Risk Management Survey _PWC

8/7/2019 Risk Management Survey _PWC

http://slidepdf.com/reader/full/risk-management-survey-pwc 1/16

Risk management surveyNovember 200

PricewaterhouseCoopers Global FS e-briefing programme


As the dynamics of the market and competitive environment for the financial serviincrease in their complexity, being able to plot the right course for continued succebecomes harder. Being able to identify and adapt to the new challenges are a key sufactor for the leaders of tomorrow. As such, PricewaterhouseCoopers has developedprogramme of e-briefings aimed at addressing the key strategic issues facing our inwith the emphasis on drawing conclusions about best practice and future trends.

Working with the Economist Intelligence Unit we have already published three rep

• Wealth management at a crossroads – Serving today’s consumer

• Economic Capital: At the heart of managing risk and value, and

• Taming uncertainty: Risk management for the entire enterprise.

This special risk management survey is a follow-up to Taming uncertainty: Risk mafor the entire enterprise.

I am confident that you will find this survey thought provoking and insightful and iwould like to discuss any of the issues raised in more detail please speak with yourcontact at PricewaterhouseCoopers.

As with all of our publications we would also appreciate your feedback on this survas this helps us to ensure that we are addressing those issues that you are most focu

Jeremy Scott

Chairman, Global Financial Services Group

1




Introduction

Uncertainty is the defining characteristic of the current business environment, and ris its shadow. From financial market volatility to corporate governance scandals,geopolitical upheavals to regulatory change, global financial services institutions faa formidable array of challenges. A world-class risk management framework willunderstand and address them all.

That was the conclusion of Taming uncertainty: Risk management for the entire enterprise

launched in July 2002. The e-briefing was based on extensive interviews with seniorepresentatives of major financial services institutions as well as the initial results osurvey of enterprise risk management among 14 of the world’s leading financial serorganisations. The survey was carried out in June 2002 and respondents included a preponderance of chief risk officers. This paper presents the final results of that sur

Becoming world-classIn the Taming uncertainty e-briefing, we identified ten attributes of a world-classrisk management culture. The final survey results that we report in this paper showthat many leading financial services institutions already have acquired some of thesattributes, but that even those well-run organisations have significant opportunity fofurther improvement.

For reference, the complete list of attributes is overleaf:

2




Ten attributes of a world-class risk management culture

1 Equal attention is paid to both quantifiableand unquantifiable risks. The temptation toignore risks that cannot be quantified, suchas reputational risk, is avoided. Reputationprotection is one of five risk factors on UBS’srisk charter, for instance.

2 Risks are identified, reported and quantifiedto the greatest possible extent. This meanssetting up extensive historical risk and lossdatabases, and identifying risks precisely ratherthan burying them into general categories suchas credit and operational losses.

3 An awareness of risk pervades theenterprise. Performance measurement andpricing are risk-adjusted. Pay structures alsoreflect risk management priorities– compensation schemes encourage risk-taking behaviour that is aligned with risk

appetite. Risk-adjusted forecasts and returnsgive shareholders and analysts a fullunderstanding of the risks being run.

4 Risk management is everyone’s responsibility.Risk is not fragmented into compartments andsilos – risk management shouldn’t be either.People from IT, legal, compliance and evencommunications departments are involved indecision-making to inform senior managers of non-financial risks associated with the launchof new businesses and products.

5 Risk managers have teeth. Everyone involvedin monitoring risk, even non-financial risk,has a power of veto over new projects theyconsider too risky. Equally, the chief riskofficer has the power to drive the riskawareness and management agenda.

6 The enterprise avoids products andbusinesses it doesn’t understand. Properrisk management depends on knowingenough to comprehend the dangers thatare faced. A product or a business that isdelivering outstanding growth but is toocomplex for management to understandis a risk too far. Put another way, if you

don’t understand it, don’t do it.7 Uncertainty is accepted. Companies like

Shell use scenario planning to make suretheir strategy embraces uncertainty, not hor eliminates it. Rather than basing stratearound fixed assumptions, leading riskmanagers try to factor all possibledevelopments into decision-making.

8 Risk managers are monitored. Riskmanagement is too important to be left to

risk managers alone. Internal audit procedensure that systems are running properly the right results are being achieved.

9 Risk management delivers value. It is notdesigned to stop people from taking riskbut rather to create value, by enhancing chances of a project or product succeediand by enabling managers and shareholdto understand the level of risk they run ato manage accordingly.

10 The risk culture is defined and enshrined.The enterprise’s risk appetite is clearly awidely understood. Whether a company’culture is entrepreneurial or conservativerisk management is aligned with that culto give managers and employees therequisite freedom of manoeuvre.

