Top Risks Facing Financial Institutions

November 28, 2023 17 mins

Financial Institutions respondents to our Global Risk Management Survey (GRMS) ranked cyber attack or data breach and regulatory or legislative changes as their two most critical risks.

The backdrop of high interest rates, continued regulatory pressure and potentially moderating but still troubling inflation—combined with ramifications caused by the increasing geopolitical volatility in Eastern Europe, the Middle East, Asia and Latin America—highlight the volatile world facing leaders in the financial services sector.

In response, firms across the financial services sector are evolving to serve the needs of their customers while remaining sustainably profitable. To remain competitive, financial institutions are optimizing their cost base and embracing sound risk management while maintaining a tight grip on security and compliance. To achieve these aims, firms are investing in technology as part of a long-term strategy to future-proof their businesses.

The competitive landscape for financial institutions is evolving; digital-first providers and, to a somewhat lesser extent, fintechs are still entering and disrupting the marketplace. These new entrants attract users with superior digital experiences that established banks are racing to match by improving their own offerings and to outdo by investing in artificial intelligence (AI). The use of AI presents both a looming threat and an opportunity for banks to enhance their customer experiences and reduce costs. At the same time, the sector is facing increased pressure and scrutiny from regulators, investors, customers and current and prospective employees to enhance its focus on sustainability and environmental, social and governance (ESG) initiatives.

It is therefore unsurprising that all top ten current risks in the sector are connected to the above trends. Rising geopolitical, social and economic volatility and the increasing use of AI have kept cyber attack or data breach in the number one spot among assessed business risks for financial institutions in 2023. And respondents anticipate it will remain their top concern, also ranking it as their number one future risk.

The number two ranking, regulatory or legislative changes, reflects the fact that international, national and state-level regulations are expected to evolve imminently to avoid past mistakes and negative impacts from overzealous behaviors.

In addition, increasing ESG criteria requirements are putting pressure on financial institutions to meet the needs of regulators and customers. And finally, the broader macroeconomic conditions that led to a rash of bank failures, mergers and acquisitions in the financial sector, as well as persistent inflation and high interest rates (ranked the industry’s number seven risk), are reflected in the number three and four rankings for economic slowdown or slow recovery and cash flow or liquidity risk, respectively.

Current Risks

With the growth of novel computing approaches, financial institutions are highly cognizant of their cyber security, ranking cyber attack or data breach and tech or system failure at number one and five, respectively.

Top 10 Current Risks
  1. Cyber Attack or Data Breach
  2. Regulatory or Legislative Changes
  3. Economic Slowdown or Slow Recovery
  4. Cash Flow or Liquidity Risk
  5. Tech or System Failure
  6. Failure to Innovate or Meet Customer Needs
  7. Interest Rate Fluctuation
  8. Failure to Attract or Retain Top Talent
  9. Damage to Brand or Reputation
  10. Business Interruption

Internal people-related threats, such as human error and deliberate acts, and the cultural, behavioral and social factors that influence them remain an area of great concern. Outside of bolstering their own cyber security, financial institutions must also ensure compliance with multiple data protection regulations. In the EU, the 2022 Digital Operational Resilience Act (DORA) outlines requirements for sound risk management in the financial sector; in the UK, the operational resilience framework sets requirements for assessing and addressing operational risks and reporting incidents; and in the US, the Interagency Paper on Sound Practices to Strengthen Operational Resilience provides guidance for financial institutions to shore up their resilience to internal and external threats that could cause wide-scale disruptions. As banks provide payment services, cloud hosting, digital wallets, blockchain and other services, third- and fourth-party risks continue to evolve.

Issues with cybersecurity and system failures can lead to cascading effects, such as the risk of business interruption (ranked number 9) and damage to brand or reputation (ranked number 10). Financial institutions’ dependence on technology to support operations is multifaceted and expanding rapidly. This reality, as well as the need to responsively implement new technologies to serve client needs, puts financial institutions at risk for system outages and consequent loss of income and customer trust. Using legacy or unsupported software can greatly exacerbate these risks.

The highly regulated financial sector faces myriad risks stemming from shifting political landscapes and regulatory or legislative changes, the number two risk. Significant operational and strategic changes may be needed to comply with the Basel Committee on Banking Supervision’s latest update to international banking accords. In addition to rigorous new standards for risk ratings and asset valuation, capital requirements could rise by as much as 20 percent for some banks, according to a Wall Street Journal report. And in the wake of fraud, money laundering and misappropriation allegations surrounding the collapse of cryptocurrency exchange firm FTX, banks that handle crypto assets can expect more rigorous regulatory scrutiny. As the assessed risk of economic slowdown and interest rate fluctuation remains high, financial institutions can anticipate needing to react to these and similar macroeconomic factors.

The transformations taking place within the financial sector are affecting everything from customer expectations and product offerings to operating models and digital strategies. And the evolution of fintech is not only driving competition with banks over services but could also be driving competition over talent: according to our data, 70 percent of financial institutions report losses in digital talent.¹ This failure to attract or retain talent is common across industries, but within this sector, financial institutions without the talent to address other risks and novel factors may experience a failure to innovate or meet customer needs. Historically, financial institutions have countered talent-related risks with relatively high pay; however, many have shifted to a strategy that combines pay (levels and structures) with employee value propositions (EVPs) and purpose.

