The future of risk in financial services Executive summary 1 Evolution of risk management 3 Risk management enters a new era 4 Imperatives for managing risk in the future 6 Levers to drive change 13 Conclusion 14

Six imperatives

Increase focus on Rethink the three Do more with less Establish a formal Enhance the Strategically strategic risk lines of defense conduct and structure and manage capital and risk alignment culture program capabilities of risk and liquidity management

02 Future of risk in financial services | Executive summary

Executive summary

The future of risk management will look dramatically different than the current risk capabilities many are familiar with. Business units will have clear ownership for the risks that they take. Conduct and culture management will be pervasive throughout the organization. The role of the risk management function will also be clear — oversight and challenge. The risk function itself will be streamlined and much slimmer with a rationalized risk infrastructure that uses location and delivery models for cost optimization and leverages the power of digital for both efficiency and effectiveness.

The digital tools will include cognitive agents scanning a wide range of signals in the internal and external environment to identify new risks, emerging threats, and potential bad actors. These digital tools will not only strengthen the risk function but provide additional insight to the business and to strategy and strategic execution. Big data analytics will be used to provide deeper insight into the interactions of risks and causal factors. Robotics and process optimization will restructure processes and automate many of the processes that remain to dramatically reduce both operational risk and also improve quality of risk management — including reviewing conduct and culture risks.

Automated risk triage will occur continuously to elevate risks to risk analysts for further assessment and treatment where warranted of the more significant risk issues. To the extent that reports are needed to summarize the risk activity, natural language generation techniques will prepare draft reports, with only review and selected input performed by the risk analyst. This paper from Deloitte Global describes the challenges facing financial institutions and the approaches they can use to move to this new future of risk management.

The regulatory and business environments have become more requirements, resulting in a disjointed and inefficient structure. volatile and unpredictable than in recent memory. The wave of ever- Activities often take place in silos, making it difficult or impossible stricter regulatory requirements appears to have crested, and may to gain a comprehensive view of risk management across the even abate in some areas. Geopolitical risk has increased with the organization, while increasing cost and complexity. The current United Kingdom’s planned exit from the European Union and the volatile business environment has made it more difficult than before potential that the United States may renegotiate trade agreements for risk management capabilities to keep up. and review alliances that previously have gone unquestioned. FinTech startups are threatening to disrupt traditional financial services The new environment provides strong incentives for financial business models. institutions to transform how they manage risk to become substantially more effective and efficient. This will require institutions In the years since the financial crisis, financial institutions have faced to seize opportunities related to strategy, people, the three lines of a tsunami of new regulatory requirements. The new regulations have defense model, and technology in a coordinated way. Institutions driven up compliance costs, while increased capital and liquidity will need to embrace emerging technologies — such as robotics requirements have reduced returns. These new regulations have process automation, artificial/cognitive intelligence, natural language come in a period of slow economic growth, historically low interest processing, and machine learning — that can reduce costs, while also rates, and limited revenue opportunities, which have further reduced offering foresight into emerging risk issues. returns on equity and led institutions to seek to reduce operating costs including risk management costs.

Today, risk management is at a crossroads. Financial institutions need to decide if they will continue with business as usual or instead fundamentally rethink their approach to risk management. To date, most institutions have responded piecemeal to new regulatory

1 Future of risk in financial services | Executive summary

As they plan for the new era of risk management, institutions should consider the following six imperatives:

Increase focus on strategic risk. With Do more with less. With limited revenue Enhance risk management capabilities. greater uncertainty over the direction of growth and compressed margins, Institutions will need to integrate their regulation, the future of trade agreements institutions need to find ways to reduce siloed responses to the many regulatory and alliances, and the potential for FinTech the costs of managing risk while also requirements that have been introduced startups to disrupt traditional financial increasing effectiveness in order to meet in recent years. At the same time, they will businesses, strategic risk will demand regulatory and broader stakeholder need to leverage the power of RegTech more attention from senior executives, expectations. In addition to traditional solutions to increase their agility in supported by an improved ability to identify process reengineering, substantial efficiency responding quickly to new developments, strategic risks and analyze their potential increases can be achieved by leveraging while providing the analytics that support impact on the organization. These improved RegTech solutions. Deeper and more more effective risk management. capabilities will not only help the institution sustainable cost efficiency and improved manage strategic risk, they will also provide return-on-investment performance can insights to help the institution achieve its be realized by leveraging new capabilities strategic goals and objectives. such as using business decision modeling to assess the cost of change, cost mutualization, and cloud-based services such as platform as a service. Strategically manage capital and liquidity. Recent regulatory requirements have significantly increased capital and liquidity requirements. In the current low- Rethink the three lines of defense revenue environment, institutions will need and risk alignment. Institutions should to consider carefully the impacts of their consider restructuring and eliminating business strategy on capital and liquidity overlapping responsibilities across the Establish a formal conduct and culture so they can improve their returns on equity three lines of defense. In particular, they program. Recent instances of inappropriate by optimizing the use of these scarce should ensure that business units take full behavior by employees at financial resources. ownership of the risks in their area, while institutions have led to an increased the risk management function focuses on focus by senior management as well as by its risk control role through oversight and regulatory authorities on the importance challenge. of instilling a risk-aware culture and encouraging ethical behavior by employees. Efforts in this area will need to be enhanced to demonstrate a programmatic and sustainable approach to conduct risk.

