EY / IIF survey finds 72% of global Chief Risk Officers (CROs) view cybersecurity as the top year-ahead risk, followed by credit and environment risks
62% of European banking CROs regard geopolitical risk as a top risk management issue relative to 28% globally
The impact of the war in Ukraine is the top geopolitical risk for 54% European banking CROs
Global banking CROs see climate risk, change through digitization and data integrity as the top emerging risk priorities for regulators over the next five years
European banks are leading the way in conducting climate risk-related scenario analysis and/or stress testing, and 62% of European banks incorporate these activities into their firm’s risk management activities, relative to 36% globally
Amid unprecedented levels of global volatility and uncertainty, cybersecurity has risen to the top of the list of near-term risks for banks around the world, according to the latest EY and Institute of International Finance (IIF) bank risk management survey.
The 12th edition of this joint report is based on survey data from 88 banks across 30 countries and highlights the issues chief risk officers (CROs) view as the most pressing for their organizations now and in the future.
Today’s CROs face increased complexity caused by overlapping and correlated risks, nearly all of which seem to be increasing in urgency. In the short term, three out of four CROs identified cybersecurity risk as their top concern over the next 12 months (72%), edging out credit risk (59%).
Jan Bellens, EY Global Banking & Capital Markets Sector Leader , said:
“CROs are no longer juggling a tiered waterfall of risk, but a torrent of interwoven complexities that have rapidly evolved in a matter of months. The role of the CRO is in the spotlight; and, with geopolitical risk underpinning everything else on their agenda, they will need to find new and innovative ways to address competing demands. It is arguably one of the hardest jobs in the banking c-suite, facing new and hidden risks – particularly from increasingly sophisticated cyber-attacks, that will put increasing pressure on an already volatile environment.”
Credit and geopolitical risks are acute for European CROs
Credit risk overwhelmingly dominated global CROs’ attention (98%) in last year’s survey, but this year the worries are most pronounced among European CROs. Sixty-nine per cent of European banking CROs view credit risk as the top risk-management issue relative to 59% globally. In addition, more than three quarters (77%) of European CROs view it as a risk that requires the attention of the board of directors, relative to 45% globally.
Over the past year, rising geopolitical risk has added uncertainty to an already turbulent economic recovery, and has recorded the biggest rise year-on-year relative to the previous survey. The impact of the war in Ukraine from February 2022 has played out most strongly in the risk agenda of Europe’s banking CROs, with 62% of expecting geopolitical factors to demand greater levels of their attention over the coming year, relative to 28% globally.
Omar Ali, EY EMEIA Area Managing Partner Financial Services, said:
“European banking CROs, board members and regulators are facing into a very different outlook relative to just 12 months ago, so it’s no surprise that risk agendas have moved markedly. While climate risk remains a priority area, war in Ukraine has precipitated a period of elevated market volatility and systemic inflation that continues to challenge Europe’s financial stability and confidence, and European CROs have understandably sharpened their focus on credit and geopolitical risk as a result.”
Market volatility from geopolitical risk is major concern
Geopolitical risks play out differently by region, with almost three quarters (70%) of North American CROs concerned about cyber warfare between nation states — substantially more than their peers in Europe (46%). For CROs in the Asia-Pacific region, more than three quarters (78%) are focused on China’s changing global role, and more than two thirds (67%) say they are most worried about ongoing changes within the global trade environment. Despite the regional differences, 59% of CROs agreed that market volatility from geopolitical risk would have ‘major or moderate-to-high’ impact on exposure to market risk.
Mitigating and understanding risk exposures
According to the survey, CROs are not confident in their ability to defend against cyberattacks, with 58% citing their organisation’s inability to manage cybersecurity risks as their top strategic threat over the next three years. The number of CROs concerned about increased cyber-attacks manifesting from geopolitical risk jumped from 39% last year to 61% this year.
On climate risk, which topped the list of emerging concerns for CROs last year, 51% of organizations stated they only had a basic understanding of their climate risk exposure. The survey also highlights that only 37% of CROs see environmental risk as a top-five issue that will demand CRO attention during the next three years, a drop from 49% in last year’s research. European banks are leading the way in their understanding of both climate-change physical risks and transition risks, and 69% of European banks report either a complete or somewhat complete understanding, versus 39% globally.
Nearly three quarters (71%) of global CROs expect climate risk to be the most important concern for regulators over the next five years, far ahead of digitization (37%), data integrity (36%) and geopolitical risk (35%). Notably, a majority of CROs surveyed say they will prioritize risk from new technologies and digitization to a greater extent than regulators, who they expect to focus on data privacy and security.
Andrés Portilla, Managing Director, Regulatory Affairs at the IIF, said:
“It’s clear that there’s an interconnectedness between the top risks identified by CROs this year – cybersecurity, geopolitical, and credit –and their underpinning networks. Ongoing economic volatility has only fueled the concern that CROs will be navigating an increasingly complex risk landscape over the next 12 months.”
Additional notable findings from the survey include:
Cyber controls are the top priority for boosting operational resilience (65%), followed by technology capacity (33%) and third-party dependencies (30%). Given the expanding need for more robust controls, 85% of respondents noted they expect the cost of controls to go up in the next three years.
Given the recent challenges faced by some large crypto exchanges, CROs are operating a more conservative model on digital assets. Nearly half (49%) of banks surveyed said they are still defining their digital asset strategies.
CROs are also very concerned about talent and culture risks, with 57% of them noting that talent is one of the most significant long-term risks facing the banking industry.
In order to attract and retain the talent to build a high performing risk management function and meet the changing needs of the risk management function, the vast majority of CROs (94%) say they need some or many new skills and resources.
For more information, read the full report.