surviving and thriving in banking through 10 major risks ......systemic cyber threat likelihood of...

Surviving and thriving in Banking through 10 major risks over the next decade

Tenth annual EY/IIF global bank risk

management survey

2 | Global bank risk management survey

History shows that there are two things we can be sure of when it comes to financial crises: there will be another one, and the next one won’t be the same as the last.

1. Weathering the likely financial downturn


1%Rampant inflation

Downturn threats and bank adaptability

Most significant threats

78%Trade wars

58%Asset valuation bubble 55%

Major country turmoilaffecting global economy

27%Sovereign debt crisis

14%Financial infrastructure failure(s)

12%Deflation

21%Energy price shocks

17%Financial institution failure(s)

14%Economic model

Top indicators used by CROs to identify potential material economic downturn

42%Inversion of yield risk

20%Sharply rising interest rates

27%Decrease in consumer confidence*

4%Deflation

36%Sharply rising unemployment

22%Decrease in business confidence*

8%Rising inventory

8%Rising inflation

20%Surveys of economists

*From periodic surveys

58%Slowing real GDP growth

21%Decrease in manufacturing production

Economic indicators Sentiment surveys and models


2. Operating in an ever-expanding ecosystem


Risks associated with the extended ecosystem


3. Protecting privacy to maintain trust

As a bank, we sell trust to our clients. If we are not able to protect their personal data, that means that trust is going away.


39%

16%14%

8%

7%

9%

4%3%

Managing privacy risks

Risk incorporation and management accountability

Incorporation of privacy risk into risk framework

11%

5%

55%

28%Fully integrated

Not part of framework, but in process of incorporating

In process of enhancing its integration further

Not part of risk framework, no plans to integrate

Other

CRO

Chief data officer

Chief privacy officer

Compliance

No executive designated

Chief information officer

Primary owner

53%Consider privacy risk a top emerging risk in the next five years

23%Consider privacy a top-five risk in the next 12 months

Legal

Most concerning privacy risks: degree of concern

Large-scale data breach

1% 3% 12% 38%

Third party creates material privacy risk event

2% 6% 15% 33%

Being noncompliant with laws and regulations

1% 15% 24% 33% 27%

Meeting legal or regulatory requirements for breach reporting

5% 16% 30% 23% 26%

Conflicting privacy laws across jurisdictions

3% 26% 23% 35% 13%

Fragmentation of privacy laws across jurisdictions

3% 23% 29% 31% 14%

Meeting customer demands to delete their data

4% 22% 32% 28% 14%

Not concerned Highly concerned

46%

43%


4. Fighting a cyber war in banks and across the system

IT is not about if, it is about when and what…


23%

18%

12%

Cyber risks remain a major concern

Not sure

2%

2%

Veryunlikely

Somewhatunlikely

Somewhat likely

Verylikely

16% 51% 29%

Own systems/data compromised

68%

Severe attack on major technology

provider9%

Severe attack on systemically important

institution*8%

Critical vendor compromised

6%

Severe attack on critical infrastructure

5%

Severe attack on critical

central bank capability

4%

Systemic cyber threat

Likelihood of severe industry-wide attack in the next five years

18%

13%

Data destruction

Data integrity

Loss or disclosure

67%

33%

11%

Customer data loss

Loss of confidence in banking system or bank

Proprietary data loss

Threats and vulnerabilities

Critical third party attacked

Inability to …

53%

33%

15%

Recover operations after attack

Give customers access to services

Access core IT systems

*Including financial market utility

Top CRO and board risk for the last three years

77%Top CRO risk in the next 12 months

72%Top board risk in next the 12 months

Manipulation of data

Security risks associated with cloud

Top cybersecurity risks

Insider threat


5. Navigating the inevitable industry transition to cloud

The benefits of Cloud are irresistibly interesting…


Cloud concerns and risk management

Concerns of industry-wide cloud adoption

30%

53%

43%

43%

55%

57%

33%

60%

61%

59%

74%

87%

33%

36%

47%

48%

57%

61%

62%

62%

63%

63%

77%

92%

Concern to regulators* Concern to CROs

Security of customer data

Security of bank data

Customer data integrity or destruction

Bank data integrity or destruction

Compliance or legal risk

Reputational risk

Concentration of cloud providers

Impact on operational resilience

Cloud provider exit strategy

Limited knowledge of third-party dependence on cloud

Geographic location of data or servers

Insufficient second-linerisk management involvement

*CROs’ views of regulators’ concerns


6. Industrializing data analytics and automation across the business in a controlled manner

From driving operations … to driving decisions


Addressing concerns about ML and AI

Concerns on scaling ML and AI Ways to address public and political concerns about AI

64%

59%

54%

47%

39%

28%

21%

20%

Need to enhance risk and control framework to capture risks

Scarcity of qualified talent

Lack of long-term historical performance history of models under different market conditions

