Global regulators, still working to address the legacy of the 2008 financial crisis, are slowly beginning to converge on appropriate risk management approaches for the asset management industry.Worldwide, regulatory responses to the crisis have, until recently, taken different paths, with EU regulators going furthest in their rulemaking. Now, as international consensus is reached on many risk practices, processes, and governance, regulators in the US are shifting their focus toward potentially risky activities and products and away from an emphasis on designating individual asset management firms as systemically important, according to an April 2016 update by the Financial Stability Oversight Council.
Meanwhile, for the better part of a decade, asset managers have worked largely on their own to develop risk management policies and best practices. At industry forums, they have given voice to, and found agreement on, a number of risk management principles and priorities—consensus that was also evident in the results of this year’s Global Asset Management Benchmarking Survey conducted by The Boston Consulting Group.1 Notes: 1 BCG’s 2016 Global Asset Management Benchmarking Survey involved nearly 140 leading asset managers—representing $40 trillion, or more than 55%, of global AuM—and covered more than 3,000 data points per player. The supplemental risk management elements in this year’s survey measured fundamental capabilities, such as governance, scope, organization, data, and systems; a review of the organizational model; and detailed benchmarking of risk management staffing and spending. As a result, managers are better positioned than in the past to voice support for regulatory initiatives aimed at enhancing stability, as well as protecting and serving the interests of investors.
Regulators’ evolving views in the US and Europe appear increasingly close to those of asset managers. With the direction of the US Securities and Exchange Commission (SEC) and risk oversight becoming clearer and firmer, managers now have a clear path for future investments in risk management.
Prudent managers have little time to lose in moving forward. We believe that it is a matter of when—not whether—they will face increased regulatory obligations, especially in the US, and increased obligations to support investor protection globally, with the EU already leading the way.
With basic risk management frameworks and governance now a norm, regulators and asset managers appear to be converging on the importance of managing liquidity risk, leverage obtained through derivatives, and operational risk. We also see increasing agreement on the importance of data and technology, as well as analytics and reporting platforms that enable integration of risk management and portfolio management.
Although risk management processes and methodologies continue to evolve, it is crucial that the risk function contribute more actively to investment processes, product development and approvals, and key transactions. This imperative is in alignment with the view of industry participants and regulatory agencies that key risks are embedded in products and activities rather than organizations.
In our benchmarking survey, which this year included extensive additional measurements of risk management capabilities, asset managers identified their most important needs similarly: as a comprehensive risk management framework, as liquidity risk management, and as the ability to support new products. At the same time, some managers acknowledged a struggle to benchmark the maturity of their processes and to define a roadmap to the goal. Managers may have to be patient if their roadmap is a global one.
Progress toward global harmonization of risk management regulations will pause while agencies study the impact of asset management on financial stability. (See “Progress on Global Risk Standards Hits Pause, but Not for Long.”)
Progress toward establishing global regulatory standards for risk management in asset management is expected to pause while global regulatory agencies reach a consensus on the potential impact of asset management, if any, on financial stability.
In March 2015, the Financial Stability Board (FSB), jointly with the International Organization of Securities Commissions (IOSCO), published a revised proposal for asset managers that would likely be designated global systemically important financial institutions (G-SIFIs). This proposal, if implemented, would set the stage for national regulators to propose home country asset managers for G-SIFI designation. However, both the FSB and the IOSCO concluded that a full review of asset management activities and products that could contribute to systemic risk should be completed before the finalization of any G-SIFI methodology.
In June 2016, the FSB followed up with an advisory document, “Proposed Policy Recommendations to Address Structural Vulnerabilities from Asset Management Activities,” which should be finalized by the end of 2016. We expect this to catalyze national regulators to heighten standards for risk management.
The US Financial Stability Oversight Council (FSOC) has moved from designating asset managers as systemically important financial institutions (SIFIs) to evaluating the impact of their activities and products on financial stability. Similarly, the SIFI discussion seems to be off the table for now.
By signaling the importance of risk management, the FSOC has prompted the Securities and Exchange Commission (SEC) to expand its role in prudential regulation. For example, the SEC’s 2016 exam priorities for asset expansion of management firms emphasized cyberrisk, liquidity risk, and anti-money-laundering activities and proposed rules on risk related to liquidity and use of derivatives.
The SEC has created the Office of Risk Assessment and Risk and Examinations Office to support the agency’s rulemaking and monitoring of asset management activities. In the near term, we expect the SEC to continue to use its existing examination program and oversight authority and then to set a robust rulemaking agenda.
EU regulatory frameworks—already in place for some time—are markedly ahead of those in the US. The directive that covers investment funds—known as “Undertakings for Collective Investment in Transferable Securities”—requires a permanent risk management function, policies that address material risks, and a risk management process for funds that use derivatives. The more recent “Alternative Investment Fund Managers Directive” defines requirements for governance, risk measurement, and disclosure; mandates a separate risk management function; and sets capital and liquidity requirements.
