Deloitte.

Global riskmanagement survey,seventh editionNavigating in achanged world

Financial Services

Foreword

Dear Colleague.

We are pleased to present Delaine's Global n'sk management survey, seventh edff.ion. our latest assessment of the state ofrisk management at financial services institutions around the world.

The financial services Industry Is emerging from an extraordinarily unsettled period. The global financial crisis was marked bymarket ""Iatility, a lack of liquidity In many financial markets, and h";ghtened systemic risks. The turmoil of the last se""ral

years has underscored the critical Importance of risk management and led government offidals. regulators. and Industryleaders alike to set new expectations for risk management.

Regulatory reqUirements are being rethought and fundamentally revised with the goal of redudng systemic risk to thefinandal system. Therefore. the boards of directors and senior management of finandallnstitutions are reexamining theirapproaches to risk management. including their risk frameworks. governance, and methodologies.

At many Institutions, boards of directors are taking a more active role In providing oversight of risK management, Indudlngestablishing the risK management policy and framework and approving their institution's risK appettte. More institutions havea Chief RisK Officer, who is often a member of the senior management team and has direct access to the board of directorsor the board's risK committee. E.nterprise risK management programs are becoming more commonplace across the Industry,and at many institutions, espedally In E.urope and Canada, the work of implementing Basel 11 has been largely completed.

But while progress has been made, risK management now faces even more rigorous requirements. There is likely to bewider use of tools that have been demonstrated useful In measuring risks, such as stress tests; the precision of risk models

may also be evaluated more dosely. Institutions that have not already adopted enterprise-wide risK management programsmay be more likely to do so. Senior management at many Institutions may consider how they can build a more risK·awareculture, in part by Incorporating risK management considerations into perfonnance goals and compensation decisions for key

employees throughout the organization.

Financial services institutions may also need to be prepared to comply with fundamental regulatory change. The Basel IIIframework includes requirements for higher levels of capital and greater liquidity. There are also important changes toregulatory frameworks in Individual countries: The 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act

constitutes the most important set of changes to financial regulation in the United States since the 19305; similar regulatorychanges are proposed for the E.uropean Union; and the United KIngdom has announced plans to abolish the RnandalServices Authority and to have the Bank of E.ngland assume a greater role in prudential regulatory oversight.

Delaine's SUlVey provides a picture of the state of risk management as financial services Institutions respond to enormouschanges across the industry. This assessment Is based upon the responses of 131 financial Institutions from around the worldwith more than $17 trillion In total assets; we wish to express our appreciation to each of the Institutions that participated.

We hope that this survey report provk:les you with useful Information about how financial Institutions are navigating thechallenges of risK management today and encourages a dialogue that can help enhance risk management in a changed world.

Sincerely,

Edward T. Hida II, O'AGloball£ader - Risk & capital ManagementGlobal Financial Services IndustryDeloine Touche Tohmatsu Umited

As us~ in the document, "Delcitte" refers to Delaitte Touche TotYnatsu Umited, a U.K. private company li"nited by guarantee, and its network. ofmember firms, each of which is a legally separate and i1dependent entity. Please see WVvW.deIoiUe.con'V'abollt. for a detaled description of the legalstructure of DeIoitte Touche Tohmatsu limited and its member rrms.

Global risk: management survey, seventh edition Navigating in a changed world 1

Executive summary

After the turmoil of the global finandal crisis characterizedby financial market dislocations and loss of liquidity, I

many world economies and finandal markets appear to

be strengthening, but serious concerns remain. Althoughthe financial services sector is recovering, institutions arenot returning to the same playing field; instead. they areopera~ng in a changed work! marked by fundamental shifts.During the last fe.w years. risk management assumptIonsand methods have been challenged as never before.

As a result, many institutions are rethinking their riskmanagement gavernance models, including a moreactive role for their boards of directors in overseeing riskmanagement. Some risk management methodologies mayneed to be reassessed and validated to assess whether theyadequately measure the "tail" risk from rare, but potentiallycatastrophic, events. Many institutions are revising theirbusiness models in response to the global financial crisisand the regulatory changes that have resulted, and so riskmanagement programs may need to adjust accordingly. Awave of regulatory change will almost certainly mean greateroversight especially for Institutions that are deemed to besystemically Important.

Deloitte's Global n'sk management survey; seventhedition, assesses the state of risk management in this newenvironment. The survey was conclUded during the thirdquarter of 2010: 131 financial institutions from around the

word, with aggregate assets of more than $17 trillkln and

representing a range of financial services sedors, participated.

Key find ings

Roughly 90 percent of Institutions had a defined riskgovernance model and approach, and 78 percentreported that their board of directors had approved theirrisk management policy or enterprise risk management(ERM) framework.

The position of chief risk officer (CRO) continued tobecome Increasingly prevalent. Eighty-six percent ofinstitutions had a CRO or equivalent position, up from 73

percent in 2008 and 65 percent In 2002. The eRO hasbeen ghien a high profile, reporting to the board level

or to the chief executive officer (CEO), or both, at 85

percent of institutions. Fifty-one percent of institutionsreported that the board of directors conduds exerutivesessions with the CRO, compared to 37 percent in 2008.

In the wake of the global financial crisis, the importanceof incorporating risk management considerations intoperformance evaluations and compensation decisionshas been Widely discussed; thirty-seven percent ofinstitutions reported that they had completely orsubstantially done so for business unit personnel.

More institutions have adopted ERM programs, as79 percent of institutions reported haVing an ERMprogram or eqUivalent in place or In progress, anIncrease from 59 percent in 2008. The greatestchallenges in implementing an effective ERM program,cited by roughly a quarter of institutions as extremelyor very challenging, were integrating data across theorganization and cultural Issues.

Institutions v.oere far along in Basel II implementation,with 70 percent or more having fully or mostlycompleted Implementation in the areas of externalagenc.y ratings (for the standardized approach),calculation and reporting, internal audit revieY-I,and governance and controls. Roughly one-third ofexecutives expected that the Basel II rule revisionsannounced in July 2009 would have significantImpacts on their strategy In such areas as entering newgeographical markets, changing their business model, orconduding mergers and acquisltions.2

I -A defining characteristic of the aisis was the depth and duration of the systemic liquidity disruption to k.ey funding markets-that is, thesimultaneous and protracted inability of financial institutions to roll over or obtain new short-term funding across both markets and borders:Gfob61 FinancialStabi/ity Report SoverngM, Funding and Systemic liquidity, International Monetary Fund, October 2010.

l The Basel Committee has continued to strengthen its bank supervisory standards, particularly regarding banking regulatory capital andliquidity requirements as noted in its December 2010 releases, Base/III: A g/obal regulatory jrameworkfor more resilient banks and bankingsystems, and Baul Iff: /nternational/rameworkjor liquidity risk measurement, standards and monitoring.

2

• For Insurance Institutions subject to Solvency II, 70percent or more said they plan to focus over the next12 months on program Initiation, gap analysis, andplanning; risk governance; and Own Risk and SolvencyAssessment (ORSA).

• Although the percentage of Institutions that calculateeconomic capital Increased since 2008, the practice wasfar from universal. Roughly two-thirds of Institutionscalculated economic capital for credit risk, market risk,and operational risk, while 29 pertent did so for liquidityrisk and 17 pertent for strategic risk.

• The use of stress testing Is Increasingly commonplaceacross the Industry, supplementing the use of Value atRisk (VaR) and ather risk analytlcs. Elghty-elght pertentof Institutions used stress testing for risk tactors affectingtheir credit portfolio, an Increase from 79 percent In2008, while 74 percent conducted stress testing formarket risk In their trading book.

• More than 80 percent of Institutions experiencedsignificant Impacts from regulatory changes In thecountries where they operate; at 40 percent ofresponding Institutions, these Impacts Induded theneed to maintain higher capital levels and the need tomaintain higher liquidity ratios.

• Progress has been made by many InstitutionsIn Implementing operational risk managementmethodologies. Roughly 60 pertent of executivesconsidered their operational risk assessments andIntemalloss event data to be extremely or very welldeveloped, an Increase from roughly 40 pertent In 2008.

• Many Institutions reported that they have additionalwork to do In Improving their risk technology systems.Whllethree-quarters of executives considered theirInstitutions to be extremely or very effective In managingcredit, market, and liqUidity risk, a lesser 60 percentconsidered their technology systems to be very effectiveIn supporting the management of credit and marketrisk, and 47 percent expressed the same concemlngthe management of liquidity risk. In terms of likelyrisk management technology Improvements dUringthe coming year, data quality and management andenhanced risk reporting were the two areas given thehighest priority by survey respondents, at 48 pertent and44 pertent, respectively.

The current economic and regulatory environment posesmany challenges for financial Institutions and In tum for riskmanagement. Having flexible risk management programsmay help flnandallnstltutlons to be effective In adapting tonew business models and changing regulatory requirements.Large, systemically Important financial Institutions mayalso have additional steps to comply with Increasedcapital, IIquld~ reportIng, recovery, resolutlal, and otherrequirements.

Strong risk governance continues to Increase In Importance,and boards of directors will likely need to continue to beactively Involved In providing Input Into, challenging, andapproving the risk management frame'tNork and overseeingthe program. The Increasing prevalence of aCRO positionas a member of the senior management team Is apositivetrend: The CRO can help darlfy accountabllJ1¥ for the riskmanagement program and can aid the board by providing avI~ Independent of management.of key risk managementIssues and the Institution's risk profile.

At many Institutions, risk management programs are likelyto Include agrowing spectrum of risk types, such as modelrisk, and to use more sophisticated techniques, such as stresstests. Risk technology and Information systems may need tobe upgraded to easily Integrate risk data on a consistent basisacross different products, geographies, and counterparties.In the final analysis, an Institution's risk profile can bedefined by the sum total of business decisions takenfNery day by employees throughout the organization. Thelinkages between business operations and effective riskmanagement should continue to be assessed and nurtured.In addition to a focus on risk management methodologiesand reporting, senior management may need to furtherdevelop a risk-aware culture throughout the organization.One Important consideration In this effort Is the closeralignment of performance management and inCEntivecompensation with risk considerations and accountabllJ1¥.BeginnIng with strong governance by the board of directorsand senior management. and continuing with afocus onrisk management by every employee, Institutions may bebetter positioned to navigate effectively the challenges of achanged world for risk management.

Global risk management survey, seventh edl1lon Navigating In a changed world 3

Introduction

Delaine's Global risk management strVey. seventh edition,was conducted during the third quarter of 2010, as thefinandal markets and the world economy were dimbing

bad< from the Impacts of the global financial crisis. Thesurvey assessed the ament status of risk managementprograms in the finandal services industry--<ommonpractices, enhancements being made, and remainingchallengl3-based on responses from 131 financialInstitutions from across geographic regions and industry

sectOr1, and of varying asset sizes. (See "About the survey.'

Growth returnsAfter contracting by 0.6 percent in 2009. the work:!economy retumed to growth: The IMF estimated the worldeconomy grew by 5.0 percent in 2010 and that ~ will growby 4.5 percent In 2011. largely due to expected growth of6.5 percent In emerging economies this year.] During 2010.the recovery remained tenuous in the United States and Inmany other developed economies, and there were concernsabout whether growth could be sustained and the pos51bllity01 a double-dip recession In some economies.

Although the markets for securitized assets, such as COOs.remained a fraction of their size as compared to before thecrisis, securities Issuance broadly has recommenced andcorporate M&A activity has returned. Equity markets haveposted positive retums. ~h the MSCI World Index fordeveloped countries gaIning 9.55 percent in the 12 monthsthrough December 31, 201 D.'

In response to the global financial crisis, many majoreconomies undertook fiscal stimulus programs in an effortto spur economic growth, although a significant number of

these programs are now winding down. On the monetaryfront, the U.S. Federal Reserve and the Bank of Japanreduced short·term government interest rates to at or nearzero percent

These Initiatives have led to concerns about rising levels ofpublic debt. According to the IMF, gross government debtin the world's developed economies. which was 70 percentof GOP in 2007. rose to 97 percent in 2009 and is expectedto reach 110 percent by 2015' In 2010. Greece requireda S145 billion financial rescue package from the EuropeanUnion and the IMF. while Ireland reqUired a package of $112billion. There were also concerns about so~relgn debt inother countries such as Portugal, Spain, and italy. On theother hand, interest rates on U.S. Treasuries and Germangovernment bonds remained below three percent Theseconflicting signals have fueled avigorous debate aboutwhether go~mments should take immediate action tobring down debt levels or whether the shorHerm priorityshould be to further stimulate the economy. The dedslonby the U.S. Federal Re5erve In November 2010 to purchase$600 billion In Trea5U1Y securities in a second round of"quantitative easlng" generated additional controversy overthe potential Impact on the value of the dollar and on assetprices In other markets, espedally In developing markets.

StabiliZing the financial sectorIn many countries, governments provided assistance totheir financlallnsl~utlons. Indudlng through the TroubledAsset Relief Program (TARP) In the Un~ed States. By the endof 2009, Tier 1 capital among global financial Institutionshad risen to more than 10 percent, with more than half thecapital coming from go~mments, according to the IME'

In OCtober 2010, the IMF estimated total write-downs andloan provisions from the global finandal crtsis by banks atS2.2 trillion, with three-quarters of this amount alreadyreported and S550 billion estimated still to be realized.'While these government initiatives helped to stabilize

the financ~1 system. they have al50 led 10 public aitlcismof financial assistance being provided to major financialinstitutions. In the wake of the crisis, there have also beena number of regulatory investigations and legal actionsInvolvlnglndMduals and firms.

J ·World Economic Outlook," IMF, January 2011

• Index Performance. January 201" MSCI, http://www.m5cibarra.com!productslindkeslinternationill_equityjndiceslperfOfmance.htmls "Withdraw.lI1 Symptom5.~ TM Economisr, October 9,2010, "World Economic Outlook,," IMF, October 20107 ·World Economic Outlook," IMF, October 2010

4

Many financial firms have recovered from the crisis and arenow returning to profitability. In the United States, many ofthe major bankIng institutions have now repaid the financialassistance they received under the TARP program, althoughbalances remain among other redpients in housing finance,insurance. and the auto Industry. In addition, significantunrepaid balances remain among Institutions in Europethat received government capital infusions. In 2009, theU.S. Federal Reserve and other bank supervisors conducteda stress test based assessment of the capital held by the19 largest u.s. bank holding companies, which Increasedtransparency and appeared to bolster confidence amonginvestors. In 2010, the Committee of European BankingSupervisors also conducted stress tests of European banks. Inlate 2010, a new round of stress tests In both the U.S. andEurope was announced.

A changed worldThe responses to the global financial cnsls on the partof governments, regulatory authoritJes, and financialinstitutions are leading to fundamental changes in theenvironment for finandal services.

Industry restructuring. The global financial cnsls spurredfurther consolidation of the Industry as some majorinstitutions closed and others merged with strongercompetitors. Increasing regulatory capital requirementsfor larger finandallnstitutions could potentially lead toadditional growth for nonbank financial Institutions subjectto less stringent regulation.

New btlslness models. In the United States, the 2010Dodd-Frank Wall Street Reform and Consumer ProtectionAct (Dodd-Frank Act) prohlb~ed most propnetary tradingby banks and required that most derivative products betraded on exchanges and centrally cleared. This may leadsome banks to spin off their hedge funds and private equitysubsidiaries and to close their proprletary trading desks. Itmay also create opportunities for small and mid-size firms tocompete in the "white space" vacated by the major players.These changes may also pose additional risks---operationa~

counterparty credit and/or funding-for those that interactwith these newly separate entities.

More regulation and government oversighL Therehas been a wave of regulatory change, with stricterrequirements and enhanced scrutiny In many countries;there has been a shift In mind set with regard to regulatorysupervision-more aggressive and with higher demandsfor data and information to supp:>rt representations madeby financial institutions to their regulators. The UnitedStates has been an early mover on finandal regulatoryreform and in a quite sweepIng way. relative to many otherjunsdictlons: The Dodd-Fr.lnk Act was the greatest changeto finandal regulatlon in the United States since the 1930s.In the United Kingdom, the government announced In2010 a major reorganization of regulatory ove,,;ght, with

the Financial Servkes Authonty (FIA) being abolished andits prudential regulatory responsibll~les being assumed bya subsidiary of the Bank of England. In both the Un~ed

States and the United Kingdom, new regulatory agenciesare being created to monitor compliance with consumerprotec1ion regulations.' Additional regulatory changes arealso anticipated by the European Union.

