1. Home
  2. Bank Relations & KYC
  3. Evaluating Banks’ Overall Performance

The future of bank risk management – EY survey

A report by EY on bank risk management - A set of blueprints for success - looks at the transformation in the banking sector eight years on since the 2008 financial crisis, which saw the demise of several banks and the bailout of others. It says that banks are now half-way through a 15-year period of risk management transformation and asks what the next stages of this journey will be.

Banks under pressure

Some of the report's broad conclusions include:

  • banks are under considerable pressure from investors on return on equity (ROE) – and investors are pressing for cost reductions and business model change;
  • the top three priority risk areas for boards of directors are: implementation of new regulatory rules, cybersecurity risk and risk appetite;
  • there are challenges in industry as more than 60 per cent of banks are changing their three lines of defence.

Major risks for banks

The report notes that, due to evolving regulations, cyber security threats and competition from non-banks, the traditional banks are under huge pressure. “The risk management function is evolving rapidly to cope with the changes in the economic and regulatory environments,” said Andrés Portilla, of the Institute of International Finance (IIF).

Non-finance risks also putting a major financial strain on the banking business. The survey's respondents said they are putting considerably more focus on areas such as money laundering, sanctions and cyber security.

'Three lines of defence' model

According to the survey, banks have greatly stepped up their efforts to make a fully functioning three-lines-of-defence approach to risk management work, but there is still no agreed blueprint within the industry on the balance of responsibilities across the first and second lines.

The three lines of defence for banking risk management, as accepted by US banking regulators and the Basel Committee on Banking Supervision, are:

  1. the business unit;
  2. independent risk management (compliance, operations risk, etc.); and
  3. the independent audit function.

Making business units more accountable

In the EY survey, more than 60 per cent of banks said they are currently changing their three lines of defence model and many are making the business units more accountable for various types of risk management. They are also looking into the second line and developing better technology and more advanced data analytics. If found that banks are also attempting to reduce non-financial risk by:

  • reducing complexity of products (57%);
  • exiting products (63%); and
  • improving employee training (67%).

Like this item? Get our Weekly Update newsletter. Subscribe today


This item appears in the following sections:
Bank Relations & KYC
Evaluating Banks’ Overall Performance
Risk Management
Financial Risk Management

Also see