Financial Services

Global Risk Management

Contents
Foreword 1

Introduction 3

Research findings 4

Conclusion 11

For more information 12

Contacts 13
 Financial Services
Global Risk Management

Foreword
The leaders of global financial services institutions have a
challenging job. Each day they must make decisions that will steer
these complex and wide-ranging organizations towards ever greater
success. In making these decisions, financial services executives
lean heavily on best practices, developed from experience, and
continually refined to give them the edge in a competitive market.
These leaders cannot afford to simply ‘stumble upon success’
- instead they have developed their own ‘Formulas for Success’, that
can be repeated and refined for the markets in which they choose
to compete.

But what are these ‘Formulas for Success’ and how can other
institutions learn from them? This report focuses on the ‘Formulas
for Success in Risk Management’. It builds on a recent survey of over
160 executives from a range of financial services firms, and reveals
their formulas for managing a range of risks in today’s environment,
how they are adapting to a changing regulatory environment, and
what steps they are taking to promote good risk management
practices across their organization. The report also discusses
how institutions are pursuing a more ‘holistic’ approach to risk
management and how they are integrating their capabilities into an
enterprise wide risk management process.

This report is one in a series focusing on ‘Formulas for Success in

Financial Services’. Each report includes survey data collected for
Deloitte by the Economist Intelligence Unit and the viewpoints of
Deloitte partners and professionals who specialize in each particular
area covered. I hope that you find these reports useful, that they
stimulate ideas within your organization, and help you to develop
your own ‘Formulas for Success’.

Jack Ribeiro
Managing Partner
Global Financial Services Industry
Deloitte Touche Tohmatsu

1
 Financial Services
Global Risk Management

Introduction
Despite massive regulatory and private-sector efforts to control risks in financial markets,
today’s headlines paint a picture of a landscape that is highly fraught. The International
Monetary Fund has recently estimated that the write downs by banks globally in the value
of their assets will amount to almost $1 trillion. The US is likely already in a recession as a
result of the credit crunch, and knock-on effects are continuing to be felt in a variety of areas
including commercial real estate, corporate borrowing and securitized credit card receivables.

Against this backdrop, the Economist Intelligence Unit conducted

a survey in collaboration with Deloitte to see how banks, insurers, Survey breakdown
investment banks and other financial institutions manage their
various risks—and how some of the forward-looking ones are
managing them better. This paper summarizes the results of that
research and looks at a variety of risks:
• counterparty credit and broader credit and liquidity risks
• operational and compliance risks, including rogue trader events
• competitive risks within the industry, including the growing
prominence of low-cost online-service providers.

This paper is based on an online survey of 164 financial executives,

as well as in-depth interviews with Deloitte subject matter specialists
on risk management in financial institutions.1

Source: Deloitte/Economist Intelligence Unit

For more detailed information on financial services risk management practices also refer to Deloitte’s series of risk management surveys,
1

the most recent of which is report “Global Risk Management Survey: Fifth edition, Accelerating Risk Management Practices”.

3
Financial Services
Global Risk Management

Research findings
A measured response by firms to the current market turmoil.
Despite the gravity of the current market situation, the picture Many financial services firms are evolving to a more holistic
emerging from our research is that of a measured, rather than approach to risk management, meaning they emphasize long-term
panicky, response by firms. Financial firms have been implementing solutions that encompass the entire organization. Such solutions
their responses to regulations such as Basel II for banks and, in involve senior management in operational issues and ensure that
the case of the European Union countries, Solvency II for insurers. employees at all levels know that managing risk is important to
These regulations aim to incent strong risk management and to help each aspect of the business. Firms are also taking steps to promote
ensure that financial institutions maintain sufficient capital to buffer cooperation between different parts of the organization to better
against potential exposure to their significant financial and non coordinate their management of risk.
financial risks.
Based on current market turmoil it is not surprising that financial
The survey shows that the level of importance of risk management services firms are focusing heavily on the risk of credit default.
in financial services organizations is higher than ever: 84% of However our survey shows that financial firms’ efforts to minimize
respondents have seen a more prominent role emerge for their risk this type of risk have been somewhat measured, focusing more on
management function in the past year, not only in response to the improving data flows and sharpening general forecasting capabilities
credit market turmoil, but also driven by the adoption of new risk than on upgrading technical credit analysis skills. Operational
management regulations, and the belief that good risk management risk management also attracts significant attention in our survey,
can provide a competitive advantage in today’s market. perhaps in light of recent reports of unauthorized trading activities.

