Anneli Tuominen
ECB representative to the Supervisory Board

SPEECH

Bank governance in a changing risk landscape

Speech by Anneli Tuominen, Member of the Supervisory Board of the ECB, at the “Board of the Future” seminar, jointly organised by the European University Institute and the ECB

Florence, 27 October 2025

It is a pleasure to be here today to continue the fruitful dialogue on bank governance matters which we have established with banking industry representatives through this seminar in recent years.[1]

I would like to briefly discuss the implications of a changing risk landscape for the functioning of banks’ boards. While risk-taking and risk management are still the fundamental tenets of modern banking activity, it is evident that the backdrop to this activity has altered significantly in recent years. I am referring in particular to risks related to the digitalisation of banks’ business models, including cyber risk and IT-related risks, as well as geopolitical risks and, more recently, hybrid threats. None of these risks are new to banks, but the magnitude of the threat which they pose has increased. This is certainly the case for cyber risks, where the number of cyberattacks reported by banks has increased significantly[2], and I would argue that it is also true of the other risk factors which are harder to measure.[3] These “non-traditional” risks are in addition to “traditional” sources of vulnerabilities for banks, such as credit, market and liquidity-related risks. And all of this has taken place in a context in which market uncertainty – as proxied by standard indicators[4] – has remained moderately high by historical standards.

The demands placed on banks’ boards have thus risen as the risk landscape in which banks operate has become more complex, underscoring the need for them to have robust governance frameworks in place. It would be premature for me to assert at this stage that this amounts to “the new normal”. However, I would argue that, as the digital transformation is essential for banks’ long-term survival regardless of their business model, many of these risks are not only irreversible but will likely grow in importance over time. If this is indeed the case, then the next question to ask is what sort of qualities would banks’ boards need to have in order to thrive in this altered environment. In my view, there are at least three features which should be highlighted in this regard.

What qualities should the “board of the future” exhibit?

A sound knowledge base and robust “awareness” to guard against risks. The first has to do with the concept of suitability of the board, both as a whole and individually. If the nature of the risks facing a bank has changed, or such risks have grown in number, it follows that the board as a whole needs to possess the necessary knowledge, skills and experience in these “new” areas to understand and effectively oversee the bank’s business, manage its risks, and make sound decisions. The need for banks to build sound knowledge bases in their management bodies has been well documented. The bitter experience during the global financial crisis underscored the importance of boards devoting sufficient time and effort to understanding banks’ business models and risk management practices. This requires board members to have both adequate prior experience in banking matters and diverse backgrounds so as to avoid potential problems associated with “group think”.[5] More recently, the Federal Reserve System’s report on the factors leading to the demise of Silicon Valley Bank in the spring of 2023[6] was a timely reminder of both the pitfalls related to ineffective corporate governance and the need for boards to “reassess” their banks’ strategy as the risk landscape evolves.

The good news is that banks are very much aware of the perils which non-traditional risks could pose to their franchise. For example, a recent risk management survey conducted by the Institute of International Finance revealed that cybersecurity remained the top concern for 75% of chief risk officers in global banking, primarily on account of geopolitical tensions.[7] However, as regards banks directly supervised by the ECB, we see that there is still room for improvement in the collective expertise of their management bodies in the area of information and communication technology (ICT) risk and security risks stemming from the digitalisation of banking services. This is why last year we developed a dedicated set of supervisory expectations to help banks bridge the remaining gaps in this area.[8] Our supervisors apply these expectations on a case-by-case basis when assessing the collective knowledge of management bodies in the context of fit and proper assessments. These expectations will also be useful for banks in managing the requirements stemming from the EU’s Digital Operational Resilience Act (DORA)[9], which entered into force at the beginning of the year. This is because, among other things, DORA attributes specific responsibilities to banks’ boards for the governance and organisation of ICT risk management, emphasising the relevance of boards’ knowledge and skills to understanding and assessing ICT risk and its impact on their banks’ operations. DORA also requires some types of banks to perform advanced security testing using external “ethical hackers” who try to break into their IT systems, a process known as threat-led penetration testing. The ECB will be responsible for managing these tests for banks under its supervision[10] and certifying that they meet the requirements. This is another way in which we hope to help banks strengthen their cyber resilience strategy.

