THE SUPERVISION BLOG
A key step in assessing SSM banks’ digitalisation journey and related risks
11 July 2024
Assessing how banks implement their digitalisation activities and manage the related risks has been one of the ECB’s supervisory priorities in recent years. We have now completed a key milestone for defining assessment criteria and in gathering sound practices. The Supervision Blog looks at this important step.
As the world has gotten increasingly digital in recent years, one of our supervisory priorities has been to assess risks related to banks’ digitalisation activities. After gathering market intelligence, carrying out a comprehensive survey of all significant institutions in 2022, conducting on-site inspections throughout 2022-23 and finally performing a recent targeted review of 21 banks in autumn 2023, we have now reached a key milestone by publishing a report that defines assessment criteria and sound practices for digitalisation. This work taken together allows us to take stock of banks’ sound practices and identify important aspects for a sustainable, well-governed and risk-aware steering of banks’ digitalisation. We will build on this initial stocktake in the coming years via new supervisory activities to deepen our understanding of the risks related to banks’ applications of digital technologies.
Key assessment criteria
Focusing on the recent targeted reviews, the main objective was to assess how banks shape, steer and implement their digitalisation strategies, focusing closely on risk identification and mitigation.
Our assessment criteria (as summarised in Grid 1) were based on the regulations and principles under the Capital Requirements Directive and the relevant European Banking Authority (EBA) guidelines, particularly regarding our regular annual health check of banks − the Supervisory Review and Evaluation Process (SREP) – as well as on outsourcing and internal governance. We applied those requirements to risks concerning digitalisation and the use of innovative technologies, including the strategic risk of not keeping pace in a fast-changing competitive environment. An in-depth comparison of banks’ practices allowed us to define a more granular view of how these assessment criteria can be interpreted for digitalisation.
Our report describes these assessment criteria in further detail and outlines some sound practices in the digital context we observed. These assessment criteria and sound practices will also be fine-tuned as we continue assessing risks related to digitalisation.
Main observations and collection of sound practices
We found that the banks demonstrating sound practices assess both the opportunities and risks related to their digital strategy, based on a granular assessment of their business environment. A substantiated evaluation of the strategic and business risks is equally important for those banks which consciously decide to limit digitalisation. The most advanced digital strategies are ones embedded in business or IT strategies, translated into digital initiatives driven by business use cases and technological developments which are then consistently evaluated for efficacy during the execution phase. We found that most banks have already used digital solutions to transform their back and front office operations, and that those that have made the most progress are now focusing on incremental digital improvements.
However, many banks have not defined sufficiently granular key performance indicators (KPIs), including those assessing the impact of their digital strategies on profit and loss. This means they cannot determine the effectiveness of their strategies or whether they have met their objectives. A key success factor is establishing KPIs throughout the execution phase to assess the ongoing impact of digital strategies; this allows for better visibility into the progress made towards the strategic objectives of digitalisation initiatives.
A clearly defined digital strategy is one that can be properly steered and implemented, and rolled out consistently across the organisation. However, for many banks this is often not yet the case. Strong organisational awareness, whereby banks embrace a digital culture and attract top talent, can help to implement a group-wide digital strategy and to foster digital proficiency. Digital expertise at the level of the management body also needs to be enhanced to ensure the proper steering and risk monitoring of digital initiatives.
One of the sound practices observed is supervisory board members who engage in proactive, information-based discussions that enable the bank to adequately define a digitalisation strategy and oversee its execution. Many of the banks we reviewed still have a lot of room for improvement in this area. On the other hand, when setting a digital strategy, it is also important to involve the independent internal control functions from the outset, which in most banks is already the case.
Another sound practice is conducting a holistic assessment of the digital strategy’s impact on the bank’s overall risk profile, which also helps to create a comprehensive picture of the risks related to digitalisation. Scenarios, models (including behavioural models) and peculiarities of the bank’s risk assessment and risk management frameworks also merit special attention.
While many banks assess IT-related risks, or operational risks more broadly, they also give weight to considering outsourcing requirements and risks specifically related to critical dependencies and third-party relationships, procedures or software (including beyond their outsourcing frameworks). Also, since digitalisation can have broad-based implications for future financial performance, banks should be able to gauge any changes to their financial risk exposure which their digital strategy could trigger. Finally, the more far-reaching and technologically advanced the digital choices banks make, the greater the need for effective data governance that covers all data streams, and for strong information sharing and issue escalation to a management body that is well equipped to understand, steer and manage risks based on the reports it receives.
