MULTIFACETED RISKS FACING FINANCIAL SERVICES

Cyber security and controls are poised to comprise a sizeable portion of the risks confronting leaders in the year 2023. Such risks pervade organisations, permeating every aspect of their operations - from their routine, day-to-day activities to their transformation initiatives and dealings with third-party suppliers. Following substantial losses sustained by the cyber risk market in 2020, insurers have responded by implementing stricter underwriting conditions, including higher premiums, reduced capacity, and elevated deductibles, particularly for large firms.

Against the current geopolitical backdrop, it is highly probable that major state-sponsored cyber-attacks will ensue. Given the exorbitant costs associated with direct military conflict and the challenges associated with attributing responsibility for cyber-attacks, it is probable that nations will engage in cyber warfare and retaliatory cyber-attacks targeting software that controls state infrastructure, which may result in infrastructure shutdowns. The implications of such shutdowns - such as the disruption of a national power grid - would have far-reaching consequences, severely impeding business operations.

The World Economic Forum’s Global Security Outlook report revealed that 93% of Cyber leaders and 86% of Business leaders think it is "moderately likely" or "very likely" that geopolitical instability will lead to a far-reaching catastrophic cyber event in the next two years.

[Percentages below are from the Accenture/ World Economic Forum's Cybersecurity Leadership survey, conducted in October 2022, including interviews with 151 cybersecurity and business leaders.]

Most banks are very accustomed to thinking about traditional measures of credit risk. The strong controls that were established in response to the global financial crisis have clearly served banks well and bolstered confidence among boards and senior leaders.

However, if a recession hits, prudent Risk leaders will be looking closely at lending books – scrutinising the effects of a war in Europe, the associated energy crisis and commodity prices, inflation, supply shortages and logistics pressures. There is also latent credit risk developed during COVID-19, where governments forced banks to lend to SMEs and relax their credit standards. Some of this is already showing, with UK company insolvencies in the first half of 2022 at a 13-year high and S&P forecasting that speculative-grade corporate default rates in the U.S. and Europe will double in 2023.

[From S&P's Global Credit Outlook 2023: No Easy Way Out, 'Outlook bias by sector (%) chart, based on Global Financial, non-Financial and Sovereign issuers responses; "Positive bias—Percentage of issuers with a positive outlook or CreditWatch placement. Negative bias—Percentage of issuers with a negative outlook or on CreditWatch. Net outlook bias—Percentage of issuers with a positive bias minus the percentage of issuers with a negative bias."]

Despite progress made by banks and insurers in measuring and monitoring climate risks through stress testing and models, regulators in 2022 highlighted that there is still significant work to be done. While quantification models are being used to inform business decisions, firms continue to face high reputational risks due to allegations of greenwashing, especially as they continue to lend to the fossil fuel industry.

To address these concerns, regulators plan to conduct supervisory deep dives and on-site assessments in 2023, which will include extended scenario exercises and stress tests that incorporate trading book risk. Firms are expected to integrate climate decisioning capabilities into all aspects of their operations, including sales activity, product development, client selection, and pricing.

Responding to regulatory initiatives is a frequent driver of hiring across Financial Services firms. While there was some respite granted by regulators in 2022, with firms taking advantage of regulatory delays as a result of the pandemic, it is no surprise to see Regulatory Risk related hiring back on the agenda for 2023. In focus are capital strategies in preparation for Basel IV (Basel 3.1) and FRTBs IMA and SA. With output floor limits approaching, this is expected to be a focal point through 2024 and 2025.

Likewise, capital strategies in insurance, the Solvency II reviews, in the EU and UK will continue developing over the course of 2023. These will provide insurers with more clarity on specific reforms and should prompt them to start more detailed implementation planning and hiring.

Recently, the FCA, in conjunction with the Bank of England and the PRA, published final rules and guidance on new requirements needed to strengthen operational resilience in the financial services sector; stating that by 2022, and by no later than 2025, firms must provide evidence of their mapping and testing in order to remain within impact tolerances as well as show consistency in processes across different parts of their business.