The Basel III requirements, originally proposed in December2009 and issued in December 2010, may have the greatestimpact. The new requirements include higher levels ofcapital, with a focus on requlnng a higher "quality" ofcapital such as common equity, as lNell as new leverage andliqUidity ratios for instiMlons. Basel III builds on the Base/IIframework. with the Intent of strengthening the regulation.supervision, and risk management of banks.

There has been an active debate on the possible Impact thatthe changes In Basel III would have on economk growth.In June 201 0, the Institute of International Finance Issuedan analysis that concluded the proposed changes couldreduce the absolute level of GOP In developed countriesby approximately three percent by 2015.' In August 201 0,the Basel Committee on Banking Supervision issued its own

analysis, concluding that absolute GOP would be 0.6 percentlower dUring an assumed four year Implementation than itotherwise would have been, but then would be higher overthe long term due to fewer financial crises. IO The eventual,full impact of Basel III and other regulatory changes remainsto be seen and will depend to a great extent on the spedficregulations that are put in place to Implement them.

• ·UK Banking after the Crisis," presentation by Charles Randelt Slaughter and May. October 2010, "Super Model: T~ Economjst. August 19. 201010 Ibid.

Global risk managemE!rlt survey. seventh edition Nnl~t1ng In .. changed work! 5

Consumer protection Initiatives. Reforms with directconsumer and/or consumer protection Implications have beennumerous and touch areas Indudlng BSAIAML, fair lending,foreign account tax compliance, credit cards, and mortgage­refated activities. Both the United States and the UnitedKfngdom have aeated new consumer protection agencies thatare charged with regulating flrms providing flnanclal productsto consumers. The goal of these reforms Is to Increaseconsumer protection, but they may also Increase costs chargedto the consumer and slow the Introduction of nevv products.

New paradigm for monitoring systemic risk. Regulatoryauthorities have Increased their focus on Identlfylng andmanaging systemic risks to the flnancial system. The Dodd­Frank Act Imposes additional reporting requirements onInstitutions designated as "systemically Important," and alsorequires these Institutions to create recovery and resolutionplans. The Dodd-Frank Act also creates a Financial StabilityOversight Coundl charged with Identlfylng and responding

to emerging systemic risks, as well as an OffIce of FlnandalResearch to Improve the collection and analysis of flnancialmarket data for financial regulators. In Europe, a EuropeanSystem Risk Board was created to monitor and assesssystemic risk In the European finandal system. Rnal~ BasefIII Includes the requirement that systemIcally Importantfinancial Institutions be reqUired to hold additional capital.

The economic and regulatory landscape remains unsettled,with concer~ remaIning about the outlook for the worldeconomy and with the details of nevv regulations stili to beflnalized. Rnanclallnstltutlons are rethinking thefr businessmodels and assessing the likely Impacts ofthe nevv regulato!)'requIrements. As a result, significant enhancements inindustry risk management practices may be expectedto continue to ocOJPf the agendas of financial servicesinstitutions for some time In such key areas as systemic risk.enhanced capital and IIquldt1¥ approaches, strengthened riskoversight and governance, and remedlated risk data.

The financial services marketplace has beconle so complexthat continuous im!)rovenlent and enhancements in the riskmanagement function will continue to be inlportant for yearsto come. An effective, comprehensive risk nlanagementprogram nlust evolve constantly to meet changes in theenvironment: As the business changes, so nlust the tools and

<-

processes used to assess and olanage risk.- Director of risk management, asset management firm

6

Agure 1Partldpants by headquarters location

8"

About the surveyThis r~polt pI-=-s.-:nl, ttl-=- I,,:,',' illldll1'}) 110m 11'102'

sev-?nth edltl,:on ':'/ 002'10:'111-=-', ,:,n';l'JII1'J ,)S)';-'Stll,:"IH

.:.f r1S~ mana';1€'ment pI.1(tl(,:,~, In H,':" '.11'Jb.11 ilTO"n:I.11

selvl(-:-s mdustf',' Tlk SUI'>';-', '.1.111'-:-10:-<.! n'l:"" 1':-1.'.', ('i

(ROs (,rlheJl ",qul·:al.;-ne .1W!·.".jS (-Jrl1f,I.:T.:-.j 1:",131

finanCIal S\?I·.. lces m~lltutlon~, .·jl'.'~HI.j Tho:- ',,';. ,rid 11 ·... ~l~.

COndU(I.;or.lm lh". tt",wj '.lll-llkl (IT :XJ1(1

Insiltutl'>I1$ pJrtl(lp,'IIri~11I1 the ~'Ul\'':'\' lel,r,,·',':'lit.;..-:!

the rnaJ')1 go:-o'Jlaplll( IE'(,1I':,n:; ot Ill,:. \"'0'01101 M,)st

(of tl1o:- sUlvey partlclp..'ll1b ',',1('1";" ll1ultll1,lW,n,ll

institutions, "'illll 59 pelc'mt h,l\'IIlOl ol ..:r~ltl<:'ns

':'U1Slo:l\? lh\?tt h,:otlle countlv (',to',:, FI'JUI':' 1)

Til"" sixth >:'(Jltlon of our IIS~ n1all.)IJ",rn",nl ~.urv·:"..

Io:-p·:ort ,\:?llo:-S WJ:; r.A,:-,)se',1111 "",I!',' 2009, t'J-:"!<:! ·:,n J

sut\;,:?·" (.:,nduct.:-d If) Iht" 1.111':1 tnlf ,:,j 21)(18 '.'lhdt"

l'O'l-:-v.:int, thiS 1000p':Olt C0IT1p,.I':-S (Ullell\ 1,:":.l.Jll-:. ".'.'Ilh

tho,>o:- f!':'1ll th", 2008 :.1JI·.(·~

Survey p,ll llC1pants al',o le~'1':"5,:,nl",,:l a v,'lII·!I ...

(,f flnalKkll sector~" ','':1111 Ill,:'sl h"'llll.lIl1TtO"JI.lt",,:l

frnan(lal or9aI1l.':ath)ns. InSLJr~lnc-: comp.llll"" riO-TJ11

bani '>, ,lnd comlllo:-fCk11 1:0,1111 '> '5"'';- FI9Ut,:. 21

The rn~tltutlons pt,:ovldllllJ .:lSSO:-I111Jn,19E'llh?nl had

total c1SS\?ts und .. r IIkln,19L'll1l:?l1t 01 S14 1 111111,:on

.~tinAmeric:a

• Middle East & Africa• US. & Canada• Europe.Asia Pacific

Agure2Partldpants by primary business

4% 2%

,."

""• Integrated fnandal organization.Insu-ance company• Retail bank• Commercial bank

• Ass!!t milna<JernentGOYernment-feiatedfinance carpany

.Othe<

Agure 3Partldpants by asset size

• Greater than $100 bllion.510.5100 billion

• Less than 510 binion

Global risk management survey. seventh edition Navigating In a changed world 7

Risk governance

Since the global financial crisis. regulators and others haveplaced Increasing emphasis on the importance of a clearrisk governance model, I.e., the approach for directing themanagement and control of risk. whIch may be overseenby the board of directors as a whole or through a boardrisk committee. Regulators are naw focusing more dosely

on the role of the board of directors in setting a financial

InstiMlon's risk policy and risk appetite and in monitoringthat these are Implemented effectively by management. InOctober 2010. the Basel Committee on Banking SupervisionIssued principles for enhancing corporate goyernance that

addressed such Issues as the role of the board of directors.the qualificatIons of board members. and the importanceof an Independent risk management function. In the UnitedStates, the Dodd-Frank Act requires a risk committee ofthe board of directors for publicly-traded bank holding

companies with total assets of $10 billion or more as wellas for systemically Important publicly-traded nonbankfinancial companies. Also in the United States, U.s. SECRule 33-9089, which became effective on February 28,2010, requires that proxy statements disclose the extent ofthe board's role in risk oversight. Numerous other industry

and regulatory groups have also issued gUidance on riskmanagement oversight, including the Bank for InternationalSettlements, Office of the Comptroller of the Currency,Federal Deposit Insurance Corporation, Committee ofSponsoring Organizations, the National Association ofCorporate Directors. and the Senior Supervisors Group.

Strengthening risk governance

The survey found that many financial institutionshave taken a variety of actions in response to theincreased focus on risk governance (see Figure 4). Themost common action, taken by roughly two-thirds of

Institutions, was to Improve the process for reportingof risk Information to their boards of directors and totheir management risk committees. Roughly half theinstitutions had enhanced their risk limits and updatedtheir risk appetite statement. These appear to be positive

developments because upgrading risk managementreporting and reviewing an institution's risk appetite maybe appropriate in periods of difficult market conditionsmarked by volatility. lack of liqUidity, changed regulatoryexpectations, and a weak economic outlook.

Figure 4Which of the following steps has your organization taken In response to recentconcerns regarding risk governance?

lmprOo'ed board risk reporting information

Emanced risk limits

Updated risk appetite statement

Reviewed management risk committee structure

63%

.,%

55%

"""..%

DEY~oped risk dashboard report

H~d more frl!quent rNnagftTlE'l"lt risk C(mmittee mfttings

Upd..ted m..n..gement risk committee chOllrten

ExpOInded CRO responsililities

Est..b1ished eRa position

Reviewed board risk committee structure

Established a risk comnittee of the board of directors

Updated board risk chOllrten

Added rNnagemenl risk committee members with risk eJePE!l'ience

Added board members with risk experience

Established management execlltive sessions with eRa

Established board execlltive sessions with eRa

Held more frequent board of directors' meetings

35%

33%

3O'l6

29%

28%

25%

25%

19%

18%

17%

,,%

20% '0% 100%

Note: Percentages total to rTlO(e tNn 10096 because respondents could make multiple selections.

8

Institutions are also devoting more resources to riskmanagement. Committing an adequate number ofprofessionals with the appropriate skills and at theappropriate levels provides the foundation for effective riskmanagement and has been an area of focus for regUlatorsover the last several years. looking ahead, almost 80percent of executives expeded their Institution's spendingon risk management to increase over the next three years,with 29 percent expecting increases of 25 percent or more.

In the risk management policy and ERM framework andshould establish risk governance and oversight, define theInstitution's risk management roles and responsibilities,define the role of business units In risk management,and specify the process for ongOing monitoring of riskmanagement." Roughly two-thirds of InstiMions said theirboards of directors had approved the organization's riskappelhe slalemenl or the risk policy framework adopted bymanagement.

Figure 5Does your organization have a defined risk

governance model and approach, which delineatesfunctional responsibliltJes for risk management?

Risk governance modelsMany banks have strengthened or adopted risk governancemodels under the impetus of expectations of theirregulators. Most insurance companies around the worldhave been subjed to regulatory oversight that encouragesthem to adopt company-wide risk governance models,although there has been less pressure by state regulatorsfor U.S. Insurance companies to do so.

The survey found that 91 percent of Institutions had a riskgovernance model and approach, either one that wasfully Implemented or in the process of being Implemented(see Figure 5). However, a smaller proportion, 78 percentof institutions, reported that their boards of directors hadreviewed and approved their risk management policy and!or ERM framework, and this percentage had not increasedsince the 2008 survey (see Figure 6). The risk governancemodel is a key risk program element that is typically defined

• Yes, fUly implemented• Yes, being irJ1)lemented

63%

• No, but under consideliltion.NoFlgure 6

Which of the follOWing describe the roles in risk management of the board of directors in your organization?

Rl!Ceipt and rEView of regular risk management reports

Review and approval of overall risk management polky and/or ERM flilmework

Approval of the risk appetite statement

Approval of individual risk management policies,e.g., for market, aedit, liql.idity, or operational risk

Approval of risk management framework adopted by management

Executive sessions with o,ief Risk Officer (eRO)

ApprOYal of the charters of management risk committees

Review of the caTlpensatioo plan to consideC" its impact on risk factors

Oth"

20% 40% 80%

8S%

100%

Note: Percentages total to more than 100% because respondents could make multiple selections.

11 Getting Bank Govemance Right, £>e.Ioitte Center for Banking Solutions, August 2009, Deloitte Development LLC.

Global risk management SUf\tey. seventh edition Navlg.tlng In a changed world 51

Role of the board of directorsSurvey findings showed that at 85 percent of institutions,the board of directors receives and reviews regular reportson the risk management program. The percentage ofboards that regularly review risk management reportsincreased from 73 percent In 2008, which indicates thatmore boards of directors are actively Involved in overseeingrisk management. Another Indication of Increased boardInvolvement is that 51 percent of institutions reportedthat their boards had executive sessions with the eRO, upfrom 37 percent In the prior survey. This practice is evenmore common at large Institutions, as 68 percent of theInstiMions with assets of $100 billion or more reportedthat their boards followed this practice.

The importance of aligning compensation and incentiveplans with appropriate risk taking has received increasingattention in the period since the global financial crisis. InSeptember 2009. the financial Stability Board Issued areport on the standards for sound compensation practicesthat identified the importance of haVing independentand effective board oyersight of compensation policiesand practices.ll Among survey respondents, 35 percentof boards of directors reviewed their institution'scompensation plans to consider the Impact of risk factors.This practice was more common among institutions withassets of $100 billion or more, where 48 percent of boardsreviewed compensation plans from this perspective.

When it came to how the board carries out its riskmanagement responsibilities, 29 percent said that riskmanagement oyersight was handled by the full board. Amore common scenario, used by 56 percent of institutions,was for the board's responsibilities to be handled by boardcommittees. Additionally, seven percent of the institutionssurveyed reported having risk management oversighthandled by mUltlp~ commtttees. This latter approachmay diffuse responsibility, so when used, it is importantto define c1earty the role and scope of authority of eachIndMdual body. There has been a trend for boards to p~ce

this responsibility with a dedicated board risk managementcommittee, an approach used by 37 percent of institutions,although 12 percent used the audit committee. The Dodd­frank Act requires bank holding companies wtth $10 billionor more In total assets to have a dedicated risk committee.In addition, 11 percent of all survey respondents said thatan individual board member exerdsed the board's riskmanagement oyersight responsibility. This goyemanceapproach was more common in Europe, where 27 percentof institutions followed it, compared with three percent inthe United States/Canada and four percent in AsialPacific.However, even in Europe, none of the instiMlons with $100billion or more in assets placed the responsibility for riskmanagement oyersight with an Individual board member.

Across the survf!f sample, then, risk management oyersightIs most often a board·level responsibility; current regulatorygUidance reinforces this practice.'l However, at five percentof the responding institutions, responsibility for oyerseeingrisk management had been delegated to management.

Risk managemenc coelay is a governance function: The boarelanel the auelit committee are more t(>cuseel than they everwere on enterprise risk. It is more anel more common for therisk function to report elirectly to the boarel. The expectationsarounel the level anel thorou£!hness of key risk mana"ement

~, b

documencation have greatly increased.- Chief risk officer. diversified financial services company

,) H8 Princip/~sfrxSound ComfNnsation PrQcf;us,· Financial Stability Board, September 25, 2009

1l~e board has OYefali responsibility for the bank, including apprOYing and oyerseeing the implementation of the bank's strategic objectives,risk strategy, corporate goyernance, and corporate values. Accordingly, the board should approve and monitor the overall business strategyof the bank, taking into account the bank's long-term fil'\ilnoal interests, its exposure to risk, and its ability to manage risk effectively;and approye and oversee the Implementation of the bank's OYefall risk strategy, including its risk tolerance/appetite; policies for risk, riskmanagement and compliance; Internal controls system; corporate governance framework, principles, and corporate values, induding a codeof conduct or comparable document; and compensation system. See Prindp/~s for ~nhoncing corporot~ 90vernanc~ - final docu~nt, BaselCommittee on Banking Supervision, October 2010, httpJlwww.bis.orglpubVbcbs176.htm

,.