3




0 1 2 3 4 5Level of impact (scale of 1-5 with 1 being the greatest impact)

Source: PricewaterhouseCoopers 2002

Factors Impacting Risk Management Programme

4

Attribute 1

Change in Basel II

Enron bankruptcy

Terrorist attacks

Rogue trader scandal

Others

Argentine default

Equal attention is paidto both quantifiable andunquantifiable risks.The responses to the survey supportedour view that financial services institutionsneed to include non-quantifiable risks

as well as quantifiable ones in theirconsideration and management of enterprise risk. In a number of respondentorganisations, compensation structureshave been adjusted so that they are alignedwith progress attained in reaching theinstitution’s strategic objectives rather thansimply linked to current financial results.

Processes such as product approvals hbeen tightened up in almost half theorganisations surveyed as part of a rismanagement programme. Asked whawere the risks facing institutions as thsought to maintain a global capabilitytheir clients, more respondents pickedcompliance with local regulations thaany other answer. None of these areascompensation, product developmentand compliance – lend themselves tomeasurement and quantification, yet are gradually coming within the orbitrisk managers.

That’s hardly surprising given events the past year. Asked to identify theexternal events that have the greatestimpact on their risk managementprogrammes over the past year,respondents picked the Enron bankrufollowed by delays in Basel IIimplementation, followed by theSeptember 11th terrorist attacks. Eachof these events raise concerns, such areputational risk, compliance risk andsecurity risk, that are at least harder,if not impossible, to quantify than mofamiliar sources of risk.




Credit and market risk nevertheless remainthe top two areas of focus for our surveygroup, just as they were when we askedthem in 2001. Looking at risk in terms of the impact of loss, the respondents’ list of priorities makes perfect sense. Credit riskis something every lending institutionwill experience in their normal activities,after all. But if the past 12 months havetaught us anything, it is that high-impact,low-probability events do happen.

Respondents’ awareness of othersources of downside risk is consequeon the rise – issues that scored highe(though placed the same) than a yearincluded business continuity planningand rogue trader risk. Perhaps moresurprisingly, given the acknowledgedimpact of Enron, the restatement of financial results continued to rank wedown the list.

Enterprise risk management programmepriority (2001 ranking in parentheses)

1 Credit (1)2 Market (2)3 Operational (3)4 Treasury/Liquidity Planning (4)5 Changing Regulations (5)6 Insurance/Business Continuity (6)7 Rogue Trader/Fraud (8)8 E-business Security (7)9 Sovereign/Political (10)

10 Key Person Retention (9)11 Restatement of Financial Results (11)12 Pension Surplus (12)


5




Risks are identified,reported and quantified tothe greatest possible extent.The survey group comprises institutionsthat are in the vanguard of quantification.Only 15% of all respondents have systems

that are not powerful/fast enough toperform desired risk calculation withsufficient timeliness and frequency.Almost half of the group are assessingtheir performance on the basis of risk-adjusted capital (or economic capital).

But the respondents indicate that theris still room for improvement. Whilethe majority of respondents (57%) wsatisfied with their product-specific rmeasurement tools and the technologthat powers them, that still leaves a vsubstantial minority who are dissatisf

Attribute 2

Does your organisation believe that a broader, more accuraterisk aggregation across diverse portfolios and business lines

is an area for risk quantification tool improvement?

Yes 86%

No 14%


6




The biggest challenge confrontingrespondents in terms of the riskmanagement infrastructure isaggregation across different categoriesof risk. Disturbingly, basic systemsand data aggregation shortcomingspersist for a large proportion of respondents. For example, virtuallyall respondents (93%) stated thatintegrating legacy systems anddatabases remains a pressing challenge.

‘Quantification of risk has come anawfully long way over the past decade’,says Hans-Kristian Bryn, a partner at PricewaterhouseCoopers. ‘But drawing a complete picture of risk appetite and exposure at the group level is clearly a daunting task even for pioneering institutions.’

With the eventual implementation ofBasel II, which will require banks to aside capital to cover operational riskacting as an added spur for institutionto tighten up their risk managementsystems, we conclude that over thenext two to four years, we will seeincreased resources devoted to redesigand rebuilding institutions’ systems adata management infrastructure.

Are you generally satisfied with your tools for riskmeasurement and risk quantification?

No 43%

Yes 57%


7






Risk managers have teeth.To be effective, risk managers have tohave authority and the backing of theboard. The chief executive officer needsto seize the risk management agenda ashis own and make risk management astrategic priority. To judge by the survey,

that process is under way. Almost 50% of all respondents have established a newsenior level position with firm-wide riskoversight responsibilities. And almost70% have instituted a more frequent riskreporting system to help seniormanagement make strategic decisions.

