Sie sind auf Seite 1von 48

Recover, adapt, advance

Back to business in an uncertain world

A survey of the world’s largest banks
1 Executive summary

4 Top challenges

16 Rethinking risk strategies

24 Risk appetite: the Ernst & Young perspective

28 Realigning roles, responsibilities and rewards

34 Recalibrating risk processes

41 Costs and budgeting

44 Final thoughts
Executive summary
The title of our 2010 annual survey on risk governance, Recover, adapt, advance: back
to business in an uncertain world, aptly reflects the current mindset of this year’s
survey participants.
The good news is that most of the executives we spoke with believe that recovery is
underway. No one, however, is optimistic that this recovery will be quick or easy. In fact,
many are bracing for another dip in the form of commercial real estate defaults and
anticipating that another wave of bank closures may follow. Executives, particulary in the
West, are picking up the pieces and are working diligently to clean up the distressed assets
and debt on their balance sheets. As one respondent told us, “It’s been an exhausting and
debilitating 12 months.”
But all agree the challenges are far from over. While the worst of the downturn seems to
be behind us, the global markets are far from stable. Although the economy is showing
signs of recovery in most parts of the world, unemployment remains stubbornly high.
Worldwide, consumer trust and confidence in governments in general and in the financial
industry in particular are at an all-time low. Politicians and regulators are rallying to
tighten controls significantly, and executives are preparing for an onslaught of new
restrictions that have the potential to affect some very fundamental aspects of the way
they run their firms.
Recovering and adapting would seem to be more than a full-time job for senior management;
however, as one executive told us, “Uncertainty aside, we still have a business to run.”
Around the globe, banks reported that they are buckling down and getting back to the
day-to-day tasks. Most have adopted a back-to-basics philosophy — exiting products and
markets that overextended their capabilities and diluted capital, and returning to their core
businesses. Not surprisingly, attitudes in general are cautious and risk averse.
As the dust settles, boards and senior management are taking the time to reflect
strategically on the big picture — clarifying growth objectives, basic business models, and
organizational philosophy and culture. They are extremely cognizant of the glaring lessons
of the crisis: the vital importance of managing for liquidity; the need to strengthen and
institutionalize an appropriate risk culture; and the imperative to always be prepared for
the unexpected. As a result, many have enhanced capital planning and tightened controls,
policies and procedures; elevated and strengthened risk governance; and upgraded
forecasting, reporting and assessment capabilities.
Many executives are hopeful that the lessons of the downturn will drive positive and
lasting change in the industry. As one respondent told us, “I think memories will be a
little longer this time than perhaps they were in the past.” Despite the preponderance of
issues still facing the industry, we came away with a growing feeling of hope about the
possibilities ahead.

Key observations
Preparing for the new regulatory realities. In response to the pending regulatory
requirements, particularly the potential restrictions on capital, banks are underway with a
variety of initiatives — raising capital and liquidity levels, assessing the impact of proposed
regulations on business strategies, and addressing risk management weaknesses exposed by
increased supervisory expectations — to prepare for the anticipated changes.
Rethinking risk strategies. Respondents unanimously agreed that risk governance
must remain a top priority on senior management agendas. In an effort to build a more
comprehensive, consistent and collaborative approach to risk, boards and senior teams are
starting at the top by defining, articulating and enforcing an organizational risk appetite and
working to cascade it throughout the business.
Realigning roles, responsibilities and rewards. Survey respondents consistently expressed
the view that companies underestimated the vital importance of the human factor in
managing risk. To institute and reinforce a strong risk culture, risk must become everyone’s
business, from boards to front-line decision-makers. As a result, banks are redefining roles
and responsibilities for risk management throughout the enterprise — strengthening board
oversight duties and significantly elevating the CRO’s stature and organizational influence.

This is the third in a series of proprietary surveys on evolving risk management at global
banking and capital markets institutions conducted by Ernst & Young since 2007. The
goal is to identify key challenges organizations are facing around risk management
and control, and to assess the state of risk management in a turbulent environment.
Ernst & Young again commissioned Broderick & Company, an independent market
strategy firm, to conduct in-depth, qualitatively rich interviews with senior executives
in global banking and capital markets institutions. From October 2009 through
January 2010, Broderick interviewed 39 senior executives from 30 major banking
institutions around the world. The interviewees included a mix of senior executives in
each organization. Among them were: chief financial officers and chief risk officers, as
well as heads of functional divisions such as operational risk, market risk, credit risk,
internal audit and compliance.

Recalibrating risk procedures. Across the banking industry, “I think any financial
initiatives are underway to achieve a more holistic, integrated
approach to identifying high-impact risks and factoring them into institution that says
decision-making. Better, faster and more transparent reporting they haven’t had lessons
and more sophisticated, forward-looking forecasting capabilities
are viewed by respondents as two critical success factors in learned is not being
enterprise-wide risk management. honest. I hope to never
Streamlining technology. Leveraging technology to more see anything like this
effectively support risk management remains a work in progress
for most banks. While executives seem to have a clear vision again in my career. It’s
for how technology can be deployed to better support risk not over. We’re still on
management, they reported ongoing challenges in implementing
effective technology platforms. As a result, technology remains a the carousel.”
major area of investment.
Coping with rising costs. More than 80% of respondents across
regions are bracing for significant increases in costs. Heightened
regulatory requirements and workout expenses in the aftermath
of the meltdown are predicted to drive costs up for at least the
next 12 to 24 months.

Participating North America Europe Asia-Pacific

institutions American Express Banco Santander ANZ
Bank of America Barclays Bank of China
CIBC Credit Suisse Bank of Tokyo-Mitsubishi UFJ
Citigroup HSBC ICBC
Fannie Mae Intesa Sanpaolo Macquarie Group
Goldman Sachs ING National Australia Bank
Northern Trust Lloyds Banking Group Sumitomo Trust & Banking Co. Ltd.
PNC Nordea Westpac
State Street Bank SEB
TD Bank Société Générale
VTB Bank


Five challenges dominate
senior management agendas
Executives are grappling with regulatory and economic uncertainty

When respondents were asked to identify the top two risk management and control challenges
facing their organizations, five themes quickly surfaced and reverberated throughout our
discussions. Taken together, they form an image of an industry striving to regain its footing in
a still-fluid economic and regulatory landscape.
The overwhelming top-of-mind issue — cited by 72% of respondents — is regulatory uncertainty.
New regulations are expected to impose restrictions on capital, liquidity, risk management and
compensation practices, but how strict they will be and how soon they will take effect remains to be
seen. Anticipating and addressing the potential impact of these new rulings on their organizations is
a time-consuming and often frustrating task for company leaders.
Still focused on the regulatory theme, more than 40% of respondents are grappling with the
business implications of the pending new requirements for capital and liquidity levels, placing it
second on the list of top concerns. More than one-third (38%) of survey interviewees say they are
working hard to upgrade their risk governance policies and procedures with the goal of instilling
a risk awareness culture throughout their organizations. Worries that the economy will stagnate,
or worse, dip back into recession, were cited by 36% as a continuing challenge. And finally, in the
aftermath of the crisis, 28% of the executives surveyed are dealing with the tough task of removing
distressed assets and debt from their balance sheets (See Exhibit 1).

