
FOREWORD

Governance, risk and control is one of the biggest issues facing financial institutions today. As the credit crunch continues to present a number of challenges to CEOs and entire corporations, it is imperative that all financial institutions reappraise their enterprise-wide control and governance systems and hierarchies.

Reactions to some of the issues emerging from the 2007/2008 credit crunch include: tightening individual controls; building liquidity risk into models and business plans; identifying where credit and market risks really originate from; more sophisticated stress testing, and scenario analysis. These are clearly necessary steps and laudable aims. However, the questions that arise are whether they will address the underlying problems that resulted in businesses expanding into riskier products and sectors, and the aggregate exposure exceeding the risk appetite of organisations.

The purpose of this paper is to shed some light on the progress of major financial institutions around the world in developing governance and control systems. We have looked at actual operational data for 32 major financial institutions from around the globe, which has enabled us to examine the state of the governance, risk and control systems within financial institutions. Opportunities for improvement exist in the overall coherence of policies, procedures and operations and spotting the ways in which risks interact with each other, for example, credit and market risk.

A key issue is the lack of clarity in the taxonomy around governance and control. This opacity of definition is causing, on occasion, a failure in strategies.

For the purposes of our work we have defined governance, risk and control as:

  • a process, implemented by the board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of business objectives in the following areas:

    • Maintaining compliance with applicable laws and regulations

    • Safeguarding the assets of the organisation

    • Promoting the effectiveness and efficiency of operations, including the effective management of risk

    • Ensuring the reliability of financial reporting.

A key to success lies in the introduction of more coherent risk and control systems with appropriate governance structures spanning all related procedures. As financial services organisations continue to focus on operational improvements and cost control, together with major mergers and acquisitions transactions, it is equally vital that priority is given to strengthening the control environment.

Russell Collins
Co-leader, Deloitte EMEA Financial Services

EXECUTIVE SUMMARY

Competitive Advantage Through Compliance?

Five years since the introduction of Sarbanes Oxley, financial services institutions continue to face an avalanche of regulation. Seldom are compliance and competitive advantage mentioned together within a financial institution, until now. To create greater value, institutions must consolidate, standardise and align their governance and control systems. This is an issue that must combine compliance and business approaches. The goal: developing corporate agility and flexibility to absorb new regulatory demands while accruing cost efficiencies and, in time, competitive advantages. As the bar of regulation and control continues to rise, senior executives must demonstrate to the relevant authorities they are in control.

The 'Hundred Billion Dollar' Challenge

Much has been said about the market costs of regulation.1 Similarly volumes have been devoted to the cost of major initiatives such as Basel II, Sarbanes Oxley and IFRS. Little has appeared, however, about the total costs for financial institutions. This report is a first step to correcting this balance. According to our survey,2 the top 100 financial services institutions by market capitalisation have seen expenditure in this area increase by over 30 per cent in the past three years to £28 billion ($56 billion). Further, this cost burden is yet to peak. Projecting from the results of our survey, the cost for governance and control for the top 100 institutions could reach £50 billion ($100 billion) by 2010.3, 4

Unlevel Playing Field?

There has been much debate around the issue of the exact business impact of increased regulation in financial markets. Our survey suggests economies of scale apply to the enterprise-wide implementation of governance and controls systems. Larger financial services institutions, although they tend to operate in a higher number of jurisdictions, with greater compliance demands, spend on average four per cent of their total expense base on governance and compliance activities. By contrast, smaller financial institutions on average spend six per cent of their total expenses. In essence, it appears growing regulatory demands could be creating an uneven regulatory environment potentially acting as a competitive disadvantage to smaller financial institutions.

WORK IN PROGRESS?

Almost to the day, on the fifth anniversary of the Securities and Exchange Commission's (SEC) introduction of the Sarbanes-Oxley Act, financial markets suffered one of the most significant tightenings in credit markets in a generation. In the aftermath, many financial institutions and senior executives have had to take huge write-downs already totalling in excess of £600 billion ($1.2 trillion),5 a sum which may become even higher. Senior executives have also found their job security has been threatened.