The enterprise avoidsproducts and businessesit doesn’t understand.Experience has, however, taught maninstitutions the importance of scrutinnew ventures and new products more

thoroughly before making a full-scalcommitment. Almost half of therespondents disclosed that they hadadopted more stringent approvalprocesses for new products. Much ofadded scrutiny comes from a cross-section of functional and businessprofessionals (from legal, tax,accounting, operations and complianwho provide valuable context to thebusiness case for the new venture, evthough they may not be directly invoin structuring or marketing the produ

Attribute 5 Attribute 6

9




Uncertainty is accepted.Risk management is all about uncertainty– accepting that risk is about likely,rather than definite, outcomes.That realisation should feed throughinto the strategic decision-makingprocess. A company’s course of action

should be flexible enough to vary withevents. As we quoted in the Taminguncertainty e-briefing, a real leader inthis sort of thinking is Royal Dutch/Shell.As Shell’s chairman, Philip Watts,says, ‘Scenarios are not predictions.They are a tool for focusing on criticaluncertainties…Those that rely solely onforecasting in their thinking about thefuture can find the consequences veryexpensive.’ In other words, you need totake risk and uncertainty into account atthe outset, and plan around them.

Risk managersare monitored.But again, more could be done. Givethe increased emphasis being placed direct board-level accountability forfinancial reporting and risk managemit is surprising that only 23% of therespondents have reaffirmed a directreporting line to the board for theenterprise risk unit, even though 62%them see the more timely disseminatiof risk information to senior executivtheir most pressing reporting priority

According to Mr Bryn: ‘A direct reportingline from the enterprise risk unit to the board, or to the board Audit Committee,facilitates both exchange of informationand effective follow-through on actionsteps mandated by the board.’

Attribute 7 Attribute 8

Has your organisation reaffirmed a direct reporting lineto the board of the enterprise risk unit?

Yes 23%

No 77%


10




Risk managementdelivers value.The skills and knowledge embedded inthe risk management function can havea tangible impact on the successfuldelivery of the strategic plan.Respondents identified a number of waysin which risk management programmeshad added value to their organisationover the past 12 months, from ensuring acorrect framework of procedures andcontrols for new businesses, productsand offices to increased understanding of risk concentration through stress-testingof credit-loss forecasts.

Many respondents are taking stepsformally to link the risks run with thereturns generated – 46% of therespondents have instituted performaanalysis based on a measure of risk-adjusted capital. But that leaves amajority of institutions still seeking away to solidify the link between riskmanagement and value creation. Onlfew of our respondents are pushing fcloser integration of the risk and finafunctions. According to one respondethe roles are very different andoccasionally in conflict; it is, therefoimportant to have two strongindependent functions. Yet, while it mnot always be optimal to merge the rimanagement and finance silos so

aggressively, closer integration of thetwo functions can only help to drive awareness and visibility of riskmanagement throughout the institutio

Attribute 9

11




Attribute 10

The risk culture is definedand enshrined.The calculation and the communicationof top management’s risk appetite –confirmed and approved by the board –is one of the most critical components of world-class risk management. Over 75%of the respondents indicated that theirorganisations formally articulate riskappetite at the group level, which is ahighly encouraging result.

Articulating risk appetite once is notenough, of course. Communicationsabout risk tolerance throughout thecompany must be frequent, timely anaccurate. Although our respondentsappeared to be sharply focused on thneed to provide timelier information the senior management team, theimportance of the flow of informatioother way seems to be less pressing.Only 36% of the respondents said thamore rapid communication of changerisk appetite and tolerance for potentlosses/earnings volatility is a priority

No 23%

Yes 77%

Does your organisation formally articulaterisk appetite at the group level?


12




Corporate scandals, regulatorydevelopments, financial market volatilityand political instability are all helping topersuade financial services institutions of the importance of a more holistic approachto risk management. Market and creditrisk remain the bread-and-butter of riskmanagement programmes but the dentingof public trust in corporate governanceand transparency increasingly requiresinstitutions to focus on non-quantifiableareas such as compensation risk andreputational risk. The forthcomingimplementation of the Basel II accord hasraised the profile of operational risk withininstitutions. And the lesson of high-impactevents such as Enron and WorldCom isthat the unthinkable can happen, and

destroy your business in the process.

Our survey shows that leading finanservices institutions are moving steatowards this more mature concept orisk management, one that aligns riswith decision-making at all levels othe company.

In PricewaterhouseCoopers view thi

represents a natural evolution in termof the risk maturity of advanced finaservices institutions.

