Ey Iif Global Risk Survey V Final


An endurance course: surviving and thriving through 10 major risks over the next decade

Tenth annual EY/IIF global bank risk management survey

Contents

Executive summary
A decade of two halves
Near- and medium-term risk management challenges
10 major risks to manage over the next decade
1. Weathering the likely financial downturn
2. Operating in an ever-expanding ecosystem
3. Protecting privacy to maintain trust
4. Fighting a cyber war in banks and across the system
5. Navigating the inevitable industry transition to cloud
6. Industrializing data analytics across the business in a controlled manner
7. Delivering services to customers, clients and markets without disruption
8. Adapting to the effects of fast-shifting geopolitics on banks and their customers
9. Addressing the impact of climate change on banks and society
10. Meeting emerging customer demands for customized, aggregated lifetime offerings
Headlines a decade from now will tell the story
Research methodology and participant demographics
Contacts

Executive summary
For 10 years, EY and the Institute of International Finance (IIF) have been observing and reporting on changes in how banks manage risk. There has been a lot of progress over the decade.

Financial risks will always be cause for concern in banking. But today, globally, banks are much better positioned in terms of capital and liquidity. Dependence on short-term funding is down materially. Banks have greatly de-risked and de-leveraged their balance sheets, and non-core assets and operations that were amassed in the heady growth years before the financial crisis have been pruned back. Risk management practices around capital and liquidity have been strengthened significantly, in part because of robust regulatory-driven stress-testing across the industry. Accounting changes are supporting banks’ ability to build counter-cyclical buffers against future expected credit losses (see sidebar on accounting for credit losses, page 13). These changes have, in principle, been done with unprecedented levels of global regulatory coordination.

Risk leaders and their teams have been innovating approaches to new, or newly emphasized, nonfinancial risks. First among those are cyber risks — without question, this is now the top keep-me-up-at-night risk for many boards and chief risk officers (CROs). Conduct, compliance and fraud, and financial crime and money-laundering risks have also necessitated new ways of thinking and operating. If mishandled, all of these risks can create significant reputational risk for banks.

Taking the positive view of risk management over the past decade, banks are healthier than they were pre-crisis. Congratulations are in order to CROs and their teams and more broadly to those that helped strengthen banks’ three lines of defense and governance. The business — the first line of defense — is playing a much more central role in managing the risks it creates.

A more forward-looking view would be less favorable. In some ways, strengthening risk management in the last decade was fairly straightforward. Management could get budget and other resources simply by pointing to specific regulatory or supervisory requirements that needed to be implemented. Meeting those requirements was not easy, for sure, nor comfortable or without stress. After all, regulatory timelines were often short, while expectations were high. But many of the changes were, in practice, rather foundational.

Managing risk over the next decade could prove to be much more challenging. For one, a financial downturn of some kind seems likely in the next few months or years. CROs and their teams will have to show that they can guide the bank to take actions to manage down risks and exposures well before banks have to access their capital and liquidity backstops. This will test the stature and influence of risk management across all banks.

Industry leaders and regulators can already see a host of other significant risks that will require strong risk management over the next decade. Consider the implications of the ever-growing dependence on a complex web of third, fourth and fifth parties or the fact that cyber and privacy risks are becoming more challenging by the day. The industry’s transition to more digital strategies, business models and operations is creating new risks, such as those associated with industrializing the use of machine learning (ML) and artificial intelligence (AI) across the enterprise or using cloud across swaths of bank operations. Adapting risk and compliance approaches to enable new businesses, products and pricing models that deliver against vastly different customer needs and preferences will not be easy, especially as banks seek to strengthen operational resilience while doing so. Beyond all these challenges, several tectonic shifts, such as those associated with climate change and geopolitics, will impact banking far more than they have in the past.

Dealing with any one of these risks individually will greatly test risk management. But their coincidence will call for risk management to:

• Manage a much broader and more complex set of risks, each of which is changing at a fast pace
• Be much more creative and innovative in how those risks are measured and managed, including being more predictive
• Deliver risk management effectiveness efficiently

The next 10 years will be interesting to watch — and challenging to manage. There’s no off-the-shelf playbook for managing many of these risks. It will call for endurance and agility for banks to survive and thrive.



A decade of two halves

Figure 1: A decade of risk management transformation

• 2010, First: recover, adapt, advance. Still in the wake of the financial crisis, the focus was on regulatory change, a new risk governance model, and roles and responsibilities.
• 2011, Second: making strides. The major focus was risk management, notably capital, liquidity and stress testing. New risk governance models focused on the role of the board and chief risk officer.
• 2012, Third: progress made. New risk appetite frameworks became a central focal point, as did enhancing the skills and stature of risk function.
• 2013, Fourth: five years after the financial crisis. Changing the risk culture had to underpin technical and personnel changes. Financial risk management had improved significantly, but more change was required.
• 2014, Fifth: shifting focus. While the Basel agenda was still being conceived, conduct and culture came to the fore. Challenges in embedding risk appetite, especially for nonfinancial risks, became apparent.
• 2015, Sixth: rethinking risk management. Enhancing the three-lines-of-defense framework became a major focus, especially first-line accountability. Conduct risk, among other firm-wide nonfinancial risks, took prominence.
• 2016, Seventh: a set of blueprints for success. Despite material progress, it became apparent that risk management was in the midst of a 15-year transformational journey.
• 2017, Eighth: restore, rationalize and reinvent. Risk management was reaching a critical turning point, moving from rationalization to supporting reinvention. Cyber risks became a top priority and remain so today.
• 2018, Ninth: accelerating digital transformation. The role of risk in influencing and shaping digital transformation became critical as the speed and scale of change accelerated.
• 2019, Tenth: an endurance course. To be successful over the next decade, risk management has to help banks proactively manage 10 major industry-wide risks.

As shown across the 10 years of global bank risk management surveys conducted by EY and the IIF, risk management within the
global banking community has been on a transformational journey since the last financial crisis (Figure 1).

In the first half of the decade, the initial focus was on financial risks: capital, liquidity, counterparty risks, and associated issues, such as stress-testing and model risk management. Early improvements were made in terms of governance, with greater involvement of boards, and enhancements to the CRO’s role and stature (and, by inference, the CRO’s team). This engendered a significant emphasis on having a strong, independent second-line risk management function with an effective leader who has unfettered access to the board. These changes required an early focus on roles and responsibilities, which in turn precipitated a decade-long journey to build out an effective three-lines-of-defense operating model.

Several years in, banks and regulators recognized the need to create and implement effective risk appetite frameworks (RAFs). These quickly became the cornerstone of enhanced enterprise-wide risk management. Most banks introduced an RAF for the first time, forcing them to clearly articulate key risks facing the bank and, within that, gain agreement between the board and senior management that they were willing to take risks and accept specific levels of exposure across primary risk areas. Albeit a simple concept at one level, these frameworks revolutionized risk management. Efforts are ongoing as to how best to translate board guidance on appetite into actionable decisions deep in the organization.

Midway through the decade of change, culture came to the fore. The new or enhanced capabilities aided better risk management. Ultimately, there was recognition that culture matters because it is the foundation for behaviors that support appropriate, balanced and informed risk taking and, where necessary, escalation. Continued and significant instances of misconduct sharpened the focus on conduct risk and banks started to develop new risk approaches to influence behaviors. Those efforts continue today because this remains unfinished business for many banks.

In the second half of the decade, there was a material shift from financial to nonfinancial risks, as shown in Figures 2 and 3. The former have not gone away, of course, and the associated regulatory reform program continues, with jurisdictions now focused on finalizing and implementing global standards. But the energy in risk management shifted to the panoply of risks that had, for many years, been subsumed under the banner of operational risk. The initial focus was on compliance, conduct and fraud; later, cybersecurity and other IT risks captured the industry’s attention. Today, the CRO’s key priorities include strengthening operational resilience, privacy and cloud, and the transformation to digital, to name but a few. Along the way, boards became highly attentive to business-model risks, reflecting their core role of overseeing long-term strategy and a sustainable competitive positioning.



Figure 2: CRO 12-month risk priorities, 2012 to 2019

Rank  2012  2013  2014  2015  2016  2017  2018  2019
1     CRE   CRE   CRE   REG   REG   CY    CY    CY
2     LIQ   RA    RA    RA    CY    REG   CRE   CRE
3     RA    REG   OR    CRE   CRE   CON   REG   DIG
4     MR    OR    REG   OR    RA    CRE   OR    CON
5     REG   LIQ   RC    CAP   OR    OR    TECH  REG
6     TECH  CAP   CAP   LIQ   TECH  CUL   CON   OR
7     STR   MR    MR    TECH  STR   TECH  RA    CUL
8     CAP   STR   LIQ   STR   CON   ERM   BM    PRI
9     RC    TECH  STR   MR    CUL   RA    CUL   RES
10    OR    RC    TECH  CY    ERM   STR   STR   MO

Figure 3: Board 12-month risk priorities, 2013 to 2019*

Rank  2013  2014  2015  2016  2017  2018  2019
1     RA    RA    COM   REG   CY    CY    CY
2     LIQ   COM   RA    CY    REG   REG   CRE
3     REG   LIQ   CRE   RA    BM    RA    DIG
4     CAP   CAP   LIQ   CUL   RA    CRE   CON
5     OR    OR    CUL   CRE   CRE   CON   REG
6     STR   STR   CON   CON   CUL   OR    CUL
7     ERM   REP   OR    CAP   CON   BM    OR
8     CUL   CON   CAP   STR   REP   REP   BM
9     TECH  CUL   TECH  OR    OR    CUL   RES
10    REP   ERM   STR   TECH  STR   CAP   RA

* CROs’ views of boards’ priorities

The increased focus on nonfinancial risks is even more striking when looking beyond the next 12 months to the emerging risks over the next five years or more. Figure 4 highlights longer-term risks, including political upheaval, climate change and industry disruption. There is a multiplicity of data challenges, whether related to privacy risk, data availability or data integrity listed as emerging risks.