Above all, it is clear that financial institutions are still seeking to find the correct balance between risk and reward amongst the upheaval of financial innovation. And governance and control mechanisms developed to identify and eradicate uneconomic investment decisions are clearly a work in progress.

The purpose of this paper is to shed some light on the progress of major financial institutions around the world in developing governance and control systems. Further, it endeavours to provide answers to some significant questions that have hovered over the industry for some time: Has the burden of implementation cost peaked? How much is the annual cost of compliance?

Are economies at play in compliance with the introduction of myriad new rules? Are geographical or sectoral differences evident across the industry? Who has responsibility within financial institutions for governance and control? And, finally, what does best practice look like?

The financial services industry has been hit by a deluge of regulation since the turn of the Millennium. This has included measures to address capital adequacy such as Basel II and Solvency II, and measures addressing market practices, such as Treating Customers Fairly (TCF) in the United Kingdom, and the Markets in Financial Instruments Directive (MiFID) in the European Union, as shown in Figure 1. Investment banks, commercial banks and insurers have all been affected by regulations from a variety of jurisdictions.

More important for investors is the ability of a financial institution not only to focus on compliance but also to deliver bottom-line business benefits from governance and control activities. These benefits can include increased shareholder confidence, better credit ratings, a lower cost of capital, strengthened risk management practices, including evidencing of control, and an overall, stronger sense and comfort of being in control.

KEY FINDINGS

The governance and control burden is growing rapidly, and is likely to peak at £50 billion in 2010

Most senior executives realise that one of the fastest growing line items on the expense base over the last five years has been governance and control, but often this is not highlighted separately in profit and loss accounts. Significant programmes have been established, and resources diverted, to redesign control infrastructure, procedures and processes to ensure compliance across the business. We estimate that major financial institutions have seen the costs for governance and control between 2003 and 2006 rise by around a third on average.

Contrary to established wisdom, our research shows that the financial burden of compliance has not yet peaked and is likely to reach nearly £50 billion ($100 billion) in 2010. Over half of the respondents do not expect to see any deceleration of reform until 2010, compared with only a fifth who think reform will slow. In 2007, costs for the largest 100 financial institutions were between £21 billion and £28 billion ($42 billion and $56 billion). By 2010 these will likely rise to between £35 billion and £48 billion ($70 billion and $96 billion). The most significant increases are likely to be in compliance activities, risk management and business unit control.

The very different evolution of compliance demands across the industry is leading to different cost trajectories within banking, insurance and capital markets. The principal impact of Basel II spending has been on banks in the middle of this decade, but completion deadlines are now in effect in most markets with the exception of the United States. Solvency II, however, is still very much in its infancy. Figure 2 illustrates these different sector expense profiles. The graphic shows the financial services industry is unlikely to pass the peak of the compliance burden until well into the next decade.

Each of these sectors differs in terms of the steps it is now likely to take. Banks will be attempting to use their investments in implementing Basel II to gain business benefits, principally through regulatory capital relief and improved pricing. European insurers are likely to be accelerating their investment and upgrading of systems to reach compliance with Solvency II, with International Financial Reporting Standards (IFRS) giving all insurers opportunities for benefits by improving the reporting of risk. Finally, investment banks are likely to be investing in enterprise-wide controls to become more compliant and efficient following the credit crunch.

Economies Of Scale Are At Play, As Big Appears To Be Best

Little is known about how the burden of compliance has been distributed across the financial services industry. This is a fiendishly difficult area to investigate, but it is critical to understanding the impact of the regulatory avalanche on business performance. Our survey of governance and control has found that larger financial services institutions have costs as a percentage of operating expenses 2.5 per cent lower than smaller counterparts.6 Larger institutions appear to be benefiting from economies of scale, despite the fact that on average they operated in 36 markets compared with just six for smaller institutions.

This may be because larger institutions are more likely to leverage economies of scale in governance, control and risk specialists in setting global standards. The ability to implement, cost-effectively, flexible systems for governance and control, which can cope with significant variation in compliance responsibilities across borders, will increasingly become a hallmark of success.

