Port douglas scenery

Why digital resilience must be a top priority for banks

The 11th annual EY/IIF global bank risk management survey reveals the growing importance of digital resilience in the wake of COVID-19.

In brief

  • Banks continue to embrace digital modernization and transformation efforts at pace and scale, but must stay on top of associated risks.
  • Risk management functions need to be involved as early as possible in the development of new products and services.
  • Risk teams need to evolve and upskill to meet banks’ shifting needs, with an emphasis on increasing agility.

Almost overnight, the COVID-19 pandemic forced banks into dramatic, technology-focused changes. Customer-facing digital channels were introduced or enhanced, remote working platforms scaled and emerging tools, such as data analytics software, integrated across organizations.

Alongside myriad opportunities these technologies provide – more efficient operating models and an improved customer and workforce experience chief among them, according to the 11th annual EY/IIF global bank risk management survey (pdf) – there are risks that need to be managed. In particular cybersecurity, the unintended consequences of artificial intelligence (AI), and integration issues associated with moving infrastructure, such as migration to the public cloud, are front of mind for chief risk officers (CROs).

Identifying, managing and preventing these risks via automation should be at the heart of digital resilience given that it enables controls to be embedded in a consistent, efficient manner – so long as the infrastructure and processes themselves are built to be resilient.

Urgent modernization and transformation

It is well accepted the pandemic has been a catalyst for change in organizations across almost every sector. For banks already buffeted by financial pressures, new competition, regulatory scrutiny and shifting consumer behavior, the need to embrace new technology and transform into more digital businesses became critical and urgent. But digital transformation should not pursue speed at the expense of resilience. Banks need agile, scalable technology that operates 24/7, mitigates cyber attacks, and protects data. The most enlightened CROs will not only bring to the table expertise about identifying risks associated with such transformations, but they will also explain how they can be better governed.

CROs polled in the survey expect their senior management team to focus on implementing process automation (88%), modernizing core IT functions (66%) and using analytics to improve customer insights (64%) over the next few years.

They cited developing a more efficient operating model as the main driver for digital modernization and transformation efforts, followed by customer-related issues, such as an improved experience and increased product and sales personalization.

If not integrated effectively, however, such changes can introduce unwanted risks and hoped-for gains can remain frustratingly hard to realize fully. Introducing third-party technology – a common requirement of digital transformation efforts – can be revolutionary for customers and for internal ways of working, but it can add to a bank’s risk profile.

A cyber attack, a system outage, or a failure to protect customer data, for example, can have significant effects on a company’s finances and reputation. In large organizations, with changes happening at scale across multiple departments, workflows and chains of command, these risks can multiply quickly.

One of the most common ways that organizations look to transform is moving from legacy IT systems to the cloud, especially the public cloud. But CROs polled in the survey continue to have concerns about how banks can do this migration safely and effectively – the level of security risk capabilities (59%) and the ability to adapt existing risk capabilities to address cloud-specific risks (46%) are of particular concern. Addressing these challenges will go a long way to improving digital resilience.

Control through automation

Using automation to better understand, measure and manage what is happening in near or real time and in the future is another common theme of digital transformation efforts. The use of AI and machine learning (ML) to carry out audits, monitor financial crime or aid compliance activities, for example, is growing.

Digital resilience can be improved by building in the right automated controls from the outset. Continuous monitoring capabilities, for example, can be embedded during the process design phase. This can aid processes such as risk and control testing by allowing banks to test more, instead of sampling sporadically, and to increase consistency through the reduction of manual approaches.

But banks should spend time on developing a coherent control strategy to enable digital transformation and modernization. They should carefully select the right controls and not fall into the trap of simply adding more controls; after all, controls can be time-consuming and costly to implement. Similarly, just because you can automate a control doesn’t mean that you should. Banks should start by defining the necessary process – and simplifying the process where they can – before embedding the most appropriate control. CROs can add value here, but only if they are part of the conversation from the get-go.

While senior executives in marketing, product development or technology may feel under pressure to launch a new digital process, tool or product quickly and at scale, it is not in the interest of the business to do so without involving risk teams as early as possible. This requires something of a cultural shift, but if risk teams get brought in after a new tool or product has been offered to employees and customers, it may be too late.

Risk managers need to raise their game

Digital resilience is predicated on risk management functions evolving too. And that is both skill and mindset. With the scale and pace of change happening across organizations, they must get to a point where they are able to move fast enough to keep up with other departments.

Upskilling is one clear priority. Today’s CRO needs to master the risks associated with cloud computing and predictive analytics, and to understand how emerging technologies, such as ML, will benefit and threaten the business. They also need to get more comfortable with new processes and development approaches, such as agile methodology.

Some risk professionals need to change their mindset. Bank CROs and their teams need to buy into the very necessary digital transformation programs that their organizations are undertaking. Risk should not be viewed as the department that always says “no”: it needs to say “yes” more often, but accompany that with an analysis of the associated risks and what can be done to mitigate them.

Although cyber attacks are on the rise, outages linked to third-party providers are making headlines and regulators are increasingly levying fines for customer data breaches, the drumbeat of digital transformation is set to continue. As such, CROs and their teams have a crucial role to play in helping their organization to modernize in a thoughtful, resilient manner. Combining automation and data with core risk disciplines will be key to the success of transformation strategies.


COVID-19’s rapid acceleration of digital modernization and transformation has seen immense progress in a short space of time. Now the challenge is to improve resilience and agility to mitigate risk while maximizing the opportunities this rapid progress has unlocked.

Related articles

Why workforce resilience is now a critical focus for bank CROs

The 11th annual EY/IIF global bank risk management survey reveals the growing importance of workforce resilience in the wake of COVID-19. Get the details.

Climate change and risk: 3 key challenges facing banks

Climate change is now a major risk, but there are multiple obstacles to overcome if banks are to be resilient.

How banks can turn political analysis into strategic decision-making

Financial institutions can take four actions to address political change and the risks and opportunities it presents.

What good risk management means for operational resilience

The 11th annual EY/IIF global bank risk management survey inherently links strong risk management and robust operational resilience.

How COVID-19 has changed the role of the chief risk officer

The 11th annual EY/IIF global bank risk management survey shows that COVID-19 has exposed what resilience really means for banks today. Learn more.

How resiliency in risk management is the new top priority for banks

The 11th annual EY/IIF global bank risk management survey shows that COVID-19 has exposed what resilience really means for banks today. Learn more.