Cyber threats are now the biggest risk for boards and chief risk officers; Data destruction and disruption from technology top emerging risks
New York, NY (Nov. 22, 2018) — As technology and ongoing competitive disruption force banks to reinvent themselves, the risk management function must undergo a revolution in risk management professionals balancing their roles and operating models, according to the ninth annual global bank risk management survey, Accelerating Digital Transformation: Four imperatives for risk management.
The survey finds that risk groups link strategy and risk appetite (67%); identify forward-looking or emerging risks (53%); assess strategy and business models from a risk appetite perspective (36%); help influence firm risk culture and behaviors (34%) and implement effective risk management structures (31%).
The survey, a collaboration between EY organization and the Institute of International Finance (IIF), highlights four imperatives that boards, senior management, chief risk officers (CROs) and other key executives will have to address to stay competitive, maintain trust, and successfully achieve their digital transformation ambitions. The four imperatives include: adapting to a risk environment and risk profile that is changing faster and more intensively than ever, leveraging risk management to enable business transformation and sustained growth, delivering risk management effectively and efficiently, and managing through and recovering from disruptions.
“Risk management will always have a critical role in protecting the franchise,” says Mark Watson, EY Americas Financial Services Center for Board Matters Deputy Leader. “However, now it must take on a trusted advisor role to help enable sustainable growth and inform banks’ digital and technological transformations. Risk management has to deploy new technologies across its own activities, which inevitably will necessitate new operating and talent models. Otherwise, risk management will be left behind.”
Additionally, risk management has a central role to play in helping navigate the evolving risk profile of banks, and preparing for, managing through, and recovering from disruptions such as cyber-attacks and weather-related disasters, which are commonplace. Top resilience concerns of respondents include: overall cyber risks (80%), prolonged IT outages inside the bank’s environment (64%), critical-third-party outages (64%), data availability (41%), IT obsolescence (39%), critical data being destroyed (39%) and financial resilience (32%).
The survey suggests that risk management functions can leverage new technologies much more than they are doing currently. Respondents identify a range of areas where new technologies will have a material impact: fraud surveillance (72%), financial crime (68%), modeling (57%), credit analysis (57%), cybersecurity (57%) and know-your-customer activities (57%).
“Working closely with CROs at our member firms it is clear that the transformation of the risk management function is accelerating, influenced by new digital and technological innovations,” says Andrés Portilla, Managing Director of Regulatory Affairs, Institute of International Finance. “Risk managers play a unique role within institutions to not only identify, manage and prepare for risks but also to work closely with the board and the business to identify new opportunities. Technology enables the risk function to transform but it also raises new challenges around cyber security, the use and accessibility of data and operational resilience, on top of broader concerns such as the implementation of new regulatory rules and supervisory expectations.”
Regional differences exist
The survey findings reveal regional trends including that North American banks place more importance on protecting the firm’s reputation than banks in other regions. African and Middle Eastern banks are more concerned about third-party outages and ransomware, while those in Asia-Pacific are more concerned about business-model viability than others, but less concerned than North American banks about cyber risks, third-party outages and data destruction. Latin American banks most fear cyber risks and IT obsolescence.
Beyond cybersecurity, each region has different CRO top priorities: credit and liquidity risks in Asia-Pacific (both 58%); risk appetite in Latin America (62%); implementation of new regulations and supervisory expectations in Africa and the Middle East (86%); business-model risk and implementation of new regulations and supervisory expectations in Europe (both 56%) and operational risk (excluding cybersecurity) and risk technology architecture in North America (both 65%).
For further information, view the report at ey.com/bankingrisk.
About the Survey
This is the ninth annual risk management survey that EY and the IIF have conducted. From June through September 2018, in cooperation with the IIF, EY surveyed IIF member firms and other top banks from around the globe. Participating banks’ chief risk officers or other senior risk executives were interviewed by EY or completed an online survey, or both. A total of 74 firms across 29 countries participated in the study.
The Institute of International Finance is the global association of the financial industry, with close to 450 members from more than 70 countries. Its mission is to support the financial industry in the prudent management of risks; to develop sound industry practices; and to advocate for regulatory, financial and economic policies that are in the broad interests of its members and foster global financial stability and sustainable economic growth. IIF members include commercial and investment banks, asset managers, insurance companies, sovereign wealth funds, hedge funds, central banks and development banks.
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.
Source: EYTags: cyber attacks, emerging risks, EY, survey, Transformation