Over the past year, has risk management grown more

important to your organization?

Source: Deloitte/Economist Intelligence Unit

4
 Financial Services
Global Risk Management

Risk management is growing in importance within financial services organizations.

A decisive majority of respondents (84%) say that risk management practice Risk and Capital Management service line.“Implementing
has grown more important to their companies over the past year. Basel II involves a significant increase in sophistication when it
Only 13% said it has not, suggesting that financial institutions comes to measuring and managing regulatory capital, and increased
are acutely aware of the need to tighten their control of risk sophistication in the bank’s risk management capabilities in general.”
management capabilities.
Indeed, Basel II has offered a competitive advantage to those who
Somewhat surprisingly, survey respondents pointed to requirements were forced to implement it early, notes Leon Bloom, Deputy
with long-term implications such as the implementation of Basel Managing Partner of Deloitte’s Global Financial Services Industry
II, Solvency II, and Sarbanes-Oxley requirements, as the main practice. “Keep in mind that the sub-prime mortgage situation
reasons for their increased focus on risk management. The largest originated in the US, and Basel II has not yet been implemented
number of participants indicated that regulatory pressures are the in the US. Among other things, Basel II requires banks to assess
main drivers for risk management focus, followed by competitive counterparty risk, and to set aside adequate capital to act as a
pressures, agreeing that proactive risk identification and tight risk buffer against the potential failure of a counterparty.”
control provides a competitive edge, particularly in uncertain times.
Nonetheless, the complexity of regulations such as Basel II and
Interestingly, only 19% cited recent lapses as the main reason for Sarbanes-Oxley have made financial institutions wary of what rules
their increased focus on risk management. The implication is that may be issued in the future. Vishal Vedi, a UK based Deloitte Risk
risk management is seen as a fundamental requirement of running and Capital Management partner, says financial firms are monitoring
the business, rather than a response to recent events. developing regulations, both to influence the rule-making process
and to ensure full compliance once new rules are issued: One rule
For bankers, Basel II (risk based capital adequacy rules) have loomed under review, for example, deals with changing the percentage of
large for nearly a decade. The rules took effect in Canada and liquid assets required in a bank’s portfolio, defined by the maturity
Australia in 2007 and in the EU and Japan on January 1st, 2008. At date of each asset. Monitoring such debates helps institutions to
this point in time, US banks have until 2009 to comply. Basel II has manage their regulatory risk. Among other things, they can discuss
had a positive influence on risk management, says Edward Hida, the likely impact with the regulator, and also the best approaches to
Partner and leader of Deloitte’s Global Financial Services Industry compliance.”

What is the main reason risk management has grown more important to your organization?

Source: Deloitte/Economist Intelligence Unit

5
Financial Services
Global Risk Management

Risk managers pay relatively more attention to operational risk than to other types of risk
exposure.

Of the various types of risks monitored by financial firms, The focus on operational risk could well be a result of an increased
operational risk gets the most attention, with 77% of survey regulatory burden, much of which deals with ensuring adequate
respondents saying they monitor such risks on an ongoing basis. and effective internal control. It may also result from the large
potential exposure associated with lapsed controls.
Risks arising from shifts in financial markets, such as movements in
interest rates and changes in market liquidity, are also high on the Then, too, the current focus on operational risks may result from
list. In our survey, 73% of respondents said they follow interest- the fact that monitoring this type of risk represents a greater
rate movements, while 69% monitor liquidity levels (however the challenge than monitoring other types of risk, perhaps because it
responses for these risks were much higher for banks than for others often results from a dangerous, difficult to identify, combination of
given the importance of managing these risks for banks). About 6 in risks rather than a single risk issue. Many firms have quantitative risk
10 respondents said they regularly monitor other exposures such as measurement models in place allowing them to respond to currency
the risks associated with faulty strategy, unexpected equity markets and interest-rate movements with speed and precision. On the
swings, sudden acute currency shifts, and counterparty default risk. other hand, although most operational risks are of low impact and
Political risk, on the other hand, is a lesser concern, with only 35% relatively high frequency, some are like earthquakes. They are costly
of respondents regularly monitoring this variable. and their historical lack of frequency makes them hard to predict.