[Diagram shows timeline of scheduled Output Floor limit change and how they will affect the benefits banks can derive from using their internal models to calculate minimum capital requirements.]

Operational resilience is the ability of a firm to prevent, respond to, recover and learn from operational disruptions. Recently the EU upgraded regulations in this area to emphasise IT security operational disruptions with the introduction of 'The Digital Operational Resilience Act' (DORA).

Banks, insurance companies and investment firms need to implement DORA by 17 January 2025. DORA aims to strengthen the IT security of financial entities due to the increasing risk of disruptions and cyberattacks. The regulation addresses four topics to enhance the resilience of financial entities: ICT risk management, cyber incident reporting, digital operational resilience testing, and ICT third-party risk management.

Although emerging and digital technologies can provide a competitive advantage, many control leaders are concerned about the speed at which companies are adopting them. Despite the pressure to adapt or risk becoming obsolete, the latest technologies often provided by third parties, such as machine learning, artificial intelligence, cloud adoption, tokenisation of assets, green finance initiatives, and identity & access management tools require intense risk regulation and control scrutiny upon implementation.

[Graph from EY/ IFF’s Global bank risk survey highlighting the 'top strategic risk facing risk leaders over the next three years.' Percentages refer to the proportion of respondents that selected a category as a top strategic risk.]

Recent years have seen cases of reputation loss, fines, and senior executive departures due to failed technology implementations, such as TSB's £48m operational resilience fine for attempting to migrate customer records to a new system, resulting in mass outages.

As a result, operational resilience has become a top priority in recent years. Despite significant investments made by firms to boost their operational resilience, many risk leaders agree that they need to spend more time considering "over the horizon risks" and continued collaboration between overlapping departments such as Risk and Technology is a priority. Firms should identify their important business services, spot vulnerabilities in real time, conduct appropriate mapping and scenario-based foresight, regularly update their operational resilience self-assessment capabilities, put a robust communication plan in place, and review and update important business services and impact tolerances.

Geopolitical risk is at the top of Risk leaders’ agendas for 2023. Geopolitical risk includes the risks associated with war, terrorist acts, and tensions between states and countries that affect the normal course of international relations. Geopolitical risk captures both the risk that these events materialise, and the new risks associated with an escalation of existing events. Recent examples include Russia’s invasion of the Ukraine and the global repercussions that followed. It shifted global concerns away from Coronavirus related health issues and towards growing political, security and macroeconomic risks. Russian energy supplies were cut, ceasing gas flows to 12 EU countries, with ripping effects to supply chains. The knock-on effects of high commodities prices, amplified by global monetary tightening and inflation may well still push may countries both developed and emerging countries into recession.

Alternatively, conflict between China and Taiwan grew when China conducted targeted military operations following a US visit to Taiwan. While the US government has reiterated that its diplomatic approach towards Taiwan has not changed, the erosion of the China-US relationship over the last few years has threatened this stability. While the worlds reliance on Taiwan’s semiconductors may limit this likelihood, the chance of a miscalculated response leading to wider conflict is increased with Risk and Control leaders expecting to pay particular attention to Geopolitical risk over the next few years.

[Source EIU, Risk Outlook 2023; Map shows "Ten Risk Scenarios that could reshape the global economy".]

While companies may not have the ability to prevent many of these impacts and events, it is crucial to have strong business continuity and resilience processes in place to mitigate and manage such events through understanding, analysis, and early planning. By addressing supply chain weaknesses, cyber exposures, and developing forward-looking enterprise risk processes, companies can better manage, monitor, and assess the effects of these risks.

In recent years there has been extensive hiring of Enterprise Risk Management (ERM) professionals, who offer a holistic view across all risk types and analyse the interconnectedness and dependencies that exist within an organisation. Against today's backdrop of external changes, we expect these newly formed ERM teams and frameworks to be extensively tested in the year ahead.

