As banks reinvent themselves using technology to drive digital change in the future, risk teams expect to do so, too.
Five challenges for banks
As banks transition from the middle to the third phase of the transformation journey, they must navigate five broad challenges.
1. Managing emerging risks and increased competition: Broader geopolitical, social and environmental concerns are looming larger, as regulatory fragmentation continues and competition intensifies. FinTechs and major technology companies seek traction in profitable parts of financial services, while banks’ strategic options to deliver 11% to 15% ROE narrow. Cybersecurity is now clearly the top risk for boards and CROs.
2. Leading a digital transformation of risk management: Technology has reshaped customer interfaces, but banks still have to implement new technologies in the middle and back office to drive fundamental change. Risk functions must change how they monitor risk profiles and enable innovation, and become smarter, faster and more cost-effective. New talent in technology and risk will be necessary, but hard to attract.
3. Operationalizing three-lines-of-defense models: Operationalization of the three-lines model is necessary to improve the effectiveness and cost-efficiency of risk management. Talent shortages are expected in advanced analytics, model risk and other key areas. Standardization and automation are accelerating, even if broader technology deployments are delayed.
4. Managing nonfinancial risks cost-effectively: Though conduct risk frameworks are in place, there is a long way to go to prove effectiveness and improve cost-efficiency. As risk appetite frameworks evolve, common challenges remain (e.g., expressing appetite for all risk types, cascading appetite to business units). Quantifying nonfinancial risks (e.g., reputational, strategic and cyber risks) remains difficult.
5. Staying resilient and protecting against cyber risks: Banks are rethinking what constitutes operational resiliency. Beyond core competencies (business continuity and disaster recovery), data quality and process-flow mapping need enhancing. In managing cyber risks across the three lines of defense, quantification and reporting are a challenge, even as boards increase oversight. Managing critical vendors more effectively supports operational and cyber-resiliency.