Ey Iif Global Risk Survey V Final
An endurance course | 5
Figure 1: A decade of risk management transformation
• First: recover, adapt, advance. Still in the wake of the financial crisis, the focus was on regulatory change, a new risk governance model, and roles and responsibilities.
• Second: making strides. The major focus was risk management, notably capital, liquidity and stress testing. New risk governance models focused on the role of the board and chief risk officer.
• Third: progress made. New risk appetite frameworks became a central focal point, as did enhancing the skills and stature of risk function.
• Fourth: five years after the financial crisis. Changing the risk culture had to underpin technical and personnel changes. Financial risk management had improved significantly, but more change was required.
• Fifth: shifting focus. While the Basel agenda was still being conceived, conduct and culture came to the fore. Challenges in embedding risk appetite, especially for nonfinancial risks, became apparent.
• Sixth: rethinking risk management. Enhancing the three-lines-of-defense framework became a major focus, especially first-line accountability. Conduct risk, among other firm-wide nonfinancial risks, took prominence.
• Seventh: a set of blueprints for success. Despite material progress, it became apparent that risk management was in the midst of a 15-year transformational journey.
• Eighth: restore, rationalize and reinvent. Risk management was reaching a critical turning point, moving from rationalization to supporting reinvention. Cyber risks became a top priority and remain so today.
• Ninth: accelerating digital transformation. The role of risk in influencing and shaping digital transformation became critical as the speed and scale of change accelerated.
• Tenth: an endurance course. To be successful over the next decade, risk management has to help banks proactively manage 10 major industry-wide risks.
As shown across the 10 years of global bank risk management surveys conducted by EY and the IIF, risk management within the
global banking community has been on a transformational journey since the last financial crisis (Figure 1).
In the first half of the decade, the initial focus was on financial risks: capital, liquidity, counterparty risks, and associated issues, such as stress-testing and model risk management. Early improvements were made in terms of governance, with greater involvement of boards, and enhancements to the CRO’s role and stature (and, by inference, the CRO’s team). This engendered a significant emphasis on having a strong, independent second-line risk management function with an effective leader who has unfettered access to the board. These changes required an early focus on roles and responsibilities, which in turn precipitated a decade-long journey to build out an effective three-lines-of-defense operating model.

Several years in, banks and regulators recognized the need to create and implement effective risk appetite frameworks (RAFs). These quickly became the cornerstone of enhanced enterprise-wide risk management. Most banks introduced an RAF for the first time, forcing them to clearly articulate key risks facing the bank and, within that, gain agreement between the board and senior management that they were willing to take risks and accept specific levels of exposure across primary risk areas. Albeit a simple concept at one level, these frameworks revolutionized risk management. Efforts are ongoing as to how best to translate board guidance on appetite into actionable decisions deep in the organization.

Midway through the decade of change, culture came to the fore. The new or enhanced capabilities aided better risk management. Ultimately, there was recognition that culture matters because it is the foundation for behaviors that support appropriate, balanced and informed risk taking and, where necessary, escalation. Continued and significant instances of misconduct sharpened the focus on conduct risk and banks started to develop new risk approaches to influence behaviors. Those efforts continue today because this remains unfinished business for many banks.

In the second half of the decade, there was a material shift from financial to nonfinancial risks, as shown in Figures 2 and 3. The former have not gone away, of course, and the associated regulatory reform program continues, with jurisdictions now focused on finalizing and implementing global standards. But the energy in risk management shifted to the panoply of risks that had, for many years, been subsumed under the banner of operational risk. The initial focus was on compliance, conduct and fraud; later, cybersecurity and other IT risks captured the industry’s attention. Today, the CRO’s key priorities include strengthening operational resilience, privacy and cloud, and the transformation to digital, to name but a few. Along the way, boards became highly attentive to business-model risks, reflecting their core role of overseeing long-term strategy and a sustainable competitive positioning.
The increased focus on nonfinancial risks is even more striking when looking beyond the next 12 months to the emerging risks over the next five years or more. Figure 4 highlights longer-term risks, including political upheaval, climate change and industry disruption. There is a multiplicity of data challenges, whether related to privacy risk, data availability or data integrity listed as emerging risks.
Figure 4: CRO and regulator priorities over the next five years
Amid a period of convergence, regional variation abounds