Lack of consistent ML and AI adoption strategy

Uncertainty regarding regulatory expectations

Lack of board and senior management understanding of risks

Inability to identify model use across bank

Inability to articulate business case

49%

46%

43%

38%

37%

35%

29%

Carefully monitoring and fine tuning AI-based decision-making

Avoiding biases adversely affecting AI-based decisions

Being transparent in use of customer data to create AI

Properly training employees on AI limitations

Monitoring or adapting to public and regulatory concerns

Being willing to explain AI-based decisions

Being transparent with customers when AI is being used


7. Operational Resilience

From Financial Resilience to Operational Resilience


9%

16%

25%32%

39%

34%

64%56%

64%60%

41%

67%

Resilience risks and organization

Top resiliency risk concerns Functions being integrated to manage resiliency risks

*Business units

**Recovery and resolution planning

***Including simulations and table-top exercises

****For example, Sheltered Harbor in the US or industry-wide cyber simulations

Cyber risks Data access and availability Prolonged IT outage

IT obsolescence and legacy systems

Critical third-party outage

Financialresilience*

Critical data destroyed Prolonged outage of systemic player

Dependence on cloud service

Disaster recovery

Single function

68%

66% Business continuity planning across BUs*

61% Crisis management

58%Crisis communication

58%

Technology incident response

52%RRP activities**

Testing***

Industry initiatives****

70%

Cyber-incident response (IR)

*For example, liquidity, capital and collateral

80%

94%

2018 2019

39%

59%32%

42%

27%

40%


8. Effects of fast-shifting geopolitics on banks and their customers

Rising geopolitical and geo-economic tensions represent the “most urgent global risks at present”, World Economic Forum’s Global Risks Report 2019.


36%Rise of populism

Impact of geopolitical risks

Top major risks Impact over next decade

47%Escalating cyber warfare

47%China and US relationship

42%Changes to global trading environment

22%Changing US role

26%EU instability

23%Elongated Brexit fallout

18%Emerging-market volatility

12%Middle East instability

11%China’s rising global influence

3%Russia’s changing role

External stakeholders

78%

74%

41%

25%

23%

Market impact

Overall negative impact on demand

Unexpected market volatility

Corporate clients’ financing needs

Consumer sentiment or demand

Unexpected foreign exchange volatility

10%Push to account for climate change

Much less significant

3%

3%

Somewhat less significant

Same as today

Somewhat more

significant

Much more significant

14% 58% 22%

32%

10%

10%

Corporate clients’ supply chains

Bank’s third parties’ operations or finances

Bank’s counterparties’ financial strength


9. Meeting emerging customer demands for customized, aggregated lifetime offerings


26%

24%

33%

29%

28%

25%

23%

44%

20%

16%

Pricing for investments

Risk to customers

Performance of bundled offering over lifetime

Aggregating risks across tailored offerings

Overall risk in offering

Compliance risks

Product-related risks

Manage instability introduced to risk management*

Price offering

Adapt risk governance

Transparency

Measurement and evaluation

Ability to

Challenges in meeting new consumer needs

Most significant challenges Potentially required changes to risk management capabilities

*For example, risk management frameworks, models and approaches

62%

60%

59%

55%

48%

40%

39%

31%

New or more advanced data and technology capabilities

More integrated risk platforms to accelerate decision-making

Revised new-product approval process

More sophisticated risk modeling to capture cross product and business risks

More sophisticated risk modeling to evaluate customer lifetime value

Revised risk governance to provide real-time risk monitoring

Revised talent and training model

Revised risk framework to align with life-event-based customer value propositions


10. Addressing the impact of Climate Change

“This is one of the defining risks of our career to manage”


Scenarios and financial analysis

62% of banks have conducted climate change risk impact analysis

Climate change risk analysis and impact

*Over the business planning cycle

43%

32%

26%

22%

21%

12%

9%

Identify material risks on ongoing basis

Assess impact on expected credit losses

Quantify potential capital impact

Balance sheet sensitivity to changes in risk drivers/external conditions

Assessment of short-term* exposures and quantified financial risks

Long-term quantitative assessment of impact on business model

Assessment impact on loan pricing

Top most likely potential impacts

We have or are developing anapproach to

We have conducted a(n)

46%Financial needs of certain corporate sectors

30%Commercial opportunities in energy

53%Higher default or credit risk in certain corporate sectors

23%Own environmental impact

19%Residential real estate or mortgage portfolio 11%

Commercial real estate portfolio

10%Impact on

critical third parties

20%Business continuity plans

8%Catastrophic or other

insurance policies

5%Repricing of securities and derivatives

2%Repricing of sovereign

debt

Products, customers and assets

Bank’s operations

3%Own real estate portfolio(e.g., branches)

52%Consider environmental risk and climate change as key emerging risks for the next five years

surviving and thriving in banking through 10 major risks ......systemic cyber threat likelihood of...

Documents