Figure 4: CRO and regulator priorities over the next five years

Risk                                                      Concerns to regulators*  Concerns to CROs
Industry disruption due to new technologies               46%                      69%
Pace or breadth of change from digitalization             48%                      65%
Geopolitical risk                                         32%                      60%
Use of machine learning (ML) or artificial intelligence (AI)  51%                  59%
IT obsolescence or legacy systems                         31%                      56%
Data privacy                                              69%                      53%
Environmental risk or climate change                      35%                      52%
Data integrity or destruction                             53%                      51%
Availability of data                                      27%                      51%
Model risk related to ML or AI                            38%                      48%

* CROs’ views of regulators’ concerns

Amid a period of convergence, regional variation abounds

In some ways, the past decade can be characterized as being about convergence. The regulatory reform agenda may not have been implemented in a fully consistent manner globally, and will likely never be, but overall the agenda created an unprecedented level of convergence of regulatory requirements, especially around prudential matters (e.g., capital and liquidity), board and internal governance, and risk management. The resultant narrowing variety of bank strategies and business models, and the sale of non-core or riskier businesses and of less liquid assets, was a common feature of banking globally.

The net effect was growing industry convergence toward lower targeted (though not always achieved) returns on equity (ROEs), as shown in Figure 5. Gone are the days of banks promising to deliver pretax 20% to 25% ROEs, which had been commonplace pre-crisis. Target ROEs fell materially, other than for banks that were in regions that were, initially, less subject to regulatory reform or that had local market growth. Over the decade, banks globally started to converge on 10% to 15% target ROEs. Those banks with greatly depressed ROEs initially, slowly improved their economics, while those promising higher returns found the regulatory agenda caught up with them and eroded their economics.

However, what appears to be industry convergence hid significant regional divergence. From an ROE perspective, the differences are material. Today, banks operating in Latin America and Middle East and Africa are quite profitable, with about half (44% and 58%, respectively) expecting ROEs above 15%. North American banks are also healthy, with only 6% unable to deliver at least 10% returns. By contrast, European banks are still experiencing fairly anemic growth and performance: 44% think they cannot yet deliver ROEs above 10%, and none are expecting to achieve returns above 15%.



Figure 5: Banks’ target returns on equity over subsequent three years

2013 to 2019 (- = no value shown)

Target ROE   2013  2014  2015  2016  2017  2018  2019
Above 20%    13%   9%    -     2%    7%    6%    6%
16% − 20%    33%   20%   29%   22%   18%   21%   16%
11% − 15%    37%   52%   49%   57%   49%   52%   53%
5% − 10%     11%   15%   20%   15%   25%   16%   25%
Under 5%     6%    4%    2%    4%    1%    4%    -

2019 by region (- = no value shown)

Target ROE   Asia-Pacific  Europe  Latin America  Middle East and Africa  North America
Above 20%    -             -       11%            29%                     -
16% − 20%    5%            -       33%            29%                     33%
11% − 15%    62%           56%     33%            36%                     61%
5% − 10%     33%           44%     22%            7%                      6%
Under 5%     -             -       -              -                       -

CRO priorities have varied regionally over the years. Banks in the Asia-Pacific region had a mix of issues to deal with, including a strong regulatory focus on market and consumer conduct, geopolitical tensions, and, more recently, the local impact of global trade wars. European banks, meanwhile, continued to grapple with challenging economic conditions: first the sovereign debt crisis, then stagnant growth and lately a prolonged Brexit, which is causing continued uncertainty for market participants. Latin America has faced domestic and political instability in many countries. Middle East and Africa experienced a mix of political instability, yet growth in some areas. The North American regulatory agenda, especially in the US, was broad based and impacted banks sooner than many other countries (perhaps with the exception of the UK).

In addition to new regulations — some local and others part of the broader Basel agenda — supervisors set out demanding new expectations across an array of areas such as capital and liquidity management, many of which affected risk management. Yet, in practice, the pace of implementation across regions has not been uniform.

As a result, while an overall industry journey of enhanced risk management has been visible across regions, local priorities varied materially over the past decade.

Near- and medium-term risk management challenges


While there has been a substantial amount of regulatory change, on reflection, CROs are fairly positive on the overall impact. “Increased discipline with respect to stress-testing, capital and liquidity management is a positive for the industry as a whole,” said one CRO about prudential regulation. “For a given product, the degree of thought that is now put into these issues would have been unrecognizable 10 years ago. It’s amazing the number of lenses that products are now put through,” said another about the impact of consumer protection and conduct regulation.

The quality of risk management undoubtedly has been enhanced. Reflecting the changing focus from financial to nonfinancial risks, risk professionals highlight differing levels of progress in implementing risk management across these types of risks. As shown in Figure 6, enhancements to financial risk areas are generally at an advanced stage, if not complete. By contrast, there is still much room for improvement in managing nonfinancial risks. Cyber risk is a recent example where banks have been building up their expertise and approach. The real challenge for CROs and their teams is building approaches that capably span both financial and nonfinancial risks.

Figure 6: Progress in implementing risk management processes (chart; scale from early stages to fully complete)

Financial risks: liquidity management, capital management, risk identification, stress testing, recovery planning, resolution planning, model risk management.

Nonfinancial risks: operational risk, information security risk, cyber risk, conduct risk, technology risk, operational resilience, privacy risk, third-party risk.


More effective, but certainly not efficient

Notwithstanding the fact that risk capabilities have matured overall, most banks have designed their risk management approach in light of new regulations or supervisory findings — and in short timeframes. As a result, enhancements were often implemented using highly manual processes and suboptimal approaches, many of which are cumbersome and expensive to operate, especially in an environment where scrutiny on costs remains high.

As a result, banks are seeking opportunities to become more efficient by rationalizing processes and increasing automation. Doing so not only enhances efficiency, but also promotes sustainability of the process or approach. Almost three-quarters (73%) expect to improve the efficiency of risk management over the next three years. Other priorities include:

• Improving risk management’s ability to inform decision-making (56%)
• Integrating risk activities across the control functions: risk, compliance and audit (55%)
• Completing the implementation of governance, risk and control technologies (55%)
• Enhancing board (24%) and senior management (22%) oversight



Altering the talent strategy will be a key area of focus, as well. A large majority (69%) expect to add specialist talent, and nearly as many (62%) will work to obtain the right mix of skills. As one risk leader said: “We will see a greater focus on skills around machine learning, data privacy, IT, data security, the climate change agenda, and so on. That will bring different kinds of thinking and approaches. The way change and disruption is managed will evolve, from the traditional, linear project management approach to a more agile, making-it-up-as-you-go-along approach.” Figure 7 shows the skillsets that will likely be most in demand in the coming few years.

“We are looking at our own people and wondering whether we need to re-skill them or get new skillsets.”
— Risk executive

Figure 7: Specialized talent banks feel they still require today

Areas where banks need to add financial risk experience …

• Model risk management (MRM) of AI or ML: 73%
• Stress testing: 23%
• Traditional MRM: 16%
• Financial risks***: 16%

… and nonfinancial risk experience

• Cybersecurity: 77%
• Information security: 51%
• Technology: 46%
• Operational resilience: 29%
• Third party: 28%
• Operational: 23%

*** Market, credit and liquidity risks


Libor transition: from misconduct to market illiquidity

Perhaps one of the most startling instances of industry misconduct by a small set of individuals was the manipulation of interbank rates. While much of the alleged misconduct that grabbed headlines in the wake of the financial crisis predated it, rate rigging continued to unfold several years after. It shocked everyone.

What started out as misconduct quickly turned into a market liquidity issue. Post-crisis, transactions in the interbank market declined precipitously, and ironically, this led to a heightened dependency on quotes from panel banks based on expert judgment — and those panels have increasingly become reticent to submit quotes for fear of legal or reputational risks. Liquidity has continued to dry up, and concerns have surfaced that fallback language in legacy contracts is generally weak, which could significantly disrupt financial markets in the event of a permanent cessation of the London Interbank Offered Rate (Libor).

As such, policy-makers, regulators and industry participants have been working together on the transition to alternative reference rates for several years. However, there is still much work to be done. While banks (and in particular larger institutions) are generally more aware of the issue than they were a year ago, substantial hurdles remain. The fact that various jurisdictions are taking differing approaches adds complexity.[1] Given that Libor underpins in excess of US$400 trillion in contracts, the transition has to be successful, for everyone’s sake. Transitional challenges include having to:

• Make sufficient resources available, such as key personnel or budget (46%)
• Validate that business-as-usual data- and time-series management processes support new risk-free rates (45%)
• Identify and model new risk factors (39%)
• Incorporate new risks into end-to-end risk management processes (37%)
• Adapt key firm-wide forecasting activities, including stress-testing (25%)

There is a range of risks that need to be managed through the transition (see Figure 8).[2]

Figure 8: Risks most challenging to manage during Libor transition

[1] “Libor transition: progress but challenges remain;” IIF study on Libor transition: https://www.iif.com/portals/0/Files/private/cmm_aug18_vf.pdf.
[2] “Libor transition: A certainty not a choice,” EY website, https://www.ey.com/Publication/vwLUAssets/ey-ibor-transition-a-certainty-not-a-choice/$File/ey-ibor-transition-a-certainty-not-a-choice.pdf.



