Chief risk officers (CROs) in the banking sector are closely examining their resource allocations. CROs are increasingly being expected to assist in enhancing their institutions’ overall efficiency, following years of hiring more staff to strengthen controls of global, multidimensional, and developing threats. In light of the current inflationary pressures, this is a justifiable and challenging request. However, CROs perceive that supervisors are pressuring them to augment their organizational and regulatory resource bases. Regardless, in order to fulfill their fiduciary obligations, CROs need to ensure that the right amount of resources is available for effective risk management oversight. However, figuring out how best to distribute resources across a variety of risks, dispersed operations, and geographical locations can be challenging.

to assist CROs in analyzing their resource levels to those of their competitors and discovering potential areas for efficiency within their own companies. More than thirty sizable banks in Europe, North America, and Australia have CROs; of these, more than half are widely recognized, systemically important institutions. In order to ensure comparability and explanation, Various Survey asked them about the specific resources for their second line of defense (LOD2) risk function, as well as the key factors that have shaped the evolution of their risk function over the previous few years, such as organizational structure, offshoring, functional maturity, and the bank’s business model. These questions were based on about 80 risk and compliance management activities.

Increasing the number of employees does not always translate into improved risk management, according to an analysis of a small data sample. Effectiveness and risk efficiency have a usually favorable correlation, according to recent studies. Additionally, a well-designed risk transformation program can increase risk effectiveness while reducing costs by 15 to 25 percent on a gross basis (with a portion being reinvested).

Reducing the risk function

Risk resources are being mapped by activity multiple CROs in an effort to right size the risk function. However, it is a challenging activity to compare risk functions with peers and find potential gaps. The division of responsibility between LOD1 and LOD2 (e.g., in the processes associated with credit underwriting, financial crime, or fraud) and between the various LOD2s (e.g., risk, compliance, legal, and finance) varies widely among banks. Comparisons must be done as precisely and at a level of activity as feasible in order to be meaningful.

Focus on a statistic called risk full-time-employee (FTE) intensity in the survey done in 2021. This metric is essentially the number of FTEs in the risk function divided by the total number of FTEs at the bank. Risk FTE intensity for a shared standardized scope of core risk activities (excluding financial crime and compliance activities) was found to be between 1.6 and 3.5 percent for over 90% of the banks in the studied sample, with a median of 2.6 percent. Banks above the median tended to streamline and converge toward the median, while banks below the median continued to gradually increase their risk resources in comparison to a similar poll conducted two years previously. Half of CROs anticipate that the number of risk FTEs will increase in the future.

Because there is a little negative association between scale and FTE intensity, the bigger banks have a lower skew. For a bank with 150,000 employees compared to a bank with 50,000 employees, these scale benefits helped reduce risk FTE intensity by 0.2 to 0.3 percent. There is a higher intensity of wholesale activities within universal banks (roughly two times higher), but there is no discernible relationship between FTE intensity and geographic footprint or business model at the bank level (for example, primarily wholesale versus primarily retail banking).

Significant differences in risk FTE intensity are present among the surveyed banks for all risk functions. These variations can be attributed to various factors, including the maturity of LOD1, the level of regulatory scrutiny, the maturity of the bank’s systems and procedures, data management, and the history of risk incidents. Nevertheless, the averages serve as useful benchmarks.
In terms of expenses, risk costs comprised roughly 2.5 percent of operational costs for the banks examined. Due in part to their increased usage of near- and off-shoring for risk FTEs as well as a lower ratio of average risk FTE cost vs front office average FTE cost, large universal banks—especially those with significant corporate and investment banking—generally have lower cost-intensity ratios compared to FTE ratios.

Setting up money for specific hazards

Credit risk management accounts for the majority of FTEs in the LOD2 risk function, with a median FTE intensity of 1.25 percent. There has been an average drop in credit risk FTEs over the last two years of 4 to 5 percent, mostly in the credit underwriting sector. This was mostly brought about by LOD1 being given additional responsibility and the underwriting process continuing to be automated.

The average FTE intensity of market risk is found to be 0.25 percent. Particularly for the banks with the lowest FTE intensity in market risk, this increased marginally from two years ago. The increase in this average was facilitated by regulatory activity, including the Fundamental Review of the Trading Book. Similar to compliance, operational risk likewise has an FTE intensity of 0.25 percent, however it has dropped in the last two years. By giving the LOD1 greater authority over tasks like testing and monitoring, several banks have significantly reduced the scope of their operational-risk departments. Less “generalist” operational-risk employees now serve the businesses, as more funds are devoted to strengthening LOD2 knowledge on emerging nonfinancial risks (including cyber, data, and IT risks).

Model risk management, enterprise risk management, and other activities make up about equal portions of the remaining risk FTEs. The number of resources dedicated to model risk management has been increasing as more banks develop this function to enforce regulations and monitor a wider range of models, including regulatory capital models, compliance models, market pricing models, underwriting models, and climate risk models.

With the launch of the Prudential Regulatory Authority CP6/22 in the UK in June 2022, the sorts of models that need validation will only increase, maintaining this rising trend in risk management resources. Despite the fact that many banks have established climate risk teams, they are typically small—less than 15 FTEs—and primarily serve as coordinating bodies. Other well-established teams include climate risk into their current risk frameworks, procedures, and models and carry out climate stress testing.

Organizational levers to alter risk in order to improve effectiveness and efficiency

CROs can evaluate alternative approaches to reshaping their risk functions by using survey findings as a benchmark against peers. Refocusing LOD2 tasks, balancing resources between individual companies and locales against cross-business and global teams, and near- and off-shoring are organizational levers that IT has learned are of special relevance from survey work.

