Risk management & control

The following is an excerpt from our Annual Report 2014, describing our risk governance framework and risk appetite principles.

Risk governance

Our risk governance framework operates along three lines of defense. Business management, as the first line of defense, own their respective risk exposures and are required to maintain effective processes and systems to manage their risks, including robust and comprehensive internal controls and documented procedures. Business management must also have appropriate supervisory controls and review processes in place to identify control weaknesses, inadequate processes and unexpected events. Control functions act as the second line of defense, providing independent oversight of primary and consequential risks. This includes setting risk limits and protecting against non-compliance with applicable laws and regulations. Group Internal Audit (GIA) forms the third line of defense, evaluating the overall effectiveness of governance, risk management and the control environment, including the assessment of how the first and second lines of defense meet their objectives.

These key roles and responsibilities for risk management and control are illustrated in the following chart and described below.

The Board of Directors (BoD) is responsible for determining the risk principles, risk appetite and major portfolio limits of the Group, including their allocation to the business divisions and Corporate Center. The risk assessment and management oversight performed by the BoD considers evolving best practices and is intended to conform to statutory requirements. The BoD is supported by the BoD Risk Committee, which monitors and oversees the risk profile of the Group and the implementation of the risk framework as approved by the BoD, as well as assessing the Group’s key risk measurement methodologies. The Corporate Responsibility Committee supports the BoD in fulfilling its duty to safeguard and advance the Group’s reputation for responsible corporate conduct. It reviews and assesses stakeholder concerns and expectations for responsible corporate conduct and their possible consequences for UBS, and recommends appropriate actions to the BoD. The Chairman of the BoD and the Audit Committee oversee the performance of Group Internal Audit.

The Group Executive Board (GEB) implements the risk framework, controls the Group’s risk profile and approves key risk policies.

The Group Chief Executive Officer (Group CEO) is responsible for the results of the Group, has risk authority over transactions, positions and exposures, and also allocates portfolio limits approved by the BoD within the business divisions and Corporate Center.

Business management comprises divisional and regional Presidents. The divisional Presidents are accountable for the results of their business divisions. This includes actively managing their risk exposures, and ensuring profit potential, risk, balance sheet and capital usage are balanced. The regional Presidents coordinate and implement UBS’s strategy in their region, jointly with the divisional Presidents and heads of the control and support functions. They have a veto power over decisions with respect to all business activities that may have a negative regulatory or reputational impact in their respective regions.

The Group Chief Risk Officer (Group CRO) reports directly to the Group CEO and has functional and management authority over Risk Control (including Compliance & Operational Risk Control) throughout the Group. Risk Control provides independent oversight of all primary and most consequential risks as outlined in “Risk categories.” This includes establishing methodologies to measure and assess risk, setting risk limits, and developing and operating an appropriate risk control infrastructure. The risk control process is supported by a framework of policies and authorities. Divisional and regional Chief Risk Officers have delegated authority for their respective divisions and regions. Further, authorities are delegated to risk officers according to their expertise, experience and responsibilities.

The Group Chief Financial Officer (Group CFO) is responsible for ensuring that disclosure of our financial performance meets regulatory requirements and corporate governance standards with clarity and transparency. The Group CFO is also responsible for the management of UBS’s tax affairs, treasury and capital, including management of funding and liquidity risk and UBS’s regulatory capital ratios. The Group CFO is also responsible for implementation of the associated control frameworks, with the exception of the control framework for treasury activities, for which responsibility is with Risk Control.

The Group General Counsel (Group GC) is responsible for implementing the Group’s risk management and control principles for legal matters, and for managing the legal function for the UBS Group. The Group GC is responsible for reporting legal risks and material litigation, and for managing legal, internal, special and regulatory investigations.

Group Internal Audit (GIA) independently, objectively and systematically assesses the adherence to our strategy, the effectiveness of governance, risk management and control processes at Group, divisional and regional levels, including compliance with legal, regulatory and statutory requirements, as well as with internal policies and contracts. GIA has a functional reporting line to the Audit Committee.

Risk appetite framework

Our risk appetite is defined as the aggregate level and types of risk that we are willing to accept or intend to avoid. It is established via a complementary set of qualitative and quantitative objectives defined on a Group-wide level and embedded throughout our business divisions and legal entities through Group, divisional and legal entity policies, limits and authorities. These objectives are a critical foundation to maintaining a robust risk culture throughout our organization and are aimed at ensuring that our reputation is protected at all times. The chart “Risk appetite framework” depicts the key elements of this framework, which are described further below.

Qualitative statements, reflected in the Group’s Risk Management and Control Principles, and various policies and initiatives, ensure we maintain the desired risk culture.

Quantitative risk appetite objectives relate Group-wide risk exposure to our risk capacity and are designed to ensure the Group’s resilience against the impact of potential severe adverse economic or geopolitical events. They cover areas such as the Group’s capital buffer, solvency, earnings, leverage and liquidity, and are subject to periodic review, including as part of the annual business planning process.

These objectives are complemented by operational risk appetite objectives, which are established for each of our operational risk categories, for example market conduct, theft, fraud, data confidentiality, and technology risks. Operational risk events which exceed risk tolerances set according to predetermined percentages of the firm’s operating income must be escalated to the divisional President or higher, as appropriate.

The status of risk appetite objectives is evaluated each month, and reported to the BoD and the GEB. Our risk appetite may change over time and, as a consequence, portfolio limits and risk authorities will be subject to periodic reviews and changes, in particular in the context of the annual business planning process. In addition, the escalation triggers embedded in the firm’s Recovery Plan are drawn from the set of risk limits that management monitors on a routine basis.

Our risk appetite framework, which includes a formal risk appetite statement and is encompassed in a single, formal policy, conforms to the Financial Stability Board’s “Principles for An Effective Risk Appetite Framework” published on 18 November 2013.

Risk management and control principles

Protection of financial strength: Protecting the financial strength of UBS by controlling our risk exposures and avoiding potential risk concentrations at individual exposure levels, at specific portfolio levels and at an aggregate firm-wide level across all risk types.

Protection of reputation: Protecting our reputation through a sound risk culture characterized by a holistic and integrated view of risk, performance and reward, and through full compliance with our standards and principles, particularly our Code of Business Conduct and Ethics.

Business management accountability: Ensuring management accountability, whereby business management, as opposed to Risk Control, owns all risks assumed throughout the firm and is responsible for the continuous and active management of all risk exposures to ensure that risk and return are balanced.

Independent controls: Independent control functions which monitor the effectiveness of the business’s risk management and oversee risk-taking activities.

Risk disclosure: Disclosure of risks to senior management, the Board of Directors, investors, regulators, credit rating agencies and other stakeholders with an appropriate level of comprehensiveness and transparency.

For comprehensive information on risk management and control at UBS, please refer to the “Risk, treasury and capital management” section of our Annual Report 2014, available at www.ubs.com/annualreporting.