In pursuing its strategy and business, Julius Baer Group (‘the Group’) is exposed to risks, i.e. events which may have an impact on its financial, business, regulatory and reputational standing. Risk management is therefore an integral part of the Group’s business model and is designed to protect its franchise and reputation.

Risk management framework

The Group’s Risk Management Framework (‘RMF’) links and integrates all relevant activities, governance and processes of the Group to identify, assess, manage, monitor and report risks across the organisation.

Risk management activities are structured according to the Group’s Risk Categorisation, which represents the material risks the organisation is exposed to. Besides credit, market and treasury risk, the Group is exposed to non-financial risks, covering operational risk, compliance and legal risk, as well as strategic, business and reputational risk. The Risk Categorisation allows for the individual assignment of responsibilities to Risk Type Owners (RTO), who maintain the risk management framework of each material risk type by means of, and in accordance with, the RMF.

Risk tolerance framework

Not all risks can be eliminated, fully controlled and mitigated at all times. However, the Group’s Risk Tolerance Framework (‘RTF’) supports and ensures that risk-taking is in line with the strategic objectives and within the Group’s overall risk capacity. The Group’s risk tolerance is defined as the aggregate level of risk, subject to appropriate mitigating actions, that the Group is willing to accept across all relevant risk categories. It is formalised by a set of qualitative risk statements and quantitative risk metrics along the Group’s key risk categories.

The risk capacity describes the maximum level of risk the Group can assume given the Group’s capabilities and resources taking account of capital, earnings and liquidity constraints (financial risk capacity), regulatory requirements and the firm’s reputational standing (regulatory and reputational risk capacity).

Risk culture

The Group recognises that successful risk management requires a combination of a sound risk culture, organisation and supporting processes as well as controls.

A sound risk culture is the key pillar in effectively managing risks. It promotes sound risk-taking and ensures that emerging risks or risk-taking activities beyond the Group’s risk tolerance are appropriately identified, assessed, escalated and addressed in a timely manner. To this end, the following four levers are viewed as critical elements in ensuring a strong alignment between the expected behaviour standards and the strategic objectives of the Group:

  • Strong leadership and tone from the top
  • Accountability and clear roles and responsibilities
  • Effective communication and challenge
  • Employee life cycle and incentives

Group risk landscape

In order to make risks transparent and to put them into perspective, a Risk Landscape is compiled annually and continuously maintained. To comprehensively and holistically identify and assess existing and emerging risks and to disclose them transparently to the BoD and EBG | ExB, the following multi-layered approach is applied:

  • A bottom-up ‘Risk and Control Self-Assessment’ of operational, legal and compliance risks performed by the Group’s entities and the Business Functions at Head Office and challenged by the second line of defence.
  • This bottom-up assessment is complemented by the top-down ‘Risk Type Owner Assessments’, which are performed annually by the RTOs for all operational, legal and compliance risk types.
  • This process is supplemented by an annual stress risk assessment across all key risk categories, with a view to quantifying the total financial and business risk exposures under unlikely events and to putting them in the context of the Group’s overall risk capacity.

The Risk Landscape, which is discussed and evaluated at ExB and BoD level, is an integral part of the Group’s strategic capital planning process.

The three lines of defence

The Group has adopted the ‘Three Lines of Defence’ model as a guiding organisational framework for managing risk in the functions operating across the Group. This encompasses the Internal Control System (‘ICS’), which is, amongst other things, the sum of the controls and processes that operate across the three lines of defence to ensure that risk is incurred in a deliberate and disciplined manner.

The Group seeks to follow an approach of assigning clear accountability in identifying, assessing, managing, monitoring and reporting risks. In doing so, the Group has implemented and continues to strengthen the three lines of defence model across its global business operations.

The ‘Three Lines of Defence’ model is defined according to the following key principles:

For comprehensive information on risk management and control, please refer to the “Comment on Risk Management” section of our Annual Report.

Risk governance

The Group has established a robust Risk Governance, involving several stakeholders across the organisation and various committees, functions and business units.

The Board of Directors (BoD) is responsible for establishing the strategic course of the Group and the guiding principles for the Group’s corporate culture. It approves the Group-wide RMF and RTF. This ensures that risks are managed effectively at Group level and that suitable processes are in place.

Regular reporting enables the BoD to monitor whether the risk tolerance, policies, instructions and mandates are being complied with and whether they remain appropriate, given the Group’s business model, risk profile and strategy. In addition, the BoD regularly reviews reports analysing the Group’s risk exposure.

The Group has defined the underlying risk management processes for every risk type along a Risk Management Cycle.

The continuous identification (step 1) of relevant risks is a key risk management activity. This relates to both emerging threats/risks as well as to increasing risk profiles. New risks may arise by developing and launching new products and services, a change in the regulatory landscape or a change to the business model.

The assessment (step 2) of identified risks consists of the qualitative analysis and quantification of the inherent risk, the control risk and finally the residual risk along defined risk management principles and methods. It also includes the development, testing and validation of models to measure risks, as well as stress testing procedures to assess and measure risks in pre-defined scenarios.

The day-to-day risk management (step 3) has to ensure an adequate response to identified risks and to the set risk tolerance. It includes all activities from risk evaluation to the definition and implementation of risk mitigation measures, which aim to prevent or reduce risks and damages, e.g. the setting of standards and controls, education and training, automation of processes, and the implementation of limits and metrics.

Monitoring activities (step 4) include the performance of control activities or quality assurance procedures on implemented standards and controls to ensure that the risk profile and exposure are kept within the risk tolerance, e.g. via risk metrics (KRIs or KPIs) and limits.

The reporting (step 5) gives all hierarchy levels a transparent and accurate overview of the underlying risk profile and risk exposure. This also includes the timely escalation of breaches of set risk tolerances. The frequency and depth of the reporting are defined, assessed and, where appropriate, aligned by the recipients of the reports, depending on the size and complexity of the respective areas.