The following is an excerpt from our Annual Report 2019, describing our risk governance framework and risk appetite principles.

Risk governance

Our risk governance framework operates along three lines of defense. Our first line of defense, business management, owns its risk exposures and is required to maintain effective processes and systems to manage its risks, including robust and comprehensive internal controls and documented procedures. Business management has appropriate supervisory controls and review processes in place, which are designed to identify control weaknesses and inadequate processes. Our second line of defense is formed by the control functions, which are separate from the business and report directly to the Group CEO. Control functions provide independent oversight of risks, including setting risk appetite and protecting against noncompliance with applicable laws and regulations. Our third line of defense, Group Internal Audit, reports to the Audit Committee of the Board of Directors. This function evaluates the overall effectiveness of governance, risk management and the control environment, including the assessment of how the first and second lines of defense meet their objectives.

The Board of Directors (the BoD) is responsible for approving the risk management and control framework of the Group, including the overall risk appetite of the Group and business divisions. The BoD is supported by the BoD Risk Committee, which monitors and oversees the Group’s risk profile and the implementation of the risk framework as approved by the BoD, and approves the Group’s risk appetite methodology. The Corporate Culture and Responsibility Committee supports the BoD in fulfilling its duty to safeguard and advance the Group’s reputation for responsible and sustainable conduct. It reviews stakeholder concerns and expectations pertaining to UBS’s societal contribution and corporate culture. The Audit Committee supports the BoD in fulfilling its oversight duty relating to financial reporting and internal controls over financial reporting, the effectiveness of the external and internal audit functions, and the effectiveness of whistleblowing procedures.

The Group Executive Board (the GEB) has overall responsibility for establishing and implementing risk management and control in the Group. It manages the risk profile of the Group as a whole.

The Group Chief Executive Officer (the Group CEO) has responsibility and accountability for the management and performance of the Group, has risk authority over transactions, positions and exposures, and allocates risk limits approved by the BoD within the business divisions and Group Functions.

The business division Presidents are responsible for the success, risks, results and value of their business division. This includes controlling and administering the dedicated financial resources and risk appetite of the business division.

The regional Presidents facilitate the implementation of UBS’s strategy in their region, and have the mandate to inform the GEB of any activities and issues that may give rise to actual or potentially material regulatory or reputational concerns.

The Group Chief Risk Officer (the Group CRO) is responsible for the development of the Group’s risk management and control framework (including risk principles and risk appetite) for credit, market, country, liquidity, funding, model, and environmental and social risks. This includes risk measurement and aggregation, portfolio controls and risk reporting. The Group CRO is responsible for setting risk limits and approving credit and market risk transactions and exposures. Risk Control is also the central function for model risk management and control for all models used in the firm. The risk control process is supported by a framework of policies and authorities. The business division CROs are responsible for the implementation and enforcement of the risk management and control framework within their business division. The regional Chief Risk Officers provide independent oversight of risks within their region. The Group Chief Compliance and Governance Officer is responsible for ensuring that all operational risks, including compliance and conduct risks, as well as cyber and information security risks, are identified, owned and managed according to the firm’s risk appetite, supported by an effective control framework.

The Group Chief Financial Officer (the Group CFO) is responsible for transparency in and assessing the financial performance of the Group and the business divisions, and for managing the Group’s financial accounting, controlling, forecasting, planning and reporting processes in line with regulatory and financial reporting requirements, corporate governance standards and global best practice to maintain high quality and timeliness. Additional responsibilities include managing UBS’s tax affairs, as well as treasury and capital management, including funding and liquidity risk and UBS’s regulatory capital ratios.

The Group General Counsel (the Group GC) is responsible for managing the Group’s legal affairs and ensuring effective and timely assessment of legal matters impacting the Group or its businesses, and for the management and reporting of all litigation matters.

