How bank CROs are responding to volatility and shifting risk profiles

The EY/IIF global risk management survey shows that banks must manage multiple interconnected risks and the impacts of external events.

In brief

• While CROs remain focused on many familiar risks, this year’s results reveal the increased complexity caused by overlapping and correlated risks. 
• Cyber jumped ahead of credit risk as the top CRO priority for the next 12 months, though the deteriorating economic environment could amplify credit risk. 
• CROs are confident that they can build on the momentum of past years to deliver the risk management programs that banks need in a dynamic market.

The results from the 12th annual EY/IIF global bank risk management survey confirm that banking industry chief risk officers (CROs) face an extraordinary volume and variety of risks — traditional and emerging, external forces and internal pressures — nearly all of which seem to be increasing in urgency. But CROs’ biggest challenge may be understanding how intersecting risks can create single or multiple points of failure, even when traditional risk management metrics look stable. 

Consider how the combination of geopolitical and cyber risks threatens operational resilience while also increasing market risk, particularly for institutions designated as global systemically important banks (G-SIBs), or how macroeconomic challenges may reveal previously hidden sources of credit risk. The talent shortage makes it more difficult to manage risks related to data security, consumer privacy and the use of artificial intelligence (AI) and machine learning. Environmental, social and governance (ESG) strategies, digital transformation and new product development also require multi-dimensional thinking by CROs. Increased regulatory risk is present in all of these vectors. 

In such an uncertain and fast-changing environment, yesterday’s compartmentalized taxonomies and conventional risk modeling processes may not account for the impacts of multiple, simultaneous risk events. The bottom line is that the most effective banking CROs must excel in both the strategic and tactical realms and commit to helping the business succeed in delivering innovative services that satisfy ever-rising customer expectations.

Cyber risk is the top risk priority for the next 12 months, according to CROs. But credit risk may soon become more of a focal point if economic conditions worsen. It’s notable that 83% of G-SIB CROs and 62% of CROs for European banks ranked geopolitical risk as the top priority. The cluster of issues in the next tier demonstrates the complex risk matrix CROs face today. 

Looking ahead, CROs say they will focus on the same risks as their regulators during the next five years, though priorities diverge significantly when it comes to tech-driven disruption, IT obsolescence and data privacy. Concern about climate risk is highest among CROs in Asia-Pacific (89%) and Europe (77%) and lowest in Latin America (40%). North American CROs are most concerned about the scale of organizational change (67%), climate risk (57%) and the pace and breadth of digitization (43%).

CROs say they will be focused on six risks over the next five years

Cyber threats: CROs see cyber risk everywhere — in every line of business, in day-to-day operations and transformation programs, and across extensive partner and supplier networks. Cyber risk is prominent on both short-term and long-term agendas. 58% of survey respondents chose their inability to manage cybersecurity risk as the top strategic risk for the next three years.

Credit risk: At the time of the survey, most banks felt good about traditional measures of credit risk. The strong controls that were established in response to the global financial crisis have clearly served banks well and bolstered confidence among boards and senior leaders. As the recessionary environment worsens, prudent CROs will look deeper to find hidden credit risks, such as those lurking in the shadow banking system and beyond.

Geopolitical risks: The war in Ukraine pushed geopolitical risks to the forefront for global banks. US-China tensions, regional conflicts and the retreat from globalization are now on some CROs’ agendas. Nearly two-thirds (62%) of respondents said geopolitical risks would have a “much more significant” or “somewhat more significant” effect on their organization during the next year; for G-SIBs, that number was 84%.

Climate and environmental risk: Climate risk remains a top-three risk for both boards and CROs in the next 12 months. But, in this year’s survey, only 37% of CROs cited environmental risk as a top-five issue for the next three years, versus 49% in last year’s research. This drop is likely a function of the nearer-term urgency around cyber and geopolitical risks. Looking ahead, CROs expect both ESG and climate risks to see the greatest increase in priority during the next 36 months.

Operational resilience: Banks have made significant investments to boost their operational resilience, and CROs now take a comprehensive view of operational resilience, from cyber and tech-related concerns to third-party risks. Cyber controls are the top priority for boosting operational resilience, followed by technology capacity and third-party dependencies. Third-party dependencies are a higher priority for those banks more dependent on ecosystems and other partnerships. One survey respondent commented that, “Operational resilience is key, but most banks still struggle with it because it’s complicated and a moving target. Regulators are turning up the heat and expect us to be perfect in the delivery of consumer services.”

Transformation risks: Digital transformation programs are essential to product and service innovation and the development of new business models. According to CROs, banks will focus on modernizing core platforms (58%), generating customer insights (54%), automating more processes (53%) and moving more operations to the cloud (51%). These moves produce unique risks, but also opportunities for CROs to engage with business leaders proactively and design controls that enable — rather than inhibit — innovation. 

The risk profile of alliances and ecosystems: Digital transformation provides the foundation to execute growth strategies, including participation in alliances and ecosystems. Cybersecurity and data privacy are the top risk priorities in this area, though CROs see potential third- and fourth-party risks.

Banks’ vulnerabilities depend on their partners’ security and data privacy practices. These risks can vary considerably based on different strategies — full ecosystem development and orchestration, direct investments in joint ventures, and looser alliances.

Persistent talent risk across the business: As much as banking is being digitized and automated, the vast majority of CROs view talent as critical to future success. First and foremost, banks are struggling to attract the talent they need across the business, including in risk management functions. One CRO survey respondent said, “I’m concerned with having the right skills and attracting talent, but also about human capital as a resiliency risk.”

Highly effective risk management starts with high-performing people, according to CROs. A vast majority (94%) say they need some or many new skills. The six most important skills for risk management functions are the same as last year’s survey, with cyber and data science topping the list.

New talent is key to establishing business-enabling cultures that are proactive in identifying risks and doing more than sharing risk knowledge with the business. Rather, the goal should be to fully engage in the formation of new business models and the execution of growth and innovation strategies.