future of risk management

7/27/2019 Future of Risk Management

1/18

w w w . P R M I A . o r g

A Survey by the

Professional Risk

Managers International

Association

August 2010

Future of Risk Management & Compliance:Global Trends and Perspectives

PRMIA thanks our survey sponsor


2/18

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

2 T H E P R O F E S S I O N A L R I S K M A N A G E R S I N T E R N A T I O N A L A S S O C I A T I O N

ACKNOWLEDGEMENTS

PRMIA thanks Microsoft for sponsorship of thissurvey, and also its broader support of PRMIA globally.

Founded in 1975, Microsoft (Nasdaq MSFT) is the worldwide leader in software,

services and solutions that help people and businesses realize their full potential.

Risk Management and Compliance industry solutions is a key focus within the

Microsoft industry group comprising industry experts dedicated to engage strate-

gically on key initiatives. Working closely with a large ecosystem of best of breed Risk

Management and Compliance solution providers, Microsofts wide range of end user

technology capabilities help integrate the different aspects of risk management and

regulatory controls in everyday activities for a simpler, faster and cost effective adop-tion. For more information on Microsoft please visit www.microsoft.com/industry.

PRMIA would like to also thank Sai Sireesh for his lead role in structuring the survey

and compiling the results. He was also earlier involved in PRMIAs 2008 ERM global

best practices study. Sai Sireesh is the Co-Regional Director for PRMIA Seattle chapter

and globally heads the Risk and Compliance strategy at Microsoft Corporation.

With over 18 years of global experience in risk management, corporate strategy and

business incubation, he was recognized by PRMIA in April 2009 as an outstanding

volunteer in helping develop the risk management profession and practices acrossthe world. Other contributors are recognized at the end of the survey.

The Professional Risk Managers International

Association (PRMIA) is a higher standard for risk

professionals, with 60 chapters around the world

and more than 70,000 members from 198 coun-

tries. A non-profit, member-led association, PRMIA

is dedicated to defining and implementing the best practices of risk management

through education including the Professional Risk Manager (PRM) designation and

Associate PRM certificate; webinar, online, classroom and in-house training; events;

networking; and online resources. More information can be found at www.PRMIA.org.


3/18

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

A H I G H E R S T A N D A R D F O R R I S K P R O F E S S I O N A L S

E X E C U T I V E S U M M A R Y

The global market dynamics continue to be challenging in 2010 with the rapidly

evolving regulatory and risk management landscape. Risk and compliance func-

tions have become even more critical and complex. Most companies are review-

ing their current and future state of risk and compliance blueprints. PRMIA has been

on the forefront of many initiatives to influence the regulatory directions.

Given the broadening base of PRMIAs membership, this was a global survey across all

industry sectors. It collates the views of both specialists as well as business, operational/

technology roles serving as the first line of defense. A total of 1,662 global PRMIA

members participated in this survey.

Vision and pulse of the profession Today we face both broader and deeper regulatory

issues such as Liquidity Risk, Capital Buffers, Supply Chain Risk, Information Risk,

Environmental Compliance etc. In addition technology changes also impact the way

risk and compliance is managed. Example given legal and reputation risk need to factor

in the usage of social media like blogs and wikis.

Empowerment and culture Risk and Compliance have become much more people

centric. The dependence on quant models will obviously continue but with balance

between qualitative assessment to back up the black box models. The focus is on organ-

ization wide employee buy-in for risk controls at all levels i.e. risk is really everybodysjob. Given the enhanced regulatory oversight, risk and compliance roles are under

immense pressure to deliver demonstrable impact, with every company enhancing

its controls. Hence respondents were also asked to consider broader areas such as

productivity and efficiency and their role in empowering an effective risk and compli-

ance culture across the organization.

Generational shift in the risk talent pool With the steady generational shift in the work-

place, the work practices of the technology savvy risk and compliance talent pool is also

influencing subtle changes. We were curious about any shift in both practices as well as

required skills for risk and compliance professionals and if the processes and technology

are keeping up.


4/18


5/18

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||


Technology Predictions Ease of use, flexibility, self-serve and integration with cur-rent environment were key expectations, along with the need for enhanced decision

support, predictive analytics and high performance computing in the processes.

Also implicit was the role of technology enablers to enhance productivity and effi-

ciency in the workplace. Tools like risk computing via cloud start to become real.

