Risk Governance 2020: From Satisfactory To Effective and Sustainable
Americas
Peter Davis, Principal, Ernst & Young LLP, +1 212 773 7042
Tom Campanile, Partner, Ernst & Young LLP, +1 212 773 8461
Ted Price, Senior Advisor, Ernst & Young LLP, +1 416 943 3597
Mark Watson, Executive Director, Ernst & Young LLP, +1 617 305 2217

EMEIA
Chris Bowles, Partner, Ernst & Young LLP, +44 20 7951 2391
Patricia Jackson, Senior Advisor, Risk Governance Lead, Ernst & Young LLP, +44 20 7951 7564

Asia-Pacific
David Scott, Partner, Ernst & Young Advisory Services Limited, +852 2629 3614
Rob Walsh, Partner, Ernst & Young, +61 2 9248 4861

Executive summary

After years of regulatory reform, the financial services industry is experiencing a palpable shift in focus by regulators away from improving the financial strength to governance, structure and operations concerns. These issues are central to maximizing risk-adjusted performance and enabling resiliency and resolvability. A core concern in this context has been what can be described as “nonfinancial” risks, such as conduct, compliance and operational risk more broadly. The change in emphasis can be easily explained.

First, regulators are demanding significant enhancements to risk governance in the industry because they will no longer tolerate major control or conduct failures. A firm could lose its license in one or more jurisdictions for repeated or egregious offenses. In addition, supervisors are holding executives and directors personally accountable, unless the firm can demonstrate that it took all reasonable steps to prevent the breach. In some countries, executives can be jailed for major transgressions, and the potential impact on the businesses of further transgressions in terms of reduced opportunities and more costly funding makes conduct a prudential concern for regulators as well.

Furthermore, investors anticipate real change to continue. They are expecting firms to reset their business models and cost bases in light of new regulatory expectations and market pressures. Current low returns on equity are unsustainable.
Moreover, firm-level fines and settlements have escalated to the point where they can threaten the institution’s credit standing, and firms that cannot meet supervisory expectations run a higher risk of failure.

So what’s the answer? It cannot be ever-greater numbers of compliance or risk officers. That will certainly increase cost but likely not improve control.

The answer lies in not more but better risk governance — what EY calls Risk Governance 2020. Firms have to build on valuable changes made in recent years but go further to embrace fully embedded risk appetite frameworks across all dimensions of risk, strengthened risk accountability frameworks, increased control effectiveness, enhanced risk transparency, and an integrated approach to talent and incentives matters. Board oversight has to be further enhanced, and firms have to fully align their culture with their risk appetite.

This is no trivial task, and the core work in building a more integrated risk governance approach may take three to five years, though the journey will remain ongoing. It is critical that work starts today.

Whereas firms once addressed risk governance issues in isolation, they now need to work on issues collectively. Ongoing control failures highlight the interdependent elements of risk governance and show that effectiveness lies not in the size of the risk and compliance apparatus, but in its quality.

Regulators and investors recognize major changes are required and will not wait forever. They expect change to start immediately. Approaches need to be practical, conceptually sound and operationalized to realize tangible results.

If done well, firms can be better governed at a low cost and in a way that allows risk governance to enable the firm to compete successfully, and risk governance can move from being satisfactory to effective and sustainable.

A need for change

Many companies are realizing that winning in today’s complex and interconnected market means marrying global regulatory expectations with long-term strategic objectives. The financial crisis provided a rude awakening to boards, senior management teams and regulators alike, resulting in significant challenges for firms trying to adapt their business models to meet heightened financial stability expectations of regulators and other stakeholders. Risk governance, culture and control are now priorities for regulators; they are also the industry’s central concerns in light of unprecedented regulatory fines. Meanwhile, stakeholder expectations of robust governance balanced

stronger. However, for most, regulators have concluded that current approaches do not go far enough. Significant work remains to create a holistic approach that reaches day-to-day behavior at all levels of the firm and creates meaningful and sustainable change in the way business is conducted and overseen. Going forward, companies will have to take a more strategic approach to risk governance.
Risk Governance 2020 will help firms along the necessary transformative journey that realizes the full benefits of effective risk governance within a well-controlled environment, reinforcing the firm’s culture and desired risk behaviors. This is not a reprise of a traditional enterprise risk management (ERM) framework — instead, the process helps each element of risk governance to operate efficiently and effectively, alone and in coordination with other elements. This means adapting new approaches and processes to enduring components of ERM — notably risk accountabilities, risk appetite and control effectiveness — which have not universally been implemented across all facets of quantitative and qualitative risk. New elements, notably processes for establishing an appropriate culture and risk-based talent and incentives management framework, have to be integrated into the new risk governance approach.

To add to the complexity, risk governance change will have to take place at both the group and main subsidiary levels. Host country regulators globally are increasingly advocating for local subsidiaries and branches to demonstrate all the elements of effective risk governance, including local boards influencing matters of strategy, capital, business operations and regulatory compliance.