Robust risk awareness is therefore a prerequisite for bank boards to identify and define effective strategies to manage risks, including by setting appropriate risk tolerance levels. In my view, this risk awareness should also extend to staff recruitment practices, for example through background checks, in order to avoid surprises further down the line. However, non-traditional risks faced by banks nowadays have the potential to interact with each other, or to act as drivers of traditional risk categories. Two examples of this are the positive correlation between increasing cyberattacks and rising geopolitical risk which I mentioned earlier, and credit risk potentially materialising in banks’ balance sheets on account of higher geopolitical risks (through increased trade protectionism). But these are certainly not the only ones.

This intersection of potential risks exacerbates the difficulties inherent in banks’ risk identification process – but here too the ECB is taking steps to assist banks. This is why we have announced that next year we will be conducting a reverse stress test on geopolitical risk.[11] Unlike an ordinary stress test, we will be providing an outcome rather than a scenario. It will then be up to each bank to determine what kind of scenarios would lead to that particular outcome. Separately, our guide on effective outsourcing risk management for banks that use third-party cloud services, which we finalised earlier this year[12], could be cited as another example of ways in which we try to encourage banks to proactively think about potential “hidden” or interrelated risks (in this case because many banks typically outsource some critical functions to a handful of third-party service providers, such that they could be exposed to common risks).

Strong communication and investing in franchise value to avoid reputational risks. The second quality relates to communication. The silver lining to the recurrent external shocks which have hit the banking sector in recent years is that banks’ management bodies have had many opportunities to refine their “crisis mode” playbook to be deployed in adverse scenarios, including with regard to internal communication channels. However, during the cyber resilience stress test which we conducted last year[13], we found that many banks didn’t have sufficiently well-developed communication plans to reach out to their customers in crisis situations, including cyber incidents. This is especially concerning given that, according to a recent survey by the EU Agency for Cybersecurity, banks are by far the most affected entities in terms of number of cyberattacks in the European financial sector as a whole. Banks accounted for nearly half of all reported incidents in 2023 and the first half of 2024.[14] Our supervisors are therefore following up with the affected banks to ensure that effective communication contingency plans are in place.

This brings me to a related point, which is the need for banks’ boards to invest in franchise value so as to avoid reputational risks in the digital age. Back in 2022 the European Banking Authority warned that European banks could be victims of “fake news” and thus see sudden deposit withdrawals as part of the fallout from Russia’s invasion of Ukraine.[15] That risk has not materialised – but just last April, the EU Agency for Cybersecurity warned about disinformation circulating via social media regarding an alleged cyberattack on European banks in the context of the power outage in parts of southern Europe[16]. Banks therefore need to be prepared for such contingencies. Benjamin Franklin is quoted as saying that “it takes many good deeds to build a good reputation, and only one bad one to lose it”.[17] I would argue that this is especially true in the era of digitalisation, information and disinformation, where the influence of social media can make bank runs move faster, as we saw during the market turmoil of spring 2023 in the United States[18]. Reputational risks thus become a potentially existential threat. In my view, maintaining a stable deposit franchise to keep liquidity risks in check, and building a brand by securing a strong reputation for reliability and trustworthiness – including through the continued provision of essential services to customers – are the best ways for banks to guard against these potential threats. Banks’ boards have a critical role to play in this regard with their strategic steering and risk oversight to maintain franchise value over time[19].

Navigating the trade-off between adaption and innovation. The third quality has to do with adaption and innovation. Banks are typically on the receiving end of third-party risks both directly and indirectly, including from households, corporations and governments. But through their capital allocation decisions, banks also affect risk perception (and risk preference) by such parties in the first place. When deciding on strategic resource allocation, banks’ boards are confronted with a fundamental trade-off. On the one hand, they could try to maximise efficiencies and improve existing capabilities, leveraging assets for short-term gain. On the other hand, they could opt to devote resources to innovating and pursuing new business lines in an attempt to secure longer-term rewards.

In organisational learning literature, this trade-off is referred to as “exploitation versus exploration”, though I prefer to see it as a dilemma between adaption to a known state of affairs and innovation to prepare for a future which is unknown.[20] The trade-off is therefore not new to banks, but I would argue that technological advancements are raising the stakes associated with the potential “winner and loser” scenarios. Banks’ use of cloud services in recent years could be cited as a relevant example, because the benefits which the outsourcing of some services might bring have to be carefully weighed against the back-up infrastructure that needs to be in place should such arrangements fail. Looking ahead, an important question for banks is the extent to which they will be willing and able to invest in artificial intelligence (AI) solutions to transform both their risk management processes and their business models more broadly. In this respect, banks’ boards have a delicate balance to strike, because apart from the financial commitment itself, investment in AI requires banks to be in a position to understand and manage the risks which such technology will also bring.