Dealing with regulatory uncertainty

Anticipating new capital requirements
Dealing with regulatory
41% uncertainty is the
Shifting the risk culture top concern
Navigating the fluid economy

Repairing the balance sheets

Exhibit 1: Top challenges facing senior management

Challenge 1
Dealing with regulatory uncertainty

Anticipating new capital requirements

Evolving the risk culture

Navigating the fluid economy

Repairing the balance sheet

28% “Many different regulatory

changes are being floated
around. But when they’re going
to be brought in, and whether
they’re going to be brought in
on a uniform, global basis is
difficult to assess.”

Multiple regulatory proposals complicate planning as banks
anticipate systemic reform

72% The rapidly changing regulatory landscape was cited by the majority of respondents as the
top challenge their organizations face around risk management and control. As regulators
and legislators around the world tighten regulatory oversight in response to the financial
crisis, banks are preparing for what one executive called “draconian” regulations that have
the potential to affect some very fundamental aspects of the way they run their business.
Financial institutions are, of course, accustomed to dealing with a host of regulations
across all of the jurisdictions in which they operate, but the heightened political scrutiny
and the rush to respond in the wake of the financial crisis are creating a complex and
sometimes contradictory web of proposals from regulators around the world. Banks are
struggling to navigate through the multiple pieces of legislation from multiple regulators
to determine the impact on their global operations. As one executive summed it up, “You
have the G20 coming up with things; you have the Europeans coming up with things;
you have the British coming up with things; and all not necessarily coordinated and not
necessarily all saying the same thing. It’s exceedingly difficult.”
Plotting a course through this landscape is extremely challenging and intensely time
consuming for internal teams. Banks are diverting a huge amount of senior time to
meet and work with regulators, redeploying teams of people to deal with the growing
documentation requirements and investing in new systems and processes to stay a step
ahead of anticipated changes.

Challenge 2
Dealing with regulatory uncertainty

Anticipating new capital requirements

Evolving the risk culture

Navigating the fluid economy

Repairing the balance sheet

28% “If you change the amount of

capital and liquidity required,
there will be big consequences
as to what is an appropriate
and viable business model.
The cost of funding and the cost
of capital mean that there are
certain types of lending and
other activities we probably
won’t do.”

Stricter regulatory proposals are driving banks to reallocate
capital, rebalance portfolios and rethink market strategies

72% Of the array of regulatory changes under consideration, the expected increase in
capital and liquidity requirements represents the most formidable challenge to many
institutions. While many respondents claim they have historically taken a conservative
approach to allocating capital, 50% did indicate that they are in the process of adjusting
their approaches to capital allocation across their business units (See Exhibit 2).
Many banks have raised their capital levels and ratios above the minimums in
anticipation of the new requirements. But the way it will all sort out from a regulatory
standpoint and the ultimate impact on the business decisions of boards and senior
management are still unclear. Some companies are striving to align economic capital
with regulatory capital models to make certain that regulatory requirements are
adequately captured or, as one respondent explained, “We are trying to switch our
organizational mindset from economic to regulatory capital.”
Even banks that are not changing their capital allocation process acknowledge they
are enhancing governance policies and procedures around capital management:
augmenting reporting requirements, particularly to the board and senior management;
strengthening their forecasting methodologies using scenario planning and stress
tests to evaluate impacts on capital positions; and formalizing and documenting capital
contingency plans.
Many institutions are seriously re-evaluating their portfolios — exiting more
capital-intensive, less-profitable lines of business and geographies, and shifting
out of more complex, less-liquid instruments into simpler, more-liquid products
with less risk and, of course, less return. Executives worry that the impact
of these decisions could potentially restrain lending and ultimately
slow economic growth and recovery.

Half have changed
their approach to
capital allocation

Exhibit 2: Changes in approach to capital allocation

Challenge 3
Dealing with regulatory uncertainty

Anticipating new capital requirements

Shifting the risk culture

Navigating the fluid economy

Repairing the balance sheet

28% “Working through the crisis,

we gained insights into
how to strengthen our risk
management and control. It
allowed us to shore up our
weaknesses and further develop
the risk management team.”

Banks are strengthening their risk culture and governance
processes with greater senior management involvement

72% and reinvigorated risk procedures

In the Ernst & Young 2009 study — conducted at the height of the crisis — senior
executives listed “shifting the risk culture” as their second most important initiative
to tackle once the short-term firefighting and damage assessment were over. One
year later, shifting the culture is still very much top of mind for senior executives.
The good news is that the aspiration is slowly becoming a reality. Banks have
undertaken a host of initiatives to institutionalize comprehensive, consistent and
collaborative approaches to risk. Effective risk governance has risen to the top
as a core business imperative, and organizations are mobilizing to identify and
address deficiencies. Boards and senior management are now fully engaged in
the risk process, determining and articulating the organizational risk appetite and
parameters; strengthening and clarifying governance policies and procedures; and
clearly establishing risk responsibilities and accountability across all levels of the
organization from board members to front-line managers. The power and influence
of the risk team have been significantly elevated, and in several institutions, the
CRO has a dual-reporting relationship — to both the CEO and the board — as well as a
strong voice in strategic decision-making.
The changes required to institutionalize a strong risk culture are fundamental and
far-reaching. For many banks, making risk “everyone’s business” represents a
significant shift in mindset, policies, systems and processes. As one executive told us,
“It is an enormous, multiyear march to accomplish.”

Challenge 4
Dealing with regulatory uncertainty

Anticipating new capital requirements

Evolving the risk culture

Navigating the fluid economy

Repairing the balance sheet

28% “If I add it all up, the uncertainty

in the environment and how you
manage for that strategically
and in the day-to-day are my
biggest concerns.”

Uncertainty about the economy poses a challenge to
long-term and short-term planning

72% While a few survey respondents used the terms “recovery” and claimed “the worst is
behind us,” the optimists were outweighed by the more cautious executives who remain
concerned about the depth of the recession and the pace of economic upturn. But,
regardless of their viewpoint, all agreed the uncertain market environment is making
business planning and decision-making — both short- and longer-term — extremely difficult.
There is no doubt that serious challenges are still ahead for the industry, and organizations
are bracing for what one executive called the triple threat: the economic, political and
regulatory aftershocks of the crisis.

Challenge 5
Dealing with regulatory uncertainty

Anticipating new capital requirements

Evolving the risk culture

Navigating the fluid economy

Repairing the balance sheets

28% “The other thing is that a lot of

assets are still sitting on the
bank’s balance sheets. Bad
debts tend to lag the economic
position, so things start looking
a lot better, but bad debts keep
coming through.”

Many banks are still dealing with fallout from the crisis
Senior banking executives continue to be occupied with the cleanup of the distressed

assets and debt on their balance sheets. In particular, many are keeping a vigilant eye
on their levels of commercial real estate loan defaults in areas where market conditions
continue to weaken.
Some banks reported progress in selling troubled assets, but acknowledge that most
potential purchasers of debt are still waiting on the sidelines to see if the market will
decline further and reduce prices, especially in the commercial real estate sector. Several
banks have deployed teams of qualified workout specialists to keep up with and manage
the portfolio deterioration.

risk strategies
Banks are rethinking their strategic approach to risk
Executives are adjusting approaches to defining, identifying and prioritizing risk
Many executives believe that the industry’s heightened focus on risk governance is one of the most positive
outcomes of the crisis. It has forced senior management to fundamentally rethink their strategic approach to risk,
an exercise survey participants believe is pivotal to preventing another disaster.
The evolution in strategy starts at the top, with a clear definition of the organization’s risk appetite and parameters
for doing business. A well-defined risk appetite is the cornerstone of an effective risk governance framework that
links the organizational strategy and objectives to day-to-day business decisions and operations.
To ensure their position remains within acceptable risk limits, banks are reviewing internal control systems,
evaluating risk portfolios and significantly upgrading emerging risk identification policies to spot and address
problems more systematically before they escalate.
Navigating across the many categories of risk confronting an organization is challenging in today’s dynamic
environment. Senior executives are expanding their strategic management of risks beyond the traditional focus on
credit and market to include such emerging risk types as operational, liquidity and reputational. And, as the industry
has learned, problems in one area of the bank can reverberate throughout the institution. As a result, executives
are working to better understand the correlations and the interrelationships across risk classes.

