surviving and thriving in banking through 10 major risks ......systemic cyber threat likelihood of...
TRANSCRIPT
Surviving and thriving in Banking through 10 major risks over the next decade
Tenth annual EY/IIF global bank risk
management survey
2 | Global bank risk management survey
History shows that there are two things we can be sure of when it comes to financial crises: there will be another one, and the next one won’t be the same as the last.
1. Weathering the likely financial downturn
3 | Global bank risk management survey
1%Rampant inflation
Downturn threats and bank adaptability
Most significant threats
78%Trade wars
58%Asset valuation bubble 55%
Major country turmoilaffecting global economy
27%Sovereign debt crisis
14%Financial infrastructure failure(s)
12%Deflation
21%Energy price shocks
17%Financial institution failure(s)
14%Economic model
Top indicators used by CROs to identify potential material economic downturn
42%Inversion of yield risk
20%Sharply rising interest rates
27%Decrease in consumer confidence*
4%Deflation
36%Sharply rising unemployment
22%Decrease in business confidence*
8%Rising inventory
8%Rising inflation
20%Surveys of economists
*From periodic surveys
58%Slowing real GDP growth
21%Decrease in manufacturing production
Economic indicators Sentiment surveys and models
4 | Global bank risk management survey
2. Operating in an ever-expanding ecosystem
5 | Global bank risk management survey
Risks associated with the extended ecosystem
6 | Global bank risk management survey
3. Protecting privacy to maintain trust
As a bank, we sell trust to our clients. If we are not able to protect their personal data, that means that trust is going away.
7 | Global bank risk management survey
39%
16%14%
8%
7%
9%
4%3%
Managing privacy risks
Risk incorporation and management accountability
Incorporation of privacy risk into risk framework
11%
5%
55%
28%Fully integrated
Not part of framework, but in process of incorporating
In process of enhancing its integration further
Not part of risk framework, no plans to integrate
Other
CRO
Chief data officer
Chief privacy officer
Compliance
No executive designated
Chief information officer
Primary owner
53%Consider privacy risk a top emerging risk in the next five years
23%Consider privacy a top-five risk in the next 12 months
Legal
Most concerning privacy risks: degree of concern
Large-scale data breach
1% 3% 12% 38%
Third party creates material privacy risk event
2% 6% 15% 33%
Being noncompliant with laws and regulations
1% 15% 24% 33% 27%
Meeting legal or regulatory requirements for breach reporting
5% 16% 30% 23% 26%
Conflicting privacy laws across jurisdictions
3% 26% 23% 35% 13%
Fragmentation of privacy laws across jurisdictions
3% 23% 29% 31% 14%
Meeting customer demands to delete their data
4% 22% 32% 28% 14%
Not concerned Highly concerned
46%
43%
8 | Global bank risk management survey
4. Fighting a cyber war in banks and across the system
IT is not about if, it is about when and what…
9 | Global bank risk management survey
23%
18%
12%
Cyber risks remain a major concern
Not sure
2%
2%
Veryunlikely
Somewhatunlikely
Somewhat likely
Verylikely
16% 51% 29%
Own systems/data compromised
68%
Severe attack on major technology
provider9%
Severe attack on systemically important
institution*8%
Critical vendor compromised
6%
Severe attack on critical infrastructure
5%
Severe attack on critical
central bank capability
4%
Systemic cyber threat
Likelihood of severe industry-wide attack in the next five years
18%
13%
Data destruction
Data integrity
Loss or disclosure
67%
33%
11%
Customer data loss
Loss of confidence in banking system or bank
Proprietary data loss
Threats and vulnerabilities
Critical third party attacked
Inability to …
53%
33%
15%
Recover operations after attack
Give customers access to services
Access core IT systems
*Including financial market utility
Top CRO and board risk for the last three years
77%Top CRO risk in the next 12 months
72%Top board risk in next the 12 months
Manipulation of data
Security risks associated with cloud
Top cybersecurity risks
Insider threat
10 | Global bank risk management survey
5. Navigating the inevitable industry transition to cloud
The benefits of Cloud are irresistibly interesting…
11 | Global bank risk management survey
Cloud concerns and risk management
Concerns of industry-wide cloud adoption
30%
53%
43%
43%
55%
57%
33%
60%
61%
59%
74%
87%
33%
36%
47%
48%
57%
61%
62%
62%
63%
63%
77%
92%
Concern to regulators* Concern to CROs
Security of customer data
Security of bank data
Customer data integrity or destruction
Bank data integrity or destruction
Compliance or legal risk
Reputational risk
Concentration of cloud providers
Impact on operational resilience
Cloud provider exit strategy
Limited knowledge of third-party dependence on cloud
Geographic location of data or servers
Insufficient second-linerisk management involvement
*CROs’ views of regulators’ concerns
12 | Global bank risk management survey
6. Industrializing data analytics and automation across the business in a controlled manner
From driving operations … to driving decisions
13 | Global bank risk management survey
Addressing concerns about ML and AI
Concerns on scaling ML and AI Ways to address public and political concerns about AI
64%
59%
54%
47%
39%
28%
21%
20%
Need to enhance risk and control framework to capture risks
Scarcity of qualified talent
Lack of long-term historical performance history of models under different market conditions
Lack of consistent ML and AI adoption strategy
