Risk management & control

The following is an excerpt from our Annual Report 2013, describing our risk governance framework and risk appetite principles.

Risk governance

Our risk governance framework operates along three lines of defense: business management, who own their risk exposures; control functions, which provide independent oversight of risks; and Group Internal Audit, which evaluates the overall effectiveness of the control environment. The key roles and responsibilities for risk management and control are described below:

The Board of Directors (BoD) is responsible for determining the Group’s risk principles, risk appetite and major portfolio limits, including their allocation to the business divisions and Corporate Center. The risk assessment and management oversight performed by the BoD considers evolving best practices and is intended to conform to statutory requirements. The BoD has a Risk Committee, which monitors and oversees the Group’s risk profile and the implementation of the risk framework as approved by the BoD, as well as assessing and approving the Group’s key risk measurement methodologies. The Risk Committee, in conjunction with the Chairman of the BoD and the Audit Committee, oversees the performance of Group Internal Audit.

The Group Chief Executive Officer (Group CEO) is responsible for the results of the Group, has risk authority over transactions, positions and exposures, and also allocates portfolio limits approved by the BoD within the business divisions and Corporate Center.

The Group Executive Board (GEB) implements the risk framework, controls the Group’s risk profile and approves key risk policies.

Business management comprises divisional and regional Chief Executive Officers. The divisional Chief Executive Officers are accountable for the results of their business divisions. This includes actively managing their risk exposures and ensuring profit potential, risk, balance sheet and capital usage are balanced. The regional Chief Executive Officers coordinate and implement UBS’s strategy in their region, jointly with the divisional CEOs and heads of the control and support functions. They have a veto power over decisions in respect to all business activities that may have a negative regulatory or reputational impact in their respective regions.

The Group Chief Risk Officer (Group CRO) reports directly to the Group CEO and has functional and management authority over Risk Control (including compliance) throughout the Group. Risk Control provides independent oversight of all primary and certain consequential risks as outlined in “Risk categories.” This includes establishing methodologies to measure and assess risk, setting risk limits, and developing and operating an appropriate risk control infrastructure. The risk control process is supported by a framework of policies and approval authorities. Divisional and regional Chief Risk Officers have delegated authority for their respective divisions and regions. Further, authorities are delegated to risk officers according to their expertise, experience and responsibilities.

The Group Chief Financial Officer (Group CFO) is responsible for ensuring that disclosure of our financial performance meets regulatory requirements and corporate governance standards as well as being leading practice in clarity and transparency. The Group CFO is also responsible for the management of UBS’s tax affairs, treasury and capital, including management of funding and liquidity risk and UBS’s regulatory capital ratios. Responsibility for implementation of the control framework for tax and funding risks resides with the Group CFO whereas responsibility for implementation of the control framework for treasury activities is with Risk Control.

The Group General Counsel (Group GC) is responsible for implementing the Group’s risk management and control principles for legal matters, and for managing the legal function for the UBS Group. The Group GC is responsible for reporting legal risks and material litigation, and for managing legal, internal, special and regulatory investigations.

Group Internal Audit (GIA) independently, objectively and systematically assesses the adherence to our strategy, the effectiveness of governance, risk management and control processes at Group, divisional and regional levels, including compliance with legal, regulatory and statutory requirements, as well as with internal policies and contracts. GIA has a functional reporting line to the Risk Committee and the Audit Committee.

Risk appetite framework

Our risk appetite framework contains both qualitative and quantitative risk appetite statements. The qualitative risk appetite statements comprise the risk management and control principles and various policies and initiatives that ensure we maintain the desired risk culture. The quantitative statements aim to ensure the Group’s resilience against the impact of potential severe adverse economic or geopolitical events, by setting objectives for the level of capital, earnings and liquidity that we seek to maintain even after experiencing severe losses over a defined time horizon. The framework is comprehensive in aggregating all material risks across the Group. The combination of the qualitative and quantitative risk appetite statements aims to protect our businesses and reputation in both normal and stressed environments.

Protection of financial strength: Protecting the financial strength of UBS by controlling our risk exposures and avoiding potential risk concentrations at individual exposure levels, at specific portfolio levels and at an aggregate firm-wide level across all risk types

Protection of reputation: Protecting our reputation through a sound risk culture characterized by a holistic and integrated view of risk, performance and reward, and through full compliance with our standards and principles, particularly our Code of Business Conduct and Ethics

Business management accountability: Ensuring management accountability, whereby business management, as opposed to Risk Control, owns all risks assumed throughout the firm and is responsible for the continuous and active management of all risk exposures to ensure that risk and return are balanced

Independent controls: Independent control functions which monitor the effectiveness of the business’s risk management and oversee risk-taking activities

Risk disclosure: Disclosure of risks to senior management, the Board of Directors, shareholders, regulators, rating agencies and other stakeholders with an appropriate level of comprehensiveness and transparency

For comprehensive information on risk management and control at UBS, please refer to the “Risk, treasury and capital management” section of our Annual Report 2013, available at www.ubs.com/annualreporting.