Which key risks does your company monitor on an ongoing basis?

Source: Deloitte/Economist Intelligence Unit

6
 Financial Services
Global Risk Management

To minimize operational risk exposure, financial firms are developing a range of techniques
that involve the entire organization.

The sensational discovery of rogue trading and other procedural In our online survey, respondents stressed the importance of
lapses has led financial services firms to develop a range of involving senior management in operational issues (62%) and
techniques for controlling operational risk. Some of the best broadening the purview of the risk management function (62%)
practices in this area include: as ways to help control operational risk. A majority (51%) also said
a. Development of key risk indicators (KRI’s) for all major business it is important to continuously educate employees about changes
processes to assess whether the activities fall within defined in regulation to ensure compliance, including with operational
bands of tolerance standards.
b. Systematic and comprehensive collection of data about internal
Respondents’ emphasis on involving top management and enlarging
(and external) loss events
the scope of the risk management function underlines the holistic
c. Analysis of a range of risk scenarios, including extreme ones that approach they take to controlling risk. Limiting operational risk is
could threaten the organization’s solvency, and the development no longer seen as the narrow remit of a small, often centralized,
responses to counter each scenario group of technical experts, but rather a broadly shared responsibility
d. Performance of bottom-up risk and control self-assessments borne by managers and staff at all levels. This, in turn, suggests a
in which each business unit identifies its significant risks and more general shift in perception of the risk management function.
reports on how each is controlled There is recognition that to be effective, risk management must be
e. Preparation of risk-based scorecards to provide a snapshot of mandated at board level, embedded in the operating culture, and
significant operational risk exposures at all organizational levels, promulgated across the enterprise.
and aggregation of scorecard information into enterprise-wide
dashboards

Has your organization taken, or will it take in the next year, any of the following steps to better manage operational and
regulatory compliance risks?

Source: Deloitte/Economist Intelligence Unit

7
Financial Services
Global Risk Management

To control credit risks, firms are focusing on upgrading overall organizational resources—such
as improving data flows and sharpening general forecasting skills—rather than simply singling
out credit-analysis for improvement.
In view of the current liquidity crunch, one might expect financial While a holistic, organization-wide approach may be most valuable
services firms to focus mainly on improving their technical skills in in the long term, in some cases, specific credit-related policy
analyzing the creditworthiness of counterparties; however, this is not changes are in order, notes Leon Bloom. “Banks have taken massive
so. Our survey shows a more comprehensive response to the crisis, write-downs in the value of assets, which has understandably raised
one that emphasizes improving broader credit risk organizational questions about the risk capabilities of the banks involved and the
resources and capabilities. extent to which their risk practices are proactive versus reactive. The
write-downs have also raised questions about the effectiveness of
Most respondents (57%) said that improving data and developing the regulatory framework under which banks operate. Banks could
better, more risk sensitive forecasting models are the most no doubt have done a lot more to determine the quality of the
important means of improving credit control. About half (48%) underlying assets when they invested in mortgage-backed securities.
cited broadening information sources, and half (50%) also cited On reflection, many financial institutions should have avoided
creating management ‘dashboards’ of key risk indicators (KRI’s) as mortgage-backed securities altogether.”
an effective method for controlling credit risk.

Fewer than four in 10 cited ‘increasing internal ratings capability’

(39%) and ‘tightening underwriting standard’ (38%) as priority
areas in the year ahead (with the exception of insurance sector
respondents who rated underwriting highly). These results suggest
that, rather than quickly reorienting their activity to respond to
a current problem, most companies take a measured response,
focusing on upgrading overall risk management capabilities over the
long term.

What steps does your organization plan to take to better manage credit risk?

Source: Deloitte/Economist Intelligence Unit

8
 Financial Services
Global Risk Management

To deal with general business risk, financial firms emphasize improving information flows and
educating employees about competitive issues.