Accounting for credit losses

Alongside regulatory reform, banks globally have been working through changes in accounting standards for recognizing expected credit losses. Banks reporting under International Financial Reporting Standards (IFRS) are a few years ahead in adopting IFRS 9 compared with peer banks, who will adopt the current expected credit loss (CECL) model issued by the Financial Accounting Standards Board (FASB).

The industry is split on the likely long-term effects on risk management and loan pricing of the new rules. Almost as many expect the impact to be limited, as those predicting that it will be much greater in the future. Indeed, one in five (19%) already expect the impact to be very high.

In terms of banks’ capabilities to measure and report impairment, banks highlighted several areas of additional complexity, such as modeling (72%), forecasting and stress-testing (68%), and portfolio monitoring and reporting (44%). About a third of banks expect data management and pricing methodologies will be affected. This will likely drive the need for stronger capabilities in the short term and also result in a need for standardization and simplification as the new accounting standards take effect.

It will take time to determine the full impact, in part because it is difficult to evaluate the likely interplay between accounting standards for credit risk and recent changes in capital requirements. Figure 9 highlights how banks believe loan markets could be affected.

Figure 9: Most likely significant impacts on loan markets

• Loan pricing: 49%
• Loan duration or lifetime: 38%
• Underwriting standards: 30%
• Target customer mix: 21%
• Product structure or conditions: 18%
• Limit availability: 16%

10 major risks to manage over the next decade


The last financial crisis has been thoroughly studied, and the risks that crystalized in bringing it about are now well known. For example, at the time, personal and corporate debt reached unprecedented levels; the financing of home-ownership was unsustainable, at least in the US; structured finance products became too complex; both regulation and monetary policies were too loose; and board governance was weak. The list could go on.

While it is easy to say in hindsight that everyone should have seen that the coming together of these issues was not going to end well, it is also reasonable to observe that not one of these issues was hidden and out of sight. The risks were not unknown, they were simply not understood or addressed.

Given the importance of anticipating risks and managing them pre-emptively, and to mark the 10th anniversary of the global bank risk management survey, EY and the IIF identified 10 major risks that will greatly test bank risk management over the next decade. These issues are akin to those that many, both inside and outside the industry, missed or understated prior to the last financial crisis. They are known, crucial issues that banks will need to manage as well as they do now for capital and liquidity. These are not unknown-unknowns.

These 10 major risks and issues over the next decade are:

1. Weathering the likely financial downturn


2. Operating in an ever-expanding ecosystem
3. Protecting privacy to maintain trust
4. Fighting a cyber war in banks and across the system
5. Navigating the inevitable industry transition to cloud
6. Industrializing data analytics across the business in a controlled manner
7. Delivering services to customers, clients and markets without disruption
8. Adapting to the effects of fast-shifting geopolitics on banks and their customers
9. Addressing the impact of climate change on banks and society
10. Meeting emerging customer demands for customized, aggregated lifetime offerings

Each of these issues is discussed on the following pages, with a view to the specific challenges and uncertainties they present, some of the evolving ways to manage those risks and, importantly, the role of second-line risk management in doing so. Others, especially the first line, have more of a responsibility to manage these risks. But second-line risk management has a prominent role in helping banks keep these risks on the agenda and successfully navigate through the next decade and beyond to deliver long-term survival.

1. Weathering the likely financial downturn


The banking industry globally is unquestionably better placed to manage through a financial downturn than it was a decade or so ago. Back then, there was a heavy dependence on business model and revenue diversity as a mechanism to drive profitability and deliver firm strength and an apparent broader distribution of risk across the system to alleviate concentrations. Capital was a back story. Indeed, credit ratings for banks showed an inverse relationship between capital levels and credit ratings (the larger the bank, the lower the proportion of capital rating agencies required they hold). Everyone remembers how that turned out.

Risk executives are quick to acknowledge that the global regulatory reform agenda was positive overall. “Increased discipline with respect to stress-testing, capital management and liquidity management is a positive for the industry as a whole,” noted one risk executive. Regional differences still exist, but generally banks have far more capital and liquidity than they had for decades, especially large, systemically important banks. As one CRO stated, banks are “better prepared for an economic downturn — they are more thoughtful on capital usages, and there is a better understanding of credit concentrations and behavior of counterparties when stressed.”

“Our board members do not have the same experience as management — most were not here last time. The business has changed substantially.”
— Risk executive

Better placed, but a severe downturn could highlight cracks

Notwithstanding efforts by central banks and policy-makers globally, it is a near certainty that the next financial downturn will occur within a few years. Cycles may have been altered through tougher regulation, stronger central banking prudential powers, and more active interest rate management, but economic cycles are inevitable. The question, as always, is not if, but when and how severe. Indeed, conditions today portend economic challenges ahead. One executive summed up the current situation well: “In terms of the macroeconomic environment, we are seeing a move away from greater globalization, toward an increasingly de-globalized world, and a tougher economic environment on all fronts.” Low or negative interest rates make it even harder on banks.

Banks are relatively sanguine about their ability to weather an economic downturn, as noted in Figure 10. From a risk perspective, the groundwork laid over the past decade means risk leaders feel relatively well-prepared to manage risk thresholds and limits — mechanisms are now in place to facilitate such changes as external conditions shift. Similarly, overall, banks feel well-placed to dynamically adjust growth targets, budgets and investments, and M&A activity. This flexibility, if real, will prove important.

A severe economic change may challenge banks, however. Regulatory stress-testing models suggest that banks can withstand severe economic shocks, but when asked, some banks are less confident about the quality of their playbooks during a severe downturn. They also acknowledge they still have relatively inflexible cost structures. Banks would do well to revisit their playbooks now and make necessary enhancements.

Figure 10: Adaptability of bank to an economic downturn (chart; scale from weak to strong). Categories: ability to recalibrate tolerances or limits; ability to incorporate into risk appetite; flexibility in growth targets*; flexibility in changing budgets, investments and operations; flexibility in M&A or divestitures; quality of playbooks if severe downturn; flexibility in variable cost structure.

* By portfolio and market or client.



Crystal ball watching: a basket of leading and lagging indicators

Risk managers have an important role in enhancing downturn readiness. Within their own domain, they have to validate that their risk monitoring captures emerging risks early enough to inform decision-making. They can also evaluate their risk tools to check whether they allow for sufficiently fast changes to risk thresholds and limits, when indicators start to turn negative.

Risk leaders can also pressure-test corporate and business-line strategies and plans. Do those plans sufficiently capture macroeconomic risks on an ongoing basis, and are they sufficiently flexible to adapt to those risks? This is more than a kick-the-tires exercise. Those plans have to be downturn-ready, because they drive so much decision-making at corporate and business-line levels.

An interesting question is which metrics CROs should monitor. In some ways, the most highlighted metrics in Figure 11 are lagging indicators, such as slowing real GDP growth and sharply rising unemployment. CROs watch consumer confidence surveys but pay less attention to their corporate confidence, yet the latter is significant. That said, the focus on the inversion of the yield curve is very understandable, at least in some developed-country markets where it is very much a leading indicator, if history is anything to go by.

CROs would be well advised to review their set of macroeconomic indicators and validate that the set is a good mix of leading and lagging indicators. Otherwise, efforts to readjust risk thresholds and limits may be slower than needed, especially if the downturn becomes severe faster than expected. The economics profession may be a source of insight, particularly given its enhanced focus on using more real-time data capture and modeling.

Figure 11: Top indicators used by CROs to identify potential material economic downturns
[Chart in two panels: economic indicators; sentiment surveys and models.]
Slowing real GDP growth: 58%
Inversion of yield risk: 42%
Sharply rising unemployment: 36%
Decrease in consumer confidence*: 27%
Decrease in business confidence*: 22%
Decrease in manufacturing production: 21%
Sharply rising interest rates: 20%
Surveys of economists: 20%
Economic model: 14%
Rising inflation: 8%
Rising inventory: 8%
Deflation: 4%

* From periodic surveys



2 Operating in an ever-expanding ecosystem



Third-party risk management is not new. The financial services sector has long depended on a complex web of external providers for core and peripheral services. Pressures on banks’ economics — and management decisions to focus on core competencies — have propelled many banks to outsource key activities. Still, the current level of dependence on third parties is only a small fraction of what it will likely be in the future. The extended, or rather “hyper-connected,” third-party ecosystem looks set to grow, perhaps exponentially, as the industry’s value chain disaggregates.

Thus, as banks look out over the next decade or more, the scale of third-, fourth- and fifth-party risk will feel materially different. As one executive summarized, “We absolutely have to pay more attention to third and fourth parties. We’ve been rigorous in talking to our third-party suppliers and asking about the suppliers on which they have a critical dependency.”

Risks abound

Most banks expect their risk profile will change materially because of increasing reliance on third parties. In general, factors such as overall dependence, concentration risk, issues related to data and technology, and outsourcing will have the most significant impact (see Figure 12).3

Figure 12: Third-party factors that will materially affect banks’ risk profiles over the next three to five years
[Chart of factors: dependence on third parties supporting core business services; on third parties, in general; fourth or fifth parties; in a specific location; core technologies; core business processes; transition core services to public or hybrid cloud; use or access to bank’s data.]

Managing these risks will prove challenging. “With the rise of FinTechs and their increased reliance on fourth, fifth and sixth parties, maintaining control is increasingly challenging,” noted one executive. Indeed, sometimes banks “discover many of our suppliers have the same supplier of a core service — so actually that fourth party is probably even more important to us than the third party. So, how do you make sure they have the requisite controls, security levels, etc. to make sure they don’t make you vulnerable?” Figure 13 highlights the most important risks associated with third parties.

