The Financial Industry’s ERM Focus for 2016
With all the turmoil and uncertainty around the world facing financial institutions, leading Enterprise Risk Management officials describe the most significant issues they now confront, and how the issues will impact the immediate future of ERM at their firms.
A new Deloitte Survey questioned Chief Risk Officers (or their equivalent) from 71 major financial institutions from around the world about which types of risk they think will increase the most in importance for their business over the next two years. Noted below are their top concerns.
Not surprisingly, fifty-two percent (52%) of the respondents ranked regulatory compliance as the top future challenge. Since 2008, the regulatory environment has become increasingly difficult for banking institutions, including the requirements from the Basel Committee, the United States Dodd-Frank Act, and European Union Regulations.
The responsibilities extend to higher capital requirements, restrictions on business activities, additional documentation for regulators, and new standards on risk data and infrastructure. Regulators are also turning their attention to qualitative issues, such as risk culture and the effectiveness of internal controls.
The risk officers reported that the regulatory requirements have increased costs, as seen in their most recent financial statements. However, their biggest concern seems to be that the compliance costs will continue to escalate, and the regulations will limit the ability of many institutions to grow revenue. Over forty-three percent (43%) said they were “extremely” or “very concerned” over new restrictions or prohibitions on profitable activities, and that the regulations may require a significant change in their business model or legal structure.
With the almost constant threat of cyber-attacks worldwide, thirty-nine percent (39%) of the respondents ranked this issue as the second most important challenge. The frequency and severity of the attacks have shown “exponential growth” according to one corporate security chief, with the financial services industry as a top target. In response to these threats, expect to see double-digit growth in bank security budgets over the next two years.
Cybersecurity has also been a major focus for regulators. For example, both the US Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations and the Financial Industry Regulatory Authority (FINRA) have announced that cybersecurity will be an examination priority in 2015.
Forty-two percent of the survey respondents indicated their institution is “extremely” or “very effective” in managing cybersecurity, roughly similar to the percentage who said the same about managing third-party risk (44 percent). Third-party and cybersecurity risk are sometimes closely related since there have been security breaches involving third parties that have affected the confidentiality of customer information.
Officers at large institutions (63 percent) were more likely to consider their organization to be “extremely” or “very effective” in this area than those at mid-size (35 percent) or small institutions (25 percent).
Only a little more than a quarter (28%) of the respondents ranked this issue as the third most important challenge. The two issues that were most often considered to be “extremely” or “very challenging” for the firms were defining risk appetites for strategic (55 percent) and reputational risks (55 percent).
Measuring strategic risk requires defining the uncertainties and untapped opportunities within the business plan. Reputational risk is typically a secondary risk that is the consequence of other types of risk events such as market, credit, or operational risk. Both types of risk are difficult to quantify, and are most likely measured by the public through stock trading and other activity. The issue cited next most often as “extremely” or “very challenging” was defining risk appetite for operational risk (38 percent), which poses similar measurement difficulties.
With the objective of improving strategic and operational risk management, boards of directors are devoting more time to risk management, and most boards are addressing key issues such as approving the risk appetite statement and aligning corporate strategy with the organization’s risk profile. Having a chief risk officer position and an enterprise risk management program is becoming a normal practice. Financial institutions face unique challenges in dealing with the new age of risk management. Significant investment in risk management staff and systems will be necessary to meet regulatory changes and business strategies, now and in the immediate future.
Please feel free to call us for more information about your specific questions and needs.