Risk management & control

The following is an excerpt from our Annual Report 2016, describing our risk governance framework and risk appetite principles.

Risk governance

Our risk governance framework operates along three lines of defense. Our first line of defense, business management, owns its risk exposures and is required to maintain effective processes and systems to manage its risks, including robust and comprehensive internal controls and documented procedures. Business management has appropriate supervisory controls and review processes in place designed to identify control weaknesses and inadequate processes. Our second line of defense, the control functions, is independent from the business and reports directly to the Group CEO. Control functions provide independent oversight of risks, including setting risk limits and protecting against non-compliance with applicable laws and regulations. Our third line of defense, Group Internal Audit (GIA), reports to the Audit Committee of the Board of Directors and evaluates the overall effectiveness of governance, risk management and the control environment, including the assessment of how the first and second lines of defense meet their objectives.

The Board of Directors (BoD) is responsible for determining the risk principles, risk appetite and major portfolio limits of the Group, including their allocation to the business divisions and Corporate Center units. The BoD is supported by the BoD Risk Committee, which monitors and oversees the Group’s risk profile and the implementation of the risk framework as approved by the BoD, as well as assessing the Group’s key risk measurement methodologies. The Corporate Culture and Responsibility Committee supports the BoD in fulfilling its duty to safeguard and advance the Group’s reputation for responsible and sustainable conduct. It reviews and assesses stakeholder concerns and expectations pertaining to UBS’s societal performance and corporate culture and recommends appropriate actions to the BoD. The Group Executive Board (GEB) implements the risk framework, controls the Group’s risk profile and approves key risk policies.

The Group Chief Executive Officer (Group CEO) is responsible for the Group’s results, has risk authority over transactions, positions and exposures, and allocates portfolio limits approved by the BoD within the business divisions and Corporate Center units. The business division Presidents are accountable for the results of their business divisions. This includes actively managing their risk exposures, and ensuring profit potential, risk, balance sheet and capital usage are balanced. The regional Presidents coordinate and implement UBS’s strategy in their regions in conjunction with the business division Presidents and heads of the control and support functions. They have a veto power over decisions with respect to all business activities that may have a negative regulatory or reputational effect in their respective regions.

The Group Chief Risk Officer (Group CRO) is responsible for Risk Control. Risk Control independently oversees all primary risks and most consequential risks as outlined in the "Risk categories" section above. This includes establishing methodologies to measure and assess risk, setting risk limits, and developing and operating an appropriate risk control infrastructure. Risk Control is also the central function for model risk management, which includes the validation of models used in the firm. The risk control process is supported by a framework of policies and authorities. Business division and regional Chief Risk Officers have delegated authority for their respective divisions and regions. Moreover, authorities are delegated to risk officers according to their expertise, experience and responsibilities.

The Group Chief Financial Officer (Group CFO) is responsible for assessing and ensuring transparency in the financial performance of the Group and business divisions, and for ensuring that disclosure of our financial performance meets regulatory requirements and corporate governance standards. The Group CFO manages the Group’s and divisional financial control functions, including financial accounting, controlling, forecasting, planning and reporting processes. The Group CFO also provides external certifications under sections 302 and 404 of the Sarbanes-Oxley Act of 2002. Further responsibilities include managing UBS’s tax affairs, as well as treasury and capital management, including the management of funding and liquidity risk and UBS’s regulatory capital ratios. The Group General Counsel (Group GC) is responsible for implementing the Group’s risk management and control principles for legal matters, and for managing our legal function. Group Internal Audit (GIA) independently assesses the adherence to our strategy, the effectiveness of governance, risk management and control processes at Group, business division and regional levels, including compliance with legal, regulatory and statutory requirements, as well as with internal policies and contracts. GIA has a functional reporting line to the Audit Committee. The above roles and responsibilities are replicated for certain significant legal entities of the Group through the appointment of entity level Presidents, Chief Risk Officers, Chief Financial Officers and General Counsels.

Risk appetite framework

Our risk appetite is defined at the aggregate level and reflects the types of risk that we are willing to accept or intend to avoid. It is established via a complementary set of qualitative and quantitative risk appetite statements defined on a Group-wide level and is embedded throughout our business divisions and legal entities through Group, business division and legal entity policies, limits and authorities. These statements are a critical foundation to maintaining a robust risk culture throughout our organization. Qualitative statements aim to ensure we maintain the desired risk culture. Quantitative risk appetite objectives are designed to enhance the Group’s resilience against the impact of potential severe adverse economic or geopolitical events. These objectives cover areas such as the Group’s capital buffer, solvency, earnings, leverage, liquidity and funding, and are subject to periodic review, including as part of the annual business planning process. These objectives are complemented by operational risk appetite objectives, which are established for each of our operational risk categories, such as market conduct, theft, fraud, data confidentiality and technology risks. Operational risk events that exceed predetermined risk tolerances, expressed as percentages of the Group’s operating income, must be escalated to the respective business division President or higher, as appropriate. The quantitative risk appetite objectives are supported by a comprehensive suite of risk limits set at the portfolio level. These may apply across the Group, within a business division or business unit, at legal entity level, or to an asset class. These additional quantitative controls are typically bottom-up and are designed to monitor specific portfolios and to identify potential risk concentrations.

Risk reports aggregating measures of risk across products and businesses provide insight into the amounts, types, and sensitivities of the various risks in our portfolios and ensure compliance with defined limits. Risk officers, senior management and the BoD use this information to understand our risk profile and the performance of the portfolios.

The status of risk appetite objectives is evaluated each month and reported to the BoD and the GEB. Our risk appetite may change over time. Therefore, portfolio limits and associated approval authorities are subject to periodic reviews and changes, particularly in the context of our annual business planning process. In addition, recovery risk indicators embedded in the firm’s recovery plan are drawn from the set of risk limits that management monitors on a routine basis. Our risk appetite framework is encompassed in a single overarching policy and conforms to the Financial Stability Board’s “Principles for An Effective Risk Appetite Framework”, published in 2013.

Risk management and control principles

Protection of financial strength: Protecting UBS’s financial strength by controlling our risk exposure and avoiding potential risk concentrations at individual exposure levels, at specific portfolio levels and at an aggregate firm-wide level across all risk types

Protection of reputation: Protecting our reputation through a sound risk culture characterized by a holistic and integrated view of risk, performance and reward, and through full compliance with our standards and principles, particularly our Code of Conduct and Ethics

Business management accountability: Ensuring management accountability, whereby business management, as opposed to Risk Control, owns all risks assumed throughout the Group and is responsible for the continuous and active management of all risk exposures to ensure that risk and return are balanced

Independent controls: Independent control functions that monitor the effectiveness of the businesses’ risk management and oversee risk-taking activities

Risk disclosure: Disclosure of risks to senior management, the BoD, investors, regulators, credit rating agencies and other stakeholders with an appropriate level of comprehensiveness and transparency

For comprehensive information on risk management and control at UBS, please refer to the “Risk, treasury and capital management” section of our Annual Report 2016, available at www.ubs.com/annualreporting.