www.pwc.com/financialservices

Time to actBasel III and beyond

fi/moc.wcp.www seicvreslaicnan

Basel III and beime tT

Basel III and beo actime t

onddyBasel III and be

010r 2ebmeceD

ugaelloe ctiuS-r Ciehtecfifffik o ofsif reef rihg cnicaffassy ieey iw on keis v’’s vCwP

.seud ns arrs ae

s eu

The risk specialists at PwC are equipped to cover every aspectof risk management and responding to challenges in today’sBasel III world – from top-of-house governance and strategicissues, to specific modelling and compliance challenges. Wediscuss key themes in these six strands:

1 Risk and strategy: The future of banking and globalmarkets remains uncertain, with opinion divided. As ever,change creates opportunities for those willing to take risk.

2 Risk in the business: The need for risk management to be anintegral part of each business decision, is more pressing than ever.

3 Risk technology and data: The technologyapplications and systems that support core risk managementprocesses are the foundation on which risk is managed.

4 Risk measurement: Risk methodologies have come under intensescrutiny as the result of a systemic underestimation of the interrelationship between market, credit and liquidity risk.

5Risk culture and people: Focus on risk culturechanges have delivered inadequate results to date. Firmsneed a clear view of the drivers of risk culture and thedesired end goal.

6 Liquidity risk management: New liquidity managementrequirements will have a significant impact on the profitability of globalfinancial institutions that do not manage them carefully.

In places, some of the themes overlap. Organisationally, so do we: PwC specialists oftenfind themselves working on projects which include a number of these elements, becausethe challenges financial institutions face do not always fit into neat boxes. Still, these sixsections describe themes which come up again and again, irrespective of industrysegments or the size of institutions. We think it’s a good way to lay out the riskmanagement challenges facing financial services companies today.

If you want to discuss any of the subjects raised here, please speak with your usual PwCcontact, or use the list of contacts included in this publication.

Risk and strategy

The future of banking and global markets remains uncertain, with opiniondivided. As ever, change creates opportunities for those willing to take risk.

In November 2010 the G20ratified the Basel Committee’sproposals for strengtheningcapital and liquidity standards.In doing so, it committedthe banking industry tosignificantly higher capitallevels and a transition periodthat extends beyond 2020.

As the fog surroundingregulatory change begins toclear, ‘2020’ vision is nowneeded for all bank strategists,capital managers and chief riskofficers (CROs). In developingthis vision we know that BaselIII is only one component of amuch wider reform agendathat will affect, for example,the structure of supervision,the relationship of banks withgovernment and the role ofcentral banks.

Those banks that are able toarticulate their position andstrategy in this uncertain andchanging world will be thewinners. The requirement forclear perspectives on risk,capital and funding in strategyformulation has never beenstronger.

Distant deadlines havethe danger of creatingcomplacency and inaction.Leading banks recognise thisthreat and have no desire tosuffer the same fate as theapocryphal simmering frog.The question then, is, whatactions should banks betaking now?

Contact:Richard Barfield+44 (0)20 7804 6658richard.barfield@uk.pwc.com

In our experience of workingwith clients on these issues,well-managed banks aretypically:

• Conducting ongoing impactanalysis of Basel III andother changes – constantlymonitoring the regulatoryhorizon and the competitivelandscape.

• Using the strategy round torefine risk appetite for thenew world.

• Assessing changes (someof them radical) to businessmodels that will bring newbusiness within risk appetiteand achieve acceptablereturns.

• Developing a 10-year viewof capital and funding –including new instrumentssuch as contingent capital.

• Setting priorities for theirrisk and regulationcommunications strategywith investors, ratingagencies, regulators andsupervisors.

To do all of this effectivelypresents major challenges tothe CRO and the risk team.Key strategic imperatives forthe CRO include:

• Wiring risk appetiteeffectively to limits.

• Upgrading stress testingacross the group.

• Rolling out risk-weightedassets (RWA) optimisationprogrammes.

• Up-skilling the team to meetthe unrelenting demands forstrengthened riskmanagement.

• Ensuring risk is priced fairly.

• Playing a much moreactive role in externalcommunication.

And, of course, as the long-awaited economic recoverytakes hold, the G20 needs toensure management maintains astrong focus on risk and does notforget the errors of the past.

In the rest of the booklet wedraw on our experience andspecialist expertise to discussthemes which are critical tosuccessful risk strategyexecution in the world of BaselIII and beyond:

• Risk in the business.• Risk technology and data.• Risk measurement.• Risk culture and people.• Liquidity risk management.