Regulators have announced plans to closely monitor digital assets to mitigate new risks arising from crypto and decentralised finance. The move comes in response to the 2022 plunge in crypto prices. In the UK, the PRA had already warned that crypto-related risks require amended "financial, prudential, operational, and reputational frameworks" to meet FCA requirements. The signing-off of risk-assessment frameworks that enable exposure to digital assets must involve individuals with the relevant Senior Management Function (SMF).

Simultaneously, the UK government and the Bank of England announced plans for the creation of the 'Digital Pound' by 2030. The digital currency will complement but not replace cash and will be used as an official rival to the technology sector. The digital pound will be issued by the Bank of England and held in smartphone wallets, allowing it to be interchangeable with cash and bank deposits for everyday payments in-store and online. Unlike crypto assets and stablecoins, the digital pound will be issued by a central authority, the Bank of England, with intrinsic value and less volatility.

Although many firms returned to a sense of normalcy after the pandemic in 2022, the year 2023 appears to be filled with headwinds from various factors, such as high inflation, geopolitical instability, slowing economies, and a possible recession for numerous countries. Bain's paper, "The New Recession Playbook" from 2022, suggests that during such times, companies should learn from past mistakes and adopt proactive measures. The paper identifies three traps that companies often fall into during a recession:

1. Some opt for an aggressive, across-the-board cost-cutting approach, known as the "burn-the-furniture" method.
2. Others venture too far from their core competencies and make misguided decisions in a desperate attempt for growth, known as "spray-and-pray" reactions.
3. Some companies wait too long before taking action, leaving them lagging behind competitors.

Bain's analysis further suggests that companies typically experience more significant gains and losses during a downturn than in stable periods. Therefore, winning companies take a proactive approach to prepare for recessions. They strategically trim costs before a downturn, preserve the essential aspects of their business, and manage liquidity and their balance sheets. They also take advantage of opportunities to invest in competitive advantages and pursue mergers and acquisitions aggressively.

[Figure from Bain analysis illustrates that 'there is more movement in company performance to capitalise on during a downturn than during a stable period'; Based off research on S&P 500 listed companies with annual revenue greater than $2m, data shows that companies are 89% more likely to become a 'sinking ship"' during a 'downturn period' in comparison with a 'stable period'. Conversely, in a 'downturn period', companies are also 47% more likely to become a rising star; 'Rising Stars' are companies that moved from the bottom quartile up to the top half between beginning and end period whereas 'Sinking Ships' moved from top quartile to bottom half. The 'downturn period' refers to Dec 2007 to Dec 2014, and the stable period as Dec 2014 to 2017.]

Non-bank financial intermediaries, also known as shadow banks, offer services similar to traditional banks whilst evading conventional banking regulations. As such, they remain a regulatory blind spot. These entities rely on highly leveraged, short-term funding, making them vulnerable to catastrophic losses without an established safety net, such as access to public sources of liquidity or backstops. With the end of the post-crisis quantitative easing era and the Central Banks’ decision to increase interest rates to tackle inflation, regulators are concerned about the vulnerabilities that have built up in shadow banking over the past few years. They fear that a potential problem in shadow banking could start there but quickly spread, sending shockwaves across the world. Recent examples, such as the collapse of Archegos Capital Management in 2021 and the turmoil that hit the UK pension funds sector in autumn 2022, illustrate the short-term cash pressures, risky bets, and knock-on effects that characterise the sector as volatile. Common problems around liquidity, leverage, and interconnectedness through derivatives and the cash collateral calls they generate exacerbate these issues. As a result, the Bank for International Settlements (BIS) has called for tighter regulation of the sector, urging these organisations to step out of the shadows and be regulated like their conventional peers.

The current operating environment for Risk and Control functions in financial services firms is highly complex, possibly more so than at any other point in recent decades. Leaders face the challenge of future-proofing their organisations against multifaceted scenarios and staying ahead of risks. They need to be proactive to gain a competitive advantage and maintain a high level of strategic resilience in their approach to risk management. Disruptions are becoming more frequent and severe, and their unpredictability requires companies in all industries to plan for the unexpected and build up their response capabilities in advance.