In Control?: Gaining Competitive Advantage Through Governance, Risk and Control Best Practice
Financial Services
In control?
Gaining competitive advantage through
governance, risk and control best practice
Audit. Tax. Consulting. Corporate Finance.
23993 bd In Control:23993 In control bd 7/4/08 13:27 Page b
Contents
Foreword
Executive summary
Work in progress?
Key findings
Implementation challenges
Conclusion
Foreword
Governance, risk and control is one of the biggest issues facing financial institutions today. As the credit crunch continues to present a number of challenges, to CEOs and entire corporations, it is imperative all financial institutions reappraise their enterprise-wide control and governance systems and hierarchies.

Reactions to some of the issues emerging from the 2007/2008 credit crunch include: tightening individual controls; building liquidity risk into models and business plans; identifying where credit and market risks really originate from; more sophisticated stress testing, and scenario analysis. These are clearly necessary steps and laudable aims. However, the questions that arise are whether they will address the underlying problems that resulted in businesses expanding into riskier products and sectors, and the aggregate exposure exceeding the risk appetite of organisations.

The purpose of this paper is to shed some light on the progress of major financial institutions around the world in developing governance and control systems. We have looked at actual operational data for 32 major financial institutions from around the globe, which has enabled us to examine the state of the governance, risk and control systems within financial institutions. Opportunities for improvement exist in the overall coherence of policies, procedures and operations and spotting the ways in which risks interact with each other, for example, credit and market risk.

For the purposes of our work we have defined governance, risk and control as:
• a process, implemented by the board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of business objectives in the following areas:
  – Maintaining compliance with applicable laws and regulations
  – Safeguarding the assets of the organisation
  – Promoting the effectiveness and efficiency of operations, including the effective management of risk
  – Ensuring the reliability of financial reporting.

A key to success lies in the introduction of more coherent risk and control systems with appropriate governance structures spanning all related procedures. As financial services organisations continue to focus on operational improvements and cost control, together with major mergers and acquisitions transactions, it is equally vital that priority is given to strengthening the control environment.
Executive summary
Competitive advantage through compliance?
Five years since the introduction of Sarbanes Oxley, financial services institutions continue to face an avalanche of regulation. Seldom are compliance and competitive advantage mentioned together within a financial institution – until now. To create greater value, institutions must consolidate, standardise and align their governance and control systems. This is an issue that must combine compliance and business approaches. The goal: developing corporate agility and flexibility to absorb new regulatory demands while accruing cost efficiencies and, in time, competitive advantages. As the bar of regulation and control continues to rise, senior executives must demonstrate to the relevant authorities they are in control.

The ‘hundred billion dollar’ challenge
Much has been said about the market costs of regulation.[1] Similarly, volumes have been devoted to the cost of major initiatives such as Basel II, Sarbanes Oxley and IFRS. Little has appeared, however, about the total costs for financial institutions. This report is a first step to correcting this balance. According to our survey,[2] the top 100 financial services institutions by market capitalisation have seen expenditure in this area increase by over 30 per cent in the past three years to £28 billion ($56 billion). Further, this cost burden is yet to peak. Projecting from the results of our survey, the cost for governance and control for the top 100 institutions could reach £50 billion ($100 billion) by 2010.[3, 4]

Unlevel playing field?
There has been much debate around the issue of the exact business impact of increased regulation in financial markets. Our survey suggests economies of scale apply to the enterprise-wide implementation of governance and controls systems. Larger financial services institutions, although they tend to operate in a higher number of jurisdictions, with greater compliance demands, spend on average four per cent of their total expense base on governance and compliance activities. By contrast, smaller financial institutions on average spend six per cent of their total expenses. In essence, it appears growing regulatory demands could be creating an uneven regulatory environment potentially acting as a competitive disadvantage to smaller financial institutions.

