10 minute read 21 Sep 2021

CROs will need new skills and digital tools to manage increasing risks around climate-change, cybersecurity, and operational resilience.

Morning fog on sunshine with trees

Where are Southeast Asian banks focusing their risk attention

By Wolfram Hedrich

Partner, Financial Services Consulting, Ernst & Young Advisory Pte. Ltd.

Integrating climate risk and sustainability into strategy, risk and capital management. Curious about the interlinkages between global emerging risks. Aspiring global citizen. Proud father.

10 minute read 21 Sep 2021

Show resources

  • Resilient banking: Capturing opportunities and managing risks over the long term (pdf)

CROs will need new skills and digital tools to manage increasing risks around climate change, cybersecurity, and operational resilience.

In brief
  • Climate risk surges as a priority – ahead of global sentiment – as local CROs move to get ahead of regulators.
  • Workforce and technology resilience are emerging risks as operational resilience becomes increasingly important.
  • To adapt to these and growing cybersecurity risks, risk functions must expand skill sets and invest in digital transformation.

COVID-19 was the most unprecedented and unexpected test of banks’ risk management. The global health crisis quickly evolved into an economic one, testing the financial and operational resilience of banks around the world to the core and shifting risk priorities. In Asia-Pacific, the 11th annual EY/IIF global bank risk management survey finds regional banks with a different focus than their global peers, especially when it comes to climate change risk and credit risk.

Around the world, most banks went into the crisis in good financial health, with capital and liquidity positions strengthened substantially with measures well taken after the previous global financial crisis. But, in many countries, the sheer scale, depth and prolonged nature of the recent economic shock have put the spotlight back on credit concerns. In fact, 98% of bank chief risk officers (CROs) globally named credit risk as the biggest issue on their mind in next 12 months.

In Asia-Pacific, we found a slightly different story. Only 67% of local CROs and 56% of boards put credit risk at the top of their risk issues. And a healthy 64% of the region’s banks also said their average expected returns on equity over the next three years would be in the 11% to 15% bracket.

These findings likely reflect the region’s improving economic fundamentals, which will support lending confidence and reduce credit costs. They may also be partly bolstered by expectations of sovereign support for state-owned and systemically important banks in some countries.

Climate change risk management

But the biggest differentiator was Asia-Pacific’s focus on climate change risk. Across the region, the idea that climate change is a problem belonging solely to high-carbon-emitting sectors is no longer true. A staggering 100% of Asia-Pacific CROs recognize it as a top risk requiring their utmost attention – compared with 49% globally. 

11th annual EY/IIF global bank risk management survey


of Asia-Pacific CROs recognize climate risk as a top risk

When it comes to sustainability, local CROs are more focused on climate change risk than their global peers. Asked to look over the horizon about emerging risks that will be important for their organizations over the next five years, 91% of CROs globally put climate change risk at the top of their list. They know climate change risk will be a huge focus in future – they’re just not on top of it right now.

The region’s early focus on climate change risk may be a response to the number of Southeast Asian governments, including Malaysia, Singapore and the Philippines, pursuing the development of sustainable financial markets and country-level carbon neutrality. Most countries around the region officially recognize the role of the financial system in causing and halting climate change and are introducing regulatory initiatives to support this. Although some actions today are still voluntary, CROs are mindful that regulators are increasingly introducing binding regulations.

Given there’s no industry model for how to embed climate change risk into risk management, banks have taken an array of approaches to doing so. The most common is including climate change in their scanning of emerging risks, which was the case at the time of our last survey.

CRS_GBMC_124954288_Charts for ASEAN POV_V2

But, increasingly, the region’s banks are also analyzing the impact of climate change on material credit exposures, conducting climate change, risk-related scenario analysis and stress testing, and quantitatively assessing the potential impact of physical risks. On the latter, local banks are ahead of their global peers. Only 26% of CROs globally are quantifying physical risks, compared with 70% of CROs in Asia-Pacific, although the sophistication of methods and data still vary widely. 70% of local banks also assess climate change risks in their material credit exposures.

That said, the region’s banks still have a way to go. Only 30% have controls in place to monitor climate change risks, 30% have climate change risks embedded in their risk appetite framework and 40% have embedded climate change risks in their risk taxonomy.

Cyber resilience

According to the EY global information security survey 2021 (GISS), more than three in four (77%) respondents to this year’s GISS warn that they have seen an increase in the number of disruptive attacks, such as ransomware, over the last 12 months. This is a substantial increase on the previous 12 months when the figure was 59%, likely down to the perfect storm of a sustained remote working environment with an increased attack vector, many more customers accessing financial services remotely and high-profile cyber-attacks. In addition, half of our Asia-Pacific CRO respondents say they expect regulators to impose higher standards of cybersecurity.

No wonder cybersecurity concerns remain top of mind in the risk universe, with 89% of local CROs putting this high on their agenda – on a par with worldwide sentiment.