In some ways, the past decade can be characterized as being about convergence. The regulatory reform agenda may not have been implemented in a fully consistent manner globally, and will likely never be, but overall the agenda created an unprecedented level of convergence of regulatory requirements, especially around prudential matters (e.g., capital and liquidity), board and internal governance, and risk management. The resultant narrowing variety of bank strategies and business models, and the sale of non-core or riskier businesses and of less liquid assets, was a common feature of banking globally.

The net effect was growing industry convergence toward lower targeted (though not always achieved) returns on equity (ROEs), as shown in Figure 5. Gone are the days of banks promising to deliver pretax 20% to 25% ROEs, which had been commonplace pre-crisis. Target ROEs fell materially, other than for banks that were in regions that were, initially, less subject to regulatory reform or that had local market growth. Over the decade, banks globally started to converge on 10% to 15% target ROEs. Those banks with greatly depressed ROEs initially, slowly improved their economics, while those promising higher returns found the regulatory agenda caught up with them and eroded their economics.

However, what appears to be industry convergence hid significant regional divergence. From an ROE perspective, the differences are material. Today, banks operating in Latin America and Middle East and Africa are quite profitable, with about half (44% and 58%, respectively) expecting ROEs above 15%. North American banks are also healthy, with only 6% unable to deliver at least 10% returns. By contrast, European banks are still experiencing fairly anemic growth and performance: 44% think they cannot yet deliver ROEs above 10%, and none are expecting to achieve returns above 15%.
Figure 5 (chart): target ROE bands of 16%–20%, 11%–15%, 5%–10% and under 5%.
CRO priorities have varied regionally over the years. Banks in the Asia-Pacific region had a mix of issues to deal with, including a strong regulatory focus on market and consumer conduct, geopolitical tensions, and, more recently, the local impact of global trade wars. European banks, meanwhile, continued to grapple with challenging economic conditions: first the sovereign debt crisis, then stagnant growth and lately a prolonged Brexit, which is causing continued uncertainty for market participants. Latin America has faced domestic and political instability in many countries. Middle East and Africa experienced a mix of political instability, yet growth in some areas. The North American regulatory agenda, especially in the US, was broad based and impacted banks sooner than many other countries (perhaps with the exception of the UK).

In addition to new regulations — some local and others part of the broader Basel agenda — supervisors set out demanding new expectations across an array of areas such as capital and liquidity management, many of which affected risk management. Yet, in practice, the pace of implementation across regions has not been uniform.

As a result, while an overall industry journey of enhanced risk management has been visible across regions, local priorities varied materially over the past decade.
Near- and medium-term risk management challenges

Chart categories: Capital management; Risk identification; Stress testing; Recovery planning; Resolution planning; Model risk management; Information security risk; Cyber risk; Conduct risk; Technology risk; Operational resilience; Privacy risk; Third-party risk.
More effective, but certainly not efficient

Notwithstanding the fact that risk capabilities have matured overall, most banks have designed their risk management approach in light of new regulations or supervisory findings — and in short timeframes. As a result, enhancements were often implemented using highly manual processes and suboptimal approaches, many of which are cumbersome and expensive to operate, especially in an environment where scrutiny on costs remains high.

As a result, banks are seeking opportunities to become more efficient by rationalizing processes and increasing automation. Doing so not only enhances efficiency, but also promotes sustainability of the process or approach. Almost three-quarters (73%) expect to improve the efficiency of risk management over the next three years. Other priorities include:
• Improving risk management’s ability to inform decision-making (56%)
• Integrating risk activities across the control functions: risk, compliance and audit (55%)
• Completing the implementation of governance, risk and control technologies (55%)
• Enhancing board (24%) and senior management (22%) oversight
“We are looking at our own people and wondering whether we need to re-skill them or get new skillsets.”
Libor transition: from misconduct to market illiquidity

Perhaps one of the most startling instances of industry misconduct by a small set of individuals was the manipulation of interbank rates. While much of the alleged misconduct that grabbed headlines in the wake of the financial crisis predated it, rate rigging continued to unfold several years after. It shocked everyone.