Group Internal Audit (GIA) independently assesses the effectiveness of processes to define strategy and risk appetite, as well as overall adherence to the approved strategy and the effectiveness of governance processes and of risk management at Group, business division and regional levels, including compliance with legal and regulatory requirements, as well as with internal policies, constitutional documents and contracts. The Head GIA reports to the Chairman of the BoD and, in addition, GIA has a functional reporting line to the BoD Audit Committee.

Risk appetite framework

Our risk appetite is defined at the aggregate Group level and reflects the types of risk that we are willing to accept or intend to avoid. It is established via a complementary set of qualitative and quantitative risk appetite statements defined at a firm-wide level and is embedded throughout our business divisions and legal entities by means of Group, business division and legal entity policies, limits and authorities. UBS is the largest truly global wealth manager and a leading personal and corporate bank in Switzerland, with focused investment bank and asset management divisions. We are subject to consolidated supervision by FINMA and related ordinances, which impose, among other requirements, minimum standards for capital, liquidity, risk concentration and internal organization. Our risk appetite is reviewed and recalibrated annually with an aim to ensure that risk-taking at every level of the organization is in line with our strategic priorities, our capital and liquidity plans, our pillars, principles and behaviors, as well as minimum regulatory requirements. The risk appetite statements are a critical foundation for maintaining a robust risk culture throughout our organization.

The “Risk appetite framework” chart below shows the key elements of the framework. These elements are described in more detail in this section.

Qualitative statements aim to ensure that we maintain the desired risk culture. Quantitative risk appetite objectives are designed to enhance the Group’s resilience against the effect of potential severe adverse economic or geopolitical events. These risk appetite objectives cover the Group’s minimum capital and leverage ratios, its solvency, earnings, liquidity and funding, and are subject to periodic review, including as part of the annual business planning process. These objectives are complemented by operational risk appetite objectives, which are established for each of our operational risk categories, such as market conduct, theft, fraud, data confidentiality and technology risks. A standardized financial firm-wide operational risk appetite has been established at the Group and business division level. Operational risk events that exceed predetermined risk tolerances, expressed as percentages of the Group’s operating income, must be escalated as per the firm-wide escalation framework to the respective Business division President or higher, as appropriate.

The quantitative risk appetite objectives are supported by a comprehensive suite of risk limits set at a portfolio level. These may apply across the Group, within a business division or business, at legal entity level, or to an asset class. These additional quantitative controls are typically bottom-up and are designed to monitor specific portfolios and to identify potential risk concentrations. Risk reports containing aggregated measures of risk across products and businesses provide insight into the amounts, types, and sensitivities of the various risks in our portfolios and are intended to ensure compliance with defined limits. Risk officers, senior management and the BoD use this information to understand our risk profile and the performance of the portfolios. The status of risk appetite objectives is evaluated each month and reported to the BoD and the GEB.

Our risk appetite may change over time. Therefore, portfolio limits and associated approval authorities are subject to periodic reviews and changes, particularly in the context of our annual business planning process. Our risk appetite framework is governed by a single overarching policy and conforms to the Financial Stability Board’s Principles for an Effective Risk Appetite Framework published in 2013.

Risk management and control principles

Protection of financial strength

Protecting UBS’s financial strength by controlling our risk exposure and avoiding potential risk concentrations at individual exposure levels, at specific portfolio levels and at an aggregate firm-wide level across all risk types

Protection of reputation

Protecting our reputation through a sound risk culture characterized by a holistic and integrated view of risk, performance and reward, and through full compliance with our standards and principles, particularly our Code of Conduct and Ethics

Business management accountability

Maintaining management accountability, whereby business management, as opposed to Risk Control, owns all risks assumed throughout the Group and is responsible for the continuous and active management of all risk exposures to provide for balanced risk and return

Independent controls

Independent control functions that monitor the effectiveness of the businesses’ risk management and oversee risk-taking activities

Risk disclosure

Disclosure of risks to senior management, the BoD, investors, regulators, credit rating agencies and other stakeholders with an appropriate level of comprehensiveness and transparency

For comprehensive information on risk management and control at UBS, please refer to the “Risk, treasury and capital management” section of our Annual Report 2019.