Leaders and laggards
We have identified three distinct clusters based on financial institutions’ governance and control performance – leaders, followers and laggards. The key difference between the groups is that leaders are likely to take a pro-active approach to governance and control, while laggards can tend to view compliance as a ‘necessary evil’ rather than a means to mitigate risk and/or confer business benefits. Followers take a middle path. Distinct groups also emerge across geographic locations and across sectors, whilst there are best practices in all locations. Certain Anglo-American financial institutions are leading the rest of the world, while Asian-Pacific financial institutions are lagging. By sector, banks are ahead of insurers. Perhaps this merely reflects the risk appetite and risk profile of the relevant businesses, as illustrated by the recent losses related to US sub-prime exposure.

Next generation
Our work on good practice suggests that even financial institutions applying current best practice have a significant way to go before they achieve optimal return on governance and control investments. To achieve this, next generation institutions are likely to build significantly stronger risk and control cultures throughout their organisations; have a fully accountable, board-level individual overseeing controls; effectively integrate governance, risk management and compliance into daily operations; efficiently use technology to automate controls and monitor transactions in real time to avoid errors and inefficiencies, and properly implement tools that allow managers and risk experts to collaborate in making decisions and to evidence control of significant risks from all sources and at all levels. In sum, competitive advantage will be conferred on those institutions best able to adapt to new governance and control systems, which blend efficiency and effectiveness with accountability and alignment, thus optimising capital.
Work in progress?
Almost to the day, on the fifth anniversary of the Securities and Exchange Commission’s (SEC) introduction of the Sarbanes-Oxley Act, financial markets suffered one of the most significant tightenings in credit markets in a generation. In the aftermath, many financial institutions and senior executives have had to take huge write-downs – already totalling in excess of £600 billion ($1.2 trillion)[5] – a sum which may become even higher. Senior executives have also found their job security has been threatened.

Above all, it is clear that financial institutions are still seeking to find the correct balance between risk and reward amongst the upheaval of financial innovation. And governance and control mechanisms developed to identify and eradicate uneconomic investment decisions are clearly a work in progress.

The purpose of this paper is to shed some light on the progress of major financial institutions around the world in developing governance and control systems. Further, it endeavours to provide answers to some significant questions that have hovered over the industry for some time: Has the burden of implementation cost peaked? How much is the annual cost of compliance? Are economies at play in compliance with the introduction of myriad new rules? Are geographical or sectoral differences evident across the industry? Who has responsibility within financial institutions for governance and control? And, finally, what does best practice look like?

The financial services industry has been hit by a deluge of regulation since the turn of the Millennium. This has included measures to address capital adequacy such as Basel II and Solvency II, and measures addressing market practices, such as Treating Customers Fairly (TCF) in the United Kingdom, and the Markets in Financial Instruments Directive (MiFID) in the European Union, as shown in Figure 1. Investment banks, commercial banks and insurers have all been affected by regulations from a variety of jurisdictions.

More important for investors is the ability of a financial institution not only to focus on compliance but also to deliver bottom-line business benefits from governance and control activities. These benefits can include increased shareholder confidence, better credit ratings, a lower cost of capital, strengthened risk management practices, including evidencing of control, and an overall, stronger sense and comfort of being in control.
• The regulations included in the above illustration are not a comprehensive list of regulations influencing the global financial services industry.
• The timeline indicates when a regulation was or is due to be implemented.
Source: Deloitte Research, 2007
Key findings
The governance and control burden is growing rapidly, and is likely to peak at £50 billion in 2010
Most senior executives realise that one of the fastest growing line items on the expense base over the last five years has been governance and control, but often this is not highlighted separately in profit and loss accounts. Significant programmes have been established, and resources diverted, to redesign control infrastructure, procedures and processes to ensure compliance across the business. We estimate that major financial institutions have seen the costs for governance and control between 2003 and 2006 rise by around a third on average.

Contrary to established wisdom, our research shows that the financial burden of compliance has not yet peaked and is likely to reach nearly £50 billion ($100 billion) in 2010. Over half of the respondents do not expect to see any deceleration of reform until 2010, compared with only a fifth who think reform will slow. In 2007, costs for the largest 100 financial institutions were between £21 billion and £28 billion ($42 billion and $56 billion). By 2010 these will likely rise to between £35 billion and £48 billion ($70 billion and $96 billion). The most significant increases are likely to be in compliance activities, risk management and business unit control.