What started out as misconduct quickly turned into a market liquidity issue. Post-crisis, transactions in the interbank market declined precipitously, and ironically, this led to a heightened dependency on quotes from panel banks based on expert judgment — and those panels have increasingly become reticent to submit quotes for fear of legal or reputational risks. Liquidity has continued to dry up, and concerns have surfaced that fallback language in legacy contracts is generally weak, which could significantly disrupt financial markets in the event of a permanent cessation of the London Interbank Offered Rate (Libor).

As such, policy-makers, regulators and industry participants have been working together on the transition to alternative reference rates for several years. However, there is still much work to be done. While banks (and in particular larger institutions) are generally more aware of the issue than they were a year ago, substantial hurdles remain. The fact that various jurisdictions are taking differing approaches adds complexity.1 Given that Libor underpins in excess of US$400 trillion in contracts, the transition has to be successful, for everyone’s sake. Transitional challenges include having to:
• Make sufficient resources available, such as key personnel or budget (46%)
• Validate that business-as-usual data- and time-series management processes support new risk-free rates (45%)
• Identify and model new risk factors (39%)
• Incorporate new risks into end-to-end risk management processes (37%)
• Adapt key firm-wide forecasting activities, including stress-testing (25%)

There is a range of risks that need to be managed through the transition (see Figure 8).2

Figure 8: Risks most challenging to manage during Libor transition

1 “Libor transition: progress but challenges remain;” IIF study on Libor transition: https://www.iif.com/portals/0/Files/private/cmm_aug18_vf.pdf.
2 “Libor transition: A certainty not a choice,” EY website, https://www.ey.com/Publication/vwLUAssets/ey-ibor-transition-a-certainty-not-a-choice/$File/ey-ibor-transition-a-certainty-not-a-choice.pdf.
The industry is split on the likely long-term effects on risk management and loan pricing of the new rules. Almost as many expect the impact to be limited, as those predicting that it will be much greater in the future. Indeed, one in five (19%) already expect the impact to be very high.

Product structure or conditions: 18%
Limit availability: 16%
These 10 major risks and issues over the next decade are:
to manage through a financial downturn than it was a decade or so ago. Back then, there was a heavy dependence on business model and revenue diversity as a mechanism to drive profitability and deliver firm strength and an apparent broader distribution of risk across the system to alleviate concentrations. Capital was a back story. Indeed, credit ratings for banks showed an inverse relationship between capital levels and credit ratings (the larger the bank, the lower the proportion of capital rating agencies required they hold). Everyone remembers how that turned out.

Risk executives are quick to acknowledge that the global regulatory reform agenda was positive overall. “Increased discipline with respect to stress-testing, capital management and liquidity management is a positive for the industry as a whole,” noted one risk executive. Regional differences still exist, but generally banks have far more capital and liquidity than they had for decades, especially large, systemically important banks. As one CRO stated, banks are “better prepared for an economic downturn — they are more thoughtful on capital usages, and there is a better understanding of credit concentrations and behavior of counterparties when stressed.”

“Our board members do not have the same experience as management — most were not here last time. The business has changed substantially.”
— Risk executive

Better placed, but a severe downturn could highlight cracks

Notwithstanding efforts by central banks and policy-makers globally, it is a near certainty that the next financial downturn will occur within a few years. Cycles may have been altered through tougher regulation, stronger central banking prudential powers, and more active interest rate management, but economic cycles are inevitable. The question, as always, is not if, but when and how severe. Indeed, conditions today portend economic challenges ahead. One executive summed up the current situation well: “In terms of the macroeconomic environment, we are seeing a move away from greater globalization, toward an increasingly de-globalized world, and a tougher economic environment on all fronts.” Low or negative interest rates make it even harder on banks.

