Non-Financial Risk Management Insights Series Issue # 1 Risk Taxonomy and Risk Identification

Transcription

1 Non-Financial Risk Management Insights Series Issue # 1 Risk Taxonomy and Risk Identification A thorough analysis of a bank s risk profile that takes into consideration its business model and strategic direction is a fundamental prerequisite of an effective risk and control management framework; it necessitates a comprehensive risk taxonomy and a dynamic Risk Identification process.

2 We are pleased to welcome you to our Non-Financial Risk (NFR) Insights series. The series serves as a continuation of our original Point of View: The pressing case to design and implement a Non-Financial Risk Management Framework. 1 Each release will focus on one of the implementation categories: Technology Governance Reporting Culture Risk Appetite Supervision and Control Model Risk Identification Measurement and Monitoring 1

3 Introduction In the post-financial crisis era, most unexpected losses in financial institutions have emanated from non-financial risks. In general, risks have not been effectively controlled and in some cases, risks have not been identified, measured, or supported by models and capital. Institutions will therefore need to take a more holistic and systematic approach to identifying, assessing, and mitigating risks, including relatively new risk types and risks with increased focus (e.g., conduct-, cyber- and model-risk). Identifying and managing all risks relevant to the organization, based on a strong risk taxonomy that comprehensively covers financial and non-financial risks is a prerequisite to implementing a sound risk management framework. Material risks need to be considered in the ICAAP and ILAAP processes by allocating capital and liquidity respectively or by documenting a justification for not holding capital or liquidity to cover these risks In addition to these requirements, many financial institutions supervised by the ECB have received guidance suggesting they should expand their non-financial risk frameworks and manage emerging risks more effectively. In the United States, Risk Identification is a key component of CCAR stress-testing programs, and the Federal Reserve has published similar relevant expectations. Challenges It is particularly difficult to identify new and emerging material risks. It is in these cases that a dynamic Risk Identification process is most helpful and indeed necessary. The experience with operational risks is that banks data capabilities can inhibit timely identification and mitigation of new and emerging risk types; similar challenges can be extrapolated to other non-financial risks. Our approach Deloitte s Non-Financial Risk Management Framework provides guidelines for implementing a robust Risk Identification process, as well as a comprehensive risk taxonomy informed by extensive experience of risk identification exercises across a wide range of banks (cf. Fig. 1). A comprehensive risk inventory developed through a consistent, dynamic and wellgoverned Risk Identification process can help inform and enhance capital adequacy, strategic planning, stress testing and other downstream risk management processes and capabilities. Regulatory expectations In Europe, Risk Identification is a key component of ICAAP and ILAAP; the Supervisory Board of the ECB has published specific expectations, 1 including: Institutions should implement a regular process for comprehensively identifying all material risks across legal entities, business lines, and exposures at least annually Fig. 1 Deloitte has developed a set of tools and frameworks to help implement an effective and dynamic Risk Identification process Approach Activities cover four workstreams Regulatory Expectation, including optional technology driven solution The FED has set clear expectations for risk identification 1 PMO 018 Deloitte Inventory Technology Downstream uses* = applicable Large and Activities Expectations from the regulator Risk Identification Timeline complex Other Conduct data collection ( incl. existing risk reports and Month 1 Responsibility tools (e.g. top risks, control heat institutions* institutions** map) Central team Compile preliminary inventory with risk type Assess The material Risk risks across identification the enterprise process to capture covers risks stemming four phases from the firms and includes all three lines of defense LoBs across categories using event owners or Conduct workshops with lines of businesses to refine Process unique business activities and associated exposure templatess preliminary inventory and perform risk assessment Consolidate preliminary risk inventory Establish formal process and continuously m onitor material risk and update the risk Quarterly Meet with senior management & to review and challenge consolidated assessment Central team risk Phase regularly inventory I Compile preliminary inventory II Assess inventory III Consolidate and Review IV Downstream uses board of directors Project management Review and refine existing risk Segment risks beyond generic categories such as credit risk generic segmentation taxonomy beyond Build process to update and monitor risk inventory on regular basis (e.g., quarterly for material Capture risks) risks driven by Identify on - balance and create sheet a positions & off Supplement - balance and sheet edit risk exposures Compile, consolidated Risk Identify and integrate with Inventory Processing Develop standardised scorecard for the firm s business model preliminary and inventory other firms of risk - specific determinates events identified in (e.g. Phase regional I Inventory eliminating other business as usual risk Design materiality framework to identify emerging risks Inventory risk assessment Identify key drivers and exposure concentrations, operational events complexity) across all risk types Complete list based on duplication, grouping processes where relevant Define logic to capture risk events Include for each risk event events under as per normal the risk taxonomy ( incl. scenario and model development) as well as stressed business conditions perspective common risk events (e.g. risk appetite, control in capital Key planning Central team / Document how selected risk events are Incl. difficult - Inventory must also carry Leverage risks risk that reports only and impacting multiple lines of effectiveness, reporting, risk type owner capital planning process, business Activities materialize under Assess stressed each risk scenarios and its to- quant. risks considered in the Central team Calculate capital impact (e.g. CET measurement tools where business/functions governance, ) LoBs as usual management and stress) should aggregate risks, including by controls business using activities the Risk or products. for the selected risk events 1, Tier 1, total capital) Respective risk unit Collect system requirements possible to collectively identification impact Challenge output of this risk Feed output of the Risk a risk inventory Governance list by Board/ senior Identification process into across the organization Seek input employ from multiple Stakeholders across the bank to identify material risks Central team Identify potential software solutions Generate preliminary risk assessment score card inventory management and internal capital adequacy process Issue RfP and settle specific solution LoBs should consult with senior management before allowing any exceptions to risk limits to implement (incl. senior management audit sign IT Management Implement solution in a testing environment, lay Demonstrate - off) how material risks are accounted for in the capital planning process foundation for organizational wide roll Risk reports and tools Preliminary risk inventory Refined risk inventory (incl. Consolidated risk inventory Test implemented Downstream solution for errors, (CPP enhance ), incl. robustness those that are insufficiently captured by models (e.g. non - quantifiable risks) - out Roll - out system based solution across the organization uses Use identified Inputs SME input into risk event Scorecard with quantitative risk assessment) Further input depending on material risks to drive capital adequacy analysis and planning (i.e. template and qualitative measures * Activities depending on downstream uses; example here uses (e.g. capital planning) development of stress scenarios, assessment of capital sufficiency post - stress and adequacy is capital planning & stress testing of capital management actions) Sign - off Sign - off test solution, Risks from new businesses should be identified risk inventory & captured before commencing kick - off itrollout *Banks that are either (1) subject lines of Head of business/ Board and senior Head of capital planning 16 Committee (LISCC) framework Responsibility consolidated total on -balance sheet to the FED s Large Institution businesses Supervision Coordinating functions or () foreign have exposure total consolidated of $10 billion assets or more. ** Banks that (1) are not subject to the LISCC management framework or () have total consolidated assets Owners of relevant risk of $50 billion or more or $50 billion but $50 billion or have consolidated total on - balance sheet foreign exposure of 018 Deloitte Source: FED SR Letter < $10 billion processes Internal audit 15-18, FED SR Letter and Docket No. OP Deloitte 9 Institutions should define an internal risk taxonomy and maintain a complete risk inventory The Risk Inventory should incorporate an inherent risk assessment as well as a definition of materiality and involve the management body Cf.: ECB Supervisory Board, Multi-year plan on SSM Guides on ICAAP and ILAAP; February Cf.: FED SR Letter 15-18, FED SR Letter and FED Docket No. OP- 159.

