Risk Governance 2020: From Satisfactory To Effective and Sustainable


Contacts

Americas
Peter Davis, Principal, Ernst & Young LLP, +1 212 773 7042
Tom Campanile, Partner, Ernst & Young LLP, +1 212 773 8461
Ted Price, Senior Advisor, Ernst & Young LLP, +1 416 943 3597
Mark Watson, Executive Director, Ernst & Young LLP, +1 617 305 2217

EMEIA
Chris Bowles, Partner, Ernst & Young LLP, +44 20 7951 2391
Patricia Jackson, Senior Advisor, Risk Governance Lead, Ernst & Young LLP, +44 20 7951 7564

Asia-Pacific
David Scott, Partner, Ernst & Young Advisory Services Limited, +852 2629 3614
Rob Walsh, Partner, Ernst & Young, +61 2 9248 4861

Executive summary

After years of regulatory reform, the financial services industry is experiencing a palpable shift in focus by regulators away from improving the financial strength to governance, structure and operations concerns. These issues are central to maximizing risk-adjusted performance and enabling resiliency and resolvability. A core concern in this context has been what can be described as “nonfinancial” risks, such as conduct, compliance and operational risk more broadly. The change in emphasis can be easily explained.

First, regulators are demanding significant enhancements to risk governance in the industry because they will no longer tolerate major control or conduct failures. A firm could lose its license in one or more jurisdictions for repeated or egregious offenses. In addition, supervisors are holding executives and directors personally accountable, unless the firm can demonstrate that it took all reasonable steps to prevent the breach. In some countries, executives can be jailed for major transgressions, and the potential impact on the businesses of further transgressions in terms of reduced opportunities and more costly funding makes conduct a prudential concern for regulators as well.

Furthermore, investors anticipate real change to continue. They are expecting firms to reset their business models and cost bases in light of new regulatory expectations and market pressures. Current low returns on equity are unsustainable.
Moreover, firm-level fines and settlements have escalated to the point where they can threaten the institution’s credit standing, and firms that cannot meet supervisory expectations run a higher risk of failure.

So what’s the answer? It cannot be ever-greater numbers of compliance or risk officers. That will certainly increase cost but likely not improve control.

The answer lies in not more but better risk governance — what EY calls Risk Governance 2020. Firms have to build on valuable changes made in recent years but go further to embrace fully embedded risk appetite frameworks across all dimensions of risk, strengthened risk accountability frameworks, increased control effectiveness, enhanced risk transparency, and an integrated approach to talent and incentives matters. Board oversight has to be further enhanced, and firms have to fully align their culture with their risk appetite.

This is no trivial task, and the core work in building a more integrated risk governance approach may take three to five years, though the journey will remain ongoing. It is critical that work starts today.

Whereas firms once addressed risk governance issues in isolation, they now need to work on issues collectively. Ongoing control failures highlight the interdependent elements of risk governance and show that effectiveness lies not in the size of the risk and compliance apparatus, but in its quality.

Regulators and investors recognize major changes are required and will not wait forever. They expect change to start immediately. Approaches need to be practical, conceptually sound and operationalized to realize tangible results.

If done well, firms can be better governed at a low cost and in a way that allows risk governance to enable the firm to compete successfully, and risk governance can move from being satisfactory to effective and sustainable.

A need for change

Many companies are realizing that winning in today’s complex and interconnected market means marrying global regulatory expectations with long-term strategic objectives. The financial crisis provided a rude awakening to boards, senior management teams and regulators alike, resulting in significant challenges for firms trying to adapt their business models to meet heightened financial stability expectations of regulators and other stakeholders. Risk governance, culture and control are now priorities for regulators; they are also the industry’s central concerns in light of unprecedented regulatory fines. Meanwhile, stakeholder expectations of robust governance balanced with improved profitability are increasing.