Next steps
Going forward, we will expand the focus of our supervisory work to include reviewing the use of specific technologies more broadly. These include the deployment of AI and related business use cases. We will also continue to sharpen our focus on the impact of banks’ digitalisation strategies, including the evolving opportunities and risk drivers of banks’ digitalisation efforts and their associated risks and benefits. We will also strive to better understand the linkage between banks’ efforts to evaluate digitalisation strategies and their decisions to make and measure investments. Again, this is important both for decisions to pursue digitalisation strategies and for decisions not to pursue them. Decisions in either direction can have positive or negative implications.
To date, we have identified some key AI use cases and related risk drivers from a strategic and operational standpoint. The risk drivers outlined below will be developed further as we collect additional relevant information. We also aim to expand this overview, for example with the benefit of further insights on the potential impact on financial risks. Lastly, clustering banks according to sound practices and the use of innovative technologies will help us tailor our supervisory work to the different stages of their digitalisation journey, as well as the diversity of approaches and the related risks within peer institution cohorts.
Table 1
Examples of the risk drivers that banks face on their digitalisation journeys
| Strategic risk drivers | Executional/operational risk drivers |
|---|---|
| Governance, vision and tone from the top | Organisational structure |
| Investment decision and timing | Budget optimisation and in-house/external inputs |
| Alignment to business objectives | Coordination and project management capabilities |
| Positioning in fintech ecosystem | Outsourcing and third-party management |
| Innovative technologies adoption | Innovative technologies implementation (e.g. compliance, cyber risk, other IT-related risks) |
Source: ECB.
Chart 1: Clustering analysis by digitalisation risk profile (chart not reproduced here)
Our journey therefore does not end here: we will continue to engage closely with the banking industry to ensure that risks stemming from the rapidly evolving digitalisation landscape are properly managed.
Grid 1 – Key assessment criteria for a sound steering of digitalisation around business model, governance and risk management
Business model
- Understanding the impact of digital trends on the business environment in which institutions operate in the short, medium and long term, in order to be able to make informed commercial and strategic decisions.
- Based on an informed perspective, deciding on the need to formulate a clear and well-articulated digital strategy, and defining strategic objectives that are to be achieved by means of digitalisation and innovation.
- Having in place adequate financial and non-financial execution capabilities for a proper implementation of the digital strategy as defined.
- Developing a comprehensive framework of financial and non-financial key performance indicators (KPIs) for monitoring the implementation and execution of the digital strategy and for reassessing it in the event that targets are missed.
Governance
- Having a clear allocation of responsibilities for digital topics in the management body, whether through individual allocation to members with a management function (executives) and/or senior managers reporting to the executive management, or through a dedicated centralised steering/coordination body, enabling adequate coordination of digital initiatives at group level.
- Setting up adequate processes covering all subsidiaries and business lines: defining the business areas ultimately responsible for reporting on digitalisation initiatives and setting up top-down steering and monitoring processes and proper bottom-up reporting processes.
- Having a management body with a supervisory function/non-executive role that constructively challenges the management body in its management function/executive level role and provides effective oversight of the digitalisation strategy and related risks.
- Assigning internal control functions a strong role in the digitalisation process, new product approval process (NPAP) and ongoing business operations, while ensuring their independence.
- Embedding digitalisation in the risk culture (e.g. tone from the top, incentives, risk accountability and a culture of challenge), both top-down and bottom-up, including the communication on strategy and risks, thereby creating awareness and fostering knowledge.
- Ensuring insight and monitoring of critical dependencies, interdependencies and third-party relationships, and not only of outsourcing, on an ongoing basis.
Risk management
- Carrying out a detailed impact review on traditional and non-traditional dimensions of risk during the process of digital strategy-setting and the NPAP as well as during the execution of the digital strategy.
- Having in place a data governance process to support data-driven digitalisation activities.
- Assessing and updating all dimensions of the risk map, reviewing the suitability of existing risk models in view of digitalisation and adapting them as necessary.
- Reviewing the risk appetite framework (RAF), the risk management framework (RMF) and the key risk indicators (KRIs) defined ex ante and adapting them if needed in view of digitalisation initiatives.