variable compensation —
“putting a little more on the front end rather the back” — and
are more tightly linking variable pay to performance over
longer time horizons. Some are adding risk-based measures to
scorecards to counterbalance excessive risk-taking. Others are
determining compensation at the group level rather than the
individual business unit level, to create greater distance between
the risk-takers and those who determine their compensation.
Several are deferring payout for a significant part of executives’
bonuses or performance-related income, sometimes for as many
as five years, and a growing number are including clawback
provisions in deferred compensation. While clawbacks in the past
were typically limited to cases of fraud or criminal acts, firms are
developing standards under which a clawback may be invoked
based on portfolio performance over an extended period.
Boards of directors and their compensation committees are
spending considerably more time on pay practices. Board oversight
has been strengthened, and compensation committees have
embraced new methods for reviewing pay — delving deeper into
the employee ranks, conducting stress tests on payouts and
retaining more discretion over payments.
Risk professionals are also being drawn into evaluating the risk
dimensions of pay. In many banks, the CRO and risk team are
providing considerable input into the compensation framework, Activities underway
both directly and indirectly. Risk groups are more closely involved
in offering opinions on existing compensation plans, establishing Strengthening
new compensation policies, providing metrics for scorecards compensation
for business units and individuals, and in a few cases, actually
reviewing the compensation proposed for the top people in the
structures
organization. In some organizations, CROs now have the power to Respondents reported a range of
insist on a risk capital analysis and possible hedging decision on activities to adjust pay structures*
large trades and deals, indirectly impacting the bonus pool.
• Appropriately capital-charging
Survey participants agreed that some reform and improvement business and bonus pools
are needed for industry compensation policies and most report
progress is underway to improve the linkage between the • Retaining more discretion in payouts
governance of compensation and the company’s risk appetite, • Stress testing payouts
management and culture.
• Moving to longer vesting periods

• I ncreasing deferred compensation

• Incorporating risk-weighted metrics

• Instituting clawbacks
“We are looking very carefully at our
• Increasing base salary
compensation plans to make sure they
*”Banker compensation at a crossroads,”
don’t incent inappropriate risk behavior.” Tapestry Networks research sponsored by
Ernst & Young, November 2009.

33
34
Recalibrating
risk processes

35
Strengthening risk governance, systems and processes
Banks are continuing to upgrade their risk forecasting, reporting and technology

Across the banking industry, initiatives are underway to

achieve more comprehensive, integrated strategies for risk

60%
management. Throughout 2009, executives moved aggressively
to identify and address deficiencies in their risk management
processes. Reporting, forecasting and technology were the
primary target areas for improvement, and banks put in place
the systems and people required for thorough, proactive
The majority have made approaches to managing and mitigating risk.

changes to risk management Many are well along the path to building strong risk-governance
teams and processes. Sixty percent of executives interviewed
processes and structures
have made changes to their risk management organizations, and
the remainder have either implemented changes or have begun
the process (See Exhibit 11).

Exhibit 11: Changes to corporate risk management decision-making

processes and structures

36
Upgrading report analysis and delivery
Risk reporting is becoming more comprehensive, actionable and timely

In the wake of the crisis, boards, stakeholders, senior
management, rating agencies and regulators are demanding
more reliable, thorough and timely information — internally
about the business and externally about the universe of potential
risks. As a result, reporting is becoming more substantive
and qualitatively rich. Senior management, boards and other
stakeholders are beginning to receive management reports
that deliver real, actionable value — a clear shift from the “data
dump” mode that often characterized risk reporting in the past.
Seventy-one percent of executives indicated that they are well
underway with the development of integrated enterprise-wide
risk reports and almost one-third said their effort is nearly
complete (See Exhibit 12). But many companies still have a long
Respondents agreed that effective risk reporting, in terms of
both content and timeliness,is a critical step toward effective
enterprise-wide risk governance. It provides senior management
and the front-line business and risk professionals with the
information they need to make sound decisions in line with the
company’s risk appetite and business objectives. But many
cautioned that aggregating risk is only the first hurdle. The
more difficult step is reviewing, analyzing and synthesizing
risk reports to understand the interrelationships across the
organization. Most executives conceded there is more work to be
done in this area.