Reassessing and integrating risk appetite
Boards and senior management are clearly defining risk tolerance and limits

Most respondents acknowledged that their company needs

to do a better job defining, articulating and instilling their Most have clearly
organizational risk appetite into the company. Challenged
by both regulatory bodies and boards of directors, senior
defined statements of 60%
executives have elevated risk appetite to a top priority on their risk appetite
very busy agendas.
While 60% of respondents gave themselves relatively high
marks for having a clearly articulated risk appetite, most
agreed that defining the risk position and embedding it 36%
throughout the organization are two distinct activities
(See Exhibit 3). The process is complicated by the absence of a
risk-appetite statement that applies to all business lines.
The level of acceptable risk must be assessed and determined
for each risk type and line of business. Disparate business
goals, weak communication and spotty enforcement can cause
a disconnect between the risk parameters set at the board and
senior management level and the day-to-day management of
the business. Cascading the risk appetite down to the business
Not clearly Under Clearly
unit and desk level is critical to putting risk appetite into effect defined way defined
throughout the organization.
Exhibit 3: Statements of risk appetite
As we have noted, shifting the risk culture is not an easy task
and several interviewees describe multiyear, highly collaborative
and iterative processes to integrate disparate risk tolerances and
create a unified company-wide position.

“We always had a squishy risk appetite

philosophy that everyone interpreted
differently. Now we are codifying and
formalizing it.”

Strengthening risk-identification processes
Banks are looking at risk holistically and assuming a more
vigilant stance on risk-identification policies and procedures

In the aftermath of the crisis, banks moved quickly to take control

of their risk agendas with the immediate goal of identifying and
mitigating vulnerabilities and reducing high-risk behavior and problem Activities underway
areas. The control-tightening initiatives have led many institutions
to incorporate more rigorous processes for evaluating their risk Identifying
portfolios and introduce more stringent controls to ensure that the emerging risks
bank’s position is solidly within the accepted parameters of risk.
Respondents reported a wide range of
Survey participants indicated that they have greatly strengthened their
activities to identify emerging risks more
early warning procedures to spot emerging risks and deal with them
quickly before they escalate into major issues. Banks reported a host of
rigorous policy and procedure improvements in this area including: daily • C
 onducting more frequent and more
real-time monitoring of risks; stricter portfolio risk-grading systems; formal risk discussions
and tighter screening of on-boarding procedures for new clients.
• I nstituting emerging-risk identification
Several institutions have formed new cross-functional risk identification
committees composed of managers from finance, risk, technology,
compliance, treasury, accounting and the business units. These come • S
 trengthening stress testing, using
together regularly to share their respective insights on emerging risks more forward-looking scenarios
that could potentially have a negative impact on the company.
• Adopting more rigorous screening and
The industry has learned the painful lesson that problems in one area on-boarding procedures for new clients
of the bank can reverberate throughout the institution, creating and
• Utilizing advanced information
exacerbating problems in totally unrelated businesses. As a result,
technology to conduct real-time
executives said they are doing a better job of understanding the
monitoring of risks of subsidiaries
correlations of different risks — conducting more integrated forecasting
and branches
scenarios that look beyond the traditional silos to assess emerging
issues more systematically and holistically. Finally, many companies • U
 pgrading portfolio risk grading systems
have upgraded their product-approval policies and procedures,
• I ssuing early warning indicator reports
increasing the involvement of the risk group in developing, approving
and monitoring products throughout their life cycle. Some now require • R
 einforcing product-approval policies
the risk organization to sign off both at the initiation of a new product and procedures
and on an annual basis to ensure the product is still acceptable on a
risk/return basis and from a reputational standpoint. As one executive
sums it up, “Early identification of risks has become the holy grail in
our organization.”

“I’ve got a weekly escalation that flags any new

risks in the business. You’ve got to have your
eyes and ears open 100% of the time.”

Shifting focus on risk classes
New areas of risk are surfacing on senior management agendas

As the focus on risk intensifies, companies are enhancing their Credit risk: the top of the agenda
management of key risks. This is true not only for traditional
At the end of our interviews in January 2010, the economy,
risks classes, such as credit and market risk, but also for
particulary in the US and Europe, was still in flux. High
emerging areas, such as operational, liquidity and reputational
unemployment and low consumer confidence persisted, and the
risk, which have become more important. As one executive
credit markets remained contracted. While cautiously optimistic
told us, “It’s not that we weren’t cognizant and careful of these
that things were stabilizing, respondents expressed concern
risks before; it’s that the consequences of getting them wrong
that the turnaround would be sluggish or the economy might dip
today are much more severe.” When asked to prioritize the types
again into recession. As a consequence, credit risk was top of
of risk that are currently receiving the most attention in their
mind for most interviewees (See Exhibit 4).
businesses, executives placed credit (67%), operational (44%),
liquidity (38%), market (33%) and reputational (26%) risks at the
top of their lists.

Credit Credit risk is at

67% the top of senior
management agendas
Liquidity 44%
Exhibit 4: Risks at top of senior management agendas

Executives agreed that making sound credit approval and Operational risk: assessing the nuts and bolts
pricing decisions is even more critical than ever in today’s
Attention to operational risk is on the rise, especially in the
environment, and many are initiating a variety of activities to
Americas. Almost half of the executives interviewed voted it a
manage exposures and mitigate risk. More specifically, banks
top priority, making it management’s second greatest concern.
are conducting stringent independent credit analysis both
Financial institutions have, of course, managed operational risks
for borrowers and for credit providers and guarantors. They
for years and understand the need to maintain tight controls
are deploying special workout teams that will manage loan
and low error rates. However, the heightened scrutiny from
portfolios more rigorously to resolve remnant structural
both regulatory bodies and governments, the new operational
credit positions and monitor deterioration in credit quality,
risk management framework and measurements required
charge-offs and related delinquencies. And they are
under Basel II, and the sheer difficulty of navigating today’s
strengthening their credit risk management function and
environment have all intensified the focus on operations.
team. The impact of tail risks, especially for structured credit
products, emerged as a particular area of concern, and many Banks are examining the nuts and bolts of the business —
said they were upgrading their forecasting capabilities to evaluating, defining and quantifying the people, systems and
assess risk in stressed market conditions. process risks embedded throughout the enterprise. Initiatives
include: standardizing documentation of processes and controls;
improving data gathering, quality and timeliness; developing
methodologies and metrics to quantify risks; and conducting
scenario analysis by risk type. Several companies have created
a new management position focused exclusively on operational
risk oversight, and many are developing risk awareness and
training programs for all units and functions.

“Operational risk is the ‘cause du jour’

with regulators.”