To be effective, institutions will need to address these six imperatives in a coordinated program so that they do not work cross-purposes on individual initiatives. An integrated risk and regulatory change portfolio management approach will be required to advance simplification and modernization efforts yet make sure that underlying capabilities are not compromised. Institutions have the opportunity to reimagine and re-architect the risk management capability of the future.

2 Evolution of risk management

Over the past two decades, risk Post-crisis period. The financial crisis management has gone through several led to a period of “re-regulation,” with distinct phases in response to changing governments and regulatory authorities business conditions and regulatory issuing a wide variety of new or stricter requirements. requirements. Among the many regulatory developments were expanded capital Pre-crisis period. In the years before the and liquidity requirements by the Basel global financial crisis, financial institutions Committee, which revised and ratcheted benefited from generally strong global up capital and liquidity requirements; economic growth and enjoyed significantly the Dodd-Frank Act in the United States, higher returns than are available today. which had sweeping implications across There was a broad consensus among financial institutions; expanded stress the industry and regulators that risk testing requirements in the United States management appeared well equipped under Comprehensive Capital Analysis and to identify and mitigate risks affecting Review (CCAR), which introduced a stringent individual institutions and, by extension, stressed capital assessment regime; greater the financial system as whole. Given this focus on risk data driven by the Basel consensus, the extent of risk-focused Committee on Banking Supervision BCBS regulatory requirements was more modest 239, which caused a significant focus on risk than it would become after the financial data quality and data management; and crisis. new requirements and proposals by the Basel Committee for key risk types including Financial crisis period. The global financial credit, market, liquidity, and operational crisis led to the need for governments and risk that seek to wholly revise risk-based regulatory authorities to provide additional capital calculation methodologies. To capital to stabilize the financial system. Risk comply with these and other new regulatory management during this period was largely requirements, institutions have dramatically engaged in tactical responses needed to expanded their risk management function maintain orderly operations during the and budgets. capital and liquidity crisis. These tactical responses included responding to urgent But risk management has now reached requests by management, boards of an inflection point, presenting financial directors, and regulators, and often quickly institutions with a fresh set of demands. assessing risk exposures to areas of concern such as specific markets or counterparties.

33 Future of risk in financial services | Risk management enters a new era

Risk management enters a new era

Today’s environment presents risk area, and the responsibilities between the management with a unique set of demands. business and risk management are not Slower economic growth and declining defined clearly. A legacy risk technology margins have placed a premium on infrastructure and the difficulty in gaining increasing the efficiency and reducing access to timely, accurate, and aggregated the cost of risk management. Due to the risk data create complexity and additional increased regulatory requirements, the costs. Efforts to restrain compliance implications of an institution’s business spending have consisted of headcount strategy on capital adequacy and liquidity reduction, offshoring, and traditional demand greater attention. Geopolitical process re-engineering, typically achieving developments and competition from only modest savings that are difficult to FinTech startups have made strategic sustain. risk a greater concern. The march toward ever-greater regulatory oversight may be Competing in the new environment requires coming to an end, with the potential that financial institutions to rethink how they some requirements may be rolled back. manage risk. Institutions will need to Characterizing all the developments is a make sure risk management is an active heightened level of volatility and uncertainty participant in setting strategy, that there is in the business, geopolitical, and regulatory an effective program to create a risk-aware environment. culture and manage conduct risk, and that risk management responsibilities are clearly In this new era, institutions will need to defined across all three lines of defense. decide whether they will continue with In addition, they need to leverage the new their traditional methods or instead rethink technologies available to substantially their approach to risk management. reduce costs by automating repetitive To keep up with the breakneck pace of manual activities, while simultaneously regulatory change since the financial crisis, improving monitoring and response. institutions have often implemented a number of systems to address specific Rather than engaging in an expensive, multi- regulations, rather than taking a holistic view year transformation program, institutions of the risks and regulatory requirements can instead employ an agile approach, by facing the organization. The result has first addressing the highest priorities. been a disjointed structure with activities conducted in silos, making it difficult To move forward, institutions should ask to gain a clear view across the entire themselves the following questions. risk management value chain. At some (see Figure 1) institutions, business units have not taken full ownership for managing risks in their

