
Financial Services Industry

May 2012
Enterprise Risk
Management Survey
Report 2012
Where do you stand?

Table of Contents
Foreword
Executive summary
About the Survey
Key Findings
Detailed Findings
Achieving a Strategic View of Risk
Enterprise Risk Management - a work in progress
Addressing the Full Range of Risks
Risk Management Systems and Technology Infrastructure
Conclusion: The Road Ahead
Contacts

This publication contains general information only. The publication has been prepared on the basis of information and forecasts in the public domain. None of the information on which the publication is based has been independently verified by Deloitte and none of Deloitte Touche Tohmatsu Limited, any of its member firms or any of the foregoing's affiliates (collectively the "Deloitte Network") take any responsibility for the content thereof. No entity in the Deloitte Network nor any of their affiliates nor their respective members, directors, employees and agents accept any liability with respect to the accuracy or completeness, or in relation to the use by any recipient, of the information, projections or opinions contained in the publication and no entity in Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies thereon.

Foreword
Welcome to the first edition of the Deloitte East Africa Enterprise Risk Management Survey. This is the first survey of its kind as it seeks to provide a baseline assessment of the state of risk management within the financial services sector in the region.

Enterprise Risk Management (ERM) has become a hot button issue in virtually all sectors of the economy across East Africa. In particular, within the financial services sector, risk management has grown in prominence largely as a result of regulatory push but also as a means of protecting current assets while actively seeking competitive advantage.

Financial services industry (FSI) players within the region increasingly have to contend with emerging threats and competition, rapid shifts in the business environment coupled with heightened regulatory demands.

However, there are also new exciting opportunities such as regionalization through better integration across the East African Community trading bloc, improved technologies and enlightened customers with better spending power. In light of these developments, organizations have put in place risk management structures and processes to manage the risks presented by both the opportunities and challenges in the marketplace.

So as to gain insights and provide a baseline assessment of the state of risk management within the financial services industry, Deloitte East Africa undertook this survey and collated results from more than 60 risk management professionals across Kenya, Uganda and Tanzania.

We sincerely thank all those who participated in this survey through sharing with us their experiences and insights.

On behalf of my colleagues at Deloitte, I invite you to read the report and hope it inspires new thinking, provides new insights and allows you to benchmark with your own risk management processes while facilitating enhancement of your ERM program.

We welcome your feedback and comments. If you would like to further discuss any of the issues in more detail, please speak to your usual Deloitte representative or one of the contacts listed at the end of this survey report.

Sincerely,
Julie Nyangaya
Enterprise Risk Services Partner
& Financial Services Industry Leader
Deloitte East Africa

Executive summary
In an ever more complex and volatile business environment, risk management has continued to grow in importance in the financial services industry. Roughly 75% of organizations treat it as a board-level oversight responsibility and more than 50% of the respondents had their risk governance models at various stages of implementation.

Although progress has been real, considerable work still remains to be done. Most organizations are in the process of creating effective systems and processes to measure and manage less traditional risk¹ types such as strategic, operational, reputational and Information Technology (IT) risk. Those that have implemented ERM programs are already recording gains; however, many concede it is difficult to quantify this value.

These are some of the important findings in the first edition of the Deloitte East African Enterprise Risk Management Survey. The survey gathered responses from over 60 risk management professionals across Kenya, Uganda and Tanzania. The survey looked at issues such as risk governance, management of key risks, the scope and coverage of ERM programs, challenges encountered and risk management technology solutions.

It is clear that financial institutions face an increasing range of risks. Organizations have to keep pace with ongoing regulatory change and scrutiny while meeting demands for stronger governance and enhanced transparency.

The survey showed an industry that is alert to this range of risks, but identified a number of important areas where additional investment and management attention is needed. It also highlighted some of the basic approaches organizations are taking, areas where they have improved risk management capabilities, and areas where they are still struggling to get a good handle on risk issues and processes.

Effective risk management is fundamental to success in the financial services industry, and a basic expectation of shareholders, regulators and customers. In a challenging and changing risk environment, however, the bar on what constitutes effective risk management is constantly being raised. As this survey shows, most organizations have an unfinished agenda when it comes to the development of sophisticated risk management capabilities, enabling an integrated, enterprise-wide approach to managing the varied and dynamic risks they face. Financial institutions that can understand risk holistically - managing the full range of risks they confront - can strategically use risk taking as a means to strengthen their competitive position and create value.

¹ Risk as used in this report is defined as the potential for loss or harm or the diminished opportunity for gain - caused by factors that can adversely affect the achievement of an organization's objectives.

About the Survey
The Deloitte East Africa Risk Management Survey 2012 is our first baseline assessment of the state of Enterprise Risk Management (ERM) in the financial services industry (FSI). The survey was aimed at helping organizations benchmark their enterprise risk management programs, processes, structures and systems with those of their peers within East Africa.

The survey was conducted in March 2012 through an online questionnaire. We solicited the participation of Chief Risk Officers (CROs) or their equivalents in various companies and institutions in the Financial Services Industry across Kenya, Uganda and Tanzania.

Financial Services Industry is defined as companies and institutions operating within the banking, securities, insurance, investment management and real estate sectors.

Respondents who participated in the survey were primarily drawn from the banking, insurance (both long term and short term), asset management and fund administrators (see Figure 1). Most of the respondents had a turnover of more than US $500 million (see Figure 2) while approximately 25% were listed on one or more of the stock exchanges in East Africa.

Figure 1: How best would you describe the areas/industries your company is involved in?
[Bar chart. Categories: Banking; Asset Management; Fund Administration; Long term insurance; Re-insurance; Real Estate company; Short term insurance; Collective investment schemes; Mutual fund; Retirement fund administration]

Figure 2: Which of the following best describes the size of your organization in terms of revenue / turnover?
Less than KES 100M / UGX 3.5M / TZS 5M
Over KES 100M / UGX 3.5M / TZS 5M
Over KES 500M / UGX 18M / TZS 25M
Over KES 1 billion / UGX 36M / TZS 50M
Over KES 50 billion / UGX 1.786B / TZS 2.5B
5.4%
6.8%
8.1%
35.1%
44.6%
Risk governance
Risk governance can be defined as the approach for directing the management and control of risk, which may be overseen by the board of directors as a whole or through a board risk committee. The role of clear and active risk governance has gained currency in the recent past as a result of corporate governance breaches, fraud and related malfeasance coupled with increasing focus by regulators who are now insisting on proper oversight by the board.