Game Changers This being an open ended question, there was a predictably wide

range of responses. The top categories of game changers were new regulatory

concepts, risk approach and next generation technology enablers. Some of the

specific game changer predictions were:

I Concepts Systemic risk, ERM, Stress testing, Liquidity risk, Dynamic capitalprovisioning

I Approach Integrated approach, ERM, risk controls in everyday processesand workflows

I Data still king Clean relevant data still an important factor impacting riskin the future

I New Regulatory landscape Basel III, Solvency II, Capital buffers, Rating &OTC oversight, IFRS

I Review of Measures VAR, PD, LDG, EAD, Monte Carlo, FundsTransfer

Pricing (FTP)

I Next generation technology Cloud risk services, High performancecomputing, Self-serve

I Culture Holistic risk based remuneration approach, Business ethics,Awareness, Education, Empowerment, Management accountability

E X E C U T I V E S U M M A R Y C O N T I N U E D


6/18

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||


KEY FINDINGS

Given the broader and wider reach of PRMIA beyond financial services, this surveypolled respondents across financial as well as broader industry/sector trends to havea more balanced view of the results.

I Out of a total of 1,662 global respondents, 1,398 (84%) were from financial institutions and264 (16%) from non-financial institutions.

I The top 5 financial risk management future trends were: 1. Liquidity Risk Buffers, 2. EnterpriseRisk Management, 3. Stress Testing, 4. Managing Systemic Risk, 5. Banking Book CreditRisk Models.

I The top 5 non-financial risk management future trends were: 1. Enterprise Risk Management,2. Operational Risk, 3. Cash Flow at Risk (CFAR), 4. Productivity & Efficiency in Risk,

5. Technology Risk.

I Risk Management/Compliance trends foreseen in the next 2-3 years: 1. More visualization ofanalysis, 2. Collaboration as a key pillar, 3. Broader and wider access to business insights andanalytics, i.e. risk management for everybody.

I Risk management and compliance functions will rely much more on: 1. Automating work flowsand processes, 2. Self serve providing powerful analytics to end users, 3. Unlocking businessdata/insights.

I Top skills which Risk Managers of the future need to focus on: Deeper business knowledge wasranked the top skill; Quantitative skills (Math, Stats) and Communication skills ranked secondand third respectively.

I Risk Managers today spend on average 62% of their time on tactical tasks, e.g. data collection,and only 36% on strategic/analytical activities. The percentage of firms taking a more strategicand longer term view of risk management practices will rise.

I The percentage of operational costs needed for an effective risk management program: 27%felt 2-5% of the operational costs was adequate; 25% voted for 5-7% of the operational costsand 24% voted for a much larger share of 7-10% of the operational costs.

I Future decisions on Risk Management technology investments will be based on: 1. Efficiency Integrated offerings which help bring efficiency to work flows and processes, 2. Self service The right information, at the right time in the right format for end users, 3. Productivity Savevaluable hours for employees in everyday risk management tasks. Interestingly, cost came outas the lowest factor.


7/18

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||


KEY FINDINGS CONTINUED

I The top 3 biggest challenges in obtaining risk data for management/Board reporting were:

Lack of effective tools for aggregating or analysis, data not available and not having a consistenttaxonomy i.e. data not categorized.

I Risk aggregation across a number of data sources is always a challenge. Around 14.6% usemore than 25 data sources which really represents the industry average at larger global firms.49% use 1-10 data sources; 25% use 10-15 data sources.

I Current level of risk systems integration: 42% felt their risk systems were somewhat integrated;31% felt their key risk systems were integrated but the rest were only somewhat integrated.On the opposite ends, 2.3% were fully integrated and 13.3% were not integrated.

I Role for technology in the future within your risk processes: Decision support was the favoredchoice with 52.7%; Predictive analytics (e.g. pattern analysis, artificial intelligence) was next

with 25%; Surprisingly data aggregation and analysis scored low.

I Top 3 factors in selecting future technology solutions for enabling ERM processes:Connectivity/integration with existing systems; Flexibility and Ease of use.

I 81.6% agreed that their firms should adopt a uniform taxonomy for categorizing risk, processes,organization hierarchy, etc.

I Game changing concepts/technology/trends in the Risk Management profession: The responseswere very broad, but the following themes were identified across categories of similar responses:1. Systemic risk management, 2. Stress testing and 3. Integrated approach.


8/18

T H E Q U E S T I O N S||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||


Non-Financial

Financial

84.1%

15.9%

0 1.0 1.5 2.0 3.0 4.03.5

Liquidity Risk Buffers

Enterprise Risk Management

Stress Testing

Managing Systemic Risk

Banking Book Credit Risk Models

Operational Risk

Dynamic Capital Provisioning

Productivity and Efficiency in Risk

Technology Risk

2.50.5

Q1) Respondents Profile

What type of industry background do you have?