Banks are relatively sanguine about their ability to weather an economic downturn, as noted in Figure 10. From a risk perspective, the groundwork laid over the past decade means risk leaders feel relatively well-prepared to manage risk thresholds and limits — mechanisms are now in place to facilitate such changes as external conditions shift. Similarly, overall, banks feel well-placed to dynamically adjust growth targets, budgets and investments, and M&A activity. This flexibility, if real, will prove important.

A severe economic change may challenge banks, however. Regulatory stress-testing models suggest that banks can withstand severe economic shocks, but when asked, some banks are less confident about the quality of their playbooks during a severe downturn. They also acknowledge they still have relatively inflexible cost structures. Banks would do well to revisit their playbooks now and make necessary enhancements.

Figure 10: Adaptability of bank to an economic downturn (scale: weak to strong). Dimensions rated: ability to recalibrate tolerances or limits; ability to incorporate into risk appetite; flexibility in growth targets*; flexibility in changing budgets, investments and operations; flexibility in M&A or divestitures; quality of playbooks if severe downturn; flexibility in variable cost structure.
* By portfolio and market or client.
Risk leaders can also pressure-test corporate and business-line strategies and plans. Do those plans sufficiently capture macroeconomic risks on an ongoing basis, and are they sufficiently flexible to adapt to those risks? This is more than a kick-the-tires exercise. Those plans have to be downturn-ready, because they drive so much decision-making at corporate and business-line levels.

CROs would be well advised to review their set of macroeconomic indicators and validate that the set is a good mix of leading and lagging indicators. Otherwise, efforts to readjust risk thresholds and limits may be slower than needed, especially if the downturn becomes severe faster than expected. The economics profession may be a source of insight, particularly given its enhanced focus on using more real-time data capture and modeling.
Figure 11: Top indicators used by CROs to identify potential material economic downturns. Indicators shown: slowing real GDP growth; inversion of yield risk; sharply rising unemployment; decrease in consumer confidence; decrease in business confidence; decrease in manufacturing production; sharply rising interest rates; surveys of economists; economic model; rising inflation; rising inventory; deflation.
Risks abound

Most banks expect their risk profile will change materially because of increasing reliance on third parties. In general, factors such as overall dependence, concentration risk, issues related to data and technology, and outsourcing will have the most significant impact (see Figure 12).3

Chart categories: Privacy; Regulatory and compliance; Operational; Fourth- and fifth-party concentration; Location of third party; Strategic; Geopolitical; Financial.

3 “Global financial services third-party risk management survey,” EY website, https://www.ey.com/Publication/vwLUAssets/ey-global-financial-services-third-party-risk-management-survey/$File/ey-global-financial-services-third-party-risk-management-survey.pdf.
However, the significant increase in the amount of personal data being processed and number of high-profile cyber events in recent years have propelled privacy concerns up the policy agenda. Five years ago, the loss of 10 million personal accounts was considered major news. Today, the loss of hundreds of millions of accounts does not seem so surprising to the public.

Banks recognize the urgency now placed on privacy. One in four banks (23%) rank it as a top risk in the next 12 months, and one in two (53%) view privacy as a key emerging risk over the next five years. This emphasis highlights that privacy is not simply a technical matter — it is about maintaining trust in the bank and the system at large. As one risk professional said, “What worries us most is the reputational impact if client data are hacked. As a bank, we sell trust to our clients. If we are not able to protect their personal data, that trust is going away.”

Being exposed and noncompliant

Large-scale breaches remain banks’ main concern, as shown in Figure 14. Banks recognize the reputational damage caused every time a firm in any sector has to admit to a major breach and loss of data. The quality and speed of response certainly matter, but a breach is a breach. As the industry has seen in numerous instances where the bank did not suffer a breach but rather a third party, the reputational damage can be the same. Customers often blame the bank.

The regulatory and political focus on privacy matters creates additional new risks. Banks worry about being able to remain compliant with requirements overall and specifically relating to breach reporting and are concerned about the complexities of competing local and international requirements. The trend toward regulations that give customers control over their data, while expected, creates significant new challenges relating to data capture, use, movement and deletion.