Three-quarters of the respondent baformally articulate risk appetite at thgroup level; more than half have revpolicies for the authorisation of riskto ensure closer alignment with theorganisation’s strategic objectives; hthe respondents have made a senior

appointment to oversee enterprise-wrisk; and just under half measureperformance on a risk-adjusted basi

And yet, worrying potholes in the pto risk maturity also become evidenthe survey results. Although financitoday are generally well understoodaccurately measured, just under halfrespondents remain dissatisfied withmeasurement tools at their disposal

85% see aggregation of data acrossbusiness lines as an area for improv

Conclusion: The path to risk maturity

Integrated across risks/businesses

1980s 1990s 2000+

Aligned to business value driver


The next step alongthe risk management continuum

Focus on lossprevention

Focus ongovernance

and reporting

Focus on riskquantification

Focus onalignment toobjectives

Focus on link toperformanceand capitalefficiency

Focus onstakeholder

value

Risk ControlFrameworks

RiskMonitoring and

Reporting

Value-at-Risk

Objectives-oriented RiskManagement

PerformanceManagementEnterprise-Wide

Risk Management

IntegratedRisk and ValueManagement

13




Conclusion: The path to risk maturitycontinued

Although a significant minority of institutions do place compensationpolicies within the risk managementarena, more do not. And, although timelycommunication of information to seniormanagement is a priority within manyorganisations, most do not have a directreporting line from the enterprise risk unitto the board.

The increased use and availability of enabling technologies such as XBRL isassisting organisations to acceleratethe timely and accurate collection,aggregation and dissemination of risk andvalue-related management information.

According to Scott Dillman, Partner in Financial Risk Management, ‘Over the next two years, XBRL will play a significant role in improving the credit measurement and management process, specifically,credit scoring for financial institutions.’

The survey reinforces the need for financialservices institutions to continue to strivefor improvements in the articulation andenforcement of risk management processes:

1 They must assess the balance betweenrisk and return, showing greater

appreciation for the risks to theirfranchise and share value that donot easily fit into the current planningand risk models.

2 Senior management must convertthis assessment into a corrective actionplan, with clear accountabilities and

deadlines reported to the boardand disseminated throughoutthe organisation.

3 The board must receive clear andtimely information about theimplementation and results of riskmanagement programmes.

4 Regular transparent stress-testing financial forecast should mitigate risk of excessive leverage or volatof earnings in the trading accounts

5 Risk-adjusted forecasts shouldbe communicated effectively toexternal stakeholders.

Finally, the implications of SarbanesOxley is currently becoming clearerinstitutions are addressing the need demonstrable improvements in theirmanagement practices. Specifically, Act’s requirements pertaining to operrisk and management sign-off (secti302 and 404) are driving new initiat

Regulators and investors will continto demand higher standards of accountability for the decisions thatfinancial institutions take. Managersincreasingly aware of the value that management can deliver to theorganisation. We anticipate that themovement towards enhanced riskmanagement in all aspects of busineconduct and shareholder value creatwill not only continue but will alsoaccelerate over the coming months.

14




The Path to Risk MaturityConclusion: The path to risk maturityContacts

Taming uncertainty e-briefing andRisk management survey editorial board

Richard Barfield44 20 7804 [email protected]

Hans-Kristian Bryn44 20 7213 [email protected]

Eric Gronningsater1 646 471 [email protected]

Tom Gunson44 20 7804 [email protected]

Miles Kennedy61 2 8266 [email protected]

Juan Pujadas1 646 471 [email protected]

Global Financial Services Leadership TeamJeremy ScottChairman, Global FinancialServices Leadership Team44 20 7804 [email protected]

Etienne Boris33 1 56 57 10 [email protected]

Javier Casas Rúa54 11 4891 [email protected]

Rahoul Chowdry61 2 8266 [email protected]

Richard Collier44 20 7212 [email protected]

Ian Dilks44 20 7212 [email protected]

Willi Grau41 1 630 2570

[email protected] Jeffreys44 20 7212 [email protected]

If you would like to discuss any of the issues raised in this survey in mdetail please speak with your usual contact at PricewaterhouseCooperscall one of the following:

15




Contactscontinued

John Masters61 2 8266 [email protected]

Bob Moritz1 646 471 [email protected]

Barry J. Myers1 416 869 [email protected]

David Newton44 20 7804 [email protected]

Arno Pouw31 20 568 [email protected]

Juan Pujadas1 646 471 [email protected]

Rick Richardson1 617 428 [email protected]

Phil Rivett44 20 7212 [email protected]

John S. Scheid1 646 471 [email protected]

Nigel Vooght44 20 7213 [email protected]

Hans Wagener49 69 9585 [email protected]

Akira Yamate81 3 5532 [email protected]

For additional copies please contact Áine O’Connor at Pricewaterhouson 44 20 7212 8839 or e-mail at [email protected]

Copyright© 2002 PricewaterhouseCoopers. All rights reserved. Designed by the studio ec4 (15

Documents

Risk Management Survey _PWC