With cybersecurity clearly a business, not just a technology risk, CROs should be more actively involved in the guidance and decision making around cyber risks. Right now, we do not see sufficient engagement between the CISO and CRO, who should be combining their skills to better manage these growing risks.

A CRO can help the CISO navigate the complexities of emerging regulations, quantify cybersecurity risk and align it back to the organization’s risk appetite. This allows the CISO to focus on their strengths: implementing controls and ensuring the environment is kept operationally secure.

Multi-faceted operational resilience

Even before the pandemic, banks were already investing more in operational or enterprise resilience, building on a decade of enhancing financial resilience. COVID-19 has only strengthened these priorities, with 70% of the region’s bank CROs saying operational resilience has become a higher priority since the pandemic. Three in five believe operational resilience skills will be one of the most important skill sets required in their risk functions over the next three years. Most Asia-Pacific banks (93%) expect regulators to impose additional or new operational resilience requirements over the next few years. Expected areas of change include capital and liquidity, and stress testing scenario selection and key assumptions.

The pandemic has also opened bank CROs’ eyes to the broader dimensions of resilience, especially workforce resilience, with 100% of local respondents saying this is now a higher priority as a result of COVID-19. As well as being concerned about the data security implications of remote work, CROs worry that productivity, culture and engagement have been permanently degraded by the virtual work environment.

As employees work remotely, it is even more important for individual performance assessments to be fair and equitable. The voice of the employee has to be systematically solicited, understood, monitored and measured as a key metric for company culture. In their efforts to monitor culture, banks are also considering more employee surveys and focus groups.

Technology resilience is rapidly coming into focus – a result of greatly accelerated moves to transform digitally. Only a third of Asia-Pacific CROs put digital transformation at the top of their risk issues. However, when we extend that to a five-year view, around 60% of CROs nominate the pace and breadth of change from digitization as a top emerging risk – perhaps indicating that many Asia-Pacific banks still have a way to go on their digital transformation journey.

Key actions for CROs

Looking ahead, it is clear banks will have to contend with persistent and dynamic disruption, and change not just today, but tomorrow and into the future. Asia-Pacific’s CROs are also worried that prolonged adverse economic conditions will continue, especially as countries may face new waves or variants of COVID-19 and government support measures expire.

Looking at a five-year horizon, after climate change, they nominate the length and depth of global economic recovery (80%) and geopolitical risk (80%) as the next most important risks.

In this environment, key priority actions for CROs include:

  1. Onboarding the risk skills of the future – Notably, 100% of our Asia-Pacific respondents said their talent pool was not equipped to meet the changing needs of the risk management function over the next three years, requiring additional skillsets. The specific skills in demand by those banks adding new professionals over the next few years align with new risks, such as climate change (90%), cybersecurity (80%) and data science (60%). Three in five are also seeking people with operational resilience and business continuity skills. How can banks ensure their people are ready for what's next? Banks need to reimagine their workforce development programs to retain people with the right technical and behavioral skills required to equip their businesses for the future. Innovative learning programs, curated learning experiences and a culture that nurtures curiosity, will help employees prepare for what’s next.
  2. Integrating risk management disciplines – A large majority of bank CROs acknowledge their data management and privacy processes are not well integrated, and neither is IT change management or third-party risk management. CROs should work with the business to weave operational resilience deep into the fabric of operations and risk management, leveraging across existing approaches.
  3. Harnessing digital – In some ways, risk management is still playing catch-up with the rest of the organization. CROs are not simply spectators to technology transformation. They also need to accelerate the digital transformation of risk management itself. Areas Asia-Pacific bank CROs think are most important include automating manual processes, and using advanced analytics in risk reporting and portfolio analysis. As many banks embed more agile ways of operating, we expect risk to align with this trend, by both applying agile approaches to risk management itself and making risk controls more agile. Of course, just because the case for digital transformation has been strengthened, this doesn’t mean the change itself has become easier. While CROs cite a range of constraints, such as a lack of relevant technology or change management expertise, the two primary constraints are budgetary and the scale of change required.

Perhaps the biggest lesson of the pandemic is that survival depends on more than strategy or performance. Whether banks survive in a future of constant disruption and challenging new risks, also depends on whether they have the ongoing resilience to do so, while capturing the opportunities offered by change. Resilience, then, will be a defining characteristic of success over the next decade or more – and an essential focus for bank CROs across the region.


Risk priorities have shifted significantly for bank CROs in Southeast Asia. Financial and operational resilience, and cybersecurity continue to dominate the agenda, but climate change is off the scale in terms of capturing attention. In response, CROs are looking to expand their teams with digital skills and new expertise aligned to their top risks. Risk functions of the future will soon include professionals with climate change, cybersecurity, and data science skills.

About this article

By Wolfram Hedrich

Partner, Financial Services Consulting, Ernst & Young Advisory Pte. Ltd.

Integrating climate risk and sustainability into strategy, risk and capital management. Curious about the interlinkages between global emerging risks. Aspiring global citizen. Proud father.