8/12/2019 Deloitte ERS Report 2012
http://slidepdf.com/reader/full/deloitte-ers-report-2012 1/28
Financial Services Industry
May 2012
Enterprise Risk Management Survey Report 2012
Where do you stand?
Table of Contents
Foreword
Executive summary
About the Survey
Key Findings
Detailed Findings
Achieving a Strategic View of Risk
Enterprise Risk Management – a work in progress
Addressing the Full Range of Risks
Risk Management Systems and Technology Infrastructure
Conclusion: The Road Ahead
Contacts
This publication contains general information only. The publication has been prepared on the basis of information and
forecasts in the public domain. None of the information on which the publication is based has been independently verified
by Deloitte and none of Deloitte Touche Tohmatsu Limited, any of its member firms or any of the foregoing’s affiliates
(collectively the “Deloitte Network”) take any responsibility for the content thereof. No entity in the Deloitte Network
nor any of their affiliates nor their respective members, directors, employees and agents accept any liability with respect
to the accuracy or completeness, or in relation to the use by any recipient, of the information, projections or opinions
contained in the publication and no entity in Deloitte Network shall be responsible for any loss whatsoever sustained by
any person who relies thereon.
Foreword
Welcome to the first edition of the Deloitte
East Africa Enterprise Risk Management Survey.
This is the first survey of its kind as it seeks to
provide a baseline assessment of the state of risk
management within the financial services sector in
the region.
Enterprise Risk Management (ERM) has become a hot
button issue in virtually all sectors of the economy across
East Africa. In particular, within the financial services
sector, risk management has grown in prominence
largely as a result of regulatory push but also as a means
of protecting current assets while actively seeking
competitive advantage.
Financial services industry (FSI) players within the region
increasingly have to contend with emerging threats and
competition, rapid shifts in the business environment
coupled with heightened regulatory demands.
However, there are also new exciting opportunities such
as regionalization through better integration across
the East African Community trading bloc, improved
technologies and enlightened customers with better
spending power. In light of these developments,
organizations have put in place risk management
structures and processes to manage the risks presented
by both the opportunities and challenges
in the marketplace.
So as to gain insights and provide a baseline assessment
of the state of risk management within the financial
services industry, Deloitte East Africa undertook this
survey and collated results from more than 60 risk
management professionals across Kenya, Uganda and
Tanzania.
We sincerely thank all those who participated in this
survey through sharing with us their experiences and
insights.
On behalf of my colleagues at Deloitte, I invite you
to read the report and hope it inspires new thinking,
provides new insights and allows you to benchmark
with your own risk management processes while
facilitating enhancement of your ERM program.
We welcome your feedback and comments. If you
would like to further discuss any of the issues in more
detail, please speak to your usual Deloitte representative
or one of the contacts listed at the end of this survey
report.
Sincerely,
Julie Nyang’aya
Enterprise Risk Services Partner
& Financial Services Industry Leader
Deloitte East Africa
Executive summary
In an ever more complex and volatile business
environment, risk management has continued to grow
in importance in the financial services industry. Roughly
75% of organizations treat it as a board-level oversight
responsibility and more than 50% of the respondents
had their risk governance models at various stages of
implementation.
Although progress has been real, considerable work
still remains to be done. Most organizations are in
the process of creating effective systems and processes
to measure and manage less traditional risk¹ types such
as strategic, operational, reputational and Information
Technology (IT) risk. Those that have implemented ERM
programs are already recording gains; however many
concede it is difficult to quantify this value.
These are some of the important findings in the first
edition of the Deloitte East African Enterprise Risk
Management Survey. The survey gathered responses
from over 60 risk management professionals across
Kenya, Uganda and Tanzania. The survey looked at
issues such as risk governance, management of key
risks, the scope and coverage of ERM programs,
challenges encountered and risk management
technology solutions.
It is clear that financial institutions face an increasing
range of risks. Organizations have to keep pace with
ongoing regulatory change and scrutiny while meeting
demands for stronger governance and enhanced
transparency.
The survey showed an industry that is alert to this range
of risks, but identified a number of important areas
where additional investment and management attention
is needed. It also highlighted some of the basic
approaches organizations are taking, areas where they
have improved risk management capabilities, and areas
where they are still struggling to get a good handle on
risk issues and processes.
Effective risk management is fundamental to success in
the financial services industry, and a basic expectation of
shareholders, regulators and customers. In a challenging
and changing risk environment, however, the bar
on what constitutes effective risk management is
constantly being raised. As this survey shows, most
organizations have an unfinished agenda when it comes
to the development of sophisticated risk management
capabilities, enabling an integrated, enterprise-wide
approach to managing the varied and dynamic risks
they face. Financial institutions that can understand
risk holistically, managing the full range of risks they
confront, can strategically use risk taking as a means to
strengthen their competitive position and create value.
1 Risk as used in this report is defined as “the potential for loss or harm – or the diminished opportunity for gain
– caused by factors that can adversely affect the achievement of an organization’s objectives.”
About the Survey
The Deloitte East Africa Risk Management Survey 2012
is our first baseline assessment of the state of Enterprise
Risk Management (ERM) in the financial services industry
(FSI). The survey was aimed at helping organizations
benchmark their enterprise risk management programs,
processes, structures and systems with those of their
peers within East Africa.
The survey was conducted in March 2012 through
an online questionnaire. We solicited the participation of
Chief Risk Officers (CRO’s) or their equivalents in various
companies and institutions in the Financial Services
Industry across Kenya, Uganda and Tanzania.
Financial Services Industry is defined as companies and
institutions operating within the banking, securities,
insurance, investment management and real estate
sectors.
Respondents who participated in the survey were
primarily drawn from the banking, insurance (both long
term and short term), asset management and fund
administrators (see Figure 1). Most of the respondents
had a turnover of more than US $ 500 million (See
Figure 2) while approximately 25% were listed on one or
more of the stock exchanges in East Africa.
Figure 1: How best would you describe the areas/industries your company is involved in?
[Bar chart, vertical axis 0% to 80%. Categories: Banking; Asset Management; Fund Administration; Long term insurance; Re-insurance; Real Estate company; Short term insurance; Collective investment schemes; Mutual fund; Retirement fund administration.]
Figure 2: Which of the following best describes the size of your
organization in terms of revenue / turnover?
