Global Risk Management

Survey: Fifth Edition

Key Findings
Operational Risk Implementation and Its
Impact on Financial Institutions
December 11, 2007
Institute of International Bankers
Agenda
• About the Survey
• Key Findings
• An Operational View of Risk
• Basel II
• Targeting Operational Key Risks
• Challenges of Operational Risk
• Managing the Technology
• ERM and Beyond
• The Road Ahead

Copyright © 2007 Deloitte Development LLC. All rights reserved.

2
 About the Survey

– The Global Risk Management

Survey: Fifth Edition represents
our most recent examination of
the state of risk management in
the global financial industry
– The survey was conducted online
during the later part of 2006
– We solicited participation of
CRO’s or their equivalent at
financial services firms around
the world
– 130 financial services institutions
participated with an aggregate
asset size of almost $21 trillion
(USD)
– Respondents included global,
regional, and local institutions

Copyright © 2007 Deloitte Development LLC. All rights reserved.

3
About the Survey

• Participating institutions were

primarily commercial and retail
banks, and diversified financial
institutions
• The range of asset size for
participating institutions was from
smaller, regional institutions to some
of the worlds largest
• Headquartered in a variety of
geographic areas, participating
institutions tended to be global in
nature

Copyright © 2007 Deloitte Development LLC. All rights reserved.

4
 Key Findings
• The board of directors have increasing oversight responsibility for risk
management relative to previous years
• CRO position and role is being further accepted in financial institutions, with the
CRO reporting to the highest levels of management – board of directors & CEO
• Risk management for traditional risk areas such as credit, market and liquidity is
considered to be very effective, while other risk areas such as business
continuity/ IT security, operational, vendor and geopolitical risk was less effective
• Enterprise Risk Management programs have been implemented, are in the
process of being implemented or are in the planning stages for the majority of the
participating institutions
• For institutions that have implemented ERM programs, the total value exceeds
the cost. However the assessment of value is mostly qualitative
• Majority of participants have formal enterprise-wide Basel II programs. However
there is still significant work to be done in reaching Basel II qualification
standards – validation & testing, use test requirements, analytics and calibration
and AMA for modeling operational risk

Copyright © 2007 Deloitte Development LLC. All rights reserved.

5
 An Operational View of Risk
The Basel II Accord continues to
influence the development of operational
risk programs across financial institutions

With over 42% of respondents reporting

that they utilize operational risk “tools” to
identify risks within their operations

However, the primary driver in building

operational risk programs continue to be
to support “regulatory compliance”
initiatives

Copyright © 2007 Deloitte Development LLC. All rights reserved.

6
 Basel II
While the Basel II Accord may have increased awareness of operational risk
management, there continues to be more pressure and desire to focus on testing,
especially with the allocation of economic capital and the use of accurate data
• Many institutions reported that significant
work needs to be done to achieve key Basel
II qualification standards – especially in the
areas of:
– validation and testing
– use test requirements
– risk parameter analytics and calibration and
AMA modeling for operational risk
• The focus on accurate data for Basel II
purposes has also raised many larger data
issues throughout organizations such as data
governance, data policies and data testing.
However, data quality issues will continue to
garner more attention in the Basel II
programs with less than half of the
participating institutions considering their
current state to be good or excellent.

Copyright © 2007 Deloitte Development LLC. All rights reserved.

7
Basel II (continued)
Economic capital
• Institutions were more likely to calculate
economic capital for risks that are well
understood, such as credit, market and
interest-rate risk, and less likely to do so
for reputation, privacy and legal risks
• Larger institutions are more likely to adopt
more sophisticated approaches:
– Advanced Internal Ratings Based (AIRB)
– Advanced Measurement Approach (AMA)

• Institutions reported Regulatory capital

results often to be greater than economic
capital results – possible gap primarily due
to limitations in capital methodology
approaches for estimating strategic and
business risk

Copyright © 2007 Deloitte Development LLC. All rights reserved.

8
 Targeting Key Operational Risks
• While progress has been made in
implementing rigorous operational risk
management processes – driven
primarily by Basel II, overall results
remain mixed
– Roughly two-thirds of institutions had
substantially or fully implemented the ability to
identify operational risk types, while about half
had done so in documenting processes and
controls and in data gathering

• Operational risk program drivers:

– 80% of executives rated the need to respond to
regulatory activity, such as Basel II, as extremely
or very important drivers to their institutions’
focus on operational risk
– To support ERM initiatives (66%)
– In response to a request by senior management
or risk management leadership (56%)
– Due to loss events (55%)

Copyright © 2007 Deloitte Development LLC. All rights reserved.