Key findings
- Half of the respondents had their risk governance models at various stages of implementation with only 29% having their models already implemented.
- In 80% of the organizations, the board of directors receives and reviews regular reports on the risk management program and approves the ERM policy and framework.
- Approximately half of the respondents indicated that the board is involved in approving the risk appetite statement. This could be due to the fact that approximately a third of the respondents (34%) indicated that they have not yet defined a statement of the company's risk appetite.
- 82% of the respondents indicated having a Chief Risk Officer (CRO) or equivalent with only 6 respondents indicating that they do not have this executive in place.
- Aligning compensation and incentive plans with appropriate risk taking is undertaken in 81% of the organizations surveyed.

Our Point of View
- The Board should continue taking ownership and driving the risk agenda across the business. While senior management with support from the CRO are involved in managing risks, the oversight by the board cannot be delegated.
- Risk management should be infused throughout the organization; not only at enterprise and business unit level; but also in strategic and operational decisions.
- The risk appetite sets the limits and delineates acceptable versus unacceptable risks. This should continue being formulated and constantly monitored for compliance.
- Distinction between risk management and internal audit should be emphasized within the organization to ensure clarity of roles, responsibilities and accountabilities.
- Consolidate the various risk functions (e.g. IT risk, Credit Risk, Operational Risk) to facilitate better oversight and reporting.

Enterprise Risk Management
ERM aims to bring a holistic organization-wide and standardized risk management process to financial institutions and provide them with an integrated view of risks they face. By adopting a comprehensive approach to risk identification and assessment, ERM can help identify many dependencies or inter-relationships among risks that might otherwise go unnoticed. In addition, it is easy to gain new insights and provide transparency into the overall impact of risk on the institution.

Key Findings
- Implementation of ERM is fairly limited with only 31% of the organizations surveyed indicating that they have a fully implemented ERM program. However, 38% of respondents indicated that they are in the process of implementing one.
- Among survey respondents, ERM programs almost always covered the major traditional risk categories of credit risk (92%), liquidity risk (90%), regulatory/compliance (90%), and market risk (85%).
- New risk categories such as operational risks (95%), strategic (80%), reputation (83%) and IT security (75%) have also emerged as critical focus areas.
- ERM is integrated and linked to the Internal Audit Plan in 59% of the organizations. A further 25% indicated that this is not formalized as yet.
- Only 23% have their risk appetite both quantitatively and qualitatively defined. A similar number are in the process of seeking approval for their risk appetite statement while 34% do not have the risk appetite statement.
- Those organizations that have implemented ERM are already recording gains. This is evidenced by the fact that 85% of the respondents felt that the value of their ERM program was greater than its cost; however, many conceded that it was difficult to quantify this value. 14% indicate that they are yet to reap the benefits of ERM.
- The top rated challenges during ERM implementation were integrating risk data across the organization (70%) and having the appropriate risk management skills (64%).

Our Point of View
- Defining and implementing an ERM program is imperative; this may include defining an ERM policy, setting up relevant functions and putting in place measures to monitor and report on key risks while driving a risk culture in the organization.
- Internal audit plans should be aligned to the results of the risk assessment arising from the ERM program. The Internal Audit department should provide assurance on the effectiveness of the ERM framework and program implementation.
- Define and monitor compliance to the organization's risk appetite statement.
- Identify innovative ways to derive value from the ERM program while minimizing cost of implementation. This may call for integrating various risk efforts while seeking a coordinated implementation approach across the organization.
- Focus on new emerging risk types such as reputation, operational risks and IT security while not losing focus on the traditional risks such as credit and market risks.
- Define an ERM framework and program which enables effective reporting and consolidation of data.
- Hold regular training for the board and senior management on ERM concepts and implementation so as to build internal capacity. In addition, undertake a continuous culture change program to embed a risk-aware culture across the organization.

Management of Key Risks
A critical challenge facing risk management is achieving a comprehensive view of all the varied risks a financial institution faces. Many institutions have much more to achieve in this regard.

Key Findings
- Most executives rated the effectiveness of their ERM programs as either 2 or 3 on a scale where 1 is highest. This implies most program implementations are still work in progress.
- In terms of specific risk types, most organizations felt that their ERM programs were most effective in managing liquidity and financial/budgeting risk. Credit risks, tax and regulatory were identified as areas where ERM is growing in effectiveness, possibly due to the already existing regulatory oversight.
- Operational risk areas of business continuity, IT security, legal, human capital and data integrity risks were highlighted as areas where the ERM programs have not been effective.
- Most organizations have strengthened their liquidity risk management function (70% of respondents) or amended their liquidity management policies (65% of respondents).
- Capability of the operational risk management technology platforms was rated as somewhat capable by a majority of the respondents. Scenario analysis and operational risk capital calculations were identified as key challenges in these technology solutions.
- 28% of the respondents indicated that regulatory reform has resulted in an increase in the cost of compliance and the need to hold higher capital levels.

Our Point of View
- ERM program implementation efforts should be accelerated with appropriate support from the business.
- ERM programs should focus and expend efforts in managing new and emerging threats to today's business such as IT security, fraud and talent.
- Continuous interfacing with the regulators and timely communication of compliance challenges should be embraced to ensure a mutually beneficial relationship.

Risk Management Systems and Infrastructure
Information technology is a vital element of risk management capabilities and acts as a key enabler to the effectiveness of the ERM program.

Key Findings
- Only 60% of the organizations surveyed have a dedicated risk management technology solution. Most of the respondents, however, clarified that they have several sub-systems, at various levels of sophistication, that address specific risks.
- Legacy risk management system (incorporating a spreadsheet solution) was rated as the most prevalent in the industry while credit management systems were identified as the second most common solution. Credit management solutions could be due to the need to score and evaluate the credit rating of potential customers prior to advancing loan facilities.
- Possibly as a consequence of their perceived prohibitive cost, 61% rated high cost of maintenance and vendor fees as a major concern over the technology systems. Integration, a long standing issue when it comes to technology, was rated as the second most significant concern by the industry. Other issues tied to this were lack of sufficient risk data, data integrity issues (46%) and inability to extend the current legacy systems.
- In terms of priority, risk data quality and management were identified by most respondents as being critical in the next 12 months as organizations seek to improve their risk technology capabilities. Capabilities to calculate the regulatory capital requirements, ability to manage and monitor operational risk and compliance risks were also highlighted as vital priority areas over the next 12 months.

Our Point of View
- To derive value and facilitate integration of risk information across different units of the organization, consider implementing a robust dedicated risk technology solution.
- The risk technology solution is only an enabler; the key determinant on its efficacy will be the quality of the risk registers and framework in use within the organization.

