Our top ten risks for firms in 2023

Overall, firms weathered the initial turmoil of the Covid-19 pandemic reasonably well thanks to a combination of deployment of technology to provide flexibility in remote working, and, in the case of banks, balance sheets which have been substantially bolstered in the aftermath of the financial crisis.

The pandemic triggered a significant amount of disruption and uncertainty, and recent global events have both exacerbated existing challenges and brought with them new ones. Russia’s invasion of Ukraine has put significant pressure on the supply and price of energy and goods. Consumers are confronted by a cost-of-living crisis, largely as a result of rising food and energy prices. Globally, the focus of governments, businesses and consumers is shifting towards ESG and the physical and transition risks that climate change poses. These issues are complex and interconnected; therefore, firms must ensure their risk management capabilities are robust and can support the business to adapt to changes and shocks and manage risk in a holistic and proactive way.

We have ranked the top ten risks for 2023 based on shared knowledge with firms and feedback from regulators’ insights, and have assessed the risks that financial services are increasingly susceptible to in 2023.

1. IT Disruption

This is the loss of confidentiality, integrity and availability of information, data or systems and the potential adverse impacts on operations if an incident, attack or breach were to occur.

As firms adapted to the pandemic and shifted to remote working arrangements, their risk profiles altered, creating an even greater dependency on IT systems. Due in part to this increased reliance on software, systems and data, and the complexity of these landscapes, the frequency and severity of sophisticated cyber-attacks have increased. Risk mitigation will entail the investment in and development of robust information security management systems and controls to match the increased risk.

2. Geopolitical risk

The wide array of risks associated with geopolitics, conflicts or tensions between states, and the impacts on businesses, trade, security and political relations.

The recovery seen in Europe following the pandemic has dwindled, in part due to Russia’s invasion of Ukraine. The war and the disruptions in trade have caused a deterioration in the global economic outlook. Global instability has far-reaching consequences, from the immediate risk of Russia cutting off gas supply to second-order risks of soaring costs. Further knock-on effects are central banks tightening monetary policy to control inflation, and higher borrowing costs. Geopolitical risk is pervasive and can arise in unexpected ways. Firms must ensure they are assessing and managing both the direct and indirect exposures they may have to these issues and the potential impact on their ability to achieve their business plan.

3. Regulatory risk

The risk that firms are unable to keep up with regulatory changes or are ineffective at implementing those changes, which can result in limited internal standards development or non-compliance.

Firms must have appropriate horizon scanning and regulatory management processes in place to ensure they adhere to the ever-evolving supervisory requirements and avoid any fines and reputational damage from non-compliance.

4. Climate and sustainability

Climate risks refer to the physical risks of climate change, which can result in damage to property, reduced productivity or disruption of supply chains, and the transition risks, which arise from the process of adjusting towards a lower-carbon and more environmentally sustainable economy.

Climate action failure is thought to be one of, if not the, biggest long-term threats to the world and so will remain at the top of every boardroom’s agenda in 2023. Firms will need to understand the full scope of their financed emissions (associated with lending, underwriting and investment activities) as well as their direct emissions to enable Board and Management teams to effectively manage climate risk. Regulated firms are expected to embed climate risk considerations into their risk management programmes in a proportionate manner and develop appropriate modelling capabilities to quantify the impact of climate change on their balance sheets and financial performance.

5. Information risk

The loss of confidentiality, integrity and availability of information, data or systems and the potential adverse impacts on operations if an incident, attack or breach were to occur.

The increase in remote working arrangements has altered banks’ risk profiles and created an even greater dependency on IT systems. Due in part to this increased reliance on software, systems and data, and the complexity of these landscapes, the frequency and severity of sophisticated cyber-attacks have increased. Risk mitigation will entail the investment in and development of robust information security management systems and controls to match the increased risk.

6. Operational resilience

The ability of firms to prevent, adapt to, respond to and recover from operational disruptions.

The pandemic led to significant operational disruption and increased operational risks. It proved to be a great test of the operational resilience of financial firms; however, it exemplified the need for firms to identify potential failures and assess the vulnerabilities of critical operations on an ongoing basis to ensure they can maintain resilience in the face of potential disruptions. Banks must now ensure that recent regulatory requirements that have been put in place do not become a ‘tick-box’ exercise for compliance purposes but remain fit for purpose and can support business operations in the event of other severe operational shocks.

7. Outsourcing and third-party risks

These are the risks that arise from contracting with service providers and, in particular, the risk that a service, product or activity provided by a supplier will deteriorate, be interrupted, or cease indefinitely, exposing businesses to operational, reputational and/or financial damage.

Firms’ dependence on outsourced providers and third parties continues to increase, which exposes individual firms and, in extreme cases, the wider financial system to greater risk. Firms have had to comply with the PRA’s requirements, which came into force on 31 March 2022 and which should be considered alongside the operational resilience requirements. Requirements involve identifying and assessing the materiality and risks of all outsourcing and third-party arrangements, as well as applying appropriate and proportionate governance and controls.

8. Model risk

This is the potential adverse consequence from model errors or the inappropriate use of modelled outputs to inform business decisions.

Firms’ increased use of data, advances in computing, modelling and algorithms, and overall dependence on modelling mean the risk of errors arising from suboptimal models and poor decision-making has increased. This, coupled with the regulator’s increased focus on the topic, requires firms to understand and manage model risk in a more holistic and robust manner. Risk mitigation will involve the development of guidelines and processes for developing, validating and monitoring models in a manner that is proportionate to the complexity and risks of the organisation.

9. Change management

This is the increased risk firms are potentially exposed to from a failure to effectively manage the transformation of key technologies, processes or business strategic objectives.

In particular, firms need to be able to ensure the safe and sound adoption of new technologies so that the benefits can be reaped and the risks arising from the adoption of innovative activities are proactively and appropriately managed. Firms will need to continue to adapt and evolve in order to meet customer demand and keep up with the more agile and technologically savvy fintech challengers. Firms should consider implementing robust change management frameworks and processes that clearly describe the roles, responsibilities and governance arrangements that oversee and manage the risks associated with strategic change projects.

10. Talent / remuneration risk

This is the risk that firms are unable to attract and retain talent, which heightens risks around key person dependency, succession planning and misconduct.

The pandemic forced employers to revisit their talent management strategies, particularly as remote working transformed how we work. In the UK, the ‘great resignation’[1] in 2021 was accompanied by employees seeking greater work-life balance, higher pay, and better benefits. Companies are more than ever faced with increased labour costs and difficulties in attracting and retaining talent, especially in skilled roles and critical functions. The Board and Executive committees need to assess the current and future needs of the business and ensure their recruitment infrastructure supports this.

What should firms be doing?

Business environments are constantly evolving so firms must ensure their risk capabilities are agile and operate in an iterative way to reflect firms’ changing risk profiles. Assessing your framework, identifying areas for improvement and developing a clear roadmap of actions will go towards successfully achieving your desired outcomes.

[1] The Great Resignation: How employers drove workers to quit - BBC Worklife