Boards at a substantial number of the world’s largest financial institutions are still failing to do enough to address risk management.
According to Deloitte’s Global Risk Management Survey, just 60% have open discussions about risk.
The survey found half of respondents believed it was their risk management team’s role to consider executive pay against corporate culture.
But 85% of respondents said that risk was discussed more than it was two years ago. Deloitte said that this continued a trend of “ratcheting up” involvement by boards in providing risk oversight, “which we expect to continue”.
Edward Hida, Deloitte’s global risk management leader, said: “Regulators are looking beyond solely quantitative measures of market, credit, and liquidity risk to assess whether institutions have created a culture that encourages employees to take appropriate risks and that promotes ethical behaviour more broadly.
“This new focus on risk culture and ethics is more than just ‘buzzwords’—it is a very real thing with teeth. Banks are responding to the regulatory focus on culture by establishing new oversight committees, offices, and policies, while also struggling to develop the right approaches to measure and assess risk culture.”
Deloitte concluded that more attention was needed for operational risk. Around two-thirds of respondents said their organisations were extremely or very effectively managing traditional operating risks like tax and legal. But when it came to risks such as third parties, the figure was 44%, with cyber-security at 42% and data integrity at 40%.
“For the last several years, risk data and technology has been an area in which we continue to see significant challenges,” said Hida. “Regulators expect financial institutions to provide timely information on such issues as capital, liquidity, stress testing, risk utilisation, resolution planning, consumer protection, and Volcker Rule compliance.
“Data on these and other areas need to be timely, accurate, and consistently aggregated across the enterprise. More broadly, we see that institutions will need to enhance their risk management programmes to stay current—notably in improving analytical capabilities and attracting risk management talent.”