Trends in international regulation, particularly the use of a 'lead supervisor' to co-ordinate peer jurisdictional authorities, could significantly cut costs for larger institutions. The insurance sector, for example, believes that the supervision of groups operating in a number of jurisdictions should be co-ordinated and led by the supervisory authority of the jurisdiction where the group is headquartered.7 Further, the European Commissioner, Charles McCreevy, announced that regulatory authorities would be co-ordinated, where possible, across all areas of the current Level 3 arrangements.8

The long-term implications of this potentially are highly significant. If the regulatory burden is falling more heavily on smaller institutions, they will increasingly be operating at a competitive disadvantage. This unintended consequence of the regulatory deluge may therefore need to be reviewed within the context of principal-based regulatory regimes.

The Western Hemisphere Is Forging Ahead Of Asia Pacific

Medicine rarely tastes good. The introduction of Sarbanes Oxley was, for many, accompanied by significant distaste for the idea. In the longer term, it does appear that those institutions exposed to the rigours of more exacting compliance regimes have made more progress with developing integrated governance and controls frameworks.

Financial institutions in the western hemisphere are ahead of their eastern colleagues. Our analysis shows only a quarter of financial firms operating worldwide have a reasonably integrated compliance and controls framework; all of these firms are from the west. These results suggest there is much to do in the Asia Pacific region, both in continuing to create regulatory regimes and continuing to raise the quality of internal governance and control systems.

Banks And Capital Market Players Lead The Way

A similar picture emerges across sectors of the financial industry. Banking and capital markets tend to be the most advanced in their risk management control structures. This is most likely driven by the fact that these institutions have had to deal with major regulatory demands such as Basel II and MiFID.

All the major sectors of the financial services industry are facing a significant, and seemingly ongoing, governance and control challenge. Banks, insurers and investment banks have all seen the costs for governance and control rise by around a third between 2003 and 2006. Each of these sectors differs in terms of the steps it is now likely to take. Banks will be attempting to use their investments to finalise the implementation of Basel II to gain business benefits. European insurers are likely to be accelerating their investment and upgrading of systems to reach compliance with Solvency II, with IFRS giving all insurers opportunities for benefits by improving the reporting and disclosures to market participants on regulatory capital levels and risk management procedures. Finally, investment banks are likely to be investing in enterprise-wide controls to become more compliant and efficient, and will be trying to gain advantage from working in the post-MiFID environment.

Banks are ahead of investment banks and insurers in the implementation of regulations such as anti money-laundering, IFRS, information security and privacy legislation. The biggest regulatory burden they face is Basel II (see Sidebar) and, unsurprisingly, at the time of our survey nearly nine-in-ten were halfway through its implementation. However, the Basel II Accord is complex, with many areas of specific policy where discretion is available to supervisors.9 This could put internationally active banks under a significant burden, as they will have to comply with multiple 'versions' of Basel II following differing timelines for implementation.

Our survey found that insurance is currently the sector lagging in its implementation of a governance and control structure. Preparations for compliance with Solvency II by 2012 are putting pressure on insurers to improve their governance, control and risk practices (see Sidebar). As well as the potential benefits from Solvency II, insurers face opportunities from IFRS Phase 2, which will give them the chance to convey their business potential and risk appetite in financial statements, and therefore potentially improve shareholder confidence.

Somewhat surprisingly, following recent problems in the sector, investment banking is furthest ahead in terms of an institution's likelihood to have fully implemented a governance and control structure. We found investment banks' governance and control investment is likely to be driven by the need to improve shareholder confidence, as opposed to the spending of banks and insurers, which is more likely to be compliance driven. Investment banks' leading performances can also be partly explained by their being in the midst of implementing Basel II, with European firms also implementing MiFID (see Sidebar).