Most banks have made Liquidity risk: the biggest lesson learned
changes to their approach In Ernst & Young’s 2009 survey, 88% of respondents viewed
to managing and liquidity — more specifically the loss of liquidity — as the single
largest lesson learned from the disastrous ripple effect of the
controlling liquidity risk downturn across global markets.
In this year’s study, there was still widespread agreement that
Exhibit 5: Approach to managing and controlling liquidity risk the industry underestimated the difficulties of measuring and
forecasting liquidity, and all concurred that liquidity must be
factored more fully into risk management. The good news
is that the liquidity lesson appears to have been taken to
heart — 84% of banks interviewed indicated that they have

changed their approach to managing and controlling liquidity
risk (See Exhibit 5). Changes ranged from very fundamental
shifts out of businesses and products to tactical internal
adjustments to liquidity management practices.
Seventy percent of banks have adjusted their viewpoints on
More than two-thirds have liquidity buffers, and many have significantly increased their
cash reserves to comply with, and in some cases exceed,
adjusted their viewpoint on
regulatory requirements (See Exhibit 6). Many have made
liquidity buffers changes to the structure and composition of the risk group,
recruiting more senior people and strengthening their authority
and clout. New liquidity risk committees, comprising very senior
executives and, often including the chairman, meet weekly in
Exhibit 6: Point of view on adequate liquidity buffer
some institutions to track and monitor liquidity positions. Basic
risk governance policies and procedures have been reviewed
and strengthened, common terminology established, data
quality and collection upgraded and reports improved. Liquidity

stress testing has become an important part of forecasting,
providing valuable input into the capital and strategic planning
process. Over two-thirds of executives reported adjustments to
testing — extending the time horizons and including more “worst
of the worst” case scenarios (See Exhibit 7).

More than two-thirds have

changed their approach to
liquidity stress testing

Exhibit 7: Approach to liquidity stress testing

Market risk: calming down Reputational risk: an erosion of trust
Market risk has been taken off the front burner of senior Not surprisingly, effective management of reputational risk
management risk agendas. The extreme volatility in the market has become increasingly important, and respondents are
is calming down and respondents are breathing a collective sigh brutally aware of the erosion of trust and confidence in the
of relief. But the contagion impact — the extent of the crisis and industry. Stakeholders, including shareholders, counterparties,
speed with which it swept through the industry — is very much customers, current employees and potential recruits, gauge
on everyone’s minds. Banks are working to hone their tools and their interactions with the company based on their individual
processes to better predict their firm’s sensitivity to shocks perceptions of the company’s soundness, reliability and
and volatility in the market. They are supplementing traditional performance — an important factor in maintaining a strong
VaR measures with stress testing and scenario analysis — some institutional brand.
investment banks are even conducting daily and weekly tests Many executives discussed the intensity of the political,
on their trading books. They are also closely monitoring the public and media scrutiny, and its extremely negative impact
size, concentration and liquidity of positions, and applying good on everyone in the industry — including the people and
business judgment to the results of the quantitative models. organizations that managed prudently. One executive noted
Several executives reported that they are focusing on the sadly, “You don’t go to a dinner party and tell people you work in
correlation between market risk and credit risk and are merging a bank anymore.”
the two functions under the control of one senior executive.

“Market risk doesn’t kill institutions. It’s

generally either credit risk or liquidity risk
that brings you down.”

Ernst & Young perspective

Risk appetite
Setting the rules of the road
As regulators and bankers step back and the firm’s vision and strategy and sets including active monitoring of the level of
ponder what went wrong — and how to the rules of the road for the entire risk exposure for the institution versus the
prevent it from happening again — risk organization, clarifying the board and parameters set in the risk appetite.
appetite has emerged as a critical senior management’s overarching views
CEO. Ultimately the CEO is responsible
foundation of the risk management on what constitutes acceptable risk at
for managing risk throughout the
process. While the expectation of having all levels within the business. A clear,
organization. The CEO, together with the
a board of directors approve risk appetite well-defined statement provides the
board, is responsible for creating the risk
has been around for some time, boards connection between the overall business
framework, and articulating and enforcing
and senior management, at the urging strategy and the risk governance of the
the appropriate risk appetite.
of regulators, are taking a fresh and far organization, and is the cornerstone of
more rigorous approach to defining and an effective risk framework. Far too often, CRO. The chief risk officer plays a central
institutionalizing a robust risk appetite. As the risk strategy doesn’t translate into the role in the risk appetite development
they move through the process, they are day-to-day management of the business. and monitoring process — driving the
discovering that risk appetite is a As one executive told us, “At our bank discussions between the board, business
powerful management tool that, when there is good top-of-the-house articulation. management and independent control
properly applied, creates a strong linkage It’s pushing it into the DNA of the business groups. The CRO is concerned with
between strategy, risk, business and that’s hard.” Creating a risk framework identifying disconnects between strategy
capital management. that is meaningful to management and operations. This role owns the
and translates to actionable limits and internal assessment of tolerances, limits
Risk appetite is the amount and type
escalation triggers at the business unit and indicators to support measurement
of risk a company is willing to tolerate
and desk level is a tough job. against the risk appetite, as well as
to achieve its strategic and business
the implementation plan development,
objectives. It is a reflection of the board
execution and management.
and senior management’s vision for how
the company fundamentally wants to do
Who is responsible for Business unit leaders. Business unit
business and how it wishes to be perceived risk appetite? leaders must communicate their business
by key stakeholders — customers, and competitive imperatives and related
Ownership of risk appetite starts at
shareholders, employees, regulators and inherent risks to achieving those objectives
the very top of the organization and
rating agencies. The amount and type of during the risk appetite development phase.
systematically cascades downward to the
risk an organization is willing to accept Once the risk appetite is formulated and
front-line business managers. The key
varies from bank to bank depending on communicated, they are accountable for
players in the risk appetite development
its management philosophy, growth goals, ensuring that limits, escalation triggers and
and implementation process include:
business focus and geographic reach. other provisions are aligned with the risk
Even within the company itself, there is Board of directors. The role of the appetite and meticulously observed in the
no one-size-fits-all measure of risk. Each board in risk management has evolved execution of strategy.
business unit and risk type will dictate significantly post-crisis, from pure
Independent risk management and
a different level and approach to risk. A oversight to active participation in defining
control groups. Control and oversight
bank’s appetite for credit risk in consumer risk appetite and approving the broad risk
groups must have sufficient knowledge of
lending, for example, is often very parameters for the enterprise.
the business activities of the organization
different from its appetite for market risk Risk committee. More and more banks and have the clout to force a review or
in its investment banking organization. are adding or strengthening the mandate escalation when risk parameters have
A bank’s statement of risk appetite should of board risk committees to focus and been breached.
be expressed in a way that complements enhance their risk oversight responsibilities,

Risk appetite governance responsibilities
Regulatory oversight

Board of

approves approves
strategy risk appetite

Risk measures and
profile appetite reports risk

Senior management Independent

and lines identifies and monitors
risk and
of business manages risk risk control group