Financial institutions began focusing on governance, risks and controls as soon as the fog of the crisis began to lift, and many have taken significant strides in the right direction. Firms are stronger. However, for most, regulators have concluded that current approaches do not go far enough. Significant work remains to create a holistic approach that reaches day-to-day behavior at all levels of the firm and creates meaningful and sustainable change in the way business is conducted and overseen. Going forward, companies will have to take a more strategic approach to risk governance.



Why does it matter?
After several years of building significant risk, compliance and control structures, firms now face three major challenges:

1. Regulatory pressure to improve governance and behavior: Regulatory attention has progressed beyond financial condition and resiliency — that is, improved capital and liquidity, decreased leverage, and strengthened recovery and resolution plans. Improving governance and conduct at large financial service firms is now atop the regulatory agenda. Major control failures and conduct violations across the industry drove this change, leading regulators to conclude that stronger risk governance is critical to financial reform. Regulators in certain jurisdictions are leading the way by addressing this cycle of misconduct through increased accountability and consequences for firms and individual employees.

The focus on improved risk governance is unlikely to diminish. So it is imperative for organizations to clearly demonstrate that they are well-controlled and effective at managing all of their financial and nonfinancial risks. Greatly elevated risk governance expectations are a common theme across current regulations and can be found in broad-based rules in specific jurisdictions (e.g., the US Office of the Comptroller of the Currency’s Heightened Standards[1] and the UK Prudential Regulatory Authority’s Individual Accountability Regime)[2] as well as targeted global guidelines (e.g., incentive compensation, Financial Stability Board’s Principles for Effective Risk Appetite,[3] Basel Committee on Banking Supervision’s revised Corporate Governance principles,[4] and standards on risk data aggregation and risk reporting). This focus is also embedded in other requirements (e.g., the Federal Reserve’s Comprehensive Capital Analysis and Review and global structural reform initiatives). Some of these regulations are sector-specific, while others are more generally applicable.

However, it is clear that, whatever their sector, large financial service firms are facing increasingly similar regulatory expectations on risk governance. Regulators are reinforcing these expectations through findings in regulatory examinations and enforcement actions.

Taken together, these requirements are challenging, especially for global firms operating across multiple jurisdictions.

2. Inappropriate behavior: A recent spate of complex market failures, including market manipulation, anti-money-laundering and sanctions program failures, rogue trading, and mis-selling, highlighted significant issues of misconduct and operational failures in certain banks, which in turn revealed significant weaknesses in governance, controls and culture. While the majority of these problems have been in banking, firms in other financial service sectors have experienced similar breakdowns. Current risk approaches may therefore be inadequate in addressing root causes, known weaknesses or emerging risks (e.g., digital risks) and raise broader questions around firms’ general inability to manage and control their nonfinancial risks. The onus is now on firms to demonstrate they are taking swift and meaningful action. The resulting conduct costs and related provisions have been substantial, surpassing US$270b from 2009 to 2013 globally.[5]

3. Cost control: Operating with returns below the cost of capital is not sustainable or acceptable to investors. In grappling with increasing regulatory expectations and fines, shortened implementation timelines, and major reputational events, firms have often resorted to firefighting immediate issues, leading to disjointed or piecemeal implementation efforts. The outcomes have been significant risk and control expenses, increased headcount with the potential for duplication of efforts in managing risks and controls, lack of clarity in roles and responsibilities, and fractured and uncoordinated infrastructure. All this is the significant cost of compliance with limited return in terms of running the businesses. Shareholder and investor demands for higher returns require firms to manage risks and controls in a more consistent and cost-effective manner. One way firms can begin addressing cost-of-control issues is to use a common risk taxonomy, integrated risk assessments, standardized control frameworks and improved management information systems. The ability to deliver organizational change balanced with improved returns on equity (RoE) will be a true distinguisher for firms in the industry.