4 Future of risk in financial services | Risk management enters a new era

Is risk management doing the right How should risk management be How can transformation be delivered things? Institutions should consider organized to deliver effectively? As through digitization and ecosystems? whether they have clearly defined the scope institutions examine their organizational Institutions should examine how they of the activities that risk management structure for risk management, including can employ digital technologies—such as performs, aligned the responsibilities of resources allocated to risk management and robotics process automation, cognitive the lines of defense and the business units, the business units, they should also assess analytics, advanced analytics, and big data— assessed whether additional activities whether increased efficiencies can be to automate repetitive manual tasks, provide should be provided, and considered achieved through such strategies as shared decision support, and improve the ability to whether there should be increased services or centers of excellence for some proactively identify and manage risks. transparency of risk management. capabilities, or by moving some activities to lower-cost locations or outsourcing them to third-party service providers.

Figure 1

Is risk management doing How should risk management be How can transformation be the right things? organized to deliver effectively? delivered through digitization • Is there a clear definition of the • What is the optimal organizational and ecosystems? activities and services it should structure for risk management? • Application of robotics to reduce perform according to its core • Is the resourcing structure manual processes, reduce human mandate and regulatory optimized between the lines of resource requirements, and improve requirements vs, those performed defense and business units? central environment by the lines of business? • Are there efficiencies that can be • Application of cognitive to provide • Is the function able to plan, assess, achieved through shared services of better automated decision support and manage increased demands centers of excellence for some risk and data filtering (e.g., credit from regulators and the business? capabilities? underwriting, surveillance) • Should other additional activities • Should lower cost locations or • Increase use of big data, advanced and services be performed? outsourcing be considered for some analytics, and visualization for better • Is there an appetite to provide capabilities? data management and decision increased transparency for the support function? • Partner with external ecosystems (collaboration of different firms working together) to transform, innovate, and provide core CRO services

5 Future of risk in financial services | Imperatives for managing risk in the future

Imperatives for managing risk in the future

Effectively managing risk in the current European Union, and uncertainty over of profitability. Financial institutions are uncertain and volatile environment will whether the Trump Administration will increasingly searching for new avenues for demand new capabilities and a rethinking seek to renegotiate trade agreements and growth — developing increasingly customer- of how risk management operates. No two other alliances. centric service strategies including leveraging financial institutions will take the same new technologies to provide a more targeted approach since each organization has a • The direction of regulation is more and pervasive customer experience. While distinctive business strategy, geographic uncertain given recent developments failing to innovate in this environment may footprint, organizational structure, and level in Europe and the United States. Some place financial institutions at a competitive of maturity. European regulators and financial disadvantage, pursuing innovation without institutions have criticized the plans of the aligning business strategies with sound risk As institutions consider how to enhance their Basel Committee to institute a regulatory management capabilities may also heighten ability to manage risk effectively in today’s capital floor and implement so called Basel strategic risks.3 environment, they will benefit by considering IV updates. In the United States, President the following six imperatives for the future of Trump issued executive orders calling for In addition to having integrated strategic risk. (see Figure 2) review of financial regulations to determine thinking and risk awareness, regulators whether they are consistent with expect institutions to have formalized administration goals such as enhancing processes to assess strategic risks to the competitiveness of US companies,1 the business model stemming from technology Orderly Liquidation Authority (OLA) under and other changes in the external Title II of Dodd-Frank, and the Financial environment, as well as from their strategic Stability Oversight Council’s (FSOC) choices. Increase focus on strategic risk processes for designating companies for enhanced supervision and regulation2. Effectively managing strategic risks requires The drivers of change in the external In the post-crisis environment, country financial institutions to better integrate the environment that can impact financial regulators have also increasingly moved stakeholders responsible for strategy and institutions have become more uncertain to protect their own national interests risk management; put in place processes than ever. In these volatile and uncertain resulting in regulatory fragmentation due that allow for independent oversight and times, financial institutions need to assess to increasingly divergent regulations which challenge of strategies; train risk leaders and understand their impact and then model increases the complexity and costs for in forward-looking risk management potential outcomes as these drivers interact. global financial institutions. approaches; and implement frameworks to While strategic risk is not easily measured, understand how change and uncertainty will it is necessary to understand the potential • FinTech startups, which leverage impact key business attributes. impact of strategic uncertainties since technology capabilities to compete with they provide an opportunity for financial traditional financial institutions, threaten Financial institutions will need to conduct institutions to differentiate themselves as to disrupt the industry in areas such flexible planning including analysis of “what they plot their course through an uncertain as loans, payment products, wealth if” scenarios that consider the potential future. management, and property and casualty impact of strategic risk events on revenues insurance. In addition, there is increased and capital, and how the institution would Institutions are entering a period of competition between banks and non- respond. The ability to act timely on the substantially greater strategic risk from a banks, for example in areas where non- results of the “what if” scenarios will require number of sources. banks “own” the customer relationship and sufficiently nimble risk infrastructure can leverage this relationship to provide an capabilities. Institutions should also consider • Geopolitical risk has increased with the integrated customer financial experience. establishing “owners” of specific strategic Brexit vote in the United Kingdom to leave risks such as geopolitical, economic, and the European Union, the potential that At the same time, the ongoing low-growth, FinTech risks, who are responsible for populist parties in other EU countries may low-interest rate economic environment tracking and managing these risks. gain power and seek to withdraw from the is putting pressure on traditional sources 6 Future of risk in financial services | Imperatives for managing risk in the future