The very different evolution of compliance demands across the industry is leading to different cost trajectories within banking, insurance and capital markets. The principal impact of Basel II spending has been on banks in the middle of this decade, but completion deadlines are now in effect in most markets with the exception of the United States. Solvency II, however, is still very much in its infancy. Figure 2 illustrates these different sector expense profiles. The graphic shows the financial services industry is unlikely to pass the peak of the compliance burden until well into the next decade.

[Figure 2: Regulatory burden yet to peak. Chart of cost against year (2001, 2004, 2007, 2010, 2013; part of the range marked as an estimate) for universal/retail banks, investment banks and insurers. Source: Deloitte Research, 2007]

Each of these sectors differs in terms of the steps it is now likely to take. Banks will be attempting to use their investments in implementing Basel II to gain business benefits, principally through regulatory capital relief and improved pricing. European insurers are likely to be accelerating their investment and upgrading of systems to reach compliance with Solvency II, with International Financial Reporting Standards (IFRS) giving all insurers opportunities for benefits by improving the reporting of risk. Finally, investment banks are likely to be investing in enterprise-wide controls to become more compliant and efficient following the credit crunch.

Economies of scale are at play, as big appears to be best
Little is known about how the burden of compliance has been distributed across the financial services industry. This is a fiendishly difficult area to investigate, but it is critical to understanding the impact of the regulatory avalanche on business performance.

Our survey of governance and control has found that larger financial services institutions have costs as a percentage of operating expenses 2.5 per cent lower than smaller counterparts.[6] Larger institutions appear to be benefiting from economies of scale – this despite the fact that on average they operated in 36 markets compared with just six for smaller institutions.

This may be because larger institutions are more likely to leverage economies of scale in governance, control and risk specialists in setting global standards. The ability to implement, cost-effectively, flexible systems for governance and control, which can cope with significant variation in compliance responsibilities across borders, will increasingly become a hallmark of success.

Trends in international regulation, particularly the use of a ‘lead supervisor’ to co-ordinate peer jurisdictional authorities could significantly cut costs for larger institutions. The insurance sector, for example, believes that the supervision of groups operating in a number of jurisdictions should be co-ordinated and led by the supervisory authority of the jurisdiction where the group is headquartered.[7] Further, the European Commissioner, Charles McCreevy, announced that regulatory authorities would be co-ordinated, where possible, across all areas of the current Level 3 arrangements.[8]

The long-term implications of this potentially are highly significant. If the regulatory burden is falling more heavily on smaller institutions, they will increasingly be operating at a competitive disadvantage. This unintended consequence of the regulatory deluge may therefore need to be reviewed within the context of principal-based regulatory regimes.
Our survey found that insurance is currently the sector lagging in its implementation of a governance and control structure. Preparations for compliance with Solvency II by 2012 are putting pressure on insurers to improve their governance, control and risk practices (see Sidebar). As well as the potential benefits from Solvency II, insurers face opportunities from IFRS Phase 2, which will give them the chance to convey their business potential and risk appetite in financial statements, and therefore potentially improve shareholder confidence.

Our research highlights fragmentation across major financial firms in who has responsibility for integrating governance, risk and control systems.
Implementation challenges
Compliance and competitive advantage are seldom paired together. Most financial institutions have kept them well apart over decades. Until now. It is clear that developing governance and control capabilities can yield improved business performance. The focus is now on achieving next generation capabilities.

Almost no major financial institution can claim to have a fully integrated and operational system of risk, governance and controls. We estimate around 33 per cent of institutions are in the leaders category, 45 per cent in the followers cluster, with the remainder in the laggards group.

The focus on achieving next generation status – an intelligent risk, governance and control culture – will require those at the top of an organisation to recognise the long-term benefits of improved risk management. A portfolio view of an organisation’s risk appetite may have helped many of the financial institutions that have faced difficulties in the recent credit crunch, for example. By moving to a more active approach, as shown in Figure 3, rather than a passive or defensive approach, all firms can gain business benefits from their governance and control.

