
Deloitte ERS Report 2012

Date post: 03-Jun-2018
Upload: moinul-hossain
Financial Services Industry May 2012 Enterprise Risk Management Survey Report 2012 Where do you stand?
Page 1: Deloitte ERS Report 2012

8/12/2019 Deloitte ERS Report 2012

http://slidepdf.com/reader/full/deloitte-ers-report-2012 1/28

Financial Services Industry

May 2012

Enterprise Risk Management Survey Report 2012

Where do you stand?


Table of Contents

Foreword

Executive summary

About the Survey

Key Findings

Detailed Findings

Achieving a Strategic View of Risk

Enterprise Risk Management – a work in progress

Addressing the Full Range of Risks

Risk Management Systems and Technology Infrastructure

Conclusion: The Road Ahead

Contacts

This publication contains general information only. The publication has been prepared on the basis of information and forecasts in the public domain. None of the information on which the publication is based has been independently verified by Deloitte and none of Deloitte Touche Tohmatsu Limited, any of its member firms or any of the foregoing’s affiliates (collectively the “Deloitte Network”) take any responsibility for the content thereof. No entity in the Deloitte Network nor any of their affiliates nor their respective members, directors, employees and agents accept any liability with respect to the accuracy or completeness, or in relation to the use by any recipient, of the information, projections or opinions contained in the publication and no entity in Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies thereon.


Foreword

Welcome to the first edition of the Deloitte East Africa Enterprise Risk Management Survey. This is the first survey of its kind as it seeks to provide a baseline assessment of the state of risk management within the financial services sector in the region.

Enterprise Risk Management (ERM) has become a hot button issue in virtually all sectors of the economy across East Africa. In particular, within the financial services sector, risk management has grown in prominence largely as a result of regulatory push but also as a means of protecting current assets while actively seeking competitive advantage.

Financial services industry (FSI) players within the region increasingly have to contend with emerging threats and competition, rapid shifts in the business environment coupled with heightened regulatory demands.

However, there are also new exciting opportunities such as regionalization through better integration across the East African Community trading bloc, improved technologies and enlightened customers with better spending power. In light of these developments, organizations have put in place risk management structures and processes to manage the risks presented by both the opportunities and challenges in the marketplace.

So as to gain insights and provide a baseline assessment of the state of risk management within the financial services industry, Deloitte East Africa undertook this survey and collated results from more than 60 risk management professionals across Kenya, Uganda and Tanzania.

We sincerely thank all those who participated in this survey through sharing with us their experiences and insights.

On behalf of my colleagues at Deloitte, I invite you to read the report and hope it inspires new thinking, provides new insights and allows you to benchmark with your own risk management processes while facilitating enhancement of your ERM program.

We welcome your feedback and comments. If you would like to further discuss any of the issues in more detail, please speak to your usual Deloitte representative or one of the contacts listed at the end of this survey report.

Sincerely,

 Julie Nyang’aya

Enterprise Risk Services Partner

& Financial Services Industry Leader

Deloitte East Africa


Executive summary

In an ever more complex and volatile business environment, risk management has continued to grow in importance in the financial services industry. Roughly 75% of organizations treat it as a board-level oversight responsibility and more than 50% of the respondents had their risk governance models at various stages of implementation.

Although progress has been real, considerable work still remains to be done. Most organizations are in the process of creating effective systems and processes to measure and manage less traditional risk¹ types such as strategic, operational, reputational and Information Technology (IT) risk. Those that have implemented ERM programs are already recording gains; however, many concede it is difficult to quantify this value.

These are some of the important findings in the first edition of the Deloitte East African Enterprise Risk Management Survey. The survey gathered responses from over 60 risk management professionals across Kenya, Uganda and Tanzania. The survey looked at issues such as risk governance, management of key risks, the scope and coverage of ERM programs, challenges encountered and risk management technology solutions.

It is clear that financial institutions face an increasing range of risks. Organizations have to keep pace with ongoing regulatory change and scrutiny while meeting demands for stronger governance and enhanced transparency.

The survey showed an industry that is alert to this range of risks, but identified a number of important areas where additional investment and management attention is needed. It also highlighted some of the basic approaches organizations are taking, areas where they have improved risk management capabilities, and areas where they are still struggling to get a good handle on risk issues and processes.

Effective risk management is fundamental to success in the financial services industry, and a basic expectation of shareholders, regulators and customers. In a challenging and changing risk environment, however, the bar on what constitutes effective risk management is constantly being raised. As this survey shows, most organizations have an unfinished agenda when it comes to the development of sophisticated risk management capabilities, enabling an integrated, enterprise-wide approach to managing the varied and dynamic risks they face. Financial institutions that can understand risk holistically, managing the full range of risks they confront, can strategically use risk taking as a means to strengthen their competitive position and create value.

¹ Risk as used in this report is defined as “the potential for loss or harm – or the diminished opportunity for gain - caused by factors that can adversely affect the achievement of an organization’s objectives.”


About the Survey

The Deloitte East Africa Risk Management Survey 2012 is our first baseline assessment of the state of Enterprise Risk Management (ERM) in the financial services industry (FSI). The survey was aimed at helping organizations benchmark their enterprise risk management programs, processes, structures and systems with those of their peers within East Africa.

The survey was conducted in March 2012 through an online questionnaire. We solicited the participation of Chief Risk Officers (CROs) or their equivalents in various companies and institutions in the Financial Services Industry across Kenya, Uganda and Tanzania.

Financial Services Industry is defined as companies and institutions operating within the banking, securities, insurance, investment management and real estate sectors.

Respondents who participated in the survey were primarily drawn from the banking, insurance (both long term and short term), asset management and fund administrators (see Figure 1). Most of the respondents had a turnover of more than US $500 million (see Figure 2) while approximately 25% were listed on one or more of the stock exchanges in East Africa.

Figure 1: How best would you describe the areas/industries your company is involved in?

[Bar chart, scale 0% to 80%. Categories: Banking; Asset Management; Fund Administration; Long term insurance; Re-insurance; Real Estate company; Short term insurance; Collective investment schemes; Mutual fund; Retirement fund administration.]

Figure 2: Which of the following best describes the size of your organization in terms of revenue / turnover?