Less than KES 100M/ UGX 3.5M/ TZS 5M
Over KES 100M/ UGX 3.5M/ TZS 5M
Over KES 500M/ UGX 18M/ TZS 25M
Over KES 1 billion/ UGX 36M/ TZS 50M
Over KES 50 billion/ UGX 1.786B/ TZS 2.5B
5.4%
6.8%
8.1%
35.1%
44.6%
Key Findings
Risk governance
Risk governance can be defined as the approach for
directing the management and control of risk, which
may be overseen by the board of directors as a whole
or through a board risk committee. The role of clear and
active risk governance has gained currency in the recent
past as a result of corporate governance breaches, fraud
and related malfeasance coupled with increasing focus
by regulators who are now insisting on proper oversight
by the board.
Key findings
• Half of the respondents had their risk governance
models at various stages of implementation with
only 29% having their models already implemented.
• In 80% of the organizations, the board of directors
receives and reviews regular reports on the risk
management program and approves the ERM policy
and framework.
• Approximately half of the respondents indicated
that the board is involved in approving the risk
appetite statement. This could be due to the fact
that approximately a third of the respondents (34%)
indicated that they have not yet defined a statement
of the company’s risk appetite.
• 82% of the respondents indicated having a Chief
Risk Officer (CRO) or equivalent with only 6
respondents indicating that they do not have this
executive in place.
• Aligning compensation and incentive plans with
appropriate risk taking is undertaken in 81% of
the organizations surveyed.
Our Point of View
• The Board should continue taking ownership and
driving the risk agenda across the business. While
senior management with support from the CRO
are involved in managing risks, the oversight by
the board cannot be delegated.
• Risk management should be infused throughout
the organization; not only at enterprise and business
unit level; but also in strategic and operational
decisions.
• The risk appetite sets the limits and delineates
acceptable versus unacceptable risks. This should
continue being formulated and constantly monitored
for compliance.
• Distinction between risk management and internal
audit should be emphasized within the organization
to ensure clarity of roles, responsibilities and
accountabilities.
• Consolidate the various risk functions (e.g. IT risk,
Credit Risk, Operational Risk) to facilitate better
oversight and reporting.
Enterprise Risk Management
ERM aims to bring a holistic organization-wide and
standardized risk management process to financial
institutions and provide them with an integrated view of
risks they face. By adopting a comprehensive approach
to risk identification and assessment, ERM can help identify
many dependencies or inter-relationships among
risks that might otherwise go unnoticed. In addition, it is
easy to gain new insights and provide transparency into
the overall impact of risk on the institution.
Key Findings
• Implementation of ERM is fairly limited with only
31% of the organizations surveyed indicating
that they have a fully implemented ERM program.
However 38% of respondents indicated that they are
in the process of implementing one.
• Among survey respondents, ERM programs almost
always covered the major traditional risk categories
of credit risk (92%), liquidity risk (90%), regulatory/
compliance (90%), and market risk (85%).
• New risk categories such as operational risks (95%),
strategic (80%), reputation (83%) and IT security
(75%) have also emerged as critical focus areas.
• ERM is integrated and linked to the Internal Audit
Plan in 59% of the organizations. A further 25%
indicated that this is not formalized as yet.
• Only 23% have their risk appetite both quantitatively
and qualitatively defined. A similar number are in
the process of seeking approval for their risk appetite
statement while 34% do not have the risk appetite
statement.
• Those organizations that have implemented ERM
are already recording gains. This is evidenced by
the fact that 85% of the respondents felt that
the value of their ERM program was greater than its
cost; however many conceded that it was difficult to
quantify this value. 14% indicate that they are yet to
reap the benefits of ERM.
• The top rated challenges during ERM implementation
were integrating risk data across the organization
(70%) and having the appropriate risk management
skills (64%).
Our Point of View
• Defining and implementing an ERM program is
imperative; this may include defining an ERM policy,
setting up relevant functions and putting in place
measures to monitor and report on key risks while
driving a risk culture in the organization.
• Internal audit plans should be aligned to the results
of the risk assessment arising from the ERM
program. The Internal Audit department should
provide assurance on the effectiveness of the ERM
framework and program implementation.
• Define and monitor compliance to the organization’s
risk appetite statement.
• Identify innovative ways to derive value from
the ERM program while minimizing cost of
implementation. This may call for integrating
various risk efforts while seeking a coordinated
implementation approach across the organization.
• Focus on new emerging risk types such
as reputation, operational risks and IT security while
not losing focus on the traditional risks such as credit
and market risks.
• Define an ERM framework and program which
enables effective reporting and consolidation of data.
• Hold regular training for the board and senior
management on ERM concepts and implementation
so as to build internal capacity. In addition,
undertake a continuous culture change program to
embed a risk-aware culture across the organization.
Management of Key Risks
A critical challenge facing risk management is achieving
a comprehensive view of all the varied risks a financial
institution faces. Many institutions have much more to
achieve in this regard.
Key Findings
• Most executives rated the effectiveness of their
ERM programs as either 2 or 3 on a scale where 1 is
highest. This implies most program implementations
are still a work in progress.
• In terms of specific risk types, most organizations
felt that their ERM programs were most effective in
managing liquidity and financial/budgeting risk.
• Credit risks, tax and regulatory were identified as areas
where ERM is growing in effectiveness, possibly due
to the already existing regulatory oversight.
• Operational risk areas of business continuity,
IT security, legal, human capital and data integrity
risks were highlighted as areas where the ERM
programs have not been effective.
• Most organizations have strengthened their liquidity
risk management function (70% of respondents) or
amended their liquidity management policies (65%
of respondents).
• Capability of the operational risk management
technology platforms was rated as ‘somewhat
capable’ by a majority of the respondents. Scenario
analysis and operational risk capital calculations
were identified as key challenges in these technology
solutions.
• 28% of the respondents indicated that regulatory
reform has resulted in an increase in the cost of
compliance and the need to hold higher capital
levels.
Our Point of View
• ERM program implementation efforts should
be accelerated with appropriate support from
the business.
• ERM programs should focus and expend efforts in
managing new and emerging threats to today’s
business such as IT security, fraud and talent.
• Continuous interfacing with the regulators and
timely communication of compliance challenges
should be embraced to ensure a mutually beneficial
relationship.
Risk Management Systems and Infrastructure
Information technology is a vital element of risk
management capabilities and acts as a key enabler to
the effectiveness of the ERM program.
Key Findings
• Only 60% of the organizations surveyed have
a dedicated risk management technology solution.
Most of the respondents, however, clarified that
they have several sub-systems, at various levels of
sophistication, that address specific risks.