71%
way to go. Persistent problems cited by respondents include
poor data quality, inconsistent information from disparate
systems and the sheer volume of data — all of which make it
extremely difficult to pinpoint the essential information that The majority are
management needs and present it in an actionable manner. in the process of
Once reports are upgraded to span a more comprehensive implementing
set of information from across the organization, teams are enterprise-wide
turning their attention to delivering the information more
risk reporting
quickly. Executives said that accelerating the reporting process
to support real-time decision-making is one of their biggest
29%
challenges. As one executive describes the situation, “We
aggregate risk information quite well, but we do it slowly. We still
are working on an all-singing, all-dancing, instantaneous view
of complete risk to a particular counterparty in real time. We’re 0%
getting there.” In early Midway Nearly
stages complete
“It is the ability to, with judgment
Exhibit 12: Enterprise-wide risk reporting
and insight, connect the dots
between all of that information.”

37
Upgrading and reinforcing forecasting
Banks report progress in improving forecasting systems and methods

The past 18 months have demonstrated in a compelling way

an industry need for more robust risk forecasting. Banks
55%
need more sophisticated predictive tools that will enable Most have some organization-wide
management to assess the implications of market events forecasting processes in place
on and across categories of risk. The industry has clearly
learned this lesson, and many respondents reported increased
investments in upgrading and reinforcing forecasting models, 27%
systems and processes. More than half of this year’s survey
participants (55%) indicated that they have some forecasting
capabilities within their companies (See Exhibit 13). However, 18%
only 27% characterized their banks as having formal,
enterprise-wide forecasting processes in place. Most agreed
that to become a truly effective management tool, forecasting
must be integrated and standardized across asset classes and
business lines to provide a holistic view of potential risks and Some Limited Have formal
their impact on the entire organization. processes processes organization-
in place wide processes

Exhibit 13: Status of forecasting

71% Three-quarters have changed The majority have made

74%
the use of forecasting models to changes to stress testing
rely less on historical data and and scenario planning
assumptions

Exhibit 14: Changed use of forecasting models Exhibit 15: Changed use of stress testing and scenario planning

38
Respondents reported some critical changes to their forecasting
processes. More than 70% have adjusted their models to
rely less on historical data and assumptions (See Exhibit 14).
Seventy-four percent have incorporated forward-looking
scenario planning and stress testing that consider outcomes
with extremely low probability but potentially high impact on the
company’s own set of exposures and assumptions (See Exhibit
15). But executives cautioned that forecasting models can get
out of hand, becoming overly complex and too difficult for senior
management to understand and use effectively as decision-
making tools. Many emphasized that analysis must always be
paired with seasoned business judgment, cautioning that “you
need to be very careful not to fall in love with your models.”
“I think you need both good models and good
judgment, but you need to be very careful
not to fall in love with your models.”
Activities underway
Risk forecasting
Respondents reported a wide range of
activities to improve and upgrade risk
forecasting:
• Establishing uniform modeling
standards across the bank
• Varying stress-testing methodologies
appropriate to the bank’s risk appetite,
level of sophistication and current and
planned operations
• Integrating scenarios in order to cover
more than one type of risk
• Ensuring analytical metrics are broad
and aligned with how risk is managed
• Extending time horizons of scenarios
and forecasts
• Complementing weaknesses of VaR by
using a wider variety of methods
• Using more worst-case scenarios
• Ensuring data used in models are
consistently reliable and appropriate
for models used
• Ensuring more accountability around
forecasting of loss levels and capital
utilization
• Using historical data but placing more
emphasis on the last 6-12 month
period, which is more reflective of
current customer behavior
• Instituting more business line-specific,
bottom-up stress testing around
discrete portfolios of risk, particularly
those with tail risks attached
39
Streamlining technology to support efficiencies
The long march toward improved technology continues
Leveraging technology to support risk management more
effectively remains a work in progress for most banks. As
one executive told us, “You’ll never stop working on it.” More
than three-quarters (78%) of respondents reported that they
are mid-way through the arduous process of mobilizing their
systems to support risk governance — a definite improvement
over last year’s survey results in which only 47% of participants
reported progress on the technology front (See Exhibit 16).
While executives seem to have a clear vision of how
technology can be deployed to better support risk
management, they reported ongoing challenges in
implementing effective technology platforms. The most
vexing of those challenges is data management. Companies
are actively defining the types of data required to produce
useful reports and working to integrate disparate databases
78%
All are working
to upgrade
technology
16%
6%
In early Midway Nearly
stages complete
Exhibit 16: Streamlining technology to support risk management
40
to enable ready access to a consistent data set across the
company. Many organizations are still in the process of
developing a common platform and centralizing the technology
function as they deal with fragmented and complex systems,
a challenge for the many companies that have grown
by acquisition.
There is strong agreement that streamlining systems is crucial
to improving banks’ risk management capabilities. As a result,
technology remains a major area of investment. Given the high
costs involved, companies are approaching the IT challenge
from several perspectives. Some have developed prototypes
and are in the testing stage, others are organizing IT projects
around specific systems or addressing system issues at the
business-unit level, and a small number have committed to
major system overhauls, such as rebuilding the global market
risk infrastructure.
“We’ve spent a lot of money
over a period of some years in
order to be Basel-compliant.
You’ll never stop working on it.”
Costs and
budgeting