There were 1,662 global respondents; 1,398

(84%) from financial institutions and

264 (16%) from non-financial institutions.

Q2) Financial Top five risk management trends important to future industryblueprints.

There are many regulations in process around liquidity risk and stress testing. But beyond these

what else tops the list for Risk Managers? The responses highlighted the following top five trends,

of which ERM, Systemic Risk and Stress Testing were the expected trends. Apart from these normal

financial measures, Productivity and Efficiency was also called out as a trend amongst others.

1. Liquidity Risk buffers

2. Enterprise Risk Management

3. Stress Testing

4. Managing Systemic Risk5. Banking Book Credit Risk Models

For financial services firms, rank your top five risk management trends in the terms of

importance in future industry blueprints.


9/18

|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||


0 1.0 1.5 2.0 3.0 4.03.5

Enterprise Risk Management

Operational Risk

Cash Flow at Risk (CFAR)

Productivity and Efficiency in Risk

Technology Risk

2.50.5

Q3) Non-financial Top five risk management trends important to future industryblueprints:

ERM was again the top, with Operational Risk and Cash flow at Risk (CFAR) coming in next. Interestingly

Productivity and Efficiency in Risk and Compliance as well as Technology Risk were predicted as trendsto impact future blueprints.

1. Enterprise Risk Management

2. Operational Risk

3. Cash Flow at Risk (CFAR)

4. Productivity & Efficiency in Risk

5. Technology Risk

For non-financial services firms, rank your top five risk management trends in terms of importance in

future industry blueprints:

0% 40% 60% 80%

Risk and Compliance analysis will get more visual

Collaboration as a key pillar of Risk and Compliance function

More people with access to business insights and analytics

High performance computing at finger tips

Centrally hosted and controlled business critical spreadsheets

20%

68.4%

66.3%

53.2%

30.1%

29.5%

Q4) What will Risk Management/Risk Compliance look like in the next 2-3 years?

Organizations are focusing on employee buy-in for risk controls at all levels i.e. risk is really everybody's

job. Based on the responses, risk and compliance controls need to be much more people centric and this

is borne out by choice of cross company collaboration as a key pillar of how companies expect to manage

risk and compliance in the future.

1. 68% opined that Risk and Compliance analysis will get more visual

2. 66% identified Collaboration as a key pillar of the Risk and Compliance function

3. 53% opined that more people will have access to business insights and analytics.


10/18

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

1 0 T H E P R O F E S S I O N A L R I S K M A N A G E R S I N T E R N A T I O N A L A S S O C I A T I O N

0% 40% 60% 80%

Deeper business knowledge

Quantitative (Math, Stats)

Communications

Qualitative

20%

74.4%

45.6%

42.6%

31.9%

Q5) Role of tools in future risk management and compliance functions:

Responses indicate a shared vision towards enhanced automation in future risk and compliance

workflows. Also as a sign of increasing generational shift towards a technology savvy risk talent

pool, self-serve (i.e. DIY-do it yourself analytics) tools came out on top. The top 3 responses were:

1. Automating work flows and processes

2. Self serve providing powerful analytics to end users

3. Unlocking business data.

0 2 3 4

Self serve providing powerful analytics to end users

Unlock business data

Automating work flows and processes

Visualization

More computing power

1

3.35

3.21

3.46

2.49

3.14

Q6) Top skills which Risk Managers of the future need to focus on:

This question sought to capture the professions sentiment on skills for Risk Managers to succeedin the future. Would it need more specialists or generalists? The responses are fairly balanced. The

top 3 skills were business knowledge, quantitative and the ability to communicate complex

concepts in simple and clear terms.

1. Deeper business knowledge was called out as the top skill by over 74%

2. Quantitative (Math, Stats) was ranked as the second most needed skill, with over 45%

3. Over 42% rated Communication as third most important skill


11/18

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||


3%

49.4%

9.7%

16.7%

21.2%

20-40% / 60-80%

40-60% / 40-60%

80-100% / 0-20%

0-20% / 80-100%

60-80% / 20-40%

Q7) Proportion of time that Risk Managers today spend on tactical/data collectionactivities as compared to strategic/analytical tasks:

There is always a dynamic balance between the overall strategy and tactical business realities and the

underlying processes. Are Risk Managers and compliance professionals able to balance their timebetween strategic and tactical efforts? The response shows that on average 62% of Risk Managers

spend their time on tactical tasks and implies a desire to be able to spend more time on strategic and

proactive risk mitigation activities, rather than time consuming tactical tasks like data aggregation.

