A new survey-based report by EY and the Institute of International Finance (IIF) has concluded that, as technology and ongoing competitive disruption force banks to reinvent themselves, the risk management function must undergo a revolution with risk management professionals balancing their roles and operating models.
The report, ‘Accelerating digital transformation: four imperatives for risk management’ finds that risk groups link strategy and risk appetite (67 percent); identify forward-looking or emerging risks (53 percent); assess strategy and business models from a risk appetite perspective (36 percent); help influence firm risk culture and behaviors (34 percent) and implement effective risk management structures (31 percent).
Four imperatives that boards, senior management, chief risk officers (CROs) and other key executives will have to address to stay competitive, maintain trust, and successfully achieve their digital transformation ambitions are highlighted. The four imperatives are: adapting to a risk environment and risk profile that is changing faster and more intensively than ever; leveraging risk management to enable business transformation and sustained growth; delivering risk management effectively and efficiently; and managing through and recovering from disruptions.
The report states that risk management has a central role to play in helping navigate the evolving risk profile of banks, and preparing for, managing through, and recovering from disruptions such as cyber attacks and weather-related disasters, which are commonplace. Top resilience concerns of respondents include: overall cyber risks (80 percent), prolonged IT outages inside the bank’s environment (64 percent), critical-third-party outages (64 percent), data availability (41 percent), IT obsolescence (39 percent), critical data being destroyed (39 percent) and financial resilience (32 percent).
Additionally, the report suggests that risk management functions can leverage new technologies much more than they are doing currently. Survey respondents identify a range of areas where new technologies will have a material impact: fraud surveillance (72 percent), financial crime (68 percent), modeling (57 percent), credit analysis (57 percent), cyber security (57 percent) and know-your-customer activities (57 percent).
Mark Watson, EY Americas Financial Services Center for Board Matters Deputy Leader, says: “Risk management will always have a critical role in protecting the franchise. However, now it must take on a trusted advisor role to help enable sustainable growth and inform banks’ digital and technological transformations. Risk management has to deploy new technologies across its own activities, which inevitably will necessitate new operating and talent models. Otherwise, risk management will be left behind.”
Andrés Portilla, Managing Director of Regulatory Affairs, Institute of International Finance, says: “Working closely with CROs at our member firms it is clear that the transformation of the risk management function is accelerating, influenced by new digital and technological innovations. Risk managers play a unique role within institutions to not only identify, manage and prepare for risks but also to work closely with the board and the business to identify new opportunities. Technology enables the risk function to transform but it also raises new challenges around cyber security, the use and accessibility of data and operational resilience, on top of broader concerns such as the implementation of new regulatory rules and supervisory expectations.”
Regional differences exist
The survey findings reveal regional trends including that North American banks place more importance on protecting the firm’s reputation than banks in other regions. African and Middle Eastern banks are more concerned about third-party outages and ransomware, while those in Asia-Pacific are more concerned about business-model viability than others, but less concerned than North American banks about cyber risks, third-party outages and data destruction. Latin American banks most fear cyber risks and IT obsolescence.
Beyond cyber security, each region has different CRO top priorities: credit and liquidity risks in Asia-Pacific (both 58 percent); risk appetite in Latin America (62 percent); implementation of new regulations and supervisory expectations in Africa and the Middle East (86 percent); business-model risk and implementation of new regulations and supervisory expectations in Europe (both 56 percent) and operational risk (excluding cyber security) and risk technology architecture in North America (both 65 percent).