41
Banks are anticipating heavy investment in risk management
With sweeping regulatory changes in the works, executives expect the cost of
managing risk to continue to rise

As the markets stabilize, executives are bracing for steep cost
increases as they boost the time and systems dedicated to
dealing with the aftermath of the crisis and the new regulatory
frontier. Executives across all geographies are in agreement:
risk management costs will continue to escalate over the next
18 months and beyond, with some predicting “exponential”
increases (See Exhibit 17).
Multiple layers of complex regulations have increased
documentation and reporting requirements and brought more
frequent, deeper-dive examinations into operational areas of
the organization. To support these more frequent and complex
inquiries, companies are deploying additional teams of people
and increasing investments in information management systems
and technology aimed at streamlining data gathering and
management across the organization.
The cost of working out troubled portfolios continues to rise
at some banks as they deploy work-out terms to clean up
distressed assets and debts on the balance sheet. Efforts to
hire competitors’ talent has intensified, especially when trying
to recruit people specialized in workouts, compliance, modeling
and risk forecasting — significantly driving up the people cost for
the foreseeable future.
Longer term, a few optimistic executives expect costs will level
off as portfolios stabilize and investments in systems pay off in
greater efficiencies and higher productivity. However, even the
most optimistic do not expect to see any cost stabilization before
mid-2011.
“I have a team of risk managers and have
requested a fairly significant increase in staff.
I think I will get what I requested, and I’m the
envy of my colleagues.”

84%
Increase 83%
90%
8% Across all regions, executives
Decrease 0% expect costs to increase
0%

8%
Stay 17%
the same
10%
Americas Asia-Pacific EMEIA

Exhibit 17: Costs by region

42
Estimating the cost of risk is complex
Centralized costs of risk management are well known but enterprise-wide costs
are more difficult to quantify

Seventy percent of respondents indicated they were able
to estimate total annual expenditures for risk-and-control
management across their organizations (See Exhibit 18). This is
a significant improvement over the results of the Ernst & Young
survey two years ago in which slightly fewer than half (47%) of
those responding claimed they were accurately able to gauge
total costs over a 12-month period.
Some banks are embarking on studies to assess risk productivity
to gain a more sophisticated view of investments in risk across
the enterprise and to benchmark these costs against other
comparative banks. However, the wide variety of definitions of
risk and allocations of resources to risk across the industry make
this a challenging endeavor.

