Hand holding electric orb

Why today’s banking CRO must be master of many trades

The EY/IIF global risk management survey results surface new challenges faced by today’s CRO as their strategic and tactical remit expands.


In brief

  • The CRO role has expanded and evolved to incorporate more issues even as the pressure to operate the risk function efficiently has intensified.
  • Cyber is again the top risk priority for CROs, with heightened threats from more sophisticated attacks and proliferating vulnerabilities.
  • To manage today’s risks and stay ahead of tomorrow’s, CROs seek more critical thinking skills, stronger analytics and increased organizational agility. 

With banks around the world facing an ever-growing volume and variety risks, chief risk officers (CROs) find themselves wearing more hats and engaged with a broader range of issues. The results of the 13th annual survey of banking CROs conducted by EY and the Institute of International Finance (IIF) demonstrate how the intersections of different risk types and the persistent volatility of the banking landscape demand versatility from senior risk leaders.

This year’s study points to the dynamic nature of banking risk management today. Financial risk has moved back up the CRO agenda after a few years of relative calm. Cyber threats morph constantly with evolving links to geopolitical, technology and third-party risks. New regulatory requirements and ambitious transformation programs also demand CROs’ attention. And CROs are also expected to direct finite resources to boost both the efficiency and effectiveness of the risk management function.

For these reasons, the CRO job description has become uniquely multi-faceted. Insights from the research reveal seven roles CROs must play in identifying risks accurately, managing them effectively and reporting on them efficiently.

Download the EY/IIF global bank risk management survey

1. Fortune teller: envisioning risk impacts against a wide range of scenarios

There is almost no end to the questions CROs must ask to get ahead of emerging risks. What will regulators focus on next? Which jurisdictions are most likely to take action on ESG or consumer protections? What form will cyber attacks take when quantum computing power is more widely available? What economic and geopolitical developments could expose our business? Is our transformation agenda bold enough for future customers? The survey results show just how broadly CROs must think when they consider future risks.


2. Risk management traditionalist: enhancing core capabilities

For all the “new” threats that have emerged in recent years, CROs can’t afford to lose sight of traditional risk types, including operational resilience. Significant proportions of survey respondents said they need more operational resilience and business continuity skills in both the first and second lines.

The macroeconomic uncertainty of the last few years has led to a resurgence of financial risk as an area of concern among respondents. One-third of CROs cited liquidity risk as a top priority for the next 12 months, up from 15% last year. And liquidity risk was named by two-thirds of CROs (66%) as the top financial risk for the next year, followed by consumer or retail credit risk (56%), wholesale credit risk (52%) and interest rate risk for the banking book (48%).

 

Survey results from the last few years showed that financial risks were perceived to be largely under control in the eyes of CROs. But the significant banking sector volatility in early 2023 showed just how quickly traditional risks can manifest and how severely they can impact banks. According to 40% of CROs, their bank’s playbook for recovery and resolution planning is only high level and needs enhancement.

3. Firewatcher: monitoring vigilantly to prevent emergencies

Cyber tops the list of immediate-term CRO and board concerns by a large margin and may remain there for years to come. Cyber is actually a portfolio of multiple risks, including different forms of ransomware attacks, expanding activity by state-sponsored bad actors and the risks associated with ecosystems, generative AI (GenAI) and other third-party relationships. Thus, advanced and constant monitoring must be the baseline for cybersecurity. CROs must also be vigilant about the rise in fraud and other financial crime caused by economic stress.

Cyber is the leading risk by a large margin
The percentage gap between cyber and the next risk on CRO priority lists for the next 12 months.

4. Transformative technologist: building a framework for safe transformation

Banks have significant digital transformation programs underway as they seek to modernize their infrastructure, keep up with consumer expectations and stay ahead of competitors. In many cases, they are looking to accelerate these initiatives, despite significant constraints, including limited resources and competing priorities.

CROs need a clear understanding of both the overarching business objectives and the unique risks presented by powerful technologies, including GenAI. The use of machine learning and AI was cited by survey respondents as the second most important emerging risk for the next five years.

The specific risks range from unintended bias in decision-making, to increased cyber vulnerability, to staying ahead of potential new regulatory requirements.  To manage these risks effectively, banks will need new skills and technology experts; 61% of survey respondents said talent is a key risk to establishing oversight capabilities for emerging tech.


5. Data guru: protecting and providing strategic guidance around the bank’s biggest asset

Data is critical to every part of the business, as CROs recognize. High-quality and highly secure data is necessary to manage through increasing regulatory requirements and to unlock business growth through increased customer insights. CROs have as much responsibility as anyone to secure these critical assets, especially as they move among partners and ecosystems.

The key is to provide strong protections while also supporting the ability of the business to use data fluidly and intelligently (e.g., via personalized customer experiences). The good news: a strong majority of CROs – 71% – say their banks are actively enhancing their data capabilities and frameworks.


6. Geopolitical expert: tracking global events and their potential impacts on the business

CROs have long paid attention to the statements and policies of central banks around the world. Only recently have they had more reason to become experts on international relations. A full 83% of CROs say geopolitical risks will have a somewhat more significant effect (35%) or the same effect (48%) in five years than they do today. CRO and board concerns about geopolitical risk are likely even higher than our results indicated, given the global conflicts that began after the survey closed.

Geopolitical risk is evolving too. Looking beyond armed conflicts, trade tensions and disrupted supply chains could all hurt the industry. Increased cyber attacks (cited by 69% of CROs), a global economic slowdown (67%) and increased market volatility (65%) were cited as the most likely manifestations of geopolitical risk.

 

7. Change agent: providing strategic guidance on responsible risks

CROs are increasingly involved in critical strategic initiatives. Nearly half (46%) say they are engaged as key stakeholders in new product and growth opportunities associated with environment, social and governance (ESG) and with work on data management and quality frameworks. More than a third (35%) are involved with the adoption of transformative technologies (e.g., AI, machine learning), a figure that will surely increase in the future.

To fulfill their potential as strategic advisors to the business, CROs will need to help other leaders think through safe and responsible innovations that unlock sustainable growth without gaining a reputation for being a roadblock to innovation. CROs can promote transformation success making sure the board and senior business leaders recognize intersecting risks. A strong risk culture will help, too. The survey results show that more leaders will be concentrating on their role as change agent and culture champion in the future.


EY/IIF global bank risk management survey

The survey reveals CROs' views on the most urgent issues facing their organizations now and in the next three to five years.

Podcast: Global bank risk management priorities

Panelists from EY and the IIF discuss findings from the 13th Annual EY-IIF Global bank risk management survey.


Summary

A brief glance at recent headlines demonstrate how CROs’ jobs have grown more complex and why they’re unlikely to get any easier in the coming years. From world events and macroeconomic shifts, to societal megatrends and relentless technology disruption, to intensifying regulatory scrutiny, the confluence of powerful forces has pushed CROs to wear multiple hats simultaneously. In doing so, they must think and act more strategically at the same time as they build out strong foundational technical and tactical capabilities.


About this article

Authors