Seven years on from financial crisis, banks now looking for blueprints for risk accountability, treatment of non-financial risks and sustainable business models

• Banks under considerable pressure from investors on ROE - investors pressing for cost reductions and business model change
• Top three priority risk areas for boards of directors: implementation of new regulatory rules, cybersecurity risk and risk appetite
• Challenges in industry as more than 60% of banks are changing their three lines of defense'

While banks have materially strengthened their risk management approach from the board level down across risk, compliance and controls since the financial crisis, the industry is still searching for the appropriate blueprints to establish effective risk accountability across the three lines of defense. This is according to EY's 2016 global banking risk management survey, " set of blueprints for success."

The global survey of banks carried out by EY and the Institute of International Finance (IIF) follows the industry's progress in improving risk management by surveying senior risk executives. This year, 67 banks from 29 countries participated in the survey. This includes 23 of the 30 institutions described as "global systematically important banks" (G-SIBS).

Tom Campanile, Partner, Financial Services Office, Ernst & Young LLP, says:

"Banks have made considerable strides in terms of risk management enhancements since the crisis. However, regulations are still changing and industry approaches on emerging or evolving areas such as non-financial risks and increased IT security threats are still maturing. This suggests a long road ahead for banks. Finding a sustainable risk management operating model that will be flexible through this current market environment will be essential to success."

Although the survey highlighted that significant progress has been made so far, banks may be halfway through what could be a 15-year journey of substantial work to enhance risk management processes. Additionally, increased investor pressure to achieve higher, stable returns have resulted in banks converging toward an industry norm of three-year ROE targets of 10% to 15% across G-SIB and non-G-SIB banks, forcing banks to adapt their business models to meet these targets.

Andrés Portilla, Managing Director of the Regulatory Affairs Department at the IIF, says: "Banks are still under huge pressure on different fronts, and the risk management function is evolving rapidly to cope with the changes in the economic and regulatory environments. As this report shows, it is about embedding the concept of risk throughout all the processes and business of the organization, for which a period of regulatory stability is essential."

EY and the IIF have also identified the continued significance of non-financial risks that pose major financial strains on the business. Specifically, focus on a wide range of conduct areas has increased - money laundering (increased to 72% from 52% in 2015) and sanctions (increased to 52% from 30% in 2015) have moved significantly up the agenda. Cybersecurity has surged with almost half of respondents (48%) highlighting cybersecurity as one of the three most important risks for their board over the next year.

Effective implementation of the three lines of defense blueprint

According to the survey, banks have greatly stepped up their efforts to make a fully functioning three-lines-of-defense approach to risk management work, but there is still no agreed blueprint within the industry on the balance of responsibilities across the first and second lines - with many firms working to enhance the responsibility of the first line.

More than 60% of banks highlighted that they are currently changing their three lines of defense model. Top reasons for doing this includes significant focus on the first line including:

• Making the first line accountable for end-to end risk (38%)
• Making the first line more clearly accountable for non-financial risk (28%)
• To make the first line more clearly accountable for financial risk (27%)

'

Banks are also looking at the effectiveness and efficiency of the second line functions - in particular better technology and more advanced data analytics are essential, as are properly implemented centralized teams for common, repeatable tasks (such as testing). Such approach would allow firms to deliver the right risk outcomes cost-effectively.

Developing a working blueprint to address non-financial risks

The industry, and G-SIBs in particular, continue to focus on addressing non-financial risks more effectively. Banks recognize that they need the management of risk to be part of everyone's job, not just those in risk and control roles, and are testing and enhancing controls frameworks.

Significant changes have been made to improve the management of non-financial risk. Banks are attempting to reduce non-financial risk by reducing complexity of products (57%); exiting products (63%); improving employee training (67%) and strengthening risk culture and employee behavior by enhancing messaging and tone from the top (90%). Importantly, they are also enhancing their forward looking and analysis of intrinsic non-financial risks and embedding non-financial risk into other risk management initiatives.

In addition to addressing conduct issues, banks are focusing on three main areas: operational risk, cybersecurity and vendor risks. Firms report clear focus on operational risk (with 77% of them reporting devoting more time to it as compared to last year). Cybersecurity has shot up to the top of the CRO agenda, ranking second (51%) in the list of top five concerns over the next year.

Navigating toward a blueprint for a sustainable, long-term business model

The report highlights the combined effect of lower profitability because of economic conditions and low interest rates and higher regulatory capital on ROEs. Respondents say their investors are pushing for higher ROEs (82%) and reduced costs (79%). Banks express major concerns about the regulatory proposals to increase capital further and reduce risk sensitivity. Overall it would have the effect of making yet more areas of core lending activity unprofitable.

• The capital, liquidity and leverage changes under Basel III have led banks to rethink their business model as a large percentage of G-SIBs (83%) and non-G-SIBs (67%) are evaluating asset portfolios. Over 48% of respondents are exiting business lines and 27% are exiting countries.
• It is projected that the cumulative reforms to the Basel III capital framework - often referred to as "Basel IV" - could have a particularly negative impact on banks. The survey highlights that changes to internal ratings-based (IRB) models are a major concern as 63% of respondents highlighted that the models could change the economics of some areas of business. Concerns also exist regarding fundamental changes proposed on the treatment market and operational risks.
• Additional changes including the standardized measurement approach (SMA) for operational risk will drive up capital, especially for G-SIBs - with 67% expecting a significant or moderate increase; and the fundamental review of the trading book (FRTB) will greatly impact trading and investment banks.

View the report online here.'  Follow us on Twitter: @EY_Banking and @IIF

###

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.

About the IIF

The Institute of International Finance is the global association of the financial industry, with close to 500 members from 70 countries. Its mission is to support the financial industry in the prudent management of risks; to develop sound industry practices; and to advocate for regulatory, financial and economic policies that are in the broad interests of its members and foster global financial stability and sustainable economic growth. IIF members include commercial and investment banks, asset managers, insurance companies, sovereign wealth funds, hedge funds, central banks and development banks.' For more information visit www.iif.com.

'

About the survey
This is the seventh annual risk management survey that EY and the IIF have conducted. From April through July 2016, in cooperation with the IIF, EY surveyed IIF member firms and other top banks from around the globe.'  Participating banks' chief risk officers or other senior risk executives were interviewed by EY or completed an online survey, or both. A total of 67 banks across 29 countries participated in the study.'