[Chart. Categories: Less than KES 100M/ UGX 3.5M/ TZS 5M; Over KES 100M/ UGX 3.5M/ TZS 5M; Over KES 500M/ UGX 18M/ TZS 25M; Over KES 1billion/ UGX 36M/ TZS 50M; Over KES 50billion/ UGX 1.786B/ TZS 2.5B. Values shown: 5.4%, 6.8%, 8.1%, 35.1%, 44.6%.]


Risk governance

Risk governance can be defined as the approach for directing the management and control of risk, which may be overseen by the board of directors as a whole or through a board risk committee. The role of clear and active risk governance has gained currency in the recent past as a result of corporate governance breaches, fraud and related malfeasance coupled with increasing focus by regulators who are now insisting on proper oversight by the board.

Key findings

• Half of the respondents had their risk governance models at various stages of implementation with only 29% having their models already implemented.

• In 80% of the organizations, the board of directors receives and reviews regular reports on the risk management program and approves the ERM policy and framework.

• Approximately half of the respondents indicated that the board is involved in approving the risk appetite statement. This could be due to the fact that approximately a third of the respondents (34%) indicated that they have not yet defined a statement of the company’s risk appetite.

• 82% of the respondents indicated having a Chief Risk Officer (CRO) or equivalent with only 6 respondents indicating that they do not have this executive in place.

• Aligning compensation and incentive plans with appropriate risk taking is undertaken in 81% of the organizations surveyed.

Our Point of View

• The Board should continue taking ownership and driving the risk agenda across the business. While senior management with support from the CRO are involved in managing risks, the oversight by the board cannot be delegated.

• Risk management should be infused throughout the organization; not only at enterprise and business unit level; but also in strategic and operational decisions.

• The risk appetite sets the limits and delineates acceptable versus unacceptable risks. This should continue being formulated and constantly monitored for compliance.

• Distinction between risk management and internal audit should be emphasized within the organization to ensure clarity of roles, responsibilities and accountabilities.

• Consolidate the various risk functions (e.g. IT risk, Credit Risk, Operational Risk) to facilitate better oversight and reporting.

Enterprise Risk Management

ERM aims to bring a holistic organization-wide and standardized risk management process to financial institutions and provide them with an integrated view of risks they face. By adopting a comprehensive approach to risk identification and assessment, ERM can help identify many dependencies or inter-relationships among risks that might otherwise go unnoticed. In addition, it is easy to gain new insights and provide transparency into the overall impact of risk on the institution.

Key Findings

• Implementation of ERM is fairly limited with only 31% of the organizations surveyed indicating that they have a fully implemented ERM program. However 38% of respondents indicated that they are in the process of implementing one.

• Among survey respondents, ERM programs almost always covered the major traditional risk categories of credit risk (92%), liquidity risk (90%), regulatory/compliance (90%), and market risk (85%).

• New risk categories such as operational risks (95%), strategic (80%), reputation (83%) and IT security (75%) have also emerged as critical focus areas.

• ERM is integrated and linked to the Internal Audit Plan in 59% of the organizations. A further 25% indicated that this is not formalized as yet.

• Only 23% have their risk appetite both quantitatively and qualitatively defined. A similar number are in the process of seeking approval for their risk appetite statement while 34% do not have the risk appetite statement.


• Those organizations that have implemented ERM are already recording gains. This is evidenced by the fact that 85% of the respondents felt that the value of their ERM program was greater than its cost; however many conceded that it was difficult to quantify this value. 14% indicate that they are yet to reap the benefits of ERM.

• The top rated challenges during ERM implementation were integrating risk data across the organization (70%) and having the appropriate risk management skills (64%).

Our Point of View

• Defining and implementing an ERM program is imperative; this may include defining an ERM policy, setting up relevant functions and putting in place measures to monitor and report on key risks while driving a risk culture in the organization.

• Internal audit plans should be aligned to the results of the risk assessment arising from the ERM program. The Internal Audit department should provide assurance on the effectiveness of the ERM framework and program implementation.

• Define and monitor compliance to the organization’s risk appetite statement.

• Identify innovative ways to derive value from the ERM program while minimizing cost of implementation. This may call for integrating various risk efforts while seeking a coordinated implementation approach across the organization.

• Focus on new emerging risk types such as reputation, operational risks and IT security while not losing focus on the traditional risks such as credit and market risks.

• Define an ERM framework and program which enables effective reporting and consolidation of data.

• Have regular trainings for board and senior management on ERM concepts and implementation so as to build internal capacity. In addition, undertake a continuous culture change program to embed a risk-aware culture across the organization.

Management of Key Risks

A critical challenge facing risk management is achieving a comprehensive view of all the varied risks a financial institution faces. Many institutions have much more to achieve in this regard.

Key Findings

• Most executives rated the effectiveness of their ERM programs as either 2 or 3 on a scale where 1 is highest. This implies most program implementations are still work in progress.

• In terms of specific risk types, most organizations felt that their ERM programs were most effective in managing liquidity and financial/budgeting risk.

• Credit risks, tax and regulatory were identified as areas where ERM is growing in effectiveness, possibly due to the already existing regulatory oversight.

• Operational risk areas of business continuity, IT security, legal, human capital and data integrity risks were highlighted as areas where the ERM programs have not been effective.

• Most organizations have strengthened their liquidity risk management function (70% of respondents) or amended their liquidity management policies (65% of respondents).

• Capability of the operational risk management technology platforms was rated as ‘somewhat capable’ by a majority of the respondents. Scenario analysis and operational risk capital calculations were identified as key challenges in these technology solutions.

• 28% of the respondents indicated that regulatory reform has resulted in an increase in the cost of compliance and the need to hold higher capital levels.

Our Point of View

• ERM program implementation efforts should be accelerated with appropriate support from the business.

• ERM programs should focus and expend efforts in managing new and emerging threats to today’s business such as IT security, fraud and talent.

• Continuous interfacing with the regulators and timely communication of compliance challenges should be embraced to ensure a mutually beneficial relationship.


Risk Management Systems and Infrastructure

Information technology is a vital element of risk management capabilities and acts as a key enabler to the effectiveness of the ERM program.

Key Findings

• Only 60% of the organizations surveyed have a dedicated risk management technology solution. Most of the respondents, however, clarified that they have several sub-systems, at various levels of sophistication, that address specific risks.