• Legacy risk management system (incorporating
a spreadsheet solution) was rated as the most
prevalent in the industry while credit management
systems were identified as the second most common
solution. Credit management solutions could be due
to the need to score and evaluate the credit rating of
potential customers prior to advancing loan facilities.
• Possibly as a consequence of their perceived
prohibitive cost, 61% rated high cost of
maintenance and vendor fees as a major concern
over the technology systems. Integration, a long
standing issue when it comes to technology, was
rated as the second most significant concern by
the industry. Other issues tied to this were lack of
sufficient risk data, data integrity issues (46%) and
inability to extend the current legacy systems.
• In terms of priority, risk data quality and
management were identified by most
respondents as being critical in the next 12
months as organizations seek to improve their
risk technology capabilities. Capabilities to
calculate the regulatory capital requirements,
ability to manage and monitor operational risk
and compliance risks were also highlighted as vital
priority areas over the next 12 months.
Our Point of View
• To derive value and facilitate integration
of risk information across different units of
the organization, consider implementing a robust
dedicated risk technology solution.
• The risk technology solution is only an enabler;
the key determinant on its efficacy will be the quality
of the risk registers and framework in use within
the organization.
Detailed Findings
Achieving a Strategic View of Risk
Risk governance can be defined as the approach for directing the management and control of risk, which may be overseen by the board of directors as a whole or through a board risk committee.
With the increasing variety of risks, and the potentially huge negative impact they can have in terms of both financial and reputational loss, risk management has become an even higher priority for financial institutions. This first FSI ERM survey found that the board wholly owns and is kept informed of risk issues.
The role of clear and active risk governance has
gained currency in the recent past. Recent corporate
governance breaches, fraud and related malfeasance
have shone the spotlight on the level and oversight role
played by the board.
Regulators are now focusing more closely on the role of
the board of directors in setting a financial institution’s
risk policy and risk appetite and in monitoring that
these are implemented effectively by management.
In fact the need for active board oversight over risk
management has been emphasized in the guidelines
issued by the banking and insurance regulators in Kenya,
Uganda and Tanzania.
Strengthening risk governance
The survey found that many financial institutions have
taken a variety of actions in response to the increased
focus on risk governance (see Figure 3).
The most common action, taken by roughly 75% of
the organizations, was to improve the process for
reporting of risk information to their boards of directors
and to their management risk committees. In addition,
formation of risk management committees, both at
management and board level, has been undertaken
by approximately two thirds of the respondents.
Establishment of the Chief Risk Officer (CRO) position
and development of a risk dashboard report were also
prominent activities undertaken.
Figure 3: Which of the following actions has your organization taken in response to recent concerns regarding risk governance?
Improved board risk reporting information
Formed risk management and board level committees
Increased management risk committee reporting information
Enhanced risk limits
Updated the risk appetite statement
Reviewed management risk committee structure
Developed risk dashboard report
Held more frequent management risk committee meetings
Updated management risk committee charters
Established Chief Risk Officer (CRO) position
Expanded Chief Risk Officer (CRO) responsibilities
Reviewed board risk committee structure
Materially reformed our risk culture to improve the effectiveness of risk oversight
Established a risk committee of the board of directors
Updated board risk charter
Added management risk committee members with risk experience
Added board members with risk experience
Established management executive sessions with CRO
Established board executive sessions with CRO
Held more frequent board of directors’ meetings
An interesting finding was that approximately a third
of the respondents had materially reformed the risk
culture to improve the effectiveness of risk oversight.
This could have been through undertaking training
and related activities aimed at building awareness of
the importance of ERM, roles and responsibilities and
the value to be derived from ERM.
These results point to appropriate focus on risk
governance since relevant, on-time information on
risk and opportunities is vital for management and
board decision making. Such information also provides
visibility on initiatives being undertaken and any
exposure or opportunities available in the market.
Risk governance model
Organizations surveyed had strengthened or adopted
risk governance models under the impetus of the
expectations of their regulators or as part of their
strategy.
However, half of the respondents had their risk
governance models at various stages of implementation
with only 29% having their models already
implemented (see Figure 4). The risk governance model
is a key risk program element that is typically defined
in the risk management policy and ERM framework.
The risk governance model² should:
• Establish risk governance and oversight;
• Define the institution’s risk management roles and
responsibilities, including the role of business units;
and
• Specify the process for ongoing monitoring of risk
management.
Figure 4: Does your organization have a defined risk governance model and
approach which delineates functional responsibilities of risk management
[Pie chart. Legend: Yes, fully implemented; Yes, being implemented; No, but under consideration; No. Values shown: 29.1%, 17.7%, 3.2%, 50.0%.]
Figure 5: Which of the following describe the roles in risk management of the board
of directors in your organization?
[Bar chart, horizontal axis 0% to 100%. Roles shown:]
• Receipt and review of regular risk management reports
• Review and approval of overall risk management policy and/or Enterprise Risk Management (ERM) framework
• Approval of the risk appetite statement
• Approval of individual risk management policies, e.g. for market, credit, liquidity, or operational risk
• Approval of risk management framework adopted by management
• Executive sessions with Chief Risk Officer (CRO)
• Approval of the charters of management risk committees
• Review of the compensation plan to consider its impact on risk factors
2 Getting Bank Governance Right, Deloitte Center for Banking Solutions, August 2009, Deloitte Development LLC.
Risk management today is a governance function: the board and the audit committee are more focused than they ever were on enterprise risk. It is more and more common for the risk function to report directly to the board. The expectations around the level and thoroughness of key risk management documentation have greatly increased.
Chief Risk Officer, diversified financial services company
Role of the board of directors
Survey findings showed that for more than 80% of
the organizations, the board of directors receives
and reviews regular reports on the risk management
program and approves the ERM policy and framework
(see Figure 5).
This is in line with the regulatory requirements
and good corporate governance expectations.
The prudential guidelines issued by banking regulators
and circulars issued by insurance regulators across
the region emphasize the need for active board
oversight over the risk management process within
the organization.
Approximately 50% of the respondents indicated
that the board is involved in approving the risk
appetite statement. This could be due to the fact that
approximately a third of the respondents (33.9%)
indicated that they have not yet defined a statement of
the company’s risk appetite.
With regard to the information reported to the board,
there was consensus on a Quarterly Risk Report which
contained the various components of the ERM program
as a key deliverable. A majority of the respondents
indicated that risk concentration (85.2%) and
operational failures (78.7%) were critical reporting items
to the board. Risks facing new products or business and
new emerging risks were also vital information reported
to the board (see Figure 6).