Figure 2 The new environment provides strong incentives for financial institutions to transform how they manage risk to become substantially more effective and efficient. As they plan for the new era of risk management, institutions should consider the following six imperatives.

Increase focus on Rethink the three lines Do more with less strategic risk of defense model and • Establish Global Risk Management (GRM) • More frequent identification of risk alignment Centers of Excellence and resource strategic risks • Realign responsibilities of business sharing • Greater degree of consideration and risk processes • Process re-engineering which would of disruption • 1st Line of defense (LOD) manages include rationalize and standardize • Focus on survival and earnings risk to improve accountability from processes stability disruption an end-to-end ownership of the • Offshoring, nearshoring, outsourcing, (e.g., technology) controls infrastructure headcount reduction • Looking for “owners” of strategic • 2nd LOD focuses on oversight and • Embracing emerging technologies such risk to improve management effective challenge as robotics process automation, artificial/ • Greater knowledge of operations cognitive intelligence, natural language for effective risk management processing, and machine learning • Set up 1st LOD for further process • Leveraging new capabilities such as using simplification and cost reduction business decision modeling to assess the cost of change, cost mutualization, and use of cloud based services

Establish a formal conduct Enhance risk management Strategically manage & culture program capabilities capital & liquidity • Increasing refinement and • New regulations addressing • Initial focus on technical combination of culture, conduct specific non-financial risk related compliance capabilities and ethics management concerns such as conduct risk, • Address processes and • Greater alignment and capital adequacy, cybersecurity, governance after technical integration of compliance and data quality capability delivery risk management to address • Rationalized processes will need • An operating model for conduct risk to comply with different regulatory capital, liquidity and • RCSA and eGRC being used for all requirements in different markets. provisioning to reflect active processes including compliance • Leverage the power of RegTech management enabled • Employ cognitive technologies to solutions to increase agility and by greater alignment or identify patterns of behavior that the ability to respond quickly to integration of capital and warrant future investigation, new developments, while providing liquidity management assess cultural changes, and the analytics that support more identify misconduct effective risk management

7 Future of risk in financial services | Imperatives for managing risk in the future

executives and consider how to incorporate these expectations in planning and in performance reviews.

In addition, at many institutions duplicative Rethink the three lines of defense responsibilities result in an overly complex Do more with less model and risk alignment and inefficient structure, with a lack of clear accountability. For example, some Financial institutions are competing in a low- Emerging technologies for testing, institutions have in effect split Line 1 into revenue environment due to slow economic monitoring, and surveillance present the business unit risk management activities growth coupled with historically low interest opportunity for a more integrated and (Line 1A) and testing activities (Line 1B), and rates and restricted revenue opportunities. effective model of oversight. Financial similarly split risk management activities An analysis by the International Monetary institutions that truly embrace the next into Line 2A and Line 2B. The effect of this Fund (IMF) found that return on average generation of technology and analytics will be structure results in what some call the equity for European banks in the euro area able to not only automate existing activities five lines of defense. In addition, there are plummeted from 15.2 percent in 2006-2007 but also build in controls and monitoring in other approaches being adopted by some to 3.7 percent in 2012-2015, while during the a new structure optimized around the data institutions. In short, there is no universal same period the returns for US banks fell and analytics rather than traditional front to model for implementing the three lines of from 12.2 percent to 9.3 percent and those back process flows. There could be a future defense. for Japanese banks dropped from 8.6 percent where the three lines of defense model as we to 6.9 percent.4 Yet, at the same time that know it looks dramatically different. While most financial institutions face the returns are decreasing, risk management same need for increased efficiency and budgets have increased dramatically in Under the three lines of defense model effectiveness of risk management, the response to the many new regulatory employed by most financial institutions, responses of individual institutions vary requirements put in place since the financial business units own and manage their risks; based on their needs. For each institution crisis. the risk management function provides moving staff from the 2nd line into the 1st independent oversight and challenge; and line for strengthened 1st line ownership of Driven by these pressures, financial internal audit reviews the effectiveness of risk, there is another institution that is re- institutions are seeking strategies to the risk and control framework. Even if the thinking the role of risk professionals in the reduce risk management costs without three lines of defense model is conceptually 1st line and whether the 2nd line should be impairing effectiveness. It is important sound, many institutions have faced practical strengthened. that these cost control efforts are done challenges in implementation resulting in in a strategic manner so that they do not gaps in risk coverage and also duplication A common overall sentiment is frustration impair the risk management capabilities and inefficiencies. that the current investment in risk and required. Institutions are employing process compliance is not delivering intended results. reengineering to rationalize, standardize, In particular, business units may fail to For some institutions, the effectiveness and consolidate their processes, including take full ownership and management of of risk has been weakened, even as the identifying overlapping and redundant their risks. Although this improves the resources devoted to it have increased. responsibilities across business activities and effectiveness of risk management and is a functions. However, reengineering efforts regulatory expectation, it may not occur for While different institutions may move to often focus on reducing “Run the Bank” cost a variety of reasons including the demands different risk management structures, a and miss addressing “Change the Bank” and to meet business targets and the difficulty common focus remains— institutions need “Change Control” cost, which have become in hiring a sufficient number of professionals to reassess the roles and responsibilities of the faster growing cost for the industry. There that possess skills in both risk management each of the three lines of defense to reduce are multiple levers to lower cost of change and also in the business. Institutions will unnecessary complexity and redundancy, such as model-driven development, central need to clearly communicate the risk reduce costs, and increase risk management change governance, zero-based budgeting, management responsibilities of business unit capabilities. project portfolio management, agile 8 Future of risk in financial services | Imperatives for managing risk in the future