• Legacy risk management system (incorporating a spreadsheet solution) was rated as the most prevalent in the industry while credit management systems were identified as the second most common solution. Credit management solutions could be due to the need to score and evaluate the credit rating of potential customers prior to advancing loan facilities.

• Possibly as a consequence of their perceived prohibitive cost, 61% rated high cost of maintenance and vendor fees as a major concern over the technology systems. Integration, a long standing issue when it comes to technology, was rated as the second most significant concern by the industry. Other issues tied to this were lack of sufficient risk data, data integrity issues (46%) and inability to extend the current legacy systems.

• In terms of priority, risk data quality and management were identified by most respondents as being critical in the next 12 months as organizations seek to improve their risk technology capabilities. Capabilities to calculate the regulatory capital requirements, ability to manage and monitor operational risk and compliance risks were also highlighted as vital priority areas over the next 12 months.

Our Point of View

• To derive value and facilitate integration of risk information across different units of the organization, consider implementing a robust dedicated risk technology solution.

• The risk technology solution is only an enabler; the key determinant on its efficacy will be the quality of the risk registers and framework in use within the organization.


Detailed Findings

Achieving a Strategic View of Risk

Risk governance can be defined as the approach for directing the management and control of risk, which may be overseen by the board of directors as a whole or through a board risk committee.

With the increasing variety of risks, and the potentially huge negative impact they can have in terms of both financial and reputational loss, risk management has become an even higher priority for financial institutions. This first FSI ERM survey found that the board wholly owns and is kept informed of risk issues.

The role of clear and active risk governance has gained currency in the recent past. Recent corporate governance breaches, fraud and related malfeasance have shone the spotlight on the level and oversight role played by the board.

Regulators are now focusing more closely on the role of the board of directors in setting a financial institution’s risk policy and risk appetite and in monitoring that these are implemented effectively by management. In fact the need for active board oversight over risk management has been emphasized in the guidelines issued by the banking and insurance regulators in Kenya, Uganda and Tanzania.

Strengthening risk governance

The survey found that many financial institutions have taken a variety of actions in response to the increased focus on risk governance (see Figure 3).

The most common action, taken by roughly 75% of the organizations, was to improve the process for reporting of risk information to their boards of directors and to their management risk committees. In addition, formation of risk management committees, both at management and board level, has been undertaken by approximately two thirds of the respondents. Establishment of the Chief Risk Officer (CRO) position and development of a risk dashboard report were also prominent activities undertaken.

Figure 3: Which of the following actions has your organization taken in response to recent concerns regarding risk governance?

[Bar chart, scale 0% to 80%. Categories, in the order shown:]

• Improved board risk reporting information

• Formed risk management and board level committees

• Increased management risk committee reporting information

• Enhanced risk limits

• Updated the risk appetite statement

• Reviewed management risk committee structure

• Developed risk dashboard report

• Held more frequent management risk committee meetings

• Updated management risk committee charters

• Established Chief Risk Officer (CRO) position

• Expanded Chief Risk Officer (CRO) responsibilities

• Reviewed board risk committee structure

• Materially reformed our risk culture to improve the effectiveness of risk oversight

• Established a risk committee of the board of directors

• Updated board risk charter

• Added management risk committee members with risk experience

• Added board members with risk experience

• Established management executive sessions with CRO

• Established board executive sessions with CRO

• Held more frequent board of directors’ meetings


An interesting finding was that approximately a third of the respondents had materially reformed the risk culture to improve the effectiveness of risk oversight. This could have been through undertaking training and related activities aimed at building awareness of the importance of ERM, roles and responsibilities and the value to be derived from ERM.

These results point to appropriate focus on risk governance since relevant, on-time information on risk and opportunities is vital for management and board decision making. Such information also provides visibility on initiatives being undertaken and any exposure or opportunities available in the market.

Risk governance model

Organizations surveyed had strengthened or adopted risk governance models under the impetus of the expectations of their regulators or as part of their strategy.

However, half of the respondents had their risk governance models at various stages of implementation with only 29% having their models already implemented (see Figure 4). The risk governance model is a key risk program element that is typically defined in the risk management policy and ERM framework.

The risk governance model² should:

• Establish risk governance and oversight;

• Define the institution’s risk management roles and responsibilities, including the role of business units; and

• Specify the process for ongoing monitoring of risk management.

Figure 4: Does your organization have a defined risk governance model and approach which delineates functional responsibilities of risk management

[Chart. Categories: Yes, fully implemented; Yes, being implemented; No, but under consideration; No. Values shown: 29.1%, 17.7%, 3.2%, 50.0%.]

Figure 5: Which of the following describe the roles in risk management of the board of directors in your organization?

[Bar chart, scale 0% to 100%. Categories, in the order shown:]

• Receipt and review of regular risk management reports

• Review and approval of overall risk management policy and/or Enterprise Risk Management (ERM) framework

• Approval of the risk appetite statement

• Approval of individual risk management policies, e.g. for market, credit, liquidity, or operational risk

• Approval of risk management framework adopted by management

• Executive sessions with Chief Risk Officer (CRO)

• Approval of the charters of management risk committees

• Review of the compensation plan to consider its impact on risk factors

² Getting Bank Governance Right, Deloitte Center for Banking Solutions, August 2009, Deloitte Development LLC.

Risk management today is a governance function: the board and the audit committee are more focused than they ever were on enterprise risk. It is more and more common for the risk function to report directly to the board. The expectations around the level and thoroughness of key risk management documentation have greatly increased.

Chief Risk Officer, diversified financial services company


Role of the board of directors

Survey findings showed that for more than 80% of the organizations, the board of directors receives and reviews regular reports on the risk management program and approves the ERM policy and framework (see Figure 5).

This is in line with the regulatory requirements and good corporate governance expectations. The prudential guidelines issued by banking regulators and circulars issued by insurance regulators across the region emphasize the need for active board oversight over the risk management process within the organization.

Approximately 50% of the respondents indicated that the board is involved in approving the risk appetite statement. This could be due to the fact that approximately a third of the respondents (33.9%) indicated that they have not yet defined a statement of the company’s risk appetite.

With regard to the information reported to the board, there was consensus on a Quarterly Risk Report which contained the various components of the ERM program as a key deliverable. A majority of the respondents indicated that risk concentration (85.2%) and operational failures (78.7%) were critical reporting items to the board. Risks facing new products or business and new emerging risks were also vital information reported to the board (see Figure 6).