Internal audit — test/evaluate effectiveness of risk governance framework

Defining risk appetite activities of the organization. In addition, and boards of directors. Organizational
other risk tolerances such as portfolio philosophy, culture and values set the tone
Defining the organizational risk appetite is concentrations (e.g., in a single sector, for risk tolerance levels and play a pivotal
both a qualitative and quantitative process geography, line of business or asset class), role in the decision-making process. And, as
that requires careful review of a host of credit quality (e.g., counterparty credit has been amply demonstrated, reputational
external and internal factors. rating, consumer credit score, delinquency damage can significantly impact a bank’s
Quantitatively, a bank’s risk appetite for rates) or market factor sensitivities philosophy on reputation and must be
earnings volatility, liquidity position and (e.g., investment portfolio VaR, percent considered in developing risk appetite.
capital position must be assessed and change in net interest income under stress
These additional considerations can be
calibrated to risk drivers and their related scenarios) can be utilized to express
expressed in a number of ways. In many
tolerances and risk limits. Management appetite for additional facets of risk.
instances, banks have used key indicators —
must determine the organization’s appetite Finally, the use of enterprise stress testing,
such as key performance indicators or key
for a decrease of more than a defined including “reverse” stress tests, is an
risk indicators — as a way to numerically
amount in earnings or capital. They must important tool in identifying and calibrating
express and measure some of the other,
also ask themselves: ”What is the level additional elements of the overall risk
more difficult to quantify drivers of risk
of tolerance for a reduction in available appetite of the firm.
appetite components like operational or
liquidity?“ and ”What is the universe of risk On the qualitative side, banks must regulatory risk. In addition, banks should
drivers for each of these scenarios, and consider reputational, strategic, culture also utilize purely qualitative risk appetitive
what level of tolerance should be assigned and stakeholder opinions. Stakeholder statements as a way to express the board’s
to each?” views will undoubtedly differ on the views on items such as approved products/
Economic capital can play an important desired safety margins, and it is important businesses and compliance with external
role in the quantification of and allocation to understand these various viewpoints rules and regulations. These elements,
of appetite for each of these risks, and in setting the appetite. Expectations of combined with the quantitative measures,
management must carefully consider how regulatory and rating agencies, for example, provide for a more robust risk appetite
much capital should be allocated to the must be balanced with the business goals framework, which touches on all major
various business objectives and strategic and objectives of investors, customers categories of risk.

Ernst & Young perspective

A practical approach to defining a risk appetite

consistency Update risk
Assess between risk monitoring and
Draft risk appetite statement completeness appetite and reporting to align
and assess current risk profile of risk appetite operating limits with risk appetite

Top-down Identify strategic Draft risk appetite

objectives statement Connect Confirm Confirm
risk appetite risk appetite risk monitoring
statement with statement and reporting and
Bottom-up Inventory risk Assess current risk risk profile calibrate operating process
measurement profile, exposures parameters
tools and limits

The risk appetite Draft risk appetite and assess current • Forward-looking view of risk. Provide
risk profile a forward-looking view of risk that
development framework
reflects the firm’s strategy, business
Top-down. Boards and senior management
Ernst & Young recommends a practical model, future market conditions and
must reflect on their understanding of
approach to creating and embedding an the inherent risks, sensitivities
the potential impact of the range and
organization-wide risk appetite statement and uncertainties.
severities of key risks on the bank and its
and process. This process integrates a
strategic objectives. Taking into account • Linkages. Understand the linkages
top-down view of the firm’s overall appetite
the inherent uncertainties with forecasting between strategy and risk, and capital
and capacity for risk in the context of its
of this nature, banks must define, through and funding. How would capital and
strategic, financial and capital objectives,
both quantitative and qualitative means, liquidity be impacted by certain risk
with a bottom-up view of the infrastructure,
how much risk the firm can or is willing to events and how the firm could respond?
controls and analytic tools used to support
accept. This understanding of key risks and • Risk capacity. Understand risk
risk management within the business. The
potential severities must be translated into capacity and which shocks — to revenue,
result is a draft risk appetite statement
a top-down statement of risk appetite. reputation, capital and funding — could
that is then assessed and rationalized
to establish consistency between the In order to do this, boards and senior potentially send a bank into a downward
risk appetite, and business unit and desk management must have a robust and spiral from which it could not recover by
level operating limits. Finally, the process forward-looking understanding of the most itself. What scenarios could cause this
updates the risk monitoring and reporting significant risks faced by the institution to happen?
to align with risk appetite. relative to the achievement of its strategic • Bottom-up. A current state, or bottom-
goals. Scenario analysis and stress up, analysis of the bank’s current ability
Done successfully, this integration
testing, including so-called reverse stress to monitor and measure risk relative
establishes a new framework through
tests, along with existing aggregated to appetite is an activity that banks
which the enterprise-wide risk appetite set
risk reporting, should play a key role. should undertake. This analysis should
by the board and senior management is
Boards should challenge whether current challenge the extent to which existing
cascaded down to the business in the form
executive risk reporting and engagement processes and systems provide the
of limits and thresholds. These limits and
with management succeeds in establishing ability to sustainably identify, measure,
thresholds can be measured and monitored
a key risk inventory that fully addresses the monitor and report against the identified
by qualitative and quantitative means, with
range and potential severities of the most risks and limits.
appropriate performance reporting fed
significant risks to which the firm may be
back up to senior management. The key
exposed. Management should put in place
building blocks to this approach, therefore,
processes the will support:
aim to establish a sustainable process and
information loop that links the top-down
and bottom-up views.

Sample scope options to get started:
• Pilot one risk
• Pilot one product or business unit
• Whole enterprise — first iteration

Assess completeness of risk appetite experts to first identify specific sub-risks The definition and articulation of risk
and risk drivers at the business unit level appetite drives both strategic and day-
Once the top-down and bottom-up
that are aligned to the top-down risk. to-day business decisions, defines roles
reviews are complete, they must be
The next step is to articulate meaningful and responsibilities around risk and has a
evaluated together in order to ensure
thresholds and limits aligned to the top- positive impact on organizational culture
the completeness of the risk appetite.
down statements of appetite. and behavior. When a bank’s risk appetite is
Often, key areas have been left out, or not
properly defined and clearly communicated,
considered with appropriate thoroughness.
Update risk monitoring and reporting it becomes a powerful management tool
In this stage, teams should ensure that
to align with risk appetite to clarify all dimensions of enterprise-wide
current risk profiles, exposures and
Operational processes and controls should risk and enhance overall business and
limits are thoroughly documented with a
be refined to align ongoing business unit financial performance.
consistent level of detail throughout and
risk appetite statements connected with risk management and reporting processes
risk profile. to the threshold and limit structure. The
process of establishing an effective risk
Establish consistency between appetite framework is iterative and must be
risk appetite and operating limits refined over time. The effort in developing
and aligning the bottom-up risk framework
The next step is to decompose these
to the top-down appetite statements is
organization-wide statements into more
significant and is likely to require several
specific appetite statements linked to
reporting cycles to fully establish.
key risk types within the inventory, e.g.,
wholesale and retail credit, counterparty The full cycle will take time to mature. The
credit, market, liquidity, operational, and risk information that flows up to boards
reputational. Within each category, and senior management may challenge
define specific appetite statements the perspective of risk at the bank’s
linked to the organizational statements. highest levels with respect to risk types
These may rely on specific, quantifiable and severities that the institution can, and
limits and thresholds or broader should, accept. Additionally, the thresholds
qualitative statements. set at the various levels of the organization
will be refined over time as the quality
These specific statements should be further
of supporting information and analysis
developed and cascaded down to the
improves. Most significantly, the bank’s
operational level in the firm. This process
understanding of its appetite and capacity
will be iterative and should increasingly
for risk will change over time as the risk
draw on business unit managers and risk
appetite framework matures.