development, and automated testing. In an increasingly complex, volatile, and The impact of instances of misconduct Institutions can also consider employing uncertain world, financial institutions will need has not only been felt on bottom lines and centers of excellence and resource sharing to fully leverage these new technologies to through increased regulation; it has also such as establishing consolidated centers deliver on stakeholder expectations given the caused a significant loss of trust among for activities like testing, reporting, or model resource constraints inherent in the current customers and the public more broadly. validation. Some institutions have achieved environment. Improving conduct within industry is an cost savings by outsourcing some processes essential part of rebuilding trust and to third-party service providers or locating supporting future sustainable growth. The them offshore. trust that financial institutions historically provide is a key potential differentiator as Yet, even greater cost savings can be achieved they compete with FinTech disruptors that by employing robotics process automation lack a history of customer trust. Trust is also to automate repetitive manual activities such Establish a formal conduct and necessary for executing on the customer as regulatory reporting, assembling model culture program centric strategies many financial institutions validation documentation, or aspects of credit are focused on. scoring. As an added bonus, automation The numerous instances of poor business can also reduce error rates from manual practices within the financial services In the battle between incumbents and processes. (see Figure 3) industry that have been exposed across challengers, those who build (or re-build the globe have resulted in clients’ interests trust) faster and more effectively will gain Beyond automation, advances in artificial being disregarded, unfair, and inequitable a clear strategic advantage. Institutions intelligence, cognitive technologies, and data outcomes, considerable financial impact for that convince their shareholders that good analytics can also provide greater efficiency customers, and damage to the integrity of conduct is not only ethical but also good for by focusing the work of risk analysts on the market. Institutions are facing enhanced shareholder value in the long run will be well assessing more complex risks instead of regulation, hefty penalties, and substantial placed to win. simply sorting through and manipulating data. remediation costs as a result. Instances of These technologies can provide automated inappropriate behavior by employees have Many institutions will need to increase decision support and data filtering to led to ‘conduct costs’ in fines, legal bills, and their attention to conduct and culture. improve an organization’s ability to detect, customer compensation of US$324 billion at Communicating to employees the 5 predict, and prevent risks. For example, the 20 largest banks in recent years. expectations regarding ethical behavior and robots and cognitive agents can be taught to their responsibilities for risk management is automatically scan for new risks, raise alerts Due to these instances of unethical behavior, essential, but is only a first step. Institutions for areas of concern, and perform automated encouraging ethical conduct among should also ensure their risk control self- triage so that risk analysts focus on the risks employees and infusing a risk management assessments (RCSA) and that enterprise that really matter. culture throughout the organization has governance, risk, and compliance (eGRC) become an increasing focus of regulatory tools address conduct risk including There are numerous examples of the authorities around the world. For example, designing metrics to catch and/or prevent power of the latest technologies to improve the Senior Managers Regime in the United misconduct and assessing cultural the efficiency and effectiveness of risk Kingdom, which commenced on 7 March challenges to identifying and preventing management including: natural language 2016, focuses on individual responsibility and misconduct. processing, cognitive analytics, and pattern requires senior managers to take reasonable detection that can improve the monitoring steps to prevent regulatory breaches from Institutions should examine all the various of compliance risk by identifying suspicious occurring, or continuing to occur, in their ways in which conduct and culture can 6 behavior patterns for further review and area of responsibility. Conduct risk has affect the business. Examples include the inquiry; cognitive automation can enhance been included in stress test scenarios by the governance processes on key decisions, who credit underwriting; and cognitive voice European Banking Authority and the Bank of is involved in the processes for accepting recognition can be employed in monitoring England. new clients or introducing new products, trading desk or call center activity. and whether controls are in place to help 9 Future of risk in financial services | Imperatives for managing risk in the future