On the question of who within the organization receives
risk reporting, the board topped the list at 90.2%
indicating visibility of the risk agenda by the board.
Management risk committees, CEOs and CFOs were
also recipients of the risk reports (Figure 7).
Across the survey sample, it is evident that risk
management oversight is most often a board-level
responsibility; current regulatory guidance and best
practice reinforces this practice.
Figure 6: Which of the following type of risk information does your organization currently
report to the board of directors?
[Bar chart, vertical axis 0% to 100%. Categories: Risk concentration; Operational failures; Stress testing; New and emerging risks; Utilization vs. limits; New product and business; Risk exceptions reporting; Code of the ethics violations; Systemic risk; Shareholder/customer complaints; None.]
Figure 7: Which of the following individuals or groups receive risk reporting at
the enterprise level?
[Bar chart, vertical axis 0% to 100%. Categories: Board of Directors and/or designated Board Risk Committee; Management Risk Committee; CEO and/or CFO and/or CCO and/or CIO (Chief investment Officer) and/or Treasurer; CRO; Business Unit Heads (executive level).]
Increasing role of the CRO
The presence of a Chief Risk Officer (CRO) who
is a member of the senior management team
may help risk management efforts and initiatives
receive appropriate high-level attention. 82% of
the respondents indicated having a CRO or equivalent
with only 6 respondents indicating that they do not
have this in place (Figure 8). While the name may vary
across organizations (e.g. Head of Risk, Manager-Risk),
the core functions performed seem to be very
clearly articulated with defined risk management
responsibilities. Out of those without a specific CRO
function, risk management responsibilities are carried
out by the Head of Internal Audit, Head of Operations
or the CFO (Figure 9).
Some of the respondents indicated that they were at
an advanced stage of engaging a CRO or were looking
to recruit a Risk and Compliance Officer.
Not only is the CRO position more prevalent, generally
he or she is also increasingly reporting to higher levels
within the organization and playing a more strategic
role. 53% of the organizations have the CRO reporting
functionally to the board or a board level committee
while 43% report to the CEO. 3% report to the CFO.
The CRO and the enterprise risk management group
have more responsibilities and a higher profile. More
than 80% of respondents said these responsibilities
included developing and implementing the risk
management framework, developing risk reporting
mechanisms, chairing or participating in management
risk committees and escalating risk issues to the CEO or
the board (Figure 10).
Probably due to the fact that the value of the risk
appetite has not grown in prominence, only 53%
are involved in calculating the firm’s appetite for
risk. In addition, since Basel II and Solvency II are not
mandatory requirements within this region, only 21%
are involved in calculating and reporting of economic
and regulatory capital.
Figure 8: Does your organization have a Chief Risk Officer (CRO) or equivalent?
Yes
No
17.6%
82.4%
Figure 9: If your organization does not have a Chief Risk Officer (CRO), who manages or is
responsible for coordinating Risk Management within the organization?
Head of Internal Audit
Head of Operations
Head of Credit (0%)
Head of Finance/CFO
IT Manager (0%)
46.2%
15.4%
38.5%
Figure 10: What are the responsibilities of the Chief Risk Officer (CRO)?
[Bar chart, horizontal axis 0% to 100%. Responsibilities shown:]
• Developing and maintaining risk management framework
• Developing risk reporting mechanisms
• Chairing or participating in management risk committees
• Escalating issues to the CEO or board of directors
• Developing and documenting the institution’s risk appetite statement
• Calculating and reporting of economic and regulatory capital
Infusing risk management throughout
the organization
New business initiatives
New product launches, mostly riding on
mobile-commerce, coupled with greenfield or
acquisition-related regional expansion, have characterized
the financial services industry in the recent past. These
events have an important bearing on risk management,
with regulators and media analysts increasing their focus
in this area. 87% of the respondents indicated that risk
considerations are incorporated during these strategic
decisions and new product launches.
In their business and product approval process,
almost all institutions reported considering more
than traditional major risk types - operational (95%),
regulatory (89%) and market (81%) (see Figure 11).
Also considered with increasing importance were
strategic, liquidity, foreign exchange volatility and
country risk. While these were not rated, they were
highlighted as part of the ‘Other’ category to indicate
their relative importance during decision making. In
particular, liquidity and foreign exchange volatility are
critical as most of the companies operate as regional
entities with their head offices being in one of the East
African countries, South Africa or Nigeria and therefore
have to consider the impact of any foreign exchange
translation whether for revenue, tax or intercompany
transactions settlement and reporting.
Aligning risks and performance measures
The incorporation of risk management responsibility
into performance goals has become a key leading
practice. The objective is that employees, especially
those with the authority to take decisions that entail
significant risk, have incentives to consider the risk
associated with those decisions. The survey identified
that 81% have incorporated risk management
considerations into performance goals across
the organization. An almost similar number indicated
that risk management is incorporated in both senior
management and business unit personnel performance
measures (see Figure 12).
The importance of aligning compensation and
incentive plans with appropriate risk taking has received
increasing attention particularly in the US and Europe
arising from the global financial crisis. In September
2009, the Financial Stability Board issued a report on
the standards for sound compensation practices that
identified the importance of having independent and effective board oversight of compensation policies
and practices [3]. This is particularly critical in the face
of the corporate governance breaches reported in
the recent past and related management failures.
Figure 11: Which of the following type of risk information does your organization
currently report to the board of directors? (Select all that apply)
[Bar chart, scale 0% to 100%. Risk types shown: Operational, Regulatory, Credit, Legal, Reputational, Market.]
Figure 12: Has the organization incorporated risk management considerations into
performance goals across the organization?
[Pie chart. Yes: 80.6%; No: 19.4%.]
[3] FSB Principles for Sound Compensation Practices, Financial Stability Board, September 25, 2009
Figure 13: Does your organization have an Enterprise Risk Management (ERM)
program or equivalent?
[Pie chart. Yes, program in place: 30.6%; Yes, currently implementing one: 38.8%; No, we don’t have an enterprise-wide program. It focusses on a limited aspect e.g. Operations, IT and Credit Risk: 27.4%; No we don’t have one / I don’t know: 3.2%.]
Enterprise Risk Management – a work in progress
An enterprise risk management (ERM) program is meant to set the overall framework and methodology for how a company manages risks. ERM provides an institution with the tools to clarify its risk appetite and the risk profile, and to evaluate risks across the organization. By adopting a comprehensive approach to risk identification and assessment, ERM can help identify many dependencies or inter-relationships among risks that might otherwise go unnoticed.