Figure 13: Top third-party risks
Cybersecurity: 56%
Information security: 54%
Business continuity and resilience: 48%
Reputational: 35%
Privacy: 31%
Regulatory and compliance: 28%
Operational: 23%
Fourth- and fifth-party concentration: 13%
Location of third party: 4%
Strategic: 2%
Geopolitical: 2%
Financial: 1%

Risk management can make a difference

The industry’s decade-long transition from procurement to vendor management to third-party risk management has shone a light on the role of second-line risk management. Today, almost half (47%) of banks have their second line set the policy framework, rather than the first line, and about the same proportion (52%) challenge how the first line implements the bank’s third-party risk management framework. Larger banks have taken on these roles somewhat more than their smaller competitors, suggesting the industry is maturing toward a model where the second line takes a more prominent role as banks grow in size. About a quarter (28%) of banks’ second-line functions focus on identifying emerging risks and trends associated with third parties, while nearly as many set firm-wide risk appetite statements (23%) and metrics (22%) around those risks.

A small proportion of risk functions, particularly in smaller banks, have a focused role around critical third parties, whether it be assessing the actual vendors (15%) or the factors used to determine criticality (14%). The growing focus on strengthening firm-wide resilience will likely push this effort up, over time.

3 “Global financial services third-party risk management survey,” EY website, https://www.ey.com/Publication/vwLUAssets/ey-global-financial-services-third-party-risk-management-survey/$File/ey-global-financial-services-third-party-risk-management-survey.pdf.



Managing what’s critical
Not all third parties are the same. Some are
materially more important to the bank than others.
As such, almost all (97%) banks maintain a list
of critical third parties. The criteria for making
that list have changed over the past 10 to 15
years. Originally, it was heavily weighted toward
total spending and financial impact. Today, key
determinants include the impact on the firm’s
resilience strategy (66%), the type of data and
systems accessed (61%), and the sensitivity of data
used (54%).

Identifying critical third parties is increasingly
difficult. In the context of strengthening resilience,
banks now have to identify their most critical
services, and then determine what processes,
technologies, people and third parties support those
services. It is sometimes difficult to reach internal
agreement on which business services are critical, so
doubly difficult to identify critical third parties.

If the identification process is challenging, then
actually managing critical third parties is even harder.
Adherence to conditions in service-level agreements
is a primary lever for doing so (71%), as is getting
the right contractual conditions in place, such as the
right to audit (40%) or conduct site visits (28%). The
challenge is ongoing monitoring and what tools to
use. Surprisingly, less than one in five (18%) leverage
issues management as a monitoring technique
and less than one in ten (8%) use external risk
data or ratings, even though these can be efficient
and effective ways to identify potential issues at
specific vendors. If managing critical vendors is the
difference between sustained and disrupted critical
business services delivery, surely this will need to
change.



3 Protecting privacy to maintain trust



Five years ago, there was little public attention on privacy. Banks were not cavalier about privacy; they recognized they owed their customers and clients a duty of care to protect their private information and had mechanisms in place to support privacy commitments, in line with needs at the time.

However, the significant increase in the amount of personal data being processed and number of high-profile cyber events in recent years have propelled privacy concerns up the policy agenda. Five years ago, the loss of 10 million personal accounts was considered major news. Today, the loss of hundreds of millions of accounts does not seem so surprising to the public.

Banks recognize the urgency now placed on privacy. One in four banks (23%) rank it as a top risk in the next 12 months, and one in two (53%) view privacy as a key emerging risk over the next five years. This emphasis highlights that privacy is not simply a technical matter — it is about maintaining trust in the bank and the system at large. As one risk professional said, “What worries us most is the reputational impact if client data are hacked. As a bank, we sell trust to our clients. If we are not able to protect their personal data, that trust is going away.”

Being exposed and noncompliant

Large-scale breaches remain banks’ main concern, as shown in Figure 14. Banks recognize the reputational damage caused every time a firm in any sector has to admit to a major breach and loss of data. The quality and speed of response certainly matter, but a breach is a breach. As the industry has seen in numerous instances where the bank did not suffer a breach but rather a third party, the reputational damage can be the same. Customers often blame the bank.

Figure 14: Most concerning privacy risks
[Bar chart rating each risk on a five-point scale from not concerned to highly concerned: large-scale data breach; third party creates material privacy risk event; being noncompliant with laws and regulations; meeting legal or regulatory requirements for breach reporting; conflicting privacy laws across jurisdictions; fragmentation of privacy laws across jurisdictions; meeting customer demands to delete their data.]

The regulatory and political focus on privacy matters creates additional new risks. Banks worry about being able to remain compliant with requirements overall and specifically relating to breach reporting and are concerned about the complexities of competing local and international requirements. The trend toward regulations that give customers control over their data, while expected, creates significant new challenges relating to data capture, use, movement and deletion.

Integrating privacy into the broad risk framework

As many firms have realized in adapting to the European Union’s General Data Protection Regulation (GDPR), new regulations on privacy are much more stringent than those that existed previously4. The worldwide political focus on privacy will accentuate these demands.5

As banks have started to re-assess the adequacy of their privacy programs, many have concluded that more needs to be done to fully integrate privacy into business-as-usual operational and risk management activities. Only about a quarter (28%) of banks feel they have adequately incorporated privacy risk into their enterprise risk management (ERM) framework. Most are in the midst of enhancing their approach, some materially. Over the next three years, almost three in five (57%) banks expect to enhance the degree to which privacy is embedded in ERM, to build stronger data analytics and to establish more robust control frameworks. Almost as many (54%) expect to automate processes.

Second-line risk management has a pivotal role to play, initially by establishing the right risk framework (65%) or by greatly influencing or informing the privacy-risk framework (49%). It has to challenge the first line’s approach (68%), validating privacy is being taken seriously, from product design to marketing and distribution. A real challenge is determining who, within management, is accountable for privacy. Currently, across the industry, there is a variety of leaders involved, as shown in Figure 15.

Figure 15: Executive primarily in charge of privacy risk
[Pie chart of primary owner: CRO; compliance; legal; chief privacy officer; chief data officer; chief information officer; other; no executive designated.]

4 “How GDPR impacts financial services organizations,” EY website, https://www.ey.com/en_us/financial-services/6-ways-to-maximize-value-from-your-cloud-migration.
5 “Public policy spotlight: the evolving data privacy landscape,” EY website, https://www.ey.com/Publication/vwLUAssets/Ey-public-policy-spotlight-evolving-data-privacy-landscape/$FILE/Ey-public-policy-spotlight-evolving-data-privacy-landscape.pdf. “How The California Consumer Privacy Act compares to the EU GDPR,” EY website, https://consulting.ey.com/california-consumer-privacy-act-compares-eu-gdpr/.



4 Fighting a cyber war in banks and across
the system



Without question, cyber risks top CRO and board agendas. Five years ago, in 2014, cybersecurity did not even make the top 10 priority list for either group. Now it’s by far the most significant risk and has been at the top for three years in a row. No other risk comes close.

An industry-level systemic risk

For several years, the focus has been on the degree to which banks are exposed to direct cyber risks. Dialogue then turned to the weakest link — which bank or third party in the financial services ecosystem provided the most significant risk to everyone.

These risks remain important. However, the fact that bad actors, notably certain nation states, have shown a tendency toward destructive — not just criminal — behavior, means the focus has now shifted to industry-wide systemic risk. Four in five banks now believe a system-wide industry-level attack or material event is likely in the next five years, and almost a third (29%) view that as very likely.

The main (68%) concern remains banks having their own systems or data compromised and, thus, creating a systemic, industry-wide issue. But other concerns relate to an attack on a third party, other systemically important financial institution, or even another critical infrastructure industry, such as telecommunications or cloud provider. These concerns explain the heightened focus in regulatory and industry circles on industry preparedness and multi-firm simulations.

The real nightmare: losing data and operations

Given the confluence of privacy and cybersecurity concerns, it is not surprising that banks are most worried about the loss of customer data, as shown in Figure 16. However, banks are increasingly worried about access to, and the integrity of, data — about one in two (51%) banks cite those issues as key emerging risks over the next five years. The impact of cyber attacks on resilience is accelerating up executives’ and boards’ agendas; over half of banks (53%) worry about the ability to recover operations after an attack and a third about customers accessing services6. Indeed, bank leaders view cyber warfare as the top geopolitical risk globally, alongside China’s rising global influence.

Figure 16: Top cybersecurity risks
Data integrity
  Data destruction: 18%
  Manipulation of data: 13%
Loss or disclosure
  Customer data loss: 67%
  Loss of confidence in banking system or bank: 33%
  Proprietary data loss: 11%
Threats and vulnerabilities
  Critical third party attacked: 23%
  Insider threat: 18%
  Security risks associated with cloud: 12%
Inability to …
  Recover operations after attack: 53%
  Give customers access to services: 33%
  Access core IT systems: 15%

Second-line risk management plays a central role in the three-lines-of-defense approach to cyber risk management. It has taken on a material role in establishing the overall framework (54%) and building cyber risks into the risk appetite (60%) and metrics (63%) frameworks. Boards expect the second line to have an independent view on the bank’s vulnerabilities and threats (51%), and the first line’s ability to manage those risks effectively (71%).

The challenge is an organizational one. As one CRO commented, “Cybersecurity is one of the biggest issues at the moment, especially when looking at the internal organizational approach. Who is responsible for what? What is the role of the second line? Answering these questions is significant because it is key to finding the right people with the right competence.”

6 “Advancing regulatory fragmentation to support a cyber/resilient global financial services industry.” IIF study on Cyber Resilience: https://www.iif.com/portals/0/Files/private/iif_cyber_reg_04_25_2018_final.pdf.



