6 minute read 10 Jan 2023
Aerial view of stand up paddle boarder paddling in glacier lagoon

How bank CROs are responding to volatility and shifting risk profiles

Authors
Jan Bellens

EY Global Banking & Capital Markets Sector Leader

Passionate leader on innovation in financial services, especially in emerging markets. Global citizen. Keen traveler.

Christopher Woolard CBE

Partner, Financial Services Consulting, Ernst & Young LLP; EY UK FinTech Leader; EY Global Financial Services Regulatory Network Chair; EY EMEIA Financial Services Regulation Leader

Experienced senior leader in regulation, strategy and innovation. Building better consumer and market outcomes in financial services.

6 minute read 10 Jan 2023

The EY/IIF global risk management survey shows that banks must manage multiple interconnected risks and the impacts of external events. 

In brief

  • While CROs remain focused on many familiar risks, this year’s results reveal the increased complexity caused by overlapping and correlated risks. 
  • Cyber jumped ahead of credit risk as the top CRO priority for the next 12 months, though the deteriorating economic environment could amplify credit risk. 
  • CROs are confident that they can build on the momentum of past years to deliver the risk management programs that banks need in a dynamic market. 

The results from the 12th annual EY/IIF global bank risk management survey confirm that banking industry chief risk officers (CROs) face an extraordinary volume and variety of risks — traditional and emerging, external forces and internal pressures — nearly all of which seem to be increasing in urgency. But CROs’ biggest challenge may be understanding how intersecting risks can create single or multiple points of failure, even when traditional risk management metrics look stable. 

Consider how the combination of geopolitical and cyber risks threatens operational resilience while also increasing market risk, particularly for institutions designated as global systemically important banks (G-SIBs), or how macroeconomic challenges may reveal previously hidden sources of credit risk. The talent shortage makes it more difficult to manage risks related to data security, consumer privacy and the use of artificial intelligence (AI) and machine learning. Environmental, social and governance (ESG) strategies, digital transformation and new product development also require multi-dimensional thinking by CROs. Increased regulatory risk is present in all of these vectors. 

In such an uncertain and fast-changing environment, yesterday’s compartmentalized taxonomies and conventional risk modeling processes may not account for the impacts of multiple, simultaneous risk events. The bottom line is that the most effective banking CROs must excel in both the strategic and tactical realms and commit to helping the business succeed in delivering innovative services that satisfy ever-rising customer expectations.

Cyber risk is the top risk priority for the next 12 months, according to CROs. But credit risk may soon become more of a focal point if economic conditions worsen. It’s notable that 83% of G-SIB CROs and 62% of CROs for European banks ranked geopolitical risk as the top priority. The cluster of issues in the next tier demonstrates the complex risk matrix CROs face today. 

  • Image description

    A bar chart that lists top CRO risk priorities for the next 12 months, with the length of each representing the percentage of respondents that chose each priority. Respondents could pick five responses.

Looking ahead, CROs say they will focus on the same risks as their regulators during the next five years, though priorities diverge significantly when it comes to tech-driven disruption, IT obsolescence and data privacy. Concern about climate risk is highest among CROs in Asia-Pacific (89%) and Europe (77%) and lowest in Latin America (40%). North American CROs are most concerned about the scale of organizational change (67%), climate risk (57%) and the pace and breadth of digitization (43%).

  • Image description

    A list of emerging risks over the next five years with circles beside each item and a percentage of respondents that chose each emerging risk. Respondents could pick 5 responses.

Podcast: Global bank risk management priorities

Panelists from EY and the IIF discuss findings from the 12th Annual EY-IIF Global bank risk management survey.

Listen now

CROs say they will be focused on six risks over the next five years

Cyber threats: CROs see cyber risk everywhere — in every line of business, in day-to-day operations and transformation programs, and across extensive partner and supplier networks. Cyber risk is prominent on both short-term and long-term agendas. 58% of survey respondents chose their inability to manage cybersecurity risk as the top strategic risk for the next three years.

Credit risk: At the time of the survey, most banks felt good about traditional measures of credit risk. The strong controls that were established in response to the global financial crisis have clearly served banks well and bolstered confidence among boards and senior leaders. As the recessionary environment worsens, prudent CROs will look deeper to find hidden credit risks, such as those lurking in the shadow banking system and beyond.

Geopolitical risks: The war in Ukraine pushed geopolitical risks to the forefront for global banks. US-China tensions, regional conflicts and the retreat from globalization are now on some CROs’ agendas. Nearly two-thirds (62%) of respondents said geopolitical risks would have a “much more significant” or “somewhat more significant” effect on their organization during the next year; for G-SIBs, that number was 84%.

Climate and environmental risk: Climate risk remains a top-three risk for both boards and CROs in the next 12 months. But, in this year’s survey, only 37% of CROs cited environmental risk as a top-five issue for the next three years, versus 49% in last year’s research. This drop is likely a function of the nearer-term urgency around cyber and geopolitical risks. Looking ahead, CROs expect both ESG and climate risks to see the greatest increase in priority during the next 36 months.