On the question of who within the organization receives risk reporting, the board topped the list at 90.2%, indicating visibility of the risk agenda by the board. Management risk committees, CEOs and CFOs were also recipients of the risk reports (Figure 7).

Across the survey sample, it is evident that risk management oversight is most often a board-level responsibility; current regulatory guidance and best practice reinforce this practice.

Figure 6: Which of the following type of risk information does your organization currently report to the board of directors?

[Bar chart, scale 0% to 100%. Categories: Risk concentration; Operational failures; Stress testing; New and emerging risks; Utilization vs. limits; New product and business; Risk exceptions reporting; Code of the ethics violations; Systemic risk; Shareholder/customer complaints; None.]

Figure 7: Which of the following individuals or groups receive risk reporting at the enterprise level?

[Bar chart, scale 0% to 100%. Categories: Board of Directors and/or designated Board Risk Committee; Management Risk Committee; CEO and/or CFO and/or CCO and/or CIO (Chief investment Officer) and/or Treasurer; CRO; Business Unit Heads (executive level).]


Increasing role of the CRO

The presence of a Chief Risk Officer (CRO) who is a member of the senior management team may help risk management efforts and initiatives receive appropriate high-level attention. 82% of the respondents indicated having a CRO or equivalent with only 6 respondents indicating that they do not have this in place (Figure 8). While the name may vary across organizations (e.g. Head of Risk, Manager-Risk) the core functions performed seem to be very clearly articulated with defined risk management responsibilities. Out of those without a specific CRO function, risk management responsibilities are carried out by the Head of Internal Audit, Head of Operations or the CFO (Figure 9).

Some of the respondents indicated that they were at an advanced stage of engaging a CRO or were looking to recruit a Risk and Compliance Officer.

Not only is the CRO position more prevalent, generally he or she is also increasingly reporting to higher levels within the organization and playing a more strategic role. 53% of the organizations have the CRO reporting functionally to the board or a board level committee while 43% report to the CEO. 3% report to the CFO.

The CRO and the enterprise risk management group have more responsibilities and a higher profile. More than 80% of respondents said these responsibilities included developing and implementing the risk management framework, developing risk reporting mechanisms, chairing or participating in management risk committees and escalating risk issues to the CEO or the board (Figure 10).

Probably due to the fact that the value of the risk appetite has not grown in prominence, only 53% are involved in calculating the firm’s appetite for risk. In addition, since Basel II and Solvency II are not mandatory requirements within this region, only 21% are involved in calculating and reporting of economic and regulatory capital.

Figure 8: Does your organization have a Chief Risk Officer (CRO) or equivalent?

Yes: 82.4%

No: 17.6%

Figure 9: If your organization does not have a Chief Risk Officer (CRO), who manages or is

responsible for coordinating Risk Management within the organization?

Head of Internal Audit

Head of Operations

Head of Credit (0%)

Head of Finance/CFO

IT Manager (0%)

46.2%

15.4%

38.5%

Figure 10: What are the responsibilities of the Chief Risk Officer (CRO)?

Responsibilities listed: Developing and maintaining risk management framework; Developing risk reporting mechanisms; Chairing or participating in management risk committees; Escalating issues to the CEO or board of directors; Developing and documenting the institution’s risk appetite statement; Calculating and reporting of economic and regulatory capital.


Infusing risk management throughout

the organization

New business initiatives

New product launches, mostly riding on

mobile-commerce, coupled with greenfield or

acquisition-related regional expansion has characterized

the financial services industry in the recent past. These

events have an important bearing on risk management

with regulators and media analysts increasing their focus

in this area. 87% of the respondents indicated that risk

considerations are incorporated during these strategic

decisions and new product launches.

In their business and product approval process,

almost all institutions reported considering more

than traditional major risk types - operational (95%),

regulatory (89%) and market (81%) (see Figure 11).

Also considered with increasing importance were

strategic, liquidity, foreign exchange volatility and

country risk. While these were not rated, they were

highlighted as part of the ‘Other’ category to indicate

their relative importance during decision making. In

particular, liquidity and foreign exchange volatility are

critical as most of the companies operate as regional entities with their head offices being in one of the East

African countries, South Africa or Nigeria and therefore

have to consider the impact of any foreign exchange

translation whether for revenue, tax or intercompany

transactions settlement and reporting.

Aligning risks and performance measures

The incorporation of risk management responsibility

into performance goals has become a key leading

practice. The objective is that employees, especially

those with the authority to take decisions that entail

significant risk, have incentives to consider the risk

associated with those decisions. The survey identified

that 81% have incorporated risk management

considerations into performance goals across

the organization. An almost similar number indicated

that risk management is incorporated in both senior

management and business unit personnel performance

measures (see Figure 12).

The importance of aligning compensation and

incentive plans with appropriate risk taking has received

increasing attention particularly in the US and Europe

arising from the global financial crisis. In September

2009, the Financial Stability Board issued a report on

the standards for sound compensation practices that

identified the importance of having independent and effective board oversight of compensation policies

and practices [3]. This is particularly critical in the face

of the corporate governance breaches reported in

the recent past and related management failures.

Figure 11: Which of the following type of risk information does your organization

currently report to the board of directors? (Select all that apply)

Risk types shown: Operational; Regulatory; Credit; Legal; Reputational; Market.

Figure 12: Has the organization incorporated risk management considerations into

performance goals across the organization?

Yes: 80.6%

No: 19.4%

[3] FSB Principles for Sound Compensation Practices, Financial Stability Board, September 25, 2009


Figure 13: Does your organization have an Enterprise Risk Management (ERM)

program or equivalent?

Yes, program in place: 30.6%

Yes, currently implementing one: 38.8%

No, we don’t have an enterprise-wide program. It focusses on a limited aspect e.g. Operations, IT and Credit Risk: 27.4%

No we don’t have one / I don’t know: 3.2%

Enterprise Risk Management – a work in progress

An enterprise risk management (ERM) program is meant to set the overall framework and methodology for how a company manages risks. ERM provides an institution with the tools to clarify its risk appetite and the risk profile, and to evaluate risks across the organization. By adopting a comprehensive approach to risk identification and assessment, ERM can help identify many dependencies or inter-relationships among risks that might otherwise go unnoticed.