Detailed Findings
Achieving a Strategic View of Risk
Risk governance can be defined as the approach for directing the management and control of risk, which may be overseen by the board of directors as a whole or through a board risk committee.

With the increasing variety of risks - and the potentially huge negative impact they can have in terms of both financial and reputational loss, risk management has become an even higher priority for financial institutions. This first FSI ERM survey found that the board wholly owns and is kept informed of risk issues.

The role of clear and active risk governance has gained currency in the recent past. Recent corporate governance breaches, fraud and related malfeasance have shone the spotlight on the level and oversight role played by the board.

Regulators are now focusing more closely on the role of the board of directors in setting a financial institution's risk policy and risk appetite and in monitoring that these are implemented effectively by management. In fact the need for active board oversight over risk management has been emphasized in the guidelines issued by the banking and insurance regulators in Kenya, Uganda and Tanzania.

Strengthening risk governance
The survey found that many financial institutions have taken a variety of actions in response to the increased focus on risk governance (see Figure 3).

The most common action, taken by roughly 75% of the organizations, was to improve the process for reporting of risk information to their boards of directors and to their management risk committees. In addition, formation of risk management committees - both at management and board level - has been undertaken by approximately two thirds of the respondents. Establishment of the Chief Risk Officer (CRO) position and development of a risk dashboard report were also prominent activities undertaken.

Figure 3: Which of the following actions has your organization taken in response to recent concerns regarding risk governance?
Improved board risk reporting information
Formed risk management and board level committees
Increased management risk committee reporting information
Enhanced risk limits
Updated the risk appetite statement
Reviewed management risk committee structure
Developed risk dashboard report
Held more frequent management risk committee meetings
Updated management risk committee charters
Established Chief Risk Officer (CRO) position
Expanded Chief Risk Officer (CRO) responsibilities
Reviewed board risk committee structure
Materially reformed our risk culture to improve the effectiveness of risk oversight
Established a risk committee of the board of directors
Updated board risk charter
Added management risk committee members with risk experience
Added board members with risk experience
Established management executive sessions with CRO
Established board executive sessions with CRO
Held more frequent board of directors meetings
An interesting finding was that approximately a third of the respondents had materially reformed the risk culture to improve the effectiveness of risk oversight. This could have been through undertaking training and related activities aimed at building awareness of the importance of ERM, roles and responsibilities and the value to be derived from ERM.

These results point to appropriate focus on risk governance since relevant, on-time information on risk and opportunities is vital for management and board decision making. Such information also provides visibility on initiatives being undertaken and any exposure or opportunities available in the market.

Risk governance model
Organizations surveyed had strengthened or adopted risk governance models under the impetus of the expectations of their regulators or as part of their strategy.

However, half of the respondents had their risk governance models at various stages of implementation with only 29% having their models already implemented (see Figure 4). The risk governance model is a key risk program element that is typically defined in the risk management policy and ERM framework. The risk governance model² should:
- Establish risk governance and oversight;
- Define the institution's risk management roles and responsibilities, including the role of business units; and
- Specify the process for ongoing monitoring of risk management.

Figure 4: Does your organization have a defined risk governance model and approach which delineates functional responsibilities of risk management
Yes, fully implemented
Yes, being implemented
No, but under consideration
No
29.1%, 17.7%, 3.2%, 50.0%

Figure 5: Which of the following describe the roles in risk management of the board of directors in your organization?
Receipt and review of regular risk management reports
Review and approval of overall risk management policy and/or Enterprise Risk Management (ERM) framework
Approval of the risk appetite statement
Approval of individual risk management policies, e.g. for market, credit, liquidity, or operational risk
Approval of risk management framework adopted by management
Executive sessions with Chief Risk Officer (CRO)
Approval of the charters of management risk committees
Review of the compensation plan to consider its impact on risk factors

² Getting Bank Governance Right, Deloitte Center for Banking Solutions, August 2009, Deloitte Development LLC.

"Risk management today is a governance function: the board and the audit committee are more focused than they ever were on enterprise risk. It is more and more common for the risk function to report directly to the board. The expectations around the level and thoroughness of key risk management documentation have greatly increased."
Chief Risk Officer, diversified financial services company

Role of the board of directors
Survey findings showed that for more than 80% of the organizations, the board of directors receives and reviews regular reports on the risk management program and approves the ERM policy and framework (see Figure 5).

This is in line with the regulatory requirements and good corporate governance expectations. The prudential guidelines issued by banking regulators and circulars issued by insurance regulators across the region emphasize the need for active board oversight over the risk management process within the organization.

Approximately 50% of the respondents indicated that the board is involved in approving the risk appetite statement. This could be due to the fact that approximately a third of the respondents (33.9%) indicated that they have not yet defined a statement of the company's risk appetite.

With regard to the information reported to the board, there was consensus on a Quarterly Risk Report which contained the various components of the ERM program as a key deliverable. A majority of the respondents indicated that risk concentration (85.2%) and operational failures (78.7%) were critical reporting items to the board. Risks facing new products or business and new emerging risks were also vital information reported to the board (see Figure 6).

On the question of who within the organization receives risk reporting, the board topped the list at 90.2%, indicating visibility of the risk agenda by the board. Management risk committees, CEOs and CFOs were also recipients of the risk reports (Figure 7).

Across the survey sample, it is evident that risk management oversight is most often a board-level responsibility; current regulatory guidance and best practice reinforce this practice.

Figure 6: Which of the following type of risk information does your organization currently report to the board of directors?
[Bar chart. Categories: Risk concentration; Operational failures; Stress testing; New and emerging risks; Utilization vs. limits; New product and business; Risk exceptions reporting; Code of the ethics violations; Systemic risk; Shareholder/customer complaints; None]

Figure 7: Which of the following individuals or groups receive risk reporting at the enterprise level?
[Bar chart. Categories: Board of Directors and/or designated Board Risk Committee; Management Risk Committee; CEO and/or CFO and/or CCO and/or CIO (Chief investment Officer) and/or Treasurer; CRO; Business Unit Heads (executive level)]

Increasing role of the CRO
The presence of a Chief Risk Officer (CRO) who is a member of the senior management team may help risk management efforts and initiatives receive appropriate high-level attention. 82% of the respondents indicated having a CRO or equivalent with only 6 respondents indicating that they do not have this in place (Figure 8). While the name may vary across organizations (e.g. Head of Risk, Manager - Risk) the core functions performed seem to be very clearly articulated with defined risk management responsibilities. Out of those without a specific CRO function, risk management responsibilities are carried out by the Head of Internal Audit, Head of Operations or the CFO (Figure 9).

