Risk management & control

The following is an excerpt from our Annual Report 2017, describing our risk governance framework and risk appetite principles.

Risk governance

Our risk governance framework operates along three lines of defense. Our first line of defense, business management, owns its risk exposures and is required to maintain effective processes and systems to manage its risks, including robust and comprehensive internal controls and documented procedures. Business management has appropriate supervisory controls and review processes in place designed to identify control weaknesses and inadequate processes. Our second line of defense is formed by the control functions, which are independent from the business and report directly to the Group CEO. Control functions provide independent oversight of risks, including setting risk limits and protecting against non-compliance with applicable laws and regulations. Our third line of defense, Group Internal Audit (GIA), reports to the Audit Committee of the Board of Directors and evaluates the overall effectiveness of governance, risk management and the control environment, including the assessment of how the first and second lines of defense meet their objectives.

The Board of Directors (BoD) is responsible for determining the risk principles, risk appetite and major portfolio limits of the Group, including their allocation to the business divisions and Corporate Center units. The BoD is supported by the BoD Risk Committee, which monitors and oversees the Group’s risk profile and the implementation of the risk framework as approved by the BoD, as well as assesses the Group’s key risk measurement methodologies. The Corporate Culture and Responsibility Committee supports the BoD in fulfilling its duty to safeguard and advance the Group’s reputation for responsible and sustainable conduct. It reviews and assesses stakeholder concerns and expectations pertaining to UBS’s societal performance and corporate culture and recommends appropriate actions to the BoD.

The Group Executive Board (GEB) implements the risk framework, controls the Group’s risk profile and approves key risk policies. 

The Group Chief Executive Officer (Group CEO) is responsible for the Group’s results, has risk authority over transactions, positions and exposures, and allocates portfolio limits approved by the BoD within the business divisions and Corporate Center units. 

The business division Presidents are accountable for the results of their business divisions. This includes actively managing their risk exposures, and balancing profit potential, risk, balance sheet and capital usage. The regional Presidents facilitate the implementation of UBS’s strategy in their region, and have the mandate to escalate activities and issues that may give rise to actual or potentially material regulatory or reputational concerns.

The Group Chief Risk Officer (Group CRO) is responsible for Risk Control. Risk Control independently oversees all primary risks and most consequential risks as outlined in “Risk categories” above. This includes establishing methodologies to measure and assess risk, setting risk limits, and developing and operating an appropriate risk control infrastructure. Risk Control is also the central function for model risk management, which includes the validation of models used in the firm. The risk control process is supported by a framework of policies and authorities. Business division and regional Chief Risk Officers have delegated authority for their respective divisions andregions. Moreover, authorities are delegated to risk officers according to their expertise, experience and responsibilities.

The Group Chief Financial Officer (Group CFO) is responsible for assessing and facilitating transparency in the financial performance of the Group and business divisions, and for monitoring whether disclosure of our financial performance meets regulatory requirements and corporate governance standards. The Group CFO manages the Group’s and divisional financial control functions, including financial accounting, controlling, forecasting, planning and reporting processes. Further responsibilities include managing UBS’s tax affairs, aswell as treasury and capital management, including the management of funding and liquidity risk and UBS’s regulatory capital ratios.

The Group General Counsel (Group GC) manages the Group’s legal affairs and is responsible for supporting the Group with effective and timely assessment of legal matters impacting the Group or its businesses and for providing the legal advice required by the Group. The Group GC is further responsible for the management and reporting of all litigation and other significant contentious matters, including all legal proceedings, that involve UBS.

Group Internal Audit (GIA) independently assesses the adherence to our strategy, the effectiveness of governance, risk management and control processes at Group, business division and regional levels, including compliance with legal, regulatory and statutory requirements, as well as with internal policies and contracts. The Head GIA reports to the Chairman of the BoD and, in addition, GIA has a functional reporting line to the Audit Committee.

The above roles and responsibilities are replicated for certain significant legal entities of the Group through the appointment of entity level Presidents, Chief Risk Officers, Chief Financial Officers and General Counsels.

Risk appetite framework

Our risk appetite is defined at the aggregate level and reflects the types of risk that we are willing to accept or intend to avoid. It is established via a complementary set of qualitative and quantitative risk appetite statements defined on a Group-wide level and is embedded throughout our business divisions and legal entities through Group, business division and legal entity policies, limits and authorities. These statements are a critical foundation to maintaining a robust risk culture throughout our organization. Qualitative statements aim to ensure we maintain the desired risk culture. Quantitative risk appetite objectives are designed to enhance the Group’s resilience against the impact of potential severe adverse economic or geopolitical events. These risk appetite objectives cover the Group’s minimum capital and leverage ratios, solvency, earnings, liquidity and funding, and are subject to periodic review, including as part of the annual business planning process. These objectives are complemented by operational risk appetite objectives, which are established for each of our operational risk categories, such as market conduct, theft, fraud, data confidentiality and technology risks. Operational risk events that exceed predetermined risk tolerances, expressed as percentages of the Group’s operating income, must be escalated to the respective business division President or higher, as appropriate. The quantitative risk appetite objectives are supported by a comprehensive suite of risk limits set at the portfolio level. These may apply across the Group, within a business division or business unit, at legal entity level, or to an asset class. These additional quantitative controls are typically bottom-up and are designed to monitor specific portfolios and to identify potential risk concentrations.

Risk reports aggregating measures of risk across products and businesses provide insight into the amounts, types, and sensitivities of the various risks in our portfolios and are intended to ensure compliance with defined limits. Risk officers, senior management and the BoD use this information to understand our risk profile and the performance of the portfolios.

The status of risk appetite objectives is evaluated each month and reported to the BoD and the GEB. Our risk appetite may change over time. Therefore, portfolio limits and associated approval authorities are subject to periodic reviews and changes, particularly in the context of our annual business planning process. Our risk appetite framework is encompassed in a single overarching policy and conforms to the Financial Stability Board’s Principles for an Effective Risk Appetite Framework published in 2013.

Risk management and control principles

Protection of financial strength

Protection of reputation

Business management accountability

Independent controls

Risk disclosure

Protecting UBS’s financial strength
by controlling our risk exposure and avoiding potential risk
concentrations at individual exposure levels, at specific
portfolio levels and at an aggregate firm-wide level across all risk types

Protecting our reputation through a sound risk culture characterized by a holistic and integrated view of risk, performance and reward, and through full compliance with our standards and principles, particularly our Code of Conduct and Ethics

Maintaining management accountability, whereby business management, as opposed to Risk Control, owns all risks assumed throughout the Group and is responsible for the continuous and active management of all risk exposures to provide for balanced risk and return

Independent control functions that monitor the effectiveness of the businesses’ risk management and oversee risk-taking activities

Disclosure of risks to senior management, the BoD, investors, regulators, credit rating agencies and other stakeholders with an appropriate level of
comprehensiveness and transparency

For comprehensive information on risk management and control at UBS, please refer to the “Risk, treasury and capital management” section of our Annual Report 2017.