A majority of banks and other financial institutions surveyed are not confident about their firms’ effectiveness in managing cybersecurity and geopolitics, two of the biggest risks facing global businesses of all shapes and sizes, according to Deloitte Global’s tenth survey of financial services risk managers.
How well-developed is each of the following operational risk management methodologies at your organization?
This comes as there is talk around deregulation in the United States, banks being challenged to hold overall costs down, major cybersecurity breaches and a shift to using new technology tools like robotic process automation (RPA) to improve quality and efficiency by automating routine tasks. Consequently, Deloitte Global predicts that 2017 may be an inflection point for financial institutions’ risk management efforts.
“Risk management is becoming even more important today, as financial institutions confront a variety of trends that have introduced greater uncertainty into the future direction of the business and regulatory environment,” said Edward Hida, Deloitte Global Risk & Capital Management Leader. “Risk management programs will need to not only become more effective and efficient, but also acquire the agility to respond flexibly and nimbly to the next set of demands. This is where I believe the next era of risk management will need to evolve to.”
According to the survey, 80 percent or higher of those surveyed rated their institution as extremely or very effective in managing traditional risks like liquidity, underwriting/reserving, credit and investment risk.
In contrast, when it came to newer risk types – which often present more challenges – respondents considered their institution to be less effective in areas like cybersecurity (42 percent), model (40 percent), third party (37 percent), data integrity (32 percent), and geopolitical risks (28 percent).
In the geopolitical risk area, this percentage dropped roughly by half from Deloitte Global’s previous survey in 2014, indicating that this issue has rocketed up risk managers’ radar.
Increasing investment in risk management
While the financial services industry is under pressure to reduce costs as a whole, 44 percent of respondents expected their institution’s annual spending on risk management to increase by 10 percent or more over the next two years, including 13 percent who expected an increase of more than 25 percent. These figures are an increase from 2014’s survey, when 37 percent of respondents expected an increase of 10 percent or more and 9 percent expected an increase of 25 percent or more.
“I suspect that part of these budgets are being redirected to invest in new, emerging technologies,” said Hida. “Along with technologies like RPA, an emerging trend is for institutions to leverage technologies like cognitive and advanced analytics techniques to identify behavior patterns and predictive analytics to identify emerging risks.”
Additionally, given the pace of regulatory change, 52 percent of respondents were extremely or very concerned about the ability for risk technology to adapt to changing regulatory requirements.
For your organization, how challenging is each of the following in managing cybersecurity risk?
Among other survey findings:
Geopolitical risk: Risk managers were asked about how proposals in some countries to renegotiate trade agreements (which can be an influencer to that country’s economic prospects) were likely to impact the risks facing their institutions. Respondents were divided, with 48 percent expecting that the risks facing their institution would increase, while 49 percent thought these proposals would have no impact. Executives in Europe were most likely to expect increased risk: 68 percent expected that risks would increase, including 16 percent who thought they would increase significantly.
Biggest issues in stress tests: A number of qualitative issues in capital stress testing were rated as being extremely or very challenging, including capital stress-testing IT platforms (66 percent) and data quality and management for capital stress-testing calculations (52 percent).
Battle for risk management talent: 70 percent of respondents said attracting and retaining risk management professionals with required skills would be an extremely or very high priority for their institution over the next two years, while 54 percent said the same about attracting and retaining business unit professionals with required risk management skills. Since cybersecurity is a growing concern across all industries, the competition is especially intense for professionals with expertise in this area.
Time for IT systems modernization?: Roughly half of respondents were either extremely or very concerned about several issues related to IT systems including legacy systems and antiquated architecture or end-of-life systems (51 percent), inability to respond to time sensitive and ad-hoc requests (49 percent), lack of flexibility to extend the current systems (48 percent), and lack of integration among systems (44 percent).
Culture challenges remain: While regulators around the world have recently placed greater focus on the important role that culture plays in effective risk management, work remains to be done on this front. According to those surveyed, board oversight activities at many financial institutions did not include helping establish and embed the risk culture of the enterprise (67 percent) or review incentive compensation plans to consider alignment of risks with rewards (55 percent).
Credit risk gets harder to gauge: With relatively weak economic conditions in many markets around the world, managing credit risk is a significant challenge for financial institutions. When asked how challenging it would be to manage credit risk over the next two years, the areas most often considered to be extremely or very challenging were collateral valuation (38 percent), commercial real estate (33 percent), unsecured credit (33 percent), and mortgages/home equity lines of credit (30 percent).
Even if the recent breakneck pace of new regulatory requirements does not continue, financial institutions will be well advised to not scale back their risk management programs.
“Whether regulatory change will slow is far from certain,” cautioned Bob Contri, Deloitte Global Financial Services Industry Leader.
“Many institutions have also found that the new regulatory requirements have created a new normal and a new set of industry expectations. Many will not want to change from this norm,” said Contri. “The higher capital requirements that have been put in place, for example, have had important implications for the lines of business that institutions choose to enter or exit in an effort to minimize their required capital.”