Some of the respondents indicated that they were at an advanced stage of engaging a CRO or were looking to recruit a Risk and Compliance Officer.

Not only is the CRO position more prevalent, generally he or she is also increasingly reporting to higher levels within the organization and playing a more strategic role. 53% of the organizations have the CRO reporting functionally to the board or a board level committee while 43% report to the CEO. 3% report to the CFO.

The CRO and the enterprise risk management group have more responsibilities and a higher profile. More than 80% of respondents said these responsibilities included developing and implementing the risk management framework, developing risk reporting mechanisms, chairing or participating in management risk committees and escalating risk issues to the CEO or the board (Figure 10).

Probably due to the fact that the value of the risk appetite has not grown in prominence, only 53% are involved in calculating the firm's appetite for risk. In addition, since Basel II and Solvency II are not mandatory requirements within this region, only 21% are involved in calculating and reporting of economic and regulatory capital.

Figure 8: Does your organization have a Chief Risk Officer (CRO) or equivalent?
Yes: 82.4%
No: 17.6%

Figure 9: If your organization does not have a Chief Risk Officer (CRO), who manages or is responsible for coordinating Risk Management within the organization?
Head of Internal Audit
Head of Operations
Head of Credit (0%)
Head of Finance/CFO
IT Manager (0%)
46.2%, 15.4%, 38.5%

Figure 10: What are the responsibilities of the Chief Risk Officer (CRO)?
Developing and maintaining risk management framework
Developing risk reporting mechanisms
Chairing or participating in management risk committees
Escalating issues to the CEO or board of directors
Developing and documenting the institution's risk appetite statement
Calculating and reporting of economic and regulatory capital

Infusing risk management throughout
theorganization
New business initiatives
New product launches, mostly riding on
mobile-commerce, coupled with greenfield or
acquisition-related regional expansion have characterized
the financial services industry in the recent past. These
events have an important bearing on risk management
with regulators and media analysts increasing their focus
in this area. 87% of the respondents indicated that risk
considerations are incorporated during these strategic
decisions and new product launches.
In their business and product approval process,
almost all institutions reported considering more
than traditional major risk types - operational (95%),
regulatory (89%) and market (81%) (see Figure 11).
Also considered with increasing importance were
strategic, liquidity, foreign exchange volatility and
country risk. While these were not rated, they were
highlighted as part of the "Other" category to indicate
their relative importance during decision making. In
particular, liquidity and foreign exchange volatility are
critical as most of the companies operate as regional
entities with their head offices being in one of the East
African countries, South Africa or Nigeria and therefore
have to consider the impact of any foreign exchange
translation whether for revenue, tax or intercompany
transactions settlement and reporting.
Aligning risks and performance measures
The incorporation of risk management responsibility
into performance goals has become a key leading
practice. The objective is that employees, especially
those with the authority to take decisions that entail
significant risk, have incentives to consider the risk
associated with those decisions. The survey identified
that 81% have incorporated risk management
considerations into performance goals across
the organization. An almost similar number indicated
that risk management is incorporated in both senior
management and business unit personnel performance
measures (see Figure 12).
The importance of aligning compensation and
incentive plans with appropriate risk taking has received
increasing attention particularly in the US and Europe
arising from the global financial crisis. In September
2009, the Financial Stability Board issued a report on
the standards for sound compensation practices that
identified the importance of having independent and
effective board oversight of compensation policies
and practices³. This is particularly critical in the face
of the corporate governance breaches reported in
the recent past and related management failures.
Figure 11: Which of the following type of risk information does your organization
currently report to the board of directors? (Select all that apply)
[Bar chart, axis 0% to 100%. Categories: Operational, Regulatory, Credit, Legal, Reputational, Market]
Figure 12: Has the organization incorporated risk management considerations into
performance goals across the organization?
Yes
No
19.4%
80.6%
3 FSB Principles for Sound Compensation Practices, Financial Stability Board, September 25, 2009
Figure 13: Does your organization have an Enterprise Risk Management (ERM)
program or equivalent?
Yes, program in place
Yes, currently implementing one
No, we don't have an enterprise-wide program.
It focusses on a limited aspect e.g. Operations,
IT and Credit Risk.
No we don't have one / I don't know
30.6%
38.8%
27.4%
3.2%
Enterprise Risk Management
a work in progress
An enterprise risk management (ERM) program is meant to
set the overall framework and methodology for how a company
manages risks. ERM provides an institution with the tools to
clarify its risk appetite and the risk profile, and to evaluate risks
across the organization. By adopting a comprehensive approach
to risk identification and assessment, ERM can help identify
many dependencies or inter-relationships among risks that might
otherwise go unnoticed.
Understanding of the root causes of risk factors and their correlation
can be accelerated by an effective ERM program. Looking at risk
from an integrated perspective can bring new insights and provide
transparency into the overall impact of risk on the institution.
Enterprise risk management continues to command a great deal of attention
in the financial services industry. The appeal is clear: ERM aims to bring
a holistic organization-wide and standardized risk management process to
financial institutions and provide them with an integrated view of risks
they face. The goal is to have a consistent reporting of information across
the enterprise, perhaps through a risk dashboard that provides relevant
information for individuals in varying roles throughout the organization
based on standardised information.
Despite its appeal, however, implementation of ERM
is fairly limited with only 31% of the organizations
surveyed indicating that they have a fully implemented
ERM program. However 39% indicate that they are
in the process of implementing one. Another 27%
do not have an enterprise-wide program but rather one
focused on limited aspects such as credit, operations
and IT (Figure 13).
ERM Program coverage
Among survey respondents, ERM programs almost
always covered the major traditional risk categories
of credit risk (92%), liquidity risk (90%), regulatory/
compliance risk (90%), and market risk (85%) (see
Figure 14).
New risk categories such as operational (95%),
strategic (80%), reputation (83%) and IT security (75%)
have also emerged as critical focus areas.
Strategic and reputation risks have become critical given
the current competitive landscape due to new, more
established entrants from more advanced markets,
effects of mergers and acquisitions and greater scrutiny
by the media (including social media).
Regulatory and compliance risks have also grown in
prominence due to the increasing focus insurance,
banking and capital market regulators are placing
as a consequence of adopting the risk-based
supervision model.
IT risk and business continuity risks have also emerged
due to the increased investments and pervasive use
of IT across organizations. Fraud perpetrated through
IT systems has also contributed to the growth of this
risk type.
Other risks such as liquidity are critical given
the recent foreign exchange volatility which affected
the economies of the East African countries.
The coverage of a wide range of risks by an ERM
program allows the risk function to contribute more
effectively to strategic decisions, because it has a more
comprehensive view of risks across the organization.
Linkage to Internal Audit
Internal Audit is regarded as the third line of defense
after management implementation of controls (first
line of defense) and risk management program and
procedures (second line of defense).
59% of the respondents indicated that ERM is
integrated and linked to the internal audit plan.
This means that their internal audit plan is based on
prioritized risks identified through an ERM process.
A further 25% indicated that this is not formalized
as yet (Figure 15).

