A survey of senior risk managers in the financial sector reveals a complex landscape of interlocking risks, with regulatory change and cyber risks coming top of the five main risks. The survey also shows how the financial crisis affected the way in which the risk management function is perceived in financial institutions

StrategicRISK surveyed the most senior risk professionals at financial institutions, including investment banks, insurance companies and retail banks in Europe’s biggest economies to understand the key issues facing the financial sector. The findings reflect a complex risk landscape, with most of the top five risks interlinking with one another, increasing risk exposure and potential losses.

Respondents said the following threats are among their top five risks: changes to regulation (91%), cyber risk (65%), nonmalicious system failure (51%), reputation damage (47%) and economic slowdown/stalling recovery (37%). In a risk landscape where these threats are interconnected, the potential loss for a company will be significant.

Further, the insurance market is failing to address many of these key risks according to the survey.

When asked to list the hardest or impossible risks to insure, 70% identified reputation, 53% chose cyber and 51% said technology failure.

Reputational damage, for example, can be linked to cyber risk and non-malicious system failure. Data breaches and system failures could lower public confidence, particularly when personal finances and private information are at stake, as was the case with the US department store Target. In 2013, the company suffered a security breach in which hackers accessed personal information of about 70 million customers. The cost associated with the breach amounted to millions of dollars.

Top 5 risks:

  1. Changes to Regulation
  2. Cyber
  3. Non-malicious system failure
  4. Reputation damage
  5. Economic slow down

Regulation

Indeed, the regulatory environment is becoming stricter on areas such as financial reporting or data protection. Regulations that aim to protect personal data increase the compliance burden for companies and their breach can potentially lead to fines and reputational damage.

Regulation was also cited as an area lacking in insurance cover. Although ‘regulation’ was not offered as a choice in the multiple selection part of the survey, when asked to specify the most difficult risks to insure, respondents alluded to it in some shape or form.

One respondent said regulatory change was an uninsurable risk, while others stated ‘regulations’ or ‘regulatory impact’ were difficult areas to insure. This, coupled with the fact that an overwhelming 91% of risk managers said regulatory change was one of five top risks, illustrates a landscape where risk managers are struggling with the regulatory environment.

Interestingly, risk managers feel their role is driven primarily by regulatory changes. More than 80% of respondents said risk management practices in the industry are improving, with 58% citing regulation as the primary driver of those improvements.

As one respondent put it: “[Risk] practices are improving only through changes in regulatory requirements. I am not sure if this means that risk management is embraced or if it is merely done to comply.”

However, one risk manager viewed it differently: “Regulators are enforcing fast change in the compliance and risk control area, withholding the development of risk management.”

Other respondents, on the other hand, thought the improvements in risk management were due to advancements in technology and greater communication between risk managers and the board.

Financial crisis

The survey also reviewed how the economic crisis has affected how risk management is perceived in the respondents’ companies. More than 50% of respondents believe their organisation has become more risk-averse, compared to a smaller proportion (16%) admitting that their company had not made any risk management improvements and a further 28% said there has been no change since the financial crisis.

In terms of how risk management is perceived in their business following the crisis, almost 50% said they have seen no change, compared to one-third who believe the crisis has improved the importance of risk management.

Risk transfer

Although all respondents use risk transfer solutions, they identified gaps in the insurance market, including costs arising from human errors, liquidity, supply chain and, to a lesser extent, credit risk and natural catastrophes.

In addition, 40% of risk managers said the percentage of insurable risk represents between 20%-30% of their firms’ overall risk exposures.

A further 19% of risk managers said between 30%-40% of their risks were insurable and 2% are able to transfer 60%-70% of their firms’ risks through the insurance market.

The relationship between insurance and client is an area that needs to improve, according to the survey. When asked ‘how can insurers better assist you in the identification, management and transfer of risk?’, many answered that the relationship between insurer and client must be strengthened, with suggestions of more frequent meetings and regular communication.

The fact that three of the five top risks from the survey (cyber, non-malicious system failure and reputation) were commonly identified as the most difficult or impossible risks to insure, suggests insurers are failing to address some of the major concerns for risk managers at financial institutions. One respondent summed it up as: “Insurers and brokers are no longer thought leaders in risk management. They are merely a commodity in any risk management solution. For 70% of a firm’s exposures, most insurers have no solution.”

Conclusion

The economic crisis of 2008 plunged the financial sector into chaos. The aftermath has resulted in a more complex risk landscape where compliance is key.

Indeed, regulatory reform is a major concern for risk managers and is also a main driver behind improvements in risk management within FIs.

Although positive, this trend also raises questions as to whether top executives really appreciate the benefits of risk management or whether they are merely responding to pressure from regulators to increase risk reporting. By doing so, FIs will certainly have ticked a box, but this says little about whether risk management is really valued.

The question risk managers should perhaps be asking themselves is whether senior management would invest in their function if such regulatory pressures did not exist.

For some FIs, it seems that the main driver for change is the threat of enforcement, rather than a willingness to invest in risk management to promote best practice. Irrespective of what the correct attitude might be, it is clear that much remains to be done to raise the standards of practices in the financial sector.