This is an interesting read for financial institutions in Thailand, as risk management practice and relevant regulations here also reflect global trends and regulatory developments.
The overall feedback is that risk management must respond to “the new normal”—an environment of continual regulatory change and ever more demanding expectations.
The new regulatory landscape is placing demands on financial institutions in such areas as corporate governance, risk appetite, capital adequacy, stress tests, operational risk, technology data and information systems, and risk culture, to name only some areas of focus.
As financial institutions prepare to comply, they will need the flexibility, in both their business models and compliance programs, to respond to the seemingly inevitable next round of reforms.
We highlight some key findings from the survey here.
There is more focus on risk management by boards of directors, reflecting increased regulatory requirements, with 85 per cent of respondents reporting that their board currently devotes more time to oversight of risk than it did two years ago.
The most common board responsibilities are approving the enterprise-level statement of risk appetite (89 per cent) and reviewing corporate strategy for alignment with the risk profile of the organisation (80 per cent).
Other key findings include:
ERM is becoming standard practice. It has become a regulatory expectation for larger institutions to have an enterprise risk management (ERM) programme.
Ninety-two per cent of respondents said their institution either had an ERM programme or was in the process of implementing one, an increase from 83 per cent in 2012 and 59 per cent in 2008.
Progress in meeting Basel III capital requirements. Eighty-nine per cent of respondents at banks subject to Basel III or to equivalent regulatory requirements said their institution already meets the minimum capital ratios.
The most common response to Basel III’s capital requirements was to devote more time to capital efficiency and capital allocation (75 per cent).
In Thailand, this regulation has become effective and is being implemented in phases in line with global practice.
Increasing use of stress tests. Regulators are increasingly relying on stress tests to assess capital adequacy, and respondents said stress testing plays a variety of roles in their institutions, including enabling forward-looking assessments of risk (86 per cent), feeding into capital and liquidity planning procedures (85 per cent), and informing the setting of risk tolerance (82 per cent).
We are seeing more interest from local Thai financial institutions in utilising more complex stress tests, together with complying with local regulators’ requirements.
Low effectiveness ratings on managing operational risk types. Roughly two-thirds of respondents felt their institution was extremely or very effective in managing the more traditional types of operational risks, such as legal (70 per cent) and regulatory/compliance (67 per cent).
Fewer respondents felt their institution was extremely or very effective when it came to other operational risk types such as third party, cyber-security, data integrity, and model.
More attention needed on conduct risk and risk culture. There has been increased focus on the steps that institutions can take to manage conduct risk and to create a risk culture that encourages employees to follow ethical practices and assume an appropriate level of risk, but more work appears to be needed in this area.
Sixty per cent of respondents said their board of directors works to establish and embed the risk culture of the enterprise and promote open discussions regarding risk.
Increasing importance and cost of regulatory requirements. When asked which risk types would increase the most in importance for their institution over the next two years, regulatory/compliance risk was most often ranked among the top three, and 79 per cent felt that increasing regulatory requirements and expectations were their greatest challenges.
The most important impact of regulatory reform was an increased cost of compliance, cited by 87 per cent of respondents.
Risk data and technology systems continue to pose challenges. Focus is placed on a need for continued improvement to risk data and information systems. Issues related to data quality and information systems were also considered by many respondents to be extremely or very challenging in complying with regulations, including Basel III.
Cyber-attacks on corporations, including financial institutions, have increased dramatically in the last few years, requiring institutions to strengthen the safeguards for information systems and customer data.
Based on our survey, financial institutions are adjusting to the new environment for risk management. Most institutions will need to enhance their risk management programmes to stay current – improving analytical capabilities, investing in risk data and information systems, attracting risk management talent, fostering an ethical culture, and aligning incentive compensation practices with risk appetite.
They will find that business strategies and models must be reassessed in response to changed regulations more often than before. Perhaps most important, financial institutions will need to develop the flexibility to respond nimbly to the “new normal” risk management environment of unceasing regulatory change.
Somkrit Krishnamra is an enterprise risk services partner and financial services industry leader at Deloitte Thailand.