A common journey for banks and their supervisors

Let me conclude. The risk oversight function of banks’ boards has become more complex in recent years, mainly due to the emergence of risks to operational resilience and geopolitical risks which I have referred to as non-traditional risks. I have argued that these risks are likely to remain in the future. This is not just because digitalisation appears irreversible, but also because, regardless of the intensity of non-traditional risks, banks will still need to incorporate their potential interaction with “traditional” risk categories into their risk management strategies. In order to thrive in this altered risk landscape, I have underlined that banks’ boards will need to ensure they have a sound knowledge base and display robust “awareness” to guard against risks, exhibit strong communication skills and invest in franchise value to avoid reputational risks, and strike a delicate balance between adaption and innovation.

But I have also emphasised that banks have not been left alone to navigate this challenging environment. The altered risk landscape which has emerged in recent years is not only new to banks, but also to us supervisors. There has therefore been a learning curve on both sides. We have tried to tailor our supervisory initiatives to help banks manage risks in these non-traditional areas, and in doing so, we have also had to reassess some of our own processes and practices to be able to deliver on our goals. This will continue to be our guiding approach, because as the popular proverb goes, “if you want to go fast, go alone, but if you want to go far, go together”.

  1. I am grateful to Francisco Ramon-Ballester for preparing a first draft of this speech, and to Giorgio Buono, Constantinos Christoforides, Maria Julve, Eleni Koupepidou, Marco Rocco and Roberto Ugena for helpful comments. I am solely responsible for the views expressed here and for any errors.

  2. Tuominen, A. (2025), Operational resilience in the digital age, January.

  3. See for example the recent evolution of the geopolitical risk index developed by Caldara and Iacoviello (2022), as reported in the April 2025 edition of the ECB Macroprudential Bulletin, or the global BlackRock Geopolitical Risk Indicator (BGRI).

  4. This refers to the Chicago Board Options Exchange Volatility Index (VIX) and the ECB’s Composite Indicator of Systemic Stress (CISS).

  5. Financial Crisis Inquiry Commission (2011), The Financial Crisis Inquiry Report: Final Report of the National Commission on the Causes of the Financial and Economic Crisis in the United States, February; and Financial Stability Board (2013), Thematic Review on Risk Governance, February.

  6. Board of Governors of the Federal Reserve System (2023), Review of the Federal Reserve’s Supervision and Regulation of Silicon Valley Bank, April.

  7. EY (2025), Latest EY and IIF survey reveals cybersecurity as top risk for global CROs amid geopolitical tensions, February.

  8. ECB (2024), New policy for more bank board expertise on ICT and security risks, Supervision Newsletter, February.

  9. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) (OJ L 333, 27.12.2022, p. 1).

  10. We will soon publish a guide setting out the details of how we plan to organise these controlled cyberattacks by adopting and implementing the threat intelligence-based ethical red teaming (TIBER-EU) framework.

  11. Buch, C. (2025), Stress tests in uncertain times: assessing banks’ resilience to external shocks, September.

  12. ECB (2025), ECB finalises Guide on outsourcing cloud services, July.

  13. ECB (2024), ECB concludes cyber resilience stress test, July.

  14. European Union Agency for Cybersecurity (2025), ENISA threat landscape: finance sector, February.

  15. European Banking Authority (2022), Risk Dashboard (Data as of Q4 2021).

  16. European Union Agency for Cybersecurity (2025), ENISA Disinformation Alert.

  17. Eccles, R., Newquist, S. and R. Schatz (2007), Reputation and its Risks, Harvard Business Review, February.

  18. Financial Stability Board (2024), Depositor Behaviour and Interest Rate and Liquidity Risks in the Financial System. Lessons from the March 2023 banking turmoil, October.

  19. Kwan, S. and Z. Martinez (2024), Bank Franchise as a Stabilizing Force, Federal Reserve Bank of San Francisco, Economic Letter 2024-20, August.

  20. March, J. (1991), Exploration and Exploitation in Organisational Learning, Organization Science, Vol. 2, No. 1, pp. 71-87, March.

CONTACT

European Central Bank

Directorate General Communications

Reproduction is permitted provided that the source is acknowledged.