Figure 14: What major risk areas in your organization does your ERM
program cover? (Select all that apply)
[Bar chart, axis 0% to 100%. Categories: Operational risk, Credit risk, Market risk, Liquidity risk, Strategic risk, Regulatory/Compliance risk, Legal/Litigation risk, IT Security risk, Business Continuity risk, Hazard or Insurable risks, Reputation risk]
Figure 15: Is ERM integrated and linked to the Internal Audit Plan i.e. annual internal audit
plan is based on prioritized risks identified through an ERM process?
Yes
No
Not formalised / Not sure
25.4%
15.3%
59.3%
"We are formalizing our risk program at the enterprise
level, and we are getting more disciplined about
measuring not only individual risks, but also what
the overall potential impacts of those risks are."
Chief risk officer, diversified financial services company
Risk Appetite
To support the effectiveness of an ERM program,
an institution should consider having an approved
enterprise-level statement of risk appetite. Only
23% have their risk appetite both quantitatively and
qualitatively defined with a further 13% having it either
qualitatively or quantitatively defined. 23% are in
the process of seeking approval for their risk appetite
statement while 34% do not have the risk appetite
statement (see Figure 16).
Financial institutions can benefit from having an explicit
statement of risk appetite, reviewed and approved by
the board of directors as an important part of their
oversight responsibilities. The risk appetite statement
can then be translated into specific limits and tolerances
for business and for specific risk categories.
In translating the risk appetite into specific risk
limits, 62% translated it into business unit level
while the remainder has it at the enterprise level.
Establishment of risk limits for different categories of
risk can be an important step towards monitoring that
an institution's activities are consistent with its risk
appetite.
Value of ERM
ERM programs allow institutions to achieve a holistic
view of risk across risk categories and lines of business.
Those organizations that have implemented ERM are
already recording gains. This is evidenced by the fact
that 85% of the respondents felt that the value of their
ERM program was greater than its cost; however many
concede that it was difficult to quantify the value of
ERM. There are still 14% who have not seen the value
of their ERM program.
Although the full value of ERM may not be easily
quantified, most respondents felt the ERM provided
significant value in specific areas - an improved
understanding of risk and controls (51%), enhanced risk
culture and a better balance of risk and rewards (41%),
increased ability to escalate critical issues to senior
management (41%) and improved perceptions by
the regulators (27%)⁴. The average rating across the
4 value-scores was 2, indicating that most believed that
the ERM provided significant value (see Figure 17).
Figure 16: Does your organization have an enterprise level statement of Risk Appetite?
No, we do not have a statement of our firm's risk appetite
We are currently developing or seeking approval for our risk appetite
We have an informally defined or not approved statement of risk appetite
Yes, our risk appetite is qualitatively defined and approved
Yes, our risk appetite is quantitatively defined and approved
Yes, our risk appetite is quantitatively and qualitatively defined and approved
22.6%
33.7%
22.6% 8.1%
6.5%
6.5%
Figure 17: On a scale of 1-5 where one is most and 5 is least, in what areas does ERM
provide most significant value?
[Bar chart of average ratings. Categories: Enhanced risk culture and a better balance of risk and rewards; Improved understanding of risk and controls; Improved perceptions by the regulators; Increased ability to escalate critical issues to senior management]
4 Rated on a scale of 1-5 where 1 is most and 5 is least
ERM implementation challenges
While ERM has delivered significant value, there are
challenges of implementing an effective ERM program.
The top rated issue was integrating risk data across
the organization, which was rated as an extremely
or significant challenge by 70% of the respondents.
Closely following this was having the appropriate skills
at 64%. Having appropriate risk methodologies and
metrics was also a key concern at 63%, coupled with
developing, implementing or selecting the right risk
technology system(s) at 61%. Lack of a risk culture and
awareness within the organization was also identified
as a key challenge at 61% (Figure 18).
The perennial complaint or excuse on lack of budget
and getting support from top management and
the board were not rated as key challenges. These
were rated at 24% and 22% respectively. This is a very
insightful finding as it indicates that there is active
support from the top management and the board to
ERM programs.
Establishing common data standards and definitions is
an important element in successful data integration.
(See "Risk management systems and infrastructure"
later in this report).
Institutions also recognize that they may need
methodologies and metrics that have the flexibility
to respond to the evolving requirements of boards of
directors, senior management and regulators. Having
the right talent that is sufficiently experienced and
competent to provide value and drive the ERM program
is vital. However the challenge is in attracting and
retaining such talent in the face of the huge demand in
the industry.
These findings are understandable. Periods of
market instability, such as the recent exchange rate
volatility, can severely test the information capabilities
of financial institutions. Such times help highlight
the importance of the ability to aggregate risk data
across the organization from different lines of business
to achieve a consolidated view of an organization's risk
profile - for example when assessing counterparty risk or
exposures to particular markets which impact different
business areas.
Figure 18: What are the greatest challenges of implementing an effective ERM program in
your organization?
[Bar chart, axis 0% to 80%. Categories:]
Integrating risk data across the organization
Lack of appropriate data, including data integrity issues
Developing, implementing or selecting the right risk technology system(s)
Having appropriate risk methodologies and metrics
Having the appropriate skills
Getting support from top management and the board
Lack of budget
Lack of a risk culture and awareness within the organization
Stress Testing
Since the global financial crisis, there has been
increased attention on managing systemic risk. Systemic
risk refers to the potential likelihood that risk events
affecting one institution could threaten the financial
system as a whole.
Stress testing is one tool that financial institutions can
employ to help prepare for potential systemic risks
by assessing the potential impact of extreme, but
rare, events. 59% of the organizations represented
by the respondents of the survey carry out stress
testing. Half of the respondents indicated that they
carried out stress testing on a quarterly basis, 32% of
the respondents do it on a monthly basis while 14%
have an annual stress test exercise. Most respondents
however added the caveat that the frequency is
amended if the underlying key parameters in the stress
tests change.
There are however 41% of the respondents who
do not undertake stress testing. While these could
be in the insurance sector where stress testing is not
a mandatory requirement, there is scope for carrying
out the stress testing to ensure the organization is
prepared for unexpected events or rapid changes in
underlying business assumptions (see Figure 19).
Given the speed and volatility of financial markets,
financial institutions may benefit from conducting stress
tests more often than quarterly or annually, to enable
the more timely identification of risks, unexpected
events and rapid changes in underlying assumptions.
Figure 19: Does your organization perform stress tests?
Yes
No
40.7%
59.3%
Implementation of industry standards
Basel II⁵ and Solvency II⁶ are critical industry standards
for the banking and insurance industry respectively.
While both are not mandatory standards to be
adopted within East Africa, we sought to find out
the level of preparedness or adoption state of players
in the sector. 25% of the organizations are already
implementing the standards in phases while 3% have
fully implemented them. 59% indicated that they are
moderately prepared while 12% are not prepared at all.
Those that have implemented the standards are possibly
subsidiaries of organizations that have mandatory
compliance requirements from their parent company
jurisdiction (see Figure 20).
36% of the respondents identified lack of sufficient
data to meet the industry standards requirements
as the most significant obstacle to their implementation
if compliance to these standards were to be made
mandatory in East Africa. 26% felt that lack of suitably
qualified personnel in the market would hinder their
implementation while 22% identified lack of budget
resources. Other challenges to their implementation
included: lack of affordable technology systems in
