Ahead of RiskMinds Americas in Boston this September, we polled our leading CROs and asked them, what are the emerging local and global risks that every bank should have on their risk radar? Here, we reveal their answers.
What risks are the CROs keeping their eye on?
Every CRO we surveyed cited cyber security as a risk they were keeping front and center over the rest of 2018 and beyond. Cyber threats have been a recurring theme in our CRO polls, consistently ranking in the top three risks, and it isn't hard to see why. Estimations vary, but banks are now dealing with and responding to hundreds of thousands of security alerts and cyber threats a day, and so far the total cost for cyber crime globally has added up to over 100 billion dollars.
Both money and data are lucrative commodities for cyber criminals, and with the explosion of IoT and connected devices the potential for attacks will only increase. As demographics shift and more and more of a bank's client base expects swift and effective digital offerings, banking technology will become every more critical to remain competitive, however consumers will not want a trade-off between efficiency and increased risk.
Many boards are now considering how to best manage cyber risk, with some debate around appointing a Chief Cyber Officer to oversee new strategies, or assigning more responsibility for cyber to the CFO or CRO. Appointing a Chief Information Security Officer (CISO) has grown in popularity, though opinions differ on whether the CISO should report to the CEO or some other executive. Whatever banks decide, it is clear that they will not be able to work in a silo, and that cyber security measures must be implemented across departments.
Concerns around the risk culture in banking are not new, however there does appear to be a renewed interest and focus on this, with over half of our CROs responded with conduct risk as a key area.
Risk managers are taking time to define what their desired risk culture looks like and what steps they can take to promote and maintain this at all levels of the organisation. The focus is shifting from solely a "tone from the top" attitude towards an inclusive embedding of values and daily behaviours at all levels.
In a recent EY publication the idea that, "while progress has been made by many financial institutions, embedding risk culture throughout the institution will remain a key challenge for many years to come — cultural change does not happen overnight." Many risk managers surveyed seem to acknowledge the slow and consistent steps needed to address this risk and will continue to embed this throughout 2018.
From the impact of recent elections and rising attitudes of global protectionism to climate change and reputational risk from mis-managed social media interactions, many CROs we polled were also keeping macro trends on their radar.
Concerns included how the U.S.'s belligerent trade rhetoric will continue to unsettle markets and contribute to volatility. Telltale signs like billions of pounds of U.S. meat meant for export laying in storage and U.S. imports reaching new highs as companies fear all-out trade war, indicate that current volatility portends greater uncertainty. U.S. President Donald Trump has thus far been emboldened in his promise of a strengthened U.S. economy, but as business leaders continue to speak out and the potential effects of trade war begin to hit home, many risk managers are watching for conciliatory shifts as the U.S. Republican party eyes the upcoming November mid-term elections.
Immigration debates also look to impact firm strategy around developing technological capabilities. Firms that have long looked to import high-skilled workers for in-house technology development may find that potential avenues for bringing talent on through immigration programs will close. In this environment, banks may decide to grow their technology offerings through acquisitions, with the potential for substantial integration risks due to systems agglomeration.
Compete or collaborate? It's an important question facing banks when it comes to their relationship with emerging FinTech start-ups, and remains high on the priority list for CROs globally. Whilst some banks are playing catch up to develop new apps and capability to rival FinTechs. almost daily new entrants to the market offer potential partnerships to the larger financial incumbents.
Increased collaboration can go hand-in-hand with increased third party risk, and pairing legacy systems with new technology can often lead to cyber security gaps and vulnerability too. Since the introduction of GDPR this May, data protection when working with FinTechs is also giving risk managers a headache, and for some may prove more hassle than it is worth.
However, many will have learned from the recent TSB digital banking fiasco though, that it is not necessarily easier to bring FinTech strategies in-house. As the company attempted to move accounts from one legacy system to their new in-house host server, a catastrophic IT glitch resulted in some series reputational and financial damage to the bank.
The interest from large tech companies like Amazon and Google into providing financial services is also giving risk managers some food for thought. With large and loyal customer pools and huge amounts of data at their disposal, tech firms could prove a very tough adversary should they make a move into the FinTech and banking space.