Figure 14 (chart) rows: third party creates material privacy risk event; being noncompliant with laws and regulations; meeting legal or regulatory requirements for breach reporting; conflicting privacy laws across jurisdictions; fragmentation of privacy laws across jurisdictions; meeting customer demands to delete their data.

Integrating privacy into the broad risk

As banks have started to re-assess the adequacy of their privacy programs, many have concluded that more needs to be done to fully integrate privacy into business-as-usual operational and risk management activities. Only about a quarter (28%) of banks feel they have adequately incorporated privacy risk into their enterprise risk management (ERM) framework. Most are in the midst of enhancing their approach, some materially. Over the next three years, almost three in five (57%) banks expect to enhance the degree to which privacy is embedded in ERM, to build stronger data analytics and to establish more robust control frameworks. Almost as many (54%) expect to automate processes.

Second-line risk management has a pivotal role to play, initially by establishing the right risk framework (65%) or by greatly influencing or informing the privacy-risk framework (49%). It has to challenge the first line’s approach (68%), validating privacy is being taken seriously, from product design to marketing and distribution. A real challenge is determining who, within management, is accountable for privacy. Currently, across the industry, there is a variety of leaders involved, as shown in Figure 15.

Figure 15: Executive primarily in charge of privacy risk
For several years, the focus has been on the degree to which banks are exposed to direct cyber risks. Dialogue then turned to the weakest link — which bank or third party in the financial services ecosystem provided the most significant risk to everyone.

These risks remain important. However, the fact that bad actors, notably certain nation states, have shown a tendency toward destructive — not just criminal — behavior, means the focus has now shifted to industry-wide systemic risk. Four in five banks now believe a system-wide industry-level attack or material event is likely in the next five years, and almost a third (29%) view that as very likely.

The main (68%) concern remains banks having their own systems or data compromised and, thus, creating a systemic, industry-wide issue. But other concerns relate to an attack on a third party, other systemically important financial institution, or even another critical infrastructure industry, such as telecommunications or cloud provider. These concerns explain the heightened focus in regulatory and industry circles on industry preparedness and multi-firm simulations.

The real nightmare: losing data and operations

Given the confluence of privacy and cybersecurity concerns, it is not surprising that banks are most worried about the loss of customer data, as shown in Figure 16. However, banks are increasingly worried about access to, and the integrity of, data — about one in two (51%) banks cite those issues as key emerging risks over the next five years. The impact of cyber attacks on resilience is accelerating up executives’ and boards’ agendas; over half of banks (53%) worry about the ability to recover operations after an attack and a third about customers accessing services.6 Indeed, bank leaders view cyber warfare as the top geopolitical risk globally, alongside China’s rising global influence. The challenge is an organizational one. As one CRO commented, “Cybersecurity is one of the biggest issues at the moment, especially when looking at the internal organizational approach. Who is responsible for what? What is the role of the second line? Answering these questions is significant because it is key to finding the right people with the right competence.”

Loss or disclosure
• Customer data loss: 67%
• Loss of confidence in banking system or bank: 33%
• Proprietary data loss: 11%

Threats and vulnerabilities
• Critical third party attacked: 23%
• Insider threat: 18%
• Security risks associated with cloud: 12%

Inability to …
• Recover operations after attack: 53%
• Give customers access to services: 33%
• Access core IT systems: 15%

Second-line risk management plays a central role in the three-lines-of-defense approach to cyber risk management. It has taken on a material role in establishing the overall framework (54%) and building cyber risks into the risk appetite (60%) and metrics (63%) frameworks. Boards expect the second line to have an independent view on the bank’s vulnerabilities and threats (51%), and the first line’s ability to manage those risks effectively (71%).

6 “Advancing regulatory fragmentation to support a cyber/resilient global financial services industry.” IIF study on Cyber Resilience: https://www.iif.com/portals/0/Files/private/iif_cyber_reg_04_25_2018_final.pdf.
There are myriad ways in which banks manage against cyber risks. As a result, the maturity of their capabilities to do so varies materially across banks.