Firms that proactively take ownership of their own agenda, instead of reacting to regulatory expectations as “compliance” matters, will find themselves at a significant advantage to their competitors. Strong governance and conduct will be integral to rebuilding trust in the industry, providing a foundation to meet increased expectations for consumer protection, investor protection and market conduct. Further, increased transparency around a broad array of risk considerations will enhance competitive agility by better informing decision-making. Beyond that, an effective governance model will align the firm’s strategy, purpose and mission; will reinforce the core values for employees; and will assist in attracting and retaining the talent required to rebuild trust. A holistic approach to risk governance will force firms’ attention to matters of operational efficiency and effectiveness, thereby helping create a sustainable operating model that delivers value to shareholders and other stakeholders alike. Finally, firms will manage risks more effectively by focusing on both short- and long-term, and financial and nonfinancial, risks equally.

[1] “OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations (Final Rule),” Office for the Comptroller of the Currency, September 2014.
[2] “Strengthening individual accountability in banking and insurance — responses to CP14/14 and CP26/14,” Prudential Regulatory Authority, March 2014.
[3] “Principles for an Effective Risk Appetite Framework,” Financial Stability Board, November 2013.
[4] “Corporate governance principles for banks – Consultative document,” Basel Committee on Banking Supervision, October 2014.
[5] CCP Research Foundation (formerly the LSE Conduct Costs Project).



What scope of change is required?
The required scope of the change to meet regulator and other stakeholder expectations for a well-controlled environment, managed growth and an improved bottom line will likely significantly exceed the scope and pace of change in these areas since the crisis. Firms will have to shift their thinking and approach to risk governance – minor refinements to existing approaches will likely not be sufficient. Instead, firms will need to embark on a transformative risk governance journey. The required paradigm shift must surpass short-term regulatory expectations to be more future-proof and sufficiently holistic, practical and flexible, as well as help directors and executives manage the business more effectively.

The time for transformative change has arrived, and the effort will depend on a shift in mindset and an innovative approach to risk governance. To enable the firm to successfully navigate their future risk governance journey, the new approach needs to be:

1. Integrated: After the crisis, firms were forced to address complex, onerous and multifaceted regulatory requirements coupled with aggressive deadlines for compliance, which in turn resulted in separate or siloed responses to those requirements. In some cases, the resulting changes to governance, risk and control structures did not identify the significant issues of misconduct and control failures that followed. Firms need to address a broader risk governance agenda, not in a compartmentalized manner, but with due consideration for the underlying components that are highly connected and interdependent.

2. Strategic: In the past, firms have been somewhat reactive to risk governance issues, often being forced into dealing with near-term compliance needs, which diverted necessary attention from linking governance reforms strongly to strategic decision-making. Firms and regulators now realize that the full benefits of holistic risk governance warrant the required investment. The new paradigm encapsulates strategic decision-making aligned to the firm’s mission and organizational vision; a strong governance and effective-challenge model; a comprehensive and embedded risk appetite framework; enhanced risk and control structures; and strong data, analytical and reporting capabilities. The new paradigm will create an environment of higher returns and strong growth.

3. Forward-looking: To date, most firms have grappled with the challenges of meeting immediate domestic requirements, leaving them with little, if any, time to fully consider global regulatory trends. This tactical approach has resulted in operating models that may not support further changes in the global regulatory landscape. Risk Governance 2020 will shift the current mindset by recognizing the holistic nature of the journey ahead, during which both near-term and long-term risks must be addressed. This approach to risk governance has to also be flexible enough to withstand changing regulatory expectations.

4. Effective and efficient: Approaching risk implementation or remediation efforts in a compartmentalized manner has often resulted in decentralized or overlapping governance, risk and control processes; unclear roles and responsibilities; and fragmented systems and infrastructure, contributing to high risk and control costs without necessarily addressing the gaps in risk identification and management. By contrast, an efficiency and effectiveness view of risk governance – centralized risk and control approaches, clearly defined roles and responsibilities, integrated systems and infrastructure – leads to a sustainable business model that balances regulator and stakeholder expectations.