Regional perspectiveTher-:- ·.·.·i:r~ some slgnlllc,lnt (jllf",l",nces am,:ong

r"'910ns 111 the respome~ of IllstllU11,:,n:; to 90veln,)llcoO­

",nllanc",rn",nts Institutions In th.,. Unll-:-d Statt'sl

Canad.-; '.·;~r.,. more IIh;,.l".. to h.ll:,;o "lad", chang",,; to

their rnan,lgement r1Sl c,:ommltt':'t' Among InStitutions

In tht' Ul1lkd Staks/Cana,j,l, 6.:.\ perct?111 r",YIE'w-:-d

the ';lructure 01 the mana'Jement rlS~ e,:ommltte",.

comp"If.;...:1 wIth 45 perc",nt amOIl'.! European

lI1';tltullon5 ,llld 1",5S than 40 p':'f(",rH In ASla/PaClflC

and Latll1 Arn",nca In thE' UI1It",ol Sta\o;,.s/Cana,ja.

83 p",rcent ,:of institutions Incr'o'.ls",d !he reportlll'~

(lj mlor rn~ltlon to the management r1Sl cornmlttt-e.

while 61 p>?lcent In EUiope. and hJlt or jewer III Cother

f>?glons. did so In contrast, 73 pelc",nt 01 EUlo:,pean

institutions updat>?fj th';'lr Iisl app·:.-tlt", statement.

comp,lr-:-d ~'.'Ith 39 percent m th", UI1It"-'d Stat€<.1

Canada. .:.\0 perc",nt In ASia/Pacillc, and 33 p""rc>?nt

In Latin AOl>?t1ca. It IS posslbl>? tllat m')te EUlop>?an

institutions may have updated tht?1I f1sl~ appetite

statements III conJUIlCtion \,.mh 8.15",111 Pillar IIlnlel nal

Capital Ad>?quJcy ASS>?SSllloO-lll Pruces:, IICAAP) ,lnd

Solvency II ORSA efforts, whete Ewop>? IS generally

ah..;,-ad of otht?llE'glo)ns

Management oversight

Use of management risk committeesAbout two-thirds of institutions reported having anenterprise risk management committee or eqUivalent oran asset liability management committee. As might haYebeen expected, large institutions were more likely to havethese risk committees, with 84 percent of Institutions with$100 billion or more in assets having an enterprise riskmanagement committee and 81 percent having an asset

liability management committee.

The use of management risk committees was foundto be less prevalent for some Important risk types-58percent of instiMions had a management risk committeefor credit risk. S3 percent for operational risk. and 40percent for market risk. The possible need for specializedrisk comminees depends on the nature of an institution'sbusiness. e.g .• those involved in trading would be morelikely to need a market risk committee. Among thecommercial banks and retail banks, where credit risksare often the largest risk factor, a credit risk committeeis common, but not universal; roughly three-quarters ofsurvey respondents reported having one.

Centralization of risk managementMost institutions had a risk management structurethat was either centralized or amix of centralized anddea'"tral~ed_ with few following a highly decent",l~ed

approach. Roughly 70 percent of institutions reported usinga centralized approach to setting risk policy and standards,and to defining their risk appetlle and setting IImlls_ whiletwo-thirds did so for reviewing their compensation planto consider the Impact of risk factors. The areas whereinstitutions were most likely to follow a mixed approachwere in identifying and assessing key risks (47 percent),selecting and implementing risk mitigation strategies (44

percent), and monitoring and identifying emerging risks (47percentl.

Since 2008, a number of Institutions moved from adecentralized to a more centralized approach; the lattermay help support more consistent polley and supportingmethodologies across organizations. Seventeen percent ofInstitutions took a decentralized approach to monitoringcompliance with risk limits. down from 28 percent in2008, while 24 percent took a decentralized approach toassessing the effectiveness of risk mitigation and controls,compared with 33 percent in 2008.

Increasing role of the CROThe presence of a CRO who reports to the CEO and is amember of the senior management team may help riskmanagement receive appropriate high-level anention.Although the percentage of institutions with a CRO positionhas fluctuated, the CRO position has generally becomemore prevalent CHer time. Eighty-six percent of institutionsreported having a eRO or an eqUivalent position, up from73 percent in 2008 and 65 percent in 2002 ~ee Figure 7).

Agure 7Percentage of Institutions with eRO or equivalent,2002-2010

1"""

..%

Global risk management SUI\ley, seventh edition Navigating In _ ch.Jinged world 11

The CRO or an equivalent senior risk offiCEr positionhas become widely commonplace at larger institutions;ninety-seven percent of the institutions with $100 billionor more In assets and 91 perCEnt of the integratedfinancial Institutions reported having this position. Evenamong Institutions with less than $10 billion in assets. 82percent had a CRO or equivalent position. Ten percent ofInstitutions without a CRO position had no plans to createone, which Is half the figure of 20 percent found in ourprior survey.

CRO reportingNot only is the CRO position more prevalent, generallyhe or she Is also reporting to higher levels within theorganization and playing a more strategic role. Sixty-threepercent of Institutions said that the CRO was supervisedby the board of directors or a board-I~I committee, anIncrease from 52 percent In 2008. In aggregate, 85 percentof the institutions had the CRO reporting to the board ofdirectors. a board committee. or the CEO, compared to 78percent in 2008.

The CRO and the enterprise risk management group havemore responsibilities and a higher profile. More than 90percent of Institutions said these responsibilities Includedeveloping and Implementing the risk managementframework. developing risk reporting mechanisms, chairingor particIpating in management risk committees, andescalating risk Issues to the CEO or the board of directors.A number of areas of CRO responsibility have also become

more widespread since 2008. For example, at 81 percentof Institutions. the CRO/risk management group wasresponsible for assisting in developing and documentingthe Institution's risk appetite statement. compared to 72percent in 2008. Similarly. at 64 percent of instttuijons.the calculating and reporting of economic and regulatorycapital was a responsibility, up from 52 percent in 2008.

Infusing risk management throughout the

organization

New business InltiatfvesOne of the decisions that can have Important Implicationsfor risk management is deciding to introduce a new productor enter a new business. and both financial institutionsand regulators are increasing their focus in this area. Intheir busIness and product approval process, almost allInstitutions reported considering more traditional major risktypes---<lperatlonal (94 percent). regulatory (91 percent).

12

credtt (89 percent). legal (87 percenO. reputational (86percent), and market (86 percent). Two-thirds of institutionsconsidered the risks from the increased demands onstaffing levels and infrastructure. and 56 percent conSideredthe risks resulting from increased transaction volumes.Although considered with less frequency among the surveypopulation. these risk dimensions may also be Importantfor an institution in determining whether it will have theresources necessary to handle increased work flows shoulda new product be successful.

At more than 90 percent of institutions, induded withinthe scope of the formal business and product approyalprocess were both new business and new productIntroductions, up significantly from 2008 when 82 percentincluded neYv' product approvals and 64 percent includednew business approvals. Most institutions also consideredother initiatives, such as changes to business/product riskprofile rn percent). new systems (72 percent). and theIntroduction of a business or products to new geographicalmarkets or to a nfIN client base (60 percent). Almost 90percent of Institutions have taken steps to enhance theIr

business and product approval processes, with the mostcommon actions being to increase the involvement of riskmanagement (57 perCEnO. enhance approval polides (54percent), and require a more thorough review of proposednew businesses or new products (53 percent).

Aligning risks and IncentivesThe Incorporation of risk management responsibilityInto performance goals and compensation decisionshas become another leading practice, and some viewcompensatIon planning as a key tool in enterprise-widerisk management effectiveness. The objective Is thatemployees. especially those wtth the authority to lilkedecisions that entail significant risk, have Incentives toconsider the risk assodated with those decisions.

The current survey's results identified that 37 percent ofinstitutions have completely or substantially incorporatedrisk management considerations into performance goalsacross their organizations. For senior management. 56percent of institutions have incorporated risk managementresponsibilities Into their performance process, increasingsomewhat from 49 percent in 2008. For business unitpersonnel, 37 percent of institutions have incorporated riskmanagement responsibilities into performance evaluations.

The survey revealed that many Institutions are stili inthe process of adopting changes recommended byregulators and others to better integrate risk managementinto Incentive compensation. For senior management,82 percent of institutions reported that they requiredthat a portion of the annual Incentive be tied to overallcorporate results (see Figure 8). For senior management,64 percent of institutions sought to balance their emphasis

on short-term versus long-term Incentives, 57 percentpaid their Incentive In company stock. and 52 percentdeferred payouts linked to future performance. Further.a comparatively lower 31 percent of Institutions matchedthe timing of payouts to senior executives to the term ofthe risks Involved. and 26 percent had InstiMed c1awbackprovisions In the event of misconduct or the overstatementof earnings.

Compensarion is an area where we now have a morerigorous process-including more board-level governance,review, and approvals; more risk managemenr inpurs inrocompensarion design. There is a change in rhe mix of pay,including increased deferrals for higher earners and higherrisk rakers ...and I rhink indusrry srandards are likely to gerstrieter in this regard.- Chief risk officer. global bank

AgureBDo you Incorporate the following risk management considerations Into your Incentive plans forsenior management?

Requiring that a portion of the an~incentive be tied to overall caporate results

The use of multiple incentive plan metria

Balandng the emphasis on short- and long-term incentives

Payment in company stock:

Deferred payouts linked to future perlormance

Caps on payouts

Matching the timing of payouts with the term of the risk

The use of Individual metria tied to the implementationof effective risk mitigation strategies

The use of da'Nback provisions (e.g.. in the eventof misconduct or overstatement of earnings)

2096 40'l6

8296

10096

Note: Percentages total to more than 100% because respondents could make multiple sele<:tions.

Global risk management survey, seYenth edition Nnlgatlng In a chilng~ world 13

Enterprise risk management

An ERM program Is meant to set the overall frameworkand methodology for how a company manages risKs.ERM provldes an Institution with the tools to clarify its risk

appetite and risk profile. and to evaluate risles across theorganization. By adopting a comprehensive approach to riskidentification and assessment, ERM can help identify many

dependencies or Interrelationships among risks that might

otherwise go unnoticed.

Understanding of the root causes of risk factors andtheir correlation can be accelerated by an effective ERMprogram. looking at risk from an Integrated perspectivecan bring new Insights and proVide transparency into theoverall impact of risk on the institution. Not only does ERM

provide an institution with greater insight Into its individualrisk profiles, it may also allow an organization to assessmore completely overall risk levels.

The survey found that adoption of ERM has Increased

sharply. Fifty-two percent of institutions reported haVingan ERM program (or equivalent), up from 36 percent in2008 (see Figure 9). large institutions are more likely toface more complex and interconnected risks, and amonginstitutions with total assets of $100 billion or more, 91

percent reponed either having an ERM program in place orIn the process of Implementing one.

Agure9Does your organization have an ERM program,

or equivalent?

To enhance the effectiveness of ERM programs, institutionsmay choose to define and approve an ERM framework orERM policy. Seventy·seven percent of institutIons had sucha framework, with 70 percent of these Institutions saying ithad been approved by the board of directors.

We're formalizing our risk program at theenterprise level, and we're getting moredisciplined about measuring not onlyindividual risks, but what the potencialoverall impacts of those risks are.- Chief risk officer, diversified financial services company

ERM program coverage

Among survey respondents, ERM programs almost alwayscovered the major risk categories of operational risk(98 percent), credit risk (96 percent), and market risk(93 percent).I. Uquldity risk was covered by 92 percent of

ERM programs, up from 82 percent in 2008; this increaseseems understandable given the liqUidity concerns dUring the

global financial crisIs. The coverage of a wide range of risksby an ERM program allQl/ols the risk function to contributemore effectiYeIy to strategic dedsions, because it has a morecomprehensive viM of risk across the organization.

1("l'l6

• Yes, currently rnplernenting one

"""70% 67%

60%

5O'l6

"'"3O'l6

20%

'0%

0%2006

• Yes, plOglilm in place

2008

7996

2010

Other risk categories were induded in fewer ERM programs.The importance of managing the risk that models may notaccurately assess the probability or severity of potentialrisk events was highlighted In the global finandal crisis.Fony-eight percent of Institutions reported that their ERMprograms addressed model risk, which was down from 58percent in 2008. However, 72 percent of larger institutions inthe survey said that their ERM programs did cover model risk.

There was an increase In litigation following the global

financial crisis, and the ERM programs at 71 percent ofinstitutions Induded legal risk, compared to 54 percent in200B. The global financial crisis also tested the business

models of some institutions, and the coverage of strategicrisk Increased to 73 percent from 64 percent in 2008.

Fifty·three percent of Institutions reponed that their ERMprograms covered liability management. Relatively fewinstitutions that provided insurance services reponed thattheir ERM program addressed spedfic categories of Insurance

osk. such as mortality (28 percent), morbidity (28 percenO.~pse (24 percent), and property and casualty (18 percenO.

1& This and the remaining questions related to ERM were only asked of those institutions that reported having an ERM program or an equivalent.

14

Risk appetiteTo support the effectiveness of an ERM program. aninstitution should consider having an approved enterprise·levei statement of ris. appetite. Forty-eight percent of

institutions reported having an approved. wrinen. enterprise­level statement of risk appetite, while another 24 percent

were in the process of defining their risk appetite statementor having It approved. Rnanciallnstitutions can benefit fromhaving an explicit statement of risk appetite. reviewed and

approved l7; the board of directors as an important part oftheir oyersight responsibilities. The risk appetite statementcan then be translated into specific limits and tolerances forbusinesses and for spedfic risk categories.

In translating the risk appetite Into spedflc risk limits.roughly three-quarters of institutions set limits for market,credit. and liqUidity risk at the enterprise level. About halfthe Institutions established limits at the level of businessunits for marlcet risk: (49 percent), credit risk (56 percent),

and liquidity ris' (40 percenO. and even fewer had limits atthe trading des. level for mar"t ns' (45 percent). credit ris'(30 percent), and Iiquld~y rls' (11 percent). Establishmentof risk limits for different categories of risk can be animportant step towards monitoring that an Institution'sactivities are consistent with its risk appetite. Institutionsmay set limits for important risk categorles at the enterpriselevel, and many institutions may also benefit from havinglimits at the business unit level.

Value ofERM

ERM programs allow institutions to achieve a holistic viewof risk across risk categories and lines of business. Fully 85percent of executives fett the value of their ERM programwas greater than its cost; yet, many executives foundthe value of ERM difficuit to quantify. While 48 per",ntof executives said that the overall value of their ERM

program was much greater than its cost, 23 percent saidthe same about its quantifiable financial value. Althoughthe full value may not be quantified, most executivesfelt ERM provided significant value In specific areas-an

improved understanding of risks and controls (81 percent),an increased ability to escalate critical Issues to seniormanagement (76 percent), an enhanced risk rulture anda better balance of risks and reYlards (73 percent), andimproved perceptions by the regulators (72 percent).1S Foreach of these items, executives were more likely to believethat their ERM programs provided significant vaiue. Three­quarters or more of the executives felt that their ERMprograms provided significant value as compared with nomore than half In 2008.

IS Rated 1 Of 2 on a fr.oe-point scale.

Risk management data challengesWhile the value of ERM has increased, so have the challengesof implementing an effective program. The top-rated issuewas integrating risk data across the organization. which wasrated as an extremety or very significant ctIallenge by 74percent of executives. Sixty percent of executives gave thisrating to data integrity, an Increase from 45 percent In 2008.Institutions need tre ability to integrate accurate ris' datain a timety fashion to support risk reporting and business

decision making. Establishing common data standardsand definitions are an important element In successfuldata integration. (See "Risk management systems andInfrastructure"iater in this report.)

Institutions also recognized that they may needmethodologies and metries that have the flexibilityto respond to the evolving requirements of boards of

directors, senior management. and regulators. DeYelopingrisk technology systems and haVing appropriate riskmethodologies and mettles were each considered to beextremely or very significant challenges by roughly 60

percent of executives, compared to one-third for each Issuein 2008.

These findings are understandable. Periods of economic

or market Instability, such as the global financial crisis

can severely test the Information capabilities of financialinstitutions. Such times help highlight the importance of theability to aggregate risk data across the organization from

different lines of business to achieve a consolidated view of

an organization's risk profile-for example, when assessing

counterparty risk or exposures to partlrular markets whichimpact different business areas.