Cyber capabilities need to mature more quickly

There are myriad ways in which banks manage against cyber risks. As a result, the maturity of their capabilities to do so varies materially across banks.

On the positive side, as shown in Figure 17, banks believe they have driven home the importance of having a firm-wide cyber-aware culture and have enhanced their ability to identify risks and vulnerabilities. They also think first-line — and to a lesser extent second-line — cyber reporting and metrics have matured, though they acknowledge there is a long way to go. Many banks admit in conversation that they still rely on key performance indicators (e.g., measuring the percentage of attacks defended against, regardless of severity) as opposed to key risk indicators (e.g., measuring the percentage of most-severe attacks defended against).7

Figure 17: Maturity of cyber risk reporting capabilities*
[Bar chart rating each capability as initial, repeatable, defined, managed or efficient: cyber reporting to board; first-line cyber metrics; second-line cyber metrics; ability to articulate and document cyber risk appetite; quantification of cyber risks; ability to incorporate cyber risks into capital stress testing; ability to track return on investment in cybersecurity.]
* Initial (i.e., ad hoc and undocumented); repeatable (i.e., documented and globally respected); defined (i.e., defined as standard business process); managed (i.e., quantitatively managed using agreed-upon services); and efficient (i.e., allows for deliberate optimization)

Banks struggle most in areas such as data backup and restoration and identity and access management, the latter of which is essential to underpin a robust cybersecurity posture. In risk measurement, banks struggle to properly quantify cyber risks and integrate them into their capital stress-testing.

The most significant challenge (particularly for midsize and small banks) is evaluating the return banks are getting from their investments in cybersecurity. Those investments are clearly increasing. But are banks really getting the return — of whatever kind — they expect?

With today’s rapid technology developments, banks are constantly playing catch-up on cybersecurity.
— CRO

7 “Five considerations for cybersecurity reporting,” EY website, https://www.ey.com/en_gl/financial-services/5-considerations-for-cybersecurity-reporting.



5 Navigating the inevitable industry
transition to cloud



For a variety of reasons, the banking industry is increasingly moving to cloud, but to date only a few banks have gone all-in.8 Most have been exposed to cloud through third-party providers supporting enterprise-resource planning, human resource or other such services.

This is changing quickly. The benefits are simply too appealing — cost efficiencies, gains in reliability and resilience, the ability to leverage highly sophisticated analytics, and faster software deployment. Arguably, if implemented effectively, information and cybersecurity safeguards are also stronger. These benefits are hard to achieve if banks maintain their own data and backup capabilities.

Banks recognize they cannot accrue the scale benefits by remaining purely on private cloud. They have to move to hybrid (public and private) or public cloud capabilities.

Knowing and managing cloud transition risks

Materially switching to the cloud is not without risks. Banks worry most about risk to customer or bank data and believe regulators, in general, have the same concerns, as noted in Figure 18. Losing data is not the only risk — maintaining the integrity and availability of that data is also cause for concern. That said, banks are more concerned with reputational risk than regulators, while regulators are more concerned with the geographic location of data and data servers (understandably so, perhaps, given regulation is jurisdictional in nature). It will be interesting to see how regulators deal with cloud concentration and data location issues.

Figure 18: Concerns related to industry-wide adoption of cloud
(Concern to regulators* / Concern to CROs)
Security of customer data: 87% / 92%
Security of bank data: 74% / 77%
Customer data integrity or destruction: 59% / 63%
Bank data integrity or destruction: 61% / 63%
Compliance or legal risk: 60% / 62%
Reputational risk: 33% / 62%
Concentration of cloud providers: 57% / 61%
Impact on operational resilience: 55% / 57%
Cloud provider exit strategy: 43% / 48%
Limited knowledge of third-party dependence on cloud: 43% / 47%
Geographic location of data or servers: 53% / 36%
Insufficient second-line risk management involvement: 30% / 33%

*CROs’ views of regulators’ concerns

8 “6 ways to maximize value from your cloud migration,” EY website, https://www.ey.com/en_us/financial-services/6-ways-to-maximize-value-from-your-cloud-migration.



The impact on the bank’s ability to maintain delivery of services to customers and clients is a risk that merits vigilance. While in theory cloud provides more resilience, especially when banks avail themselves of in- and out-of-region services, the issue is complicated by a material concentration in cloud providers. This may not be a concern for the bank’s direct services but could be an issue if the bank’s third and fourth parties also are subject to the same concentration risk and do not have the same levels of cloud resilience. Said one executive, “The board is comfortable with our strategy to use cloud more. But they want us to make sure we are not taking undue resilience risk and to know what the backup plan is if something fails. You have to have a backup plan for everything.”

A third of banks are concerned their second line is not sufficiently engaged in the risks of transitioning at scale to cloud. Yet the second line can play an important role in challenging the first line’s approach (62%), establishing the firm-wide strategy (31%) and monitoring enterprise-level risk appetite/risk metrics for cloud risks (40%). Within the context of third-party risk, a notable minority of banks have their second line challenge the testing (28%) and assess the criticality (25%) of cloud service providers.

Figure 19: Confidence in integration of core capabilities into cloud strategy
[Bar chart rating each capability on a five-point scale from not very confident to very confident: business continuity or disaster recovery; identity and access management; availability or capacity management; data protection or privacy; legal or regulatory management; security operations management; IT operations; threat and vulnerability management; systems development and operations; third-party management; infrastructure asset management; change or configuration management.]

Risks could strain cloud risk capabilities


In general, risk professionals are most concerned about
adapting their risk capabilities (60%) and culture (58%) to
cloud. They also know they need to adapt their security-risk
capabilities (50%) and invest in interpreting and aligning to
evolving regulatory requirements (36%).

Relative to other risks, banks are fairly critical of the degree to
which core capabilities are integrated into their cloud strategy,
as shown in Figure 19. Even in areas that might be expected to
be fairly well integrated, such as business continuity, identity
and access management, and data privacy, responses suggest
that not all banks are as confident as one might expect. In
areas such as systems development and infrastructure asset
management, they admit to yet lower levels of confidence.

Addressing these capability gaps will be an essential factor in
making boards, regulators and other stakeholders comfortable
with a major, industry-wide switch to cloud. Undoubtedly, it will
call for industry-level processes, alongside those of individual
banks.



6 Industrializing data analytics across the
business in a controlled manner



For several years now, the industry has been excited about the potential of ML and AI. Until recently, the promise has been greater than the reality. For sure, banks have been identifying and testing proofs of concept and piloting them. There are ample use cases: anti-money laundering, fraud, conduct surveillance, and credit decisions, to name but a few. However, only some of these pilots have moved into full-scale production across banks.

Driving decisions, not just operations

As noted in last year’s ninth annual global bank risk management survey, the industry is on the cusp of change. It is gradually moving to industrializing ML and AI across the bank, especially in first-line operations.

Initially, banks focused on the most obvious target — the low-hanging fruit — automating operational tasks (for example, financial-crimes surveillance alerts). There is still scope in some banks to expand usage in these areas.

However, as shown in Figure 20, the next areas of growth will likely be real-time decision-making, such as credit decisions, or automating challenging areas such as compliance and audits. In these areas, more complex human judgments will be augmented by algorithms.

Figure 20: Use of ML and AI now and in five years
[Chart showing, for each use case, the share of banks using now, the share that will be using in five years, and the share expecting a substantial increase in use in five years: improved compliance efficiency; better credit extension decisioning; more robust financial crimes monitoring; automation of audits and testing; automated analysis of historical documents; better client credit decisioning; model validation and reviews; automation of operational tasks; data quality and anomaly detection; front-office monitoring and surveillance; improved controls in marketing materials.]

Scaling machine learning and artificial intelligence could be risky

ML and AI have vast potential. The industry has not yet fully grasped the degree to which these analytics could fundamentally change how banks operate.

Yet, risk professionals, regulators and policy-makers are very focused on the risks of scaling up these technologies. Banks’ risk teams already see challenges in capturing new risks (64%) and getting the right talent to manage the risks (59%). They also see the lack of historical data in how these models act under different market conditions (54%) and uncertain regulatory expectations (47%) as additional challenges.

There are also broader societal and political concerns. Public discourse is centered on “ethical AI” — the moral or ethical implications of greater dependence on robotics and AI.9 Naturally, such concerns go well beyond financial services or technological issues. One CRO said, “We tried to have a more centralized approach in the risk analytics department, but you need someone to build regulatory models that meet all the regulator’s requirements, and that conflicts with people who want to consider new methodologies that don’t fit. It really is a culture clash.”

9 How do you teach AI the value of trust? How embedding trust from the start can help companies reap AI’s rewards. https://www.ey.com/en_us/digital/how-do-you-teach-ai-the-value-of-trust.



Model risk management 2.0 Figure 21: Model risk management enhancements expected
over the next three years to address ML- and AI-related risks
The broad use of models has been a central focus of the global regulatory reform agenda over the past decade. Regulators have been skeptical of internal models, noting that the spectrum of outcomes from such models across banks has been too significant and has hindered common capital and liquidity standards. Recent regulatory initiatives have shown a bias toward standardized approaches. The focus on models, inevitably, has pushed banks to greatly enhance their model risk management (MRM) approaches and capabilities.

However, banks recognize that risks associated with ML and AI are different. Almost three in five banks (59%) view the increased use of these data techniques as an emerging risk over the next five years and almost one in two (48%) point specifically to the associated model risks. Banks acknowledge that responsible innovation requires investment in governance and risk management around ML and AI prior to scaling its usage, not afterward. After all, difficulties with managing risks from AI-based models may hinder their use and acceptance.

