The following is an excerpt from our Annual Report 2022, describing our risk governance framework and risk appetite principles.
Risk governance
The Board of Directors (the BoD) approves the risk management and control framework of the Group, including the Group and business division overall risk appetite. The BoD is supported by its Risk Committee, which monitors and oversees the Group’s risk profile and the implementation of the risk framework approved by the BoD, and approves the Group’s risk appetite methodology. The Corporate Culture and Responsibility Committee (the CCRC) helps the BoD meet its duty to safeguard and advance UBS’s reputation for responsible and sustainable conduct, reviewing stakeholder concerns and expectations pertaining to UBS’s societal contribution and corporate culture. The Audit Committee assists the BoD with its oversight duty relating to financial reporting and internal controls over financial reporting, and the effectiveness of whistleblowing procedures and the external and internal audit functions.
The Group Executive Board (the GEB) has overall responsibility for establishing and implementing a risk management and control framework in the Group, managing the risk profile of the Group as a whole.
The Group Chief Executive Officer has responsibility and accountability for the management and performance of the Group, has risk authority over transactions, positions and exposures, and allocates business divisions and Group Functions risk limits approved by the BoD.
The business division Presidents and Group functional heads are responsible for the operation and management of their business divisions / Group Functions, including controlling the dedicated financial resources and risk appetite of the business divisions.
The regional Presidents ensure cross-divisional collaboration in their regions and are mandated to inform the GEB about any regional activities and issues that may give rise to actual or potentially material regulatory or reputational concerns.
The Group Chief Risk Officer (the Group CRO) is responsible for developing the Group’s risk management and control framework (including risk principles and risk appetite) for credit, market, country, treasury, model and sustainability and climate risks. This includes risk measurement and aggregation, portfolio controls and risk reporting. The Group CRO sets risk limits and approves credit and market risk transactions and exposures. Risk Control is also the central function for model risk management and control for all models used in UBS. A framework of policies and authorities supports the risk control process.
The Group Chief Compliance and Governance Officer is responsible for developing the Group’s non-financial risk framework, which sets the general requirements for identification, management, assessment and mitigation of non-financial risk, and for ensuring that all non-financial risks are identified, owned and managed according to the non-financial risk appetite objectives, supported by an effective control framework.
The Group Chief Financial Officer is responsible for transparency in assessing the financial performance of the Group and the business divisions, and for managing the Group’s financial accounting, controlling, forecasting, planning and reporting. Additional responsibilities include managing UBS’s tax affairs, as well as treasury and capital management, including liquidity and funding risk and UBS’s regulatory ratios, Finance Artificial Intelligence & Data Analytics strategy and Group M&A.
The Group General Counsel manages the Group’s legal affairs (including litigation involving UBS), ensuring effective and timely assessment of legal matters impacting the Group or its businesses, and managing and reporting all litigation matters.
The Head Human Resources is responsible for independent oversight and challenge of employment-related risks.
Group Internal Audit (GIA) independently assesses the effectiveness of processes to define strategy and risk appetite and overall adherence to the approved strategy. It also assesses the effectiveness of governance processes and risk management, including compliance with legal and regulatory requirements and internal governance documents. The Head GIA reports to the Chairman of the BoD. GIA also has a functional reporting line to the BoD Audit Committee.
Some of these roles and responsibilities are replicated for significant legal entities of the Group. Designated legal entity risk officers oversee and control financial and non-financial risks for significant legal entities of UBS as part of the legal entity control framework, which complements the Group’s risk management and control framework.
Risk appetite framework
We have a defined Group-level risk appetite, covering all financial and non-financial risk types, via a complementary set of qualitative and quantitative risk appetite statements. This is reviewed and recalibrated annually and presented to the BoD for approval.
Our risk appetite is defined at the aggregate Group level and reflects the types of risk that we are willing to accept or wish to avoid. It is set via complementary qualitative and quantitative risk appetite statements defined at a firm-wide level and is embedded throughout our business divisions and legal entities by Group, business division and legal entity policies, limits and authorities. Our risk appetite is reviewed and recalibrated annually, with the aim of ensuring that risk-taking at every level of the organization is in line with our strategic priorities, our capital and liquidity plans, our Pillars, Principles and Behaviors, and minimum regulatory requirements. The “Risk appetite framework” chart below shows the key elements of the framework, which is described in detail in this section.
Qualitative risk appetite statements aim to ensure we maintain the desired risk culture. Quantitative risk appetite objectives are designed to enhance UBS’s resilience against the effects of potential severe adverse economic or geopolitical events. These risk appetite objectives cover UBS’s minimum capital and leverage ratios, solvency, earnings, liquidity and funding, and are subject to periodic review, including the yearly business planning process. These objectives are complemented by non-financial risk appetite objectives, which are set for each of our non-financial risk categories. A standardized quantitative firm-wide non-financial risk appetite has been established at the Group and business division levels. Non-financial risk events exceeding predetermined risk tolerances, expressed as percentages of UBS’s total revenue, must be escalated as per the firm-wide escalation framework to the respective business division President or higher, as appropriate.
The quantitative risk appetite objectives are supported by a comprehensive suite of risk limits set at a portfolio level to monitor specific portfolios and to control potential risk concentrations.
The status of risk appetite objectives is evaluated each month and reported to the BoD and the GEB. As our risk appetite may change over time, portfolio limits and associated approval authorities are subject to periodic reviews and changes, particularly in the context of our annual business planning process.
Our risk appetite framework is governed by a single overarching policy and conforms to the Financial Stability Board’s Principles for an Effective Risk Appetite Framework.
Risk management and control principles
Protection of financial strength | Protection of reputation | Business management accountability | Independent controls | Risk disclosure |
---|---|---|---|---|
Protecting UBS’s financial strength by controlling our risk exposure and avoiding potential risk concentrations at individual exposure levels, at specific portfolio levels and at an aggregate firm-wide level across all risk types. | Protecting our reputation through a sound risk culture characterized by a holistic and integrated view of risk, performance and reward, and through full compliance with our standards and principles, particularly our Code of Conduct and Ethics. | Maintaining management accountability, whereby business management owns all risks assumed throughout the Group and is responsible for the continuous and active management of all risk exposures to provide for balanced risk and return. | Independent control functions that monitor the effectiveness of the businesses’ risk management and oversee risk-taking activities. | Disclosure of risks to senior management, the BoD, investors, regulators, credit rating agencies and other stakeholders with an appropriate level of comprehensiveness and transparency. |