As technology and ongoing competitive disruption force banks to reinvent themselves, the risk management function must undergo a revolution in risk management professionals balancing their roles and operating models, according to a new report published jointed by EY and the Institute of International Finance.
The ninth annual global bank risk management survey, titled "Accelerating digital transformation: four imperatives for risk management," finds that risk groups link strategy and risk appetite (67 percent); identify forward-looking or emerging risks (53 percent); assess strategy and business models from a risk appetite perspective (36 percent); help influence firm risk culture and behaviors (34 percent); and implement effective risk management structures (31 percent).
The survey highlights four imperatives that boards, senior management, chief risk officers (CROs) and other key executives will have to address to stay competitive, maintain trust and successfully achieve their digital transformation ambitions. The four imperatives include: adapting to a risk environment and risk profile that is changing faster and more intensively than ever; leveraging risk management to enable business transformation and sustained growth; delivering risk management effectively and efficiently; and managing through and recovering from disruptions.
Mark Watson, EY Americas Financial Services Center for Board Matters Deputy Leader, said: “Risk management will always have a critical role in protecting the franchise. However, now it must take on a trusted advisor role to help enable sustainable growth and inform banks’ digital and technological transformations. Risk management has to deploy new technologies across its own activities, which inevitably will necessitate new operating and talent models. Otherwise, risk management will be left behind.”
Additionally, risk management has a central role to play in helping navigate the evolving risk profile of banks, and preparing for, managing through, and recovering from disruptions such as cyber-attacks and weather-related disasters, which are commonplace. Top resilience concerns of respondents include: overall cyber risks (80 percent), prolonged IT outages inside the bank’s environment (64 percent), critical-third-party outages (64 percent), data availability (41 percent), IT obsolescence (39 percent), critical data being destroyed (39 percent) and financial resilience (32 percent).
The survey suggests that risk management functions can leverage new technologies much more than they are doing currently. Respondents identify a range of areas where new technologies will have a material impact: fraud surveillance (72 percent), financial crime (68 percent), modeling (57 percent), credit analysis (57 percent), cybersecurity (57 percent) and know-your-customer activities (57 percent).
Andrés Portilla, Managing Director of Regulatory Affairs, Institute of International Finance, said: “Working closely with CROs at our member firms it is clear that the transformation of the risk management function is accelerating, influenced by new digital and technological innovations. Risk managers play a unique role within institutions to not only identify, manage and prepare for risks but also to work closely with the board and the business to identify new opportunities. Technology enables the risk function to transform but it also raises new challenges around cyber security, the use and accessibility of data and operational resilience, on top of broader concerns such as the implementation of new regulatory rules and supervisory expectations.”
Regional Differences Exist
The survey findings reveal regional trends including that North American banks place more importance on protecting the firm’s reputation than banks in other regions. African and Middle Eastern banks are more concerned about third-party outages and ransomware, while those in Asia-Pacific are more concerned about business-model viability than others, but less concerned than North American banks about cyber risks, third-party outages and data destruction. Latin American banks most fear cyber risks and IT obsolescence.
Beyond cybersecurity, each region has different CRO top priorities: credit and liquidity risks in Asia-Pacific (both 58 percent); risk appetite in Latin America (62 percent); implementation of new regulations and supervisory expectations in Africa and the Middle East (86 percent); business-model risk and implementation of new regulations and supervisory expectations in Europe (both 56 percent) and operational risk (excluding cybersecurity) and risk technology architecture in North America (both 65 percent).