Figure 3 There are a number of automation opportunities along the entire risk management lifecycle

Risk strategy & Management & Governance planning admin

1 Risk management lifecycle

Risk approval & controls

2 Risk measurement Risk ratings 3 Risk pricing & approval 4 Limit setting & review5 7 Risk mitigation Position & exposure 8 calculation 10 Risk monitoring, 9 escalation Collateral management

14 5 Risk reporting Risk limit exceptions management 11 Policy and compliance monitoring Board reporting 12 Quality assurance/ External and regulatory quality control reporting Management reporting

Illustrative risk stripes

6 13 Credit risk Market risk Operational risk Model risk management 15

Example automation opportunities

1. Risk identification 7. Counterparty/Product/Position risk 11. Compliance testing 2. Credit rating/scoring exposure 12. Loan review 3. Product pricing 8. Limit management 13. Model validation documentation 4. Product P&L attribution 9. Collateral management 14. Risk reporting 5. Limit setting & review 10. Automated risk monitoring 15. Model governance and reporting 6. Vendor risk management

10 Future of risk in financial services | Imperatives for managing risk in the future

ensure that only appropriate products are and in monitoring employee behavior.7 In offered to each customer. Conduct risk, and many cases, RegTech provides the ability the controls in place to manage it, should to not only reduce costs but also provide be assessed when approving new products, more timely and nimble analysis required in especially high-risk products that may be the new more uncertain environment. For sold inappropriately to some customers. Enhance risk management capabilities example, by building controls into a new, While much has been done to set standards reengineered and automated environment, and restore trust, there is much more to Since the fiscal crisis, there has been a wide the need for additional testing may be do, and a desire to improve capabilities and variety of regulatory requirements and eliminated and the data may be more cost effectiveness in meeting expectations guidance addressing specific risk issues immediately usable. RegTech can also around managing conduct. With this in such as capital adequacy, conduct risk, increase the scope to provide more robust mind, there are ways in which innovative third-party/supplier risk, cybersecurity, and analysis at a reduced cost, for example technologies might be employed to manage the quality of risk data quality, to name but through the use of big data analytics to these risks. a few. Institutions have often built separate perform a full population assessment processes, data bases, or reports for each instead of sample analyses. Robotics automation can limit the possibility new requirement. As a result, while specific of conduct risk by reducing the number risk needs may have been addressed, Financial institutions will also need to of manual activities and making routine the ability to manage risk correlation and continue efforts on data management procedures more consistent. Beyond this, interactions from unexpected consequences programs such as those spurred by the cognitive technologies and data analytics of these risk issues has not been built BCBS 239 risk data requirements. While can analyze employee communications, into the risk infrastructure or governance a regulatory requirement, and a work in such as emails and text messages, to process. In many cases, investments progress for many, these requirements identify patterns of behavior that may have often been driven solely by a need represent a type of leading practice be inappropriate and warrant additional to comply with regulations rather than to standards for risk data which has the investigation. However, automation and provide business value. The regulatory capability to improve the effectiveness, analytics can also create conduct risks if the and compliance approach may include timeliness, accuracy and completeness of right types of rules are not programmed labor intensive or convoluted processes risk analytics and information for decision into the robot’s procedures or into the and procedures that increase the chance making. analyses performed. Building conduct risk of error and give people the incentive and management into automation and analytics opportunity to ignore controls that are Rationalized risk management processes is imperative. Innovation that can help to designed to prevent misconduct. will need the capability to comply with improve the effectiveness and efficiency the different regulatory requirements of conduct management programs will in To restrain costs while maintaining in different markets. This is increasingly turn create better customer and regulatory effective regulatory compliance and risk important in a world where greater outcomes. management capabilities, institutions will regulatory fragmentation is now the base need to embrace emerging technologies case. Even under the global ideal of Basel III, Financial institutions will need to embed such as robotics process automation for fragmentation was already a reality. But with conduct and culture efforts throughout the control checks and regulatory reporting, the increased likelihood of jurisdictions going organization and throughout their processes artificial/cognitive intelligence in stress their own way regarding the application of and governance structure, and especially tests, natural language processing for anti- models, rethinking existing regulations, and at key influencing points such as customer money laundering case/Suspicious Activity developing jurisdiction-specific stress tests, onboarding, new products, sales practices, Report investigation narratives, know your recovery planning, and conduct reforms, training, and incentive compensation. customer risk summary memos, and model the challenge of managing an international Financial institutions may also begin to use a validation reports. Other opportunities firm has become that much more complex. “carrot and stick” approach to drive behavior. would include automatically aggregating Agile and adaptable systems, controls and It is clear that the stakes are too high and data to assess capital and liquidity for use in governance will be critical. The corporate that business as usual will no longer work. internal models and in reports to regulators, headquarters will require consistency of 11 approach and frameworks, while allowing institutions to improve their returns on for varying local application that can still be equity. Additional regulatory requirements assessed in a holistic manner. on institutions that are determined to be systemically important are leading them to restructure their legal entities, which can drive further capital and liquidity inefficiencies including trapped capital, and also increased costs.