On the positive side, as shown in Figure 17, banks believe they have driven home the importance of having a firm-wide cyber-aware culture and have enhanced their ability to identify risks and vulnerabilities. They also think first-line — and to a lesser extent second-line — cyber reporting and metrics have matured, though they acknowledge there is a long way to go. Many banks admit in conversation that they still rely on key performance indicators (e.g., measuring the percentage of attacks defended against, regardless of severity) as opposed to key risk indicators (e.g., measuring the percentage of most-severe attacks defended against).7

Banks struggle most in areas such as data backup and restoration and identity and access management, the latter of which is essential to underpin a robust cybersecurity posture. In risk measurement, banks struggle to properly quantify cyber risks and integrate them into their capital stress-testing.

Figure 17 (chart) rows, rated by maturity level*: cyber reporting to board; first-line cyber metrics; second-line cyber metrics; ability to articulate and document cyber risk appetite; quantification of cyber risks; ability to incorporate cyber risks into capital stress testing; ability to track return on investment in cybersecurity.
* Initial (i.e., ad hoc and undocumented); repeatable (i.e., documented and globally respected); defined (i.e., defined as standard business process); managed (i.e., quantitatively managed using agreed-upon services); and efficient (i.e., allows for deliberate optimization)
“With today’s rapid technology developments, banks are constantly playing catch-up on cybersecurity.”
— CRO

7 “Five considerations for cybersecurity reporting,” EY website, https://www.ey.com/en_gl/financial-services/5-considerations-for-cybersecurity-reporting.
8 “6 ways to maximize value from your cloud migration,” EY website, https://www.ey.com/en_us/financial-services/6-ways-to-maximize-value-from-your-cloud-migration.
This may not be a concern for the bank’s direct services but could be an issue if the bank’s third and fourth parties also are subject to the same concentration risk and do not have the same levels of cloud resilience. Said one executive, “The board is comfortable with our strategy to use cloud more. But they want us to make sure we are not taking undue resilience risk and to know what the backup plan is if something fails. You have to have a backup plan for everything.”

A third of banks are concerned their second line is not sufficiently engaged in the risks of transitioning at scale to cloud. Yet the second line can play an important role in challenging the first line’s approach (62%), establishing the firm-wide strategy (31%) and monitoring enterprise-level risk appetite/risk metrics for cloud risks (40%). Within the context of third-party risk, a notable minority of banks have their second line challenge the testing (28%) and assess the criticality (25%) of cloud service providers.

Chart categories: Identity and access management; Availability or capacity management; Data protection or privacy; Legal or regulatory management; Security operations management; IT operations; Threat and vulnerability management; Systems development and operations; Third-party management; Infrastructure asset management; Change or configuration management.
Scaling machine learning and artificial intelligence could be risky

ML and AI have vast potential. The industry has not yet fully grasped the degree to which these analytics could fundamentally change how banks operate.

Yet, risk professionals, regulators and policy-makers are very focused on the risks of scaling up these technologies. Banks’ risk teams already see challenges in capturing new risks (64%) and getting the right talent to manage the risks (59%). They also see the lack of historical data in how these models act under different market conditions (54%) and uncertain regulatory expectations (47%) as additional challenges.

There are also broader societal and political concerns. Public discourse is centered on “ethical AI” — the moral or ethical implications of greater dependence on robotics and AI.9 Naturally, such concerns go well beyond financial services or technological issues. One CRO said, “We tried to have a more centralized approach in the risk analytics department, but you need someone to build regulatory models that meet all the regulator’s requirements, and that conflicts with people who want to consider new methodologies that don’t fit. It really is a culture clash.”

9 How do you teach AI the value of trust? How embedding trust from the start can help companies reap AI’s rewards. https://www.ey.com/en_us/digital/how-do-you-teach-ai-the-value-of-trust.
Few banks have a solution in place. Less than one in ten (8%) believe they have a fully functioning governance process in place for these risks, and most of those admit to gaps in the coverage of risks such as compliance and data risk. As a result, many banks are currently evaluating the need for a new governance framework (36%) or are in the process of implementing one (28%).