9
 Targeting Key Operational Risks
• Operational Risk Management
Capabilities
– More than two-thirds of executives said their
institutions were at least somewhat capable in
areas reporting and data gathering
– Only one-half rated their institutions highly in
exposure calculations and in scenario model
building - many institutions have been engaged
in operational risk loss data collection activities
for years due to the need to build historical
databases, but have only recently focused on
scenario and model building

• Emerging Trends
– Integration of Risk Frameworks - there are
significant benefits to be gained by integrating
multiple risk frameworks such as Sarbanes-
Oxley, regulatory compliance, compliance with
internal policies and procedures, IT risk, risk
inherent in business processed, and HR risk
– Operational Risk Management Technology - the
growing sophistication of operational risk
management technology has substantially
increased the capabilities available to firms

Copyright © 2007 Deloitte Development LLC. All rights reserved.

10
Challenges of Operational Risk Management
• Developing awareness and
accountability of operational risk
management continues to be a
struggle for most organizations. While
credit and market risk programs have
had track records and disciplines to
support their successes, operational
risk continues to be a relative
newcomer with reporting to senior
management a significant hurdle to
manage within organizations.
• ORM Tools, although more abundant in
today’s market place, continues to be a
struggle for organizations due to the
integration challenges to existing
legacy systems.

Copyright © 2007 Deloitte Development LLC. All rights reserved.

11
 Managing the Technology
Technology plays a critical role in any successful operational risk program. Basel
II has significantly expanded the requirements for better loss data, scenario
analysis methods, capital calculations, risk and control self-assessment programs
and key risk indicators.
• The current survey shows that financial institutions
continue to struggle with many fundamental
technology challenges-with integration at the top of
the list of risk management concerns.
• The most common cited factor in the selection
criteria for risk systems was the ability to integrate
with existing systems.
• Most institutions have had credit and market risk
management systems for some time. However,
Basel II’s requirement for operational risk
management have made this a relatively new area
for risk management technology investment.
• Some firms are attempting to develop integrated
operational risk and compliance platforms to
increase efficiency and reduce their overall
spending to support risk management and
compliance.

Copyright © 2007 Deloitte Development LLC. All rights reserved.

12
 ERM Landscape & Beyond
While the growth of Enterprise Risk Management continues, operational risk will
maintain progress toward greater emphasis of risk quantification to better
understand risk exposures and to better align itself to a wider range of risks for the
organization
•The survey highlighted some clear
areas of opportunity in ERM
implementation. While roughly 90%
of Institutions have included market,
credit and operational risk under the
ERM program, only 63% say IT
security is covered by ERM and 58%
include business continuity. Even
fewer institutions covered risks such
as strategic, privacy or geopolitical.

•Many institutions need to continue to

broaden the scope of their ERM
programs to include the full range of
risks they face.

Copyright © 2007 Deloitte Development LLC. All rights reserved.

13
 The Road Ahead
• The fifth edition of our Global Risk Management Survey underscores the fact that
risk is clearly assuming greater visibility in financial institutions, and responsibility
for risk management is being placed at the highest levels of most organizations
• But while progress has been real, many institutions have much more to
accomplish to truly achieve a comprehensive approach that actively identifies,
assesses, and manages the full range of risks they face
• The trend toward a strategic approach to risk management is likely to continue—
and we believe that the institutions that take a leading role in this evolution will be
in a position to use risk management as a key competitive tool

Copyright © 2007 Deloitte Development LLC. All rights reserved.

14
Thank You
Edward Hida
Partner, Risk Strategy & Analytics Service Line Leader
Regulatory & Capital Markets Consulting
Deloitte & Touche LLP
+1 (212) 436 4854
ehida@deloitte.com

Survey and related links:

• Survey report: www.deloitte.com/us/riskmanagementsurvey
• Podcast: www.deloitte.com/us/podcasts/RiskInFinancialIndustry
• Dbriefs webcast: www.deloitte.com/us/dbriefs-> Financial services -> “Accelerating Risk
Management Practices: Applying Insights from Leading Global Institutions”

Copyright © 2007 Deloitte Development LLC. All rights reserved.

15
About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. Deloitte
Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on
client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of approximately 135,000
people worldwide, Deloitte delivers services in four professional areas, audit, tax, consulting and financial advisory services, and serves more than
one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-
growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein and, for regulatory and other reasons, certain
member firms do not provide services in all four professional areas.

As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions.
Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche
Tohmatsu” or other related names.

In the United States, Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of
Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP, and their
subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the U.S. member firm are among the nation’s leading professional services
firms, providing audit, tax, consulting, and financial advisory services through nearly 40,000 people in more than 90 cities. Known as employers of
choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit
the U.S. member firm’s Web site at www.deloitte.com

Copyright © 2007 Deloitte Development LLC. All rights reserved.

16