6 minute read 6 Nov 2019
people receiving tire obstacle course training.

How banks can elevate risk management over the next decade

By

Mark Watson

EY Americas FSO Board Matters Deputy Leader

Focused on helping financial services firms become resilient and well-governed. Passionate about sound public policy. Avid movie goer. Electronic dance music fan. Proud Anglo-American.

6 minute read 6 Nov 2019

We highlight the 10 major risks that will require management, endurance and survival techniques.

Financial risks will always be cause for concern in banking. But, today banks are much better positioned in terms of capital and liquidity. They have greatly de-risked and de-leveraged their balance sheets and pruned back non-core assets and operations that were amassed in the years before the financial crisis. Now, nonfinancial risks have taken on new levels of importance.

For the past decade, the global banking community has been on a transformational journey. However, managing risk over the next decade could prove to be much more challenging.

For 10 years, EY and the Institute of International Finance (IIF) have been observing and reporting on changes in how banks manage risk. Chief risk officers (CROs) and their teams are being asked to manage a much broader and complex set of continually evolving risks and play a more influential role in helping banks thrive and survive.

Our survey identifies 10 significant risks that will require strong management over the next decade. 

A shift to nonfinancial risks

As highlighted by the EY/IIF survey results, the CRO’s key priorities today include strengthening operational resilience, privacy and cloud, and the transformation to digital, to name but a few. Cyber security is still the CRO’s highest priority for the third year in a row.

CROs also cite these top concerns:

  • 69% - industry disruption due to new technologies
  • 65% - change from digitalization
  • 59% - geopolitical risk

Arguably the most significant change in tenor and tone of the regulatory and supervisory focus in recent years has been the shift from financial to operational resilience. Regulators have quickly reset the fundamentals on how to manage resilience across the enterprise. They are now assessing banks’ capabilities to deliver services to their customers and clients on the assumption a disruption of some kind will occur, not whether it will.

What might trigger a disruption?

The scope of resilience activities is also being challenged, with authorities seeking to understand banks’ abilities to prevent, respond to, recover and learn from disruption, whatever the threat or vulnerability that might cause it. Many of these concerns have increased since last year, notably for data access and availability, and IT obsolescence and legacy systems. The concern that has grown the most over the past year relates to legacy systems and IT obsolescence.

Infographics about resilience risk and organization

More effective, but certainly not efficient

Notwithstanding the fact that risk capabilities have matured overall, most banks have designed their risk management approach in light of new regulations or supervisory findings — and in short time frames. As a result, enhancements were often implemented using highly manual processes and suboptimal approaches, many of which are cumbersome and expensive to operate, especially in an environment where scrutiny on costs remains high.

As a result, banks are seeking opportunities to become more efficient by rationalizing processes and increasing automation. Almost three-quarters (73%) expect to improve the efficiency of risk management over the next three years.

Yet, transition to more automated and more digitized strategies, business models and operations is creating new risks. The industry was on the cusp of change in last year’s survey – gradually moving to the use of machine learning and artificial intelligence. This year, their use is a concern for over half of CROs (59%).

Focus on altering talent strategy

Future challenges will call for new talent strategies in banking. A large majority (69%) expect to add specialist talent, and nearly as many (62%) will work to obtain the right mix of skills. Tracking the broad trend, there is a major focus on skills around managing nonfinancial risks.

We will see a greater focus on skills around machine learning, data privacy, IT, data security, the climate-change agenda, and so on. That will bring different kinds of thinking and approaches.
Risk executive
Infographics about financial and nonfinancial risk experience
We are trying to change the way we do business in a way that meets customer needs and expectations in the future.
CRO

Headlines will set the future tone

Everyone remembers the headlines. The media wrote constantly about the industry in unflattering ways. Every week a new blockbuster hit bookstands telling a tale of the run up to the crisis and how it was mismanaged in the early weeks and months as it unfolded.

A decade from now, headlines will tell a story of how successful risk management was guiding banks to manage 10 major risks that are at the forefront today. Many will share the responsibility for managing these risks and for the progress that has been made.

Only time will tell whether those headlines will be positive or critical. But, without hyperbole, risk management will play an influential role in determining which set of outcomes is more likely.

Summary

Across the 10 years of global bank risk management surveys conducted by EY and the IIF, risk management has been a transformational journey for the global banking community. The next decade will be interesting and challenging to watch. There’s no off-the-shelf playbook to manage many of the 10 complex and major risks that we have identified. It will call for endurance and agility for banks to survive and thrive. 

About this article

By

Mark Watson

EY Americas FSO Board Matters Deputy Leader

Focused on helping financial services firms become resilient and well-governed. Passionate about sound public policy. Avid movie goer. Electronic dance music fan. Proud Anglo-American.