Pushed by regulators, shareholders and the desire for self-preservation, financial institutions have made big strides in risk management. But some critical pieces of effective risk governance, oversight and assessment are still missing.
The eighth edition of Deloitte’s Global Risk Management Survey, released Monday, shows some positive developments in banks’ attitudes and approaches toward risk management: a much higher percentage of bank boards of directors, for example, review and approve risk management policies and contribute to a firm-wide risk-appetite statement. And a larger percentage of institutions have a chief risk officer (CRO) in place (89 percent), up from 65 percent in 2002 and 86 percent in 2010.
But banks have been slower at directly addressing practices that contributed to the 2008-2009 financial crisis and caused financial institutions to fail.
The reporting structure surrounding the chief risk officer position at many global banks, for example, could leave risk executives powerless when a chief executive officer tries to run roughshod over risk limits and policies. At 71 percent of the banks Deloitte surveyed, the CRO reports to the CEO, but only 43 percent said the CRO reports to the board of directors or a board committee — a setup that gives the board an independent source of information on risk management. “Even among large institutions, 50 percent said the CRO did not report to the board, indicating there may be more work to do in strengthening CRO reporting,” according to the report accompanying the survey.
Tying bankers’ pay to risk management to prevent outsized risk-taking is another area where many banks are still lacking. Half of financial institutions have incorporated risk management into the performance goals and compensation of compliance personnel and senior management. But at lower levels of the organization those pay structures are less common. Many of the employees in the trenches — those who wreak havoc on trading desks and make risky decisions about individual credits, for example — do not have their compensation tied to risk metrics.
Banks that have taken action on restructuring compensation are focusing on the senior management level. Fifty-eight percent of these banks have established deferred payouts linked to future bank performance for senior management, for example, and 41 percent reported using clawback provisions for them (up from 26 percent in 2010). In general, large institutions are ahead of small ones in setting risk-management-conscious incentives, Deloitte found.
Finally, financial institutions appear to be dragging their feet on establishing practices to re-evaluate their risk models, many of which failed to “assess severe movements in credit and other markets” in the last crisis, Deloitte said. In the United States, the Federal Reserve and the Office of the Comptroller of the Currency have published new guidance on the validation of risk models. But in the United States and globally, 33 percent of the banks surveyed by Deloitte did not have an independent model-validation function, including 20 percent of large institutions.
What’s more, the much-criticized Value at Risk (VaR) model, which quantifies the level of financial risk within a portfolio or firm for a set time, is still widely used, despite its failures in spotting the meltdown of the financial markets five years ago. Seventy-nine percent of global banks reported using VaR for fixed income; 75 percent for foreign exchange; 72 percent for equity; and 61 percent for asset-backed securities and structured products. In the last category, use of VaR has actually risen since 2010.
The results of a separate survey by the Economist Intelligence Unit, released July 25, confirmed some of the points of the Deloitte study. For example, the EIU found that 55 percent of financial institutions have linked risk management with compensation for senior management, but that number was little changed since 2010.
Of the senior-level executives at 350 banks across the United States, Europe, the Asia-Pacific, the Middle East and Africa that the EIU surveyed, 20 percent said they have failed to integrate risk awareness into their corporate culture. The key barriers to greater risk management awareness within their organizations were “not having enough people and time,” “a lack of appropriate skills,” and “inadequate funding,” the executives said.