Strategically manage capital The first requirement is to develop a robust and liquidity capability to measure capital and liquidity, ideally on a daily basis. The analysis should The years since the fiscal crisis have go down at least to the level of the business seen a significant increase in regulatory unit, so the institution can understand the requirements for capital and liquidity. Capital relative capital and liquidity needs of each requirements include Basel 2.5, Basel III, and business unit and how the business unit the US Federal Reserve’s capital plan rule. contributes to the institution’s overall capital From mid-2011 through the end of 2015, 91 and liquidity profile. leading banks around the world increased their common equity by US$1.5 trillion, with Supported by these measurement the ratio of equity to risk-weighted assets capabilities, institutions need to strategically 8 rising from 7.1 percent to 11.8 percent. manage capital and liquidity and do so more dynamically than they have in the past. This Many financial institutions have also faced will necessitate including regular capital new liquidity requirements including the and liquidity management evaluation into liquidity coverage ratio and the net stable governance structures and decision-making funding ratio introduced in Basel III and processes. Institutions will need to build additional liquidity reporting requirements capital and liquidity measures into their under the US Federal Reserve’s enhanced strategic plans and management approaches prudential standards. and reevaluate them periodically. The impacts on capital and liquidity have become Complying with regulatory requirements key considerations when institutions are for capital and liquidity is more than deciding which businesses to compete in or simply a compliance issue. Instead, it which products to offer. has an important impact on the financial performance of the institution, given higher The six imperatives for risk management capital and liquidity requirements in tandem outlined above touch almost every part of with the current environment of lower an institution. The effort to transform and revenues and returns. Regulatory capital modernize risk management will need to requirements are now a binding constraint be based on the following four foundational and need to be managed effectively for areas.

12 Future of risk in financial services | Levers to drive change

Levers to drive change

Infuse risk management into strategy. Risk management should Leverage emergent technologies. The latest technologies have the be an active participant in setting the institution’s business objectives potential to fundamentally transform risk management. In addition to and strategic plan, assessing the impact of new products and substantially reducing operating costs, these and other technologies markets on the organization’s risk profile as well as on its capital and can provide risk management with new capabilities including building liquidity position. controls directly into processes, prioritizing areas for testing and monitoring, deploying automated monitoring of limits with defined Focus on people. Institutions should work to ensure they have escalation, addressing issues in real-time to improve the enterprise- sufficient specialists with subject matter expertise on high-risk and wide view of risk, and providing decision support. complex activities and provide adequate training to continually upgrade skills. At the same time, they need an active program to These levers should not be addressed in isolation, but instead need infuse a risk aware culture in the organization, encourage ethical to be pulled in a coordinated way. For example, the business strategy behavior by their employees, and monitor and manage conduct established will have important implications for the potential for risk. Risk needs to move from having a reactive role to a proactive conduct risk, while the responsibilities assigned to business units will role. There needs to be a shift away from a compliance-oriented determine the types of risk management skills they require. An overall risk mindset to that of a strong and proactive risk culture. Risk risk management approach needs to be developed that harmonizes practitioners across all three lines of defense need to work more the steps taken to address each of the four levers and considers their closely with senior leadership to drive cultural changes across the interaction. organization that encourage constructive challenge, ethical decision making, appropriate incentives, openness, and transparency.

Enhance three lines of defense. Institutions should clearly define the risk management responsibilities of each line of defense, streamline the governance structure by eliminating overlapping responsibilities, and ensure that business units take full ownership of the risks in their area. Too often previous risk structure efforts have been focused on process, not making sure that the right outcomes are delivered. Risk functions are being called to do more, but they should work to rationalize their capabilities using common infrastructure, data, processes, and governance and where possible leveraging these across both risk and finance.