The range of seismic change is far wider than regulation, which makes responding to it more challenging:

Dimension Key areas of change

Regulatory change • Stringent regulation of core banking (particularly aroundcapital and liquidity)

• Inclusion of the shadow banking sector in coreregulatory reform

• Basel III

External environment • Economic uncertainty

• China’s impact

• State interest in banks (post crisis)

Internal control • Pay and reward

• Risk, governance and control

• Reducing complexity

Risk in the business

A fragile recovery in the financial services market, a desire to convincinglyoutperform peers, and relentless expectations from regulators have made therequirement for efficient and effective risk management more pressing than ever.Firms that look at risk functions in isolation to provide this are missing the point.Risk management should be an integral part of each business decision.

The holy grail of banks is to haverisk management fully embeddedin the business. This involvesbringing risk information andinsight to bear on every decisionan organisation takes, fromacquisitions and divestmentsto new product launches andtransaction pricing – indeedwherever decisions are taken inthe business. It’s about takinga functionally siloed disciplineand ingraining it in the way anorganisation thinks and theway it works.

To achieve this transformation,people at all levels of theorganisation need to understandtheir responsibility for risk anda culture should be promulgatedwhereby raising risk issues is

regarded as a strength. Evidencewould lie in the full involvementof risk in strategic decisions,business planning, etc. Manybusinesses still struggle with thisconcept and see the risk functionas being responsible for themanagement of risks.

One of the ways to clarify thisis to have a defined operatingmodel for risk that is wellunderstood by all stakeholdersand that reinforces the way inwhich risk management activitypermeates throughout thebusiness. This would start withthe articulation of a visionand design principles for riskmanagement that addressthe risk functionality acrossthe business.

Contact:Sonja du Plessis+44 (0)20 7213 3051sonja.duplessis@uk.pwc.com

A clearly defined service modelhelps to identify stakeholdersdependent on the riskmanagement activity. Combinedwith a functional model thatspecifies interaction withstakeholders it helps to articulatespecific roles and responsibilitiesacross the three lines of defence(3LOD).

Whilst the diagram below sets outthe principles of the 3LOD model,many banks have found it helpfulto articulate for each material riskthe specific risk managementactivity carried out by first lineand second line. This helps to setout roles and responsibilities andto clarify delegation andescalation processes.

For example, credit risk is managedon a transactional level by therelationship managers and thesanctioning teams, as well as at aportfolio level by the credit riskteams at divisional and group level.

Market risk is managed by dealers,back office confirmation clerksand treasury teams that hedgerisks as much as by the specialistfunctions that would challengeconcentrations and modelassumptions.

Many areas of operational riskare managed through supportfunctions such as HR, Operationsand IT security. Setting outactivities clearly helps to identifyareas where oversight may beduplicated, for example by HR andfinance functions and IT security.

This also helps to set out key areasof control for internal audit tofocus on.

PwC has assisted many clientsin strengthening their targetoperating model for riskmanagement, articulating riskmanagement responsibilitiesacross the 3LOD. We have alsoassisted many clients in theintegration of finance and riskfunctions and the optimisationof internal audit focus.

Governance structure, including the board and risk c ommittee

Management Oversight Assurance

ManagementOwnership, accountability

and responsibility forrisks inherent in business

processes

Executive management

Business operations

Risk function

Compliance function

Internal audit

External audit

Risk management functionsProviding the framework andinfrastructure to facilitaterisk management acrossorganisations includingoversight and challenge

AssuranceIndependent assessmentby internal/external audit

Risk technology and data

Underpinning the ability of an organisation to apply an effective risk managementframework is the ability to give people the information required to make informeddecisions. The technology applications and systems that provide this information, thatimplement quantitative models, and that support core risk management processes are thefoundation stones on which risk is actually managed.

Most, if not all financial servicesorganisations struggle to address thedata and technology needs of riskmanagers. The unique perspectivetaken by risk, which can spanbusiness lines, geographies andmanagement structures, and rangefrom consolidated portfolio viewsdown to individual transactions,presents unique challenges. To meetthese challenges, risk technologyand technologists must tacklefundamental issues outside theirdirect control, and forge co-operative partnerships with ownersof data and systems across theorganisation to address issues atsource, rather than compensate forthem in isolation.