Current MRM frameworks are also likely insufficient to mitigate risks associated with ML and AI. In the words of an executive, “There is probably value, but it is hard to build on it. We don’t have enough experience to be comfortable with it ourselves, let alone convince regulators.” Not surprisingly, a significant majority (93%) of banks expect to enhance their MRM framework across a range of areas noted in Figure 21.[10]

Banks are recruiting specialized talent. They put MRM experience around ML and AI as the top in-demand financial-risk skillset (73% expect to add headcount in this area, compared with 16% for traditional MRM experience).

In the end, a key component of gaining political and consumer acceptance is transparency. Customers and clients will want to know when their data informs AI (43%), and when AI is used in interactions with their clients (29%). Banks also have to remain aware of the potential for hidden or unknown biases in data sets driving the wrong outcomes (46%), train their employees on the limitations of AI (37%), and remain attuned, and adapt, to public and government concerns (38%).

[10] Building the right governance model for AI/ML: How banks can identify and manage risks to build trust and accelerate adoption https://go.ey.com/30lfRgw.
[11] Ten ways to enhance firmwide resilience https://www.ey.com/en_gl/financial-services/ten-ways-to-enhance-firmwide-resilience.

[12] Managing through crises: preparation is key https://www.ey.com/en_gl/financial-services/ten-ways-to-enhance-firmwide-resilience.

[13] UK regulators have proposed that firms develop impact tolerances, which define their upper level of tolerance for disruption to certain business services, under the assumption that disruption will occur. This differs from a risk appetite statement or recovery-time objective, as those incorporate an element of probability. See EY/UK Finance, Perspectives: Operational resilience in financial services, June 2019 (https://www.ey.com/Publication/vwLUAssets/ey-perspectives-operational-resilience-in-financial-services/$FILE/ey-perspectives-operational-resilience-in-financial-services.pdf).
To some degree that is true. Banks have long been subject to direct or indirect political change or pressure over the past decades. More recently, one might argue that the global regulatory agenda of the past decade or the 2009 European sovereign debt crisis illustrated how political and regulatory pressures can become blurred. Yet, most banks coped.

Closer to home

Today, political pressures seem different. The distribution of political power is shifting, especially between East and West. Technology transformations are quickening, making the world more interconnected. Issues of the day, such as immigration and climate change, are cross-jurisdictional global matters.

Not surprisingly, three in five banks now view geopolitical – or domestic political – issues as a major emerging risk for the industry over the next five years.

Figure 24 highlights the political risks that worry banks the most. The impact of some of these risks is often diffused and therefore hard to discern, such as the changing roles of China, Russia and the US, or the rise of populism across democracies. Others are more palpable, such as being subject to nation-state cyber warfare, or the impact of Brexit on the UK and European Union.[14]

Nevertheless, banks believe political issues will have a more material impact on them and their customers in the coming years. Four in five expect the impact to be somewhat (58%) or much more (22%) significant over the next decade. Banks believe they will likely be affected via the overall impact on global or domestic demand (78%), unexpected market volatility (74%) and the impact on customer demand (41%). More directly, the supply chains of corporate clients (32%) or, to a lesser extent, the operational or financial strength of bank third parties or counterparties (10%), might be adversely affected.

[Figure: chart of political risks; labels: cyber warfare; Escalating China and US relationship; Changes to global trading environment; Rise of populism; EU instability; Changing US role; Elongated Brexit fallout; Emerging-market volatility; Middle East instability; China’s rising global influence; Push to account for climate change; Russia’s changing role]

It’s not simply a matter of guesswork

For many executives, evaluating complex geopolitical trends often seems more of an art than a science. It requires an ability to read between the lines and make bold, but highly speculative, predictions about potential political outcomes, and their broader relevance for their institutions.[14]

Yet, while banks are quick to recognize they will be more subject to political risks in the future, they acknowledge they need to be more aware of those risks, and better adapt to them. Four in five banks say they either need to enhance their understanding of political risks or improve their ability to adapt to those risks as they change.

