Risk management and risk oversight – Have we built better banks? | Robeco

RESEARCH PAPER, February 2017

Robeco, Weena 850, 3014 DA Rotterdam, The Netherlands. Views expressed in the paper are the authors’ own and do not necessarily reflect those of Robeco.

Getting inside the banks’ engine rooms

In this paper we discuss the development of the risk management and risk oversight function of banks since the global financial crisis hit us in 2007-2008. The OECD in its 2009 report on the lessons learned pointed to major corporate governance weaknesses that contributed to the financial crisis. It distinguished four areas: 1) remuneration, 2) risk management, 3) board practices and 4) the exercise of shareholder rights.1

“Perhaps one of the greatest shocks from the financial crisis has been the widespread failure of risk management. In many cases risk was not managed on an enterprise basis and not adjusted to corporate strategy. Risk managers were often kept separate from management and not regarded as an essential part of implementing the company’s strategy. Most important of all, boards were in a number of cases ignorant of the risk facing the company… With few exceptions, risk management is typically not covered, or is insufficiently covered, by existing corporate governance standards or codes. Corporate governance standard setters should be encouraged to include or improve references to risk management in order to raise awareness and improve implementation.”

This summary addresses the structuring of risk management, reporting and involvement of the Board. All the issues are intertwined and regard the quality of earnings a bank is building and wants to build. Risk management takes place within the engine room of a bank. Without proper risk management there cannot be proper banking.

The question that we would like to put forward is whether we have been able to build safer banks in the interim. Banks are often regarded as black boxes. Admittedly, the quality of a bank’s risk management is hard to assess from the outside. How is management managing the bank’s systemic risk profile (think of capital adequacy, liquidity and overall risk management)? It is imperative that investors, and particularly longer-horizon investors, feel comfortable with the risk management track record, structure and framework of risk control. Senior executives need to communicate to the capital market how risk categories impact capital allocation and frame this in the long-term value creation process. From a principal-agent perspective, the Board is the ultimate body that has to monitor risk management, particularly from an ex-ante perspective. Do investors have enough reassurance about the level of Board expertise and the strength of risk management committees?

We have split this report into three sections:

Section 1: How do you measure risk management? Have risk management practices improved since the financial crisis? We assess this from a top-down perspective, looking to reach some conclusions for different geographies.

Section 2: Risk management from a governance perspective: relative strength of the Chief Risk Officer, knowledge and experience of the Board, functioning of the Risk Committee, risk management and executive remuneration. We will also look into best practices: what can we learn from the leaders in terms of their risk management?

Section 3: Towards a continuous dialogue: in this final section we list the topics that are relevant in engaging with companies. How do we, from an outside-in perspective, assess the improvement (potential) and make sure management stays the course?

1 OECD (2009), Corporate Governance and the Financial Crisis: Key Findings and Main Messages


The effectiveness of risk management and risk oversight is important from a stakeholder perspective. It falls under the UN PRI Sustainable Development Goals, more specifically goal 16, which is dedicated to the promotion of peaceful and inclusive societies for sustainable development, the provision of access to justice for all, and building effective, accountable institutions at all levels. Two targets apply in our case: ‘develop effective, accountable and transparent institutions at all levels’ as well as ‘ensure responsive, inclusive, participatory and representative decision-making at all levels.’

We will first provide a top-down view on risk management at banks before diving into a company-level discussion. In this first section we address two fundamental questions: 1) How do you measure risk management? and 2) Have risk management practices improved since the financial crisis?

Why do we still talk about it eight years after the financial crisis?

ESG risks for financials have picked up again judging by this sector materiality matrix by Cornerstone Capital Group – which builds on disclosure by the Sustainability Accounting Standards Board (SASB) and RobecoSAM. We find this statement rather generic as it does not pinpoint the actual indicators showing that ESG risks have been rising. For financials, Cornerstone considers governance as the key ESG risk, with risk management as the driver of that risk. In terms of metrics they look for capital ratios and leverage ratios.

Materiality matrix, Cornerstone Capital

Source: Cornerstone Capital Group

A natural starting point for our discussion is the relevance of the different themes from a financial materiality standpoint. The RobecoSAM materiality matrix for banks distinguishes risk management and corporate governance as the two most material factors in terms of magnitude and likelihood of impact.


Materiality matrix banks, RobecoSAM

Source: RobecoSAM

SASB identifies five material sustainability issues for commercial banks. Systemic risk management is one of them, as part of leadership & governance together with management of the legal and regulatory environment.2 Also in the materiality matrices of banks themselves, risk management is often stated as one of the most material risk factors in terms of (financial) importance to both the bank itself and its primary stakeholders. We include two examples: SEB in the Nordics and Commonwealth Bank of Australia.

SEB: materiality matrix

Source: SEB

2 SASB (2014), Commercial Banks Research Brief, February 2014


Commonwealth Bank Australia (CBA): materiality matrix

Source: CBA

Why is risk management so important for banks?

Banks are different from non-financial firms as they create shareholder value through their liabilities (funding). Looking at value creation, risk is therefore both an upside and a downside. One could say that there is an optimal amount of risk for a bank from the perspective of its shareholders. This optimum level differs from bank to bank. The better-governed banks distinguish themselves by having processes in place to 1) identify this optimal amount of risk, and 2) make sure that their actual risk does not deviate too much from the optimum.3 To assess the development of risk management we first analyze the RobecoSAM dataset for global developed markets banks on their risk management scores. We divide the global banks into three geographical buckets and calculate the mean of their RobecoSAM risk management scores based on the 2011-2016 dataset. We do this for 28 European banks, 23 North American banks and 17 Asia-Pacific banks, i.e. 68 banks in total. We arrive at the following conclusions:

- European banks as a segment consistently have the highest risk management score over 2011-2016. There has been some improvement, particularly in the last year.
- In terms of improvement the North American banks have shown some strong momentum, particularly over 2014-2016. This is also illustrated by the second exhibit showing the indexed development since 2011.
- The Asia-Pacific banks (including Japan) lag behind the other segments, which is largely due to many Japanese banks being relative underperformers. The major Australian banks on the other hand are all part of the risk management ‘super league’.

3 Stulz, R.M. (2016), ‘Risk Management, Governance, Culture, and Risk Taking in Banks’, FRBNY Economic Policy Review, August 2016.


Risk management scores

Source: RobecoSAM

Delving a bit deeper, we note that if we rank the banks within their segment the standard deviation is largest for the North American and Asia-Pacific banks. This also underlines the fact that the improvement potential in risk management overall is greater there than at European banks.

Risk management scores versus segment mean, 2016

Source: RobecoSAM

Another way to address the question about risk management performance is to look at a bank’s balance sheet and earnings profile over time. For SASB the most important accounting metric for measuring the quality of systemic risk management is the result of stress tests and the impact on 1) loan losses, 2) losses, revenue, and net income before taxes, 3) tier-1 common capital ratio, 4) tier-1 capital ratio, 5) total risk-based capital ratio and 6) tier-1 leverage ratio. A common metric for risk management from a size perspective is the risk-weighting of a bank’s asset base. From our analysis it follows that European banks started deleveraging in 2008-2009, whereas for the Asia-Pacific banks it took another three years. This contrasts with the North American banks that actually increased their risk-weighted assets (RWA) from 2012 onwards. As the second exhibit shows, this was not a result of a big jump in loan growth, although loan growth has been picking up nicely since 2011 relative to the other geographies.


Increase in RWAs in North America … not entirely matched by a similar jump in loans

Source: Robeco, Bloomberg

What about capital?

The banking system around the world has seen a substantial increase in capitalization since the low of 2008. North American banks have taken the lead in this. Relative to RWA growth, tangible common equity growth has been slower in North America than in other regions.

Tangible common equity

Source: Robeco, Bloomberg

The North American banking system – particularly the US one – is different in two ways: the relative size of off-balance sheet assets and the higher portion of fair value assets and trading securities. For example, European banks have a ratio of off-balance sheet commitments over net loans of 4x compared with 19x for North American banks. This is visible in a higher weight of RWAs over net loans and over total assets. Typically, North American banks have greater off-balance sheet leverage, whereas European and Asia-Pacific banks have greater on-balance sheet leverage.


RWAs / total assets; Total assets / total common equity (x)

Source: Robeco, Bloomberg

The actual level of loan losses has been relatively contained in the case of the European banks and Asia-Pacific banks. North American banks experienced a sharp spike in loan losses in 2007-11, which is partly compensated for by a higher return profile (as measured on the basis of Return on Assets).

Actual loan losses / net loans; ROA

Source: Robeco, Bloomberg


Robust risk management ideally goes hand in hand with strong corporate governance. The Board of Directors in our view is instrumental in the control and oversight of the risk management function. In this section we look into risk management from a governance perspective. We will discuss issues such as the relative strength of the Chief Risk Officer, knowledge and experience of the Board on risk management, functioning of the risk management committee, and risk management and executive remuneration. What can we learn from the leaders in terms of their risk management?

Structuring of the risk function

How are risk management and risk control structured within the organization? What insights can we get into the risk management track record and the structure and framework of risk control? Is there strong risk management awareness throughout the organization? We approach this from three angles: independence, capacity and effectiveness of the risk function.

Executive Committee and the Chief Risk Officer function

Is sufficient risk management expertise available on the Executive Committee? What is the seniority level of the Chief Risk Officer (CRO); is the CRO part of the C-suite? What authority do CROs have? Has the CRO function been strengthened over the past couple of years? Succession planning around the CRO function: is there a strong and deep bench?

Board of Directors

Does the Board use a dedicated and standalone risk committee, or a hybrid form? How independent and strong is the risk committee? What is the level of risk management and general financial expertise? Is there experience in risk management, within and outside the current organization? Board renewal: is it addressing the skill/experience gap in risk management?

Remuneration and scorecard

Is risk management integrated into the remuneration framework (particularly the Long-Term Incentive Plan)? And how (qualitative/Board discretion or also quantitative)? Are there clawbacks?

Structuring of the risk function

How are risk management and risk control structured within the organization? What insights can we get into the risk management track record and the structure and framework of risk control? Is there strong risk management awareness throughout the organization? We approach this from three angles: independence, capacity and effectiveness of the risk function. The three lines of defense model is widely known and captures three levels:

1) The business operations: it is in the business operations where risk and risk control are being established. It is important that from the very start the business risks taken are in line with the risk profile and policy of the bank as part of its risk culture. This is a dynamic process and the risk appetite varies depending on changes in the business environment. The first line of defense concerns the very heart of the engine room. Through active risk management a bank can have a strategic advantage over its peers, in terms of both risks and opportunities. A typical example in European banking is Svenska Handelsbanken, which through its decentralized model has made the branch the key entity in terms of responsibility for credit risk. The risk management and credit approval process are based on the conviction that the decentralized organization with local presence ensures high quality in credit decisions. The starting point is zero tolerance for loan losses. As a result of this the bank tends to address potential loan losses earlier than competitors.

2) The oversight function: this is where the oversight over business processes and risk takes place. It comprises various functions such as finance, compliance, risk control and model validation. Banks have strongly increased their investments in this area, expanding the staff pool active in risk oversight and compliance, partly driven by regulatory demands (as an outcome of several litigation issues). It is important that the second line of defense is independent from the first line. There should be controls on an ongoing basis, based on clear risk assessment criteria. The core question is whether the bank has a clearly defined oversight structure in terms of roles, responsibilities and accountability.

3) Independent assurance: the third line of defense has to do with risk assurance, both within the internal audit function and from independent assurance providers (think of the large accounting firms). Excessive tenure of the auditor would raise a flag in the sense that they might be too comfortable.

Three lines of defense model

Source: Deloitte Tohmatsu

Executive Committee and Chief Risk Officer function

Is sufficient risk management expertise available on the Executive Committee? What is the seniority level of the Chief Risk Officer (CRO); is the CRO part of the C-suite? Has the CRO function been strengthened over the past couple of years?

It should be considered best practice that one person has oversight of all types of risks on a company level, embodied in the Group CRO. We increasingly see the CRO being part of the Executive Committee, a development we welcome. What is less often addressed is succession planning around the CRO function in terms of the strength and depth of the bench. Companies in general are not transparent about this.

In the table below we assess the relative strength of the CRO role at a collection of international banks. Our data sample of 12 banks is a combination of the leaders by region in terms of their 2016 risk management score by RobecoSAM (these are BNP Paribas, Toronto Dominion Bank and Commonwealth Bank of Australia), their direct peers and some current or previous portfolio holdings. We will use this same dataset throughout the section.

Based on the CRO matrix, we see HSBC as best-in-class, whereas Commonwealth Bank of Australia (CBA) has much room for improvement (its CRO is relatively new, has a background as director general counsel, but no risk management experience).


CRO profile for a select number of banks

Source: Companies, S&P Global Market Intelligence, Bloomberg

Svenska Handelsbanken is generally regarded as a bank with a deep risk culture which is prevalent throughout the organization. However, assessing the profile of the bank’s CRO we find that the CRO brings neither prior risk management experience within the own organization nor prior external risk management experience.

A special topic is that of succession planning around the CRO function. In other words, is there a strong and deep bench? There is the succession risk around the CRO, but also that of critical staff members with deep risk management skills. Turnover in a bank’s risk management group can harm a bank’s ability to monitor risk. This is an issue where we typically lack good disclosure. It is only through regular dialogues with company management that we can develop a comfortable level of understanding on this.

Some conclusions:

- Renewal of CROs: in general, banks have appointed a new generation of CROs since the global financial crisis (with the exception of TD Bank).
- Internal experience: half of the CROs in our sample have prior internal experience in risk management before being appointed CRO. In a steady business state (i.e. no strategic overhaul of the bank) we would prefer this to be the norm.
- External experience: in only 2 out of our 12 banks does the CRO have experience in risk management outside the current organization. We would advocate more diverse risk management expertise, also outside the current organization.
- Length of experience: the average length of experience in risk management is about 9 years, which just includes the global financial crisis experience. We find that in most cases shorter risk management tenure tends to coincide with no/limited prior risk management within the own organization. This is a potential risk factor and red flag.
- Diversity: ideally, we would like to see a range of diversity in terms of past experience, market and perspective. In terms of gender diversity, there is only one female CRO in our sample of 12 banks.

Board of Directors

Many Boards do recognize the importance of risk management and the relevance of good oversight. As a result, Boards have set up committees to focus on this. We look at whether bank boards use dedicated and standalone risk committees, or a hybrid form. And what about the independence and strength of the risk committee? The level of risk management and general financial expertise? Experience in risk management, within and outside the current organization? Board renewal: is the Board addressing a skill/experience gap in risk management when it looks for new directors?


Board and Risk Committee

Source: Companies, S&P Global Market Intelligence, Bloomberg

Our conclusions:

- Stand-alone risk committee: the stand-alone risk committee is the dominant model, with the hybrid model typically being a combination with internal control & compliance.
- Independence: in 7 out of 12 banks the risk committee is fully independent. The least desirable situation is where a former CEO is Chairman of the Board and also Chair of the risk committee. In two cases the former CEO is a member of the risk committee. We would strongly advise against this practice.
- Size (capacity): we assess the size of the risk committee relative to the overall Board size, which on average is 45% in our sample. In three cases the outcome is well below that average. This becomes a concern if the risk committee is not fully independent and Board size is below common practice standards.
- Tenure: it is a difficult question as to what the optimal tenure is for risk committee members; balance is important as well. In our sample the average board tenure of the risk committee members was 6.8 years. Evidently, we have seen much renewal post the global financial crisis. Still, there is much historical knowledge too, with the longest tenure of risk committee members being 12.3 years on average (with a range of 7.5 years in the case of ING to 17.0 years for both Bank of Nova Scotia and M&T Bank).
- Risk management expertise (effectiveness): if we aggregate the data in our sample, only 15% of the members of the risk committee have relevant risk management expertise. In 5 out of 12 cases no one on the risk committee had relevant risk management expertise. This is the area where we would like to see more progress.
- Disclosure: lastly, disclosure is key to us. More disclosure around the self-assessment of the functioning of the risk committee members and especially around the key outcomes of what was discussed is welcome.

In the first table we found that in most cases shorter risk management tenure of the CRO tends to coincide with no/limited prior risk management within the own organization. If this also corresponds with a lack of risk management expertise in the Board, we get particularly worried. In the graph below we have plotted the risk management expertise of the CRO on the x-axis and the average board tenure of the risk committee members on the y-axis. The bank that we would be most concerned about is Commonwealth Bank of Australia (CBA), with limited risk management expertise of the CRO in combination with relatively low tenure of the risk committee members.

CRO experience versus Board member (risk committee) experience

Source: Companies, S&P Global Market Intelligence, Bloomberg

Regulation

Regulation has caught up since the global financial crisis, with regulators keen to strengthen risk governance. In the US, under the Dodd-Frank Act the enhanced prudential standards require publicly traded bank holding companies with total assets of USD 50 billion or more to have a risk committee. US banks must have at least one risk management expert on the board risk committee (this is indeed the case for the banks in our sample). The risk committee has to be comprised of no fewer than three members and its chair must be an independent director. In many cases – also in Europe – banks were required to have a separate risk committee as part of a settlement with regulators on the back of a litigation issue.

The European Banking Authority is less prescriptive in its guidelines on internal governance: a risk committee should be responsible for advising the Board on the current and future risk tolerance/appetite and strategy of the bank, and for overseeing the implementation of that strategy. The risk committee should regularly communicate with the CRO and should have access to external expert advice, particularly in relation to proposed strategic transactions, such as mergers and acquisitions.4

The Financial Stability Board (FSB) in 2013 published its thematic review on risk governance. It looked at risk governance practices at 36 banks within the G-20 countries (including Japan and China). It recommended that national regulatory and supervisory authorities should:

- ‘set requirements on the independence and composition of boards, including requirements on relevant types of skills that the board, collectively, should have (e.g., risk management, financial industry expertise) as well as the time commitment expected;’
- ‘hold the board accountable for its oversight of the firm’s risk governance.’
- ‘set requirements to elevate the CRO’s stature, authority, and independence in the firm.’
- ‘require the board to obtain an independent assessment of the design and effectiveness of the risk governance framework on an annual basis.’

4 European Banking Authority (2011), EBA Guidelines on Internal Governance (GL 44), September 2011

Specifically, on the relationship between the CRO and the Risk Committee the FSB advocates: 1) that ‘the CRO should have a direct reporting line to the board and/or risk committee’, and 2) that ‘the CRO meets periodically with directors without executive directors and management present’. Beyond that, ‘the CRO should have a direct reporting line to the CEO and should be involved in activities and decisions (from a risk perspective) that may affect the firm’s prospective risk profile (e.g., strategic business plans, new products, mergers and acquisitions, internal capital adequacy assessment process).’ This is illustrated in the framework below:

An example of a risk governance framework (Financial Stability Board/FSB)

Source: Financial Stability Board


Remuneration and executive scorecard

The next topic we address in this paper is the degree to which risk management metrics are part of the bank executives’ scorecard and whether these are merely qualitative or quantitative in nature. The EBA issued some guidelines on remuneration in December 2015. The key principle is that variable remuneration is consistent with sound and effective risk management. It should provide incentives for prudent risk taking in the long term. At this stage the remuneration principles are not legally binding; they are just guidelines. This may change in the near future.

Risk management and remuneration

Source: Companies, Glass Lewis

We conclude the following:

- With the exception of HSBC, none of the banks in our sample have any sort of risk management metric as part of their Long-Term Incentive Plan (LTIP).
- Looking at the Short-Term Incentive Plan (STIP), we find some banks bring in risk-adjusted metrics such as Profit After Capital Charge (CBA), or a more general risk-adjusted return on capital at risk as well as a cash return on risk-weighted assets. In other cases, the credit rating or CET1 capital ratio are chosen. We find Citigroup’s approach with metrics such as risk appetite surplus and a risk appetite ratio interesting (see the discussion below), as these indicators provide some context of the risk environment in which profitability targets are realized. All banks have these data, but not all of them share them with the outside world, let alone integrate them into the executive scorecard and remuneration scheme.


- No single best risk management metric: it is evident that there is no single best metric to assess risk management (improvement), but some banks bring in a mix of quantitative and qualitative indicators. ING and HSBC look at more qualitative issues such as enhancing the Finance and Risk capabilities (ING) or implementing and embedding conduct programs as part of the Global Standards initiative (HSBC).
- Disclosure can be improved with respect to remuneration and the different incentive structures. It is difficult for generalist investors to quickly understand whether the remuneration structure and executive scorecard are in line with their best interests. Furthermore, the relative balance between STIP and LTIP should receive more attention as it can be seen as a good proxy for risk management. For example, large STI awards relative to LTI do encourage gaming and short-term risk taking.

Citigroup’s key risk management metrics

Risk Appetite Ratio = ‘ratio between the earnings of a business unit, including expected losses (defined as core revenues minus operating expenses minus expected losses) (the numerator) and the stress losses under a 1-in-10-year stress scenario (the denominator). The business unit should produce sufficient earnings each year, so that it does not lose money under a moderate stress event (i.e. a 1-in-10-year stress scenario). As long as the relationship is higher than 1-to-1, the business unit ‘passes’ the Risk Appetite Ratio test. The Risk Appetite Ratio is currently viewed as a baseline standard or a minimum goal.’

Risk Appetite Surplus = ‘earnings (defined as core revenues minus operating expenses) minus both expected losses and unexpected losses (i.e., the stress losses of the business unit under a 1-in-10-year stress scenario). The Risk Appetite Surplus metric is intended to measure the ability of a business unit to withstand a moderate stress event without incurring an annual loss, and should improve year-over-year as a measure of improved capital strength. Risk Appetite Surplus is used as a more nuanced qualitative tool to evaluate the capital generation power of businesses that may ‘pass’ the Risk Appetite Ratio test.’

Source: Citigroup, 2016 Proxy Statement
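A worked version of the two Citigroup definitions quoted above, added here as an illustration; it is not code from the paper or from Citigroup, and the business units, years and figures are constructed. It also checks a point the definitions imply but do not state: when stress losses are positive, a unit passes the Risk Appetite Ratio test exactly when its Risk Appetite Surplus is positive, so the surplus adds magnitude and a year-over-year trend rather than a different pass/fail verdict.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class UnitYear:
    """One business unit's figures for one year (constructed, hypothetical USD millions)."""
    core_revenues: float
    operating_expenses: float
    expected_losses: float
    stress_losses: float  # unexpected losses under the 1-in-10-year stress scenario


def earnings_incl_expected_losses(u: UnitYear) -> float:
    """Numerator of the ratio: core revenues minus operating expenses minus expected losses."""
    return u.core_revenues - u.operating_expenses - u.expected_losses


def risk_appetite_ratio(u: UnitYear) -> float:
    """Earnings including expected losses divided by 1-in-10-year stress losses.

    Edge case the quoted definition does not cover: with zero stress losses the
    division is undefined, so return +inf (nothing to lose under stress) or
    -inf (the unit already loses money before any stress) instead of raising.
    """
    numerator = earnings_incl_expected_losses(u)
    if u.stress_losses <= 0:
        return float("inf") if numerator >= 0 else float("-inf")
    return numerator / u.stress_losses


def passes_ratio_test(u: UnitYear) -> bool:
    """A unit 'passes' when the relationship is higher than 1-to-1."""
    return risk_appetite_ratio(u) > 1.0


def risk_appetite_surplus(u: UnitYear) -> float:
    """Earnings (core revenues minus operating expenses) minus expected and unexpected losses."""
    return (u.core_revenues - u.operating_expenses) - u.expected_losses - u.stress_losses


def assess(history: dict[str, list[UnitYear]]) -> dict[str, dict]:
    """Evaluate each unit on its latest year: both metrics, the ratio pass flag, and
    whether the surplus improved year-over-year (None when only one year is available)."""
    report = {}
    for name, years in history.items():
        latest = years[-1]
        prior = years[-2] if len(years) > 1 else None
        surplus = risk_appetite_surplus(latest)
        report[name] = {
            "ratio": risk_appetite_ratio(latest),
            "passes_ratio_test": passes_ratio_test(latest),
            "surplus": surplus,
            "surplus_improved_yoy": None if prior is None else surplus > risk_appetite_surplus(prior),
        }
    return report


def ratio_and_surplus_agree(u: UnitYear) -> bool:
    """Ratio > 1 and Surplus > 0 are the same test whenever stress losses S are positive:
    (E - EL) / S > 1  <=>  E - EL - S > 0  for S > 0, with E = core revenues - opex."""
    if u.stress_losses <= 0:
        return True  # ratio is undefined here; nothing to compare
    return passes_ratio_test(u) == (risk_appetite_surplus(u) > 0)


# Constructed sample: three hypothetical business units, up to two years each.
SAMPLE: dict[str, list[UnitYear]] = {
    "Retail": [UnitYear(1000, 600, 100, 250), UnitYear(1100, 620, 110, 260)],
    "Markets": [UnitYear(800, 500, 50, 300), UnitYear(850, 520, 60, 320)],
    "Custody": [UnitYear(200, 150, 0, 0)],
}

if __name__ == "__main__":
    for unit, result in assess(SAMPLE).items():
        print(unit, result)
```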

HSBC: strengthening compliance and risk management procedures as part of remuneration

HSBC is one of the global banks with relatively high exposure to litigation. Following the USD 1.9bn settlement in 2009 for money laundering and breach of US sanctions, HSBC admitted to a breakdown of controls and committed to strengthening its compliance procedures. A Global Standards Committee was installed reporting to the Board to allow for quicker escalation of information. The Global Standards Program comprises the bank’s multi-year approach in which it implements global standards across its network to safeguard the bank and its clients against financial crime. The bank has been putting in place robust controls aimed at understanding more about its customers, what they do, and where and why they do it. In 2015, HSBC spent USD 1.5bn on Global Standards (versus USD 0.9bn in 2014) and investments only appear to be expected to plateau in 2016. The bank disclosed in 2015 that some 10% of the total FTE pool worked in compliance (believed to be the peak level).

Global Standards, including risk and compliance, are part of the executive scorecard of HSBC’s executive directors. For CEO Stuart Gulliver, they had a 25% weight in the 2015 annual incentive scorecard. In the Board assessment, only 60% of the 25%, i.e. 15%, was awarded. This was motivated by the Remuneration Committee as follows:


‘During 2015, the Global Standards programme assurance function has been strengthened to provide additional insight into programme outcomes and effectiveness. This has resulted in enhanced visibility of potential risks and compliance weaknesses and has enabled proactive mitigating actions. The Committee recognised that the Group had progressed with the implementation of other compliance and regulatory programmes in addition to Global Standards, including global stress testing, ring-fencing and global conduct. The Committee further noted favourable trends in customer redress, regulatory fines and regulatory provisions. However, the Committee exercised its discretion and reduced the assessment from 75% to 60%. This was based on feedback received from the Monitor, matters arising from risk and compliance incidents, and the number and extent of unsatisfactory internal audits covering AML and sanctions related issues.’1

Global Standards Progress

Source: HSBC (ESG Update, November 2015)


In this final section we look at best practice examples in risk management that we have come across in our analysis. We subsequently provide a table in which we look at the earnings and capital impact of relevant risk management value drivers. Finally we list the topics that are relevant in engaging with companies: How do we from an outside-in perspective assess the improvement (potential) and how do we make sure management stays the course? From our previous discussion we can distill the following best practice characteristics:

General risk management

- Risk management is explicitly mentioned as part of the bank’s materiality matrix, including the objectives for the current year to strengthen risk management capabilities.
- There is sufficient risk management expertise available on the Executive Committee (ideally more than half of the committee has risk management expertise).
- The risk function is structured in such a way that it is independent from the CFO, with a direct report to the Board (and the risk committee).
- There is a strong understanding of the risk appetite on a business unit level and client level across the organization.

Chief Risk Officer function

- There is a Chief Risk Officer (CRO), who is part of the Executive Committee.
- The CRO has a clearly identified authority to guard risks within the organization.
- The CRO has deep experience in risk management, ideally within and outside the current organization.
- Succession planning around the CRO function and the key levels below that is well-planned with a deep and strong enough bench. The bench should be diverse in terms of personality, gender, nationality, etc.

Risk management and the Board

- The Board has sufficient experience and knowledge to effectively challenge management on risk management (more than one independent non-executive director has risk management expertise, ideally with outside perspective).
- Availability of a skill/experience gap matrix: the Board is pro-actively addressing a potential skill/experience gap in risk management when it looks for new directors (and is transparent about this to relevant stakeholders).
- The Board has a stand-alone risk committee that is 100% independent and has sufficient risk management and general banking and financial expertise.
- The members of the risk committee are voted upon by shareholders.

Risk management and remuneration

- Risk management metrics are explicitly integrated into the remuneration framework and profit targets are based on risk-weighted capital.
- The company has clawbacks in place. It is interesting to note that the majority of recent clawbacks have been a result of shareholder pressure rather than regulation. As an example, Wells Fargo was not required under the Dodd-Frank Act to have a clawback policy in place. Instead, shareholders pressured the Board to include it. The subsequent issue, now that it is in place, is to actually enforce it (Deutsche Bank is making some strides in this regard).

Culture and behavior

- There is a clear tone from the top on risk awareness and reducing the risk of future losses, with ownership of risk throughout the organization.


- The company is transparent on risk governance issues with the aim to improve procedures and performance and learn from past incidents.
- The bank has a link between the Code of Conduct and the executive scorecard with respect to risk management.

Cyber risk

- The bank takes an active approach to cyber security and is able to articulate its level of preparation.
- Someone on the Board – ideally on the risk committee – has ownership of cyber security risks.
- Cyber security risks are regularly discussed at Board level and this is combined with an outside-in view.
- The bank is transparent about its investment in security technologies and the processes in place to manage access to sensitive data.

What is the impact on shareholder value creation?

An important question is how a strong risk management track record and profile impact the shareholder value creation of a bank. We see many specific factors that contribute to this and link this to the bank’s value drivers:

Source: Robeco

What can we say so far about the subtitle of our research paper … Have we built better banks? There are various angles to this question: progress in terms of structure and procedures, in terms of capital strength and risk appetite measurement, and lastly there is the behavioral side and whether remuneration is aligned with this.

We have established that indeed banks have built better risk management and improved risk oversight structures (the three lines of defense model has been strengthened). Undeniably, capital levels have been boosted and also the quality of the capital position has improved, with leverage in the system coming down.

The final factor is about behavior and remuneration. On remuneration and the embeddedness into the executive scorecard, we found that there are still many banks that do not incorporate any risk management metric into their incentive plan. This often goes hand in hand with Return on Equity as the key metric for a bank’s Short-Term Incentive Plan. Suffice it to say, there is room for improvement here.

It is recommended that investors continue the dialogue with banks on a continuing basis. To aid with this, we have included a checklist with questions relating to risk management and risk oversight dealing with bank management and directors. Let us build better banks together!


Checklist

General risk management

- Who at the highest level in your bank is responsible for risk control/oversight, risk appetite/tolerance, the risk strategy and risk monitoring?

- Can you provide some insights into your bank’s risk limits? Who sets which limits?

- How has your bank’s risk appetite changed over the past 10 years? How do you measure/ benchmark this?

- How do you incorporate risk management criteria into the product development or approval process?

Chief Risk Officer function

- How many direct reports does the CRO have?

- How is the independence and authority of the CRO safeguarded at your bank?

- What is the reporting relationship between the CRO and CFO?

- How many internal successors do you have for the CRO function?

- What does the executive scorecard for the CRO look like?

Risk management and the Board

- What is the responsibility of the Board with respect to risk governance?

- How many members of your Board’s Risk Committee in your view have strong risk management expertise? Who else on the Board?

- How important is risk management expertise for new Board members?

- When was the last time you brought in external expertise within the Risk Committee?

- Are new checks and balances mandated by the Board?

- How does the Board ensure that incentive performance targets do not encourage unwanted (cultural/excessive risk-taking) behavior?

- Do the members of your Board’s Risk Committee have many other directorships (risk of over-boarding: do they have sufficient time to dedicate or are they sitting on multiple boards, perhaps related to the scarcity of their expertise)?

Risk management and remuneration

- How have you structured your compensation policy to manage employee risk-taking?

- Are risk management metrics part of your STIP and LTIP performance indicators?

- Are there clawbacks in place? Have you ever had to use them?

Culture and behavior

- Is there a link between your Code of Conduct and the executive scorecard with respect to risk management?

- How do you ensure that employees comply with your code of ethics?

- How do you address behavior that is not aligned with your bank’s values?

- What changes have been made to your Code of Conduct since the 2008/09 financial crisis?

- How many employees are in Compliance and how does this compare to pre-financial crisis?

- Is there any risk of further litigation?

Cyber risk

- Who on the Board has expertise and ownership of cybersecurity risks?

- Do you feel that your bank has adequate systems and governance to deal with cyber risk?

- Is cybersecurity discussed at Board level? How frequently? Do you bring in external expertise?

- What have you learned from some of your bank or the sector’s latest cyberattacks?

- What processes do you have to manage access to sensitive data? What are your data protection policies?

- How much has your bank invested in security technologies? Do you expect to increase this amount?


Important Information

Robeco Institutional Asset Management B.V., hereafter Robeco, has a license as manager of UCITS and AIFs from the Netherlands Authority for the Financial Markets in Amsterdam. Without further explanation this presentation cannot be considered complete. It is intended to provide the professional investor with general information on Robeco’s specific capabilities, but does not constitute a recommendation or an advice to buy or sell certain securities or investment products. All rights relating to the information in this presentation are and will remain the property of Robeco. No part of this presentation may be reproduced, saved in an automated data file or published in any form or by any means, either electronically, mechanically, by photocopy, recording or in any other way, without Robeco's prior written permission. The information contained in this publication is not intended for users from other countries, such as US citizens and residents, where the offering of foreign financial services is not permitted, or where Robeco's services are not available.

Additional Information for investors with residence or seat in France

RIAM is a Dutch asset management company approved by the AFM (Netherlands financial markets authority), having the freedom to provide services in France. Robeco France has been approved by the French prudential control and resolution authority (formerly ACP, now the ACPR) as an investment firm since 28 September 2012.

Additional Information for investors with residence or seat in Germany

This information is solely intended for professional investors or eligible counterparties in the meaning of the German Securities Trading Act.

Additional Information for investors with residence or seat in Italy

This document is considered for use solely by qualified investors and private professional clients (as defined in Article 26 (1) (d) of Consob Regulation No. 16190). If made available to Distributors and individuals authorized by Distributors to conduct promotion and marketing activity, it may only be used for the purpose for which it was conceived. Therefore, the information set forth herein is not addressed and must not be made available, in whole or in part, to other parties, such as retail clients. Robeco disclaims all liability arising from uses other than those specified herein. All rights relating to the information in this presentation are and will remain the property of Robeco.

Additional Information for investors with residence or seat in Spain

The Spanish branch Robeco Institutional Asset Management BV, Sucursal en España, having its registered office at Paseo de la Castellana 42, 28046 Madrid, is registered with the Spanish Authority for the Financial Markets (CNMV) in Spain under registry number 24.

Additional Information for investors with residence or seat in Switzerland

RobecoSAM AG has been authorized by the FINMA as Swiss representative of the Fund, and UBS AG as paying agent. The prospectus, the articles, the annual and semi-annual reports of the Fund, as well as the list of the purchases and sales which the Fund has undertaken during the financial year, may be obtained, on simple request and free of charge, at the head office of the Swiss representative RobecoSAM AG, Josefstrasse 218, CH-8005 Zurich. If the currency in which the past performance is displayed differs from the currency of the country in which you reside, then you should be aware that due to exchange rate fluctuations the performance shown may increase or decrease if converted into your local currency. The value of the investments may fluctuate. Past performance is no guarantee of future results. The prices used for the performance figures of the Luxembourg-based funds are the end-of-month transaction prices net of fees up to 4 August 2010. From 4 August 2010, the transaction prices net of fees will be those of the first business day of the month. Return figures versus the benchmark show the investment management result before management and/or performance fees; the fund returns are with dividends reinvested and based on net asset values with prices and exchange rates of the valuation moment of the benchmark. Please refer to the prospectus of the funds for further details. The prospectus is available at the company’s offices or via the www.robeco.ch website. Performance is quoted net of investment management fees. The ongoing charges mentioned in this publication is the one stated in the fund's latest annual report at closing date of the last calendar year.

Additional Information for investors with residence or seat in the United Kingdom

This statement is intended for professional investors only. Robeco Institutional Asset Management B.V. has a license as manager of UCITS and AIFs from the Netherlands Authority for the Financial Markets in Amsterdam and is subject to limited regulation in the UK by the Financial Conduct Authority. Details about the extent of our regulation by the Financial Conduct Authority are available from us on request.

Additional Information for investors with residence or seat in Hong Kong

This document has been distributed by Robeco Hong Kong Limited (‘Robeco’). Robeco is licensed and regulated by the Securities and Futures Commission in Hong Kong. The contents of this document have not been reviewed by any regulatory authority in Hong Kong. If you are in any doubt about any of the contents of this document, you should obtain independent professional advice.

Additional Information for investors with residence or seat in Singapore

This document has not been registered with the MAS. Accordingly, this document may not be circulated or distributed directly or indirectly to persons in Singapore other than (i) to an institutional investor under Section 304 of the SFA, (ii) to a relevant person pursuant to Section 305(1), or any person pursuant to Section 305(2), and in accordance with the conditions specified in Section 305, of the SFA, or (iii) otherwise pursuant to, and in accordance with the conditions of, any other applicable provision of the SFA. This information is for informational purposes only and should not be construed as an offer to sell or an invitation to buy any securities or products, nor as investment advice or recommendation. The contents of this document have not been reviewed by the Monetary Authority of Singapore (“MAS”). Robeco Singapore Private Limited holds a capital markets services licence for fund management issued by the MAS and is subject to certain clientele restrictions under such licence. An investment will involve a high degree of risk, and you should consider carefully whether an investment is suitable for you.

Additional Information for investors with residence or seat in Australia

This document is distributed in Australia by Robeco Hong Kong Limited (ARBN 156 512 659) (‘Robeco’) which is exempt from the requirement to hold an Australian financial services licence under the Corporations Act 2001 (Cth) pursuant to ASIC Class Order 03/1103. Robeco is regulated by the Securities and Futures Commission under the laws of Hong Kong and those laws may differ from Australian laws. This document is distributed only to wholesale clients as that term is defined under the Corporations Act 2001 (Cth). This document is not for distribution or dissemination, directly or indirectly, to any other class of persons. It is being supplied to you solely for your information and may not be reproduced, forwarded to any other person or published, in whole or in part, for any purpose.

Additional Information for investors with residence or seat in the Dubai International Financial Centre (DIFC), United Arab Emirates

Robeco Institutional Asset Management B.V. (Dubai Office), Office 209, Level 2, Gate Village Building 7, Dubai International Financial Centre, Dubai, PO Box 482060, UAE. Robeco Institutional Asset Management B.V. (Dubai office) is regulated by the Dubai Financial Services Authority (“DFSA”) and only deals with Professional Clients and does not deal with Retail Clients as defined by the DFSA.