Emerging IT Risks: Insights from German Banking

  • Simon Ashby
  • Trevor Buck
  • Stephanie Nöth-Zahn
  • Thomas Peisl
Article

Abstract

How do German banks manage the emerging risks stemming from IT innovations such as cyber risk? With a focus on process, roles and responsibilities, field data from ten banks participating in the 2014 ECB stress test were collected by interviewing IT managers, risk managers and external experts. Current procedures for handling emerging risks in German banks were identified from the interviews and analysed, guided by the extant literature. A clear gap was found between enterprise risk management (ERM) as a general approach to risks threatening firms’ objectives and ERM’s neglect of emerging risks, such as those associated with IT innovations. The findings suggest that ERM should be extended towards the collection and sharing of knowledge to allow for an initial understanding and description of emerging risks, as opposed to the traditional ERM approach involving estimates of impact and probability. For example, as cyber risks emerge from an IT innovation, the focus may need to switch towards reducing uncertainty through knowledge acquisition. Since individual managers seldom possess all relevant knowledge of an IT innovation, various stakeholders may need to be involved to exploit their expertise.

Keywords

cyber risk; emerging risks; enterprise risk management

Copyright information

© The Geneva Association 2018

Authors and Affiliations

  • Simon Ashby (1)
  • Trevor Buck (2)
  • Stephanie Nöth-Zahn (3)
  • Thomas Peisl (4)

  1. Plymouth Business School, University of Plymouth, Plymouth, UK
  2. Adam Smith Business School, Glasgow University, Glasgow, UK
  3. Edinburgh Napier University, Edinburgh, UK
  4. Munich, Germany
