Financial services companies are more preoccupied than ever with exposures associated with regulatory reform in the wake of the financial crisis, according to Deloitte’s ongoing assessment of risk management practices in the industry.
The global professional services firm surveyed chief risk officers or their equivalents at 71 financial services institutions in the second half of 2014. Most companies are multinationals based in the United States/Canada, Europe, or Asia Pacific, with insurers accounting for 58 percent.
When asked which risk types would increase the most in importance for their institution over the next two years, regulatory/compliance risk was most often ranked among the top three, and 79 percent felt that increasing regulatory requirements and expectations were their greatest challenge.
In fact, 87 percent of participants said the biggest impact of regulatory reform was an increased cost of compliance.
Banks around the world paid a record $56 billion in fines to regulatory authorities in 2014, according to press reports. Deloitte said “some have argued that regulators are using fines as a covert strategy to restrain the size of large financial institutions, in an effort to address the problem of ‘too big to fail’” that emerged from the financial crisis.
Meanwhile, little over half of the required rulemakings under the Dodd-Frank Act, which was passed in response to the crisis, had been finalized as of Dec. 1.
Roughly two-thirds of survey participants felt their institution was extremely or very effective in managing the more traditional types of operational risks, such as legal (70 percent), regulatory/compliance (67 percent), and tax (66 percent). Fewer participants felt their institution was extremely or very effective when it came to other operational risk types such as third party (44 percent), cybersecurity (42 percent), data integrity (40 percent) and model (37 percent).
Sixty-two percent of participants said that risk information systems and technology infrastructure were extremely or very challenging, and 46 percent said the same about risk data.
Reflecting new regulatory requirements, 85 percent of participants reported that their board of directors currently devotes more time to oversight of risk than it did two years ago. The most common board responsibilities are to approve the enterprise-level statement of risk appetite (89 percent) and review corporate strategy for alignment with the risk profile of the organization (80 percent).
More boards are also placing oversight responsibility in a risk committee that includes independent directors and an identified risk management expert.
The survey showed 86 percent of participants reported that their institution has at least one independent director on its board risk management committee, up from 58 percent in 2012, and 79 percent said the risk committee is chaired by an independent director, up from 54 percent in 2012.
Ninety-two percent of institutions reported having a CRO or equivalent position, up from 89 percent in 2012 and 65 percent in 2002. Although it is considered best practice for the CRO to report to the board of directors, only 46 percent of participants said this is the case, while 68 percent said the CRO reports to the CEO.
Some 68 percent said the CRO has primary oversight responsibility for risk management, though, an increase from 42 percent in 2012. At the same time, the percentage of participants that said the CEO was primarily responsible for risk management oversight dropped to 23 percent from 39 percent in 2012.
Three responsibilities of independent risk management programs led by the CRO were cited by more than 90 percent of participants: develop and implement the risk management framework, methodologies, standards, policies, and limits; oversee risk model governance; and meet regularly with board of directors or board risk committees. Yet only 57 percent of participants said their risk management program had the responsibility to approve new business or products.
The existence of a CRO and their autonomy is closely related to the size of the institution. All the participants at large institutions and 97 percent of those at mid-size institutions reported having a CRO, compared with 69 percent at small institutions.
The risk management program is also less likely to be overseen by the CRO at small institutions (38 percent) than at mid-size (62 percent) or large institutions (58 percent).
Insurers, meanwhile, have been required, along with banks, to implement enterprise risk management programs. Deloitte said they’ve responded by taking a total balance sheet view of risk, which assesses all the risks across the enterprise.
Among carriers participating in the survey, 95 percent either have an ERM program (73 percent) or are currently implementing one (22 percent).
Regulators are also encouraging insurers to adopt stronger risk governance practices such as creating a CRO position, and this was reflected in the survey results—all reported having a CRO or equivalent position.
Issues related to risk data are areas of concern among carriers, Deloitte said, because few have invested sufficiently in data quality, data aggregation and advanced analytics, with many still relying on manual processes.
The issue of most concern to them after filing their Own Risk and Solvency Assessments (87 percent) was data infrastructure and data handling processes, cited by 78 percent of participants, up sharply from 31 percent in 2012. On the other hand, 57 percent of participants mentioned review of the quality of the data used, down from 77 percent in 2012.