Global risk management 5Urv~. seventh edition Navlgiltlng In a c~nged world 15

Risk reportingThe board of directors and/or a designated board riskcommittee received ERM reporting at 97 percent ofInstrtutions in the survey, while 85 percent of institutionsprovided these reports to one or more of the CEO,CFO. CCO. COO. ClO. or treasurer (see Figure 10). Risk

reports were provided to the board of directors and/or adesIgnated board risk committee for market risk and forcredit risk at 90 percent of institutions. and tor operationalrtsk at 91 percent. Many institutions may be seeking accessto a wider range of reliable risk data for their ERM programsbecause this is not always readily available today.

Agu'.10Which of the follO\Nlng Individuals or groups receive risk reporting at the enterprise level for each risk type?

lOll'll> .,%

8S%90% 88% .."

8'%

Operational Risk

-

Insurance RiJlt

• Boatd of dirKtors andlor designated board ri~ comnittee

• Management risk committee• CEO ard'or CfO antVor CCO antVor COO antVor (10 (Olief 11M!'St1Tlent Officer) and/or TrNsurer

• CRO• Business unit neads (exeo.Jtive leve~

• Other

Note: Percentages total to more than 100,*, bKause respondents crold mal::e multiple selections.

1.

The scope of risk management Information commonlyreported to the board of dlredors is Indicative ofthe range and depth of risk management oversight.While this is a new area of forus in our survey, basedon changes in market practices, our expectation wasthat risk reporting to the board of directors would beincreased. The survey found that roughly three-quartersof institutions reported risk information to the boardof directors on risk concentrations, operational failures,

and stress testing, while two-thirds reported on newand emerging risks and on utilization versus limits(see Figure 11). Given the growing risk managementoversight responsibilities of boards illustrated by thissurvey's findings and the Importance of these Issues,one may expect more Institutions to report thisinformation to their boards of directors more frequentlyin the future, based on the business mix and relevantrisks for the institution.

Rgure 11Which of the following types of risk Information does your organization currently report to theboard of directors?

Risk concentrations

Operational failures

Stress testing

Newand emerging risks

Utilization ¥S. limits

New prodJcts and businesses

Risk. exceptions reporting

Code of ethics violations

Systemic risk.

Shareholder/customer complaints

None 196

40%

Note: Percentages total to more than 10096 because respondents could make multiple selections.

80% 100%

Global risk management survey, seventh edition NilVigatlng in a c~nged world 17

Systemic riskSince the global financial crisis, there has been increasedattention on managing systemic risk, or the potentialthat risk events affecting one instlMlon could threaten

the financial system as a whole. More than 90 percent ofInstlMlons have taken adlons In response to the focuson systemic risk. Roughly 60 percent of Instrtutlons haveevaluated counterparty concentrations, increased their useof scenario analysis, and enhanCEd their liquidity fundingplan or liqUidity cushion. The survey's findings shOW' thatonly five percent of Institutions have a "living will," a planfor the orderly dissolution of the Institution in the case offailure, which Is required by the u.s. Oodd-Frank Act for

systemically Important financial institutions and by theFInandal Services Act 2010 in the United Kingdom." Thisis an expected area of focus for large financial servicesInstitutions In the coming years.

Stress testingStress testing Is one tool that financial institutions canemploy to help prepare for potential systemic risks byassessing the potential impact of extreme, but rare, events.The portion of institutions that conducted stress testingmonthly or less often Is 47 percent for the trading book

and roughly three-quarters each for the banking book, thestructured products book, and counterparty exposures.Given the speed and volatility of financial markets, financialInstitutions may benefit from conducting stress tests moreoften than quarterly or annually, to help enable the moretimely identmcatlon of risks.

The most common usage of stress testing was at the overallenterprise level, employed by 85 percent of Institutions.At the enterprise level,lt is typIcally easier to employtop-down stress testing, which employs broad assumptionsto examine balance sheet assets and to stratify loanbooks Into different categories based on loss experiencefor consumers with different credit levels. However, a

bottom-up approach may provide more detailed results andoffer Insight. Many Institutions also reported condudlngstress testing at lower levels, e.g., 81 percent for individualportfolios and 70 percent for Individual business units.

Thirty-four percent of institutions conducted reverse stress

testing. This is anew method that does not use predefinedscenarios, but instead tries to identify scenarios that wouldcause the Institution to fail (so called "killer scenarios"). It Isan emerging practice that can help identify vulnerabilitiesthat might otherwise go unnoticed, and regulators areIncreasingly looking at the scenarios that institutions stress

test. The use of this approach was higher among largeInstitutions, where 48 percent reported using It.

Use of stress test InformatJon

Almost all Institutions used stress testing to report tosenIor management (90 percent), to report to the board of

directors (88 percent), and to understand the institution'srisk profile (87 percent). Most Institutions also used stresstestIng In responding to enquiries from rating agenciesand regulators (80 percent), triggering further analysis

(80 percenO, SEtting limits 06 percenO, and conductingstrategiC p~nning (65 percent).

101 Brief Summary of the Dodd-Frank Wall Street Reform and Consumer Protection Act, U.S. Senate, httpJlbanking.senate.govlpublicJjilesJ070110_OoddJran~WaILStreeCReform_comprehensil.oe_summaryJinal.pdf; financial Servkes Act 2010, Rnanciil Services Authority, http://www.fsa.grN.ulclPageslAboutJWholAcccx.ntability/fsact_20101index.shtml

'8

Regulatory and economic capital

Basel II

Basel II was designed to Improve the risk sensitivity ofan Institution's regulatory capital measures and requires

Improved measurement of credit, market. and operationalrisk. The survey assessed the progress that institutions havemade In implementing Basel I! and the impacts that thenew requirements have had on their organizations andbusiness models.

Most Institutions either have implemented or are now

far along in implementing Basel I!. Institutions may need

to contemplate the prospect of Implementing additional

substantial changes to comply with Basel III, which was

developed In response to the experience of the global

finandal crisis. BasellJl is designed to provide the financial

system with higher levels of tangible capital, more liquidity,and greater transparency.11 The Basel Committee finalized

this framework after the survey was completed. Among

new requirements Is a minimum Tier 1 common eqUity

ratio of 7 percent of risk weighted assets (4.5 percent to

be achieved by 2015, and a further capital conservation

buffer of 2.5 percent by 2019). Basellll reqUires a more

stringent definition of Tier 1 capital, reqUiring It to consist

primarily of common eqUity and retained earnings. Basel

III also adopts two liquidity ratios that will reqUire banks tohave more sufficient funding and liquidity resources.!! The

new requirements have transition requirements, with final

implementation by 2019.

11 Bas~ I/!:.A global (~u1atO(Yfram~wo'kformor~ ,~silientbanks and bonJdng sys"r~ms was issued by the Basel Committee on BankingSuperviSIon. December 16, 2010,http://www.bis.Ofglpubl/bcbsI89.htm

II Bas~ fll: Inr~'notionalJ,a~ Jor liquidity ,is/( mNSU'~~nt.standards and monitoring was issued by the Basel Committee on BankingSupervision, December 16, 2010, http://www.bis.orglpresslpl01216.htm

Global risklTl<W'lagement SUNey. seventh edition Navigating in a ch.angMt work! 19

Basel II adoptionAmong the institutions participating in the survey, halfwere subject to the Basel II requirements, while anothersix percent were not subject to these regulations but havedecided to adopt them.11I Finandallnstitutlons in Europe(69 percent). AsIaIPadfic (67 percent), and latin America(63 percent) were more likely to be subject to Basel IIthan in the United States/Canada (22 percent). The UnitedStates/Canada result Is no doubt influenced by the decisionby U.S. regulators to focus Basel II on larger institutions.Among European institutions, 82 percent were eithersubject to Basel II or had adopted it voluntarl~. Sixty-onepercent of global institutions complying with Basel II wereplanning to implement it outside their home country.These Institutions may need to address the implementationchallenges that may arise when their home and hostregulators have different standards or timellnes.

In Implementing Basel II, most institutions were using. orintending to use, approaches other than the advancedapproaches (see Figure 12). For credit risk, 52 percent ofinstitutions were using the Standardized Approach, while30 percent have adopted the Advanced Internal Ratings­Based (IRB) Approach. Similarly. 51 percent of Institutionshave adopted the Standard~ed Measurement Approachfor market risk, while 37 percent have chosen the InternalModels Approach. As expected. large institutions-thosewith $100 billion or more in assets-were much more likelyto employ the more advanced approaches: Fifty percentused the Advanced IRS for credit risk, and 63 percent usedthe Intemal Mooels Approach for market risk. Yet, somelarger Institutions were still following the less advancedapproaches; this was especially true for operational risk.where 20 percent of large institutions reported followingthe Advanced Measurement Approaches.

19 The remaining questionsrelated to Baselll.......ere askedof institutions that eitherwere SLtlject to Basel II Of hadadopted Basel II although notsubject to it.

20

Agure 12Which approach does your organization currently useor Intend to use for Basel II on a consolidated basis

for credit risk, market risk, and operational risk?

Credit R~k

.Advanced IRS

• StandardIZed Approadl• Foundation IRS

Base: Respondents at institutions subject to Basel II.Note: Some graphs do not add to 100% due to rounding.

Market R~k

• Internal Models Approach• Standardized MeaslJ'ement Approach.1988 RIsk Welght RiJes

Operational Risk

.AOianced Mea5lJn!metltApproaches• StandardlzeGlAllematl\le Starrlardllt'd Approach• Basic: Indicator

Base: Respondents at institutions subject to Basel II

With the benefit of two additional years since the lastDeloitte risk management survey, most institutions werenow much farther along in their implementation of BaselII than they were in 2008. Seventy percent or more ofinstitutions reported that worle had been completedor Is mostly done on external agency ratings (for the

Standardized Approach), calculation and reporting, Internalaudit review, securitizations, and gO'-lemance and controls(see Figure 13). For other items, such as scenario analysiS,technology Infrastructure, and analytlcs and calibration,about half of the institutions reported having completedmost of the reqUired work.

Rgure 13What level of progress has your organization made with respect to Implementing each of the following areasfor the purposes of Basel II?

External agency ratings (fot' Standardized Approach)

CalaAation and reporting

Internal olooit reYiew

Go.'ernance and controls

Securitizations

Pillar III requirements

Stress testing

Risk rating system and scorecards

Operational loss data

Incorporation of CRM

PiILu IIJ1CAAP

Po5t implementation operating framework.

Vollidation and testing

Equity <M"Id au

Credit data history for PD. lGD, EAD

Analytia and calibration

·Use Test· requirements

Technology nfr.ntructure

Scenario analysis

Trolding bookIsecuritization rule changes

AMA modeling for operational risk

20% 40% 10096

• Completed • little wOO:. still needed

Global risk management SUNey, seventh edition Navl~tlng In a cMnged WOf"Jd 21

Most large Institutions have Iarge~ completedimplementation of many items. Among instrtutions wtth$100 billion or more In assets, about 80 perCEnt or more

have completed or mostly completed Implementationfor risk rating systems and scorecards. governance andcontrols, "Use Test'" requirements. calculation and reporting.

securitizations, internal audit review, Pillar III requirements,and equity and Collective Investment Undertakings (CIU).

One area where fewer Institutions reported progresswas In AdvanCEd Measurement Approaches (AMA)

modeling for operational risk, which is understandablegiven the challenges In Its implementation. Among all

survey participants, 23 percent reported that their worleIn this area was completed or largely done; even amonglarger Institutions, where more progress mIght have beenantidpated. 29 percent said that work in this area wascompletely or large~ done. Many Inst~utions have foundAMA modeling for operational risk to be challenging

because of the sIgnificant data reqUirements, the need toIncorporate numerous additional factors into the models,and the testing reqUired.

Impact of Basel II revisionsMany exerutives expected that the July 2009 Basel II rulerevisions addressing capital adequacy and risk managementwould have Important impacts on their institution (seeRgure 14). Roughly 60 perCEnt of executives expected therevisions 'NOuld lead their institutions to revise their capital

allocation. while 41 percent each antIcipated a changeIn fundlnglcap~al raising strategy and In product pricingstrategy. Thlrty-.two percent of executives believed that therevisIons would also have one or more important strategicImpacts by leading their institutions to tak.e such actions aschanging their business model, exiting an existing business,consolidating business areas, or changing their approach togeographical diversification.

Rgure 14

Which Impacts do you expect the July 2009, Basel II rule revisions will have on your business?

Revise capital ..uoc..tion

CNnge funding/capital raising str.. tegy

Revise product pricing strategy

CNnge in business model

£lOt an easting business area

Consolid..te busrtess areas

Revise customer rNtionshipfdistribution approach

(Nenify rtto other busiuss areas

Sell off an existing business atea

CNnge geographial diverJitKationlglobal presence

Enter into a merger

No impacts eJCPected

61 "

096 1096 20'6 30% 40% 50% 6096 70% 8096 9096 100%

Note: Percentages total to more th..n 100% bec..use respondents could make multiple selections.

22

Figure 15How much of an impact do you expect each of the following aspects of the regulatory changes proposed bythe Basel Committee on Banking Supervision In December 2009 would have on your organization?

Strengthened CDlJ1terparty capitalll!qJlremertts

Introduction olleYer~ge ratio

Introduction 01 CDt.rl1ef'Cyd1ul1 capital adjustments

Introduction of m~lmtlT1 ~ld~ ltandards

ErtI~nced capital base

• Substantlal/slgllflcant Impact • Moder~te Impact

In December 2009, the Basel Committee issued new

proposed gUidance around tighter capital and liquiditystandards in an effort to promote a more resilient bankingsystem, and many executives also anticipated that thesewould have important impacts. Roughly 40 percentof executives expected that the following proposedchanges would have a substantial or significant impacton their InstitutIons-Introduction of a leverage ratio,enhancements of the capital base, and strengthenedcounterparty capital requirements (see Figure 15).Executives at large institutions vvere more likely to expectsignificant impacts than were those across the entire surveypopulation, with more than half expecting substantlalor significant impacts from an enhanced capital base,

strengthened counterparty capital requirements, Introductionof countercydlcal capital adjustments, and Introduction ofmInimum liquidity requirements.

Although most institutions vvere '#ell along in their BaselII implementation. challenges remain (see Rgure 16).Implementing Basel II requires significant expertise andresources, as well has haVing broad impacts on an Institution'sinfrastructure In such areas as data, technology systems,busIness processes, analytics, and reporting. The areas thatwere most often considered by executives to be extremely orvery challenging in their Basel II Implementation "",re Internalresources and budget (55 percent), technology infrastructure(46 perCEnt). and internal models (40 perCEnt).

Figure 16

How challenging are each of the following Issues for your organization in relation to your Basel IIImplementation effort?

Internal resotJ"ces and capablltles. ~nd budget

Technologyllntr.UWetun! related

Clarity/expectations of reglJitory C2qulrements

HomeA1ost SlJpervlslon

'Use Test' requirements

MbA ~tegralJon

Strict de~dlnes

ClSrent martet CDOdIUons

Ac.countabllty!oWrlE!Mlp

Product dmtliGltlorl and treatment cholCe'l

'9'16

""

""

0% to% 20% 30% 40% SlY*(, 609(, 7096 8O~ 90% ICJOll&

• Extremely d'lallengng • Vt!ry challeng~g

Global risk management survey. seYeflth edition Navigating In a changed world 23

With large institutions more likely to adopt the advancedapproaches under Basel II, Implementation Is even morecomplex. Among executives from Institutions with assetsof $100 bill,m or more, 65 percent said that obtainingadequate resources, internal capabilities, and budget wereextremely or very challenging Issues, while 56 percent saidthe same about technology and Infrastructure Issues, and47 percent about developing Internal models.