Understanding of the root causes of risk factors and their correlation can be accelerated by an effective ERM program. Looking at risk from an integrated perspective can bring new insights and provide transparency into the overall impact of risk on the institution.
Enterprise risk management continues to command a great deal of attention in the financial services industry. The appeal is clear: ERM aims to bring a holistic organization-wide and standardized risk management process to financial institutions and provide them with an integrated view of risks they face. The goal is to have a consistent reporting of information across the enterprise, perhaps through a risk dashboard that provides relevant information for individuals in varying roles throughout the organization based on standardised information.
Despite its appeal, however, implementation of ERM
is fairly limited with only 31% of the organizations
surveyed indicating that they have a fully implemented
ERM program. However 39% indicate that they are
in the process of implementing one. Another 27%
do not have an enterprise-wide program but rather one
focused on limited aspects such as credit, operations and IT (Figure 13).
ERM Program coverage
Among survey respondents, ERM programs almost
always covered the major traditional risk categories
of credit risk (92%), liquidity risk (90%) regulatory/
compliance risk (90%), and market risk (85%) (see
Figure 14).
New risk categories such as operational (95%),
strategic (80%), reputation (83%) and IT security (75%)
have also emerged as critical focus areas.
Strategic and reputation risks have become critical given the current competitive landscape due to new, more
established entrants from more advanced markets,
effects of mergers and acquisitions and greater scrutiny
by the media (including social media).
Regulatory and compliance risks have also grown in
prominence due to the increasing focus that insurance,
banking and capital market regulators are placing on them
as a consequence of adopting the risk-based
supervision model.
IT risk and business continuity risks have also emerged
due to the increased investments and pervasive use
of IT across organizations. Fraud perpetrated through
IT systems has also contributed to the growth of this
risk type.
Other risks such as liquidity are critical given
the recent foreign exchange volatility which affected
the economies of the East African countries.
The coverage of a wide range of risks by an ERM
program allows the risk function to contribute more
effectively to strategic decisions, because it has a more
comprehensive view of risks across the organization.
Linkage to Internal Audit
Internal Audit is regarded as the third line of defense
after management implementation of controls (first
line of defense) and risk management program and
procedures (second line of defense).
59% of the respondents indicated that ERM is
integrated and linked to the internal audit plan.
This means that their internal audit plan is based on
prioritized risks identified through an ERM process.
A further 25% indicated that this is not formalized
as yet (Figure 15).
Figure 14: What major risk areas in your organization does your ERM
program cover? (Select all that apply)
[Bar chart, scale 0% to 100%. Risk areas shown: Operational risk; Credit risk; Market risk; Liquidity risk; Strategic risk; Regulatory/Compliance risk; Legal/Litigation risk; IT Security risk; Business Continuity risk; Hazard or Insurable risks; Reputation risk.]
Figure 15: Is ERM integrated and linked to the Internal Audit Plan i.e. annual internal audit
plan is based on prioritized risks identified through an ERM process?
[Pie chart. Yes: 59.3%; No: 15.3%; Not formalised / Not sure: 25.4%.]
We are formalizing our risk program at the enterprise level, and we are getting more disciplined about measuring not only individual risks, but also what the overall potential impacts of those risks are.
Chief risk officer, diversified financial services company
Risk Appetite
To support the effectiveness of an ERM program,
an institution should consider having an approved
enterprise-level statement of risk appetite. Only
23% have their risk appetite both quantitatively and
qualitatively defined with a further 13% having it either
qualitatively or quantitatively defined. 23% are in
the process of seeking approval for their risk appetite
statement while 34% do not have the risk appetite
statement (see Figure 16).
Financial institutions can benefit from having an explicit statement of risk appetite, reviewed and approved by
the board of directors as an important part of their
oversight responsibilities. The risk appetite statement
can then be translated into specific limits and tolerances
for business and for specific risk categories.
In translating the risk appetite into specific risk
limits, 62% translated it into business unit level
while the remainder has it at the enterprise level.
Establishment of risk limits for different categories of
risk can be an important step towards monitoring that
an institution’s activities are consistent with its risk
appetite.
Value of ERM
ERM programs allow institutions to achieve a holistic
view of risk across risk categories and lines of business.
Those organizations that have implemented ERM are
already recording gains. This is evidenced by the fact
that 85% of the respondents felt that the value of their
ERM program was greater than its cost; however many
concede that it was difficult to quantify the value of
ERM. There are still 14% who have not seen the value
of their ERM program.
Although the full value of ERM may not be easily
quantified, most respondents felt the ERM provided
significant value in specific areas: an improved
understanding of risk and controls (51%), enhanced risk
culture and a better balance of risk and rewards (41%),
increased ability to escalate critical issues to senior
management (41%) and improved perceptions by
the regulators (27%) [4]. The average rating across the
4 value-scores was 2 indicating that most believed that
the ERM provided significant value (see Figure 17).
Figure 16: Does your organization have an enterprise level statement of Risk Appetite?
[Pie chart. No, we do not have a statement of our firm’s risk appetite: 33.7%; We are currently developing or seeking approval for our risk appetite: 22.6%; We have an informally defined or not approved statement of risk appetite: 8.1%; Yes, our risk appetite is qualitatively defined and approved: 6.5%; Yes, our risk appetite is quantitatively defined and approved: 6.5%; Yes, our risk appetite is quantitatively and qualitatively defined and approved: 22.6%.]
Figure 17: On a scale of 1-5 where one is most and 5 is least, in what areas does ERM
provide most significant value?
[Bar chart, scale 0 to 3. Areas shown: Enhanced risk culture and a better balance of risk and rewards; Improved understanding of risk and controls; Improved perceptions by the regulators; Increased ability to escalate critical issues to senior management.]
[4] Rated on a scale of 1-5 where 1 is most and 5 is least
Stress Testing
Since the global financial crisis, there has been
increased attention on managing systemic risk. Systemic
risk refers to the potential likelihood that risk events
affecting one institution could threaten the financial
system as a whole.
Stress testing is one tool that financial institutions can
employ to help prepare for potential systemic risks
by assessing the potential impact of extreme, but
rare, events. 59% of the organizations represented
by the respondents of the survey carry out stress testing. Half of the respondents indicated that they
carried out stress testing on a quarterly basis, 32% of
the respondents do it on a monthly basis while 14%
have an annual stress test exercise. Most respondents
however added the caveat that the frequency is
amended if the underlying key parameters in the stress
tests change.
