Driven by the fallout from the financial crisis and increased regulatory scrutiny, the risk function at financial institutions is shifting from its traditional focus on measurement, compliance and control to providing a forward-looking view at the heart of decision making, in the boardroom and throughout the organization. These are among the key findings of a global survey of more than 50 banks, representing 42% of global banking assets, conducted jointly by McKinsey & Company and the Risk Management Association (RMA) to determine the current state of banks’ enterprise risk management (ERM) practices and core capabilities. The results of the survey are included in a report released today, called Enterprise Risk Management: Shaping the Risk Revolution.
Conducted over a year-long period, the research was designed to help banks develop a common understanding of ERM and to articulate the current state of the art. The survey included leading institutions in the Americas, Europe, the Middle East and Asia-Pacific regions. The survey sample was roughly equally distributed among these regions, and also with respect to size, regulatory regime and business model. A key element of the survey was an intensive syndication of the results with the majority of participants, including an exchange of key insights developed by the banks themselves and participant workshops on potential areas of improvement.
The research produced several intriguing findings:
■ Banks generally believe that they have already progressed well in improving their ERM capabilities, but more than half believe that they are not yet cutting-edge. Almost all participating banks plan to make a transformational change in at least one area of ERM within the next 12 months.
■ Banks are increasingly exposed to non-traditional risks (cyber risks, regulatory risks and new forms of macro risks), but many do not cover or assess these adequately.
■ Regulators are increasingly skeptical about banks´ internal—and often complex and opaque—risk modeling and measurement approaches. The debate around the future of internal risk modeling, how to capture qualitative and judgmental information and how to move from a backward to a more forward-looking risk assessment is becoming increasingly controversial.
■ 80% of participating banks believe they successfully integrate stress testing into strategic decision making, but the evidence from the research suggests that there is, in fact, considerable room for improvement, since banks rely on the supervisory stress-testing methodology and the specifics of the business model are often not appropriately reflected. The difficulties of EU banks in the current “Comprehensive Assessment” and “Asset Quality Review” is also evidence of the weakness that many banks identified in their IT and data management.
■ Banks think their risk appetite statements are adequately defined, but concede that these statements are neither well-integrated with core planning processes, nor fully cascaded throughout the organization with actionable key performance indicators (KPIs). For example, more than half of the banks still do not cascade credit and/or market risk metrics beyond the business-unit level.
■ Banks perceive that the quality of their risk-related decisions and processes varies. The potential for improvement is especially significant in capital-allocation and talent-management processes.
■ In an environment of increasing cost pressure, functionally aligned risk groups are perceived to be more effective and significantly more efficient than divisional risk functions. Despite the growing volume in regulatory requirements, more than half of the banks surveyed expect to keep the size of their risk organization stable in the future, and 20% of banks even plan to reduce the size by more than 5%.
“The goal of our research is to help banks improve communication and interaction on risk and return across the organization, both vertically—to connect the board room with the engine room—and horizontally - to ensure frontline activities are aligned with risk strategies and risk management,” said Hans Helbekkmo, an expert principal in McKinsey’s Banking & Securities Practice.
“Getting out in front of fundamental change in risk management is critical for banks,” said RMA Director of Enterprise Risk Mark Zmiewski. “The financial industry is struggling to integrate enterprise risk management into a coherent whole that reliably informs enterprise-level decisions. A strategic and holistic approach to risk management has become essential.”