[Figure 3, surviving labels]
1 Regulatory compliance
• Invest to avoid regulatory non-compliance
2 Internal controls reporting
• Consolidate internal controls across operational units and borders
• Enhance management accountability
• Produce reliable reporting
• Self-assessment regime
5 Risk optimisation
• Improve control operational efficiency
• Improve control effectiveness
Approach label: Passive

Next-generation institutions will be distinguished in three key areas:

1) Governance. Senior management should be visibly involved in communicating messages about behaviour in risk and control culture through the organisation in a way that reflects the ‘tone at the top’ and adopts continual improvement. The Basel Committee on Banking Supervision at the Bank for International Settlements has said that since the board of directors is ultimately responsible for the operations and financial soundness of a company, a bank’s risk profile, policies and management procedures should be understood and approved at board level.[14]

Action: From now on, the board and senior executives must bring clarity to who owns the integration of governance, risk and control across the institution. Different regulatory systems across the world mean no one position fulfils this function. Nonetheless, the common factor is the need for the board to appoint an individual with this responsibility. In the United Kingdom the chairman could be best placed to take on this responsibility. The responsibility for control may give the chairman the detailed management information to act as a more effective counterweight to the executives. Gaining clarity on the issue of accountability will be essential for success.
2) Culture. Building a strong governance and control culture within a company could significantly reduce the risks of control failure and could identify more areas where good control can bring business benefits. The FSA in the United Kingdom has said: “there should be a clear message within [a] firm that compliance risk is owned by the business and that all staff are responsible for adhering to the desired compliance culture”.[15] This message should be strengthened by explicitly considering the compliance behaviour in staff assessments, including staff appraisal, reward and promotion processes.

Action: It is clear that if a financial institution does not appreciate controls as good business sense, there may be active resistance to governance and control initiatives. There needs to be a continuing work programme focused on how to embed and reward the right policies and procedures across an organisation. As one executive put it “you have to keep renewing the white blood cells”.

3) Operating model and systems. The technology industry would not be what it is today without the financial sector and its huge purchasing power. Pressure to reduce costs means that successful financial institutions are likely to demonstrate an ability to optimise technology around key priorities including governance and controls. Developing systems that can intelligently review data to identify control shortfalls in real time is crucial to reducing the many and costly risks of control failures. Tools now exist that allow organisations to structure and store all relevant data in a central repository, including data related to their risks, controls and procedures.[16] Embedding automated controls can give senior management the opportunity to govern in a manner that is consistent with the company’s risk profile.

Action: Building the operational infrastructure to ensure a flexible and integrated governance and control system is a major challenge for financial institutions. Figure 4 sets out four pillars around which to build this infrastructure:
• Organisational consistency
• Business model architecture
• Technology capability
• Information quality.
Figure 4: Getting it right – factors that impact the cost of large scale change for controls or compliance purposes within financial institutions

Organisational consistency: Lack of consistent approach to the organisation, business processes, technology, controls and information multiply the problem of control or compliance in proportion to the number of different ways of doing things:
• Inconsistent controls

Business model architecture: Lack of a quality definition of the products, processes, compliance requirements, risks, controls, systems and information mean that huge costs are expended to find out how the business operates in detail to enable plans to be formulated about how to develop a compliant approach or indeed deliver any kind of cross component change. Poor quality information around products, processes, systems, compliance requirements, risks and controls:
• Missing
• Out of date
• Lacking relationships
• Lacking detail.