Although asset management regulators have progressively clarified their objectives, they have yet to formulate or propose a comprehensive risk management framework or set of benchmarks to guide managers. In the meantime, the industry itself, assisted by service providers, is working through industry forums such as the Global Association of Risk Professionals (GARP) to establish a common language and a set of principles that provide a development path for firms. In particular, the GARP Buy Side Risk Managers Forum (BSRMF) updated its Risk Principles for Asset Managers in September 2015, with a framework covering governance, investment risk, and operational risk.
These principles usefully clarify the importance of having clear segregation of functions and well-defined roles and responsibilities for managing risk. They also highlight the need for an independent risk management function and for tracking and understanding liquidity, capacity, issuer, counterparty, concentration risks, and risks related to leverage, for example, through derivatives. Given the SEC’s recent focus on derivatives, such risks have fresh relevance in the US. In the EU, leverage through derivatives has been on the rule-making agenda since the 2001 Undertakings for Collective Investment in Transferable Securities, or UCITS, directive.
On the basis of discussions with managers and the results of our survey, we agree with GARP’s observation that many firms have responded to the increasingly complex risk environment by establishing enterprise risk management functions. In our survey, 89% of our respondents reported the presence of a chief risk officer, and 94% reported that the scope of a risk function was well developed.
The priority of most firms, our survey found, has been to establish basic risk governance in core investment risk areas, including counterparty, credit, market, and liquidity risk. Other risk categories have appeared (to asset managers) as having lower priority, and consequently are less well developed. Those categories include model and valuation risk, IT risk and cybersecurity, other operational risks, corporate risk, anti-money-laundering activities, and portfolio construction support. (See the exhibit “Core Investment Risk Areas Are Well Covered by Managers; Other Categories Are Less Developed.”)
In our view, the importance of measuring, monitoring, and managing these risks has now increased—not only because of greater regulatory scrutiny of the management of such risks, but also because of recent incidents at several financial institutions. We expect that asset managers will recognize, as regulators already do, the impact of low-frequency but high-severity events that may disproportionately threaten the risk profile, reputation, and even survival of firms. Furthermore, firms are involving risk functions in decision making, especially when approving new business or initiatives, but more progress is needed to ensure that risk functions are fully incorporated into the investment process.
Also, firms are more aware of the need to invest in enterprise enablers, such as analytics and reporting platforms, with one-third of our respondents seeking better consolidation in risk reporting and 40% saying that information systems need to be further developed.
Many firms have already begun to establish elements of a general risk management framework. Managing the evolving requirements of risk regulation was a top priority cited by our survey respondents. It’s not surprising, therefore, that they have focused on developing a full framework, incorporating both governance and data and analytics—topics that will facilitate management of evolving regulatory measures.
Liquidity risk also ranked as a priority, which is not surprising given the recent regulatory focus. Another concern was the management of the risk and complexity of new products, which is driving further investment in the development of enhanced risk approval and governance processes.
Among risk categories in which firms are strengthening capabilities, credit risk was most frequently cited. We also found that firms increasingly take an enterprise-wide approach to risk—as opposed to managing risk in silos—and they are investing in reporting and consolidation capabilities across all risks. This indicates the industry’s growing maturity and its intent to develop broad capabilities to capture and proactively manage emerging risks rather than retain a locked focus on well-known categories alone.
However, we discovered that many firms, while acknowledging principles such as those in the BSRMF framework, still found it difficult to assess the level of their own development, which they must do before creating a roadmap or framework for improvement. We believe that the next step for the industry—and for regulators—is to develop standards and benchmarks that help differentiate between mature and leading practices in each part of such a framework.
According to our benchmarking survey results, most firms are taking the initiative to invest significantly in risk management. Still, we believe that more can be done.
As we noted above, it is imperative that risk management be active across the enterprise: in investment processes, product development, and approvals, as well as key transactions. Yet despite progress, risk management can often remain disconnected from the business—not just from new products but also, and more critically, from day-to-day investment decision making. To that, they could provide an independent risk-based perspective that could facilitate more informed decisions.
Many IT and risk platforms are falling behind the rapidly increasing complexity of products, systems, and organizations, making firms more vulnerable to new manifestations of risk. A wider lesson can be drawn from the pressing cybersecurity need to improve one’s defenses against hackers and malware that now have the ability to quickly change attack vectors on the basis of both human and technical responses. This is just one example of how risk managers and IT systems need to keep investing and evolving ahead of a growing universe of potential challenges. Managers should prioritize investments in keeping IT systems harmonized and platforms up to date—particularly in integrating front and back offices.
The most prudent firms are preparing a foundation for tomorrow’s regulatory moves, not just responding to those of the past. Best-in-class firms invest to accommodate emerging trends that affect investors well before regulators take action. Using stress-testing concepts in risk management, for example, would improve a firm’s resilience to severe but plausible events—pleasing investors while preparing for unprecedented events—as the Financial Stability Board proposed in June 2016 to G20 authorities. Investors are increasingly aware of risk. They take a more favorable view of managers that exhibit foresight and a commitment to prudent practices, which lends competitive advantage.