Understanding of the root causes of risk factors and their correlation can be accelerated by an effective ERM program. Looking at risk from an integrated perspective can bring new insights and provide transparency into the overall impact of risk on the institution.

Enterprise risk management continues to command a great deal of attention in the financial services industry. The appeal is clear: ERM aims to bring a holistic organization-wide and standardized risk management process to financial institutions and provide them with an integrated view of risks they face. The goal is to have a consistent reporting of information across the enterprise, perhaps through a risk dashboard that provides relevant information for individuals in varying roles throughout the organization based on standardised information.

Despite its appeal, however, implementation of ERM

is fairly limited with only 31% of the organizations

surveyed indicating that they have a fully implemented

ERM program. However 39% indicate that they are

in the process of implementing one. Another 27%

do not have an enterprise-wide program but rather one

focused on limited aspects such as credit, operations and IT (Figure 13).


ERM Program coverage

Among survey respondents, ERM programs almost

always covered the major traditional risk categories

of credit risk (92%), liquidity risk (90%), regulatory/compliance

risk (90%), and market risk (85%) (see

Figure 14).

New risk categories such as operational (95%),

strategic (80%), reputation (83%) and IT security (75%)

have also emerged as critical focus areas.

Strategic and reputation risks have become critical given the current competitive landscape due to new, more

established entrants from more advanced markets,

effects of mergers and acquisitions and greater scrutiny

by the media (including social media).

Regulatory and compliance risks have also grown in

prominence due to the increasing focus insurance,

banking and capital market regulators are placing

as a consequence of adopting the risk-based

supervision model.

IT risk and business continuity risks have also emerged

due to the increased investments and pervasive use

of IT across organizations. Fraud perpetrated through

IT systems has also contributed to the growth of this

risk type.

Other risks such as liquidity are critical given

the recent foreign exchange volatility which affected

the economies of the East African countries.

The coverage of a wide range of risks by an ERM

program allows the risk function to contribute more

effectively to strategic decisions, because it has a more

comprehensive view of risks across the organization.

Linkage to Internal Audit

Internal Audit is regarded as the third line of defense

after management implementation of controls (first

line of defense) and risk management program and

procedures (second line of defense).

59% of the respondents indicated that ERM is

integrated and linked to the internal audit plan.

This means that their internal audit plan is based on

prioritized risks identified through an ERM process.

A further 25% indicated that this is not formalized

as yet (Figure 15).

 

Figure 14: What major risk areas in your organization does your ERM

program cover? (Select all that apply)

Risk areas shown: Operational risk; Credit risk; Market risk; Liquidity risk; Strategic risk; Regulatory/Compliance risk; Legal/Litigation risk; IT Security risk; Business Continuity risk; Hazard or Insurable risks; Reputation risk.

Figure 15: Is ERM integrated and linked to the Internal Audit Plan i.e. annual internal audit

plan is based on prioritized risks identified through an ERM process?

Yes: 59.3%

No: 15.3%

Not formalised / Not sure: 25.4%

We are formalizing our risk program at the enterprise level, and we are getting more disciplined about measuring not only individual risks, but also what the overall potential impacts of those risks are.

Chief risk officer, diversified financial services company 


Risk Appetite

To support the effectiveness of an ERM program,

an institution should consider having an approved

enterprise-level statement of risk appetite. Only

23% have their risk appetite both quantitatively and

qualitatively defined with a further 13% having it either

qualitatively or quantitatively defined. 23% are in

the process of seeking approval for their risk appetite

statement while 34% do not have the risk appetite

statement (see Figure 16).

Financial institutions can benefit from having an explicit statement of risk appetite, reviewed and approved by

the board of directors as an important part of their

oversight responsibilities. The risk appetite statement

can then be translated into specific limits and tolerances

for business and for specific risk categories.

In translating the risk appetite into specific risk

limits, 62% translated it into business unit level

while the remainder has it at the enterprise level.

Establishment of risk limits for different categories of

risk can be an important step towards monitoring that

an institution’s activities are consistent with its risk

appetite.

 Value of ERM

ERM programs allow institutions to achieve a holistic

view of risk across risk categories and lines of business.

Those organizations that have implemented ERM are

already recording gains. This is evidenced by the fact

that 85% of the respondents felt that the value of their

ERM program was greater than its cost; however many

concede that it was difficult to quantify the value of

ERM. There are still 14% who have not seen the value

of their ERM program.

Although the full value of ERM may not be easily

quantified, most respondents felt the ERM provided

significant value in specific areas: an improved

understanding of risk and controls (51%), enhanced risk

culture and a better balance of risk and rewards (41%),

increased ability to escalate critical issues to senior

management (41%) and improved perceptions by

the regulators (27%) [4]. The average rating across the

4 value-scores was 2 indicating that most believed that

the ERM provided significant value (see Figure 17).

Figure 16: Does your organization have an enterprise level statement of Risk Appetite?

No, we do not have a statement of our firm’s risk appetite: 33.7%

We are currently developing or seeking approval for our risk appetite: 22.6%

We have an informally defined or not approved statement of risk appetite: 8.1%

Yes, our risk appetite is qualitatively defined and approved: 6.5%

Yes, our risk appetite is quantitatively defined and approved: 6.5%

Yes, our risk appetite is quantitatively and qualitatively defined and approved: 22.6%

Figure 17: On a scale of 1-5 where one is most and 5 is least, in what areas does ERM

provide most significant value?

 

Areas rated: Enhanced risk culture and a better balance of risk and rewards; Improved understanding of risk and controls; Improved perceptions by the regulators; Increased ability to escalate critical issues to senior management.

[4] Rated on a scale of 1-5 where 1 is most and 5 is least


Stress Testing

Since the global financial crisis, there has been

increased attention on managing systemic risk. Systemic

risk refers to the potential likelihood that risk events

affecting one institution could threaten the financial

system as a whole.

Stress testing is one tool that financial institutions can

employ to help prepare for potential systemic risks

by assessing the potential impact of extreme, but

rare, events. 59% of the organizations represented

by the respondents of the survey carry out stress testing. Half of the respondents indicated that they

carried out stress testing on a quarterly basis, 32% of

the respondents do it on a monthly basis while 14%

have an annual stress test exercise. Most respondents

however added the caveat that the frequency is

amended if the underlying key parameters in the stress

tests change.

