The impact of COVID-19 on financial institutions, the economic downturn, and changes to working practices have had broad implications for risk management. How has risk management responded and where does it go from here?
In 2020, risk management at financial institutions faced challenges of a scale and scope not seen before as the world responded to a global health crisis caused by COVID-19. The measures taken by governments, businesses and consumers to restrain the spread of the novel coronavirus triggered a sharp economic downturn and far-reaching social impacts.
COVID-19 has also had direct financial impacts on financial institutions. The economic contraction significantly increased credit risk from both retail and commercial customers, and many institutions responded by tightening credit standards. In addition, there may be greater potential for fraud such as from misuse of customer data, invoicing for work not completed, or collusion with disreputable third parties.
Deloitte’s 12th edition of the Global risk management survey was conducted from March through September 2020 during unprecedented times globally. When asked about the most important trends for their institutions over the next two years, the issues respondents named included global financial crisis (48%) and global pandemics (42%).
Deloitte’s Global risk management survey, 12th edition is the latest in an ongoing survey series that assesses the industry’s risk management practices and the challenges it faces. The survey was conducted from March to September 2020 and was completed by 57 financial institutions around the world.
The pressure on revenues is likely to intensify the drive at many institutions to reduce ever-increasing expenditures on risk management. Several key risk management trends emerge from the survey results:
Increasing credit risk. Concerns over credit risk typically peak during economic contractions and, as expected, 20% of respondents named credit risk as the most important risk type for their institutions over the next two years, and 62% said that credit risk measurement will be an extremely or very high priority for their institutions.
Greater focus on nonfinancial risks. While almost all respondents rated their institutions as extremely or very effective at managing financial risks, the figure dropped to 65% for non-financial risk overall and was even lower for specific types and aspects of non-financial risk. Many institutions have work to do to enhance their capabilities in this area.
Continuing concerns over cybersecurity. Institutions have faced cyberattacks for a number of years, but the threat has only grown with many employees working at home. Only 61% of respondents considered their institutions to be extremely or very effective at managing cybersecurity risk, and 87% said that improving their ability to manage cybersecurity risk will be an extremely or very high priority over the next two years.
Addressing risk from third parties. Third-party relationships present a distinctive set of risks including data privacy, non-performance, unethical conduct and the loss of business continuity. Yet, only 44% of respondents rated their institutions as extremely or very effective in managing third-party risk.
Spotlight on environment, social and governance (ESG) risk. With growing concern over climate risk and increasing attention on the social responsibility of business, 47% of respondents said it will be an extremely or very high priority for their institutions to improve their ability to manage ESG, including climate risk.
The potential of digital risk management. There has been increasing recognition of the potential of digital technologies to reduce risk management expenses while simultaneously boosting effectiveness. Yet, despite their expected benefits, most institutions have not yet implemented these technologies.
Substantial challenges of risk data management. Leveraging emerging technologies requires comprehensive, high-quality and timely risk data. But many institutions continue to face challenges in obtaining this data, especially for non-financial risks. In this regard, most respondents said their institutions found two issues to be extremely or very challenging: maintaining reliable data to quantify non-financial risk and drive risk-based decisions, and the ability to leverage and source alternative data such as unstructured data.
Clarifying the three lines of defense model. All the institutions surveyed reported using the three lines of defense risk governance model, but many reported significant challenges. The challenges cited most often concerned the responsibilities and capabilities of the first line (business and functions).
Greater focus on stress testing. A majority of respondents reported that their institutions employed stress tests for capital and for financial risks such as liquidity, market and credit. However, regulators are now expanding stress tests to include non-financial risks, such as climate, but only 38% of institutions reported conducting stress tests for nonfinancial/operations risk.
Continued progress on risk governance. At the level of the board of directors, 72% of respondents said that one or more board committees is responsible for risk oversight, which is a sign of progress in effective governance. Eighty-seven per cent of institutions reported that their board risk committees have independent directors, and 82% said these committees have one or more identified risk management experts.
Universal adoption of the chief risk officer (CRO) position. The percentage of institutions with a CRO position or equivalent has increased over the course of Deloitte’s global risk management surveys, and all the institutions participating in the current survey reported having this position. However, the CRO is not always given appropriate authority to effect change.
Risk management functions will need the flexibility to respond quickly to volatile economic conditions and changing work practices, while continually monitoring which changes are temporary responses to the pandemic and which are destined to become permanent.
We don’t believe that risk is simply managed—it is confronted. In Advisory, we do not take a defensive crouch. We move forward, defining the unknowns and framing the issues before you encounter them. Whether your challenge is cyber, transactional, regulatory or internal controls, we can help prepare you to preempt the threat, define what’s vital and aggressively secure it. So that you can keep pace, get back to the business at hand—and move on what matters.