Among the many crises and challenges facing the world, cybersecurity remains the top near-term risk for banks around the world.
According to the latest EY and Institute of International Finance (IIF) bank risk management survey, today’s chief risk officers (CROs) face increased complexity caused by overlapping and correlated risks, nearly all of which seem to be increasing in urgency.
In the short term, three out of four CROs identified cybersecurity risk as their top concern over the next 12 months (72%), edging out credit risk (59%).
Jan Bellens, EY global banking & capital markets sector leader, opined that CROs are no longer juggling a tiered waterfall of risk, but a torrent of interwoven complexities that have rapidly evolved in a matter of months.
He added that the role of the CRO is in the spotlight; and, with geopolitical risk underpinning everything else on their agenda, they will need to find new and innovative ways to address competing demands.
“It is arguably one of the hardest jobs in the banking c-suite, facing new and hidden risks – particularly from increasingly sophisticated cyber-attacks, that will put increasing pressure on an already volatile environment.”
Jan Bellens
Market volatility is a major concern
Among 78% of CROs in the Asia-Pacific region who are focused on China’s changing global role, 67% say they are most worried about ongoing changes within the global trade environment.
Geopolitical risks play out differently by region, with 70% of North American CROs concerned about cyber warfare between nation-states — substantially more than their peers in Europe (46%).
Despite the regional differences, 59% of CROs agreed that market volatility from geopolitical risk would have a ‘major or moderate-to-high impact on exposure to market risk.
Mitigating and understanding risk exposures
Source: 12th annual EY/IIF global bank risk management survey
The survey noted that CROs are not confident in their ability to defend against cyberattacks, with 58% citing their organisation’s inability to manage cybersecurity risks as their top strategic threat over the next three years. The number of CROs concerned about increased cyber-attacks manifesting from geopolitical risk jumped from 39% last year to 61% this year.
On climate risk, which topped the list of emerging concerns for CROs last year, 51% of organisations stated they only had a basic understanding of their climate risk exposure. The survey also highlights that only 37% of CROs see environmental risk as a top-five issue that will demand CRO attention during the next three years, a drop from 49% in last year’s research.
About 71% of global CROs expect climate risk to be the most important concern for regulators over the next five years, far ahead of digitisation (37%), data integrity (36%) and geopolitical risk (35%). Notably, a majority of CROs surveyed say they will prioritise risk from new technologies and digitisation to a greater extent than regulators, who they expect to focus on data privacy and security.
Andrés Portilla, Managing Director, Regulatory Affairs at the IIF, noted the interconnectedness between the top risks identified by CROs this year – cybersecurity, geopolitical, and credit – and their underpinning networks.
“Ongoing economic volatility has only fuelled the concern that CROs will be navigating an increasingly complex risk landscape over the next 12 months,” he added.
Other notable findings
Cyber controls are the top priority for boosting operational resilience (65%), followed by technology capacity (33%) and third-party dependencies (30%). Given the expanding need for more robust controls, 85% of respondents noted they expect the cost of controls to go up in the next three years.
Source: 12th annual EY/IIF global bank risk management survey
Given the recent challenges faced by some large crypto exchanges, CROs are operating a more conservative model on digital assets. Nearly half (49%) of banks surveyed said they are still defining their digital asset strategies.
CROs are also very concerned about talent and culture risks, with 57% of them noting that talent is one of the most significant long-term risks facing the banking industry.
To attract and retain the talent to build a high-performing risk management function and meet the changing needs of the risk management function, the vast majority of CROs (94%) say they need some or many new skills and resources.
