A moving target: Refocusing risk and resilience amid continuing uncertainty
The impact of COVID-19 on financial institutions, the economic downturn, and changes to working practices have had broad implications for risk management. How has risk management already responded and what are the implications for strategically restructuring risk functions?
In 2020, risk management at financial institutions faced challenges of a scale and scope not seen before as the world responded to the global health crisis caused by COVID-19. The measures taken by governments, businesses, and consumers to restrain the spread of the novel coronavirus triggered a sharp economic downturn, with far-reaching social impacts.
COVID-19 has also had direct financial impacts on financial institutions. The economic contraction significantly increased credit risk from both retail and commercial customers, and many institutions responded by tightening credit standards. In addition, there may be greater potential for fraud, such as from misuse of customer data, invoicing for work not completed, or collusion with disreputable third parties.
Deloitte’s 12th edition of the Global risk management survey1 was conducted from March to September 2020 during unprecedented times globally. When asked about the most important trends for their institutions over the next two years, respondents included global financial crisis (48%) and global pandemics (42%).
The pressure on revenues is likely to intensify the drive at many institutions to reduce spiralling expenditures on risk management. Several key risk management trends emerge from the survey results:
Increasing credit risk: Concerns over credit risk typically peak during economic contractions and, as expected, 20% of respondents named credit risk as the most important risk type for their institutions over the next two years, and 62% said that credit risk measurement will be an extremely or very high priority for their institutions.
Greater focus on non-financial risks: While almost all respondents rated their institutions as extremely or very effective at managing financial risks, the figure dropped to 65% for non-financial risk overall and was even lower for specific types and aspects of non-financial risk. Many institutions have work to do to enhance their capabilities in this area.
Continuing concerns over cybersecurity: Institutions have faced cyberattacks for a number of years, but the threat has grown with many employees working at home. Only 61% of respondents considered their institutions to be extremely or very effective at managing cybersecurity risk, and 87% said that improving their ability to manage cybersecurity risk will be an extremely or very high priority over the next two years.
Addressing risk from third parties: Third-party relationships present a distinctive set of risks, including data privacy, non-performance, unethical conduct, and the loss of business continuity. Yet, only 44% of respondents rated their institutions as extremely or very effective in managing third-party risk.
Spotlight on environmental, social, and governance (ESG) risk: With growing concern over climate risk and increasing attention on the social responsibility of business, 47% of respondents said it will be an extremely or very high priority for their institutions to improve their ability to manage ESG, including climate risk.
The potential of digital risk management: There has been increasing recognition of the potential of digital technologies to reduce risk management expenditures while simultaneously boosting effectiveness. Yet, despite their expected benefits, most institutions have not yet implemented these technologies.
Substantial challenges of risk data management: Leveraging emerging technologies requires comprehensive, high-quality, and timely risk data. But many institutions continue to face challenges in obtaining this data, especially for non-financial risks. In this regard, most respondents said their institutions found two issues to be extremely or very challenging: maintaining reliable data to quantify non-financial risk and drive risk-based decisions, and the ability to leverage and source alternative data such as unstructured data.
Clarifying the three lines of defence model: All the institutions surveyed reported using the three lines of defence risk governance model, but many reported significant challenges. The challenges cited most often concerned the responsibilities and capabilities of the first line (business and functions).
Greater focus on stress testing: a majority of respondents reported that their institutions employed stress tests for capital and for financial risks such as liquidity, market, and credit. However, regulators are now expanding stress tests to include non-financial risks, such as climate, but only 38% of institutions reported conducting stress tests for non-financial/operations risk.
Continued progress on risk governance: At the level of the board of directors, 72% of respondents said that one or more board committees is responsible for risk oversight, which is a sign of progress in effective governance. Eighty-seven percent of institutions reported that their board risk committees have independent directors, and 82% said these committees have one or more identified risk management experts.
Universal adoption of the chief risk officer (CRO) position: The percentage of institutions with a CRO position or equivalent has increased over the course of Deloitte’s global risk management surveys, and all the institutions participating in the current survey reported having this position. However, the CRO is not always given appropriate authority to effect change.
Conclusion
These overall trends are in line with priorities of Chief Risk and Compliance Officers of Swiss Financial Institutions. In one of our latest events focussed on the Swiss CRO community the concerns over the worsening quality of the credit books emerged as the number 1 on the financial risk side (during the first wave of COVID this was only the number 4 topic). Regarding non-financial risks (NFR) – priorities changed in the way that regulatory risks became a much higher priority:
- Cyber Risk (unchanged to COVID wave 1)
- Operational Risk (unchanged to COVID wave 1)
- Regulatory Risk (number 7 in COVID wave 1)
- Third Party Risk (number 3 in COVID wave 1)
- External Fraud (number 4 COVID in wave 1)
Risk management functions will need the flexibility to respond quickly to volatile economic conditions and changing work practices, while continually monitoring which changes are temporary responses to the pandemic and which are destined to become permanent.
1Deloitte’s Global risk management survey (12th edition) is the latest in an ongoing survey series that assesses the industry’s risk management practices and the challenges it faces. The survey was completed by 57 financial institutions around the world.
Key contact
- Previous The ever-evolving role of an Automatic Exchange of Information (AEOI) responsible person - Join our live training on 3 March at 16.00 CET
- Next Strategic trends and implications for bank operating models