The following is an excerpt from our Annual Report 2020, describing our risk governance framework and risk appetite principles.

Risk governance

The Board of Directors (the BoD) approves the risk management and control framework of the Group, including the Group and business division overall risk appetite. The BoD is supported by its Risk Committee, which monitors and oversees the Group’s risk profile and the implementation of the risk framework approved by the BoD, and approves the Group’s risk appetite methodology. The Corporate Culture and Responsibility Committee helps the BoD meet its duty to safeguard and advance UBS’s reputation for responsible and sustainable conduct, reviewing stakeholder concerns and expectations pertaining to UBS’s societal contribution and corporate culture. The Audit Committee aids the BoD with its oversight duty relating to financial reporting and internal controls over financial reporting, and the effectiveness of whistleblowing procedures and the external and internal audit functions.

The Group Executive Board (the GEB) has overall responsibility for establishing and implementing a risk management and control framework in the Group, managing the risk profile of the Group as a whole. The Group Chief Executive Officer has responsibility and accountability for the management and performance of the Group, has risk authority over transactions, positions and exposures, and allocates business divisions and Group Functions risk limits approved by the BoD. The business division Presidents and Group function heads are responsible for the operation and management of their business divisions, including controlling the dedicated financial resources and risk appetite of the business division. The regional Presidents are responsible for cross-divisional collaboration in their region, and are mandated to inform the GEB of any activities / issues that may give rise to actual or potentially material regulatory or reputational concerns.

The Group Chief Risk Officer (the Group CRO) is responsible for developing the Group’s risk management and control framework (including risk principles and risk appetite) for credit, market, country, treasury, model, and environmental and social risks. This includes risk measurement and aggregation, portfolio controls and risk reporting. The Group CRO sets risk limits and approves credit and market risk transactions and exposures. Risk Control is also the central function for model risk management and control for all models used in UBS. A framework of policies and authorities supports the risk control process. The business division CROs are responsible for the implementation and enforcement of the risk management and control framework in the respective business division. The regional CROs provide independent oversight of risks in the respective region.

The Group Chief Compliance and Governance Officer is responsible for developing the Group’s operational risk framework, which sets the general requirements for identification, management, assessment and mitigation of operational risk, and for ensuring that all non-financial risks are identified, owned and managed according to the operational risk appetite objectives, supported by an effective control framework.

The Group Chief Financial Officer is responsible for transparency in assessing the financial performance of the Group and the business divisions, and for managing the Group’s financial accounting, controlling, forecasting, planning and reporting. Additional responsibilities include managing UBS’s tax affairs, as well as treasury and capital management, including funding and liquidity risk and UBS’s regulatory capital ratios. The Group General Counsel is responsible for managing the Group’s legal affairs (including litigation involving UBS) and ensuring effective and timely assessment of legal matters impacting the Group or its businesses, and for the management and reporting of all litigation matters.

The Group Chief Operating Officer is responsible for independent oversight and challenge of employment-related risks. Group Internal Audit (GIA) independently assesses effectiveness of processes to define strategy and risk appetite and overall adherence to the approved strategy. It also assesses the effectiveness of governance processes and risk management, including compliance with legal and regulatory requirements and internal governance documents. The Head GIA reports to the Chairman of the BoD. GIA also has a functional reporting line to the BoD Audit Committee. Some of these roles and responsibilities are replicated for certain significant legal entities of the Group. The legal entity risk officers are responsible for independent oversight and control of financial and non-financial risks for certain significant legal entities of the Group as part of the legal entity control framework, which complements the Group’s risk management and control framework. 

Risk appetite framework

Our risk appetite is defined at the aggregate Group level and reflects the types of risk that we are willing to accept or avoid. It is set via complementary qualitative and quantitative risk appetite statements defined at a firm-wide level and is embedded throughout our business divisions and legal entities by Group, business division and legal entity policies, limits and authorities. UBS is the largest truly global wealth manager and a leading bank in Switzerland. We are subject to consolidated supervision by the Swiss Financial Market Supervisory Authority (FINMA) and related ordinances, which impose, among other requirements, minimum standards for capital, liquidity, risk concentration and internal organization. Our risk appetite is reviewed and recalibrated annually, with an aim of ensuring that risk-taking at every level of the organization is in line with our strategic priorities, our capital and liquidity plans, our pillars, principles and behaviors, and minimum regulatory requirements. The risk appetite statements are critical for maintaining a robust risk culture throughout UBS. The “Risk appetite framework” chart below shows the key elements of the framework, which are described in detail in this section. Qualitative statements aim to ensure we maintain the desired risk culture. Quantitative risk appetite objectives are designed to enhance UBS’s resilience against the effect of potential severe adverse economic or geopolitical events. These risk appetite objectives cover UBS’s minimum capital and leverage ratios, solvency, earnings, liquidity, and funding, and are subject to periodic review, including the annual business planning process. These objectives are complemented by operational risk appetite objectives, which are set for each of our operational risk categories, including market conduct, theft, fraud, data confidentiality and technology risks. 
A standardized financial firm-wide operational risk appetite has been established at Group level and is embedded throughout our business divisions. Operational risk events exceeding predetermined risk tolerances, expressed as percentages of UBS’s operating income, must be escalated as per the firm-wide escalation framework to the respective business division President or higher, as appropriate. The quantitative risk appetite objectives are supported by a comprehensive suite of risk limits set at a portfolio level. These may apply across the Group, within a business division or business, at legal entity level, or to an asset class. These additional quantitative controls are designed to monitor specific portfolios and to control potential risk concentrations.

Risk management and control principles

Protection of financial strength

Protecting UBS’s financial strength by controlling our risk exposure and avoiding potential risk concentrations at individual exposure levels, at specific portfolio levels and at an aggregate firm-wide level across all risk types

Protection of reputation

Protecting our reputation through a sound risk culture characterized by a holistic and integrated view of risk, performance and reward, and through full compliance with our standards and principles, particularly our Code of Conduct and Ethics

Business management accountability

Maintaining management accountability, whereby business management, as opposed to Risk Control, owns all risks assumed throughout the Group and is responsible for the continuous and active management of all risk exposures to provide for balanced risk and return

Independent controls

Independent control functions that monitor the effectiveness of the businesses’ risk management and oversee risk-taking activities

Risk disclosure

Disclosure of risks to senior management, the BoD, investors, regulators, credit rating agencies and other stakeholders with an appropriate level of comprehensiveness and transparency

For comprehensive information on risk management and control at UBS, please refer to the “Risk, treasury and capital management” section of our Annual Report 2020.