The broader, more holistic approach to risk management also is “The main challenge is to create a set of assumed events that
evident in firms’ approach to managing general business risks, such as represent actual risks for the organization, and to regularly run these
those arising from the growing prominence of low-cost competitors through the company’s risk management systems. The stress tests
and from industry consolidation. As was the case in responding to help management to understand the nature of the risks and the
credit risk, most respondents (57%) cited improving information effect they would potentially have on the business. This process also
flows when asked about ways to control general business risk. A suggests possible responses. For example, a bank might consider the
little more than half (51%) cited upgrading employee knowledge relative merits of hedging vs. internalizing risks without hedging.
of such risks. At the same time, there was a sense that competitive Ultimately, managers need to decide how much risk to retain in the
information could be dangerous in the wrong hands: 42% advocated business; running stress tests helps them to do that.”
limiting employee access to sensitive proprietary data.

Interestingly, only 8% expect their companies to take previously Controlling strategic risks
outsourced functions back in-house as a way to limit business risk.
This suggests a level of comfort with outsourcing, even though Strategic risk arises from an organization’s directional choices. It is
outsourcing and off-shoring pose additional business risks. The the risk that senior management will go down a path not aligned
survey results reflects recognition that outsourcing may be a with investors’ requirements for risk and return. Deloitte partner
competitive necessity in a time of stiffer competition from online Leon Bloom lists some of the ways that forward-looking financial
and other low-cost service providers. companies can minimize this risk:
• Performing strategic scenario analyses
In addition, forward-looking companies build and stress test • Benchmarking with peer organizations, looking at the success
complex risk scenarios as a way to measure and control business or failure of their choices
and strategic risks. These scenarios frequently include variables
• Clearly and explicitly taking into account the risks inherent in
such as interest rates, currency values, equity and bond market
strategic choices
conditions, credit market conditions and political environments.
A key to avoiding strategic unexpected concentrations and • Considering the capital requirements associated with
exposures is to build realistic scenarios and apply company-wide different strategic choices and how these affect the
‘stress tests’. These are estimates of the impact on the company company’s overall capital position
under different scenarios, says Deloitte partner Edward Hida:

What steps does your organization plan to take to better manage other business risks?

Source: Deloitte/Economist Intelligence Unit

9
Financial Services
Global Risk Management

Organizational structures are changing in response to the greater focus on risk management,
with increasing prevalence of Chief Risk Officers and the removal of ‘risk silos’.

Risk management practices are only as good as the organizations At the same time, financial firms are broadening how they look at
which are implementing them, and here some changes are evident. risk and thereby expanding the purview of the risk management
Banks, in particular, are changing their organization structures function itself, Hida adds: “Everyone is focusing on the credit
to ensure that risk management is integrated into all business crunch, but there are broader geopolitical risks out there, such
processes. as those concerning the rise of sovereign wealth funds, regional
conflicts, and terrorism risks. Banks now systematically evaluate their
For example, most banks now have a Chief Risk Officer (CRO) operations in various countries, in addition to the creditworthiness
who establishes the risk policy framework, the processes for risk of specific counterparties. Some risk departments also have experts
measurement and risk management, and the limits that govern who consider disaster scenarios, such as health crisis that prevent
risk-taking. The CRO function is independent of the businesses that employees from getting to work. These now fall under the purview
take the risks. In addition to risk management at the business unit of risk management, while in the past they may have been managed
and CRO levels, there is typically a third line of defence in the form elsewhere.”
of a risk and control assurance function. This is usually carried out
by the internal audit function, which provides assurance that the In general, financial firms are reorganizing and formalizing the
framework and policies established by the CRO are competent and way they look at risk, with different approaches used to analyze
applied effectively throughout the organization. different types of risk, says Vishal Vedi: “Some banks are starting
to aggregate credit risks across their portfolios rather than solely
In addition, and perhaps as a result of prodding by CRO’s, financial customer by customer. This way, correlations between different
firms are learning to view risks holistically across the organization. exposures can be taken into account. On the other hand, in the
Risk-evaluation is therefore emerging from individual organizational area of business risk, banks are dividing risk into categories and
silos and being conducted more centrally, says Deloitte partner looking at them separately. For example, within mergers and
Edward Hida: “One lesson learned from the credit crunch is that acquisitions, they might separately measure the risk of a transaction
many financial products are subject to elements of both market and not being completed, the risk of the failure of one or both merging
credit risk, and that the two should be considered together. In many entities, and the risk that integration of the two firms might not go
cases it doesn’t make sense to have separate silos measuring credit smoothly.”
and market risks. Banks are looking at ways to break down the
silos and perform more comprehensive risk analyses. One approach
is to set up a joint credit and market risk oversight committee for
complex transactions subject to both market and credit risk.”