There are however 41% of the respondents who
do not undertake stress testing. While these could
be in the insurance sector where stress testing is not
a mandatory requirement, there is scope for carrying
out the stress testing to ensure the organization is
prepared for unexpected events or rapid changes in
underlying business assumptions (see Figure 19).
Given the speed and volatility of financial markets,
financial institutions may benefit from conducting stress
tests more often than quarterly or annually, to enable
the more timely identification of risks, unexpected
events and rapid changes in underlying assumptions.
Figure 19: Does your organization perform stress tests?
[Pie chart. Yes: 59.3%; No: 40.7%.]
Implementation of industry standards
Basel II [5] and Solvency II [6] are critical industry standards
for the banking and insurance industry respectively.
While both are not mandatory standards to be
adopted within East Africa, we sought to find out
the level of preparedness or adoption state of players
in the sector. 25% of the organizations are already
implementing the standards in phases while 3% have
fully implemented them. 59% indicated that they are
moderately prepared while 12% are not prepared at all.
Those that have implemented the standards are possibly
subsidiaries of organizations that have mandatory compliance requirements from their parent company
jurisdiction (see Figure 20).
36% of the respondents identified lack of sufficient
data to meet the industry standards requirements
as the most significant obstacle to their implementation
if compliance to these standards were to be made
mandatory in East Africa. 26% felt that lack of suitably
qualified personnel in the market would hinder their
implementation while 22% identified lack of budget
resources. Other challenges to their implementation
included: lack of affordable technology systems in
the market, customizing the framework to the local
settings in terms of capital adequacy requirements and
possible inconsistent application of the rules across
the industry players (see Figure 21).
Figure 20: In your view, how prepared is your organization to adopt and implement
international industry standards such as Basel II, Solvency II etc. if the regulator
were to enforce mandatory compliance?
[Pie chart. We are implementing the standards in phases: 25.4%; Moderately prepared: 59.3%; We have fully implemented the standards: 3.4%; Not prepared: 11.9%.]
Figure 21: In your view, what are the key challenges that may face your organization or your
industry if compliance to the above industry standards were to be made compulsory?
[Pie chart. Lack of suitably qualified, skilled or experienced personnel in the market: 25.9%; Lack of sufficient data to meet the industry standards requirements: 36.2%; Lack of affordable technology systems in the market: 15.5%; Insufficient budget to be able to implement the industry standards: 22.4%.]
[5] Basel II was designed to improve the risk sensitivity of an institution’s regulatory capital measures and requires improved measurement of credit, market and operational risks. Basel III is designed to provide the financial system with higher levels of tangible capital, more liquidity and greater transparency. www.bis.org
[6] Solvency II is a revised capital adequacy regime developed by European Union regulators that will determine minimum and solvency capital levels for insurers. It employs a three-pillar approach applied across individual risk categories of market, credit, liquidity, operational and insurance risk and is designed to reflect risks more accurately than current standards. The Solvency II directive is planned for implementation on October 31, 2012, though there is discussion to delay implementation until January 1, 2013. (Delivering Solvency II, Financial Services Authority, June 2010)
Addressing the Full Range of Risks
Figure 22: On a scale of 1 to 5 with 1 being the highest, how effective is your
organization in overall risk management?
[Bar chart of responses by rating, 1 to 5.]
Figure 23: How effective do you think your organization is in managing each of the following types of risks?
[Bar chart, scale 0% to 60%. Risk types shown: Budgeting/financial; Business Continuity; Credit; Fraud; Data integrity; Human Capital; IT Security; Legal; Liquidity; Market; Privacy; Regulatory/compliance; Reputation; Strategic; Systemic; Tax; Vendor/service provider. Legend: Very Effective; Somehow Effective; Effective; Not Effective.]
A critical challenge facing risk management is achieving a comprehensive view of all the varied risks a financial institution faces, yet many institutions have much more to achieve in this regard. While some institutions seem to take a broad view of managing the full range of risks, others appear to be still focussed on the traditional areas of market, credit and liquidity risks.
Overall, most executives rated the effectiveness of their
ERM programs as either 2 or 3 on a scale where 1 is
highest. While most organizations lie at the mid-point
indicating the need for more focus and action, 5%
rated their ERM programs as highly effective (score
of 1). ERM implementation is still a work-in-progress
for most organizations. This mirrors the continuous
evolution of ERM within organizations and the reality
that every organization is at various stages of
implementation (Figure 22).
In terms of specific risk types, most organizations felt that their ERM programs were most effective in
managing liquidity and financial/budgeting risk. This
is probably explained by the fact that financial risk
management is the path of least resistance during
the initial stages of an ERM program implementation.
In addition, the quantitative nature of financial and
liquidity risks lends them to easy management. Liquidity
risk management has gained prominence given
the huge increase in interest rates which also impacts
access to short term working capital and ability to fund
operations using overdrafts.
Credit, tax and regulatory risks were also identified as
areas where ERM is growing in effectiveness, possibly
due to the already existent regulatory oversight.
Business continuity, IT security, legal, human capital
and data integrity risks were highlighted as areas where
the ERM program has not been effective (Figure 23).
Liquidity risk management
An increase in the cost of credit has put the spotlight
on liquidity risk management. In response, most
organizations have strengthened liquidity risk
management function (70% of respondents) or
amended their liquidity management policies (65%
of respondents). Other responses include: diversified
funding sources (56%); maintain liquid asset portfolios
(53%); revised contingency funding strategy (54%); and
revision of contingent funding strategy (54%).
Maybe due to the level of maturity, availability and cost, the least favored approach was to decrease use
of collateralized funding, such as repo and securities
lending.
The banking industry in the region has witnessed
a rush to build large liquidity buffers through shifting
from shorter term wholesale sources of funding to
longer-term and stable funding sources such
as from deposit taking. Institutions are recognizing
that the scenarios and assumptions used for liquidity
also need to be as rigorous as those used for capital
planning, with some establishing consistent economic
scenarios across capital and liquidity (see Figure 24).
Figure 24: Which of the following steps has your organization taken in response to the liquidity environment over the last two years?
[Bar chart, scale 0% to 80%. Steps shown: Strengthened liquidity risk management function; Enhanced liquidity stress testing; Maintained liquid stress testing; Maintained liquid asset portfolios; Improved policy; Added coordination between treasury and risk management; Revised contingency funding strategy; Diversified funding sources; Increased coordination between liquidity and capital planning; Improved analysis of contingent and off balance sheet positions; Improved treasury and Anti-Money Laundering (AML) systems; Revised analytics methodologies; Increased data requirements; Increased committed lines of credit; Decreased position limits; Integrated treasury function with risk management function; Changed funds transfer pricing methodology; Decreased use of collateralized funding, such as repo and securities lending.]
