While banks have materially strengthened their risk management approach from the board level down across risk, compliance and controls since the financial crisis, the industry is still searching for the appropriate blueprints to establish effective risk accountability across the three lines of defense, according to EY’s 2016 global banking risk management survey, “A Set of Blueprints for Success.”
The global survey of banks carried out by EY and the Institute of International Finance (IIF) follows the industry’s progress in improving risk management by surveying senior risk executives.
“Banks have made considerable strides in terms of risk management enhancements since the crisis,” says Tom Campanile, Partner, Financial Services Office, Ernst & Young LLP. “However, regulations are still changing and industry approaches on emerging or evolving areas such as non-financial risks and increased IT security threats are still maturing. This suggests a long road ahead for banks. Finding a sustainable risk management operating model that will be flexible through this current market environment will be essential to success.”
Although the survey highlighted that significant progress has been made so far, banks may be halfway through what could be a 15-year journey of substantial work to enhance risk management processes.
Additionally, increased investor pressure to achieve higher, stable returns has resulted in banks converging toward an industry norm of three-year ROE targets of 10% to 15% across G-SIB and non-G-SIB banks, forcing banks to adapt their business models to meet these targets.
Andrés Portilla, Managing Director of the Regulatory Affairs Department at the IIF, says: “Banks are still under huge pressure on different fronts, and the risk management function is evolving rapidly to cope with the changes in the economic and regulatory environments. As this report shows, it is about embedding the concept of risk throughout all the processes and business of the organization, for which a period of regulatory stability is essential.”
EY and the IIF have also identified the continued significance of non-financial risks that pose major financial strains on the business.
Specifically, focus on a wide range of conduct areas has increased – money laundering (increased to 72% from 52% in 2015) and sanctions (increased to 52% from 30% in 2015) have moved significantly up the agenda.
Cybersecurity has surged, with almost half of respondents (48%) highlighting it as one of the three most important risks for their board over the next year.
Effective implementation of the three lines of defense blueprint
According to the survey, banks have greatly stepped up their efforts to make a fully functioning three-lines-of-defense approach to risk management work, but there is still no agreed blueprint within the industry on the balance of responsibilities across the first and second lines – with many firms working to enhance the responsibility of the first line.
More than 60% of banks highlighted that they are currently changing their three lines of defense model. The top reasons for doing this include a significant focus on the first line, including:
Making the first line accountable for end-to-end risk (38%)
Making the first line more clearly accountable for non-financial risk (28%)
Making the first line more clearly accountable for financial risk (27%)
Banks are also looking at the effectiveness and efficiency of the second line functions – in particular, better technology and more advanced data analytics are essential, as are properly implemented centralized teams for common, repeatable tasks (such as testing). Such an approach would allow firms to deliver the right risk outcomes cost-effectively.