There are however 41% of the respondents who

do not undertake stress testing. While these could

be in the insurance sector where stress testing is not

a mandatory requirement, there is scope for carrying

out the stress testing to ensure the organization is

prepared for unexpected events or rapid changes in

underlying business assumptions (see Figure 19).

Given the speed and volatility of financial markets,

financial institutions may benefit from conducting stress

tests more often than quarterly or annually, to enable

the more timely identification of risks, unexpected

events and rapid changes in underlying assumptions.

Figure 19: Does your organization perform stress tests?

Yes: 59.3%

No: 40.7%


Implementation of industry standards

Basel II [5] and Solvency II [6] are critical industry standards

for the banking and insurance industry respectively.

While both are not mandatory standards to be

adopted within East Africa, we sought to find out

the level of preparedness or adoption state of players

in the sector. 25% of the organizations are already

implementing the standards in phases while 3% have

fully implemented them. 59% indicated that they are

moderately prepared while 12% are not prepared at all.

Those that have implemented the standards are possibly

subsidiaries of organizations that have mandatory compliance requirements from their parent company

jurisdiction (see Figure 20).

36% of the respondents identified lack of sufficient

data to meet the industry standards requirements

as the most significant obstacle to their implementation

if compliance to these standards were to be made

mandatory in East Africa. 26% felt that lack of suitably

qualified personnel in the market would hinder their

implementation while 22% identified lack of budget

resources. Other challenges to their implementation

included: lack of affordable technology systems in

the market, customizing the framework to the local

settings in terms of capital adequacy requirements and

possible inconsistent application of the rules across

the industry players (see Figure 21).

Figure 20: In your view, how prepared is your organization to adopt and implement

international industry standards such as Basel II, Solvency II etc. if the regulator

were to enforce mandatory compliance?

We are implementing the standards in phases: 25.4%

Moderately prepared: 59.3%

We have fully implemented the standards: 3.4%

Not prepared: 11.9%

Figure 21: In your view, what are the key challenges that may face your organization or your

industry if compliance to the above industry standards were to be made compulsory?

Lack of suitably qualified, skilled or experienced personnel in the market: 25.9%

Lack of sufficient data to meet the industry standards requirements: 36.2%

Lack of affordable technology systems in the market: 15.5%

Insufficient budget to be able to implement the industry standards: 22.4%

[5] Basel II was designed to improve the risk sensitivity of an institution’s regulatory capital measures and requires improved measurement of credit, market and operational risks. Basel III is designed to provide the financial system with higher levels of tangible capital, more liquidity and greater transparency. www.bis.org

[6] Solvency II is a revised capital adequacy regime developed by European Union regulators that will determine minimum and solvency capital levels for insurers. It employs a three-pillar approach applied across individual risk categories of market, credit, liquidity, operational and insurance risk and is designed to reflect risks more accurately than current standards. The Solvency II directive is planned for implementation on October 31, 2012, though there is discussion to delay implementation until January 1, 2013. (Delivering Solvency II, Financial Services Authority, June 2010)


Addressing the Full Range of Risks

Figure 22: On a scale of 1 to 5 with 1 being the highest, how effective is your

organization in overall risk management?


Figure 23: How effective do you think your organization is in managing each of the following types of risks?

Risk types shown: Budgeting/financial; Business Continuity; Credit; Fraud; Data integrity; Human Capital; IT Security; Legal; Liquidity; Market; Privacy; Regulatory/compliance; Reputation; Strategic; Systemic; Tax; Vendor/service provider.

Legend: Very Effective; Somehow Effective; Effective; Not Effective.

A critical challenge facing risk management is achieving a comprehensive view of all the varied risks a financial institution faces, yet many institutions have much more to achieve in this regard. While some institutions seem to take a broad view of managing the full range of risks, others appear to be still focussed on the traditional areas of market, credit and liquidity risks.

Overall, most executives rated the effectiveness of their

ERM programs as either 2 or 3 on a scale where 1 is

highest. While most organizations lie at the mid-point

indicating the need for more focus and action, 5%

rated their ERM programs as highly effective (score

of 1). ERM implementation is still a work-in-progress

for most organizations. This mirrors the continuous

evolution of ERM within organizations and the reality

that every organization is at various stages of

implementation (Figure 22).

In terms of specific risk types, most organizations felt that their ERM programs were most effective in

managing liquidity and financial/budgeting risk. This

is probably explained by the fact that financial risk

management is the path of least resistance during

the initial stages of an ERM program implementation.

In addition, the quantitative nature of financial and

liquidity risks lends them to easy management. Liquidity

risk management has gained prominence given

the huge increase in interest rates which also impacts

access to short term working capital and ability to fund

operations using overdrafts.

Credit, tax and regulatory risks were also identified as

areas where ERM is growing in effectiveness, possibly

due to the already existent regulatory oversight.

Business continuity, IT security, legal, human capital

and data integrity risks were highlighted as areas where

the ERM program has not been effective (Figure 23).


Liquidity risk management

An increase in the cost of credit has put the spotlight

on liquidity risk management. In response, most

organizations have strengthened liquidity risk

management function (70% of respondents) or

amended their liquidity management policies (65%

of respondents). Other responses include: diversified

funding sources (56%); maintain liquid asset portfolios

(53%); revised contingency funding strategy (54%); and

revision of contingent funding strategy (54%).

Maybe due to the level of maturity, availability and cost, the least favored approach was to decrease use

of collateralized funding, such as repo and securities

lending.

The banking industry in the region has witnessed

a rush to build large liquidity buffers through shifting

from shorter term wholesale sources of funding to

longer term and more stable funding sources such

as from deposit taking. Institutions are recognizing

that the scenarios and assumptions used for liquidity

also need to be as rigorous as those used for capital

planning, with some establishing consistent economic

scenarios across capital and liquidity (see Figure 24).

Figure 24: Which of the following steps has your organization taken in response to the liquidity environment over the last two years?

Steps shown: Strengthened liquidity risk management function; Enhanced liquidity stress testing; Maintained liquid stress testing; Maintained liquid asset portfolios; Improved policy; Added coordination between treasury and risk management; Revised contingency funding strategy; Diversified funding sources; Increased coordination between liquidity and capital planning; Improved analysis of contingent and off balance sheet positions; Improved treasury and Anti-Money Laundering (AML) systems; Revised analytics methodologies; Increased data requirements; Increased committed lines of credit; Decreased position limits; Integrated treasury function with risk management function; Changed funds transfer pricing methodology; Decreased use of collateralized funding, such as repo and securities lending.