Operational risk management
Operational risk - risk arising from internal or failed
internal processes, human behaviour (including fraud)
and systems or from external events - has always been
on the radar screens of financial institutions as this
affects their core business. Across all options, most
respondents indicated they had substantially and
not fully implemented operational risk management
measures to manage these risks. Identification of risk
types and development of risk mitigation measures
were rated as areas where the operational risk
management was fully implemented.
Creating metrics for monitoring each type of
operational risk and developing methodologies
to quantify risks were identified as areas where
the operational risk measures had not been
implemented.
Given the recent cases of fraud perpetrated mostly
through the IT systems or collusion by staff, there
is scope for ensuring that robust operational risk
identification, assessment, management and mitigation
are implemented (Figure 25).
Capability of the operational risk management
technology platforms was rated as ‘somewhat capable’
by a majority of the respondents. Scenario analysis
and operational risk capital calculations were identified
as key challenges in these technology solutions.
While most of the systems are quite good in data
gathering, it is the data analysis and reporting that will
prove the key value-add from these systems (Figure 26).
Figure 25: To what extent has your organization implemented the following aspects
of operational risk management?
[Bar chart, scale 0% to 60%. Aspects shown: Creating metrics for monitoring each type of operational risk; Developing methodologies to quantify risks; Developing operational risk mitigation strategies including insurance; Gathering relevant data; Identifying risk types; Rolling out a formal operational risk training program; Standardizing documentation of the process and controls. Legend: Fully implemented; Not Implemented; Substantially implemented.]
Figure 26: How capable are your organization’s operational risk management
technology platforms in the following areas?
[Bar chart, scale 0% to 60%. Areas shown: Causal event analysis; Data gathering; Operational risk capital calculations; Reporting; Risk assessments; Scenario analysis. Legend: Extremely/very capable; Not capable / Not sure; Somewhat capable.]
Regulatory reform
Across the East African region, there has been increased
regulatory reform with regulators keen on playing
an active rather than a passive role in the affairs of
the industry. Risk-based supervision has gained currency
coupled with more demanding regulatory requirements.
While this has led to greater stability in the financial
services sector with muted cases of failures or statutory
management, this has increased the need to ensure
greater compliance levels.
Organizations indicated that regulatory reform has resulted in an increase in the cost of compliance and
the need to hold higher capital levels. Both of these
were rated at similar levels indicating the significance of
regulatory reform. Costs of compliance include systems,
processes and human resources to monitor and ensure
compliance. Higher capital levels on the other hand
explain the rights issues, recapitalization and mergers
that have occurred within the industry. The increase
in minimum capital levels for insurance companies in
Kenya and Uganda could also be a contributing factor
to this rating.
Maintaining higher liquidity was also identified
as a consequence of the regulatory reform and may be
explained by the tightening of the inter-bank lending
rates.
16% of the respondents however point out that
regulatory reform has not had any impact on their
business, which could point to institutions that
are subsidiaries of parents with tighter regulatory
requirements.
East Africa financial sector regulations have however
not undergone the radical change experienced in
the US and in Europe. This is probably as a consequence
of the fact that our economies were largely shielded
from the credit crisis with no direct impact per
se. However, we believe the regulators are keenly
observing the market conditions and slowly introducing
regulations based on learnings from the developed
market (Figure 27).
As a consequence of the recent credit crisis in the global
arena and volatility in the local markets, 52% indicated
that they now communicate the organization’s issues
to the regulator in a timely manner so as to arrive at
consensus rather than adopting a reactionary posture.
20% are now proactively engaging regulators so as to
identify regulator concerns early enough to inform
quick resolution (Figure 28).
Figure 27: Which of the following impacts on your business have resulted from regulatory
reform in the major jurisdictions where you operate?
[Pie chart. Categories: Noticing an increased cost of compliance; Maintaining higher liquidity; Maintaining higher capital; Adjusting certain product lines; No significant impacts. Segment values shown: 15.5%, 6.9%, 22.4%, 27.6%, 27.6%.]
Figure 28: In light of the recent credit crisis, in which of the following ways have you
changed the way you address/manage regulatory concerns?
[Pie chart. Categories: Meet with regulators on a more frequent basis; Enhance the organization’s infrastructure to support heightened security; Communicate the organization’s issues in a more timely manner. Segment values shown: 27.6%, 20.7%, 51.7%.]
Undoubtedly, gallant efforts have been made by many key players in the Financial Services Industry to mitigate the impact of fraud on their operations and safeguard stakeholder value. These efforts notwithstanding, both the magnitude and pervasiveness of fraud in the industry have progressively increased. This can be attributed to a mismatch between the level of sophistication of the fraud, and the tools and techniques being deployed by the industry players to contain the fraud. In view of this, it is imperative for all players in the industry to invest in the right systems, processes and people, underpinned by robust technology, in order to mitigate the impact of fraud and ultimately safeguard stakeholder value.
Robert Nyamu, Director, Forensic and Litigation Support Services
Risk Management Systems and Technology Infrastructure
Figure 29: Please select the risk management system in use in your organization:
[Pie chart. Categories: Legacy-wide risk management system; Business continuity management system; Credit risk management system; IT security incident and event management (SIEM) system. Segment values shown: 17.4%, 8.7%, 73.9%.]
Figure 30: Please rate the following (from Major Concern to No Concern)
in accordance with your concerns over the technology systems
[Bar chart, scale 0% to 60%. Concerns shown: High cost of maintenance and vendor fees; Lack of integration among systems; Lack of flexibility to extend the current systems; Lack of performance for more frequent and timely reporting; Lack of sufficient data/data integrity issues; Out of date methodologies. Legend: Major concern; No concern; Moderate concern.]
Information technology is a vital element of risk management capabilities and acts as a key enabler to its effectiveness. However, our survey shows that many institutions continue to struggle with many fundamental technology challenges. Only 40% of the organisations surveyed have a dedicated risk management technology solution.
Most of the respondents, however, clarified that
they have several sub-systems, at various levels of
sophistication that address specific risks. Legacy risk
management system (incorporating a spreadsheet
solution) was rated as the most prevalent in the industry
while credit management systems were identified
as the second most common solution. Credit
management solutions could be due to the need
to score and evaluate the credit rating of potential
customers prior to advancing loan facilities (Figure 29).
