Theme #5: Risk governance is evolving in a changing risk landscape
Following the financial crisis, supervisors, boards, and management teams focused heavily on enhancing risk management and board oversight. Much of their effort focused on developing risk appetite frameworks, addressing risk culture, and refining the functioning of board risk committees.
Since then, the nature of risk has changed: nonfinancial risks, which have always been more challenging to model and embed in risk appetite frameworks, are more prominent. The competitive landscape is now crowded with new entrants and new partnerships and vendor relationships. The exogenous risks resulting from a volatile geopolitical environment and emerging issues like climate risk are increasingly of concern to boards.
Participants considered whether adequate attention has been paid to these evolving risks, and they reached a number of broad conclusions: boards must remain vigilant under pressure; nonfinancial risks will continue to challenge board oversight; and effective oversight requires substantial time and new sources of expertise.
More specifically, boards must be vigilant to ensure that standards, such as those around loan covenants and underwriting, remain high even as companies pursue opportunities to improve margins in a low interest-rate environment. Boards also need to look more closely at issues like concentration risk, including across traditional risk silos.
And given the intense pressure to control costs, boards must be vigilant not to allow cuts that unintentionally create other risks. One participant noted: “Cyber is not going away, so you cannot cut expenses there. AML and related compliance costs are not going away, so you can’t cut back there. And, digital transformation is not going away, so you can’t reduce your spending there.” This dynamic means that firms “need to retain the same level of diligence, but do it smarter,” by leveraging robotics, artificial intelligence, and machine learning to automate and improve processes.
Participants also discussed specific steps to improve governance of cyber and operational resiliency risks. These included: diligence around basic IT “hygiene”; understanding the institution’s data strategy; ensuring sufficient testing and training; understanding third-party dependencies and potential weak spots; monitoring the rapid spread of (mis)information through social media that creates reputational risks; and improving response planning.
This new era of risk governance requires boards to commit significant amounts of time and to access new types of expertise. It also means getting the right information to assess financial and nonfinancial risks and to benchmark their companies against peers and understand best practices.
The five themes in this article are based on five Viewpoints from the 2019 Financial Services Leadership Summit held on the 16th and 17th of October in Washington, D.C., and aim to capture the essence of these discussions and associated research.