Last year, we polled our global CROs and asked them “What keeps you up at night?” – then, live at RiskMinds International, we ran the poll again, widening the scope to include the audience as well as the CROs leading the panel. The results were similar, with cyber, regulation and geopolitics featuring as the top three risks giving the crowd sleepless nights.
This year, we asked “10 years after the financial crisis – what next for CROs?” In effect, what risks are top of the agenda, and which have fallen in relevance since 2008. How are managers striking the right risk-return balance and managing risk in this new era, and how are they preparing for the new risk paradigm.
1 Cyber threats
Unsurprisingly, cyber risk remains the top concern for CROs, with 79% ranking it in their top three risks. Of this, just under half rated it as their top concern and priority.
To look at some of the statistics makes its clear why CROs are keeping this particular risk front and centre. A study by Accenture found that the average cost of a malware attack is $2.4 million and the cost in time is around 50 days, with the average global cost of cyber crime increasing by over 27% in 2017. Add to this that the financial services industry takes the highest cost from cyber crime (an average of $18.3 million per company surveyed). Then you have the headline risk, the reputational damage that can be wrought following a cyber-attack. Considering this, creating and delivering a robust cyber risk strategy appears to still be of upmost importance.
While most banks already have comprehensive plans in place—doing things like hire ethical hackers to identify weaknesses and run war-game scenarios to prepare for the worst--there is still one area of managing this risk which continues to cause a headache for managers: employee vigilance. It remains that most attacks come through what could be considered the crudest tactics. Malware endures as one of the most popular methods for cyber criminals, and targeted spear-phishing campaigns are becoming fileless and complex, tempting unsuspecting, under-trained or negligent staff to click and potentially infect the entire network. The International Data Corporation has previously estimated that organisations are expected to spend over $1bn on cyber security software in 2020, but this is only of so much help if the workforce remains the easiest entry point. Engaging employees across all functions of the business to play their part in cyber risk management and drive a more stable risk culture is a key challenge for CROs over the next decade.
Finally, one respondent noted that managing cyber risk isn’t just about hacking and data malware on the company, “but the increasing attacks on individuals to compromise their banking credentials and push payment frauds”. As more banking moves digital, this will also be a growing risk factor.
2 Geopolitical shifts
A year on and geopolitical risk keeps its spot as the second most problematic risk for CROs; 42% of respondents ranked it in their top 3, and terms like “balance of power”, “nationalism”, “populism”, “Brexit” and “Trade wars” appeared across many answers.
The Trump administration maintains its focus on penalizing the partners it perceives as taking advantage of their relationship, and markets do not appear to know how to respond to this posturing. You could be forgiven for thinking that the collapse of the global trade order was imminent one day, or that thinking so was beyond the pale. CROs should focus on real implications as they come in to best handle these ever-shifting issues.
Beyond that, there are increasing concerns about how institutions will respond to sustained economic growth, changing demographics, a tight labour market, and increasing economic and social populism. In any case, most CROs will be increasingly skittish as recent market turbulence unsettles investors and could be seen to herald a coming recession.
3 FinTechs and business transformation
FinTech and business transformation marks a new risk to break into the three, toppling regulation as the top risk on the CRO agenda, with just over a third of CROs backing this.
Regarding what’s at stake, one respondent put it, “disruption and increased competition. Survival of the banking model as we know it,” while another described what was needed as a, “radical transformation in traditional bank models due to technology, regulation and expanded customer options”.
Indeed, with FinTechs entering the fray, many traditional banking products and practices are under threat. Many banks are finding customers desire an “unbundled” product offering and with this are choosing single service providers to match this – long gone are the days a bank is considered your one-stop-shop for a checking account, savings, mortgage, insurance and credit card. Banks are also struggling to differentiate themselves as consumers increasingly compare products online (perhaps even through third party comparison sites), and choose products and services with little thought or care to which brand delivers. Disintermediation is an additional concern, as banks lose access to customers switching to non-banking channels.
More often than not though, it isn’t the smaller scale start-ups who make waves and give banks a pause for thought (though many successful challenger and digital only new banks are doing just that) – it’s the large tech enterprises looking to wade into the financial services sector.
One article states that tech giant Amazon has its sights set on checking accounts, small business credit cards and mortgages, on top of the small loans it has already been offering since 2011. If a significant number of customers were to be swayed across (and research is suggestion last swaths of young customers are looking for alternatives to traditional banks), these are the sorts of products which would eat into a bank’s revenues. One way to tackle this risk is to join forces with the tech companies, offering the services, know-how and regulatory approval which the new entrants lack – but not all banks will be in a position to do this, or want to.
So, will CROs see FinTechs as friends or foes? Competition or potential new partners? And how will banks adapt to changing customer expectations, new technologies and shifting demographics? It’s a question many CROs a mulling over in the last quarter of 2018.
The final results
Where did other key risks like conduct and culture, credit and market fall? Below shows the range of risks identified, and how popular they were across our global CRO survey.