Solvency IISolvency Ills a revised capllal adequacy regime deVelopedby European Union regulators that will determine minimumand solvency capital levels for insurers. As with Basel II, itemploys athree-pillar approach applied across individualrisk categories of market. credit, liqUidity, operational,and Insurance risk, and Is designed to reflect risks moreaccurately than current capital standards. The Solvency 11directive is planned for implementation on October 31,2012, although currently there Is significant discussion ofdelaying implementation until January 2013. 2ll

Fifty~two percent of the Institutions partldpating weresubject to Solvency II requirements or to similar revisedregulatory capital requirements. These Institutions wereasked how they were comp~ng wllh Solvency II, thechallenges they face, and the expected impaets. 21

Implementation approachesMost instltutfons reported that their business units haveflexibility in executing the organization's overall strategyfor Implementing Solvency 11-46 percent said they havesome flexibility and 29 percent said they have substantialflexibilily. For many, the chalk!nge here is finding the nghtbalance-allO'Ning individual business units some flexibilityin their approaches to Solvency II implementation whilestill being able to consolidate capital appropriately andachieve the benefits of diversification at the enterpriselevel. However, in light of the significance of the "use test"under Solvency II, which requires that an Internal modelused to determine reqUired capital also be used to makebusiness decisions, business units may need more flexibilityto consider, and obtain, the buy In and understanding ofmanagement.

Sixty-four percent of Institutions said that they areintending to pursue either full or partial internal modelapproval: Most organizations pursuing this approach havea goal of reducing reqUired capital by better reflectingmanagement's internal view of risks and diversification,rather than being constrained by the requirements of thestandard formula. These Institutions most often plannedto use their Internal model as part of their declslon­making process for Solvency II in the areas of risk-based

zo lkliwring Solwncy fI, Financial5ervices Authority, Jl.ne 2010

JI The questions related to Solvency II were only asked of institutions that were SUbject to Solvency II or to equivalent requirements.

24

performance reporting (87 percent), capital managementand planning (87 percent), and management Informationon nsk profile (80 percent), while roughly two-thirds citeddeclslons on asset mix strategy and also on strategy andplanning (see Figure 17). Among the institutions thatIntended to use Internal models for Solvency 11,40 percentplanned to use them to prioritize risk management activity

and 20 percent for executive compensation decisions.In particular, the requirements to meet the Solvency IIuse test, as well as the requIrements laid out In SolvencyII with res pea to the need to embed risk managementIn executive remuneration, tend to encourage theconsideration of Internal model results In these areas.

Figure 17In which areas do you plan to use your Internal model as part of the dedslon-maklng process for Solvency II?

Risk-based performance reporting

Capital management and planning

Management information, e.g., providing information on howthe risk position compares with risk appetite, tolerances, or Imits

Decisions on asset mix strategy and the pos~b/e

effects of investment deci~ons

Strategy and planning, e.g., as an input to planning and strategyby providing an assessment of the impact on risks or capital

Analysis, design.. or purchase of reinsurance

Pricing of business

Assessment of the risks, value, and mpact to the businessof potential mergers, acquisitions, and disposals

Product development

Prioritization of risk management activity

Purchase of hedging assets or changes to existing hedges

Excess SlXplUS investigations (with profit fl.rlds)

Executive corTllensation

.",

87%

0% 10% 20% 30% 40% 5<m 60% 70% 80% 90% 100%

Base: Companies that provide insurance services and are subject to Solvency II.Note: Percentages total to mor-e than 100% because respondents could make multiple selections.

Global risk management survey; seventh edition Navigating In .. changed world 25

Major Insurers have established sizeable programs andallocated substantial financial resources to comply withSolvency II. The effort Is proving to be a significantchallenge for many institutions, with actuarial skills ingreatest demand. looking ahead, the subjects citedmost often In the survey as areas of foOJs for Solvency II

implementatIon over the next 12 months were programin~iation. gap analysis. and planning (86 percent); riskgovernan'" (71 per",nU; and Own Risk and SolvencyAssessment (ORSA) (71 percent). Roughly 60 per",nt ofinstitutions also cited the areas of documentation, training,and validatIon as areas of focus in the coming year. Morework may be needed on ORSA for Solvency f1, where halfthe institutions reported that some material risks have notbeen considered, such as strategic. reputational, liquidity.or operational risks. In our experience. many Institutions arecurrently working to Improve the linkage of the ORSA totheir business strategy and planning process.

Economic capitalEconomic capital reflects an Institution's actual risk profileand thus is an important tool for allocating capital and forassessing risk·adjusted performance. Some institutions maycalculate economic capital on an enterprise basis, withoutmaking separate calOJlations for individual risk types. Yet

InstitutIons, especially larger Institutions, may benefit froma more granular understanding of the economic capitalassociated with each of the major risk categories they face.

Economic capkal appcoadlesThe OJrrent percentages of institutions that calculateeconomic capital for dtfferent risk types were generallyhigher than in the 2008 survey; given the importance ofeconomic capital, the oyerail focus on adequacy of capitalstructures, and the use of economic capital In Pillar 2 for8aselll and Solvency II. higher percentages were expected(see Figure 18). Institutions were most likely to calculate

Agure 18For which of the following risk types do you calculate economic capital?

Market

Interest rate risk of the balance sheet

~tional

Counter-party aedit

Mortality

fv10rbidity

Property ~nd casualty

liquidity

Catastrophe

Strategic

$tptemic

DiYersificaticn effects across risk categaies

68%

0% 10% 20% 30% 40% 5096 60% 7096 80% 90% 100%

Note: PetCeIltages total to more than 100% because respondents could make multiple sele<:tions.

2.

economic capital for credit risk (68 percent), market risk (65pertent), Intel1!5t rate risk of the balanm sheet (61 percent),and operational risk (60 pertent). For other Importantrisk types, the pertentages of Institutions calculatingeconomic capital were much 1000er. T\Yenty-nlne percentof Institutions reported calaJlatlng economic capital forliquidity risk and 17 pertent for strategic risk.

To gain an assessment of risks across the organization,60 percent of Institutions used a summation approach.Additionally, other approaches to aggregating risks wereused-28 pertent used variance/covariance approach, 17pertent used the hybrid approach (square root of sum ofcorrelated squares), while roughly 10 pertent each usedcopulas and square root of sum of squares.a Among largeInstitutions, about one-third used one or more of thesetechniques.

Use of economic capitalThe uses ofeconomic capital are now more widespreadthan was true In the 2008 survey, Ingrained In both riskand broader management arenas and Indicating thateconomic capital Is now a more mature technique. In thecurrent survey, 64 percent of Institutions used economiccapital at the boardlsenlor management level for strategicdecision maldng, and 62 permnt at the enterprise level toallocate economic caplta~ compared to 53 permnt and 56percent, respectively, In 2008. Similarly, roughly 4S percentused economic capital at the transaction level for risk-based pricing and at the desk/product level for riskJreturnoptimization of product mix, up from about 30 percent eachIn 2008. While the use ofeconomic capital In compensationdecisions was reported at 30 percent of Institutions, this wasdouble the figure of 15 percent In 2008.

Large Institutions reported making more use of economiccapital In their dedslon making. Among Institutions with$100 billion or more In assets, n percent used It at theenterprise level to evaluate/allocate economic capital, 74pertent for strategic decision maldng by the board and

senior management 65 percent at the business unit levelto evaluate risk-adjusted performance, and 40 pertent tomake compensation decisions.

Economic capital was also used more widely by InstitutionsIn Europe than by those In other regions. For example, 77percent of European Institutions used emnomlc capitalfor strategic decision making at the level of the board of

directors and senior management, compared with 63percent In AsiaJPadfic and 48 percent In the United states!canada. Similarly, economic capital was used by 47 percentof European Institutions In compensation decisions, whileItwas used In this WfrJ by only 26 percent of InstitutionsIn AslalPadflc and 23 pertent of Institutions In the UnitedStateslCanada. The responsibility for reviewing andapproving economic capital reporting and results was placedwith the board of directors at 47 percent of Institutions,while 23 percent chose senior management The remaining30 percent plamd this responslblUtywlth functional groups,such as flnanm or risk management. Given Its Importance,one would expect the responsibility to review economiccapital reporting and approve results would be placed withthe board of directors orsenior management.

economic compared to regulatorycapitalEconomic capital was now reported as greater thanregulatory capital at most Institutions, In contrast to surveyresults In 2008. Sixty-three percent of Institutions reportedthat economic capital was higher than regulatory capital,up from 46 pertent In 2008, and 26 percent said thatregulatory capital was greater, adrop from 42 pertent Inthe prior survey. This shift towards higher economic capitalIs consistent with a better recognition by many Institutionsof the greater risk associated wlth their businesses dueto economic cycle factors: Economic capital levels aretypically more volatile and sensitive to risk conditions, whileregulatory capital tends to be more stable. It may be, too,that Institutions have generally strengthened the coverageand assumptions In their economic capital models duringthe recent period.

n Percentages total to more than 10096 because respondents could make multiple sefections.

Global risk management su~ seventh edition Navigating In a changed world 27

Management of key risks

Effectiveness of risk managementInstitutions should not only consider traditional riskcategories, such as market. aedit.'quldity. and operationalrisk, but a150 a broader array of risk: types that are nowgaining greater prominence. These risks should be consideredin the context of recent turmoil in the finandal mar~. a

reduced risk appetite among many Institutions. and greaterscrutiny of the effectiveness of os. management programs bythe regulators. In this rapidly shifting landscape, 66 percent ofexecutives conSidered their institution to be extremely or veryeffective In risk management overall. Perhaps because theytale more resources at hand. executives at larger InrttMionswere more likely to fee! their risk management programs'Here effective--75 percent rated them as extremely or very

effective. compared with a lesser 61 percent of those atinstitutions with less than $10 billion in assets.

The 9Jrvey also asked executives about their institutions'effectiveness in managing 26 Individual risk types. bothtraditional and emerging risks. Roughly three quarters of

exeartives believed their institutions were extremely or

very effectr.oe in managing market, credit, and liquidity risk.similar to the ratings in 2008. Regulatorylcompliance risk: isassuming greater Importance as many regulatory authoritiesaround the world are implementing more stringentsupervisory requirements, and 76 percent of executivesconsidered their InstiMion to be very effective In managingthis os. (see Rgure 19).

Agure 19How effective do you think your organization Is In managing each of the following types of risks?

Percent responclng extremely or very effective

Uquidity ~::::::::::::::::::::r 77.,.Regulatory/compliance _ 76%

74"

Credit

47'"

='43'"Mod~

!-timan resource

lap"

Data integrity

Vendorlservice provider

Stritegic

Property ind taRJiIty

Roputati"" ,-Ii

l'9'I=~71"Budgetil'9'finandal 7196

~ 71%

Mortally

Uabitity minagement

==-Business continuityJ1T securityI:::::::::::Countrylsotereign rislt

Fraud

9O'l6 100'l680"70%

Sy5temic !iiiiiiiiii~~_~ __L __L_~__~__'

(,"",oph.

Geopolitical

0% 1096 20% 30% 4096 50%

Note: Percentages total to more than 100% becau5e respondents could make multiple selections.

2.

Several risks that became more apparent in the globalfinancial crisis continue to present challenges for mostInstitutions. Forty-four percent of executives rated theirinstitution as extremely or very effective in managingrisks due to problems with data Integrity, and 41 percentrated their InstiMion highly for managing model risk. Atthe Individual institution level, there may be difficulty inaddressing systemic risk; however, 37 percent of executivesIndicated steps were being taken to do so and consideredtheir Institution to be extremely or very effective inmanaging this risk type.

Credit riskThe global finandal crisis led to large credit losses beingIncurred In some segments of the market, although theselosses appear to have been abating over the last year. The2010 review of large 'yndicated credits by U.s. regulatorsconduded that cred~ qual~y in the Untted State' remainedweak, although the volume of criticized loans decreasedby more than 30 percent from the record levels reportedIn 2009.23 In Europe, concerns about sovereign debt andpotential sovereign defaults haVe galvanized attention,as well as having knock·on effects to Individual finandalinstitutions. In the United States, precarious finances amongstate governments and their potential Impact on municipaldebt markets are starting to gain attention. In China andsome of the other developing markets, there Is concernabout the potential for asset bubb~, and the future fallouton loan collateral if asset bubbles do form and then correctthemselves.

eredtt risk management roles and responsibilitiesThe credit risk function has a broad mandate, and as thesurvey results show, the mandate is increasing. Views inthe industry on the role of credit risk management arenot consistent, and there are different roles and operatingmodels. Because many of the losses sustained by financialinstitutions over the past three years were a result ofwrite-downs in their investment and trading portfolios, thecredit risk management function in many Institutions hasextended its focus to include both Issuer and counterpartyrisk. Credit risk management responsibilities increasinglyInclude issuer and counterparty measurement. limit setting,and reporting. Such activities help prOVide enterprise-widecontrol of credit exposure that Includes the totality of creditrisk, encompassing loans, investments, and off·balanceinstruments.

At least half the institutions participating In the surveyIncluded 10 different areas as primary responsibilities of

their institution's credit risk management function. Theitems cited most often as primary responsibilities wererisk Identification, analytics, and reporting (80 percent);developing and Implementing the risk managementframework, methodologies, and standards (76 percent);monitoring risk exposures (74 percent); and escalatingrisk issues to the CEO and the board of directors where

appropriate 01 peroent).

Credit risk mitigationFor underlying and issuer credit risk, the most commonlyused credit risk mitigation tools were collateral (65 percent),guarantees (60 percent), the default management process(48 percent), and syndication and partidpation (45 percent).Among survey respondents, 34 percent of Institution usedcredit derivatives as a credit risk mitigation tool, although57 percent of institutions with S100 billlon or more Inassets did so. The survey found a signIficant Increase since2008 in the use of several credit risk mitigation tools forcounterparty credit risk. The use of collateral Jumped to 88percent of institutions from 54 percent in 2008, while theuse of guarantees rose to 65 percent from 45 percent, andthe use of syndication and participation (e.g., whole loansales) rose to 47 percent from 34 percent.

Credit risk measurementIn measuring counterparty credit exposures, Institutions areusing a number of techniques, more than were observedIn the 2008 survey. For measuring counterparty credit risk,the use of prlndpallnotional (e.g., by industry, sector, orgeography) increased to 81 percent of Institutions from61 percent in 2008, the sum of potential exposures forindividual transactions Jumped to 75 percent from 51percent, and potential exposure by counterpartyllssuerusing analytical method to 62 percent from 48 percent

For assessing underlying and Issuer credit risk:. the mostcommon approach was prindpaVnotional, used by 79percent of Institutions, an increase from 69 percent in 2008.However, there were a number of additional analytics thatwere included in the 2010 survey for the first time that werewdeiy used-probabil~ of defau~ (65 percentJ. los, givendefault (63 peroent). and exposure at defautt (60 peroentJ.These analytlcs allow Institutions to assess credit risk and areconsistent with the efforts by many institutions to employeconomic capital and to comply with the requirementsof Basel II. A continuing area of credit risk measurementdevelopment is the ability of institutions to get a complete,single view of customer exposure across different regions,product areas, business units, and legal entities.

lJ 5ha~dNational Cr~dits Program: 2010 Rnt~w. Board of Governori of the Federal Reserve System, Federal Deposit Insurance CorporationOffice of the COf'rlItroiler of the Currency. and Office of Thrift Supel'Vision, September 2010 '

Global risk management survey. seventh edition Navigating in ill changed world 29

Scress cescing across che encerprise has evolved and becomemuch more robusc for us, coming chrough our Basel IIimplemencacion. We've improved che rigor of our scresscescing and now work chrough numerous variables andcorrelacions co arrive ac a comprehensive sec of scenarios;chese help drive our capical planning process and are a cencralfeacure of lJuarcerly reponing co che board risk commiccee.- Chief risk officer, global bank

Cred~ risk stress testingStress testing is an important tool that tests the resiliency ofthe Institution In the face of adverse economic and marketconditions. and it is Increasingly an area of focus by ther09ulators In determining cap~al adequacy. Bghty-elghtpercent of Instttutions reported using stress tests for riskfactors affecting the credit portfolio, an Increase from 79percent In 2008. Among Institutions that employed stresstesting for their credit portfolio. 78 percent employedthem for default rates by underlying factors, 69 percentfor interest rate changes, and 62 percent for recoveryrates, all higher than In 2008. Stress testing was even morecommon among Institutions with $100 billion or more inassets: Ninety-seven percent used them for default rates byunderlying factors and 72 percent for re<overy rates.