Sidebar: Major Regulations Affecting The Financial Services Industry

Basel II provides a regulatory capital framework that is more sensitive to the risks that banks face. It is designed better to align regulatory capital levels with a bank's risk profile. This offers the potential for firms to be able to release for other purposes any capital in excess of regulatory capital requirements. It is likely to affect the product development and investment mix of banks and provide significant incentives for firms to improve their risk management practices. So far, the European banking industry is estimated to have invested £9 billion ($18 billion/€13 billion) in its implementation.10

Solvency II broadly follows the approach of Basel II. Larger insurers in particular are already tending to align themselves to Basel II standards for their operational risk.11 Solvency II will aim to promote sound risk management, align supervisory requirements with market practices and reward financial services institutions that are good at managing risk. For the first time, insurers will be required to hold capital against their operational and market risks. This is intended to ensure that they can withstand adverse, unexpected events and can protect their policyholders and the financial system as a whole. Analysts have suggested that up to 40 per cent of insurers' buffer capital requirements could be shaved off when the regulation comes into force.

MiFID has introduced significant changes to the European regulatory framework for investment banks and aims to complete the process of creating a single EU market for investment services. The FSA's cost-benefit analysis indicates that MiFID should lead to a one-off investment of £925 million to £1 billion ($1850 million to $2 billion), with subsequent ongoing costs of £100 million ($200 million).12 However, it also estimated that it will reduce compliance and transaction costs for cross-border firms by £200 million ($400 million).13

Fragmented Responsibility And Accountability

Good intentions are not enough to ensure a shift in operating culture. Clarity on who owns what process in an integrated governance and control architecture is therefore critical. It appears a prime source for the losses incurred by many major banks in the recent credit crunch was the inability of those institutions, in many instances, to link risk and control functions together.

Our research highlights fragmentation across major financial firms in who has responsibility for integrating governance, risk and control systems. Just 41 per cent of firms stated their audit committees or boards of directors have overall control of governance and controls. Less than half (47 per cent) have undertaken consolidation of governance and controls across borders and operational units in the past three years.

Implementation challenges

Compliance and competitive advantage are seldom paired together. Most financial institutions have kept them well apart over decades. Until now. It is clear that developing governance and control capabilities can yield improved business performance. The focus is now on achieving next generation capabilities.

Almost no major financial institution can claim to have a fully integrated and operational system of risk, governance and controls. We estimate around 33 per cent of institutions are in the leaders category, 45 per cent in the followers cluster, with the remainder in the laggards group.

The focus on achieving next generation status (an intelligent risk, governance and control culture) will require those at the top of an organisation to recognise the long-term benefits of improved risk management. A portfolio view of an organisation's risk appetite may have helped many of the financial institutions that have faced difficulties in the recent credit crunch, for example. By moving to a more active approach, as shown in Figure 3, rather than a passive or defensive approach, all firms can gain business benefits from their governance and control.

Next-generation institutions will be distinguished in three key areas:

1) Governance. Senior management should be visibly involved in communicating messages about behaviour in risk and control culture through the organisation in a way that reflects the 'tone at the top' and adopts continual improvement. The Basel Committee on Banking Supervision at the Bank for International Settlements has said that since the board of directors is ultimately responsible for the operations and financial soundness of a company, a bank's risk profile, policies and management procedures should be understood and approved at board level.14

Action: From now on, the board and senior executives must bring clarity to who owns the integration of governance, risk and control across the institution. Different regulatory systems across the world mean no one position fulfils this function. Nonetheless, the common factor is the need for the board to appoint an individual with this responsibility. In the United Kingdom the chairman could be best placed to take on this responsibility. The responsibility for control may give the chairman the detailed management information to act as a more effective counterweight to the executives. Gaining clarity on the issue of accountability will be essential for success.

2) Culture. Building a strong governance and control culture within a company could significantly reduce the risks of control failure and could identify more areas where good control can bring business benefits. The FSA in the United Kingdom has said: "there should be a clear message within [a] firm that compliance risk is owned by the business and that all staff are responsible for adhering to the desired compliance culture".15 This message should be strengthened by explicitly considering the compliance behaviour in staff assessments, including staff appraisal, reward and promotion processes.

Action: It is clear that if a financial institution does not appreciate controls as good business sense, there may be active resistance to governance and control initiatives. There needs to be a continuing work programme focused on how to embed and reward the right policies and procedures across an organisation. As one executive put it "you have to keep renewing the white blood cells".