5. Practical: In several areas, firms have embarked on overly complex approaches to risk governance that are neither fit for purpose nor sufficiently flexible to suit group and subsidiary structures. As an example, risk appetite frameworks (RAFs) to date have not adequately assessed nonfinancial risks — understandable, given the ambiguity around identifying and measuring conduct, legal, people and IT risks — and thereby failed to address desired risk exposure levels for these risk types. A practical, systematic and dynamic approach to risk governance, as a whole and with recognition of each of its underlying components, is required to realize tangible results.



What is Risk Governance 2020?

Risk Governance 2020 will help firms along the necessary transformative journey that realizes the full benefits of effective risk governance within a well-controlled environment, reinforcing the firm’s culture and desired risk behaviors. This is not a reprise of a traditional enterprise risk management (ERM) framework — instead, the process helps each element of risk governance to operate efficiently and effectively, alone and in coordination with other elements. This means adapting new approaches and processes to enduring components of ERM — notably risk accountabilities, risk appetite and control effectiveness — which have not universally been implemented across all facets of quantitative and qualitative risk. New elements, notably processes for establishing an appropriate culture and risk-based talent and incentives management framework, have to be integrated into the new risk governance approach.

To add to the complexity, risk governance change will have to take place at both the group and main subsidiary levels. Host country regulators globally are increasingly advocating for local subsidiaries and branches to demonstrate all the elements of effective risk governance, including local boards influencing matters of strategy, capital, business operations and regulatory compliance.

[Figure: components of risk governance: board risk oversight; risk culture; risk appetite framework; risk accountability (3LoD); controls effectiveness; risk transparency, MIS and data; talent and incentives.]

Each of the core components of Risk Governance 2020 should anticipate change:

• Fully embedded risk appetite frameworks: Firms have invested heavily in establishing and embedding RAFs, with some notable successes. They are much better placed today to manage risks. However, too few firms have embedded risk appetite for financial and nonfinancial risk down throughout the organization and developed robust approaches for identifying and managing nonfinancial risks. Given that the root causes of recent control failures are largely linked to nonfinancial risks, this is no longer acceptable to regulators. Firms will need to address conduct, compliance, legal and other nonfinancial risks in an analytical and forward-looking manner, regardless of historical measurement or quantification issues. Similarly, firms will need to push the risk appetite down into individual geographies; legal entities and products; and “run the firm” limits, policies and escalation mechanisms.

• Strengthened risk accountability/three lines of defense: Although firms have often said the front line is accountable for risks, in practice the second line has taken on responsibility for significant aspects of financial and some elements of nonfinancial risk. Furthermore, as some firms have focused almost solely on financial risks, roles and responsibilities across the three lines can often be ambiguous. The perceived dissonance between firm rhetoric and reality regarding front-line ownership of risk has prompted regulators to send a clear message that this situation is no longer acceptable. They have made front-line risk accountability a priority, expanded the definition of “first line of defense” beyond traditional revenue-generating units, and explicitly called for a strong three-lines-of-defense model, with clear roles, responsibilities and resources.



• Increased control effectiveness: Firms have assumed that the enormous growth in the scope and number of controls after the crisis left them better protected. Yet recent failures in the industry have highlighted problems with control effectiveness. Firms are often grappling with duplicative and overlapping risk assessment frameworks, limited focus on front-to-back controls in the businesses and a somewhat static view of risk. Significant effort will be required to institute firm-wide risk and control frameworks that are properly integrated and standardized, provide forward-looking views of risks, and avoid redundancies and gaps. These changes are critical to supporting a reinvigorated three-lines-of-defense model — with an emphasis on front- and second-line validation and verification processes while avoiding traditional reliance on internal audit alone to comment on effectiveness of controls.