Thirty-three percent of Institutions used stress testing forcorrelation risks, although 52 percent of large Institutfonsdid; this Is an application of stress testing that moreInstitutions may wish to consider. However, there aredifficulties In employing stress tests to correlation risks:Correlation data 15 difficult to obtain In the first. place,and the hlstorlcal series of correlation results required tofOnTlulate relevant stress tests are more difficult still.

Market risk

Value at risk (VaR)The propriety of various tools to manage market risk hasbeen under Intense scrutiny. VaR has been a Widely usedtool to assess risk but has come undercritidsm, espedallywhen used alone. By focusing on the potential ~latility In aportfolio at some predefined percentage of the time. suchas 99 percent, VaR has been critldzed for not focusing onso-called tall or ·Slack Swan· events, which are rare butcan have devastating impacts when they occur. Further.because VaR Is often based on a normal distribution, it mayunderestimate how often such events may occur.

Institutions In the current survey were using VaRsomewhat less often than in 2008 for various assetclasses. Sixty-four percent of institutions reported thatVaR extensively covered fixed income, down from 73percent In 2008, while 25 percent said it extensivelycovered asset-backed securities and structured products,down from 38 percent. Among those using VaR,more Institutions were using a variety of spe<lfic VaRmethodologies. The percentage of institutions usinghistorical simulation with full revaluation rose to 54percent from 46 percent In 2008, while the percentusing variance/covariance based on first-order Greeksrose to 38 percent from 31 percent.

However, there may well be new demands for the useofVaR. The new rules for separation of over-the-counter(OTO derivatives businesses in the Dodd-Frank legislationin the United States, and that have been proposed inEurope, will require institutions to be able to calculatemarket risk measures such as VaR for the entities Intowhich OTC derivatives will be transferred.

Market risk stress testing

Some have recommended that institutions supplementVaR with stress testing. The Basel Committee'spublication, Principles for sound stress testing practicesand supervision, addressed this, stating: ·Stress testingshould prOVide a complementary and Independent riskperspective to other risk management tools such asvalue~at-rlsk (VaR) and economic capital. Stress testsshould complement risk management approaches

that are based on complex, quantitative models usingbackward looking data and estimated statisticalrelationships. In particular, stress testing outcomesfor a particular portfolio can prOVide Insights aboutthe validity of statistical models at high confidenceintervals, for example those used to determine VaR:'J,t

lol PrindpJ~for sound str~s tming p(Qcric~sand sup~rvision, Basl!1 Committel! on 9.1nking Supervision. May 2009.

30

Among the survey particIpants, 74 percent of Institutionsconducted stress tests for the trading book and 51 percentfor the structured products book. larger Institutions 'Neremuch more likely to conduct stress tests for the structuredproducts book; 91 percent of Institutions with $100 billionor more did 50, compared with 31 percent of Institutionswith assets of $10 billion or less and 43 percent ofinstitutions with assets of $10 billion to $100 billion.

Price verification function

Institutions with price-sensitive positions may considerestablishing an independent price verification function.There has been increased Interest in price vertficationacross financial services institutions that need to valueassets (or pools of assets) periodically-in partiOJlar inseOJritles, banking, and Investment management, but alsoin insurance. The market turmoil from the global financialcrisis has led to more attention on this Issue from regulatorsand others. The forus has been on the need for a priceverification fundion that Is independent-In other words,with reporting lines that are independent of those for theprimary valuation process.

Eighty-six percent of inst~utions reported having suchan independent price verification function, including 93percent of institutions with $100 billion or more In assets.Forty percent of institutions located this function In theirrisk management organization, while 24 percent placed it inproduct controllers/finance. Eighteen percent of Institutionsreported locating this function In the middle office, down

from 21 percent in 2008, while only seven percent placed Itin the back office, down from 12 percent in 2008.

Model validation functionModel validation is a key activity to help assess whethermodels function as Intended, both when they areImplemented and over time. Ongoing monitoring andvalidation of risk management models are important in

order to assess a model's sensitivity to structural changesand to changes in parameters and assumptions.15 Fifty­nine percent of Institutions reported haVing a modelvalidation function, an increase from 53 percent in 2008.Larger institutions were more likely to have a modelvalidation function, with 79 percent of Institutions with

more than $100 billion in assets haVing such a function, upfrom 66% in 2008.

Model validation was most often placed in anIndependent risk management function. AmongInstitutions with a model validation function, 65 percentreported that model validation resides within independentrisk management, while 19 percent placed it withininternal audit and eight percent within the actuarialfunction. larger Institutions were even more likely tohave risk management handle model validation. Amonginstitutions with more than $100 billion In assets, 77percent said that model validation responsibility wasplaced within Independent risk management.

LiqUidity risk and asset liability managementSince the global financial crisis, the need for strongerliqUidity risk management has been recognized as neverbefore. large liqUidity buffers have been accumulated bymany financial institutions, and there has been a shift bysome from shorter-term wholesale sources of fundIng tolonger-term and more stable funding bases, such as fromdeposit taking.

liqUidity risk management has been a forus of regulators,with many institutions continuing to enhance theirliqUidity risk management tools, policies, and proceduresas a result. Institutions are recognIzing that the scenariosand assumptions used for liqUidity also need to be asrigorous as those used for capItal planning purposes, withsome establishing consistent economic scenarios andassumptions across capital and liquIdity.

There's a whole new action plan being rolled our in responseto IOcreaslOg needs around managing liquidity risk ... newpolicies, new contingency planning, new indicators, and newreporting-all to help vel)' actively manage diversifYing thesources and types of leverage.- Managing director, risk management, asset management firm

:IS ~rmptementation of Credit Risk Rating Models.~ Deloitte Development LlC, April 2008

Global risk management survey. seventh edition Navigating In a chang.ct world 31

Roughly three-quarters of Institutions surveyed havetaken a wide array of actions over the last two yearsin response to the liquidity environment. The mostcommon responses, each chosen by roughly half ofthese Institutions, were strengthening their liquidity riskmanagement function, enhandng liquidity stress testing,maintaining liquid asset portfolios. Improving liquiditymanagement policy, increased coordination betweentreasury and risk management. revised contingencyfunding strategy. and diversifying funding sources (seeFigure 20). In some areas, large institutions were muchmore likely to have taken action: Fifty-four percent ofinstitutions with $100 bllllon or more in assets haveincreased coordination between liquidity and capttalplanning (compared with 37 percent of all institutions),

and half have Improved their analysis of contingentand off-balance sheet positions (versus 36 percent of allinstitutions).

Both financial institutions and regulators are assessingthe liquidity dlfflcu~les experienced dunng the globalfinandal cnsls. Basel ~I will slgnlficant~ enhance liquidityrequirements by Instituting new- liquidity ratios andrequiring that institutions have more sufficient fundingand liquidity resources. The nature of the new rules will

become clearer over time as regulators finalize the detailsof the new requirements. Many institutions will likely haveto complete significant war!< to upgrade their liquidity riskmanagement systems and capabilities and comply withthese new- regulations.

Rgure 20

Whkh of the following steps has your organization taken in response to the liquidity environment over

the last two years?

Strengthened liquidityrisk. minagement fulction

Enhanced liquidity stress testing

Maintained liquid asset portfolios

Revised ca"ltingency fl..ndng strategy

Diwrsified funding sources

Increased coordiNOOn betwetnliquidity and capital planning

ImprOied analysis of contingentand off balance sheet positions

Improved treasury and AlM systems

Revised analytks methodologies

Increased data reqliremenu

Increased committed lines of oedit

Decreased position liTlils

Integrated tre~sury Mction withrisk rNNgement fl.nctjon

Q\anged funds ~nsfli!f pricing methodology

DecreaSEd use of collateralized fl..nding,such u repa ~nd securities lending

Other

53%

53%

0% 10% 20% 30% 4096 50% 60% 70% 8096 90% 100%32

Asset liability managementInstitutions partldpating In the survey performed variousanalyses for asset liability management (ALM) purposeswith varying degrees of frequency. For liquidity scenarios.28 percent of Institutions conducted these analyses dallyand 11 percent weekly, with 61 percent that conductedthem monthly or less often. Gap analysis was conductedeither daily orweekly by 36 percent of instttutions, while 64

percent conducted them less often. When it comes to otherImportant types of ALM analyses, roughly three-quartersof institutions reported that they conduct them monthly

or less often; this applied to earnings at risk. equity at risK.sensitivity analysis of net interest income. and sensitivityanalysis of economic value of equity. There can bedifficulties managing capital and funding structures dUringperiods of market turmoil, and obtaining information inorder to do so; therefore. institutions that conduct these

analyses for ALM monthly, or even only quarterly orannually, may consider conducting them more frequently.

Insurance riskInstitutions that provide Insurance products were ask.edseveral questions on Insurance risk.. In the survey, 17percent of institutions reported Insurance as their primarybusiness, with life insurance being the most common sector

(11 percenU. In addttlon, 34 percent of Instttutionsreportedthat they provide InsuranCE products, although insurancewas not their primary business.

Insurers that follow a traditIonal business model based ongenerating premiums, rather than those that engage Inother financial aetMUes, such as selling credit protection Inthe CDS market, may be in a more lk1uld position than otherInstitutions. Yet. Insurers do face risk management challengesresulting from the nature of their products, such as the

risks associated with variable annuity products. Maintainingeffective management of liqUidity risk., managing andestablishing limits for counterparty risk, and being able toaggregate risks across the organization are Important.K

Institutions reported using a variety of techniques toassess insurance risk. Several methods were cited byroughly 60 percent of Institutions as either a primary or asecondary methodology-stress testing, VaR, economiccapital. and dynamic financial analysis. No one method

dominated, and many Institutions used more than onemethod (see Rgure 21). These methodologies can overlapbecause analyses of economic capital often encompass

stress testing and VaR. and market-consistent embeddedvalue is the underlying framework used for economiccapital at many life insurance institutions.

Most Institutions providing insurance products reportedusing stress testing to assess insurance risk. Seventy-two

percent of Institutions used stress testing for mortality risk,while 66 percent employed tt for lapse nslc, 63 percent formorbidity risk, and 59 percent for expense nsk.

Figure 21

To what extent does your company use the following methods to assess Insurance risk?

EconorTic apiQl

Value at risk.

Stress testing

Market consistent embedded value

Dynamic: fn¥Idal anillysls

83"

• Prirn,uy methodology • Secondolry methodology • Don't ~e but pan to

)I Dr. Robert W. Klein, et ill., "The Flnolndoll Crisis and Lessons for Insurers, M CAS, S1A, SOA Joint Risk Management Section. 50A Committee onFinance Reseolrch, Society of Actuaries, Septembl!'r 2009

Global risk management survey. seventh edition Navfg<ltlng In II cunged world 33

Rgure 22Who In the organization has primary responsibility for managing each of the following types of Insurance risk?

100%

-% 17%

80%70%

'0%I

50%'0%30%20%10%0%

ReinSUr<Wlce

Insurable event

Policyholder behavior

Pridng

Catastrophe

Concentration

• Actuarial • Undel"M'iting • Product development • ERM • Internal Audit • Oaims • Other

Note: Some graphs do not add to 10096 due to rounding.

Institutions used a variety of organizational struduresfor overseeing insurance risks, with no function being

named by more than 39 percent of Institutions for anyrisk type. For example, for pricing risk, 37 percent ofinstitutions said the primary responsibility was placed withactuarial, while 26 percent cited product development,and lesser percentages named other areas (see Figure 22).

One potential challenge In Interpreting responses to thisquestion is that depending on an Institution's structure,there may not be a separate and distinct actuarialdepartment, with actuaries Instead residing within ERM,produa development, and other areas.

For concentration risk, 39 percent named ERM, while35 percent cited actuarial and the remainder placed theresponsibility in other functions. The higher proportionof Institutions placing responsibility for concentrationrisk w~hln the ERM function may be leveraging the ERMfunction's ability to aggregate and analyze risk informationacross the enterprise.

Operational risk

Although Institutions have always managed operationalrisks, the importance of operational risk management was

made agreater priority by the Indusion of operational risk inthe Basel II capital framework.. As a result, many institutionshave major programs for operational risk in place. However,these regulatory-driven operational risk. efforts are typically

focused more on measurement and capital than on helpinginstitutions proactively identify and manage operational risk,such as those resulting from model risk., (See "Effeaivenessof risk management" in this report for a discussion ofthe survey results on model risk,) In addition, While some

Institutions have done so, many have not integratedoperational risk management with related programs, suchas Sarbanes~Oxley and regulatory compliance.

Although operational risks can potentially have majornegative Impacts on an Institution's reputation, theyhave typically not received as much attention from senior

management and boards of directors as other risks; theimpacts of the global financial crisis from credit, market.and liqUidity risk events may have further reduced the

relative priority placed on managing operational risk, Yet.although individual operational risk events may be small, inthe aggregate they can be substantial.

Operational risk implementation progress

Institutions have made progress In some areas. When askedabout the Implementation of various aspects of operationalrisk management. 87 percent of Institutions reported that

they had e~her fully or substantially completeo the work ofIdentify;ng risk types, while 67 percent said the same about

gathering relevant data and 65 percent about standardiZingthe documentation of processes and controls (see Figure 23),

34

Figure 23To what extent has your organization Implemented the following aspects of operational risk management?

879'~)%

=====::======~67"

Identifying risk. types

Gathering relevant data

Standardizing documentationof processes and controls

Developing operational risk. mitigationstrat~ies induding insurance

Creating metrics for monitoringeach type of operational risk.

Developing methodol~iesto quantify nslcs

Rolling out a formal operational

risk.1Taining program ~~~~~::;:==~=::::;:~~.L. __L-_-l__...L__L-_.....J

0% 10% 20% 30% 40% 50% 6096 7096 8096 90% 100%

• Fully iTIpiemented • Substantially implemented

However, In other areas less than half the institutionshave largely completed implementation: creating metricsfor monitoring each type of operational risk, rollingout a formal training program for operational risk, anddeveloping methodologies to quantify risk.

Because AMA modeling indudes these areas asrequirements, these lower percentages are consistent withthe fact that only 23 percent of instiMions said their workunder Basel II on AMA modeling was completed or largelydone. (See the "Basel II" section of this report.) LargeInstitutions have not done as much work in some areas,perhaps due to the compleXity of the task of managingoperational risk In complex organizations. While 67 percentof all Institutions have completed or substantially completedthe work of gathering relevant data, the figure was 60percent among Institutions with $100 billion or more inassets. Thirty-seven percent of large institutions havelargely completed the work of developing operational riskmitigation strategies.

Based on Deloitte's risk management surveys. progress hasbeen made on implementing operational risk methodologiessince 2008. Sixty-one percent of executives rated their risk

assessments, and 54 percent rated their Intemalloss eventdata, as extremely or very well developed, compared withroughly 40 percent for each two years ago. For key nskindicators, 30 percent of executives considered them to bewell developed in 2010, compared with only 12 percent in2008.

The use of scenario analysis for operational risk wasWidespread. Roughly two-thirds of institutions reportedconducting scenario analysis for operational risk at theenterprise level and the business unit level. 56 percent didso at the level of nsk type, and roughly one-third did soat the trading desk level and at the level of product type.Among institutions that employed a scenario analysismethodology for operational risk. either quantitative or amix of quantitative and qualitative scenario analysis wasused by roughly three-quarters for nsk type, product type,business unit and enterprise levels, and by 83% for thetrading desk or eqUivalent unit level.

In 2010, executives believed theIr technology systemsfor operational risk management were more capable Inseveral areas than they did in 2008. Forty-four percentof executives considered theIr technology systems to beextremely or very capable In supporting operational riskassessments. up from 23 percent in 2008. Forty percentgave this rating to their capabilities In data gatheringcompared to 27 percent in the last survey (see figure 24).

Global risk. rnMagement survey, seventh edition Navlgiltlng in a cMnged world 35

Figure 24How capable are your organization's operational risk management technology platforms In the following areas?

