Source: EY

Amid unprecedented levels of volatility and global uncertainty, cybersecurity has remained at the top of the list of near-term risks for banks around the world for the second consecutive year, according to the latest EY and Institute of International Finance (IIF) bank risk management survey.

The 13th edition of this joint report is based on survey data from 85 banks across 30 countries and highlights the issues chief risk officers (CROs) and other senior risk executives view as the most pressing for their organizations now, and in the future.

Today’s CROs face increased complexity caused by overlapping and correlated risks, nearly all of which seem to be increasing in urgency. In the short term, nearly three out of four CRO respondents identified cybersecurity risk as their top concern over the next 12 months (73%), in addition to two-thirds (66%) of respondents naming liquidity as the top financial risk for the next year.

Jan Bellens, EY Global Banking & Capital Markets Sector Leader, says:
“Banking CROs need to build numerous competing priorities into their strategic agenda in 2024, while navigating endemic risks in a volatile market. The events of 2023 have illustrated that financial risks are resurgent, so it’s no surprise to see liquidity climbing the ranks during times of macroeconomic uncertainty. Elsewhere, 2024 will be a pivotal year for reskilling and building a pipeline of talent to tackle emerging risks, including the deployment of AI and fragmentation of regulation.”

Reducing and understanding risk exposures
The survey highlights that more than half (56%) of CRO respondents see environmental risk as a top-five issue that will demand CRO attention during the next three years, up from 37% in last year’s survey. Despite climate risk increasing in importance, only 6% have a complete understanding of climate risk exposure, and 49% of CRO respondents report that their organizations stated they only had a preliminary understanding of their exposure to climate risk.

While cybersecurity remains the main concern for CROs, the threats from cyber are constantly morphing with evolving links to geopolitical, technology and third-party risks. The number of CROs concerned about increased cyber attacks manifesting from geopolitical risk rose from 62% last year to 69% this year; this pressure is further compounded by the challenge of attracting cybersecurity talent (62%), and more than half (56%) of CROs stating cybersecurity will be the most important skill set in the next five years.

Additionally, data and technology concerns persist as long-term priorities in the rapidly digitizing banking sector, with more than a third (39%) of CRO respondents highlight industry disruption from new technologies as crucial for risk management in the next five years. Artificial intelligence (AI) and machine learning risks have surged among CROs - up from 13% to 38% since last year. This suggests that wider AI deployments may pose a tangible day-to-day risk in the near future.

Martin Boer, Senior Director, Regulatory Affairs at the IIF, says:
"We’re seeing a paradigm shift where interconnected risks have become endemic to the banking sector - as it has in nearly every industry. This change calls for a holistic, proactive and resilient approach in risk management, adapting to ongoing challenges in cybersecurity, credit and environmental risks amid increasing global uncertainties.”

Geopolitical tensions create uncertainty
Geopolitical risk is evolving. Looking beyond armed conflicts, trade tensions and disrupted supply chains could all hurt the industry. Increased cyber attacks (cited by 69% of CROs), a global economic slowdown (67%) and increased market volatility (65%) were cited as the most likely manifestations of geopolitical risk. Geopolitical risks play out differently by region, with almost three-quarters (73%) of Asia-Pacific CRO respondents concerned about changes to the global trade environment, compared to 59% in Europe and 38% in North America. However, CROs respondents in Asia-Pacific (73%), North America (72%) and Europe (71%) share the concern that cyber warfare between nation states is the principal risk.

Additional notable findings from the survey include:
* In 2015 and 2016, regulatory risk was the top CRO priority, but over the years it fell to the middle of the pack. This year, it re-emerges as a top priority - the second most important for the next 12 months. The events of early 2023 increased CRO expectations for supervisory scrutiny in the US and elsewhere, and only 10% of CRO respondents report that their institutions are fully prepared for Basel III finalization, while 11% have not yet kicked off their implementation efforts.
* Only 35% of CRO respondents are involved as stakeholders in enterprise-wide initiatives regarding adoption of transformative technologies like AI and machine learning. This is a missed opportunity to advise the business and may lead to heightened technology risk in the future.
* CRO respondents are also very concerned about talent and culture risks, with 66% of them noting that talent is one of the most significant long-term risks facing the banking industry - up from 57% last year.
* Liquidity risk was named by two-thirds of CRO respondents (66%) as the top financial risk for the next year, followed by consumer/retail credit risk (56%), wholesale credit risk (52%) and interest rate risk for the banking book (48%).