Few banks have a solution in place. Less than one in ten (8%) believe they have a fully functioning governance process in place for these risks, and most of those admit to gaps in the coverage of risks such as compliance and data risk. As a result, many banks are currently evaluating the need for a new governance framework (36%) or are in the process of implementing one (28%).

Current MRM frameworks are also likely insufficient to mitigate risks associated with ML and AI. In the words of an executive, “There is probably value, but it is hard to build on it. We don’t have enough experience to be comfortable with it ourselves, let alone convince regulators.” Not surprisingly, a significant majority (93%) of banks expect to enhance their MRM framework across a range of areas noted in Figure 21.[10]

Banks are recruiting specialized talent. They put MRM experience around ML and AI as the top in-demand financial-risk skillset (73% expect to add headcount in this area, compared with 16% for traditional MRM experience).

[Figure 21 categories: model risk assessment; ongoing model monitoring; model change management; policies and procedures; model conceptual soundness; model inventory framework; model definition; vendor risk management; issues management]

In the end, a key component of gaining political and consumer acceptance is transparency. Customers and clients will want to know when their data informs AI (43%), and when AI is used in interactions with their clients (29%). Banks also have to remain aware of the potential for hidden or unknown biases in data sets driving the wrong outcomes (46%), train their employees on the limitations of AI (37%), and remain attuned, and adapt, to public and government concerns (38%).

[10] Building the right governance model for AI/ML: How banks can identify and manage risks to build trust and accelerate adoption https://go.ey.com/30lfRgw.



7. Delivering services to customers, clients and markets without disruption



CROs have been shifting their attention toward the management of nonfinancial risks given the significant improvement in financial risk management over the last 10 years. Indeed, as highlighted by the EY/IIF survey results, cyber, privacy and third-party risks and risks associated with emerging technologies have certainly come to the fore.

Arguably the most significant change in tenor and tone of the regulatory and supervisory focus in recent years has been the shift from financial to operational resilience. Authorities — and increasingly customers and other stakeholders — are not only focused on the ability of banks to continue to intermediate markets and service customers during a severe financial shock, but also on their abilities to do so during a significant disruption to their operations.

From if to when: a shift in paradigm

Historically, operational resilience has been narrowly focused on banks’ ability to protect against physical disruptions and resume specific systems, applications and capabilities.

Times have changed. In recent years, major banks and infrastructure providers globally have experienced an array of operational disruptions. The causes have been broad — severe weather events, cyber events, third-party outages, and legacy-system failures have been prominent. The impact — actual and reputational — has been significant. Bank management has had to admit failings to customers, regulators and, for some, politicians.

Regulators have quickly reset the fundamentals on how to manage resilience across the enterprise. They are now assessing banks’ capabilities to continuously intermediate markets and deliver services to their customers and clients on the assumption a disruption of some kind will occur, not whether it will. The scope of resilience activities is also being challenged, with authorities seeking to understand banks’ abilities to prevent, respond to, recover and learn from disruption, whatever the threat or vulnerability that might cause it.

Banks, naturally, have a range of concerns regarding what might trigger a disruption, as noted in Figure 22. Many of these concerns have increased since last year, notably for data access and availability, and IT obsolescence and legacy systems.

The concern that has grown the most over the past year relates to legacy systems and IT obsolescence. As one risk executive summarized, “Internally we are debating whether, given the pace of technological change, rather than continuing to fix and upgrade clunky systems, there is a way of building a totally different bank on the side. The [systems are] so entangled it is really hard to ever get where you want to get to, given the legacy systems.” Depending on complex, legacy systems will become increasingly more challenging given the pace and scale of change in products and services.

[Figure 22: Top resiliency-risk concerns, 2018 and 2019. Categories: cyber risks; data access and availability; prolonged IT outage; IT obsolescence and legacy systems; critical third-party outage; financial resilience (for example, liquidity, capital and collateral); critical data destroyed; prolonged outage of systemic player; dependence on cloud service]

Concentrate on governance

The fact that so many factors can precipitate a disruption has brought firm-wide governance of resilience to the fore. At some level, this means the way in which boards of directors oversee and challenge the bank’s resilience strategy and framework. But more practically speaking, it means how management will integrate resilience across the bank. Many of the firms are moving to centralize aspects of resilience, as noted in Figure 23.[11]

[Figure 23: Functions being integrated to strengthen resilience. Categories: cyber-incident response (IR); disaster recovery; business continuity planning across business units; crisis management; crisis communication; technology incident response; recovery and resolution planning (RRP) activities; testing (including simulations and table-top exercises); single function; industry initiatives (for example, Sheltered Harbor in the US or industry-wide cyber simulations)]

[11] Ten ways to enhance firmwide resilience https://www.ey.com/en_gl/financial-services/ten-ways-to-enhance-firmwide-resilience.



Apply a strong risk lens to resilience
Inevitably, second-line risk management will have to step up its
focus on risks to resilience, oftentimes elevating issues across
a range of existing (but frequently siloed) disciplines, such
as cybersecurity, IT risks, severe weather events or physical
security risks. Already, the second-line plays a material role in
many banks. One in two establishes the firm-wide resilience
strategy and framework (49%), validates that resilience is
in the risk framework and taxonomy (52%), and sets firm-
wide resilience metrics (49%). Interestingly, almost half
(46%) manage the crisis management plan, rather than the
first line.[12]

In challenging the first-line’s approach to resilience (a role 61%
already assume), second-line risk management has to focus
on core capabilities to prevent, respond to, recover, and learn
from disruptions, the maturity of which varies considerably
across the industry. Capabilities linked to disaster recovery
and data back-ups are relatively mature, according to banks.
Crisis-management and incident-response frameworks have
mixed maturity levels. Where banks’ capabilities are most in
need of enhancing is in the areas of firm-wide governance
and strategy, program management and reporting, and
articulating the appetite for or tolerance to disruption (the
latter is particularly important given the UK regulators’ focus
on defining and implementing so-called impact tolerances[13]).

“The integration of end-to-end risk management and core operational processes remains the most significant challenge to maintaining enterprise resilience” — Risk leader

[12] Managing through crises: preparation is key https://www.ey.com/en_gl/financial-services/ten-ways-to-enhance-firmwide-resilience.
[13] UK regulators have proposed that firms develop impact tolerances, which define their upper level of tolerance for disruption to certain business services, under the assumption that disruption will occur. This differs from a risk appetite statement or recovery-time objective, as those incorporate an element of probability. See EY/UK Finance, Perspectives: Operational resilience in financial services, June 2019 (https://www.ey.com/Publication/vwLUAssets/ey-perspectives-operational-resilience-in-financial-services/$FILE/ey-perspectives-operational-resilience-in-financial-services.pdf).



8. Adapting to the effects of fast-shifting geopolitics on banks and their customers



Banks are quick to highlight that they have withstood political pressures and geopolitical risks for years. Many note they have been in operation for decades or hundreds of years. Political issues ebb and flow, and banks generally manage through.

To some degree that is true. Banks have long been subject to direct or indirect political change or pressure over the past decades. More recently, one might argue that the global regulatory agenda of the past decade or the 2009 European sovereign debt crisis illustrated how political and regulatory pressures can become blurred. Yet, most banks coped.

Closer to home

Today, political pressures seem different. The distribution of political power is shifting, especially between East and West. Technology transformations are quickening, making the world more interconnected. Issues of the day, such as immigration and climate change, are cross-jurisdictional global matters.

Not surprisingly, three in five banks now view geopolitical – or domestic political – issues as a major emerging risk for the industry over the next five years.

Figure 24 highlights the political risks that worry banks the most. The impact of some of these risks is often diffused and therefore hard to discern, such as the changing roles of China, Russia and the US, or the rise of populism across democracies. Others are more palpable, such as being subject to nation-state cyber warfare, or the impact of Brexit on the UK and European Union.[14]

Nevertheless, banks believe political issues will have a more material impact on them and their customers in the coming years. Four in five expect the impact to be somewhat (58%) or much more (22%) significant over the next decade. Banks believe they will likely be affected via the overall impact on global or domestic demand (78%), unexpected market volatility (74%) and the impact on customer demand (41%). More directly, the supply chains of corporate clients (32%) or, to a lesser extent, the operational or financial strength of bank third parties or counterparties (10%), might be adversely affected.

Figure 24: Top geopolitical risks that will impact banks over the next decade
Escalating cyber warfare: 47%
China and US relationship: 47%
Changes to global trading environment: 42%
Rise of populism: 36%
EU instability: 26%
Elongated Brexit fallout: 23%
Changing US role: 22%
Emerging-market volatility: 18%
Middle East instability: 12%
China’s rising global influence: 11%
Push to account for climate change: 10%
Russia’s changing role: 3%

It’s not simply a matter of guesswork

For many executives, evaluating complex geopolitical trends often seems more of an art than a science. It requires an ability to read between the lines and make bold, but highly speculative, predictions about potential political outcomes, and their broader relevance for their institutions.[14]

Yet, while banks are quick to recognize they will be more subject to political risks in the future, they acknowledge they need to be more aware of those risks, and better adapt to them. Four in five banks say they either need to enhance their understanding of political risks or improve their ability to adapt to those risks as they change.

[14] Why you need a strategic approach to political risk https://www.ey.com/en_gl/geostrategy/why-you-need-a-strategic-approach-to-political-risk.



Geopolitical analysis is not simply for those with arcane policy knowledge. Rather, banks have to establish robust capabilities to evaluate political risk and determine potential actions to address identified risks.[15] As shown in Figure 25, banks highlight that they are very focused on (second order) macroeconomic conditions, as well as on building political considerations into the markets, sectors or clients they are exposed to, or the markets they operate in. Beyond those market-focused decisions, it is important that political issues are built into capital-stress-testing scenarios, annual strategy-planning processes, and business continuity plans.

