Prioritizing a Complex and Challenging Agenda
With cyber risk ever prevalent, significant new regulatory guidance taking hold, and banks’ reliance on third parties for technology growing, chief risk officers continue to spend the largest share of their time monitoring and managing non-financial risks. But in the wake of a liquidity crisis that felled three institutions and brought numerous bank deposit runs—and with credit risk spiking—financial risks are also demanding increasing attention.
That’s according to the latest edition of the RMA and Oliver Wyman CRO Outlook Survey. Conducted in summer 2023 with contributions from 51 institutions with diverse asset sizes and geographic footprints, the survey gathered information about:
- Risk agendas, emerging risks, and budgeting.
- Reactions to the regional banking crisis across the industry.
- External outlooks on the macroeconomic, regulatory, and competitive landscapes.
In a fast-moving world where multiple and changing exposures can make managing risk feel like playing zone defense, the survey highlights how peer risk leaders and institutions are balancing their time and attention. In detailing how CROs spend their time and CRO assessments of top risks and priorities, the survey data put a bank’s risk management practices in context and inform its journey going forward.
Fifty-two percent of the banks that participated in the survey had an asset size of less than $25 billion, 22% greater than $250 million, 15% between $25 billion and $100 billion, and 11% from $100 billion to $250 billion. In terms of geographic footprint, 44% of responding banks were multi-state, 19% regional, 19% super-regional, 11% global, 4% national, and 4% single state.
Jake Ritchken, a principal at Oliver Wyman, said the survey report “highlights several important trends for CROs as they look to prioritize their initiatives for 2024, particularly in topics related to risk measurement and preparedness.” “The timing of the survey release isn’t a coincidence,” he said. “It’s intended to serve as valuable input as CROs shape their 2024 priorities with their teams and their boards.”
This article discusses seven key takeaways.
Takeaway No. 1
CROs continue to allocate the greatest proportion of their time to non-financial risk management.
CROs dedicate about half their time to non-financial risks, with the other half split between financial risks (33%) and enterprise, strategic, and other risks (17%). It’s important to note a distinction based on bank size. For banks smaller than $100 billion, the average portion of time spent on non-financial risks was 54%, according to the survey, compared to 30% on financial risks. At banks larger than $100 billion, the average percentage of time devoted to non-financial risk was 41.5%, still edging out the time allocated to financial risks (37.5%) but by not nearly as much.
On the whole, time allocated to non-financial risks included: compliance (13%), operational (12.6%), cyber (10.3%), and third-party (6.7%).
Of all the top risks reported by CROs—both financial and non-financial—the most common was cyber. Fifty-eight percent of CROs put it in their list of top five risks. Another non-financial risk category, fraud and financial crime, made 42% of the
top risks lists.
Takeaway No. 2
While financial risks do not account for the largest share of a CRO’s time, they are rising in prominence, including an increased focus on treasury risks.
At a time of heated competition for deposits, a worrying flood of office vacancies, and spiking consumer loan delinquencies even as GDP grows, three of the most common top risks reported by respondents were financial: treasury/asset-liability management risks (cited as a top risk by half of respondents), wholesale (C&I and CRE) credit risks (42%), and a possible recessionary environment (42%).
The risk CROs devote most of their time to is a financial one: Survey respondents spend an average of 16% of their time managing credit risk. The survey also found that CROs spend an average of 10% of their time on another financial risk category—liquidity and treasury. Following the liquidity crisis that marked the earlier part of 2023, more CROs are classifying treasury/ALM risk as a top risk— 29% versus 17% in last year’s survey.
Takeaway No. 3
Beyond regulatory and economic concerns, CROs are focused on potential business changes and the organizational/cultural implications for risk management. Strategic risk/disruption, risk culture, and issues around operating model are cited much more often as priorities.
In a year when concerns regarding AI and technology risk, strategic risk and disruption, and wholesale credit risk were ascendant, some high priorities from the previous survey have dropped in the rankings. Recession readiness is clearly still crucial. A possible recessionary environment ranked as a top risk for many CROs. And over half of CROs believe that the macroeconomic environment will continue to worsen over the next year. But it was listed as a priority by only 32% of CROs, down from 52% a year prior.
Another area sliding down the priority list was climate risk. It was listed by 7% of CROs, down from 27% in the prior survey. Rising on the priority list were strategic risk/disruption (up 23 percentage points), risk culture (20 points), technology risk (19 points), and treasury/ALM risk (13 points).
Despite an apparent drop in priority level, said Michael Duane, a partner in Oliver Wyman’s Finance and Risk Management practice, “climate risk is still a pressing concern for many banks.”
“I think there are two things driving this finding in the survey,” he said. “First, the immediate reactions to the regional banking crisis have put topics such as ALM, interest rate risk in the banking book, and liquidity risks higher on the priority list. Something has to give.”
“Second, compared to a few years ago there is more certainty on what is expected of risk managers when it comes to climate, which is a source of comfort to CROs,” Duane said. “Supervisory expectations have become clearer since our first survey in 2021, and banks are advancing methods to manage climate risk through efforts including RMA’s Climate Risk Consortium. Oliver Wyman has proudly contributed to the consortium’s climate data and climate scenario analysis working groups, which are helping to refine industry practices in those areas.”
In addition to developments in the economy and industry, the changing priorities reflect the actual activity and workload of CROs. Respondents on average said their top time-consuming activities were:
- Risk governance and issue management, including risk appetite breaches and board reporting (15% of their time).
- Activities related to roles, responsibilities, and the operating model (12%).
- Regulatory affairs/relationship management (11%).
- Risk identification, including emerging risks (11%).