Realigning roles,
and rewards
Banks are clarifying
risk governance responsibilities
Senior management is reassessing and redefining
expectations for risk management
Making risk management a company-wide concern and changing deeply engrained
attitudes toward risk require significant attention to the people factor in the risk equation.
Building a strong talent base with deep risk expertise and competing successfully to recruit
and retain this expertise continue to be critical challenges industry-wide. It is evident from
respondent interviews that many banking professionals believe the crisis can be traced, in
large measure, to the lack of a strong corps of seasoned risk executives throughout the
industry with the appropriate stature and clout to anticipate and act on risk issues.
There was strong agreement that effectively managing risk across the enterprise requires
both top-down oversight and bottom-up involvement. Accordingly, many banks have
conducted reassessments of the roles and responsibilities for all key internal
stakeholders — from board members to business unit heads and their teams — to
re-evaluate and clearly articulate expectations for risk management and mitigation.
Compensation, which few respondents believe played a pivotal role in the financial crisis,
is nonetheless a major issue to be addressed, and bank boards are working proactively to
do a better job of linking pay with risk performance.
Banks are taking a variety of actions to better align their compensation practices with
actual performance, rebalancing the proportion of fixed to variable compensation and
more tightly linking variable pay to performance over longer time horizons.

Recalibrating risk management roles and responsibilities
Boards strengthen oversight while CROs expand their influence

Well-defined and clearly articulated risk ownership roles are requesting that the CRO be given independent access to
and responsibilities are a critical component of effective risk board members, creating a more powerful system to perform
governance. Over the past 12 months, many banks have checks and balances of executive powers in the business lines.
stepped back to take an inventory of current limit structures, Unquestionably, boards are conducting deeper dives into matters
delegations of authority and existing policies and procedures. that in previous years did not reach their agendas — requiring
Many found gaps in processes and assignments throughout their more sophisticated, in-depth reports and analysis, and asking
organizations and confusion around risk oversight expectations. tougher questions about risk-related issues as they relate to
As a result, responsibilities have been clarified and positions strategic decisions.
strengthened for the key executives across the enterprise.
CEO: the buck stops here
Boards and risk committees: reinforcing responsibilities CEOs have clearly been in the hot seat during and since the
Most respondents shared the conviction that effective, high- crisis, and as everyone is aware, they are often the first to go
performing boards make an important difference to the when an organization comes under fire. Most respondents
performance of their organization. Accordingly, many are agree that the CEO is ultimately responsible for risk in their
focused on identifying the critical factors for building and organizations. It is the CEO who must ensure that the company
improving higher impact, more effective boards. Two-thirds as a whole gets it right when it comes to critical decisions on risk.
of survey participants indicated that their organizations have The CEO, together with the board, is responsible for creating the
made changes to the roles and responsibilities of the board (See risk framework and articulating and enforcing the risk appetite
Exhibit 8). Most reported that their boards are becoming more throughout the enterprise.
educated, asking more pointed questions and challenging more
assumptions. At the same time, they are now much more hands- Chief financial officers: aligned with risk
on and more fully engaged in risk policy setting and governance. Senior finance teams face new and complex challenges in
Setting strategic direction and defining the organizational risk today’s dynamic business environment. Respondents reported
appetite are now considered to be board responsibilities while that finance is changing the way it organizes and operates to
emerging issues such as capital allocation, new business risks help ensure that banks execute their global strategies effectively,
and compensation have risen in importance on the board’s manage risk appropriately, comply with regulations and —
agendas. Many of the companies we surveyed have separated bottom line — remain stable and solvent. CFOs are strengthening
risk from their audit committees and established a distinct risk the finance function’s alignment with risk management teams
committee to ensure independence and an adequate focus so that risk governance, finance and capital allocation decisions
on each of those critical areas. Several are no longer allowing reinforce each other rather than work at cross purposes.
board members to serve on both committees. More boards

“The board has taken a greater interest in

how we manage risk and a greater interest
in where the risk lies within the organization.
They’re educating themselves so when they’re
reformulating the strategy, they have a better
understanding of where we might go next.”

Chief risk officers: drivers of cultural transformation “I think there were days in the past where
With risk now playing a strategic role equivalent to that of risk people felt like they were being
growth and revenue, nearly half of the companies reported
they have changed the roles and responsibilities of their risk ignored. Now they really feel much
teams (See Exhibit 9). CROs are now seen as being on a par with more relevant.”
CFOs and have a say in important decisions impacting strategic
direction, risk appetite, product development and compensation.
As part of their new roles, CROs report spending more time with
boards and providing regular reports and intensive briefings to

help members understand and evaluate risk decisions. In some
instances, CROs report both to the CEO and to the board’s
risk committee.
Furthermore, the crisis and the move to Basel II have heightened
the need for the finance and risk teams to work closely together,
and CROs reported a much tighter alignment with CFOs and Two-thirds have made
finance organizations. Risk teams interact more frequently changes to the roles and
with internal human resource teams to develop remuneration
responsibilities of the board
policies and pay structures. Externally, they play a much
more prominent public role before regulators, analysts and
shareholder groups.
CROs are acutely aware of the increased importance of their Exhibit 8: Changes to the roles and responsibilities of the board
role in building and maintaining an effective risk governance
process and infrastructure. Philosophically, many see their role
as both influencing risk governance decisions and advising CEOs

on risk appetite and strategy. As one CRO described it, “We are
educators and drivers of cultural transformation to make risk
everyone’s responsibility.” Risk has become the busiest area
for recruiters as companies search for strong chief risk officer
talent that can truly go head-to-head with business executives.

Business unit leaders: committed to risk culture Nearly half of respondents

The senior line leaders and their teams are taking a more active have made changes to roles
role in risk management as well. Many have reinvigorated and and responsibilities of the
restructured executive risk committees at the business unit or CRO and risk team
group level to focus more strategically on risk identification
and mitigation.
Exhibit 9: Changes to the roles and responsibilities of the
CRO and risk team

Linking compensation to risk performance
Public, political and regulatory pressures have elevated compensation on the
senior management agenda

The focus of intense regulatory scrutiny and considerable public Banks are also taking a variety of actions to better align their
ire, executive compensation was described by one executive compensation practices with actual performance. Many are
as “the elephant in the room on every matter.” Another CRO rebalancing the proportion of fixed to variable compensation —
reported speaking to a “record number” of regulators on this “putting a little more on the front end rather the back” — and
topic during the week of our interview with him. Our survey are more tightly linking variable pay to performance over
participants were of course aware of the firestorm surrounding longer time horizons. Some are adding risk-based measures to
compensation and assured us that they were not sitting on the scorecards to counterbalance excessive risk-taking. Others are
sidelines waiting for the political and regulatory debate to unfold. determining compensation at the group level rather than the
Many are taking a proactive approach to assessing and, when individual business unit level, to create greater distance between
necessary, adapting compensation practices to ensure that the risk-takers and those who determine their compensation.
their pay structure does not incent the taking of excessive risks. Several are deferring payout for a significant part of executives’
Seventy-three percent of executives reported that they have bonuses or performance-related income, sometimes for as many
made, and will continue to make, changes to their compensation as five years, and a growing number are including clawback
policies to better align pay structure with risk control tolerances provisions in deferred compensation. While clawbacks in the past
and firm culture (See Exhibit 10). were typically limited to cases of fraud or criminal acts, firms are
developing standards under which a clawback may be invoked
based on portfolio performance over an extended period.
Boards of directors and their compensation committees are
spending considerably more time on pay practices. Board oversight

has been strengthened, and compensation committees have
embraced new methods for reviewing pay — delving deeper into
the employee ranks, conducting stress tests on payouts and
retaining more discretion over payments.