10
 Financial Services
Global Risk Management

Conclusion
Risk management is becoming a more prominent concern within
financial firms, but not for the reasons one might expect. Apart
from the turmoil dominating recent headlines, it is the increased
regulatory burden and the growing prominence of new competitors
in the industry that are driving much of today’s risk management
activity. Of the various types of risk arising in financial firms,
operational exposures receive the most attention, followed by
different types of market risk (eg, interest rate movements and
market liquidity).

Evolving best practices in risk management effectively tend

to involve the entire organization, rather than only the risk
management department. Moreover, they emphasize the
development of general organizational resources and capabilities
rather than technical skills alone. Improving information flows and
providing ongoing employee training in such areas as regulatory
developments figure prominently in financial firms’ risk control
strategies.

Financial companies are also adapting their organizational structures

to respond to risks. Most now have a Chief Risk Officer and are
attempting to break down or connect organizational silos. In
general, financial services firms are taking a measured response
to risk exposures, rather than displaying panicky reactions to the
current crisis in financial markets.

11
Financial Services
Global Risk Management

For more information

Jack Ribeiro
Managing Partner
Global Financial Services Industry
Deloitte Touche Tohmatsu
1 212 436 2573
jribeiro@deloitte.com

Contributors
Leon Bloom
Deputy Managing Partner - Service Lines
Global Financial Services Industry
Deloitte Touche Tohmatsu
1 416 601 6244
lebloom@deloitte.ca

Edward Hida
Leader - Global Risk and Capital Management
Partner, Regulatory & Capital Markets Consulting
Deloitte & Touche LLP
1 212 436 4854
ehida@deloitte.com

Vishal Vedi
Partner, UK
Deloitte & Touche LLP
44 20 7303 6737
vvedi@deloitte.co.uk

Marketing
Chris Patterson
Director of Marketing
Global Financial Services Industry
Deloitte Touche Tohmatsu
1 212 436 2779
chrpatterson@deloitte.com

Michelle Chodosh
Marketing Associate
Global Financial Services Industry
Deloitte Touche Tohmatsu
1 212 436 6242
mchodosh@deloitte.com