Depending upon the maturity of risk management, a more healthy balance can certainly help.

1. 62% of time spent on tactical

2. Only 36% of time spent on strategic

16.2%

27.1%

24.3%

6.7%

25.7%

Under 2%

Greater than 10%

7%-10%

5%-7%

2%-5%

Q8) Percentage of operational costs needed for effective Risk Management program:

Risk and compliance initiatives have to face the business reality of budgetary constraints. Is there a

baseline budget needed for an effective risk management program? The responses were:

Risk management budgets between 2-5% of operational costs 27%



What do you think is the right

percentage of operational costsneeded for effective Risk

Management program?

Select only 1

Tactical/Strategic

Time Allocation


12/18

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||


0% 40% 60% 80%

Efficiency Integrated offerings help in efficient work flows and processes

Self service Right information, right time in right format for end users

Productivity Save valuable hours for employees in everyday risk management tasks

Maximize existing investments and capabilities

Everyday activities Embed solutions in employee regular daily activities

Rapid deployment Quick and easy deployment for fast track projects

Familiarity End user ease of use and familiarity for reduced cost of training

Costs Lower cost of deployment and maintenance

20%

71%

61.2%

60.3%

50.5%

50.2%

49.2%

38.8%

36.5%

Q9) Future of Risk Management technology investment decisions:

Many organizations are focusing on company wide employee buy-in for risk management and

compliance practices at all levels i.e. risk is really everybody's job. Technology being a key pillar of

how effective Risk Managers are, this section highlights the factors that Risk Managers deem key

to future directions of risk management technology adoption.

1. Efficiency Integrated offerings help make work flows and processes efficient

2. Self service Right information, right time in right format for end users

3. Productivity Save valuable hours for employees in everyday risk management tasks

4. Maximize existing investments and capabilities

5. Everyday activities Embed solutions in employees regular daily activities


13/18

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||


0% 40% 60% 80%

Lack of effective tools for aggregation or analysis

Data not available

Data not categorized (taxonomy)

Data not quantified

Data not weighted

20%

71.1%

63.5%

50.6%

44.4%

27.9%

Q10) Biggest challenges in obtaining risk data for management/Board reporting:

Lack of relevant data is still a big challenge to address. The responses were, in order of significance:

1. Lack of effective tools for aggregating or analysis2. Data not available

3. Data not categorized (taxonomy)

4. Data not quantified

0% 20% 30% 40% 50% 60%

110

1015

1525

More than 25

10%

48.9%

25.1%

11.4%

14.6%

Q11) What number of data sources does your organization use to provide executivemanagement, the Board and external stakeholders (regulatory agencies, external

auditors, etc.) with risk reporting:

The existence of multiple data sources has been a challenge and will continue to be an issue in the

future. Almost 50% of the respondents indicated disparate data sources between 1-10.

1. 49% use 1-10 data sources

2. 25% use 10-15 data sources

3. 14.6% use more than 25 data sources


14/18

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

0% 20% 30% 40% 50%

1

2

3

4

5

10%

Q12) Rate the current level of risk systems integration:

Not integrated Somewhat Integrated Key systems integrated Integrated

1 2 3 4 5

A. 42% felt their risk systems were somewhat integrated

B. 31% felt their key risk systems were integrated but the rest only somewhat integrated

C. On the opposite ends, 2.3% were fully integrated and 13.3% were not integrated

Q13) What role will technology play in the future within your risk processes:

Data aggregation and analysis Decision Support Artificial Intelligence

1 2 3 4 5

1. Decision support was the favored choice with 52.7%

2. Predictive analytics (e.g. pattern analysis, artificial intelligence) was next with 25%

3. Surprisingly, data aggregation and analysis scored low

0% 20% 30% 40% 50% 60%

1

2

3

4

5

10%

3.4%

13.3%

52.7%

25.1%

5.4%



15/18


16/18

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

0 100 150 200 250

ERM/IntegratedRM

Technology/Systems/Automation

Models and analytic tools

Governance/Compliance/Basel/Crisis

Data

Common sense/Simplification/Qualitative

Credit/Counterparty/Default/LiquidityRisk

Organizational improvements

Stress testing

Black Swans/Tail events/Correlation risk

Risk awareness

Human capital

Capital allocation

Systemic risk

Knowledge/Information/Intelligence

50

202

135

125

117

71

71

57

53

49

38

34

34

34

31

29


Q16) Top 2 game changing concepts/technology/trends in the RiskManagement profession:

This being an open ended question, the range of responses was predictably very wide. The

responses are classified into the following categories. The top 5 categories of game changers

were ERM/Integrated Risk Management; Technology/Systems/Automation; Models and AnalyticalTools; Governance, Compliance, Basel and finally Data related.