====:::;;:~===::;:-,87"Data gathering

Reporting

Risk assessments

Scenario analysis

Causal event analysis

Operational risk capital catwations ~~~~~~~~~=~~~~=~~~-:::::;---:=_--::::-_~0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 1()()%

• ExtremelyNery capable • Somewhat capable

Although only about one-quarter of executives eachconsidered their risk management systems for scenarioanalysis and for causal event analysis to be extremely orvery capable. this was roughly double the percentagesseen In the 2008 survey. Generally increasing capabilities inoperatlonal risk: management technology platforms wereexpected given the continued development of operational

risk capabilities in the Industry and the fact that mostinstitutions are now well along in implementing Basel II.

With operational risk capital models becoming moredeveloped as Institutions Implement Basel II, institutionsare including more Inputs Into those models. Traditionally,operational risk capital models have been largely based onintemalloss data, but increasingly, Institutions are includingawider array of factors. In the survey population, the mostcommon inputs to operational risk capital models wereintemalloss data and risk setf assessments, each cited by74 percent of institutions. Roughly hatf the institutions usedkey risk Indicators and scenario analysis. Institutions arealso now using a wider range of Inputs to their operationalrisk capital models than In 2008. Seventy-four percent ofInstiMlons reported using risk self assessments, up from60 percent in 2008; 56 percent use scenario analysis and55 percent use key risk Indicators and scenario analysis, ascompared to 39 percent in 2008; 45 percent use internalaudit scores, while 22 percent did so In 2008.

Regulatory riskThe global financial crisis unleashed atidal wave of regulatorychange. Regulations have been introduced or made morestringent regulatory authorities have received new powers,and new regulatory bodies have been created.

The Dodd-Frank Act, which was signed Into law inthe United States in July 2010, constitutes the mostfundamental change to the U.S. regulatory regime since the1930s. With the overall goal of redudng risk in the financialsystem and increasing protections for consumers, thepro~slons of the Dodd-Frank Act Indude the following:

A new Financial Stability Oversight Council will monitorand respond to risks to the financial system as a whole.A new Office of Financial Research will have theresponSibility to coiled and analyze systemic finandalInformation for the regulatory agencies.Institutions that are designated as systemically important,including nonbanks, are subjed to new information andreporting provisions and reqUired to create a "living will"for their orderly dissolution in case they should fall.Banks, their affiliates, and holding companies face newrestridions on proprietary trading and on investments inhedge funds and private equity funds.Many derivatives are reqUired to be traded and clearedon exchanges.Institutions are reqUired to have a risk managementexpert as a member of the board risk managementcommittee.

A new Consumer Financial Protection Bureau within theFederal Reserve consolidates the consumer protectionresponsibilities previously handled by several regUlatoryagendes. The new agency has the authority to writenew rules for consumer protection that will govern allfinandal institutions, both banks and nonbanks, offeringfinandal products to consumers.

3.

In June 2010. the government In the United Kingdomannounced that It would abolish the FSA and place itsprudentla I regulatory authority with a new subsidiary of

the Bank of England. which vvll be given new author~y toaddress systemic risk. issues.2J A new Consumer Protectionand Markets Authority will be created to regulateInstitutions providing financial services to consumers. TheEuropean Commission announced legislative proposals toregulate over-the-counter derivatives markets, induding

establishing a central counterparty clearing me<hanlsm.28

The Impacts on the finandallndustry could be evengreater from the series of revisions introduced by theBasel Committee on Banking Supervilion. Since the globalfinancial crisis, funding structure and liqUidity managementhave become major areas of forus by the regulators andalso an Important component of Basel III. Regulators areexamining whether nonbank ent~les have direct access tothird-party sources of funding, or whether they are fundedcentrally, leading to the risk of double leverage. The BaselIII rules introduce a global liqUidity standard to supplementcapital regulation, with higher levels of capital and higherliqUidity ratios, among its other provisions. In December2009, the committee issued two consultative papers thatproposed additional changes In the areas of leverage ratios,counterparty credit risk, capital ratios, and systemic risk. Thecapital levels may also vary by individual countries. Whilemany countries may believe that the Basel III capital levelsare adequate, other countries may choose to reqUire anadditional capital requirement fortheir large Institutions.

For example, the Expert Commission in Switzerland, formedto examine regulation of systemically important finandalinstitutions, Issued awhite paper on September 30, 2010,that recommended that these Institutions be required tohold aminimum of 10 percent of assets In common equity,compared to seven percent under Basel 111.29 In July 2009,the Basel Committee approved several regulatory revisionsto Its rules goveming capital adequacy, risk management,and corporate governance. For Insurers, the European Unionhas intrOOuced Solvency II, a revised capital adequacy regimethat will establish minimum solvency reqUirements.(See "Regulatory and Economic Capital.")

These regulatory developments are expected to haveimportant Impacts, many of which cannot be anticipatedtoday. In the survey, more than 80 percent of Institutionshave already experienced significant Impacts on theirbusiness from regulatory reform in the countries 'Nherethey operate (see Figure 2S). More than half the Inst~utlonl

reported that their compliance costs have risen, whileroughly 40 percent cited the need to maintain bothhigher cap~al and higher liqUidity. Roughly one quarter

of the institutions have also had to adjust certain of theirproduds in order to meet regulatory requlrements.30 LargeInstitutions were even more likely to have experiencedsignificant impacts from regulatory changes, with 63percent maintaining higher levels of capital and S6 percentmaintaining higher levels of liquld~.

Agure 25

Which of the follOWing Impacts on your business have resulted from regulatory reform In the majorJurisdictions where you operate?

Noticing an increased cost of compliance

Maintaining higher capital

Maintaining higher liqlidity

Adjusting certain product lines

Oth"

No signiflCilnt impacts

SS'l6

0% 10% 20% 30% 40% 50% 60% 70% 80% 9096 100%

Not~: Percentages total to more than 10096 because respondents could make multiple selections.

J1 Toney Bonsignore, ~FSA~ and Bankof England Beefed Up in Regwtory Shake-Up.· City Wire, June 17, 2010, http:lkitywTe.co.uklmoneylfs.1·axed-and-ban~0f-en9Iand-bee~n-regulatory-shak~pla407635

1I 'W Fmndal Reform, ~ McDermott Will & Emery, September 23, 2010, http://www.mwe.conVindex.cfmlfuseaction/pLtllications.n1detailobil!Ctidldlb430c2-781e-409o-acda-e6302d58defa.cfm -

19 ~Bank Regulatory DewIoprneots in Switzerland in the Aftermath of the Crisis,~ Presentation by Dr. Daniel Daeniker, HornI:Iurger, October 27, 2010)0 Th~percentages total to more than 100% bl!Cause respondents Cl:)Ijd make rTkJltipJe sell!Ctions.

Global risk m<nagement SlINey. seventh edition NavigOltlng In a ctulnged world 37

Agure 26In light of the recent credit crisis, In which of the following ways have you changed the way you address/manageregulatory concerns?

Meet with reguatOl's on amore frequent basis

Communcate firm Issues ina more timely manner

Enhance fTm's infrastructureto support heightened sautiny

'096 2096 3096 60% 7096

73%

90% '0096

Note: Percentages total to more than 1009& because respondents could make multiple selections.

In response to the changed regulatory environment,roughly three-quarters of institutions said they now meetwith regulators more regularly. while 51 percent said theymake an effort to communicate to the regulators in atimelier manner the issues that affect their institution(see Figure 26). In addition, 38 percent of Inst~utionshavetaken steps to enhance their Infrastructure to supportefforts to comply with the heightened regulatory scrutiny.

With much of the attention of regulators focusedon systemically Important financial Institutions, largeInstitutions were more likely to have made changes. AmongInstitutions with $100 billion or more In assets, 89 percentsaid they now meet more otten with regulators. and 52percent had upgraded their infrastructure to supportregulatory compliance.

To manage their relatlonshlps with regUlators, 35 percentof institutions have Instituted a formal program and meetregularty with regulators. while 51 percent have an ad hocprogram and meet with regulators only as needed. AmongInstitutions with $100 billion or more in assets. 55 percentsaid they had Instituted a formal program as compared to30 percent of Institutions with less than $10 billion in assets.

38

Regional perspectiveTIl""re were sI9nlfl(,lnt dllfel':-Ilc,:,s ,KlOSS re91011S In

t.:-rms ,)1 how IIlstltutl(lm l1lanage r>O-9ulatory IIs1

a(cordln9 to )U!vev lesrJ':ond'2'l1ts Tho;- [JockHr,lnl

Act C(lnstltutes a lTl.lJ,)r retorm ,llld stl""ngtllelllnlj

(,f the r~lul.lt,:orv fr.:UlloO'\'.,'Ori 1f1 rhe 1I111t>?<J States In

addition. overSight bv U S re9ulat':'rs has bec,)me more

sUlll'Jent Slnc,~ the ';llobal flllarlClJI crl51S As J result c,j

tll.:-,;.:- development:,. InstitutiOI1S III the United Stat""Sf

CanadJ \"·:""re mOlE' iiI' ely to repolt ch.mges In r>?sp')lls>?

to the.> r",gul'1t,w,' ellvIIonrnt'nl. With 90 p,,-,/cent SJVll1g

that th""v were meelln9 With roO'9ulatars more (,ftell.

comp"I""d With 63 per(.:-nt In Eur,:opoO'. 56 perco;-nt III

ASia/PaCifiC, "nd 6.:1 ~'""rCE'l1t In L.ltlll Aln';'-IICJ Flftv-nllle

pelCl?l1t (,f U S ICan"dlan Institutions S,lld they had

up,yad.;.-d th""lr collll:olianco:- Infr.,5tructllre. ((,mpart-oJ

to 37 percent III Europe. 28 pelcent In ASla/P"Clflc. ,lnd

w,n':-In latlll Arnell(J

Institutions III the United St.)ks/C~nadJ\/'.'el"" ,llso rw,re

111'",lv to h,,1':e IllstltUt':"1:J f':'11I131 pro'pams t':, rn""d \""Ith

r-=9u1at,:>rs Flfty·el9ht pelc'o'nt a/lllstitutlollS In til':'

UnIted StakslClnadJ ha~'"" J for InJI pro~lrJ1ll and Illeet

With re~lulJI(OIS rJ?9uIJily. c(lmp,lred to 26 percent III

Elw,p"". 2.:1 po;-rcent 111 ASIJ·PJClflc. and 21 p""rcent III

Latin Amer ica

Risk management systemsand infrastructure

Risk management relies on robust Information andtechnology systems. The ability to quickly Integrate riskInformation in a consistent format across the organization

will help institutions gain a comprehensive picture oftheir overall risk profile, as well as the risk associatedwith individual cQunterpartles. The global financial crisishighlighted the importance, and the dlfflcul1ies, ofachieving an integrated and seamless approach to riskdata. In their October 2009 report, the Senior SupervisorsGroup cited the complexity of the financial industry'stechnology Infrastructure as a key hindrance In Identifyingand measurlng risk within the financial system,)' In someInstitutions, the limitations of enterprise risk managementtechnology systems have led Individual lines of businessto create their own systems. leading to a potentiallyfragmented structure.

Institutions Increasingly need the ability to respondto mounting requests from regulators for stress tests,reporting, and ad hoc information. As regulatoryrequirements evolve, institutions are likely to need theflexibility to reconfigure and scale their risk systems. Forexample, some banks are fadng challenges with creditvaluation adjustment analytlcs and with generating liqUiditystress testing reports trom their legacy asseHabilitymanagement systems. For Insurers, Solvency II may alsoplace additional demands on risk management technologysystems: There will be the need to calculate regulatorycapital In atimely fashion and to conduct continuousmodeling of solvency. which may prove difficun for thosewith legacy systems.

Structural changes to markets and new business modelsare presenting additional demands on risk managementtechnology systems. For example, derivatives trading mayincreasingly move to exchanges and to central clearingfacilities. As the IndUStry's derivatives business modelchanges, corresponding changes to the operations andtechnology infrastructure may be required. As new entitiesenter into derivatives dearing activities, counterparty andoperational risks may need to be assessed.

Since the global finandal crisis, many major financialInstitutions have undertaken significant investmentsto upgrade their risk technology Infrastructure-tohelp provide for the availability of more consistent andreliable risk Infonnation, to help enhance the capabilitiesoftedmology Infrastructure to support new functionalrequirements needed by the business, and to supportregulatory compliance, Increased stress testing, andenhanced risk reporting capabilities.

Another trend among some institutions has been to adopta shared risk technology model that provides the frontoffice with the analytlcs necessary to allow it to serve asthe "first line of defense" in risk management, while the riskmanagement function defines the spedfic risk measures.Underthis approach, common pricing models are oftenused for valuation and risk measurement

Other institutions have focused on the need for both thefinance and risk management functions to have access toreliable and granular infonnation, such as counterpartyexposures and underlying transaetion·level data, for analysisand reporting purposes. These Institutions have undertaken

a variety of efforts to meet shared finance and riskmanagement needs, such as data quality remediation efforts,joint systems architecture ren€'W'al, data warehousing, andreporting engines.

Institutions may want to devote additional focus on risktechnology systems, supported by the fact that exeOJtivesin the survey gave their Institutions somewhat higherratings In managing major risks than they gave to theability of their risk management technology systems tosupport management of these risks. Roughly three-quartersof executives rated their InstiMlon as extremely or veryeffective in managing credrt. market. and liqUidity risk (see"Management of key risks"). When asked to rate their riskmanagement technology systems In these areas, however,a smaller proportion, 61 percent, rated them as extremelyor very effective in supporting credit risk management,while 57 percent provided as high a rating for effedivenessIn supporting market risk management and 47 percent forliqUidity nsk (see figure 27).

JI -Rislt Management lessons from the Global Baridng Crisis of 2008,· Serior ~l!fVisors Group, O<:tober 21, 2009.

Global rislt management SUI\ley. seventh edition N~vigilting In iI changed world 39

Agur.27How effective do you think your risk management systems are In the following areas (whether developed by a

vendor or Internally)?

Credit risk.

Market risk.

RegulatOl'}' and economic capitalcalwlation and reporting

Property and casualtyunderwriting risk

liquidity risk

Compliance management

life or health inSU'"anceunderwriting risk

Operational risk.

Collateral management

Enterprise risk

'0% 20% 30% '0% 5O'l6

6'%

70% 100%

• Extremely effective • Very effective

Funetionailimitations may exist In technology systems andif so, institutions may need to do more manual work in

gathering, reconciling, deaning. and anatyzing risk data.Institutions may also find that they may want to improvetheir ability to easily leverage risk data consistently acrossfunctions and businesses.

Forty percent of executives surveyed rated their risk datastrategy and Infrastructure as being extremely or veryeffective in data management/maintenance and datacontrols/checks (see Figure 28). In the areas of data standardsand data marts/warehouses, a smaller proportion, aboutone-quarter, of executives considered their institutions to beextremely or very effective.

Agur.28

How .ffoctlv. do you think your organization Is in tho following aspocts of risk data strategy and Infrastruct1Jr.7

Data gavemance

Data managementfmanteoance

Data process architectu~orkflow logic

Data controls/checks

Data SOIScing strategy

Data martslwarehouses

Data standards

'096 20% 30% '0% 50% 60% 70% 90% 100%

40

• Extremely effective • Very effective

The data you need for risk management is not as wellsupported as it might be. When you try to use daracollected for other business purposes to enable riskmanagement, it's missing a lot of the elements you'd likeor need-it's like when you need electricity, you can't justuse the plumbing system!- Managing director, risk management, asset management firm

Global risk m<Wlagement SUNey. seventh edition N~vJg.t1ng In ill changftf world 41

Exerutlves had the greatest concerns about risk data qualityand management, which 43 percent described as a majorconcem. The changing regulatory environment, indudingBasel II and III, Solvency II, and the Dodd-Frank Act, mayalso place additional demands for data and reporting onrisk technology systems. The abilily of nsk technologysystems to adapt to evolving regulatory requirements was

a major concem for 38 percent of executives.