4 A key aspect of a successful Risk Identification implementation is compiling risk events consistently across the institution, and for all risk types along the risk taxonomy, into a structured inventory to establish a comprehensive view of all risk events, including hard-to-quantify risks (e.g., strategic risk events). For this purpose, Deloitte has developed a tool-kit for compiling and evaluating risks through a systematic assessment process. Furthermore, our Risk Identification approach and tools can be linked to an organization-wide risk assessment, for which it is essential to consider quantitative (e.g., P&L impact) and qualitative factors and effectiveness of controls. Our experience shows that the involvement of all three lines of defense and senior management is necessary in order to ensure an adequate review, while simultaneously raising awareness in the organization. In general, risk practitioners will need to work more closely with business line representatives to leverage insights gained from a holistic Risk Identification approach and to strengthen downstream capabilities, such as strategic planning, stress testing, and capital adequacy. Maturity model and prevailing practices We have observed differing degrees in sophistication about Risk Identification; most firms are still at the Lagging and Moderate levels of maturity (cf. Fig. ). Conclusion Our structured Risk Identification approach strengthens the monitoring, detection, and management of nonfinancial risks and is designed to establish a basis for an effective risk and control management framework. Enhancing risk management capabilities to address newer non-financial risks starting with a holistic Risk Identification process is a key component of what we envision will be a common practice in future risk management frameworks. The next release of the Non-Financial Risk Management Insight Series will focus on Risk Appetite. Fig. Risk Identification maturity model (extract) Leading Dynamic, inclusive, consistent and comprehensive risk identification process across the organisation Integrated into an effective control framework and downstream risk management uses (e.g. capital planning, stress testing, risk appetite) Advanced Risk identification process backed up by efficient IT solution and sound data infrastructure Strong involvement of multiple stakeholders including all three lines of defense review by senior management and board Moderate Set-up of risk identification process across the organization and along a comprehensive risk taxonomy Risk assessment performed by individual functions or lines of business not always consistent Lagging Individual risk identification processes across lines of business and functions not supplemented by any top down view No aggregation of risks in an organization-wide risk identification For an in-depth discussion on The Future of Risk see

5 Your Contacts Michael Pieper Director Risk Advisory Hans Juergen Walter Partner Financial Services Industry Deloitte GmbH Wirtschaftsprüfungsgesellschaft ( Deloitte ) as the responsible entity with respect to the German Data Protection Act and, to the extent legally permitted, its affiliated companies and its legal practice (Deloitte Legal Rechtsanwaltsgesellschaft mbh) use your data for individual contractual relationships as well as for own marketing purposes. You may object to the use of your data for marketing purposes at any time by sending a notice to Deloitte, Business Development, Kurfürstendamm, Berlin or kontakt@deloitte.de. This will incur no additional costs beyond the usual tariffs. This communication contains general information only not suitable for addressing the particular circumstances of any individual case and is not intended to be used as a basis for commercial decisions or decisions of any other kind. None of Deloitte GmbH Wirtschaftsprüfungsgesellschaft or Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte network ) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see for a more detailed description of DTTL and its member firms. Deloitte provides audit, risk advisory, tax, financial advisory and consulting services to public and private clients spanning multiple industries; legal advisory services in Germany are provided by Deloitte Legal. With a globally connected network of member firms in more than 150 countries, Deloitte brings worldclass capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte s more than 6,900 professionals are committed to making an impact that matters. Issued /018