While banks have materially strengthened their risk management approach from the board level down across risk, compliance and controls since the financial crisis, the industry is still searching for the appropriate blueprints to establish effective risk accountability across the three lines of defense. This is according to EY's 2016 global banking risk management survey, "A set of blueprints for success."
The global survey of banks carried out by EY (No. 3 on the DiversityInc Top 50 Companies for Diversity list) and the Institute of International Finance (IIF) follows the industry's progress in improving risk management by surveying senior risk executives. This year, 67 banks from 29 countries participated in the survey. This includes 23 of the 30 institutions described as "global systemically important banks" (G-SIBs).
Tom Campanile, Partner, Financial Services Office, Ernst & Young LLP, says:
"Banks have made considerable strides in terms of risk management enhancements since the crisis. However, regulations are still changing and industry approaches on emerging or evolving areas such as non-financial risks and increased IT security threats are still maturing. This suggests a long road ahead for banks. Finding a sustainable risk management operating model that will be flexible through this current market environment will be essential to success."
Although the survey highlighted that significant progress has been made so far, banks may be halfway through what could be a 15-year journey of substantial work to enhance risk management processes. Additionally, increased investor pressure to achieve higher, stable returns has resulted in banks converging toward an industry norm of three-year ROE targets of 10 percent to 15 percent across G-SIB and non-G-SIB banks, forcing banks to adapt their business models to meet these targets.
Andrés Portilla, Managing Director of the Regulatory Affairs Department at the IIF, says: "Banks are still under huge pressure on different fronts, and the risk management function is evolving rapidly to cope with the changes in the economic and regulatory environments. As this report shows, it is about embedding the concept of risk throughout all the processes and business of the organization, for which a period of regulatory stability is essential."
EY and the IIF have also identified the continued significance of non-financial risks that pose major financial strains on the business. Specifically, focus on a wide range of conduct areas has increased – money laundering (increased to 72 percent from 52 percent in 2015) and sanctions (increased to 52 percent from 30 percent in 2015) have moved significantly up the agenda. Cybersecurity has surged with almost half of respondents (48 percent) highlighting cybersecurity as one of the three most important risks for their board over the next year.
Effective implementation of the three lines of defense blueprint
According to the survey, banks have greatly stepped up their efforts to make a fully functioning three-lines-of-defense approach to risk management work, but there is still no agreed blueprint within the industry on the balance of responsibilities across the first and second lines – with many firms working to enhance the responsibility of the first line.
More than 60 percent of banks highlighted that they are currently changing their three lines of defense model. Top reasons for doing this include a significant focus on the first line, including:
- Making the first line accountable for end-to-end risk (38 percent)
- Making the first line more clearly accountable for non-financial risk (28 percent)
- Making the first line more clearly accountable for financial risk (27 percent)
Banks are also looking at the effectiveness and efficiency of the second line functions – in particular better technology and more advanced data analytics are essential, as are properly implemented centralized teams for common, repeatable tasks (such as testing). Such an approach would allow firms to deliver the right risk outcomes cost-effectively.
Developing a working blueprint to address non-financial risks
The industry, and G-SIBs in particular, continue to focus on addressing non-financial risks more effectively. Banks recognize that they need the management of risk to be part of everyone's job, not just those in risk and control roles, and are testing and enhancing controls frameworks.
Significant changes have been made to improve the management of non-financial risk. Banks are attempting to reduce non-financial risk by reducing the complexity of products (57 percent); exiting products (63 percent); improving employee training (67 percent); and strengthening risk culture and employee behavior by enhancing messaging and tone from the top (90 percent). Importantly, they are also enhancing their forward-looking analysis of intrinsic non-financial risks and embedding non-financial risk into other risk management initiatives.
In addition to addressing conduct issues, banks are focusing on three main areas: operational risk, cybersecurity and vendor risks. Firms report a clear focus on operational risk (with 77 percent of them reporting that they are devoting more time to it than last year). Cybersecurity has shot up to the top of the CRO agenda, ranking second (51 percent) in the list of top five concerns over the next year.
Navigating toward a blueprint for a sustainable, long-term business model
The report highlights the combined effect on ROEs of lower profitability, caused by economic conditions and low interest rates, and higher regulatory capital. Respondents say their investors are pushing for higher ROEs (82 percent) and reduced costs (79 percent). Banks express major concerns about the regulatory proposals to increase capital further and reduce risk sensitivity. Overall, these proposals would have the effect of making yet more areas of core lending activity unprofitable.
- The capital, liquidity and leverage changes under Basel III have led banks to rethink their business model as a large percentage of G-SIBs (83 percent) and non-G-SIBs (67 percent) are evaluating asset portfolios. Over 48 percent of respondents are exiting business lines and 27 percent are exiting countries.
- It is projected that the cumulative reforms to the Basel III capital framework – often referred to as "Basel IV" – could have a particularly negative impact on banks. The survey highlights that changes to internal ratings-based (IRB) models are a major concern as 63 percent of respondents highlighted that the models could change the economics of some areas of business. Concerns also exist regarding fundamental changes proposed on the treatment of market and operational risks.
- Additional changes including the standardized measurement approach (SMA) for operational risk will drive up capital, especially for G-SIBs – with 67 percent expecting a significant or moderate increase; and the fundamental review of the trading book (FRTB) will greatly impact trading and investment banks.