Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the financial services industry.
By Cory Gunderson, Managing Director
Global Leader, Financial Services Industry
When we conducted our survey in the fourth quarter of last year, the top risks on the minds of financial services directors and executives, in order of priority, included: regulatory changes and increased scrutiny, cybersecurity, information security, economic volatility, and succession. However, risk is never static. If we were to conduct the survey today, with the significant changes over the past six months, including growing nationalist sentiment across the globe – Brexit being the most recent example – economic concerns would probably rise as high as second place, even with cybersecurity and information security remaining strong and “evergreen” concerns.
Executives perceive risk in much the same way the body perceives pain. New risks arise sharp and top-of-mind, but recede in perceived importance as the corporate body adapts to the stimulus. My colleague Richard Childs alluded to this “anesthetizing effect” in his recent post on top risks in the consumer products and services industry. In financial services, the reigning top risk – regulatory changes and scrutiny – continued a steady decline in perceived severity, and at least two other top risks from 2015 – social media and disruptive technology – dropped out of the top five.
That’s not to say these risks have receded. If anything, regulations continue to evolve and they change with greater frequency, reflecting the critical importance of a sound financial system to the world’s economy. And the level of investment in fintech – the technology driving the bleeding edge of financial services – is growing by leaps and bounds. Rather, financial institutions are now dealing with these risk areas on a daily basis, so they are not perceived as sharply as when they first arose.
Similarly, other risks fundamental to a financial institution’s survival – such as market risk and credit risk – are so much a part of everyday life that they don’t even register on a survey like this. Things could change soon, however. We have lived in a low-interest environment for well over 20 years, creating an entire generation of risk managers who have never had to manage volatile interest rate risk – at least not on the scale of the 1970s and 1980s. With the Federal Reserve strongly hinting at higher interest rates to come, regulators are keeping an increasingly close eye on this fundamental. Interest rate risk could very well become one to watch. And as in any cycle, the spectre of credit risk looms on the horizon, with many regulators looking at evidence of the risk-compounding scenario of loosened underwriting standards coupled with overheated pricing bubbles.
The bottom line is that the financial services industry, because it is central to the world’s liquidity, movement of capital, financing of business expansion and the safekeeping of wealth, is always going to be risk-heavy – and while the ranking of risks matters, it is not to be seen as an indication of one risk or another going away completely. Financial services firms are in the business of managing risk by their very nature, meaning the rankings are really more a reflection of what’s top of mind at a given point in time.
We are entering a period of increasing volatility. There are going to be stresses on financial institutions’ systems. It is important, going forward, that executives and directors work hard to remain agile and adaptive in their risk management roles, challenging all layers of defense – especially the first line – to remain engaged, and avail themselves of the latest in risk management capabilities. History has shown that when organizations become complacent, or assume that the situation of today won’t change tomorrow, risks have a way of becoming realities, and neither the regulators and policy makers nor the public at large appear to be in a forgiving mood.