• Enhanced risk transparency: Firms have grappled with risk information since the crisis — risk reports have expanded considerably, in volume and frequency, which has helped raise the quality of dialogue on risks. But today, boards and senior management can still miss important risk intelligence in masses of risk information. Risk data systems remain strained, unable to aggregate and disaggregate data as quickly as regulators consider necessary; manual fixes are commonplace in too many firms. It will be important for firms to develop dynamic IT-enabled risk data reporting that goes beyond dashboards to deliver true risk intelligence, supported by advanced analytics, strong internal controls, and integrated risk and finance data.

• Integrated talent and incentives approach: Recent control failures and conduct matters indicate that, however beneficial in its own right, the strong focus on financial incentives alone, such as risk-adjusted compensation, deferrals and claw-backs, is inadequate to generate the level of change required in individual employee behaviors and mindsets. Human resources (HR) has often been viewed only as a front-line enabler. Going forward, firms will require a more sophisticated approach to the HR dimension of culture and control, with a much stronger focus on all stages of the employee life cycle, utilizing both financial and nonfinancial incentives, as well as covering competencies, recruitment, onboarding and promotion processes, and succession planning to achieve desired behaviors. Only a life-cycle view of talent sourcing and development will enable the desired culture, accountability and control environment.

• Stronger board oversight: After the crisis, board oversight has improved considerably via stand-alone risk committees and the addition of new directors with industry and risk experience. However, board members often admit privately that they are now too focused on compliance and deluged with detailed reports and regulator-mandated approvals of complex capital, liquidity and resolution plans as well as related policies and procedures. The burden falls on boards in turn to be more integrated in their oversight role, actively governing their firms while making more informed decisions, identifying new opportunities and enabling the firm to better price risks and allocate capital.

• Robust risk culture: Firms have typically relied on tone-at-the-top messaging, risk-adjusted or deferred incentive pay, and second-line oversight to define and reinforce a strong risk culture and address conduct matters. Regulators have concluded that is not enough. Firms will need a more proactive, explicit and systematic approach to diagnosing cultural problems in the various businesses and functions and implementing comprehensive action plans — across functions and front lines — to address excessive risk taking and unacceptable behaviors.

www.ey.com/rg2020



What is the way forward?

Significant effort lies ahead. It will be critical to define a road map for success that is tailored to the organization; this starts with an assessment of current state followed by a structured, measurable and integrated plan that includes the following considerations to arrive at the desired end state:

• Managing risk governance holistically — Firms will need to embark on this journey with the understanding that risk governance matters are more effectively addressed as a whole — across all dimensions of risk and considering all relevant inputs and outputs, rather than in a siloed and more limited manner using only more traditional inputs. Formulating a road map that addresses each component in unison will recognize the strong connections and interdependencies that exist.

• Balancing regulator and other stakeholder expectations — Regulators expect an organization to be well-controlled, while other stakeholders expect increased returns as well. Balancing these expectations will require a more efficient and effective mechanism for managing risks.

• Applying practical approaches — Identifying solutions and approaches to risk governance as a whole, and for each underlying component, will be a significant departure from legacy solutions. The new approach should be practical, dynamic and operationalized to realize tangible results.

• Designing a fit-for-purpose model — The new risk governance approaches being implemented should be comprehensive yet flexible. They should be customizable to the organization, its strategy and risk profile and applied equally at the group, parent or subsidiary level, as well as quickly adaptable to changes on any of those fronts.

• Managing the scale and pace of change — As they embark on this transformational initiative, firms need to be prepared to manage the change ahead of them. Significant effort and expertise are required to manage the broad-scale implementation and complex coordination necessary to achieve desired results. However, initial implementation efforts do not have to be all-encompassing; firms can take a modular approach.

The call for action by regulators and investors requires a prompt response by boards and senior management, who should expect a complex journey that will take time. Therefore, it is critical that work starts today. While the task ahead is formidable, firms will rise to meet this challenge if they are to promote growth, long-term profitability and their overall competitiveness. Addressing risk governance in an innovative and holistic manner will provide tangible results when executed in an integrated and structured manner.

© 2015 EYGM Limited. All Rights Reserved.