Risk management is criticallydependent on data. Indeed if thereis a data issue somewhere in anorganisation, then there is likely tobe a risk manager impacted by it.Yet most of the data used by risk is

owned by someone else. Firms thathave successfully addressed theseissues have done so by developinga comprehensive and consistentdefinition of the data requirementsfor risk, along with clear ownershipand governance models for eachtype of data. This, combined withmoving towards common viewsof data across functions, willresult in improvements in datacompleteness, timeliness andquality, and ultimately allow riskmanagers to make better-informeddecisions.

Quantitative risk models are a keycomponent of a risk managementframework, and the application ofmodels is highly dependent on theunderlying high-performancetechnology platforms. The ongoingdevelopment of new technologiesis providing a rapidly increasingcapacity for computationallyintensive models, yet this

Contact:Steve Swain+44 (0)20 7804 9036stephen.b.swain@uk.pwc.com

technology needs to be understood,and models implementedappropriately to take advantage ofthis capacity. In addition, therequirements of quantitativemodellers responsible fordeveloping, validating and back-testing models are distinct fromthose of a production environment,yet cannot be considered separately.Indeed, models must be developedwith full knowledge of exactly whatdata is and is not available, and howthose models will be implementedand used in practice.

Key risk processes including riskreporting and limit managementare enabled by technology, such asbusiness intelligence tools andworkflow packages. Selecting the

right solution can play an importantrole in process automation andcontrol improvement, and inproviding the right information tothe right person at the right time.

The technology and data needs ofrisk managers are broad, complexand multi-faceted. Understandingthese requirements and helping youidentify and achieve the rightsolution is the focus of our RiskTechnology and Data team. Whetheryour need is defining requirements,identifying and evaluating internalor external solution options,specification and design of solutions,or defining and managing deliveryand migration programmes, we havethe depth of experience to help.

Key risk processesincluding risk reportingand limit managementare enabled by technology,such as businessintelligence tools andworkflow packages.

Risk measurement

Risk methodologies in the financial services industry have come under intense scrutiny as aresult of the systemic underestimation of market, credit (in particular counterparty credit) andliquidity risks that have materialised since 2007. Considerable focus has been placed byregulators on this area and firms have had to extend their use of scenario and stress testingand upgrade risk models to incorporate elements of risk not sufficiently covered.

How are firmsaddressing the issue?Financial firms and supervisors alikehave been developing new techniquesin the last two years to restore thecredibility of risk models, but much ofthis work has to date seen theincorporation of conservatism buffersand the adoption of new, severe-casestresses through techniques such asintegrated and reverse stress testing.This work needs to be codified and,where appropriate, shared across theindustry to capitalise on the benefitsof new techniques and create a new‘industry standard’.

Firms have focused on capturing riskelements which were missed prior tothe crisis and are aiming to achieve amore ‘forward-looking’ focus for riskmodels. PwC has been assisting clientsin a number of areas as describedbelow:

Minimising model riskAs models undergo significantdevelopment, the importance ofrobust model governance has neverbeen so great. This has manifesteditself through increased regulatoryrequirements and regulators arelooking for institutions to quantifymodel risk and understand thebalance sheet implications under theheadline ‘prudential valuation’.Institutions are reviewing modelgovernance, from the development ofnew models through to independentvalidation and ongoing monitoring.

Exotic price testingmethodologiesThe credit crisis left a number ofleading financial institutions withsignificant exotic derivative portfolioswith little or no continued tradingflow and an associated lack of pricetransparency. PwC has been assisting

Contact:Stefano Mortali+44 (0)20 7213 2033stefano.m.mortali@uk.pwc.com

clients with assessing market andconsensus data and improvingmethodologies to capture uncertainty.

Refining VaRmethodologiesIncreased capital requirements andidentified weaknesses in the riskcapture of value at risk (VaR) models,requires institutions to spendconsiderable effort on reviewing,improving and validating their VaRmethodologies and supportinginfrastructure. Significant effort isrequired to focus on elements such asliquidity adjustments, better riskcapture such as volatility skew, impliedcorrelations, basis, CVA and cross risks.

Credit valuationadjustmentsThe accurate capture of counterpartyrisk within trade pricing can lead tocompetitive advantage in trade pricingand better pricing of transactions.Banks are faced with organisationaland infrastructure issues that conflictwith a centralised view of counterpartyrisk, and solving these issues under thedeveloping capital regime will becomeincreasingly important to competitiveadvantage.

Ongoing developmentof risk models, data andsystemsIn addition to specific methodologydevelopments, the onerous capitalrequirements place increasing pressureon risk functions to measure risk moreaccurately to optimise capital, supportmore accurate risk-based pricing andidentify deterioration in the risk profileat an earlier stage.