Technology capability: Lack of technical leverage (e.g. to deliver controls) common platforms, excessive componentisation and closed systems all make change very expensive, risky and complex:

Information quality: Information that is dispersed, inconsistent, duplicated, incomplete or inadequate is very expensive to fix before addressing the requirement – lack of an overall information architecture compounds the problem:
• Dispersed
• No information architecture
• Incomplete or inadequate.
Conclusion
Current market dynamics reinforce that there are few greater issues
for financial institutions to address than governance and control
systems. While such systems set few hearts racing until it is often
too late, increasingly they are determining the long-term winners
and losers across the world’s financial services industry. Further, they
are likely to play a central role in the individual success or failure of
senior executives whom shareholders, regulators and other
stakeholders hold accountable. Like it or not – governance and
controls should be right back at the top of the corporate agenda in
financial firms around the globe.
Notes
[1] For example, see: The cost of regulation study, Deloitte & Touche LLP, 2006 (commissioned by the Financial Services Authority in the United Kingdom).
[2] Deloitte Research undertook a survey of 32 companies in the financial services industry, together making up a third of the world’s top 100 financial services companies by market capitalisation. Governance and controls survey, January 2007.
[3] This calculation is based purely on the cost base. We have not included any costs or benefits from improved risk management and allocation of capital.
[4] Deloitte Research undertook a survey of 32 companies in the financial services industry, together making up a third of the world’s top 100 financial services companies by market capitalisation. Governance and controls survey, January 2007.
[5] Goldman sees credit losses totalling $1.2 trillion, www.reuters.com, 26 March 2008.
[6] Larger companies have been defined as those with a market capitalisation of greater than £20 billion and operate in an average of 36 countries. Smaller companies have been defined as those with a market capitalisation of less than £20 billion and operate in an average of six countries. Governance and controls survey, January 2007.
[7] www.cea.assur.org/cea/download/publ/article258.pdf
[9] Deloitte & Touche LLP (China), Understanding the framework: Adopting the Basel II Accord in Asia Pacific, Deloitte Touche Tohmatsu 2005. http://www.deloitte.com/dtt/cda/doc/content/02720_Basel_II_Adopting.pdf
[13] Ibid.
[14] Enhancing corporate governance for banking organisations, Basel Committee on Banking Supervision, Bank for International Settlements, February 2006.
[15] http://www.fsa.gov.uk/pubs/ceo/compliance_risk.pdf
[16] Securities and Banking Update: A firm hand at the wheel, Deloitte & Touche LLP UK, July 2007.
Contacts
Chris Gentle
Associate Partner and Global Head of Research
+44 20 7303 0201
Russell Collins
Partner, Head of Financial Services Industry
+44 20 7303 2929
Kari Hale
Partner, Banking and Securities
+44 20 7303 5799
Simon Owen
Partner, Head of Enterprise Risk – Technology
+44 20 7303 7219
William Higgins
Partner, Head of Financial Services Advisory
+44 20 7303 2936
Pierre-Henri Cassou
Partner, Governance & Regulatory Compliance
+33 140 88 2504
In this publication, Deloitte refers to one or more of Deloitte Touche Tohmatsu (‘DTT’), a Swiss Verein, its member firms,
and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither DTT nor any of its member firms
has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity
operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu”, or other related names.
Services are provided by the member firms or their subsidiaries or affiliates and not by the DTT Verein.
In the UK, Deloitte & Touche LLP is the member firm of DTT, and services are provided by Deloitte & Touche LLP and its
subsidiaries. For more information, please visit the firm’s website at www.deloitte.co.uk
Deloitte & Touche LLP is authorised and regulated by the Financial Services Authority.
This publication has been written in general terms and therefore cannot be relied on to cover specific situations;
application of the principles set out will depend upon the particular circumstances involved and we recommend that
you obtain professional advice before acting or refraining from acting on any of the contents of this publication.
Deloitte & Touche LLP would be pleased to advise readers on how to apply the principles set out in this publication to
their specific circumstances. Deloitte & Touche LLP accepts no duty of care or liability for any loss occasioned to any
person acting or refraining from action as a result of any material in this publication.
© Deloitte & Touche LLP 2008. All rights reserved.
Deloitte & Touche LLP is a limited liability partnership registered in England and Wales with registered number
OC303675. A list of members’ names is available for inspection at Stonecutter Court, 1 Stonecutter Street,
London EC4A 4TR, United Kingdom, the firm’s principal place of business and registered office.
Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.
Member of Deloitte Touche Tohmatsu
Designed and produced by The Creative Studio at Deloitte, London.