Uncertainty regarding regulatory expectations
Lack of board and senior management understanding of risks
Inability to identify model use across bank
Inability to articulate business case
49%
46%
43%
38%
37%
35%
29%
Carefully monitoring and fine tuning AI-based decision-making
Avoiding biases adversely affecting AI-based decisions
Being transparent in use of customer data to create AI
Properly training employees on AI limitations
Monitoring or adapting to public and regulatory concerns
Being willing to explain AI-based decisions
Being transparent with customers when AI is being used
14 | Global bank risk management survey
7. Operational Resilience
From Financial Resilience to Operational Resilience
15 | Global bank risk management survey
9%
16%
25%32%
39%
34%
64%56%
64%60%
41%
67%
Resilience risks and organization
Top resiliency risk concerns Functions being integrated to manage resiliency risks
*Business units
**Recovery and resolution planning
***Including simulations and table-top exercises
****For example, Sheltered Harbor in the US or industry-wide cyber simulations
Cyber risks Data access and availability Prolonged IT outage
IT obsolescence and legacy systems
Critical third-party outage
Financialresilience*
Critical data destroyed Prolonged outage of systemic player
Dependence on cloud service
Disaster recovery
Single function
68%
66% Business continuity planning across BUs*
61% Crisis management
58%Crisis communication
58%
Technology incident response
52%RRP activities**
Testing***
Industry initiatives****
70%
Cyber-incident response (IR)
*For example, liquidity, capital and collateral
80%
94%
2018 2019
39%
59%32%
42%
27%
40%
16 | Global bank risk management survey
8. Effects of fast-shifting geopolitics on banks and their customers
Rising geopolitical and geo-economic tensions represent the “most urgent global risks at present”, World Economic Forum’s Global Risks Report 2019.
17 | Global bank risk management survey
36%Rise of populism
Impact of geopolitical risks
Top major risks Impact over next decade
47%Escalating cyber warfare
47%China and US relationship
42%Changes to global trading environment
22%Changing US role
26%EU instability
23%Elongated Brexit fallout
18%Emerging-market volatility
12%Middle East instability
11%China’s rising global influence
3%Russia’s changing role
External stakeholders
78%
74%
41%
25%
23%
Market impact
Overall negative impact on demand
Unexpected market volatility
Corporate clients’ financing needs
Consumer sentiment or demand
Unexpected foreign exchange volatility
10%Push to account for climate change
Much less significant
3%
3%
Somewhat less significant
Same as today
Somewhat more
significant
Much more significant
14% 58% 22%
32%
10%
10%
Corporate clients’ supply chains
Bank’s third parties’ operations or finances
Bank’s counterparties’ financial strength
18 | Global bank risk management survey
9. Meeting emerging customer demands for customized, aggregated lifetime offerings
19 | Global bank risk management survey
26%
24%
33%
29%
28%
25%
23%
44%
20%
16%
Pricing for investments
Risk to customers
Performance of bundled offering over lifetime
Aggregating risks across tailored offerings
Overall risk in offering
Compliance risks
Product-related risks
Manage instability introduced to risk management*
Price offering
Adapt risk governance
Transparency
Measurement and evaluation
Ability to
Challenges in meeting new consumer needs
Most significant challenges Potentially required changes to risk management capabilities
*For example, risk management frameworks, models and approaches
62%
60%
59%
55%
48%
40%
39%
31%
New or more advanced data and technology capabilities
More integrated risk platforms to accelerate decision-making
Revised new-product approval process
More sophisticated risk modeling to capture cross product and business risks
More sophisticated risk modeling to evaluate customer lifetime value
Revised risk governance to provide real-time risk monitoring
Revised talent and training model
Revised risk framework to align with life-event-based customer value propositions
20 | Global bank risk management survey
10. Addressing the impact of Climate Change
“This is one of the defining risks of our career to manage”
21 | Global bank risk management survey
Scenarios and financial analysis
62% of banks have conducted climate change risk impact analysis
Climate change risk analysis and impact
*Over the business planning cycle
43%
32%
26%
22%
21%
12%
9%
Identify material risks on ongoing basis
Assess impact on expected credit losses
Quantify potential capital impact
Balance sheet sensitivity to changes in risk drivers/external conditions
Assessment of short-term* exposures and quantified financial risks
Long-term quantitative assessment of impact on business model
Assessment impact on loan pricing
Top most likely potential impacts
We have or are developing anapproach to
We have conducted a(n)
46%Financial needs of certain corporate sectors
30%Commercial opportunities in energy
53%Higher default or credit risk in certain corporate sectors
23%Own environmental impact
19%Residential real estate or mortgage portfolio 11%
Commercial real estate portfolio
10%Impact on
critical third parties
20%Business continuity plans
8%Catastrophic or other
insurance policies
5%Repricing of securities and derivatives
2%Repricing of sovereign
debt
Products, customers and assets
Bank’s operations
3%Own real estate portfolio(e.g., branches)
52%Consider environmental risk and climate change as key emerging risks for the next five years
22 | Global bank risk management survey