- Risk culture (9%).
- New initiatives (9%).
Ritchken said efforts related to the operating model, risk culture, and new initiatives make sense when you consider that “as a bank changes its operating model, the manner in which the risk organization engages must change to keep pace.” A cohesive operating model and “full buy-in to the idea that risk management matters” are key, he said.
Takeaway No. 4
The impact of technology on the speed of risk is now seen as a significant emerging risk.
The speed of deposit withdrawals during the liquidity crisis, enabled by instantaneous, digital transactions and prompted in some cases by social media-spread anxiety, signaled a more dangerous era of risk. Many CROs were surprised by the pace at which the events of the first quarter unfolded, including the speed of deposit outflows—one institution lost $42 billion in deposits in a single business day—and potential contagion risks.
This phenomenon was a new entrant to the survey’s list of top emerging risks, where a third of respondents named the speed of risk in a digital world as a top emerging risk. “The pace and scale of contagion risks and taint of industry problems can affect the industry at-large,” one respondent observed in an open-ended survey response. “It was an important lesson learned: how quickly contagion risk can affect financial institutions.”
Ritchken said the crisis “showed us how important it is for everyone to understand the importance of risk, and the speed at which things can change when risks materialize.”
Takeaway No. 5
Banks are focused on uplifting their treasury risk management capabilities, including preparation for a wider range of outcomes.
To be sure, the speed of withdrawals was a notable factor in the liquidity crisis. But other important factors included a lack of stickiness in deposits, bank assets held in long-term instruments that lost value, and the effects of a rapidly rising interest-rate environment on both. At the time the survey was conducted, about 90% of CROs indicated they planned to upgrade at least one core treasury risk management capability. Two-thirds were planning to update at least five core treasury risk capabilities.
The majority of planned upgrades focused on scenario analysis (for example: liquidity stress testing and interest-rate risk), and monitoring/reporting (liquidity risk appetite metrics and interest-rate risk measurement).
In a fast-moving and uncertain environment, many survey respondents said they were already acting. Measures taken included:
- Updating short-term ILST scenarios.
- Evaluating potential scenarios and impacts to risk profile.
- Strengthening control suites.
- Actively monitoring through analytics and engaging in discussion of results.
- Establishing metrics to monitor on a quarterly basis.
- Establishing action plans on top identified risks to ensure appropriate oversight.
Duane said the quick and widescale adoption of enhanced liquidity and ALM frameworks was among the survey’s most surprising findings. “It isn’t just 50% of banks,” he said. “It’s the significant majority.”
One CRO said the crisis was a reminder that “interest-rate risk and liquidity risk management matter—despite the fact that these areas have received limited supervisory attention in the past decade.”
Takeaway No. 6
CROs continue to be pessimistic about the credit environment.
Perhaps reflective of surprisingly strong jobs and GDP reports as 2023 progressed, the CRO outlook for the overall economy is not as dim as in the prior survey. Slightly more than half of respondents said the economy will worsen in the next year, down from 84% who held that view a year earlier.
But that less-negative tone did not translate to credit risk. Seventy-eight percent of CROs believe the commercial credit environment will worsen, and nearly 90% believe that a worsening consumer credit environment—which has experienced spiking delinquencies for auto loans, student loans, and credit cards—is in store.
Commercial credit risk is seen as a higher-priority risk than consumer credit risk by respondents. Thirty-nine percent put wholesale credit (C&I and CRE) risk in their top five priorities list, while 14% assigned that status to consumer credit risk.
Takeaway No. 7
Regulatory attention and scrutiny have increased, with a particular focus on liquidity and capital.
The Federal Reserve’s November 2023 Supervision and Regulation report said supervisory findings are up across the industry as the regulator moves to “enhance the speed, force, and agility of its supervision” in the wake of the liquidity crisis. That was borne out by the survey results. Fifty-four percent of respondents said new supervisory findings had increased in the past year. That was up from 39% a year earlier. The 27% of CROs who reported a significant increase was up from 12%.
The increase in supervisory attention was most common for larger institutions. Half of CROs at banks above $100 billion in assets said findings were up significantly, compared to 17% at banks below $100 billion. With regulators focused on treasury issues, CROs overwhelmingly expect to see increased regulatory and supervisory findings at peer banks regarding liquidity (89%) and capital (81%) over the next year. Most also expect to see an increase in findings on third-party risk (78%), cyber risk (69%), and data, IT, and resiliency (69%). Compared to a year earlier, fewer CROs are expecting increased findings regarding ESG, climate, and equity—28%, compared to 72% in the prior survey.
Like every year, the universe of risks to monitor and manage closely seemed to expand in 2023, prompting the question: How can risk organizations continue to meet ever-growing and more complex responsibilities?
One way, of course, is bigger risk budgets. Several respondents reported that spending on risk management at their institutions had increased modestly in percentage terms. The average risk budget as a proportion of total budget was 6.3%, up from 5.8% in the previous survey. Just over half of CROs expect their bank’s risk spending to increase over the next three years, while others expected budgets to remain constant or even decrease.
This emphasizes several challenges that CROs face given the difficult economic climate. “Many CROs are being asked to do more with the same or even less,” Ritchken said, “which is particularly challenging for some areas where technical skills are in high demand, such as treasury risk.”
Short of significant funding increases, the answer to expanded responsibilities likely includes tapping AI and other technologies, de-emphasizing practices that are not as effective or efficient as they once were, and being on the lookout for innovation. No matter how risk management evolves and adapts, the annual RMA and Oliver Wyman CRO Survey will continue to serve as a critical benchmarking tool for CROs, their risk organizations, and their institutions.