The banking industry has been transforming the way it manages risk. Over the last seven years, EY, in collaboration with the Institute of International Finance (IIF), has monitored the industry’s progress in improving risk management through a series of annual surveys.
Our most recent installment, A set of blueprints for success showed that, in reality, the industry may be only halfway through a 15-year risk management transformation. If anything, the next half may be even more difficult.
In the first half, it was relatively easy to find budget for upgrading risk management. It was often not an option — a new regulation or supervisory finding compelled change. Shareholders had to accept heavily depressed return on equity (ROE) for a host of reasons, not least of which was to support the necessary recapitalization of the industry.
Harder days ahead
Going forward, while risk management improvements are needed to improve efficiency and cost-effectiveness, in many cases, it’s now a management decision, not simply something regulators mandate. In that environment, new risk investments have to be stacked up against competing demands for budget, for example, major consumer-facing platform upgrades or growth initiatives.
Additionally, shareholders are very impatient. Our recent surveys have shown the industry has been converging on median forward three-year ROE targets of 10%-15%. Now shareholders expect banks to deliver those promises, with less volatility.
What’s been interesting is the industry’s reaction to the survey findings. Few debate it will be a 15-year journey. Most accept there’s a lot more to do, it will take a long time and it will be harder.
Bank executives acknowledge the industry finds itself in a far from ideal situation. They cite common problems. Typically, a patchwork approach has been taken to build out risk and compliance — there was little time to do otherwise. Regulators demanded action. This has led to duplication, redundancies, and significant costs and known inefficiencies.
Assessment and testing fatigue is commonplace. Even though first-line business leaders know they are now fully accountable for risks their units bring into the firm, they feel pummeled by various control functions. Risk has just been in asking whether risk-and-control-self-assessments are complete, when internal audit or compliance arrives. For them, it’s as frustrating as multiple, uncoordinated visits from disparate regulators.
Depending on three lines of defense
A central imperative over the second half of the risk management journey is properly embedding the three lines of defense model.
Some industry participants bristle at talk of three lines: some view it as outmoded, while others say it’s conceptual. Every now and then, an article gets published setting out an alternative model.
Smart people can agree to disagree. But it would be a mistake to think this one is optional. Regulators globally have clearly concluded the model is right. They could have opted for a new model, post crisis. They didn’t. If anything, they have doubled down on the three-lines model.
As a result, a majority of banks are changing their approach.
No kidding businesses: you own the risks
Regulators definitely want to see business leaders held accountable for risk.
The first line needs to own the risks and ensure they have in place effective controls to keep residual risk within bounds approved by the board. This means they need the right tools, people and resources to identify, measure, monitor and mitigate those risks.
The cost of doing risks needs to be borne by the first line for three important reasons. First, the full cost of delivering revenues should be baked in at source. Second, the desire to bring products and services to market should be balanced with the need to do so with proper controls in place. Third, and perhaps most importantly, when the first line carries the full cost, they will find ways to cost-effectively control risks. Our survey showed banks still depend too heavily on adding headcount. That’s not sustainable long-term. Rather, automation, firmwide common frameworks and tools, centers of excellence (e.g., for control testing), and other such efforts are needed to deliver more control for less.
The action is all in nonfinancials
The second line, too, has to complete its transformation.
First, it has to properly embed the firm’s risk appetite framework. The chief challenge is defining parameters for nonfinancial risks. Everyone gets financial risks. But what risk metrics should be used to set appetite for legal, compliance, money laundering, cyber, reputation and strategic risks? How can these metrics be tied together with financial metrics to truly show the firm’s enterprise-wide capital at risk? How can nonfinancial risk appetite statements be driven down, ultimately, to product, service and desk levels? What quantitative metrics are sufficiently forward-looking — even predictive — to enable banks to proactively stay within their appetite?
The second line also has to master its broadening set of independent challenge roles.
Take vendor risk. Regulators have stepped up their focus on third parties to ensure consumer protection laws are adhered to, to ensure resiliency of vendors from a recovery and resolution perspective and to protect against cyberattacks.
Certainly, the first line needs to step up its game — the function may still be called procurement, but it has to manage vendor risk, not just manage vendors. But the second line has an ever-more important role in developing the overall vendor risk management framework, in challenging and testing the first line’s application of the framework, and increasingly in focusing real horsepower on critical vendors.
However, it’s not just vendor risk. A second line challenge build-out will be required for cyber, legal, model, conduct and other risks. While the roles are similar in kind — framework development, effective challenge, focusing attention on major firmwide risks — each risk requires different approaches. There’s no one-size-fits-all approach to nonfinancial risks.
There are three lines: don’t forget the internal audit
All too often when industry practitioners talk about the three lines transformation, they are talking about the first and second lines. Indeed, our survey suggested only 7% were enhancing internal audit.
Those in internal audit see it very differently. Perhaps more than others, they appreciate the three lines model is a system — it’s not just three distinct lines, it’s how they work together. In part, that’s because regulators have elevated internal audit’s role in assessing the effectiveness of the firm’s overall risk governance framework.
More broadly, internal audit recognizes that as the roles of the first and second lines evolve materially, inevitably, so too will theirs. EY’s Are we nearly there yet? outlined where changes may take place.
Evolution meet revolution
The forecasting business is fraught with risks of being wrong most of the time.
However, if I were to predict what the headlines of a 15th annual global EY/IIF bank risk management survey could be, I wonder if industry participants will still be saying this has all been part of a natural evolution of risk management; continuous improvement is part of the game.
A betting man might predict that, by then, practitioners will have finally realized the industry has been through a risk management revolution, not evolution.
For more information, please go to: Global Bank Risk Management Survey 2016