Operational risk management

Operational risk - risk arising from internal or failed

internal processes, human behaviour (including fraud)

and systems or from external events - has always been

on the radar screens of financial institutions as this

affects their core business. Across all options, most

respondents indicated they had substantially and

not fully implemented operational risk management

measures to manage these risks. Identification of risk

types and development of risk mitigation measures

were rated as areas where the operational risk

management was fully implemented.

Creating metrics for monitoring each type of

operational risk and developing methodologies

to quantify risks were identified as areas where

the operational risk measures had not been

implemented.

Given the recent cases of fraud perpetrated mostly

through the IT systems or collusion by staff, there

is scope for ensuring that robust operational risk

identification, assessment, management and mitigation

are implemented (Figure 25).

Capability of the operational risk management

technology platforms was rated as ‘somewhat capable’

by a majority of the respondents. Scenario analysis

and operational risk capital calculations were identified

as key challenges in these technology solutions.

While most of the systems are quite good in data

gathering, it is the data analysis and reporting that will

prove the key value-add from these systems (Figure 26).

Figure 25: To what extent has your organization implemented the following aspects

of operational risk management?

Aspects shown: Creating metrics for monitoring each type of operational risk; Developing methodologies to quantify risks; Developing operational risk mitigation strategies including insurance; Gathering relevant data; Identifying risk types; Rolling out a formal operational risk training program; Standardizing documentation of the process and controls.

Legend: Fully implemented; Not Implemented; Substantially implemented.

Figure 26: How capable are your organization’s operational risk management

technology platforms in the following areas?

Areas shown: Causal event analysis; Data gathering; Operational risk capital calculations; Reporting; Risk assessments; Scenario analysis.

Legend: Extremely/very capable; Not capable / Not sure; Somewhat capable.


Regulatory reform

Across the East African region, there has been increased

regulatory reform with regulators keen on playing

an active rather than a passive role in the affairs of

the industry. Risk-based supervision has gained currency

coupled with more demanding regulatory requirements.

While this has led to greater stability in the financial

services sector with muted cases of failures or statutory

management, this has increased the need to ensure

greater compliance levels.

Organizations indicated that regulatory reform has resulted in an increase in the cost of compliance and

the need to hold higher capital levels. Both of these

were rated at similar levels indicating the significance of

regulatory reform. Costs of compliance include systems,

processes and human resources to monitor and ensure

compliance. Higher capital levels on the other hand

explain the rights issues, recapitalization and mergers

that have occurred within the industry. The increase

in minimum capital levels for insurance companies in

Kenya and Uganda could also be a contributing factor

to this rating.

Maintaining higher liquidity was also identified

as a consequence of the regulatory reform and may be

explained by the tightening of the inter-bank lending

rates.

16% of the respondents however point out that

regulatory reform has not had any impact on their

business, which could point to institutions that

are subsidiaries of parents with tighter regulatory

requirements.

East Africa financial sector regulations have however

not undergone the radical change experienced in

the US and in Europe. This is probably as a consequence

of the fact that our economies were largely shielded

from the credit crisis with no direct impact per

se. However, we believe the regulators are keenly

observing the market conditions and slowly introducing

regulations based on learnings from the developed

market (Figure 27).

As a consequence of the recent credit crisis in the global

arena and volatility in the local markets, 52% indicated

that they now communicate the organization’s issues

to the regulator in a timely manner so as to arrive at

consensus rather than adopting a reactionary posture.

20% are now proactively engaging regulators so as to

identify regulator concerns early enough to inform

quick resolution (Figure 28).

Figure 27: Which of the following impacts on your business have resulted from regulatory

reform in the major jurisdictions where you operate?

Noticing an increased cost of compliance

Maintaining higher liquidity

Maintaining higher capital

Adjusting certain product lines

No significant impacts

15.5%

6.9%

22.4%

27.6%

27.6%

Figure 28: In light of the recent credit crisis, in which of the following ways have you

changed the way you address/manage regulatory concerns?

Meet with regulators on a more frequent basis

Enhance the organization’s infrastructure to support heightened security

Communicate the organization’s issues in a more timely manner

27.6%

20.7%

51.7%

Undoubtedly, gallant efforts have been made by many key players in the Financial Services Industry to mitigate the impact of fraud on their operations and safeguard stakeholder value. These efforts notwithstanding, both the magnitude and pervasiveness of fraud in the industry have progressively increased. This can be attributed to a mismatch between the level of sophistication of the fraud, and the tools and techniques being deployed by the industry players to contain the fraud. In view of this, it is imperative for all players in the industry to invest in the right systems, processes and people, underpinned by robust technology, in order to mitigate the impact of fraud and ultimately safeguard stakeholder value.

Robert Nyamu, Director, Forensic and Litigation Support Services


Risk Management Systems and Technology Infrastructure

Figure 29: Please select the risk management system in use in your organization:

Legacy-wide risk management system

Business continuity management system

Credit risk management system

IT security incident and event management (SIEM) system

17.4%

8.7%

73.9%

Figure 30: Please rate the following (from Major Concern to No Concern)

in accordance with your concerns over the technology systems

[Figure 30: bar chart, vertical axis 0% to 60%. Categories rated: High cost of maintenance and vendor fees; Lack of integration among systems; Lack of flexibility to extend the current systems; Lack of performance for more frequent and timely reporting; Lack of sufficient data/data integrity issues; Out of date methodologies. Ratings shown: Major concern, Moderate concern, No concern.]

Information technology is a vital element of risk management capabilities and acts as a key enabler to its effectiveness. However, our survey shows that many institutions continue to struggle with many fundamental technology challenges. Only 40% of the organisations surveyed have a dedicated risk management technology solution.

Most of the respondents, however, clarified that

they have several sub-systems, at various levels of

sophistication that address specific risks. Legacy risk

management system (incorporating a spreadsheet

solution) was rated as the most prevalent in the industry

while credit management systems were identified

as the second most common solution. Credit

management solutions could be due to the need

to score and evaluate the credit rating of potential

customers prior to advancing loan facilities (Figure 29).