have made changes to
compensation frameworks

Exhibit 10: Changes to compensation frameworks

Risk professionals are also being drawn into evaluating the risk
dimensions of pay. In many banks, the CRO and risk team are
providing considerable input into the compensation framework, Activities underway
both directly and indirectly. Risk groups are more closely involved
in offering opinions on existing compensation plans, establishing Strengthening
new compensation policies, providing metrics for scorecards compensation
for business units and individuals, and in a few cases, actually
reviewing the compensation proposed for the top people in the
organization. In some organizations, CROs now have the power to Respondents reported a range of
insist on a risk capital analysis and possible hedging decision on activities to adjust pay structures*
large trades and deals, indirectly impacting the bonus pool.
• Appropriately capital-charging
Survey participants agreed that some reform and improvement business and bonus pools
are needed for industry compensation policies and most report
progress is underway to improve the linkage between the • Retaining more discretion in payouts
governance of compensation and the company’s risk appetite, • Stress testing payouts
management and culture.
• Moving to longer vesting periods

• I ncreasing deferred compensation

• Incorporating risk-weighted metrics

• Instituting clawbacks
“We are looking very carefully at our
• Increasing base salary
compensation plans to make sure they
*”Banker compensation at a crossroads,”
don’t incent inappropriate risk behavior.” Tapestry Networks research sponsored by
Ernst & Young, November 2009.

risk processes

Strengthening risk governance, systems and processes
Banks are continuing to upgrade their risk forecasting, reporting and technology

Across the banking industry, initiatives are underway to

achieve more comprehensive, integrated strategies for risk

management. Throughout 2009, executives moved aggressively
to identify and address deficiencies in their risk management
processes. Reporting, forecasting and technology were the
primary target areas for improvement, and banks put in place
the systems and people required for thorough, proactive
The majority have made approaches to managing and mitigating risk.

changes to risk management Many are well along the path to building strong risk-governance
teams and processes. Sixty percent of executives interviewed
processes and structures
have made changes to their risk management organizations, and
the remainder have either implemented changes or have begun
the process (See Exhibit 11).

Exhibit 11: Changes to corporate risk management decision-making

processes and structures

Upgrading report analysis and delivery
Risk reporting is becoming more comprehensive, actionable and timely

In the wake of the crisis, boards, stakeholders, senior Respondents agreed that effective risk reporting, in terms of
management, rating agencies and regulators are demanding both content and timeliness,is a critical step toward effective
more reliable, thorough and timely information — internally enterprise-wide risk governance. It provides senior management
about the business and externally about the universe of potential and the front-line business and risk professionals with the
risks. As a result, reporting is becoming more substantive information they need to make sound decisions in line with the
and qualitatively rich. Senior management, boards and other company’s risk appetite and business objectives. But many
stakeholders are beginning to receive management reports cautioned that aggregating risk is only the first hurdle. The
that deliver real, actionable value — a clear shift from the “data more difficult step is reviewing, analyzing and synthesizing
dump” mode that often characterized risk reporting in the past. risk reports to understand the interrelationships across the
organization. Most executives conceded there is more work to be
Seventy-one percent of executives indicated that they are well
done in this area.
underway with the development of integrated enterprise-wide
risk reports and almost one-third said their effort is nearly
complete (See Exhibit 12). But many companies still have a long

way to go. Persistent problems cited by respondents include
poor data quality, inconsistent information from disparate
systems and the sheer volume of data — all of which make it
extremely difficult to pinpoint the essential information that The majority are
management needs and present it in an actionable manner. in the process of
Once reports are upgraded to span a more comprehensive implementing
set of information from across the organization, teams are enterprise-wide
turning their attention to delivering the information more
risk reporting
quickly. Executives said that accelerating the reporting process
to support real-time decision-making is one of their biggest
challenges. As one executive describes the situation, “We
aggregate risk information quite well, but we do it slowly. We still
are working on an all-singing, all-dancing, instantaneous view
of complete risk to a particular counterparty in real time. We’re 0%
getting there.” In early Midway Nearly
stages complete
“It is the ability to, with judgment
Exhibit 12: Enterprise-wide risk reporting
and insight, connect the dots
between all of that information.”

Upgrading and reinforcing forecasting
Banks report progress in improving forecasting systems and methods

The past 18 months have demonstrated in a compelling way

an industry need for more robust risk forecasting. Banks
need more sophisticated predictive tools that will enable Most have some organization-wide
management to assess the implications of market events forecasting processes in place
on and across categories of risk. The industry has clearly
learned this lesson, and many respondents reported increased
investments in upgrading and reinforcing forecasting models, 27%
systems and processes. More than half of this year’s survey
participants (55%) indicated that they have some forecasting
capabilities within their companies (See Exhibit 13). However, 18%
only 27% characterized their banks as having formal,
enterprise-wide forecasting processes in place. Most agreed
that to become a truly effective management tool, forecasting
must be integrated and standardized across asset classes and
business lines to provide a holistic view of potential risks and Some Limited Have formal
their impact on the entire organization. processes processes organization-
in place wide processes

Exhibit 13: Status of forecasting

71% Three-quarters have changed The majority have made

the use of forecasting models to changes to stress testing
rely less on historical data and and scenario planning

Exhibit 14: Changed use of forecasting models Exhibit 15: Changed use of stress testing and scenario planning

Respondents reported some critical changes to their forecasting
processes. More than 70% have adjusted their models to Activities underway
rely less on historical data and assumptions (See Exhibit 14).
Seventy-four percent have incorporated forward-looking Risk forecasting
scenario planning and stress testing that consider outcomes
with extremely low probability but potentially high impact on the Respondents reported a wide range of
company’s own set of exposures and assumptions (See Exhibit activities to improve and upgrade risk
15). But executives cautioned that forecasting models can get forecasting:
out of hand, becoming overly complex and too difficult for senior • Establishing uniform modeling
management to understand and use effectively as decision- standards across the bank
making tools. Many emphasized that analysis must always be
• Varying stress-testing methodologies
paired with seasoned business judgment, cautioning that “you
appropriate to the bank’s risk appetite,
need to be very careful not to fall in love with your models.”
level of sophistication and current and
planned operations

• Integrating scenarios in order to cover

more than one type of risk
“I think you need both good models and good
• Ensuring analytical metrics are broad
judgment, but you need to be very careful and aligned with how risk is managed
not to fall in love with your models.” • Extending time horizons of scenarios
and forecasts

• Complementing weaknesses of VaR by

using a wider variety of methods

• Using more worst-case scenarios

• Ensuring data used in models are

consistently reliable and appropriate
for models used

• Ensuring more accountability around

forecasting of loss levels and capital

• Using historical data but placing more

emphasis on the last 6-12 month
period, which is more reflective of
current customer behavior

• Instituting more business line-specific,

bottom-up stress testing around
discrete portfolios of risk, particularly
those with tail risks attached

Streamlining technology to support efficiencies
The long march toward improved technology continues

Leveraging technology to support risk management more to enable ready access to a consistent data set across the
effectively remains a work in progress for most banks. As company. Many organizations are still in the process of
one executive told us, “You’ll never stop working on it.” More developing a common platform and centralizing the technology
than three-quarters (78%) of respondents reported that they function as they deal with fragmented and complex systems,
are mid-way through the arduous process of mobilizing their a challenge for the many companies that have grown
systems to support risk governance — a definite improvement by acquisition.
over last year’s survey results in which only 47% of participants There is strong agreement that streamlining systems is crucial
reported progress on the technology front (See Exhibit 16). to improving banks’ risk management capabilities. As a result,
While executives seem to have a clear vision of how technology remains a major area of investment. Given the high
technology can be deployed to better support risk costs involved, companies are approaching the IT challenge
management, they reported ongoing challenges in from several perspectives. Some have developed prototypes
implementing effective technology platforms. The most and are in the testing stage, others are organizing IT projects
vexing of those challenges is data management. Companies around specific systems or addressing system issues at the
are actively defining the types of data required to produce business-unit level, and a small number have committed to
useful reports and working to integrate disparate databases major system overhauls, such as rebuilding the global market
risk infrastructure.