3) Operating model and systems. The technology industry would not be what it is today without the financial sector and its huge purchasing power. Pressure to reduce costs means that successful financial institutions are likely to demonstrate an ability to optimise technology around key priorities including governance and controls. Developing systems that can intelligently review data to identify control shortfalls in real time is crucial to reducing the many and costly risks of control failures. Tools now exist that allow organisations to structure and store all relevant data in a central repository, including data related to their risks, controls and procedures.16 Embedding automated controls can give senior management the opportunity to govern in a manner that is consistent with the company's risk profile.

Action: Building the operational infrastructure to ensure a flexible and integrated governance and control system is a major challenge for financial institutions. Figure 4 sets out four pillars around which to build this infrastructure:

  • Organisational consistency
  • Business model architecture
  • Technology capacity and capability
  • Information quality.

The challenge for financial institutions is to ensure such programmes are coherent and deliver real business value. To achieve this objective requires senior management to add control and governance considerations to each investment decision.

Conclusion

Current market dynamics reinforce that there are few greater issues for financial institutions to address than governance and control systems. While such systems set few hearts racing until it is often too late, increasingly they are determining the long-term winners and losers across the world's financial services industry. Further, they are likely to play a central role in the individual success or failure of senior executives whom shareholders, regulators and other stakeholders hold accountable. Like it or not, governance and controls should be right back at the top of the corporate agenda in financial firms around the globe.

Projecting from the results of our survey, we estimate financial services institutions will potentially face costs of £50 billion ($100 billion) from governance and control by 2010. In order to tackle this challenge to cost efficiency, risk and governance, institutions need to consolidate and redesign their systems, making them flexible enough to adapt to a changing regulatory and business environment. Our survey has found that some financial institutions are already meeting this challenge, while others are likely to require a rethink.

Larger institutions are facing proportionally lower costs for governance and control, and the possibility of a 'lead supervisor' model across boundaries could further their advantage. This could spur consolidation in the industry. On the other side of the coin is return on investment. Financial institutions that grasp the opportunities this entails will move successfully ahead in the coming years, fully in control.

Footnotes

1. For example, see: The cost of regulation study, Deloitte & Touche LLP, 2006 (commissioned by the Financial Services Authority in the United Kingdom).

2. Deloitte Research undertook a survey of 32 companies in the financial services industry, together making up a third of the world's top 100 financial services companies by market capitalisation. Governance and controls survey, January 2007.

3. This calculation is based purely on the cost base. We have not included any costs or benefits from improved risk management and allocation of capital.

4. Deloitte Research undertook a survey of 32 companies in the financial services industry, together making up a third of the world's top 100 financial services companies by market capitalisation. Governance and controls survey, January 2007.

5. Goldman sees credit losses totalling $1.2 trillion, www.reuters.com, 26 March 2008.

6. Larger companies have been defined as those with a market capitalisation of greater than £20 billion, operating in an average of 36 countries. Smaller companies have been defined as those with a market capitalisation of less than £20 billion, operating in an average of six countries. Governance and controls survey, January 2007.

7. www.cea.assur.org/cea/download/publ/article258.pdf

8. McCreevy rules out super-regulator, Financial Times, 21 November 2007.

9. Deloitte & Touche LLP (China), Understanding the framework: Adopting the Basel II Accord in Asia Pacific, Deloitte Touche Tohmatsu 2005. http://www.deloitte.com/dtt/cda/doc/content/02720_Basel_II_Adopting.pdf

10. Payback time for Basel II, Oliver Wyman, 2007.

11. Management of Operational Risks in Insurance, Deloitte & I.VW-HSG, June 2007.

12. Financial Services Authority, The overall impact of MiFID. http://www.fsa.gov.uk/pubs/international/mifid_impact.pdf

13. Ibid.

14. Enhancing corporate governance for banking organisations, Basel Committee on Banking Supervision, Bank for International Settlements, February 2006.

15. http://www.fsa.gov.uk/pubs/ceo/compliance_risk.pdf

16. Securities and Banking Update: A firm hand at the wheel, Deloitte & Touche LLP UK, July 2007.

AUTHOR(S)
Deloitte Financial Services Group
Deloitte