Rough~ two-thirds of Institutions reported they havestrategies to address their risk Infrastructure, but Inmost cases executives said that the strategies are notyet well developed. Roughly two-thirds of InstiMionshave strategies for most areas, Including risk softwareapplications, data warehousing, architecture standards,

and data sourcing, but less Institutions had well i

developed strategies. For hardware, 26 percent ofexerutlves considered their strategy to be well developed,

although this was an increase from 16 percent In 2008.For architecture standards, 18 percent of respondentsconsidered their strategy to be well developed, up from

10 percent In 200B.

Consistent with these findings, concerns about dataquality challenges were also expressed by many Institutions.The greatest risk technology priorities cited for the next

12 months were to improve risk data quality andmanagement, which was a high pnomy for 48 percentof institutions, and to enhance the reporting of riskinformation, which was a high priority for 44 percent(see Figure 29). Based on the survey results. moreinstitutions agree that building risk Information systems

with the ability to gather consistent data from across theorganization and to quickly generate reports customizedto spedfic requests. such as from senior management or

regulators, should IIke~ be a priority."

Figure 29

Over the next 12 months. how much of a prJorlty are Improvements to the following areas of your risktechnology capabilities?

86"

Economic capital

Risk information reporting

Collateral management s)'5tem

SpecialiZed credit risk systems

Specialized mar1cet risk systems

Compliance management system

UqJidity risk management system

Risk data qUillity and management

Operational risk measurement system

Regulatory capital cakulation and reporting

Enterprise-wide risk datawarehouse development

Integrated market and credit risk measurement system

Integration of risk and compliance systems ~~~~~=~~~~~=C---::L--=L._,-'-----'-_--'0% 10% 2096 30% 40% 50% 60% 70% 80% 90% 100%

• High priority • Moderate priofity

)l For additional discussion, see the report by the DeIoitte Center for Banking Solrtions, Vv'I"Ming in l~ rtI!W risk ~nviro~t, 2010,Deloitt~ Development Uc.

42

Conclusion

The experiences of the global financial crisis have created anew financial services marketplace: Economies have beenstrained. key players have changed or disappeared, andbusiness models and the avenues to competitive advantagehave been altered. The scale and pace of regulatory changehas also been unprecedented. with new requirementsunder Basel III as well as important changes in individual

countries. such as the United States and United Kingdom.

Responding to these new realities may require effedlve

risk governance. Boards of directors have an Important role

to play in providing active oversight of risk management.including the approval of their Institution's risk managementframework and risk appetite. The eRO position can providean Important focal point, helping risk management toreceive adequate attention from senior management and to

prClll'ide the board of directors with independent views onkey risk management issues.

Institutions that do not have an ERM program may consider

implementing one to gain a comprehensive view of risksacross the organization and identify interdependencies. Toachieve such a comprehensive picture of the risks they face,

many institutions may need to consider upgrading their riskmanagement information systems so they have consistent,quality risk data that can be easily aggregated acrossprooucts, geographies, and counterparties.

There Is increased attention to the importance ofmanaging tall risk from events that are rare, but potentiallycatastrophic. Many institutions may benefit fromreassessing their risk models and supplementing VaRwith stress tests and other tools. Given the volatility ofthe financial markets, some Institutions may also considerconducting stress tests more frequently than they do

currently.

But rlsk management Is not simply a matter of models andmethodologies. Institutions may also need to considerhow they can infuse risk management considerationsthroughout the organization, creating a culture that places

a value on appropriate risk taking. Another area likely toreceive heightened attention Is how to Incorporate riskmanagement considerations Into performance goals and

incentive compensation decisions.

Finally, this report on Deloitte's Global risk managementsurvey, seventh edition, underscores that the bar for risk

management in financial services may continue to beraised: There are still many challenges ahead to navigating

in a changed world.

Global risk managem~t suNey, seventh edition NilVlgat/ng In a c....nged world 43

Contacts

Globill Finandotl5erviCll!sIndustry l.eadeBhlp

Jack RibeiroOlalrmanGlobal Financial Services IndustryDeloitte Touche Tohmatsu Lirrited+ 1 2124362573jribeiro@deloitte.com

Chris HarveyGlobal Managing Director andBanking and Securities IndustrySector leaderGlobal Financial Services IndustryDeloitte Touche Tohmatsu Limited+44 20 7007 1829caharvey@deloitte.co.uk.

Joe GuastellaInsurance Industry Sector leaderGlobal Financial Services IndustryDeloitte Touche Tohmatsu Umited+12126184287jguastella@deloitte.com

Stuart OppInvestment Management IndustrySectOf leaderGlobal Financial Servic!!S IndustryDeloitte Touche Tohmatsu I..imited+44 20 7303 6397stopp@deloitte.co.uk

Survey edttor

Edward T. Hida II, (FAGlobal leader • Risk & CapitalManagementGlobal Financial Services IndustryDeloitte Touche Tohmatsu Limited+12124364854ehida@deloitte.com

Contributors

Argentina

Claudio E. FiorilloPartnerDeloitte & Co S.R.L+54 11 43202700, Ext 4781cfiorillo@deloittl!.com

Belgium

Frank De JonghePartnerDeloitte & Touche+3228002456fdejonghe@deloitte.ccm

Canada

Leon BloomPartnerDelcitte & Touche+14166016244lebloom@deloitte.com

China

Dr. Philip GoethManaging Director GFSl, AsiaPadficDeloitte Touche Tohmatsu CIY\ Ltd.+861085207116phgoeth@deloine.com.cn

China, Hong Kong, S.A.R.

Eric TongPartnerDeloitte Touche Tohmatsu+852 2852 6690ertong@deloitte.com.hk

France

Marc Van CaeneghemPartnerDeloitte (onsetl+33 1 55 61 6588mvancaeneghem@deloitte.fr

Italy

Paolo GlanturcoPo_Delcitte Consulting S.pA.390283323131pgianturco@deloitte.it

New Zealand

Richard KirklandPort""Delcine New Zealand+6444703711richardki"k1and@deloitte.co.nz

United Kingdom

Julian LeakePort""Financial Services IndustryDelcine MCS Limited+442070071223jileake@deloitte.co.uk

United States

Dolores Atallo-Ha.zelgreenDirectorDelcine & Touche llP.12124365346datalohazel!1een@deloitte.com

Samuel AuxierDirectorDelaine & Touche LLP+13123862793sauxier@deloitte.com

Scott BaretPo_DeIoitte & Touche LLP+12124365456sbaret@deloitte.com

Craig BrownDirectorDeIoitte & Touche LLP+12124363356cbrown@deloilte.com

tH. Caldwenp,-Delaine & Touche LLP+1704 2271444jacaldwell@deloitte.com

Eric OapproodSenior Mil"lagerDeloitte Consulmg LLP+1 860 72S 3473ecJapprood@deloitte.com

Michele CrishSenior ManagerDeloitte & Touche UP+12124362053mcrish@deloitte.com

Karen DeToroSenior ManagerDelcitte Consult"'g llP+13124865640kdetoro@cIeloitte.ccm

Andrea 01 GiovaMiDirectorDelcitte & Touche UP+12124367094andigiovanni@deloitte.com

Simon FisherSenior ManagerDeloine & Touche UP+12124365907siftsher@deloitte.com

Thomas AneisDirectorDeloitte Consulting UP+13124865593tfineis@deloitte.com

Olga KasparovaSenior ManagerDelcine & Touche UP+16174372812ok.asparova@cIeloitte.com

Paul KurganDirector (Retired)Deloine & Touche LLP+1 202 626 4420pkt..rgan@deloine.com

Patrida MatsonPrincipalDeloitte Consulting UP+1860 725 3302pmatson@deloitte.com

Ricardo MartinezPrincipalDeIoitte & Touche LLP+12124362086rimartinez@cIeloitte.com

Michael MclaughlinPrincipalDeIoine Consulting UP+13124864466mikemclaur#1 lir@deloittl'.com

William NugentSenior ManagerDeIoitte & Touche llP+12124363070wnugent@deloitte.com

Kenneth RiskoSenior ManagerDeIoitte & Touche llP+16152591832krisko@deloitte.com

Thomas RoltauerDirectorDeIoine & Touche LLP+12124364802troilauer@deloiUe.com

Sabeth SiddlqueDirectorDeIoitte & Touche+1 202 378 5289ssiddique@deloitte.com

Richard SpiJIenkothenDirectorDebtte & Touche llP+1 202220-2747rspillenkothen@deloitte.can

Jyoti VaziraniSenior ManagerDebne & Touche LLP+12152994574ftvazirani@deloitte.com

Deloitte Touche Tohmatsu Limited and DTTLMember Firms Risk & Capital Management Contacts

Argentina Caribbean Indiill Malaysia South Korea

C~io E. Fiorilo .Jeremy Smith ~yGupte St~Um .lung In LH..- ..""" Senior DirKtof Executive Di"ector .."""Delaine & Co SAL Delcitte & Touche DeIcitte Touche Tdvnatsu ndia Delcitte Deldtte Ccnsu/ting 'l\ilarhoesa+54 11 43202700, Ext. 4781 +1 3458143315 MUd +603 n23 6515 +82266761312cfiorillo@deloitte.com jersmith@ldeloitte.com + 91 21. 6681 0600 stM:'l"llim@deOtte.com junginee@dl!lo~cam

aguptl!@deloitte.comAustralioJ Chile Mexico Switzerland

Sean Coody Pablo ....,.,. Indonesi.J ........ Homo""'" Philipp Kl!ller..- ..""" Claudia Lauw Di"ector .."""Delaitle Touche Totrnatsu Delcitte Olile ..""" Delcitte MexkD Delaitte /IG-+6139671 6396 +5627298150 Delaine Toudle Totrnatsu +52 55 50806295 +41 44 421 6290scoady@deloltte.com.au paherrera@deloitte.com +6221 2312879. Ext. 6993 mihernandez@cleloittemxcom phkeI1er@deloitte..c:h

doILW@dek:itte.comJohn Kidd Chin.. TheNfC'therIands David 5tn!1iski..- Dr. Phiip Gofth ..~ Hans Van Leeuwen .."""Delcitte Touche ToIYnauu Managi"lq Onder. GFSI. Asia Pacific Pierluigi BrifllZa ..""" Delaitte SA-+61 39671 73S7 Delcitte Touche Tohmatsu CPA lid. MU'liging Pilr1ner Deloitte +41217~ 1900jlcidd@deloitte.com.au +86 1085207116 Delcitte Consulting S.pA +31 882883293 d~~5~~deloitte..ch

phgoeth@deloitte.comcn +390647805412 Havanl..eeu-..wn@dtloitte.nlMark Young pbfienza@cltloitte.it Taiwan..- Jason U New Zealand Benson ChengDeloitte Touche TotYnatsu lead Partner Paolo Gianturco Richard Kirkland .."""+ 61 29322 3533 DeIoitte Touche Tohmatsu CPA ltd.. ..""" ..""" Deloittemayoung@deloitte.com.au Olina Deloitte Consulting 5.pA Deloitte + 886 2 25459988, Ext.7843

+861085207012 +390283323131 +6444703711 bensonhdleng@deloitte.can.twAustria jasonlishigang@deloitte.com.m pgiantlXco@deloitte.it richardkirldand@deloitte.co.nzDominik Damm Thailitndp,- Alvin Ng Japan Philippines Suttharug PanyaDeloitte Rnandal Advisory GmbH ..""" Shigeru Furusawa Diane Yap p,,,,,,,+43 153700 5400 Deloitte Consulting (Shanghai) "rtne< p,,,,,,, Deloitte Touche Totvnatsu Jalyosddamm@deloitte.at Co., ltd. Deloilte Touche Tot'ITIatsu UC Deloitte AcMsory Co., ltd.

+86 1085207333 -+8136213 3160 +63 2 8120535, Ext. 9053 +66 26765700. ~. 5247Belgium aIvng@deloitte.com.m shigeru.furusawa@totmatsu.co.jp dyap@deloitte.cORl spanya@deloitte.rom

Frank De Jonghe China, Hong Kong SAR. Daisuke Kuwahara Poland United Kingdom..- MariaXUel'eb ..""" William HigginsDeloitte & Touche ..""" Deloitte Touche TotYnatsu UClbigniew Szczerbe1lc.a

+32 280024 56 Deloitte Touche TotYnatsu -+81362133525 ..""" lead Partnl'f - Risk and RegulatmDeloitte Central &lope DeloittellPfde;onghe@deloitte.com -+8S2 2852 1008 OaisU:e.kuwabira@tohmatsu.co.jp+4822 511 0799 +44 207 303 2936

mcnuereb@deloitte.comhklSZCZI!fbe1Ic.1@deloitte.rom wtiggi'l5@de1oitte.co.uk:B",;J SNg"" C>nori

Anselmo Bonservitti Denmarit ..""" Singapore VlShai Vecli..- Jens Petel' Hoeck Delcitte Touche Totrnatsu UC .."""Delcitte Touche TotYnatsu ..""" -+813 6213 3170 TseGan ThioDelcittellP

+55 11 5186 6226 Delcitte & Touche Denmark SNgeru.omori@tohmatsu.co.j) ExtocutiYe Di"ect.or+44 207 303 6737

abscnservizzi@dekitte.CORl +45 36 103426 Delcitte & Touche &rterprisewedi@deloitte.co.u.:

jhoed:@deloitte.dk TsuyoshlOyama Risk: Services+6562163158Iws Pereira Mutler ..""" Unit~ Stltn..- ""nee Deloitte Toudle Totmatsu UC tgthio@deloitte.o::m

Delcitte Toudle Totmatsu -+813 6213 1945 Edward T. Hida a, (fA

+551937073009Marc Van Caeneghem

TsuyoshLOflIma@tohmatsu.co.j) Spa;n Global leader - Risk: &

imuller@deloitte.a:m ..""" Rafael Campo Bemad Capital M¥\agEmentDelcitte Conseil

Lox........ ..""" Global Rnandal Services Indlsby

Rodrigo Mendes Duarte+33155616588

Delcitte S.L Delcitte Toudle TotYnatsu limtedI1lViIncaeneghem@deloitte.fr laurent 8erliner +12124364854..- ..""" +4 915145000 &1.1488

Delcitte Toudle Totmatsu Delcine r~d@deloitte.es8-lida@deloitte.rom

Gonmoy+5511 51866206 +352451452328 Robert Maantrodriganendes@delcitte.com JOrg Engefs

Ibl'ffner@deloitte.lu South Africa..""" .."""Deloitte & Touche GmbH Wayne Savage Deloitte & Touche UPGo.....Wrtsehaftspnjfungsgesellsc:haft Xaviel' Zaegel ..""" +1212436 7046

leon Bloom +49211 Bn22376 ..""" Delcine & Touche rmaxant@deloine.com..- jengels@deloitte.de Deloitte +27 11 209 8082Deloitte & Touche +352451452748 dsavage@deloitte.con A10k Sinha+14166016244 Ireland megel@deloitte.lu Prndpallebloom@deloitte.mrn

Martin Reilly Deloine & Toudle UP..""" +1415783 5203

Deloitte & Touche asima@deloitte.cORl

+35314172212mrelly@deloitteJe

Deloltte refers to one or more of Delatte Touche Tohmatsu United. a UK private company limited byguarantee, and its netwak of member firms, each of which is a legally separate and independent entity.Please see www.deloitte.comfabout fur a detailed desalptlon of the legal structure of Delcltte ToucheTotwna1su Umlted and its member firms.

Deloltte provides audit. tax. consulting, and filandal advisory services to plbllc and private clients spanningndtIple industries. WIth a globally connected network of member firms in more than 150 coun1ries, Deloittebrings worlcklass capabilties and deep local expertise to help dlen15 succeed whereYer they operate.Deloltte's appraldmatefy 170,000 professionals are committed to becoming the standard of excellence.

This publication contains generallnfurmatlon only, and none of Deloltte Tauche Tohmatsu United, Its memberfirms, or their related entitles (collectively, the -Deloitte NetwClfk1 is, by means of 1his plbllcatlon, renderingprofessional advice or services. Before malclng any decision or taldng any action 1hat may affectyour financesor~ business, you shedd consult a qualified professional adviser. No entity in the Deloltte Network shall beresponsible for any loss whatsoever sustained by any person who refies on this plblicatlon.

o 201 t DeIoItte Global ServIces UmltedItem It 100214February 2011