Primarily, there is a continuous movement to shift the risk function’s focus back to standard LOD2 duties, such as policy formulation, challenge role, appetite establishment and monitoring, and second-line controls and reporting. LOD2 generally has to increase their proficiency in emerging risk categories, like those that emerge in the fields of tech and cyber security and climate change. On the other hand, LOD1, who are in charge of specific processes and operations, must improve their ability to manage risk and make more decisions that involve taking a chance. Examples of these decisions include underwriting, exceptions management, remediation, collections, know-your-customer (KYC) and anti-money laundering (AML) and sanctions transaction monitoring, fraud management, and, in certain situations, creating regulatory models.

The decision of how much to allocate to support and manage individual companies and regions versus teams with a global or cross-business mission (as in shared services centers or transversal risk teams) is another one that CROs must make and one that could have significant effects on the effectiveness of their function. This makes it possible to standardize procedures and practices throughout banks, mutualize tools and expertise, and facilitate risk management (for instance, by consolidating data at the bank level). There are several different ways to tackle this problem. Transversal risk teams and shared service centers receive less than 10% of the risk resources from some institutions, while over 50% are allocated by others.

Model risk management and validation, liquidity risk management, enterprise risk management (ERM) activities including stress testing and regulatory management, and risk modeling and analytics are some of the activities that are commonly managed globally. Since market risk is mostly associated with financial markets and Treasury services, it is typically addressed on a worldwide scale. In the meanwhile, shared service centers are an excellent option for LOD2 controls, reporting, and data management.

Conversely, credit risk management is usually handled through designated enterprises or regions, especially when it comes to underwriting and portfolio management. In these situations, it is clearly advantageous to be near the creators, customers, and goods.
However, in practice, the majority of banks don’t really use either. The percentage of risk free trade agreements (FTEs) that are near- or off-shored was reported by less than one-third of the banks in Suryes’s sample. These are usually the biggest, most global banks, with excellent corporate and institutional banking divisions and a sizable workforce concentrated in high-cost cities (e.g., Singapore, Hong Kong, London, New York, Paris, and Zurich). There are very few other banks who are thinking about increasing their offshoring and nearshoring capability.

The median allocation is 33 percent among the banks that have at least 10 percent of their risk-weighted foreign exchange facilities (FTEs) located offshore. Two tactics predominate. One approach is to offshore only the portions of the process that need the greatest amount of manual labor (data gathering for modeling, model backtesting, and reporting), with FTEs answering to managers onshore. The maximum amount of offshore that can be done with this strategy is usually limited to about 30% of risk-weighted FTEs. As an alternative, some banks decide to near- and off-shore entire operations (including counterparty rating, the onboarding process, and full modeling lifecycle), with managers seated beside those departments. This strategy allows for more offshore.

Operational risk (up to 58 percent) and ERM (up to 41 percent) are the risk functions that account for the largest percentage of near- and off-shore FTEs. An average of twenty percent of the FTEs in the remaining functions (credit and market risk, for example) are assigned to near- and off-shore sites. The percentage of risk FTEs at near- and off-shore sites and the degree of FTE risk do not appear to be related, even while near- and off-shoring undoubtedly helps banks in significant financial centers reduce costs.

Constructing a Reliable and Successful Risk Function

Research from the Asian Development Bank (ADB) indicates a favorable correlation between risk effectiveness and efficiency. Following decisions about organizational architecture, the top-performing banks have a number of characteristics in common:

-A robust risk culture in which the roles of LOD1 are well-defined and both LOD1 and LOD2 are capable of carrying out their duties. This frees the risk function from having to make up for LOD1 failings in order to concentrate on its LOD2 responsibility.
-A top-notch credit underwriting procedure featuring digital straight-through processing and a front-to-back workflow for both small and medium-sized businesses and private individuals. Simplified, standardized, and digitally enabled credit risk scoring models should be a part of the corporate credit underwriting process.
-Enhanced digital monitoring capabilities through automated counterparty ratings, automated portfolio stress testing, and counterparty-level credit monitoring tools (e.g., anticipatory action early-warning system).

-Automated risk reporting that is managed by business units through the use of contemporary data architecture and demand management. Self-service risk reporting that is quick, reliable, automated, and relevant supports general risk users. What-if predictions and flexible querying options are accessible for more experienced information users.
-AML and fraud systems have benefited from enhanced financial crime procedures, including streamlined KYC solutions that employ dynamic checklists of standards and regulations and powerful analytics to lower false-positive rates to as low as 50–60%.

-A front-to-back market, counterparty credit risk, and liquidity risk aligned architecture and models that minimize discrepancies and the manual adjustments and checks needed in LOD2, while also supporting data quality (e.g., risk systems and front-office systems using the same data or even integrated data).
Streamlined risk policies and risk organization and governance that cater to quick decision-making (including fewer organizational layers, merged teams with related tasks, and zero-based governance meetings).
-A well-established performance management system, complete with dashboards displaying measures for risk efficacy and efficiency that are tracked over time and compared between locations and regions, makes it easier to share best practices and tools.
-A comprehensive approach to the creation and verification of models, bolstered by a shared model inventory, a streamlined workflow, automation instruments, and document repositories for both LOD1 and LOD2.

Now that their risk functions have been created, many CROs are transitioning to a phase that is more focused on increasing efficiency. The good news is that additional FTEs do not always translate into greater risk management once a bank’s risk function reaches a certain degree of maturity. The increased complexity of risks and regulations, along with skyrocketing inflation, is making it difficult for many CROs to control costs, even if each institution has a different risk appetite and set of circumstances. According to recent experience, a well-designed risk transformation program can increase risk effectiveness while reducing costs by 15 to 25 percent on a gross basis. Prominent companies usually allocate a portion of these savings back into strengthening and expanding their risk operations.