Emerging IT Risks: Insights from German Banking
How do German banks manage the emerging risks stemming from IT innovations such as cyber risk? With a focus on process, roles and responsibilities, field data from ten banks participating in the 2014 ECB stress test were collected by interviewing IT managers, risk managers and external experts. Current procedures for handling emerging risks in German banks were identified from the interviews and analysed, guided by the extant literature. A clear gap was found between enterprise risk management (ERM) as a general approach to risks threatening firms’ objectives and ERM’s neglect of emerging risks, such as those associated with IT innovations. The findings suggest that ERM should be extended towards the collection and sharing of knowledge to allow for an initial understanding and description of emerging risks, as opposed to the traditional ERM approach involving estimates of impact and probability. For example, as cyber risks emerge from an IT innovation, the focus may need to switch towards reducing uncertainty through knowledge acquisition. Since individual managers seldom possess all relevant knowledge of an IT innovation, various stakeholders may need to be involved to exploit their expertise.
Keywords: cyber risk; emerging risks; enterprise risk management