12
Deloitte Touche Tohmatsu member firm
Financial Services Industry leaders
Americas Asia Pacific Europe, Middle East, Israel
Dan Halpern
and Africa 972 3 608 5471
Argentina Australia
Claudio Fiorillo Warren Green dhalpern@deloitte.com
Austria
54 11 43204018 61 2 9322 5454 Dominik Damm Italy
cfiorillo@deloitte.com wgreen@deloitte.com.au 43 1 53700 5440 Riccardo Motta
dodamm@deloitte.com 39 02 833 22 323
Bahamas China rmotta@deloitte.it
Raymond Winder Wade Deffenbaugh Belgium
1 242 302 4841 852 2852 6629 Frank Verhaegen Luxembourg
rwinder@deloitte.com wadeffenbaugh@deloitte.com.hk 32 3 800 88 53 Eric van de Kerkhove
fverhaegen@deloitte.com 352 451 452 468
Bermuda India evandekerkhove@deloitte.lu
Roger Titterton V.V. Subbarao Central Europe
1 441 299 1313 91 11 5562 2000 x2096 Malta
Mike Jennings Raphael Aloisio
rtitterton@deloitte.com vvsubbarao@deloitte.com 420 2 248 955 76 356 21 335290
mijennings@deloittece.com raloisio@deloitte.com.mt
Brazil Indonesia
Clodomir Félix Basar Alhuenius CIS (includes Russia) Middle East
55 11 5186 1655 62 21 2312879 x3212 Vadim Sorokin Joe El Fadl
clodomirfelix@deloitte.com balhuenius@deloitte.com 7 095 787 0626 961 1 363 005
vsorokin@deloitte.ru jelfadl@deloitte.com
Canada Japan
Cathy Bateman Yoriko Goto Cyprus Netherlands
1 416 601 5953 81 3 6213 1372 Rob Stout
Nicos Charalambous
cbateman@deloitte.ca yoriko.goto@tohmatsu.co.jp 31 20 454 7055
357 25 868740
rstout@deloitte.nl
ncharalambous@deloitte.com
Cayman Islands Yukio Ono
Norway
Dale Babiuk 81 3 6213 3630 Denmark Arve Rafteseth
1 345 814 2267 yukio.ono@tohmatsu.co.jp Lone Møller Olsen 47 23 27 97 59
dbabiuk@deloitte.com 45 33 76 38 03 arafteseth@deloitte.no
Korea lolsen@deloitte.dk
Chile Joseph Yong In Shin Portugal
Pablo Herrera 82 2 6676 1100 Finland Maria Augusta Francisco
56 2 2703 281 yishin@deloitte.com Petri Heinonen mafrancisco@deloitte.pt
paherrera@deloitte.com 358 20 755 5460
Malaysia petri.heinonen@deloitte.fi South Africa
Colombia Meng Kwai Ng Casper Troskie
Ricardo Rubio Rueda 603 7723 6560 27 11 806 5860
France
57 1 635 1910 mng@deloitte.com ctroskie@deloitte.co.za
Pascal Colin
rrubio@deloitte.com 33 1 40 88 29 62 Spain
New Zealand pcolin@deloitte.fr Fernando Ruíz
México Rodger Murphy
34 91 514 5692
Carlos A. Garcia 64 9 303 0758 José-Luis Garcia feruiz@deloitte.es
52 55 5080 6093 rodgermurphy@deloitte.co.nz 33 1 40 88 28 15
cargarcia@deloittemx.com josgarcia@deloitte.fr Sweden
Philippines Jan Palmqvist
USA Avelina Gille Germany 46 8 506 723 82
Jim Reichbach 63 2 581 9055 Friedhelm Kläs jpalmqvist@deloitte.se
1 212 436 5730 agille@deloitte.com 49 69 75695 6111
jreichbach@deloitte.com Switzerland
fklaes@deloitte.de
Singapore Philip Göth
Uruguay Prakash Desai 41 1 421 60 00
Greece
José Luis Rey 65 6530 5585 pgoeth@deloitte.ch
Nicos Sofianos
598 2 9160756 pradesai@deloitte.com 30 210 678 1219 Turkey
jrey@deloitte.com nsofianos@deloitte.gr Sibel Turker
Taiwan 90 533 583 36 92
Venezuela Peter Tsai Iceland sturker@deloitte.com
José Antonio López 866 2 2545 9988 x7441 Pall Gretar Steingrimsson
58 212 2068567 petsai@deloitte.com.tw 354 580 3065 Ukraine
josealopez6@deloitte.com psteingrimsson@deloitte.is Natalia Samoilova
Thailand 380 44 490 9000
Suttharug Panya Ireland nsamoilova@deloitte.com.ua
66 2 676 5700 x5247 Mary Fulton UK
spanya@deloitte.com 353 1 417 2379 Russell Collins
mfulton@deloitte.ie 44 20 7303 2929
rcollins@deloitte.co.uk
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries.
With a globally connected network of member firms in 140 countries, Deloitte brings world-class capabilities and deep local
expertise to help clients succeed wherever they operate. Deloitte’s 150,000 professionals are committed to becoming the standard
of excellence.

Deloitte’s professionals are unified by a collaborative culture that fosters integrity, outstanding value to markets and clients,
commitment to each other, and strength from cultural diversity. They enjoy an environment of continuous learning, challenging
experiences, and enriching career opportunities. Deloitte’s professionals are dedicated to strengthening corporate responsibility,
building public trust, and making a positive impact in their communities.

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a
legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of
Deloitte Touche Tohmatsu and its member firms.

© 2008 Deloitte Touche Tohmatsu. All rights reserved.

Designed by the DTT Communications Center.

Item: 8094