CROs say they will be focused on six risks over the next five years
Cyber threats: CROs see cyber risk everywhere — in every line of business, in day-to-day operations and transformation programs, and across extensive partner and supplier networks. Cyber risk is prominent on both short-term and long-term agendas. 58% of survey respondents chose their inability to manage cybersecurity risk as the top strategic risk for the next three years.
Credit risk: At the time of the survey, most banks felt good about traditional measures of credit risk. The strong controls that were established in response to the global financial crisis have clearly served banks well and bolstered confidence among boards and senior leaders. As the recessionary environment worsens, prudent CROs will look deeper to find hidden credit risks, such as those lurking in the shadow banking system and beyond.
Geopolitical risks: The war in Ukraine pushed geopolitical risks to the forefront for global banks. US-China tensions, regional conflicts and the retreat from globalization are now on some CROs’ agendas. Nearly two-thirds (62%) of respondents said geopolitical risks would have a “much more significant” or “somewhat more significant” effect on their organization during the next year; for G-SIBs, that number was 84%.
Climate and environmental risk: Climate risk remains a top-three risk for both boards and CROs in the next 12 months. But, in this year’s survey, only 37% of CROs cited environmental risk as a top-five issue for the next three years, versus 49% in last year’s research. This drop is likely a function of the nearer-term urgency around cyber and geopolitical risks. Looking ahead, CROs expect both ESG and climate risks to see the greatest increase in priority during the next 36 months.
Operational resilience: Banks have made significant investments to boost their operational resilience, and CROs now take a comprehensive view of operational resilience, from cyber and tech-related concerns to third-party risks. Cyber controls are the top priority for boosting operational resilience, followed by technology capacity and third-party dependencies. Third-party dependencies are a higher priority for those banks more dependent on ecosystems and other partnerships. One survey respondent commented that, “Operational resilience is key, but most banks still struggle with it because it’s complicated and a moving target. Regulators are turning up the heat and expect us to be perfect in the delivery of consumer services.”
Operational resilience is key, but most banks still struggle with it because it’s complicated and a moving target. Regulators are turning up the heat and expect us to be perfect in the delivery of consumer services.
Transformation risks: Digital transformation programs are essential to product and service innovation and the development of new business models. According to CROs, banks will focus on modernizing core platforms (58%), generating customer insights (54%), automating more processes (53%) and moving more operations to the cloud (51%). These moves produce unique risks, but also opportunities for CROs to engage with business leaders proactively and design controls that enable — rather than inhibit — innovation.
The risk profile of alliances and ecosystems: Digital transformation provides the foundation to execute growth strategies, including participation in alliances and ecosystems. Cybersecurity and data privacy are the top risk priorities in this area, though CROs see potential third- and fourth-party risks.
Banks’ vulnerabilities depend on their partners’ security and data privacy practices. These risks can vary considerably based on different strategies — full ecosystem development and orchestration, direct investments in joint ventures, and looser alliances.
Persistent talent risk across the business: As much as banking is being digitized and automated, the vast majority of CROs view talent as critical to future success. First and foremost, banks are struggling to attract the talent they need across the business, including in risk management functions. One CRO survey respondent said, “I’m concerned with having the right skills and attracting talent, but also about human capital as a resiliency risk.”
I’m concerned with having the right skills and attracting talent, but also about human capital as a resiliency risk.
Highly effective risk management starts with high-performing people, according to CROs. A vast majority (94%) say they need some or many new skills. The six most important skills for risk management functions are the same as last year’s survey, with cyber and data science topping the list.
New talent is key to establishing business-enabling cultures that are proactive in identifying risks and doing more than sharing risk knowledge with the business. Rather, the goal should be to fully engage in the formation of new business models and the execution of growth and innovation strategies.
Summary
There is no denying that banks have made substantial progress in enhancing risk management practices and establishing robust controls across the business during the last decade. Effectively managing risks during the next decade necessitates building on that impressive track record, with creative thinking and bold action, more advanced technology, and new talent.