Why Asian bankers are thinking differently about risk than their global counterparts

According to a recent global survey of how banks approach risk management,¹ Asian bank executives are thinking differently about future risk priorities than their global peers. This divergence reflects the region’s less interventionist regulatory environment and more robust digital environment.

The global survey has been conducted annually since 2008, tracking the changes in risk management after the global financial crisis. Since then, not surprisingly, banks have materially strengthened their risk management approach. From the board level down, banks have made significant investments in risk, compliance, and controls. Headcount in control functions has increased considerably, as has the seniority and scope of risk and compliance functions.

However, last year’s survey also found that, whilst important progress has been made, the work ahead remains substantial. In fact, it suggests that banks may be only halfway through a 15-year journey to develop robust risk management to meet the needs of the current era. In particular, it identified the ability to manage non-financial risks, particularly conduct, financial crime, and cybersecurity risks, more effectively as one of the biggest future challenges. The survey found that many banks are working to evolve new risk management approaches in this area, including making the first line of defense more clearly accountable for non-financial risk.

Regional non-financial risk priorities diverge from the global trend
As this work progresses, the survey found that, in the Asia Pacific region, the priorities of bank boards and chief risk officers (CROs) are notably different from those in the West. Western boards and CROs are most focussed on the risks involved in implementing new regulatory rules and responding to supervisory expectations. Specifically, focus on a wide range of conduct areas has increased – money laundering (increased to 72% from 52% in 2015) and sanctions (increased to 52% from 30% in 2015) have moved significantly up the agenda.

In contrast, cybersecurity was at the top of the risk list for bank boards in Asia Pacific. It’s a similar story for the region’s CROs, who rate cybersecurity risk second after credit risk – and put regulatory issues further down the list of the areas receiving their greatest focus.

It’s an interesting mindset difference reflecting two distinct regional factors.

First, although Asia Pacific’s banks are hugely impacted by regulatory requirements, the effect has not been of the magnitude seen in the West. In the UK and US in particular, banks have been beset by highly public misconduct scandals. From 2007 to 2015, the banks have paid over US$122b in fines,² equal to 7.1% of their aggregated revenue. Many banks have exited markets, products, and geographies, reduced the availability of certain products and services, or limited the complexity of products they offer.

Whereas, around the region, regulators have generally proved to be less politically driven to reign in the banks and more inclined to facilitate market development. In the resulting, more balanced approach, where regulators hold senior management accountable for running their banks well, the regulatory imperative is to lay a sound foundation for an orderly financial market.

Second, in Asia the consumer appetite for digital interactions and the high penetration of mobile devices are driving banks to adopt new technological innovations. At the same time, criminals are also becoming digital experts, leading to well-publicised incidents of cyber theft and the rise of shadowy malware capabilities. As a result, the region’s bank boards and CROs are more concerned about cybersecurity as a new risk to tackle than AML, KYC, or misconduct which they having been dealing with for a few years.

Asia Pacific regulators are also focussing on cyber as a critical threat. 2016 has seen the Hong Kong Monetary Authority introduce the Cybersecurity Fortification Initiative which, in addition to requiring individual banks to develop new controls and board oversight, will also include developing a Cyber Intelligence Sharing Platform allowing banks to share cyber threat intelligence. The Hong Kong Securities & Futures Commission is also looking into drawing up baseline requirements for the brokers and asset managers. Similarly, the Monetary Authority of Singapore has issued directions to its authorised institutions highlighting the increasing urgency of the need to address cybersecurity risks.

However, the survey found that, when it comes to cybersecurity, the region’s banks aren’t waiting to be regulated. They are already taking a broad approach to addressing cyber risks:

• Adding more resources – Banks are designating more roles to address cybersecurity in second-line risk and compliance groups. They have increased dedicated headcount (75%), appointed designated specific cyber roles (55%), and created a “chief information security officer”-type position (32%).
• Taking an enterprise-wide approach – Regulators want banks to view cybersecurity as an enterprise risk, not simply an IT issue, and many banks are already ahead in this regard, incorporating their cyber risks and compliance frameworks. Together, this constitutes an emerging three-lines-of-defense approach to cybersecurity.

But these moves are just the start of the necessary response to cyber threats. As Asia Pacific’s regulators escalate the timetable for implementing cyber controls and regulations, banks will need to demonstrate to local regulators that their cybersecurity programmes go beyond global programmes. Local banks need to be able to deal with and accountable for cyber threats to their local operation. 

In this regard, individual banks must turn to technological solutions to analyse big data to identify and potentially prevent cyber attacks. Data analytics can also be deployed to manage conduct risk. For example, some banks are already using data analytics to take multiple data points pre- and post-sales to identify sales misconduct.

In the future, banks will be ill-equipped to effectively manage risks without the use of technology, data analytics, and artificial intelligence.

¹ 2016 Global Banking Risk Management Survey, conducted by EY and the Institute of International Finance.
² Source: Company accounts, EY analysis. Further fines have been incurred in 2016.

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.