the market, customizing the framework to the local
settings in terms of capital adequacy requirements and
possible inconsistent application of the rules across
the industry players (see Figure 21).
Figure 20: In your view, how prepared is your organization to adopt and implement
international industry standards such as Basel II, Solvency II etc. if the regulator
were to enforce mandatory compliance?
We are implementing the standards in phases
Moderately Prepared
We have fully implemented the standards
Not prepared
11.9%
3.4%
59.3%
25.4%
Figure 21: In your view, what are the key challenges that may face your organization or your
industry if compliance to the above industry standards were to be made compulsory?
Lack of suitably qualified, skilled or experienced personnel in the market
Lack of sufficient data to meet the industry standards requirements
Lack of affordable technology systems in the market
Insufficient budget to be able to implement the industry standards
22.4%
25.9%
15.5%
36.2%
5 Basel II was designed to improve the risk sensitivity of an institution's regulatory capital measures and requires improved measurement of credit, market and operational risks.
Basel III is designed to provide the financial system with higher levels of tangible capital, more liquidity and greater transparency. www.bis.org
6 Solvency II is a revised capital adequacy regime developed by European Union regulators that will determine minimum and solvency capital levels for insurers. It employs a three-pillar
approach applied across individual risk categories of market, credit, liquidity, operational and insurance risk and is designed to reflect risks more accurately than current
standards. The Solvency II directive is planned for implementation on October 31, 2012, though there is discussion to delay implementation until January 1, 2013. (Delivering
Solvency II, Financial Services Authority, June 2010)
Addressing the Full Range of Risks
Figure 22: On a scale of 1 to 5 with 1 being the highest, how effective is your
organization in overall risk management?
[Bar chart of ratings 1 to 5.]
Figure 23: How effective do you think your organization is in managing each of the following types of risks?
[Bar chart. Categories: Budgeting/financial, Business Continuity, Credit, Fraud, Data integrity, Human Capital, IT Security, Legal, Liquidity, Market, Privacy, Regulatory/compliance, Reputation, Strategic, Systemic, Tax, Vendor/service provider. Legend: Very Effective, Somehow Effective, Effective, Not Effective]
A critical challenge facing risk management is achieving a comprehensive
view of all the varied risks a financial institution faces, yet many institutions
have much more to achieve in this regard. While some institutions seem to
take a broad view of managing the full range of risks, others appear to be
still focussed on the traditional areas of market, credit and liquidity risks.
Overall, most executives rated the effectiveness of their
ERM programs as either 2 or 3 on a scale where 1 is
highest. While most organizations lie at the mid-point
indicating the need for more focus and action, 5%
rated their ERM programs as highly effective (score
of 1). ERM implementation is still a work-in-progress
for most organizations. This mirrors the continuous
evolution of ERM within organizations and the reality
that every organization is at various stages of
implementation (Figure 22).
In terms of specific risk types, most organizations
felt that their ERM programs were most effective in
managing liquidity and financial/budgeting risk. This
is probably explained by the fact that financial risk
management is the path of least resistance during
the initial stages of an ERM program implementation.
In addition, the quantitative nature of financial and
liquidity risks lends them to easy management. Liquidity
risk management has gained prominence given
the huge increase in interest rates which also impacts
access to short term working capital and ability to fund
operations using overdrafts.
Credit, tax and regulatory risks were also identified as
areas where ERM is growing in effectiveness, possibly
due to the already existent regulatory oversight.
Business continuity, IT security, legal, human capital
and data integrity risks were highlighted as areas where
the ERM program has not been effective (Figure 23).
Liquidity risk management
An increase in the cost of credit has put the spotlight
on liquidity risk management. In response, most
organizations have strengthened liquidity risk
management function (70% of respondents) or
amended their liquidity management policies (65%
of respondents). Other responses include: diversified
funding sources (56%); maintain liquid asset portfolios
(53%); revised contingency funding strategy (54%); and
revision of contingent funding strategy (54%).
Maybe due to the level of maturity, availability and
cost, the least favored approach was to decrease use
of collateralized funding, such as repo and securities
lending.
The banking industry in the region has witnessed
a rush to build large liquidity buffers through shifting
from shorter term wholesale sources of funding to
longer term and more stable funding sources such
as from deposit taking. Institutions are recognizing
that the scenarios and assumptions used for liquidity
also need to be as rigorous as those used for capital
planning, with some establishing consistent economic
scenarios across capital and liquidity (see Figure 24).
Figure 24: Which of the following steps has your organization taken in response to the liquidity environment over the last two years?
[Bar chart. Categories:]
Strengthened liquidity risk management function
Enhanced liquidity stress testing
Maintained liquid stress testing
Maintained liquid asset portfolios
Improved policy
Added coordination between treasury and risk management
Revised contingency funding strategy
Diversified funding sources
Increased coordination between liquidity and capital planning
Improved analysis of contingent and off balance sheet positions
Improved treasury and Anti-Money Laundering (AML) systems
Revised analytics methodologies
Increased data requirements
Increased committed lines of credit
Decreased position limits
Integrated treasury function with risk management function
Changed funds transfer pricing methodology
Decreased use of collateralized funding, such as repo and securities lending
Operational risk management
Operational risk - risk arising from internal or failed
internal processes, human behaviour (including fraud)
and systems or from external events - has always been
on the radar screens of financial institutions as this
affects their core business. Across all options, most
respondents indicated they had substantially and
not fully implemented operational risk management
measures to manage these risks. Identification of risk
types and development of risk mitigation measures
were rated as areas where the operational risk
management was fully implemented.
Creating metrics for monitoring each type of
operational risk and developing methodologies
to quantify risks were identified as areas where
the operational risk measures had not been
implemented.
Given the recent cases of fraud perpetrated mostly
through the IT systems or collusion by staff, there
is scope for ensuring that robust operational risk
identification, assessment, management and mitigation
are implemented (Figure 25).
Capability of the operational risk management
technology platforms was rated as somewhat capable
by a majority of the respondents. Scenario analysis
and operational risk capital calculations were identified
as key challenges in these technology solutions.
While most of the systems are quite good in data
gathering, it is the data analysis and reporting that will
prove the key value-add from these systems (Figure 26).
Figure 25: To what extent has your organization implemented the following aspects
of operational risk management?
[Bar chart. Legend: Fully implemented, Not Implemented, Substantially implemented. Categories:]
Creating metrics for monitoring each type of operational risk
Developing methodologies to quantify risks
Developing operational risk mitigation strategies including insurance
Gathering relevant data
Identifying risk types
Rolling out a formal operational risk training program
Standardizing documentation of the process and controls
Figure 26: How capable are your organization's operational risk management
technology platforms in the following areas?
[Bar chart. Legend: Extremely/very capable, Not capable / Not sure, Somewhat capable. Categories: Causal event analysis, Data gathering, Operational risk capital calculations, Reporting, Risk assessments, Scenario analysis]
Regulatory reform
Across the East African region, there has been increased
regulatory reform with regulators keen on playing
an active rather than a passive role in the affairs of
the industry. Risk-based supervision has gained currency
coupled with more demanding regulatory requirements.
While this has led to greater stability in the financial
services sector with muted cases of failures or statutory
management, this has increased the need to ensure
greater compliance levels.