The reason for the low implementation of dedicated
risk management technology platforms could be due to the fact that most organizations still view risk from a silo
perspective hence the reason for disparate systems to
manage each specific risk. In addition, there are some
industry players who are still in the formative stages
of developing the risk frameworks and risk registers.
An example is the Kenya insurance industry where
the regulator only recently required the establishment of
dedicated risk management functions.
Possibly as a consequence of their perceived prohibitive
cost, 61% rated high cost of maintenance and vendor
fees as a major concern over the technology systems.
Integration, a long standing issue when it comes to
technology, was rated as the second most significant
concern by the industry. This result may reflect both
the complexity of integration challenge along with
the important role integration plays in achieving a more
strategic view of risk. Other issues tied to this were lack
of sufficient risk data, data integrity issues (46%) and
inability to extend the current legacy systems (Figure 30).
Figure 31: Over the next 12 months, how much of a priority are improvements to the following areas of your risk technology capabilities?
[Bar chart, scale 0% to 60%.]
[7] “Risk Management Lessons from the Global Banking Crisis of 2008,” Senior Supervisors Group, October 21, 2009
In terms of priority, risk data quality and management
was identified by most respondents as being critical in
the next 12 months as organizations seek to improve
their risk technology capabilities. Capabilities to
calculate the regulatory capital requirements, ability to
manage and monitor operational risk and compliance
risks were also highlighted as vital priority areas over
the next 12 months (Figure 31).
The ability to quickly integrate risk information in
a consistent format across the organization will help
institutions gain a comprehensive picture of their overall
risk profile, as well as the risk associated with individual
counterparties. The global financial crisis highlighted
the importance, and the difficulties, of achieving
an integrated and seamless approach to risk data.
In their October 2009 report, the Senior Supervisors
Group cited the complexity of the financial industry’s
technology infrastructure as a key hindrance in
identifying and measuring risk within the financial
system [7].
The value to be gained from a formal risk technology
infrastructure is clear: it helps provide more consistent
and reliable risk information, enhances the capabilities
of the technology infrastructure to support new
functional requirements needed by the business, and
supports effective regulatory compliance, increased
stress testing and enhanced risk reporting capabilities.
Figure 31 response scale: High priority, Moderate priority, Not a priority.
Figure 31 areas rated: Compliance management systems; Collateral management system; Economic capital; Enterprise-wide risk data warehouse development; Integrated market and credit risk measurement system; Integration of risk and compliance systems; Liquidity risk management systems; Operational risk measurement system; Regulatory capital calculation and reporting; Risk information reporting; Risk data quality and management; Specialized credit risk systems; Specialized market risk systems.
Risk is clearly assuming greater visibility and priority
in financial organizations. In response, organizations
are continuing to formalize risk management and to
move responsibility for risk management to the highest
levels of the organization. Boards of directors have
an important role to play in providing active oversight
of risk management, including the approval of their risk
management framework and risk appetite. The CRO
position can provide an important focal point, helping
risk management receive adequate attention from senior
management and providing the board of directors with independent views on key risk issues.
ERM program implementation is still a work in progress,
though those that have these programs in place are
already recording benefits and deriving value. Most
organizations have done a much better job of managing
traditional risks such as market, credit and liquidity
risks, though emerging risk types such as operational,
reputational, strategic and IT security are gaining
currency.
Looking ahead, we expect financial institutions will
focus on a number of different areas and undertake various initiatives. Some organizations will begin or
advance their ERM program development efforts. Others
may include additional risk types within their ERM
program, particularly the less traditional and emerging
risks where the risk methodologies are not as developed
and the risks themselves less understood. Most will
seek to gain a comprehensive view of risks across
the organization and identify interdependencies.
To achieve such a comprehensive picture of the risks
they face, many organizations may need to consider
upgrading their risk management information systems
so they have consistent, quality risk data that can be
easily aggregated across products, geographies and
counterparties. Risk management talent will continue to
grow as more organizations invest in training and use
of in-house subject matter experts (e.g. an experienced
operations staff member who is moved to work within the ERM
function).
Regardless of the areas of focus within risk management
initiatives, it is clear that all financial services industry
players will be pressured to reduce costs. As a result,
they will look at both the efficiency and effectiveness
of their major risk management, and ERM, programs.
We encourage organizations to address these
cost pressures by developing more integrated risk
and compliance programs, which will save money by
creating a more efficient solution and provide better
and more timely risk management information through
an integrated capability.
Progress within the industry has been real, yet the survey makes it clear that many organizations have much
more to accomplish to truly achieve a comprehensive
approach that actively identifies, assesses and manages
the full range of risks they face. The trend towards
a strategic approach to risk management is likely to
continue, and those that take a leading role in this
evolution will be in a position to use risk management
as a key competitive tool.
Conclusion: The Road Ahead
Our first edition of the Deloitte East Africa Enterprise Risk Management (ERM) Survey provides a comprehensive overview of the state of risk management in the financial services industry within the region. Just as important, it provides guideposts for understanding how risk management will continue to evolve in the coming years and where organizations can best focus their efforts.
Contacts
Nairobi
Julie Nyang’aya
Partner, Enterprise Risk Services
Tel: +254 (0) 20 423 02 34
Email: [email protected]
Urvi Patel
Senior Manager, Enterprise Risk Services
Tel: +254 (0) 20 423 00 12
Email: [email protected]
Michael Karanja
Manager, Enterprise Risk Services
Tel: +254 (0) 20 423 02 92
Email: [email protected]
Joshua Ochola
Manager, Enterprise Risk Services
Tel: +254 (0) 20 423 07 35
Email: [email protected]
Deloitte Place
Waiyaki Way Westlands
P.O. Box 40092
Nairobi – 00100 GPO
Kenya

Kampala
Fred Okwiri
Partner
Tel: +256 (0) 343 850
Email: [email protected]
Adam Sengooba
Manager, Enterprise Risk Services
Tel: +256 (0) 417 701 154
Email: [email protected]
3rd Floor Ruwenzori House
1 Lumumba Avenue
P.O. Box 10314
Kampala
Uganda

Dar es Salaam
David Nchimbi
Partner
Tel: +255 (0) 22 216 903
Email: [email protected]
Janet Bolo
Manager, Enterprise Risk Services
Tel: +255 (0) 22 211 60 06
Email: [email protected]
10th Floor, PPF Tower
Cnr of Ohio Street & Garden Avenue
Dar es Salaam
Tanzania
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its
network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about
for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple
industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class