70%
However, respondents agreed that while they could estimate
the cost of the central risk organization, it is challenging to truly
understand the total enterprise-wide cost of risk management.
When “risk is everybody’s business” it is virtually impossible to
estimate accurately the amount of time people at the business-
unit level spend on managing risk. As one executive put it, “To be
The majority can
honest, if we do our jobs correctly, we’re just putting the policies
and the programs in place. It’s that front-line person who, when estimate the cost of
she sees a suspicious transaction come through on a client she’s risk management
known forever, raises her hand. That’s risk management, but we
don’t capture those costs.”

Exhibit 18: Ability to estimate cost

“We started to look at the total cost of risk

management and control about four years
ago. It has taken us about two years to get
a handle on it.”

43
 Final
thoughts
Moving forward with a new respect for risk management
The financial crisis exposed inherent weaknesses in the risk management system: siloed infrastructures, disparate
systems and processes, fragmented decision-making, inadequate forecasting, and a dearth of cohesive reporting,
among others. The extraordinarily negative impact of these flaws on many institutions shocked the industry, and as
a result, there has been a seismic shift in attitude toward risk.
As they move beyond the crisis, reflect on its causes and results and adapt to the drastically changed and still-fluid
market and regulatory environment, banks are revitalizing strategies to reflect the enhanced focus on risk. While
each bank included in our survey is crafting a unique strategy based on its own culture, business focus and growth
goals, common themes are emerging among boards and senior executives.
Most importantly, there is a unanimous commitment to ensuring that a healthy approach to risk underlies both
short-term and long-term strategic planning. Boards and senior management are challenging themselves to
clearly define their risk appetite and drive its implementation throughout the business. As they do so, they are
aggressively reviewing and realigning the risk-related responsibility and accountability of every function in the
bank and significantly expanding the influence of the CRO and risk group along the way. Many banks are making
tremendous investments in time and technology to strengthen the processes and tools to manage risk effectively.

44
From forecasting to reporting to analysis, banks are recalibrating procedures and practices with an eye to providing
management with realistic, actionable and timely information.
There are many lessons to be learned from the crisis. Respondents agreed that the changes required to
institutionalize a strong risk culture are fundamental and far-reaching: risk must become everyone’s business
throughout the organization — from the front line to the functions. Responsibility and accountability for risk are
intertwined as never before. All stakeholders, from board members to business unit heads, must be more actively
committed to identifying and mitigating risks.
The question on many minds is whether these lessons will stick. As one executive said, “The real question is can
we embed this new risk management culture and processes into the organization so that they can outlast this
generation? Or will it all go wrong again the next time around?” No one knows for sure, but all are hopeful. As this
report goes to press, final regulatory guidelines are still being drawn. The market is calmer, but still volatile and the
full impact of the economic crisis is yet to be absorbed. Banks are definitely back to business — recovering, adapting
and advancing in search of the right strategic model in today’s uncertain world.

45
Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance,
tax, transaction and advisory services.
Worldwide,our 144,000 people are united
by our shared values and an unwavering
commitment to quality. We make a difference
by helping our people,our clients and our wider
communities achieve their potential.

Ernst & Young refers to the global organization

of member firms of Ernst & Young Global
Limited, each of which is a separate legal entity.
Ernst & Young Global Limited, a UK company
limited by guarantee, does not provide services
to clients. For more information about our
organization, please visit www.ey.com.

The Global Banking & Capital Markets Center

Managing risk effectively while satisfying
an array of divergent stakeholders is a key
goal of banks and securities firms. The Global
Banking & Capital Markets Center brings
together a worldwide team of professionals
to help our clients achieve their potential — a
team with deep technical experience in
providing assurance, tax, transaction and
advisory services.

© 2010 EYGM Limited.

All Rights Reserved.

EYG no. EK0044

Ernst & Young is committed to minimizing its

impact on the environment. This document has
been printed using recycled paper and
vegetable-based ink.

This publication contains information in summary form and is

therefore intended for general guidance only. It is not intended
to be a substitute for detailed research or the exercise of
professional judgment. Neither EYGM Limited nor any other
member of the global Ernst & Young organization can accept
any responsibility for loss occasioned to any person acting
or refraining from action as a result of any material in this
publication. On any specific matter, reference should be made to
the appropriate advisor.