As technology becomes more pervasive across Financial Services, so do the associated risks; failing to manage these risks creates front page news, as well as an unwelcome and often material financial, customer and reputational impact. Regulators are responding accordingly, with many EMEA regulators paying particular attention to the risks associated with technology. For example, FINMA issued a draft of their revised circular 2008/21 on operational risk management in March 2016 with revised guidelines for managing IT risk.
In our recent EMEA IT Risk Management survey for Financial Services, "Foundations in a technology driven world", we asked IT risk professionals across EMEA to comment on the key risks, issues and challenges they face in managing IT risk in the financial services industry. This publication provides our thoughts on how these challenges can be overcome, and the challenges that might be lurking around the corner. We identified 5 key risk areas that peers across the Financial Services industry are facing today:
1. Managing technology risk strategically
Unsurprisingly, our respondents recognised that executive attention on IT risk management is ever increasing. Compliance with new and existing regulation was a clear leader in terms of focus with over 85% indicating it was one of the top two priorities for their executive. Many organisations still do not feel fully equipped to respond to the regulatory challenge, especially those with a global and multi-product footprint.
2. Getting the IT risk operating model right
With the Business, IT and operational risk functions all in the process of re-evaluating their own operating models, the IT risk function itself has had to adjust too. Our survey indicates that many organisations are struggling with the same fundamental questions: how to position the IT risk function as a ‘value creator’ rather than a cost centre, and how to enhance the three lines of defence model to better serve key stakeholders.
3. Keeping up with the evolving risk landscape
Emerging risks around change execution and operational resilience have joined cybercrime, data security, and third party management as being the most pressing IT risks identified by our respondents. In many ways though, risk identification is just the tip of the iceberg – IT risk is often the risk that the typical Board member may be the least well equipped or informed to understand and oversee. For example, there may be a relatively narrow view of IT risk taken by the Board (e.g. cyber, system availability), rather than a holistic appreciation of other IT risk areas such as change management, risks posed by automation, and underpinning factors such as execution risk.
4. Staying in control – the divergence between risk exposure and risk appetite
Our survey indicates a gap between business risk exposure - which is growing due to the increased strategic and operational dependence on IT - and business risk appetite, which is not increasing at the same pace. The significant increase in risk exposure demonstrates how critical effective IT risk management is to an organisation. Respondents also identified with a common challenge around accurately measuring business risk appetite.
5. The talent conundrum
With the rapid pace of change across Financial Services, having individuals with the right blend of IT, risk and business experience is often the key to being able to respond to the evolving needs of the business. As IT risk functions compete to attract the best talent, those without a focused Talent strategy are struggling to keep up, often acting as "risk administration" functions rather than true "risk management" functions.
Our survey findings indicate an underinvestment in people, processes and supporting systems across the Financial Services industry, coupled with an ever increasing reliance on technology to achieve business strategy and exposure to increasingly complex risks, such as cybercrime. This creates an extremely challenging environment in which to manage IT risks efficiently, effectively and in a way that adds value to the business, illustrating that the strategic importance of managing technology has never been higher. The consequences of getting it wrong severely impact an organisation’s reputation, customer confidence and loyalty, thus driving IT risk management firmly up the board agenda.