Reimagining risk management to face new economic and non-financial dangers
Key findings from the Global risk management survey, 11th edition

Developments in the global economy, business outlook, and regulatory requirements are creating a challenging new environment for risk management.



Edward Hida - Global Leader - Financial Risk community of practice - Risk & Financial Advisory – Partner, Deloitte & Touche LLP

Published on 17 September 2019



Developments in the global economy, business outlook, and regulatory requirements are creating a challenging new environment for risk management. The rising tensions over trade policy provide a source of uncertainty in the global economic outlook. With the Brexit negotiations still underway, the eventual impact on the financial industry in Europe of the withdrawal of the United Kingdom from the European Union remains unclear. Competition from fintech firms is not confined to startups, but now includes major technology and e-commerce companies. There have been growing concerns that the world economy may be ready for another in the series of periodic crises that have hit markets and reduced growth. The increased volatility and unpredictability in the business and regulatory environment provide strong incentives for financial institutions to transform their risk management programs.

Continued growing importance of cybersecurity risk

There was broad consensus that cybersecurity is the risk type increasing the most in importance. Sixty-seven percent of respondents named cybersecurity as one of the three risks that would increase the most in importance for their business over the next two years, far more than for any other risk. Yet, only about one-half of the respondents felt their institutions were extremely or very effective in managing this risk. For specific types of cybersecurity risks, respondents most often considered their institutions to be extremely or very effective in managing disruptive attacks (58 percent), financial losses or fraud (57 percent), cybersecurity risks from customers (54 percent), loss of sensitive data (54 percent), and destructive attacks (53 percent). They were less likely to consider their institutions to be this effective when it came to threats from nation state actors (37 percent) or cybersecurity risks from third-party providers (31 percent). In managing cybersecurity risk, respondents most often cited as extremely or very challenging staying ahead of changing business needs (e.g., social, mobile, analytics, and cloud) (58 percent) and addressing threats from sophisticated actors (e.g., nation states, skilled hacktivists) (58 percent).

Increasing focus on nonfinancial risks

Almost all respondents considered their institutions to be extremely or very effective in managing traditional financial risks such as market (92 percent), credit (89 percent), asset and liability (87 percent), and liquidity (87 percent). In contrast, roughly one-half of the respondents said the same about a number of nonfinancial risks including reputation (57 percent), operational (56 percent), business resilience (54 percent), model (51 percent), conduct and culture (50 percent), strategic (46 percent), third-party (40 percent), geopolitical (35 percent), and data integrity (34 percent). Financial institutions should consider adopting a holistic approach to managing nonfinancial risks.

Addressing risk data and IT systems is a top priority

A theme that runs throughout the survey results is the importance of enhancing risk data and IT systems. This has been a continuing issue for financial institutions and the financial services industry for some time and indicates the deep-seated difficulty of providing quality data from source through many systems and processes to its ultimate users. When asked about the risk management priorities for their institutions over the next two years, the issues cited most often as being an extremely or very high priority were enhancing the quality, availability, and timeliness of risk data (79 percent) and enhancing risk information systems and technology infrastructure (68 percent). This is consistent with results showing roughly one-third of respondents felt their institutions were extremely or very effective regarding data governance (34 percent) and data controls/checks (33 percent).

The potential of digital risk management

Continued advances in a range of emerging technologies present a significant opportunity to dramatically transform the efficiency and effectiveness of risk management. Much of this opportunity is still to be realized; relatively few institutions reported applying some of these emerging technologies to risk management. The technologies that institutions most often reported using were cloud computing (48 percent), big data and analytics (40 percent), and Business Process Modeling (BPM) tools (38 percent). Although adoption is currently fairly low, respondents believed that emerging technologies will deliver very large or large benefits in many areas such as increase operational efficiency/reduce error rates (68 percent), enhance risk analysis and detection (67 percent), and improve timely reporting (60 percent). Roughly one-half of respondents expected new technologies to provide this level of benefit to improve the scope and coverage of risk management via exception handling versus sample testing (54 percent) and reduce costs (45 percent).

How much potential benefit do you believe that your organization could gain in each of the following risk management areas from the application of emerging technologies?

What are the most significant challenges your organization faces in maintaining a "three lines of defense" risk governance model?

Addressing the challenges in the three lines of defense risk governance model

Virtually all institutions (97 percent) reported employing the three lines of defense risk governance model, but said they face significant challenges. The challenges most often cited as significant typically involved the role of Line 1 (business units) including defining the roles and responsibilities between Line 1 (business) and Line 2 (risk management) (50 percent), getting buy-in from Line 1 (the business) (44 percent), eliminating overlap in the roles of the three lines of defense (38 percent), having sufficient skilled personnel in Line 1 (33 percent), and executing Line 1 responsibilities (33 percent). These challenges are consistent with our experience with financial institutions as many have been, or are in the process of, clarifying the roles of the first and second lines of defense and working to improve the efficiency and effectiveness within the three lines of defense model.


Now that the pace of regulatory change has abated, institutions have the opportunity to reconsider how risk management is structured and managed. The three lines of defense risk governance model should be re-examined to eliminate overlapping responsibilities and to ensure that the business units in Line 1 have a clear understanding of their responsibilities to manage the risks they assume. These changes, which are already beginning to be implemented, mark a fundamental break with traditional approaches. In institutions that seize this opportunity, a risk-aware culture will infuse the organization, flowing from senior management as they devise strategy for business units to make day-to-day business decisions. The risk management function should have robust capabilities to manage a wide range of nonfinancial risks, especially cybersecurity, conduct, and third-party risk. Risk management could be powered by digital tools that provide early warning of impending risk events, offer insight into the factors that increase risk, and free risk professionals from repetitive tasks, allowing them instead to concentrate on identifying emerging risks and adding value.



Global risk management survey, 11th edition executive summary

Financial organizations face challenges from nonfinancial risks such as cybersecurity, model, third-party, and conduct risk—as well as looming economic dangers—that will require institutions to rethink their traditional risk management approaches.