Organizations indicated that regulatory reform has
resulted in an increase in the cost of compliance and
the need to hold higher capital levels. Both of these
were rated at similar levels, indicating the significance of
regulatory reform. Costs of compliance include systems,
processes and human resources to monitor and ensure
compliance. Higher capital levels, on the other hand,
explain the rights issues, recapitalization and mergers
that have occurred within the industry. The increase
in minimum capital levels for insurance companies in
Kenya and Uganda could also be a contributing factor
to this rating.

Maintaining higher liquidity was also identified
as a consequence of the regulatory reform and may be
explained by the tightening of the inter-bank lending
rates.

16% of the respondents, however, point out that
regulatory reform has not had any impact on their
business, which could point to institutions that
are subsidiaries of parents with tighter regulatory
requirements.

East Africa financial sector regulations have, however,
not undergone the radical change experienced in
the US and in Europe. This is probably as a consequence
of the fact that our economies were largely shielded
from the credit crisis, with no direct impact per
se. However, we believe the regulators are keenly
observing the market conditions and slowly introducing
regulations based on learnings from the developed
market (Figure 27).

As a consequence of the recent credit crisis in the global
arena and volatility in the local markets, 52% indicated
that they now communicate the organization's issues
to the regulator in a timely manner so as to arrive at
consensus rather than adopting a reactionary posture.
20% are now proactively engaging regulators so as to
identify regulator concerns early enough to inform
quick resolution (Figure 28).
Figure 27: Which of the following impacts on your business have resulted from regulatory
reform in the major jurisdictions where you operate?
Noticing an increased cost of compliance
Maintaining higher liquidity
Maintaining higher capital
Adjusting certain product lines
No significant impacts
15.5%
6.9%
22.4%
27.6%
27.6%
Figure 28: In light of the recent credit crisis, in which of the following ways have you
changed the way you address/manage regulatory concerns?
Meet with regulators on a more frequent basis
Enhance the organization's infrastructure to support heightened security
Communicate the organization's issues in a more timely manner
27.6%
20.7%
51.7%
Undoubtedly, gallant efforts have been made by many
key players in the Financial Services Industry to mitigate
the impact of fraud on their operations and safeguard
stakeholder value. These efforts notwithstanding, both
the magnitude and pervasiveness of fraud in the industry
have progressively increased. This can be attributed
to a mismatch between the level of sophistication of
the fraud, and the tools and techniques being deployed
by the industry players to contain the fraud. In view
of this, it is imperative for all players in the industry
to invest in the right systems, processes and people,
underpinned by robust technology, in order to mitigate
the impact of fraud and ultimately safeguard stakeholder
value.
Robert Nyamu, Director, Forensic and Litigation Support Services
Risk Management Systems and Technology Infrastructure
Figure 29: Please select the risk management system in use in your organization:
Legacy-wide risk management system
Business continuity management system
Credit risk management system
IT security incident and event management (SIEM) system
17.4%
8.7%
73.9%
Figure 30: Please rate the following (from Major Concern to No Concern)
in accordance with your concerns over the technology systems
[Chart. Legend: Major concern; Moderate concern; No concern. Items rated: High cost of maintenance and vendor fees; Lack of integration among systems; Lack of flexibility to extend the current systems; Lack of performance for more frequent and timely reporting; Lack of sufficient data/data integrity issues; Out of date methodologies.]
Information technology is a vital element of risk management capabilities
and acts as a key enabler to its effectiveness. However, our survey shows that
many institutions continue to struggle with many fundamental technology
challenges. Only 40% of the organisations surveyed have a dedicated risk
management technology solution.

Most of the respondents, however, clarified that
they have several sub-systems, at various levels of
sophistication, that address specific risks. Legacy risk
management system (incorporating a spreadsheet
solution) was rated as the most prevalent in the industry
while credit management systems were identified
as the second most common solution. The prevalence of credit
management solutions could be due to the need
to score and evaluate the credit rating of potential
customers prior to advancing loan facilities (Figure 29).