[14] Why you need a strategic approach to political risk https://www.ey.com/en_gl/geostrategy/why-you-need-a-strategic-approach-to-political-risk.

[15] What we are watching: geostrategic outlook https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/geostrategy/ey-geostrategic-outlook-february-2019.pdf.
some countries (such as the UK) to understand and report on both risks and opportunities from climate change.

“Climate change is one of the defining risks of our career to manage

Figure 26: Most significant likely impacts from climate change

Products, customers and assets

Figure 27: Ways to incorporate climate change risks into enterprise risk management
The extent to which climate change analysis is embedded in decision-making varies significantly[16]. One executive said, “We address the risk through portfolio analyses and building policies and instructions for the affected areas. Both physical and transition risk are being considered in mitigating climate change risk. In general, climate change risk is being treated as any other risk category, i.e., incorporating it in credit decisions, establishing a scenario modeling, and so on. It is being addressed sector by sector and down to each customer.”

The key is getting beyond simple disclosure. Over half of banks (55%) depend on external disclosures to create the necessary governance regimen. But increasingly, banks are enhancing the quality of board and senior-management oversight of climate change, and broader ESG issues. A small minority of banks (8%) even factor climate change into compensation programs.

Getting good data to drive decision-making will prove essential. Official-sector initiatives, such as the Financial Stability Board’s Task Force on Climate-related Financial Disclosures and the activities of central banks in the Network for Greening the Financial System, will spur better, more consistent public disclosures. A plethora of private-sector firms are also developing climate change risk or ESG ratings. However, today, the quality of climate change or ESG data is still fairly nascent. As one executive noted, “It is critically important now that we get the right data to enable banks to model and manage the risk, but data sources are not there yet.” Another executive agreed, saying, “It is challenging to collect the right data. A lot of ESG-driven measures are still quite fuzzy about data quality.”

[16] How can you prepare for tomorrow’s climate, today? https://www.ey.com/en_gl/banking-capital-markets/how-can-you-prepare-for-tomorrows-climate-today.
[Figure: category labels: Digital footprint; Residential real estate and mortgage portfolio; Payments products; Technology; Branches; Deposit and savings products; Investment products; Personal loan portfolios; Third-party ecosystem; Credit card portfolio; Insurance products; Auto loan portfolios; Cash management; Home equity loan portfolios or line portfolio]
[17] NextWave Consumer Financial Services: financial subscriptions are coming https://cdn.foleon.com/upload/3941/nextwave_cfs_research_report_final_april_2019.67be3d331ef6.pdf.
[Figure panels: Region of headquarters; Number of countries operated in; Type of bank. Category labels: $100b to $499b; $500b to $999b; Domestic SIFI; Universal bank; Primarily investment banking; Other]
Adam Girling
Principal, Financial Services
New York
[email protected]
+1 212 773 9514

Diego Pleszowski
Latam Financial Services Leader
Santiago
[email protected]
+569 9321 3284

Mario Schlener
Partner, Financial Services Advisory
Toronto
[email protected]
+1 416 932 5959

Mark Watson
Managing Director, Financial Services
Boston
[email protected]
+1 617 305 2217

EMEIA (Europe, Middle East, India, Africa)

Frank de Jonghe
Partner, Financial Services
Brussels
[email protected]
+32 2 774 9956

Ivica Stankovic
Partner, MENA Financial Services
Kuwait
[email protected]
+965 22955000

John Liver
Partner, Financial Services
London
[email protected]
+44 20 7951 0843

Vibhuti Lalloo
Partner, Financial Services Africa
Sandton
[email protected]
+27 76 440 0585

Max Weber
Partner, Financial Services Risk
Stuttgart
[email protected]
+49 711 9881 15494
ey.com/bankingrisk
The views of third parties set out in this publication are not necessarily the views of the global EY organization or its member
firms. Moreover, they should be seen in the context of the time they were made.
www.iif.com
[email protected]