Second-line risk has an essential role translating political intuition and debates into decision-making. As one risk executive put it, “The risk function has a role to help set and define the framework, instill the necessary discipline, and work with and challenge first-line management.” A large proportion of banks (75%) have their second line monitor the impact of politics on the bank’s risk profile, and challenge how line-of-business plans, or country or sector plans, incorporate political risks (47% and 39%, respectively).

Within that context, it is important to translate analysis into action. One CRO highlighted a range of ways his bank incorporates political risks in management decision-making, “We approach it first by looking at country risks, and whether certain countries are becoming riskier, which can impact decisions as to whether we open or keep open certain locations. We also look at where third-party providers are. Finally, we also look at credit risk and direct exposures – we look at our portfolio and the impact on certain sectors – and how best to build it into scenarios that are part of our sector-specific stress-testing exercises.” Getting it right will take time. As she noted, as of now, “the majority of what we do are medium-term adjustments.”

Figure 25: Ways banks use to analyze impact of geopolitical risks
We factor geopolitical risks into …
Ongoing analysis of economic conditions: 77%
Determining exposure to markets, sectors or clients: 75%
Risk indicator monitoring: 62%
Capital stress testing scenario development: 57%
Determining which markets to operate in: 55%
Annual strategy planning process: 52%
Identification of opportunities and risks: 51%
Business continuity plans: 48%
Risk appetite framework: 40%
Operational risk management: 30%

[15] What we are watching: geostrategic outlook https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/geostrategy/ey-geostrategic-outlook-february-2019.pdf.



9. Addressing the impact of climate change on banks and society



Climate change has risen on public and political agendas. The fact the world has just experienced its hottest summer on record is known by everyone. The realities of fires in Brazil and California, or hurricanes in Asia and Central America, are prime-time television. It could not be more real. Climate change has moved quickly from what seemed like a sometimes esoteric, academic debate (notably about cause and magnitude) to a political and societal issue globally, not least because the biggest impact of climate change will fall on many of the world’s poorest countries.

“Climate change is one of the defining risks of our career to manage” — Bank risk leader

Banks increasingly recognize the importance of this issue. Over half (52%) of banks view environmental and climate change matters as a key emerging risk over the next five years, up from just over a third (37%) a year ago.

Yet, levels of understanding of the potential impact on banks – for example, on credit defaults or corporate loans – vary significantly from bank to bank and continent to continent. Some banks have committed to the recently launched UN Principles for Responsible Banking and are driving climate change commitments deep into their organization, while others are more focused on addressing their environmental footprint and better disclosures. Banks are having to address climate change risk not only in their operations, but also in terms of how it affects them serving their customers and clients and how it affects their balance sheet and capital. The pace of activity will surely quicken in coming years, given the intensifying public demand to act.

At the center of environmental sustainability

As a result, banks are increasingly under pressure to consider climate change risks, and broader environmental and social risks. Indeed, “rising regulatory impetus and wider societal expectations, alongside our institution’s own desire and purpose,” have pushed such risks way up the agenda, according to one bank risk officer.

In some ways, banks find themselves in the center of environmental sustainability. Many have significant asset management operations, and in their stewardship role, banks are pushing companies in which they invest to address sustainability, and within that to identify and manage the effects of climate change. In part, this reflects their broader institutional commitments to sustainable business practices and finance, as well as the need to factor in environmental, social and governance (ESG) matters to attract retail and institutional investors who are increasingly attuned to these issues.

More broadly, however, banks are concerned about climate change risks for more commercial and practical reasons. As highlighted in Figure 26, banks acknowledge that climate change will impact their customers and clients directly, as well as their own operations. New commercial opportunities will materialize, as highlighted by the direction of regulators in some countries (such as the UK) to understand and report on both risks and opportunities from climate change.

[Figure 26: Most significant likely impacts from climate change. Panels: products, customers and assets; bank’s operations. Categories: higher default or credit risk in certain corporate sectors; financial needs of certain corporate sectors; commercial opportunities in energy; own environmental impact; business continuity plans; residential real estate or mortgage portfolio; commercial real estate portfolio; impact on critical third parties; catastrophic or other insurance policies; repricing of securities and derivatives; own real estate portfolio (e.g., branches); repricing of sovereign debt]

Don’t guess, analyze

Interestingly, just as insurers are altering their property underwriting policies and pricing in light of climate change, banks are waking up to the fact that they, too, need to consider how climate change affects them. Some banks are investing heavily in their firm-wide climate change strategy.

Banks know deep analysis is required when it comes to such a political and sensitive issue. “It’s important to approach this issue in an unemotional way,” noted one CRO. Perhaps surprisingly, already, four in five (79%) banks have incorporated climate change into their risk management approach. Half (51%) have built it into their scanning of emerging risks, while two in five (41%) have already adopted policies for impacted businesses.



The most forward-thinking banks have started to build climate change risk into their core risk management capabilities:
• Over a third (36%) have evaluated the inherent risks in material credit exposures and almost a quarter (23%) have built it into their scenario planning for stress-testing purposes.
• Around a quarter have built it into their enterprise risk framework (27%) and risk taxonomy (23%), although only about one in ten have firm-wide (9%) and business-unit (8%) level risk metrics tied to climate change.
• Almost a third (32%) are evaluating the impact on expected credit losses, over a quarter (26%) are determining the impact on capital, and one in five (21%) are focused on the balance-sheet sensitivity changes in external conditions related to climate change.

Figure 27: Ways to incorporate climate change risks into enterprise risk management

Climate change is embedded in:
Scanning of emerging risks: 51%
Enterprise risk management framework: 27%
Risk taxonomy: 23%

We quantitatively assess:
Inherent risks in material credit exposures: 36%
Within scenario adoption or stress testing: 23%
Potential transition risks*: 14%
Potential physical risks: 12%

We have:
Policies for impacted businesses: 41%
Controls in place to monitor risks: 10%
Enterprise-level risk metrics: 9%
Business-line risk metrics: 8%

*Transition risks of moving to low-carbon economy

The extent to which climate change analysis is embedded in decision-making varies significantly.[16] One executive said, “We address the risk through portfolio analyses and building policies and instructions for the affected areas. Both physical and transition risk are being considered in mitigating climate change risk. In general, climate change risk is being treated as any other risk category, i.e., incorporating it in credit decisions, establishing a scenario modeling, and so on. It is being addressed sector by sector and down to each customer.”

The key is getting beyond simple disclosure. Over half of banks (55%) depend on external disclosures to create the necessary governance regimen. But increasingly, banks are enhancing the quality of board and senior-management oversight of climate change, and broader ESG issues. A small minority of banks (8%) even factor climate change into compensation programs.

Getting good data to drive decision-making will prove essential. Official-sector initiatives, such as the Financial Stability Board’s Task Force on Climate-related Financial Disclosures and the activities of central banks in the Network for Greening the Financial System, will spur better, more consistent public disclosures. A plethora of private-sector firms are also developing climate change risk or ESG ratings. However, today, the quality of climate change or ESG data is still fairly nascent. As one executive noted, “It is critically important now that we get the right data to enable banks to model and manage the risk, but data sources are not there yet.” Another executive agreed, saying, “It is challenging to collect the right data. A lot of ESG-driven measures are still quite fuzzy about data quality.”

[16] How can you prepare for tomorrow’s climate, today? https://www.ey.com/en_gl/banking-capital-markets/how-can-you-prepare-for-tomorrows-climate-today.



First climate change, then what?
Some banks recognize that climate change is simply the tip
of the iceberg. Banks will increasingly be drawn into broader
environmental or societal issues.

Climate change is not the only environmental issue that
requires attention. Take water shortages. One risk executive,
who is worried about operational resilience and the
dependence on shared services in certain locations, linked
resilience to the broader environmental concerns, “There’s a
growing water shortage. We may be able to get our staff to
work, but what if they don’t have immediate access to water?
Won’t that threaten the practicality of our business continuity
plan?”

Beyond environmental matters, there are controversial
social issues. CROs highlight that, while climate change
may be the most prominent ESG risk at the moment, social
risks create, arguably, more challenging issues for banks. A
North American CRO pointed to gun control – banks may be
able to identify, isolate and potentially cease financing gun
manufacturers, but how will they do the same for stores that
sell guns? Similarly, given the focus on immigration and more
broadly on detention matters, are banks to stop financing
commercial prisons?



10. Meeting emerging customer demands for customized, aggregated lifetime offerings




Consumer preferences and buying behaviors for financial products and services are changing. EY NextWave financial services research shows that the average consumer is shifting away from owning and buying, to renting and using. The impact on banks will likely be a shift from delivering and pricing specific products and services, to delivering and pricing a comprehensive bundle of products, services and value-added capabilities.

The pricing model may become subscription-based (i.e., in which financial products are bundled, often with nonfinancial products, and purchased on a per-period subscription basis) versus a flat-fee basis (i.e., in which financial products are purchased on a per transaction or activity basis). These bundled products, services and capabilities will increasingly center on key life events[17] (e.g., getting married, becoming parents), when a complex set of financial needs should be addressed holistically.

This shift to a new model for meeting consumer needs will affect how banks operate and call for new approaches to managing inherent risks.

“We are trying to change the way we do business in a way that meets customer needs and expectations in the future” — CRO

Significant impact on products and operations

Even though the industry is in the early stages of moving toward radically different business and service models based on subscriptions, risk professionals are intuitively aware of the impact of such change.

