Banks halfway into a 15-year risk transformation

  • Share

Post-financial crisis, banks are halfway through a 15-year risk management transformation. What are the next stages of the journey?

Over the last seven years, in collaboration with the Institute of International Finance (IIF), we have monitored the industry’s progress in improving risk management through annual global surveys of top banks.

Banks have faced considerable headwinds since the financial crisis. They are under pressure to increase return on equity (ROE) to 10%-15% over the next three years, a struggle given the continued upward path of capital and liquidity requirements. While banks have made good progress, they need to continue making changes to achieve their growth targets – and those of their investors.

To meet these ROE commitments to investors, this year’s survey identifies three strategic actions to take:

  • Banks must implement their blueprint for managing risk more effectively, including the three-lines-of-defense model.
  • Banks need to better manage non-financial risks, including operational risk, cybersecurity and vendor risk.
  • Banks must continue their quest for a strategic blueprint that addresses ongoing regulatory change and other uncertainties and come up with a sustainable business model.

Implementing a blueprint for managing risk more effectively

Most banks have established frameworks to implement a fully functional three-lines-of-defense risk management model. This includes increasing first-line accountability, clarifying responsibilities across lines and adopting processes and tools for a more effective approach.

Across the first and second lines of defense, banks are adapting their risk and compliance functions – despite differing views on what activities should fall within each line. Boards and chief risk officers cited these key issues:

EY - Banks halfway into a 15-year risk transformation

Developing a workable blueprint to address non-financial risks

The industry, particularly G-SIBs, has struggled with non-financial risks. In the past five years, 51% of G-SIBs reported losses, including fines, settlements and remediation costs, of at least US$1 billion, with 6% reporting losses of at least US$20 billion. To a lesser degree, non-G-SIBs face similar impacts.

To meet the challenge, banks are innovating in the ways they manage three key non-financial risks.

  • Operational risk
    Banks continue to improve their approach to operational risk. This includes improving risk assessment and risk identification processes, enhancing business accountability, improving data collection and more.
  • Cybersecurity
    Banks are taking a broad approach to addressing cyber risks, including allocating more resources, adopting a three-lines-of-defense model unique to cyber risks and taking an enterprise-wide approach.
  • Vendor risks
    Regulators have emphasized clearly that banks remain fully accountable for the activities undertaken by third parties, and banks have increased oversight, government and risk assessment accordingly.

Ultimately, non-financial risks have to be firmly embedded into a firm’s ongoing risk management approach and linked to key human-resource processes. This includes further embedding non-financial risks into risk appetite, driving forward risk-culture initiatives, and linking culture and performance.

Finding a strategic blueprint

Although ROE targets of 10-15% are much lower than pre-crisis levels, achieving them will prove difficult. Many banks have a cost of capital that is just below, or in some cases just above, actual ROEs.

Moves to rely more heavily on data analytics, automated processes and common firmwide risk and control approaches will help ameliorate costs in the long run. But those initiatives are competing for budgets against other investments. Intensifying competition from FinTech and shadow banking also limits opportunities to increase prices and boost revenue.

The most challenging aspect of meeting ROE targets relates to the prudential agenda being driven by the BCBS and local regulators. Indeed, the combined capital, liquidity and leverage changes under Basel III have led banks to rethink their business models – and the so-called Basel IV agenda could have an additional negative impact.

Banks might have to accept ongoing revisions to their business portfolio, suite of products and services and regions served. Finding the blueprint for sustainable and dependable bank returns may prove elusive for a while.