 

The reason for the low implementation of dedicated

risk management technology platforms could be due to the fact that most organizations still view risk from a silo

perspective hence the reason for disparate systems to

manage each specific risk. In addition, there are some

industry players who are still in the formative stages

of developing the risk frameworks and risk registers.

An example is the Kenya insurance industry where

the regulator only recently required the establishment of

dedicated risk management functions.

Possibly as a consequence of their perceived prohibitive

cost, 61% rated high cost of maintenance and vendor

fees as a major concern over the technology systems.

Integration, a long standing issue when it comes to

technology, was rated as the second most significant

concern by the industry. This result may reflect both

the complexity of the integration challenge along with

the important role integration plays in achieving a more

strategic view of risk. Other issues tied to this were lack

of sufficient risk data, data integrity issues (46%) and

inability to extend the current legacy systems (Figure 30).


Figure 31: Over the next 12 months, how much of a priority are improvements to the following areas of your risk technology capabilities?


7 “Risk Management Lessons from the Global Banking Crisis of 2008,” Senior Supervisors Group, October 21, 2009

In terms of priority, risk data quality and management

was identified by most respondents as being critical in

the next 12 months as organizations seek to improve

their risk technology capabilities. Capabilities to

calculate the regulatory capital requirements, ability to

manage and monitor operational risk and compliance

risks were also highlighted as vital priority areas over

the next 12 months (Figure 31).

The ability to quickly integrate risk information in

a consistent format across the organization will help

institutions gain a comprehensive picture of their overall

risk profile, as well as the risk associated with individual

counterparties. The global financial crisis highlighted

the importance, and the difficulties, of achieving

an integrated and seamless approach to risk data.

In their October 2009 report, the Senior Supervisors

Group cited the complexity of the financial industry’s

technology infrastructure as a key hindrance in

identifying and measuring risk within the financial

system [7].

The value to be gained from formal risk technology

infrastructure is clear: help to provide for the availability

of more consistent and reliable risk information, to help

enhance the capabilities of technology infrastructure

to support new functional requirements needed

by the business and to support effective regulatory

compliance, increased stress testing and enhanced risk

reporting capabilities.

Figure 31 ratings shown: High priority, Moderate priority, Not a priority

Figure 31 areas rated:

Compliance management systems

Collateral management system

Economic capital

Enterprise-wide risk data warehouse development

Integrated market and credit risk measurement system

Integration of risk and compliance systems

Liquidity risk management systems

Operational risk measurement system

Regulatory capital calculation and reporting

Risk information reporting

Risk data quality and management

Specialized credit risk systems

Specialized market risk systems


Risk is clearly assuming greater visibility and priority

in financial organizations. In response, organizations

are continuing to formalize risk management and to

move responsibility for risk management to the highest

levels of the organization. Boards of directors have

an important role to play in providing active oversight

of risk management, including the approval of their risk

management framework and risk appetite. The CRO

position can provide an important focal point, helping

risk management receive adequate attention from senior

management and to provide the board of directors with independent views on key risk issues.

ERM program implementation is still a work in progress

though those that have these programs in place are

already recording benefits and deriving value. Most

organizations have done a much better job of managing

traditional risks such as market, credit and liquidity

risks though emerging risk types such as operational,

reputational, strategic and IT security are gaining

currency.

Looking ahead, we expect financial institutions will

focus on a number of different areas and undertake various initiatives. Some organizations will begin or

advance their ERM program development efforts. Others

may include additional risk types within their ERM

program, particularly the less traditional and emerging

risks where the risk methodologies are not as developed

and the risks themselves less understood. Most will

seek to gain a comprehensive view of risks across

the organization and identify interdependencies.

To achieve such a comprehensive picture of the risks

they face, many organizations may need to consider

upgrading their risk management information systems

so they have consistent, quality risk data that can be

easily aggregated across products, geographies and

counterparties. Risk management talent will continue to

grow as more organizations invest in training and use

of in-house subject matter experts (e.g. an experienced

operations staff member who is moved to work within the ERM

function).

Regardless of the areas of focus within risk management

initiatives, it is clear that all financial services industry

players will be pressured to reduce costs. As a result,

they will look at both the efficiency and effectiveness

of their major risk management and ERM programs.

We encourage the organizations to address these

cost pressures by developing more integrated risk

and compliance programs, which will save money by

creating a more efficient solution and provide better

and more timely risk management information through

an integrated capability.

Progress within the industry has been real, yet the survey makes it clear that many organizations have much

more to accomplish to truly achieve a comprehensive

approach that actively identifies, assesses and manages

the full range of risks they face. The trend towards

a strategic approach to risk management is likely to

continue, and those that take a leading role in this

evolution will be in a position to use risk management

as a key competitive tool.

Conclusion: The Road Ahead

Our first edition of the Deloitte East Africa Enterprise Risk Management (ERM) Survey provides a comprehensive overview of the state of risk management in the financial services industry within the region. Just as important, it provides guideposts for understanding how risk management will continue to evolve in the coming years and where organizations can best focus their efforts.


Contacts

Nairobi

Julie Nyang’aya
Partner, Enterprise Risk Services
Tel: +254 (0) 20 423 02 34

Urvi Patel
Senior Manager, Enterprise Risk Services
Tel: +254 (0) 20 423 00 12

Michael Karanja
Manager, Enterprise Risk Services
Tel: +254 (0) 20 423 02 92

Joshua Ochola
Manager, Enterprise Risk Services
Tel: +254 (0) 20 423 07 35

Deloitte Place
Waiyaki Way Westlands
P.O. Box 40092
Nairobi – 00100 GPO
Kenya

Kampala

Fred Okwiri
Partner
Tel: +256 (0) 343 850

Adam Sengooba
Manager, Enterprise Risk Services
Tel: +256 (0) 417 701 154

3rd Floor Ruwenzori House
1 Lumumba Avenue
P.O. Box 10314
Kampala
Uganda

Dar es Salaam

David Nchimbi
Partner
Tel: +255 (0) 22 216 903

Janet Bolo
Manager, Enterprise Risk Services
Tel: +255 (0) 22 211 60 06

10th Floor, PPF Tower
Cnr of Ohio Street & Garden Avenue
Dar es Salaam
Tanzania


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its

network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about

for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple

industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class