  • Image description

    A bar chart with rankings of risk area priorities. The ranking are decreased priority, no change and increased priority, represented in gradations of color. Listed above each bar is the risk area and at the end of each segment of the bar is the percentage of respondents that chose the ranking.

Operational resilience: Banks have made significant investments to boost their operational resilience, and CROs now take a comprehensive view of operational resilience, from cyber and tech-related concerns to third-party risks. Cyber controls are the top priority for boosting operational resilience, followed by technology capacity and third-party dependencies. Third-party dependencies are a higher priority for those banks more dependent on ecosystems and other partnerships. One survey respondent commented that, “Operational resilience is key, but most banks still struggle with it because it’s complicated and a moving target. Regulators are turning up the heat and expect us to be perfect in the delivery of consumer services.”

  • Image description

    A bar chart displaying priorities for operational resilience enhancements over the next three years. Each bar shows a range of five responses, with a gradation of color showing responses from low to high. Percentages for each response are provided at the end of each bar.

Operational resilience is key, but most banks still struggle with it because it’s complicated and a moving target. Regulators are turning up the heat and expect us to be perfect in the delivery of consumer services.
CRO survey respondent

Transformation risks: Digital transformation programs are essential to product and service innovation and the development of new business models. According to CROs, banks will focus on modernizing core platforms (58%), generating customer insights (54%), automating more processes (53%) and moving more operations to the cloud (51%). These moves produce unique risks, but also opportunities for CROs to engage with business leaders proactively and design controls that enable — rather than inhibit — innovation. 

  • Image description

    A list of ways digital transformation will accelerate in the next three years and beside each list item is a circle with the percentage of respondents that chose the item written inside the circle. The circles are placed to indicate the percentages, with the item with largest percentage furthest to the right.

The risk profile of alliances and ecosystems: Digital transformation provides the foundation to execute growth strategies, including participation in alliances and ecosystems. Cybersecurity and data privacy are the top risk priorities in this area, though CROs see potential third- and fourth-party risks.

  • Image description

    A bar chart displaying ecosystem and alliance risks requiring the most attention from CROs in the next three years. Each bar has the text of the risk above it. The percentage of respondents selecting a given choice are listed at the end of the bars and the bar lengths are longer the higher the percentage.

Banks’ vulnerabilities depend on their partners’ security and data privacy practices. These risks can vary considerably based on different strategies — full ecosystem development and orchestration, direct investments in joint ventures, and looser alliances.

Persistent talent risk across the business: As much as banking is being digitized and automated, the vast majority of CROs view talent as critical to future success. First and foremost, banks are struggling to attract the talent they need across the business, including in risk management functions. One CRO survey respondent said, “I’m concerned with having the right skills and attracting talent, but also about human capital as a resiliency risk.”

  • Image description

    A circle chart in which there is a list of items that represent the significance of talent risk to banks. Beside the list are circles with percentages inside them that show the percentage of respondents that chose a given item. Respondents could pick multiple responses.

I’m concerned with having the right skills and attracting talent, but also about human capital as a resiliency risk.
CRO survey respondent

Highly effective risk management starts with high-performing people, according to CROs. A vast majority (94%) say they need some or many new skills. The six most important skills for risk management functions are the same as last year’s survey, with cyber and data science topping the list.

  • Image description

    Sets of bar charts. For each set, there is a bar for G-SIB responses, Non-G-SIB responses and Overall (both combined.) To the left of the bars are a list of top skills required in the risk management function over the next three years. At the end of the bars are percentages of respondents who chose the response and the length of the bars are consistent with the percentages. Respondents could select only three items.

New talent is key to establishing business-enabling cultures that are proactive in identifying risks and doing more than sharing risk knowledge with the business. Rather, the goal should be to fully engage in the formation of new business models and the execution of growth and innovation strategies.

  • Image description

    A semi-circle with little circles of different colors. There is a key that explains what each color represents, all of which are steps to building positive cultures, behaviors and ways of working in the risk organization. The number of small circles of a given color is consistent with the percentage of respondents that chose a response. If one hovers over a color, the percentage choosing that response is displayed. Respondents could select only three items.

EY/IIF global bank risk management survey

The survey reveals CROs’ views on the most urgent issues facing their organizations now and in the next three to five years.

Access the report

Summary

There is no denying that banks have made substantial progress in enhancing risk management practices and establishing robust controls across the business during the last decade. Effectively managing risks during the next decade necessitates building on that impressive track record, with creative thinking and bold action, more advanced technology, and new talent.

About this article

Authors
Jan Bellens

EY Global Banking & Capital Markets Sector Leader

Passionate leader on innovation in financial services, especially in emerging markets. Global citizen. Keen traveler.

Christopher Woolard CBE

Partner, Financial Services Consulting, Ernst & Young LLP; EY UK FinTech Leader; EY Global Financial Services Regulatory Network Chair; EY EMEIA Financial Services Regulation Leader

Experienced senior leader in regulation, strategy and innovation. Building better consumer and market outcomes in financial services.