In recent years, the financial services industry has been exposed to a constantly growing number of implementation challenges. The increased concentration of regulatory requirements has particularly affected risk controlling, whose staff had to take on a more reactive role, in order to implement the numerous regulatory requirements in time. This led to a situation where task and resource allocation could not always be efficient and future-oriented. By now, some institutions are increasingly exposed to a new challenge: On the one hand, risk controlling has not yet taken on the strong role that the supervisory authority and regulator are postulating for this function. On the other hand, the cost awareness that increased due to the low interest phase, balance sheet shrinking and the increasing capital requirements demands that the risk function (after years of mainly unchanged growth) begins to make a real contribution. To take both aspects into account, efforts will be required for the own organizational structure and the productivity as well as the impact. In 2014/15 we conducted a brief survey of decision makers responsible for risk controlling resulting in an assessment of the current situation.
Using large and medium-sized banks from the German-speaking market (including four specialized institutions), the status quo for risk controlling organization and its planned development for the near future  were evaluated. Based on the institution-specific responses we derived general trends for the market.
The first step of the assessment was a quantitative stock take of the personnel resources for group risk controlling (GRC). For the purpose of this analysis we divided the participating institutions into four equal groups depending on the business size (indicator: balance sheet total). Furthermore we separated the risk controlling tasks into core and supplementary tasks; the latter of which included tasks that do not fit into the original field of risk controlling but which are currently conducted within the questioned GRC units. To facilitate the comparability between the various institutions, the individual organization of the GRC was transferred to a standardized reference organization that represents the major business functions and risk types as applicable today. The quantitative analysis is complemented by a qualitative set of questions so that the role of the participating risk controlling staff and their influence on total bank management can be analyzed. The very last part of the survey includes correlations of the results from the qualitative and quantitative analysis.
1. Quantitative analysis
The personnel resources in risk controlling increase with the scope of the business activities—Staff for additional function disproportionately available in large institutions
Depending on the scope of the business activities (measured as balance sheet total in billion euros) the workforces at participating institutions are growing based on a standardized reference organization. While the institutions with a balance sheet total of less than EUR 50 bn have an average of 44 FTEs, the personnel resources increase up to the largest group with five times as many: 215 FTEs.
While the relative workforce size in credit risk controlling has shrunk slightly with the size, especially the resource capacity of the Methods and Processes functions has increased with the institution size. Almost every third job is assigned to this function in larger banks. Against the general trend of personnel reduction in the banking landscape, the responses in the survey reveal that the institutions expect a continued increase of the resource needs in risk controlling.
2. Qualitative analysis
The survey results show continued needs for improvement across all risk types
In the medium term, there is a need for content-related enhancement for all risk types. It is noteworthy that obviously a further sophistication in the field of credit risk is seen as urgent. The findings also show that the strategic total bank risk must be further expanded. There is a clear belief that improvements must be achieved across all risk types, especially in the area of data quality and regarding methodologies.
This constellation is not surprising in terms of the regulatory agenda of the last months, which involved projects such as the asset quality review, IFRS 9 and last but not least BCBS 239 and will involve setting new focuses in the near future. The findings from the comprehensive assessment have obviously left the institutions with the lasting impression that credit risk management (typically, still the largest driver of RWAs and risk capital) has been ignored for too long.
However, these projects are often limited by the existing infrastructure: The participating banks feel they have a significant need to catch up, especially related to automation of risk controlling processes,. While individual risk types are already monitored and reported with a high level of automation, the aggregation into total bank risk controlling, however, often demands considerable manual work when using individual reports in the “modular principle”.
There is still considerable room for improvement regarding the scope and impact of the challenging function for risk controlling—the importance is expected to grow significantly
The responses are very heterogeneous with regards to the scope and level of impact for the challenging function GRC is playing as a counterpart to the front office units. In general, both dimensions have room for improvement. Shared reviews of the risk situation together with the front office and/or active or forward-looking influencing of the operational business are still rather uncommon today. Instead, reports are created and portfolio structures are discussed. While limits are generally adjusted proactively and the GRC does actively support strategy meetings of the business units, the impact on them is, however, seen as insufficient by the participating institutions themselves. Thus, it does not surprise, that all survey respondents claim that the importance of the challenging function will grow in the future.
3. Summarizing consideration
Larger institutions tend to aim for a higher level of sophistication, but also suffer from the increasing complexity
Looking at size-dependent answers is useful for qualitative relationships: The respondents aim for a medium level of methodological sophistication, while larger GRCs tend to aim for a higher level of sophistication. The GRC’s technical status quo is often seen as an obstacle: It is noteworthy that poor infrastructures (data silos, process and structure interruptions to the interfaces between data warehouses and complex transition guidelines) appear to be more common than one would think.
One major advantage of larger risk controlling units is in the efficiency of challenging. While the scope of the challenging function is only slightly larger, by their own account, larger units achieve a greater impact. Respondents also assert that they have greater influence on operational decisions of the business units (with a comparable communication effort).
The results of the survey reveal a clear need for action for risk controlling—The regulatory agenda already picks up on this partially
Overall, risk controlling units are facing major challenges demanding further procedural, technical, methodological, and personnel developments. The increasing regulatory requirements lead to capacity shortages across all risk types. Rather than facing the requirements by increasing resources, as was expected by the respondents, there exists a recognizable trend towards reorganization and increasing efficiency. Some institutions thus face the requirements with various measures such as bundling competencies along the value-added chain and an associated resource reallocation. This also implies changing skill profiles for employee qualification and training, which in future will involve the personnel departments that are responsible for risk management to a greater degree than before.
Reactively dealing with regulatory developments—as usual in the past—now leads to an acute need for action in the three dimensions of methodology, infrastructure and especially in the understanding of roles. The regulator has already reacted and picked up on some of these demands by starting regulatory initiatives. However, it remains the bank’s responsibility to reach a position “ahead of the wave” again and proactively drive the procedural, methodological, and organizational developments.
The future of group risk controlling will thus be characterized by “anticipative” risk management, which will efficiently take into account the changed framework conditions of the branch (new risk types and sources). For this purpose, we already support institutions to reorganize and establish a comprehensive target for the risk function. Together with our clients, we are developing the risk function for 2020 and thus create a sound basis for sustainable effectiveness in risk controlling.
 The banks surveyed were mainly banks from German-speaking markets with total assets of over 30 billion euros.