All are working
to upgrade
“We’ve spent a lot of money
over a period of some years in
order to be Basel-compliant.
You’ll never stop working on it.”


In early Midway Nearly
stages complete
Exhibit 16: Streamlining technology to support risk management

Costs and

Banks are anticipating heavy investment in risk management
With sweeping regulatory changes in the works, executives expect the cost of
managing risk to continue to rise

As the markets stabilize, executives are bracing for steep cost to recruit people specialized in workouts, compliance, modeling
increases as they boost the time and systems dedicated to and risk forecasting — significantly driving up the people cost for
dealing with the aftermath of the crisis and the new regulatory the foreseeable future.
frontier. Executives across all geographies are in agreement: Longer term, a few optimistic executives expect costs will level
risk management costs will continue to escalate over the next off as portfolios stabilize and investments in systems pay off in
18 months and beyond, with some predicting “exponential” greater efficiencies and higher productivity. However, even the
increases (See Exhibit 17). most optimistic do not expect to see any cost stabilization before
Multiple layers of complex regulations have increased mid-2011.
documentation and reporting requirements and brought more
frequent, deeper-dive examinations into operational areas of
the organization. To support these more frequent and complex
inquiries, companies are deploying additional teams of people
and increasing investments in information management systems “I have a team of risk managers and have
and technology aimed at streamlining data gathering and
management across the organization. requested a fairly significant increase in staff.
The cost of working out troubled portfolios continues to rise I think I will get what I requested, and I’m the
at some banks as they deploy work-out terms to clean up envy of my colleagues.”
distressed assets and debts on the balance sheet. Efforts to
hire competitors’ talent has intensified, especially when trying

Increase 83%
8% Across all regions, executives
Decrease 0% expect costs to increase

Stay 17%
the same
Americas Asia-Pacific EMEIA

Exhibit 17: Costs by region

Estimating the cost of risk is complex
Centralized costs of risk management are well known but enterprise-wide costs
are more difficult to quantify

Seventy percent of respondents indicated they were able Some banks are embarking on studies to assess risk productivity
to estimate total annual expenditures for risk-and-control to gain a more sophisticated view of investments in risk across
management across their organizations (See Exhibit 18). This is the enterprise and to benchmark these costs against other
a significant improvement over the results of the Ernst & Young comparative banks. However, the wide variety of definitions of
survey two years ago in which slightly fewer than half (47%) of risk and allocations of resources to risk across the industry make
those responding claimed they were accurately able to gauge this a challenging endeavor.
total costs over a 12-month period.

However, respondents agreed that while they could estimate
the cost of the central risk organization, it is challenging to truly
understand the total enterprise-wide cost of risk management.
When “risk is everybody’s business” it is virtually impossible to
estimate accurately the amount of time people at the business-
unit level spend on managing risk. As one executive put it, “To be
The majority can
honest, if we do our jobs correctly, we’re just putting the policies
and the programs in place. It’s that front-line person who, when estimate the cost of
she sees a suspicious transaction come through on a client she’s risk management
known forever, raises her hand. That’s risk management, but we
don’t capture those costs.”

Exhibit 18: Ability to estimate cost

“We started to look at the total cost of risk

management and control about four years
ago. It has taken us about two years to get
a handle on it.”

Moving forward with a new respect for risk management
The financial crisis exposed inherent weaknesses in the risk management system: siloed infrastructures, disparate
systems and processes, fragmented decision-making, inadequate forecasting, and a dearth of cohesive reporting,
among others. The extraordinarily negative impact of these flaws on many institutions shocked the industry, and as
a result, there has been a seismic shift in attitude toward risk.
As they move beyond the crisis, reflect on its causes and results and adapt to the drastically changed and still-fluid
market and regulatory environment, banks are revitalizing strategies to reflect the enhanced focus on risk. While
each bank included in our survey is crafting a unique strategy based on its own culture, business focus and growth
goals, common themes are emerging among boards and senior executives.
Most importantly, there is a unanimous commitment to ensuring that a healthy approach to risk underlies both
short-term and long-term strategic planning. Boards and senior management are challenging themselves to
clearly define their risk appetite and drive its implementation throughout the business. As they do so, they are
aggressively reviewing and realigning the risk-related responsibility and accountability of every function in the
bank and significantly expanding the influence of the CRO and risk group along the way. Many banks are making
tremendous investments in time and technology to strengthen the processes and tools to manage risk effectively.

From forecasting to reporting to analysis, banks are recalibrating procedures and practices with an eye to providing
management with realistic, actionable and timely information.
There are many lessons to be learned from the crisis. Respondents agreed that the changes required to
institutionalize a strong risk culture are fundamental and far-reaching: risk must become everyone’s business
throughout the organization — from the front line to the functions. Responsibility and accountability for risk are
intertwined as never before. All stakeholders, from board members to business unit heads, must be more actively
committed to identifying and mitigating risks.
The question on many minds is whether these lessons will stick. As one executive said, “The real question is can
we embed this new risk management culture and processes into the organization so that they can outlast this
generation? Or will it all go wrong again the next time around?” No one knows for sure, but all are hopeful. As this
report goes to press, final regulatory guidelines are still being drawn. The market is calmer, but still volatile and the
full impact of the economic crisis is yet to be absorbed. Banks are definitely back to business — recovering, adapting
and advancing in search of the right strategic model in today’s uncertain world.

Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance,
tax, transaction and advisory services.
Worldwide,our 144,000 people are united
by our shared values and an unwavering
commitment to quality. We make a difference
by helping our people,our clients and our wider
communities achieve their potential.

Ernst & Young refers to the global organization

of member firms of Ernst & Young Global
Limited, each of which is a separate legal entity.
Ernst & Young Global Limited, a UK company
limited by guarantee, does not provide services
to clients. For more information about our
organization, please visit

The Global Banking & Capital Markets Center

Managing risk effectively while satisfying
an array of divergent stakeholders is a key
goal of banks and securities firms. The Global
Banking & Capital Markets Center brings
together a worldwide team of professionals
to help our clients achieve their potential — a
team with deep technical experience in
providing assurance, tax, transaction and
advisory services.

© 2010 EYGM Limited.

All Rights Reserved.

EYG no. EK0044

Ernst & Young is committed to minimizing its

impact on the environment. This document has
been printed using recycled paper and
vegetable-based ink.

This publication contains information in summary form and is

therefore intended for general guidance only. It is not intended
to be a substitute for detailed research or the exercise of
professional judgment. Neither EYGM Limited nor any other
member of the global Ernst & Young organization can accept
any responsibility for loss occasioned to any person acting
or refraining from action as a result of any material in this
publication. On any specific matter, reference should be made to
the appropriate advisor.