Underrated Risks

It is surprising to see neither climate change nor ESG or corporate social responsibility (CSR) enumerated as current or future top 10 risks, although respondents may be contemplating these risks under the umbrella of regulatory or legislative changes. As climate change affects economic systems around the world, ESG or CSR criteria are increasingly top of mind among clients and investors when making decisions about their consumption or investments. Inadequate incorporation or disclosure of ESG-related information, greenwashing and other problems arising from immature and insufficient ESG practices could also result in investigations, fines and penalties from global regulators.

Given their fiduciary duty to best offset the impacts of economic and political volatility, AI and other risks, directors and officers face tremendous liability and personal asset risks, making personal liability (directors & officers) the second most underrated risk. As scrutiny from the US Securities and Exchange Commission increases, cases involving directors and officers of financial institutions are also rising in profile.

High interest rates are expected to persist, which could lead to higher default rates for financial institutions and, in turn, to counterparty credit risk. Transferring credit exposures to capital and insurance markets could be a viable option to mitigate counterparty credit risk, particularly when regulatory capital incentives are available. In the current economic climate, it is interesting to see that this risk has not made it into the top ten risks for the sector.

Losses and preparedness

A quarter of Financial Institutions respondents suffered a loss due to the risks in the top ten, while 60 percent have plans in place to respond to them.

  • 26%: average percentage of respondents who indicated risks in the top ten contributed to a loss for their organization in the 12 months prior to the survey. Source: Aon's 2023 Global Risk Management Survey

  • 60%: average percentage of respondents who stated their organizations have set up a plan to respond to risks in the top ten. Source: Aon's 2023 Global Risk Management Survey

Future Risks

The rapid evolution of digital assets and AI use in the absence of prior experience and regulation could expose financial institutions to losses stemming from the use of the technology in their own operations, as well as from outside parties committing AI-enabled fraud. For financial institutions that develop their own AI, proper identification and quantification of those digital assets will be critical.

Top 10 Future Risks
  1. Cyber Attack or Data Breach
  2. Regulatory or Legislative Changes
  3. Failure to Attract or Retain Top Talent
  4. Economic Slowdown or Slow Recovery
  5. Artificial Intelligence
  6. Cash Flow or Liquidity Risk
  7. Failure to Innovate or Meet Customer Needs
  8. Asset Price Volatility
  9. Interest Rate Fluctuation
  10. Tech or System Failure

While today financial institutions rank failure to attract or retain top talent at number eight, they anticipate that it will rise to third place as a future risk, roughly swapping places with tech or system failure. Emerging and evolving technologies, coupled with an aging workforce, mean that financial institutions’ growth will depend on attracting younger workers with the necessary skills to understand and innovate using new tools. New value propositions for employees, such as remote options, work-life balance and ESG-centric policies, can help financial institutions attract and retain the talent required to remain competitive.


Despite it being the industry's most critical risk both now and in the future, only 12 percent of financial institutions respondents stated they had quantified their cyber exposure.

Source: Aon's 2023 Global Risk Management Survey

How Can Financial Institutions Mitigate These Risks Effectively?

Because cyber attacks and data breaches are such rapidly evolving, complex exposures, ownership and understanding of how to mitigate these risks and strengthen resilience cannot be siloed or outsourced. Instead, cyber risks must be viewed not only through a cyber security lens but also from an organization-wide perspective. To be able to approach cyber risk holistically, investments in training, communication and, often, reskilling are needed. In an environment where new talent is hard to attract, upskilling the existing workforce to be able to address these risks is more important than ever. Retaining talent will depend on building a strong EVP to balance pay with other benefits.

In addition to targeted mitigation of cyber risk, financial institutions could benefit from integrating loss quantification, scenario analysis and insurance optimization across top operational risks. It is critical to properly and thoroughly assess and quantify risks such as cyber, third party, tech or system failure, and reputation. Long-tail risks can be easily overlooked, and exposures related to digital and crypto assets could be catastrophic. Once top risks are properly assessed and quantified, risk-transfer options can be employed, including tools such as captives. These risks are interconnected and increasingly complex; mitigating both insurable and non-insurable risks requires changes in governance and strategy. Examples include more formal and regular cadences for joint review and decision making between stakeholders such as CFOs, CPOs, CROs, COOs and CTOs.

Improved quantification is particularly important for ESG considerations. Regulation of climate-related risk quantification and disclosure is ramping up in the financial sector. Proper quantification requires data and modelling to avoid any actual or perceived misrepresentation. If managed and communicated well, ESG can be a strong differentiator for financial institutions.

¹ Workforce Resilience Diagnostic Model Insights; 2022 Aon Workforce Resilience Risk Benchmark; Aon 2022-2023 Global Wellbeing Survey.

General Disclaimer
This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent, or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss caused by reliance on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.