The reason for the low implementation of dedicated
risk management technology platforms could be
the fact that most organizations still view risk from a silo
perspective, hence the disparate systems to
manage each specific risk. In addition, there are some
industry players who are still in the formative stages
of developing the risk frameworks and risk registers.
An example is the Kenya insurance industry, where
the regulator only recently required the establishment of
dedicated risk management functions.

Possibly as a consequence of their perceived prohibitive
cost, 61% rated high cost of maintenance and vendor
fees as a major concern over the technology systems.
Integration, a long standing issue when it comes to
technology, was rated as the second most significant
concern by the industry. This result may reflect both
the complexity of the integration challenge and
the important role integration plays in achieving a more
strategic view of risk. Other issues tied to this were lack
of sufficient risk data, data integrity issues (46%) and
inability to extend the current legacy systems (Figure 30).
Figure 31: Over the next 12 months, how much of a priority are improvements to the following areas of your risk technology capabilities?
[7] Risk Management Lessons from the Global Banking Crisis of 2008, Senior Supervisors Group, October 21, 2009
In terms of priority, risk data quality and management
was identified by most respondents as being critical in
the next 12 months as organizations seek to improve
their risk technology capabilities. Capabilities to
calculate the regulatory capital requirements and the ability to
manage and monitor operational risk and compliance
risks were also highlighted as vital priority areas over
the next 12 months (Figure 31).

The ability to quickly integrate risk information in
a consistent format across the organization will help
institutions gain a comprehensive picture of their overall
risk profile, as well as the risk associated with individual
counterparties. The global financial crisis highlighted
the importance, and the difficulties, of achieving
an integrated and seamless approach to risk data.
In their October 2009 report, the Senior Supervisors
Group cited the complexity of the financial industry's
technology infrastructure as a key hindrance in
identifying and measuring risk within the financial
system [7].

The value to be gained from formal risk technology
infrastructure is clear: it helps provide
more consistent and reliable risk information,
enhances the capabilities of technology infrastructure
to support new functional requirements needed
by the business, and supports effective regulatory
compliance, increased stress testing and enhanced risk
reporting capabilities.
[Figure 31 chart. Legend: High priority; Moderate priority; Not a priority. Areas rated: Compliance management systems; Collateral management system; Economic capital; Enterprise-wide risk data warehouse development; Integrated market and credit risk measurement system; Integration of risk and compliance systems; Liquidity risk management systems; Operational risk measurement system; Regulatory capital calculation and reporting; Risk information reporting; Risk data quality and management; Specialized credit risk systems; Specialized market risk systems.]
Conclusion: The Road Ahead

Our first edition of the Deloitte East Africa Enterprise Risk Management
(ERM) Survey provides a comprehensive overview of the state of risk
management in the financial services industry within the region.
Just as important, it provides guideposts for understanding how risk
management will continue to evolve in the coming years and where
organizations can best focus their efforts.

Risk is clearly assuming greater visibility and priority
in financial organizations. In response, organizations
are continuing to formalize risk management and to
move responsibility for risk management to the highest
levels of the organization. Boards of directors have
an important role to play in providing active oversight
of risk management, including the approval of their risk
management framework and risk appetite. The CRO
position can provide an important focal point, helping
risk management receive adequate attention from senior
management and providing the board of directors with
independent views on key risk issues.

ERM program implementation is still a work in progress,
though those that have these programs in place are
already recording benefits and deriving value. Most
organizations have done a much better job of managing
traditional risks such as market, credit and liquidity
risks, though emerging risk types such as operational,
reputational, strategic and IT security are gaining
currency.

Looking ahead, we expect financial institutions will
focus on a number of different areas and undertake
various initiatives. Some organizations will begin or
advance their ERM program development efforts. Others
may include additional risk types within their ERM
program, particularly the less traditional and emerging
risks where the risk methodologies are not as developed
and the risks themselves less understood. Most will
seek to gain a comprehensive view of risks across
the organization and identify interdependencies.

To achieve such a comprehensive picture of the risks
they face, many organizations may need to consider
upgrading their risk management information systems
so they have consistent, quality risk data that can be
easily aggregated across products, geographies and
counterparties. Risk management talent will continue to
grow as more organizations invest in training and use
of in-house subject matter experts (e.g. an experienced
operations staff member who is moved to work within the ERM
function).

Regardless of the areas of focus within risk management
initiatives, it is clear that all financial services industry
players will be pressured to reduce costs. As a result,
they will look at both the efficiency and effectiveness
of their major risk management and ERM programs.
We encourage the organizations to address these
cost pressures by developing more integrated risk
and compliance programs, which will save money by
creating a more efficient solution and provide better
and more timely risk management information through
an integrated capability.

Progress within the industry has been real, yet the survey
makes it clear that many organizations have much
more to accomplish to truly achieve a comprehensive
approach that actively identifies, assesses and manages
the full range of risks they face. The trend towards
a strategic approach to risk management is likely to
continue, and those that take a leading role in this
evolution will be in a position to use risk management
as a key competitive tool.
Contacts
Nairobi
Julie Nyangaya
Partner, Enterprise Risk Services
Tel: +254 (0) 204230234
Email: jnyangaya@deloitte.co.ke
Urvi Patel
Senior Manager, Enterprise Risk Services
Tel: +254 (0) 204230012
Email: upatel@deloitte.co.ke
Michael Karanja
Manager, Enterprise Risk Services
Tel: +254 (0) 204230292
Email: mmkaranja@deloitte.co.ke
Joshua Ochola
Manager, Enterprise Risk Services
Tel: +254 (0) 204230735
Email: jochola@deloitte.co.ke
Deloitte Place
Waiyaki Way Westlands
P.O. Box 40092
Nairobi 00100 GPO
Kenya

Kampala
Fred Okwiri
Partner
Tel: +256 (0) 343850
Email: fokwiri@deloitte.co.ug
Adam Sengooba
Manager, Enterprise Risk Services
Tel: +256 (0) 417701154
Email: asengooba@deloitte.co.ug
3rd Floor Ruwenzori House
1 Lumumba Avenue
P.O. Box 10314
Kampala
Uganda

Dar es Salaam
David Nchimbi
Partner
Tel: +255 (0) 22216903
Email: dnchimbi@deloitte.co.tz
Janet Bolo
Manager, Enterprise Risk Services
Tel: +255 (0) 222116006
Email: jbolo@deloitte.com
10th Floor, PPF Tower
Cnr of Ohio Street & Garden Avenue
Dar es Salaam
Tanzania
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its
network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about
for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple
industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class
capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 182,000
professionals are committed to becoming the standard of excellence.
© 2012 Deloitte & Touche
