The increase in risk appetite over the last 12 months flagged by participants seems logical, and the general observation that boards are paying more attention to risk also fits in with the prevailing mood from supervisors and regulators post-credit crunch (bear in mind this facet would be overwhelming if it was EU-only thanks to Solvency II et al).
That Enterprise-wide risk management was receiving the most attention from the risk function and the boards in insurance/reinsurance participants is also no surprise, with Solvency II/Equivalence/IAIS ICPs to consider. I also liked the acknowledgement that improving skills in identifying interdependencies in enterprise risks is seen as a priority by risk professionals
However, there were a number of areas which ranged from mildly concerning to shocking, such as;
- Nearly a quarter reported that the Risk Function is more often than not overridden or ignored (bear in mind these are financial services risk executives that have been polled)
- No improvement y-o-y on the percentage of respondents with a "clearly defined risk strategy"
- Investment in Risk functions has fallen in aggregate in almost every area
- Almost 2/3rds said complexity is incresing the risk exposure of their company
- Only 21% were confident that 100% of their risk exposure was measured and monitored accurately
- Only half felt members of the risk team played an important role in strategic decision making
- A similar percentage note that their boards have become more demanding with their risk reporting expectations (there must be some boards therefore asking for more from the function, then excluding them from the decision making process)
- In only 55% of participants the head of risk had a mandate to report to the Board independently
- Only 39% said their organisation has a "common risk language" - this is especially poor for financial services
- Effectiveness of organisations in managing "real-time risk" was rated poorly - this is fundamental to the risk function adding value and influencing strategic decision making, so must improve.
- Only a third have improved the quality of their board information on emerging risks
- 29% of respondents said they did not have "adequate expertise" in operational risk
I would add that the case study of Metro Bank (first new bank in the UK in 100 years) seems very unusual, in that they have decentralised responsibility for risk instead of having a dedicated function - very interested to know how this is approached by the banking regulator.