Some of the specific game changer predictions were:

Concepts Systemic risk, ERM, Stress testing, Liquidity risk, Dynamic Capital Provisioning

Approach Integrated approach, ERM, Risk controls in everyday processes and workflows

Data is still king Clean relevant data still an important factor impacting risk in the future

Next generation technology, analytics Cloud services, High performance computing

New Regulatory landscape Basel III, Solvency II, Capital buffers, Rating & OTC oversight, IFRS

Measures Review of VAR effectiveness, PD, LDG, EAD, Monte Carlo, Funds Transfer Pricing (FTP)

Next generation technology Cloud services, High performance computing, Self-serve analytics

Culture Holistic Risk based remuneration approach, Business ethics, Awareness, Education,

Empowerment, Management accountability

Top 15 Clusters


17/18

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||


B I O G R A P H I E S O F C O N T R I B U T O R S

Sai Sireesh Sai Sireesh is the worldwide director for Risk & Compliance Strategy, Industry Group at

Microsoft Corporation. He currently serves pro bono as the Co-Regional Director, PRMIA Seattle. He has over

18 years of global experience in risk management, corporate strategy and business incubation. He was recog-nized by PRMIA in April 2009 as an outstanding volunteer in helping develop risk management profession

and practices across the world. He has served pro-bono as Advisor/Board Member/Trustee for: Rural Credit

Delivery to Poor IIIT, Bangalore India; Stanford Universitys Digital Vision ICT project, Reuters Centenary

Fund PLC UK. He has attended courses at Wharton, INSEAD, NUS Financial Engineering Center, Harvard Law

School Berkman Centre for Internet Law, Graduate School of Business, AIM Manila, Shivaji University-India.

Dr. Ufuk Ince A PRMIA Seattle steering committee member, Dr. Ufuk Ince has been on finance and graduate

faculty at the Business Program at the University of Washington, Bothell for the past 9 years. Earlier he taught

at Georgia State University, where he completed his doctoral work and also obtained his masters degree

in finance.

While he was pursuing his doctorate, Dr. Ince also taught Investments and Managerial Finance at Harvard

University Summer School. His scholarly work focuses on financial risk management, real options, and valua-

tion of seismic retrofit investments. Dr. Ince is a Chartered Financial Analysts and a member of the CFA

Institute, Financial Management Association, and American Finance Association

Bradley Yee Bradley Yee is a founder and principal for Risk Management Solutions (RMS) Partners, a consul-

tancy specializing in assisting clients in building risk management processes and designing and deploying

enabling technologies. Formerly, he was an SVP in Global Compliance & Operational Risk at Bank of America.

Mr. Yee spent 29 years with Bank of America building and managing functions in Operational Risk,

Technology, Control Evaluation Services and Audit.

Jacob Firestone Jacob (Jack) Firestone is an SVP in Global Compliance & Operational Risk at Bank of

America, responsible for the design and maintenance of related core infrastructure, tools and analytics. He

has spent more than 25 years at Bank of America in various technology and call-center integration roles. Jack

is an attorney licensed in California and Federal courts, with a JD Degree from UC Hastings. He holds a BA

Degree from San Diego State University. Before entering the business world, Jack practiced law for a number

of years as a litigator.

Jeffrey Napper Director, ORM, GMAC Group USA. Jeff is a Sr. Financial Services Executive with over 25 years

of experience across Risk Management and Financial Services in various roles. He was earlier Sr. Vice

President, ERM at Bank of America. His other stints being at MBNA,Chubb Group of Insurance Companies

and Risk Management Solutions (RMS) Partners. He has experience across many facets of risk and compli-

ance including - Board and executive management compliance and operational risk reporting, Regulatory

relationship management for OCC, FRB and OTS, Oversight of Basel II compliance.

Dr. Stefan Zimmermann Dr. Stefan Zimmermann is the Worldwide Technology Strategist for Risk

Management and Compliance industry solutions at Microsoft Corporation. Based in Munich, Germany,

Stefan works with leading companies on Risk Management and compliance projects.


18/18

w w w . P R M I A . o r g

future of risk management

Documents