The top risks facing banks in 2022 are all operational

Managing risk is critical for organizations large and small. But doing so is more complex than ever, with new risks — from pandemic waves to climate disruption to crypto volatility — emerging almost daily.

Multiply this challenge by another 20 times if you are a bank. For banks and similar institutions, dealing with risk is not limited to identifying its sources. Banks must focus on quantifying risk and embedding the tolerance for that particular risk in all areas of the business. They must contemplate the challenges both to markets and to the financial strength of borrowers, both commercial and consumer.

The proliferation of risks requires a mindset shift for banks. The Risk Management Association's recent Chief Risk Officer Outlook 2022 survey, conducted with the consulting firm Oliver Wyman, found the average CRO plans to spend nearly twice as much time on nonfinancial risk and compliance in 2022 as on financial risk.

In our collective 50-plus years of experience working with banks and their risk management teams, we have seen how greater information about what similar institutions are doing — particularly their risk frameworks and organizational structures — can help drive CROs’ efforts forward. Here, at the beginning of 2022, we see three areas our members and clients are tackling to prepare for the risks to come.

The first emerging risk we’re focused on is increasing regulatory intensity.

Many factors are changing economies and societies today and are forcing governments to act. Intensifying regulation is one of the top risks identified in our CRO Outlook 2022 survey, with 89% of the 40 CROs from a diverse set of North American banks identifying “a change in regulatory focus/intensity” as the top emerging risk.

Key regulatory changes include climate-risk disclosure and testing requirements, cyber disclosure, crypto regulations and data oversight, which can result in "matter requiring attention" missives from regulators. For U.S. community banks, changes to the Community Reinvestment Act could also have considerable impact.

A continually developing area of risk management for banks is third-party risk, which increasingly requires certifying to regulators what vendors and subvendors are doing to protect data and comply with laws and regulations.

U.S. regulations governing banks that partner with fintechs underscore why regulatory intensity is so concerning. As more banks partner with fintechs to enhance their customer experience, among other benefits, they face mounting requirements to certify their partner’s risk practices. This ranges from detailed strategy questions to certifying the validity of their partner’s data. Risk reviews that meet both the spirit and letter of regulation are so onerous that some banks may conclude fintech partnerships are not worth it. While this certainly isn’t the point of the regulation, the example shows the need to consider the intensifying regulatory landscape when making business decisions.

The second emerging risk area is related to data.

Adhering to regulations requires that banks have data at their fingertips. And not just data for the sake of data — the right data to monitor and address the specific risk in question. Every organization faces this challenge, but for data-dependent banks — which often operate in silos — the challenge to paint an accurate picture with data is even greater.

One bank we have worked with frustrated its board by presenting six different total loan numbers at one meeting. Each department presented its own version of the numbers, missing the opportunity to create a common taxonomy that would have helped explain what all those loan-loss numbers meant.

To improve your data output, you have to improve the inputs and the way the data is collected. This is a key opportunity to use automation and other technologies to help ease collection and visualize results. With climate and other data-heavy regulations around the corner, now is the time.

The final emerging risk factor is technology.

The pandemic showed two sides of technology risk. First, it forced banks to send their workers home and adopt new technology to operate remotely and keep things running. Second, it created heightened cyber risk from a reliance on technology.

Ransomware and other cyberattacks remain a critical risk for banks but still too often are considered the purview of the information technology department or the chief information security officer. Greater scrutiny by the Securities and Exchange Commission and other regulators means risk officers must build stronger bridges to their colleagues who manage technology. One way to do so is to recruit more tech-savvy employees.

In summary, the key risks that banks and other institutions face in the new year are central to their risk management functions. Given all the external risks known and brewing, this is a pivotal year for banks to build or reassess their risk management framework — ensuring their plans carefully align expected risks with staffing, platform and structure needs.

To do this effectively, banks should measure their risk management capabilities against industry benchmarks, concentrate on the risks they face and create an investment and action road map. That requires tools and platforms that can track vast amounts of data in real time and teams with diverse skill sets to analyze those results and communicate them to the rest of the business.

Establishing a holistic approach to risk management is no longer a nice-to-have but a must-have as the number and complexity of risks increase.