Mastering risk has long been a matter of life and death for banks. Credit, liquidity, and operational risks are as old as the industry itself. But technology risk—the potential of a breakdown in a bank’s IT infrastructure, systems, or applications that can impair its operations—is a different beast.
It’s more complex, harder to pinpoint, and ever-changing. It surges in real time through digital connections and cascades unexpectedly, even triggering other areas of risk. And, even worse, it’s growing fast, threatening every part of a bank’s value chain.
Top banking executives are on high alert. Two-thirds of CEOs report that technology risk has grown significantly over the last few years, according to a survey of 750 global banking executives conducted by ServiceNow and ThoughtLab. More than seven in 10 CEOs say that it is now the biggest risk their bank faces. And 64% of CEOs expect it to increase over the next two years.
The potential rewards for banks that successfully tame technology risk are significant. Improving technology risk management and resilience pays off in two interlocking ways. It generates risk and compliance benefits, which, in turn, boost strategic and financial performance. Most of these involve speed—faster identification, issue resolution, response, and risk and compliance reporting. Meanwhile, with digital risks under better control, leaders can also accelerate innovation and time to market, bolstering revenue growth. More than half (52%) of the banks surveyed say that managing the risks of digital innovation is crucial for future growth and financial success. This belief is held by even more CFOs (62%) and CROs (58%), who are in the best position to know.
New risks are often difficult to master. Our research pointed to five best practices among banks in the vanguard of addressing technology risk and resilience.
Research
Conquering technology risk in banking
Harnessing new technology, breaking down silos, centering risk in strategic decisions—none of it works without data. That’s why banks that have had the most success in overcoming technology risk say that collecting, analyzing, and sharing data across the enterprise is so important.
Fifty-nine percent of such banks say they’ve taken steps to provide IT, security, and risk management leaders and staff with data they need to improve IT risk management and resilience and their security posture. Additionally, 45% are creating data management solutions that integrate data across IT, cyber, and risk functions.
The return on investments in data are impressive, according to respondents. “Deploying data tools and dashboards to report on technology risks and resilience contributed greatly to improving our organization's technology risk and resilience performance,” the chief operating officer of a French private bank told us.
Conquering technology risk requires an integrated approach. That’s the takeaway from banks leading in risk maturity, who in our survey said they’re building technology risk management into key functions across the enterprise and its ecosystem of partners and suppliers. About half (47%) report taking a quantitative risk-based approach to IT and cyber risk management in line with overall risk posture. And 40% said they ensure that partners and suppliers support their strategies for improving technology risk management.
Crucially, banks identified as leaders in our survey are automating these risk-based processes—a trend that will only accelerate. Already far ahead of those we classified as beginners, the vast majority of banks at the forefront of addressing technology risk say they will automate risk identification (84%), detection and monitoring (73%), and compliance (73%) in the next two years.
Better execution is one of the key benefits executives at these banks expect to realize. “Our main objective for the upcoming years is the automation of key processes that impact risk functions, as this removes the chance of human mistakes,” the COO of an Australian retail bank told us.
Leaders in our survey understand that leaning into digital transformation is a necessary step to address technology risk. That might seem ironic—can the solution to technology risk really be more technology? Our findings were clear: If the technologies are the right ones, then the answer is a resounding yes. Leaders identify modernized IT systems, cloud, and tools that enable better orchestration of cybersecurity defenses as their most important tech investments. Importantly, they all contribute to a solid foundation upon which future innovation can take place.
The pace of investment in these technologies will only accelerate. Over half of leaders in risk (51%) say that cybersecurity orchestration is going to be one of the most important tech investments over the next two years. They’re also moving boldly to adopt artificial intelligence (AI) and machine learning, with 58% of leaders saying they plan to do so in that timeframe. And 59% say they plan blockchain investments within the coming two years.
Leaders harness technology to improve most areas of technology risk management and resilience. They make digital solutions accessible to IT, security, and risk management heads to improve their overall security posture. They use it to digitize and automate workflows to reduce human mistakes and boost productivity. And they use it to de-risk their cloud platforms and ensure resilience.
The right people and processes are also key to combatting technology risk, based on the most effective banks’ practices. This requires ensuring that a wide range of people across the enterprise are involved, trained, and working together, with defined roles.
Nearly three-quarters (73%) of leaders say cybersecurity personnel play a critical role in their efforts to manage tech risk. They most often complement them with experts in digital transformation (65%), operational risk (62%), data privacy (61%) and IT risk management (56%). To keep these cross-functional teams coordinated, many banks are broadening the responsibilities of the chief risk officer—and more plan to follow suit over the next couple of years.
Leaders see managing technology risk as an organization-wide priority. “Training and educating our workers on technology risk in order to instill a culture of accountability and responsibility among all employees” is a priority, according to the CIO of Japanese retail bank. While close to half of banks (49%) out in front in the fight against tech risk are already taking this step, a significant majority (58%) say it will become a focus in the next two years.
Managing technology risk is a governance challenge. Banks that do the best job of it take that challenge very seriously—all the way up to the very top of the organization. In fact, virtually every bank that we identified as technology risk leaders—97%—say their boards of directors are engaged on the issue. And almost a third (30%) said their boards play a key role.
For those that have taken this step, the benefits seem clear. “We made technology and cyber risk management and resilience part of our board and senior management duties, which has aided in early detection and correction of issues,” the chief risk officer at a US private bank told us.
To put that commitment into action, banks on the cutting edge of technology risk management are focused on compliance (46%) and reporting (42%). In both areas, a majority of leading banks say they’ll make investments over the next two years.
Get Workflow in your inbox
Trending articles
Related