Figure 28 highlights the most likely affected aspects of a bank. As one might expect, products and services linked to payments and residential real estate will likely be most immediately affected – after all, they have been most swayed by the rise of non-bank or FinTech competitors. Deposit, savings and investment products will also be affected, though less so in the minds of CROs.

Bank operations will also be affected, notably the bank’s digital or online operations, as well as its technology strategy and branch footprint.

[Figure 28: Areas most affected by meeting new consumer needs. Panels: products and services; bank’s operations. Categories: payments products; residential real estate and mortgage portfolio; deposit and savings products; investment products; personal loan portfolios; credit card portfolio; insurance products; auto loan portfolios; cash management portfolios; home equity loan or line portfolio; digital footprint; technology; branches; third-party ecosystem]

[17] NextWave Consumer Financial Services: financial subscriptions are coming https://cdn.foleon.com/upload/3941/nextwave_cfs_research_report_final_april_2019.67be3d331ef6.pdf.



Meeting the challenges head on

In some ways, the analytical impact on banks is hard to predict. The move to subscription-based models – or anything akin to it – requires bank risk leaders to recommend novel new risks, based on untried business models. Indeed, one executive asserted, “The whole concept of personalization may open a Pandora’s box for risk. Are offerings discriminatory if not done the ‘right’ way?”

Yet, over two-fifths (44%) of risk professionals realize the most pressing challenge will be pricing the service properly, and a third understand that it will be even more challenging to do so over the lifetime of the bundled offering. Some see some embedded risks, such as those associated with compliance (25%) and product-related risks (23%). As a result, some banks highlight challenges related to being transparent to the customer on pricing investments (26%) and to risk to the customer (24%). As one CRO said, “Risks are rising because the tolerance of clients is decreasing. What was acceptable two years ago, no longer is.”

New or enhanced risk capabilities will be required

Meeting customer needs in materially different ways will require enhanced or new risk capabilities, as highlighted in Figure 29. First and foremost, it will necessitate data analytics and ways to model customer value over the lifetime of the product or service, and to capture risks across products or associated businesses. Such analysis will need to be incorporated into revised new-product approval processes. Risk monitoring will have to expand, in part to spur faster, more informed decision-making. Training around the risks will need to adapt, as will talent needs.

Figure 29: Potential required changes to risk capabilities
New or more advanced data and technology capabilities: 62%
More integrated risk platforms to accelerate decision-making: 60%
Revised new-product approval process: 59%
More sophisticated risk modeling to evaluate customer lifetime value: 55%
More sophisticated risk modeling to capture cross product and business risks: 48%
Revised risk governance to provide real-time risk monitoring: 40%
Revised talent and training model: 39%
Revised risk framework to align with life-event-based customer value propositions: 31%

As one CRO put it, the risk dimension of delivering new value to customers in new ways highlights many issues: “How do you make sure the customer is buying the products in the right way? How do you know you are selling it the right way? How do you make sure they are generally reading and understanding the terms and conditions?”



Headlines a decade from now will tell the story



Looking back over the past 10 years, it is comforting to sit back
and provide a compelling narrative that bank risk management
is vastly better than it was pre-crisis. It doesn’t matter whether
changes were made to comply with legislation or regulatory
and supervisory rules or were voluntary; change was good
overall.

Everyone remembers the headlines of a decade or so ago. The media wrote constantly about the industry in unflattering ways. Every week a new blockbuster hit bookstands telling a tale of the run up to the crisis and how it was mismanaged in the early weeks and months as it unfolded.

No one was free from criticism. Politicians, among others, supported growth-oriented fiscal and other policies, and pressed for ever-increasing homeownership, especially in the US. Regulators promoted light-touch regulation. Bank boards of directors inadequately governed management. Senior management was self-interested and compensated simply for growth. Credit rating agencies were complicit in issuing top ratings to complex, esoteric structured finance products. The accounting profession was quizzed on its role.

We have come a long way since then.

As one looks forward, what will headlines involving banking look like over the next 10 years?

Will they be positive? “Bankers help arrest climate change?” “Banks support small businesses, despite months of economic turmoil globally.”

Or negative? “Banks have given way to techno-financiers.” “AI failed us – banks admit misconduct ran deep in their code.” “Yesterday, cyber attackers brought the global financial system to a standstill.”

Only time will tell. But, without hyperbole, risk management will play an influential role in determining which set of outcomes is more likely.



Research methodology and participant demographics



EY, in conjunction with the IIF, surveyed IIF member firms and other banks in each region globally (including a small number of material subsidiaries that are top-five banks in their home countries) from June 2019 through September 2019. Participating banks’ CROs or other senior risk executives were interviewed, completed a survey, or both.

In total, 94 firms across 43 countries participated (up from 74 banks in 2018). Regionally, those banks were headquartered in Asia-Pacific (21), Europe (26), Middle East and Africa (14), Latin America (10) and North America (23). Of those, 19 are globally systemically important banks and 49 have been designated as systemically important domestically. Data in this report relates to the 92 banks that completed the quantitative survey, and the narrative includes insights gleaned from qualitative interviews with some of those and other banks. As shown in Figure 30, participating banks were fairly diverse in terms of asset size, geographic reach and type of bank.

It is worth noting that 21 other financial institutions participated informally by responding to the survey. Their data is not included in this survey report, but directionally it did inform this report’s narrative.

[Figure 30: Participant demographics. Panels: region of headquarters (North America, Asia-Pacific, Middle East and Africa, Latin America, Europe); number of countries operated in (1, 2 to 3, 4 to 20, 21 to 50, above 50); systemically important financial institution (SIFI) status (not a SIFI, global SIFI, domestic SIFI); asset size in US$ (under $100b, $100b to $499b, $500b to $999b, $1t or more); type of bank (universal bank, primarily retail and corporate banking, primarily investment banking, other)]



Contacts



EY and IIF contacts

EY

Global

Jan Bellens
Global Banking & Capital Markets Leader
Singapore
+65 6309 6888

Dai Bedford
Global Banking & Capital Markets Advisory Leader
London
+44 20 7951 6189

Keith Pogson
Global Banking & Capital Markets Assurance Leader
Hong Kong
+852 28499227

Americas

Tom Campanile
Partner, Financial Services
New York
+1 212 773 8461

Adam Girling
Principal, Financial Services
New York
+1 212 773 9514

Diego Pleszowski
Latam Financial Services Leader
Santiago
+569 9321 3284

Mario Schlener
Partner, Financial Services Advisory
Toronto
+1 416 932 5959

Mark Watson
Managing Director, Financial Services
Boston
+1 617 305 2217

Asia-Pacific

Eugène Goyne
Associate Partner, Financial Services
Hong Kong
+852 2849 9470

Maggi Hughes
Partner, Financial Services
Singapore
+65 6309 8268

Doug Nixon
Partner, Financial Services
Sydney
+61 2 9276 9484

David Scott
Partner, Financial Services
Hong Kong
+852 26293070

Yoshio Wagoya
Partner, Financial Services Advisory
Tokyo
+81 3 3503 1110

EMEIA (Europe, Middle East, India, Africa)

Frank de Jonghe
Partner, Financial Services
Brussels
+32 2 774 9956

Ivica Stankovic
Partner, MENA Financial Services
Kuwait
+965 22955000

John Liver
Partner, Financial Services
London
+44 20 7951 0843

Vibhuti Lalloo
Partner, Financial Services Africa
Sandton
+27 76 440 0585

Max Weber
Partner, Financial Services Risk
Stuttgart
+49 711 9881 15494

IIF

Andres Portilla
Managing Director, Regulatory Affairs
Washington, D.C.
+1 202 857 3645

Martin Boer
Director, Regulatory Affairs
Washington, D.C.
+1 202 857 3636

Stefan Gringel
Policy Advisor, Regulatory Affairs
Washington, D.C.
+1 202 682 7456



EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services
we deliver help build trust and confidence in the capital markets and in economies the world over. We develop
outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a
critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young
Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company
limited by guarantee, does not provide services to clients. Information about how EY collects and uses
personal data and a description of the rights individuals have under data protection legislation is available via
ey.com/privacy. For more information about our organization, please visit ey.com.

About EY’s Global Banking & Capital Markets Sector
In today’s globally competitive and highly regulated environment, managing risk effectively while satisfying
an array of divergent stakeholders is a key goal of banks and securities firms. EY’s Global Banking &
Capital Markets network brings together a worldwide team of professionals to help you succeed — a team with
deep technical experience in providing assurance, tax, transaction and advisory services. The Sector team
works to anticipate market trends, identify their implications and develop points of view on relevant sector
issues. Ultimately, it enables us to help you meet your goals and compete more effectively.
© 2019 EYGM Limited.
All Rights Reserved.
EYG no. 004903-19Gbl
1909-3267866 (BD FSO)
ED None
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting,
tax or other professional advice. Please refer to your advisors for specific advice.

ey.com/bankingrisk
The views of third parties set out in this publication are not necessarily the views of the global EY organization or its member
firms. Moreover, they should be seen in the context of the time they were made.

About the Institute of International Finance


The Institute of International Finance (IIF) is the global association of the financial industry, with close to
500 members in more than 70 countries. Its mission is to support the financial industry in the prudent
management of risks; to develop sound industry practices; and to advocate for regulatory, financial and
economic policies that are in the broad interests of its members and foster global financial stability and
sustainable economic growth. IIF members include commercial and investment banks, asset managers,
insurance companies, sovereign wealth funds, hedge funds, central banks and development banks.
The Institute of International Finance (IIF)
1333 H St NW, Suite 800E
Washington, DC 20005-4770
USA
Tel: +1 202 857 3600
Fax: +1 202 775 1430

www.iif.com