13 Future of risk in financial services | Conclusion

Conclusion

In today’s environment of volatility and • Be agile to react quickly to the uncertainty, risk management is at an unanticipated developments inevitably inflection point. Will financial institutions arising in today’s uncertain environment continue with their traditional methods or • Leverage emerging technologies to instead fundamentally rethink how risk is create a new digital environment able managed? Institutions content with their to substantially reduce costs while existing approach will suffer from inefficient simultaneously improving the ability to processes, lack the capability to proactively proactively identify and manage risks, and identify and manage risks, and struggle to do so at a lower cost gain a holistic view of the risks facing the organization. Each institution will need to decide whether to continue with business as usual, running Institutions that instead fundamentally the risk of being unprepared for new risks transform how they manage risk can and falling behind their peers and regulatory become more dynamic and capable of expectations. Or seize the opportunity to responding quickly to new developments. In take risk management to an entirely new the new era, the risk management function level that truly provides the capabilities to will need to: support the organization’s strategic plan.

• Play a greater role in the organization’s strategic decision making • Expand risk management capabilities through all three lines of defense • Secure talent with the right risk management skills and business experience to effectively manage risk

14 End notes

1 Ben Protess and Julie Hirschfeld Davis, “Trump Moves to Roll Back Obama-Era Financial Regulations,” The New York Times, 13 February 2017, https://www.nytimes. com/2017/02/03/business/dealbook/trump-congress-financial-regulations.html 2 Eric Beech and Lisa Lambert, “Trump to Order U.S. Treasury to Delve Into Taxes, Post-Crisis Reforms,” The New York Times, 21 April 2017, https://www.nytimes.com/ reuters/2017/04/21/business/21reuters-usa-trump-financial.html 3 Office of the Comptroller of the Currency, Semiannual Risk Perspective, Washington DC, Spring 2016 https://www.occ.treas.gov/publications/publications-by-type/other- publications-reports/semiannual-risk-perspective/semiannual-risk-perspective- spring-2016.pdf 4 “Return on Average Equity for all U.S. Banks,” Federal Reserve Bank of St. Louis, 15 November 2016, https://fred.stlouisfed.org/series/USROE; Global Financial Stability Report, International Monetary Fund, October 2016, http://www.imf.org/external/pubs/ft/ gfsr/2016/02/pdf/text.pdf 5 Sean Farrell, “World’s 20 biggest banks rack up £252bn ‘conduct costs’ in five years,” The Guardian, 18 July 2016, https://www.theguardian.com/business/2016/jul/18/worlds-20- biggest-banks-racked-up-252bn-conduct-costs-in-five-years 6 Deloitte, Senior Managers Regime, Individual accountability and reasonable steps, 2016, https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/financial-services/ deloitte-uk-senior-manager-regime.pdf 7 Martin Arnold, “Market grows for ‘regtech,’ or AI for regulation,” Financial Times, 14 October 2016, https://www.ft.com/content/fd80ac50-7383-11e6-bf48-b372cdb1043a; Deloitte, RegTech Is The New FinTech: How Agile Regulatory Technology Is Helping Firms Better Understand and Manage Their Risks, 2015, https://www2.deloitte.com/content/dam/ Deloitte/ie/Documents/FinancialServices/ie-regtech-pdf.pdf 8 “Basel bust-up,” The Economist, 26 November 2016, http://www.economist.com/news/ finance-and-economics/21710808-european-banks-fear-proposed-revisions-will- penalise-them-unfairly-showdown

15 Future of risk in financial services | Contacts

Contacts

Authors:

Edward Hida Julian Leake Deloitte United States Deloitte United Kingdom [email protected] [email protected]

Global leadership:

Robert Contri JH Caldwell Global Leader, Financial Services Global Leader, Financial Services Risk Advisory Deloitte Global Deloitte Global [email protected] [email protected]

Anna Celner Neal Baumann Cary Stier Global Leader, Banking & Securities Global Leader, Insurance Global Leader, Investment Management Deloitte Global Deloitte Global Deloitte Global [email protected] [email protected] [email protected]

Acknowledgments:

This report is a result of a team effort that included contributions by financial services practitioners from Deloitte member firms around the world including:

Scott Baret Laurent Berliner Lisa Dobbin Deloitte United States Deloitte Luxembourg Deloitte Australia [email protected] [email protected] [email protected]

Dilip Krishna Jay McMahan Bruno Melo Deloitte United States Deloitte Canada Deloitte Canada [email protected] [email protected] [email protected]

Kevin Nixon Timothy Oldham Monica O’Reilly Deloitte Australia Deloitte Australia Deloitte United States [email protected] [email protected] [email protected]

Chris Patterson Rick Porter Alok Sinha Deloitte United States Deloitte United States Deloitte United States [email protected] [email protected] [email protected]

Sachin Sondhi Deloitte United States [email protected]

Special thanks are given to Bayer Consulting for providing assistance with this report. In addition, we would like to thank the following individuals from Deloitte United States for their support: Catherine Hoang, Louis Murray, and Ajanta Dutta Roy.

16 17 About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

About this publication This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2017. For information, contact Deloitte Touche Tohmatsu Limited.