[Figure: Risk governance, with elements labeled Board risk oversight, Risk culture, Risk appetite framework, Risk accountability (3LoD), and Talent and incentives]

Each of the core components of Risk Governance 2020 should anticipate change:

• Fully embedded risk appetite frameworks: Firms have invested heavily in establishing and embedding RAFs, with some notable successes. They are much better placed today to manage risks. However, too few firms have embedded risk appetite for financial and nonfinancial risk down throughout the organization and developed robust approaches for identifying and managing nonfinancial risks. Given that the root causes of recent control failures are largely linked to nonfinancial risks, this is no longer acceptable to regulators. Firms will need to address conduct, compliance, legal and other nonfinancial risks in an analytical and forward-looking manner, regardless of historical measurement or quantification issues. Similarly, firms will need to push the risk appetite down into individual geographies; legal entities and products; and “run the firm” limits, policies and escalation mechanisms.

• Strengthened risk accountability/three lines of defense: Although firms have often said the front line is accountable for risks, in practice the second line has taken on responsibility for significant aspects of financial and some elements of nonfinancial risk. Furthermore, as some firms have focused almost solely on financial risks, roles and responsibilities across the three lines can often be ambiguous. The perceived dissonance between firm rhetoric and reality regarding front-line ownership of risk has prompted regulators to send a clear message that this situation is no longer acceptable. They have made front-line risk accountability a priority, expanded the definition of “first line of defense” beyond traditional revenue-generating units, and explicitly called for a strong three-lines-of-defense model, with clear roles, responsibilities and resources.
What is the way forward?

Significant effort lies ahead. It will be critical to define a road map for success that is tailored to the organization; this starts with an assessment of current state followed by a structured, measurable and integrated plan that includes the following considerations to arrive at the desired end state:

• Managing risk governance holistically — Firms will need to embark on this journey with the understanding that risk governance matters are more effectively addressed as a whole — across all dimensions of risk and considering all relevant inputs and outputs, rather than in a siloed and more limited manner using only more traditional inputs. Formulating a road map that addresses each component in unison will recognize the strong connections and interdependencies that exist.

• Balancing regulator and other stakeholder expectations — Regulators expect an organization to be well-controlled, while other stakeholders expect increased returns as well. Balancing these expectations will require a more efficient and effective mechanism to managing risks.

• Applying practical approaches — Identifying solutions and approaches to risk governance as a whole, and for each underlying component, will be a significant departure from legacy solutions. The new approach should be practical, dynamic and operationalized to realize tangible results.

• Designing a fit-for-purpose model — The new risk governance approaches being implemented should be comprehensive yet flexible. They should be customizable to the organization, its strategy and risk profile and applied equally at the group, parent or subsidiary level, as well as quickly adaptable to changes on any of those fronts.

• Managing the scale and pace of change — As they embark on this transformational initiative, firms need to be prepared to manage the change ahead of them. Significant effort and expertise are required to manage the broad-scale implementation and complex coordination necessary to achieve desired results. However, initial implementation efforts do not have to be all-encompassing; firms can take a modular approach.

The call for action by regulators and investors requires a prompt response by boards and senior management, who should expect a complex journey that will take time. Therefore, it is critical that work starts today. While the task ahead is formidable, firms will rise to meet this challenge if they are to promote growth, long-term profitability and their overall competitiveness. Addressing risk governance in an innovative and holistic manner will provide tangible results when executed in an integrated and structured manner.

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Ernst & Young LLP refers to the individual client-serving member firms of Ernst & Young Global Limited operating in the UK, US. Ernst & Young refers to the client-serving member firm of Ernst & Young Global Limited operating in Hong Kong. For more information about our organization, please visit ey.com.

EY is a leader in serving the global financial services marketplace

Nearly 43,000 EY financial services professionals around the world provide integrated assurance, tax, transaction and advisory services to our asset management, banking, capital markets and insurance clients. In the Americas, EY is the only public accounting organization with a separate business unit dedicated to the financial services marketplace. Created in 2000, the Americas Financial Services Office today includes more than 6,900 professionals at member firms in over 50 locations throughout the US, the Caribbean and Latin America. EY professionals in our financial services practices worldwide align with key global industry groups, including EY’s Global Wealth & Asset Management Center, Global Banking & Capital Markets Center, Global Insurance Center and Global Private Equity Center, which act as hubs for sharing industry-focused knowledge on current and emerging trends and regulations in order to help our clients address key issues. Our practitioners span many disciplines and provide a well-rounded understanding of business issues and challenges, as well as integrated services to our clients. With a global presence and industry-focused advice, EY’s financial services professionals provide high-quality assurance, tax, transaction and advisory services, including operations, process improvement, risk and technology, to financial services companies worldwide.

© 2015 EYGM Limited. All Rights Reserved.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.