The effectiveness of quantitativeanalysis is also heavily dependent onthe quality and availability of data, andthe flexibility and functionality ofthe systems that support it. Buildingan effective technical capability insome cases requires significantimprovements to systems and data.These aspects can be included in thedevelopment scope, or at least,understood in terms of the potentiallimitations on risk measurement,aggregation and monitoringcapabilities.

How can PwC help?PwC’s Risk Measurement team isable to support firms in theongoing development of their riskmethodologies or in validating firms’approaches against developingindustry practice. From identifying andcapturing data required, building orimproving existing models, validationand (more refined) calibration; toperformance monitoring, PwC canhelp you to ensure that you establishand maintain the appropriate infra-structure and governance to manageyour models and to ensure regulatorycompliance. Then, working together,we can help you to derive themaximum value from them, integratingthem not only into your creditprocesses but also into your pricing,stress testing and capital management.

Risk culture and people

The concept of strengthening risk culture has been long been heralded as a key area of focus, but inreality has received somewhat ineffective focus. This is because firms have been trying to tackle acomplicated issue with lack of clarity over the key drivers of risk culture, the desired end goal andhow to approach cultural change. This raises the question of whether risk culture is sufficiently highon firms’ agendas.

We believe that an effective risk cultureis vital and an implicit component ofchange in risk management, whetherdriven, for example, by Basel III,Solvency II or by changes in firms’ riskappetite. The failure to establish anappropriate risk culture and mindset canundermine a sound reputation and riskoperating model. If firms’ reform agendato strengthen risk management is to besustained and change secured, it must beaccompanied by sustainable change inrisk culture.

Firms’, regulators’ and policymakers’efforts are focusing on drivingcultural change, principally throughcompensation, to align interests of keyrisk takers with those of shareholdersand customers. It is questionablewhether this alone will drive the stepchange in risk culture required in thepost-crisis world.

Understanding andinfluencing risk cultureCulture means simply a universalunderstanding and acceptance of ‘theway things are done around here’.Risk culture is the result of history,leadership, organisational values andthe external environment. It isfundamentally important because itresults in the behaviours that underpinmanagement’s risk decision making.

To start the process of change, firmsneed a candid appraisal of their existingculture. This can be difficult to do – it isvery hard to stand back and form anobjective view of the culture of whichone is part. Such an appraisal may wellresult in the stark realisation that thereare major shortcomings.

Contact:Duncan Laugher+44 (0)20 7804 4420duncan.r.laugher@uk.pwc.com

Some examples that we have observedwhen working with clients on this issue,include:

• Business planning dominated bythe pursuit of growth or improvedprofitability without regard toeconomic, macro-economic oroperational/reputational risks.

• Entrenched silos with limitedwillingness to challenge risks, whetherwithin a particular risk class, acrossbusiness lines or between functions.

• Wider risk management responsibilitiesfailing to take root as a result of highlycentralised, isolated risk controlfunctions.

In performing a self-appraisal firms willneed to analyse their organisation acrossthe broad range of behavioural factorsthat influence risk culture. Thesignificance of these factors will vary byfirm, business line and function but inour experience there are certain factorsthat need to be considered: Leadership,Governance, Motivation, People andInfrastructure.

To describe the desired risk culture andbehaviours clearly, there are some coreprinciples that we believe firms shouldaim to institutionalise:

• Consideration of risk is demanded asan integral part of decision making.

• Risk is placed in the context of therisk/return profile commensuratewith strategy.

• Continuous understanding of key risks,recognising interactions and impactsacross business lines, functions andrisk classes.

• Focus on action, not analysis.

• Clear expectations of the riskbehaviours expected from seniorpersonnel both within, and outside,the risk function.

Approach to drivingchangeAchieving change is not straightforwardand many firms continue to be frustratedby the lack of demonstrable change inrisk culture. One approach that we haveused with clients is to focus on the keyrisk/value events, for example in thestrategic planning process, and to definethe core behaviours required to deliverappropriate outcomes at these criticalpoints.

The three-step process of:

• Focusing on identifying the key riskevents.

• Defining the core behaviours required.

• Tracking the cultural change thatemerges.

is an approach that provides a practicalbasis to achieve success.

