May 18, 2015 - With regulators around the world hammering away at banks' risk management, culture, and incentive compensation efforts, a new survey by Deloitte Touche Tohmatsu Limited (Deloitte Global) finds that financial institutions have a great deal more work to do on this front to meet heightened regulatory expectations — especially at the top of the house.
While it varies country by country, regulators' recent focus has largely included the board of directors in communicating the importance of risk management, governance, broader ethical standards, and compensation practices.
According to the ninth biennial Global Financial Services Risk Management Survey, only 60 percent of respondents said their board has worked to establish and embed the risk culture of the enterprise and promote open discussions regarding risk. This means 40 percent have not done so, indicating more work is needed on this issue.
A similar percentage - 63 percent - said that their directors review incentive compensation plans to consider alignment of risks with rewards. In addition, only about half of respondents said it was a responsibility of their institution's risk management program to review compensation plans to assess its impact on risk appetite and culture.
Last month, Mark Carney - the chair of the Financial Stability Board, an international body that monitors and makes recommendations about the global financial system - told G20 finance ministers and central bank governors that "the scale of misconduct in some financial institutions has risen to a level that has the potential to create systemic risks." He specifically flagged risk governance and compensation structures as areas they will be focusing on in the future as part of that broader sweep.
On the positive side, 85 percent of respondents reported that their board of directors currently devotes more time to oversight of risk than it did two years ago. This continues a trend of ratcheting up involvement by boards in providing risk oversight and which we expect to continue.
"Regulators are looking beyond solely quantitative measures of market, credit, and liquidity risk to assess whether institutions have created a culture that encourages employees to take appropriate risks and that promotes ethical behavior more broadly," said Edward Hida, Deloitte Global Risk & Capital Management Leader.
"This new focus on risk culture and ethics is more than just 'buzzwords' - it is a very real thing with teeth," said Hida. "Banks are responding to the regulatory focus on culture by establishing new oversight committees, offices, and policies, while also struggling to develop the right approaches to measure and assess risk culture."
The Deloitte Global survey also finds that relatively few respondents said their institution uses other compensation practices designed to align employee incentives with the institution's risk management objectives, such as:
• Imposing caps on payouts (30 percent)
• For employees identified as material-risk takers, establishing a maximum ratio between the fixed and the variable component of their total remuneration (29 percent)
• Using individual metrics tied to the implementation of effective risk mitigation strategies (28 percent)
• Matching the timing of payouts with the term of the risk (19 percent)
There is widespread adoption, however, when it comes to more mainline measures, like requiring that a portion of the annual incentive be tied to overall corporate results, the use of multiple incentive plan metrics, and deferred payouts linked to future performance.
"There is every indication that the next few years will bring further regulatory change, including in the incentive compensation area—and it is likely that many of these other practices will become more widespread over time," said Hida.
Among other findings:
• More attention needs to be paid to operational risk. Roughly two-thirds or more of respondents felt their institution was extremely or very effective in managing traditional types of operational risks, like those related to legal and tax. While those numbers should be higher given the regulators' specific focus on this area, far fewer respondents felt their institution was extremely or very effective when it came to those around third parties (44 percent), cybersecurity (42 percent), data integrity (40 percent), and models (37 percent).
• When asked about the impacts of regulatory reform on their institution, respondents most often cited an increased cost of compliance (87 percent, up from 65 percent in 2012). Other impacts cited often were maintaining higher capital (62 percent up from 54 percent in 2012) and adjusting certain products, lines, and/or business activities (60 percent up from 48 percent).
• The greater attention by regulators on stress testing and its expanded use by financial institutions have made it more difficult to secure professionals with the skills and expertise required. Eighty-eight percent of respondents said attracting and retaining risk management professionals with the required skills is at least somewhat challenging, including 32 percent that considered securing talent to be "extremely" or "very challenging."
• Risk data and technology continue to pose challenges as well, with 48 percent of respondents extremely or very concerned about the ability of the technology systems at their institution to be able to respond flexibly to ongoing regulatory change. Sixty-two percent of respondents said that risk information systems and technology infrastructure were extremely or very challenging, and 46 percent said the same about risk data.
"For the last several years, risk data and technology has been an area that we continue to see significant challenges," said Hida. "Regulators expect financial institutions to provide timely information on such issues as capital, liquidity, stress testing, risk utilization, resolution planning, consumer protection, and Volcker Rule compliance. Data on these and other areas need to be timely, accurate, and consistently aggregated across the enterprise. More broadly, we see institutions will need to enhance their risk management programs to stay current—notably in improving analytical capabilities and attracting risk management talent."
Deloitte Global's survey assesses the risk management programs, planned improvements, and continuing challenges among global financial institutions. The ninth edition surveyed chief risk officers—or their equivalent—at 71 financial institutions, and represents a range of financial services sectors, including banks, insurers and investment managers, with aggregate assets of nearly $18 trillion. The survey was conducted from August to November 2014.