Factors that influence risk culture

Areas Key drivers

Leadership and strategy • Strategically aligned objectives

• Cross risk class and process view of risk

Governance and • Clearly defined accountabilities

responsibilities • Prominence of risk in key decisions

Motivation • Risk disciplines part of all employees’ recognition

• Compensation aligned to shareholder interests

• Collective mentality and appreciation of all interests

People • Risk competencies and skills embedded in allpersonnel

• Respect and willingness to commit to riskmanagement

• Stable workforce with loyalty and commitment

Infrastructure • Balanced between risk technology and expertjudgement

• Sustainable backing for change programs anddelivery

Liquidity risk management

The financial crisis and high-profile failures have highlighted the importance of effective liquiditymanagement and triggered the development of onerous new liquidity rules. These rules include minimumstandards for liquidity management and quantitative requirements that will have a significant impact onthe profitability and business models of financial institutions.

The planned regulations under Basel IIIwill require banks to hold significantliquidity reserves that, as the rules arerolled out globally, may lead to localregulators requiring significant pools ofliquidity to be held in their respectiveterritories. These could disrupt the globalfunding arrangements operated by manybanks and lead to trapped pools of liquidityin the major territories in which a givenbank operates.

Linked to these quantitative requirements,banks will be required to significantlyimprove their funding and liquiditymanagement framework – measuring,monitoring and managing liquidity moreproactively.

What do banks need to do?Many banks have been focusing on thedevelopment of their treasury and liquiditymanagement approaches, but many of theimprovements to date have been tactical innature, aimed at satisfying requirementsput in place by regulators such as the UKFSA that have led the development of newrules. As these regulations are ‘globalised’through Basel III, banks will need to make asignificant effort to translate these tacticalfixes into longer term solutions. These willinclude the following areas of focus:

• Embedding funding and liquidityforecasting into strategy and businessplanning.

• Improvements to liquidity stress testingto reduce the need for ‘compensatingconservatism’ that leads to excessiveliquidity reserves – this will include thelinkage of liquidity risk measurement torelated risk types such as credit andmarket risk that drive liquidity flowsunder stress.

Contact:Charles Beach+44 (0)20 7213 3591charles.beach@uk.pwc.com

• Alignment of global regulatory reportingrequirements with internal liquiditymonitoring and reporting.

• Development of day-to-day liquidity riskprocesses and controls focusing on keyliquidity drivers such as intra-group,intra-day and cross-currency risks.

• The development of funds transfer pricingframeworks to ensure that fundingand liquidity costs and benefits aretransparently allocated to the appropriatebusinesses.

How PwC can helpPwC is a leading provider of funding andliquidity management advice and hasassisted leading firms in enhancing theirliquidity risk management frameworks torespond to the new rules and the increasedemphasis on liquidity. Our services coverall of the above areas and also specificregulatory requirements (such as IndividualLiquidity Adequacy Assessments in the UK).

Working with us brings to beara breadth of industry and regulatoryexperience that you can employ toanticipate challenges and accelerateliquidity risk management programmes.

Working with us brings to beara breadth of industry andregulatory experience that canbe employed to anticipate thechallenges of this work andaccelerate liquidity riskmanagement programmes.

Contacts

If you would like to discuss any of the issues raised in this paper, please speak to your usual PwC contact orone of the following:

Symon Dawson+44 (0)20 7804 1225symon.k.dawson@uk.pwc.com

Richard Barfield+44 (0)20 7804 6658richard.barfield@uk.pwc.com

Miles Kennedy+44 (0)20 7212 4440miles.x.kennedy@uk.pwc.com

Charles Beach+44 (0)20 7213 3591charles.beach@uk.pwc.com

Richard Smith+44 (0)20 7213 4705richard.r.smith@uk.pwc.com

Sonja du Plessis+44 (0)20 7213 3051sonja.duplessis@uk.pwc.com

Steve Swain+44 (0)20 7804 9036stephen.b.swain@uk.pwc.com

Eduardo Viegas+44 (0)20 7804 2510eduardo.m.viegas@uk.pwc.com

Stefano Mortali+44 (0)20 7213 2033stefano.m.mortali@uk.pwc.com

Duncan Laugher+44 (0)20 7804 4420duncan.r.laugher@uk.pwc.com

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publicationwithout obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to theextent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyoneelse acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

www.pwc.com/banking© 2010 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom). As the context requires,"PricewaterhouseCoopers" may also refer to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate legal entity. Each member firm is a separatelegal entity and PricewaterhouseCoopers LLP does not act as agent of PwCIL or any other member firm nor can it control the exercise of another member firm's professional judgement or bind anothermember firm or PwCIL in any way.