According to Ernst & Young’s 2016 global banking risk management survey, despite material strengthening of banks’ risk management, the industry is still searching for the appropriate blueprints to establish effective risk accountability.

The global survey of banks carried out by EY and the Institute of International Finance (IIF) follows the industry’s progress in improving risk management by surveying senior risk executives. This year, 67 banks from 29 countries participated in the survey. This includes 23 of the 30 institutions described as global systematically important banks (G-SIBS).

“Banks have made considerable strides in terms of risk management enhancements since the crisis. However, regulations are still changing and industry approaches on emerging or evolving areas such as non-financial risks and increased IT security threats are still maturing. This suggests a long road ahead for banks,” said Tom Campanile, partner, Financial Services Office, Ernst & Young. “Finding a sustainable risk management operating model that will be flexible through this current market environment will be essential to success.”

Although the survey highlighted that significant progress has been made so far, banks may be halfway through what could be a 15-year journey of substantial work to enhance risk management processes. Additionally, increased investor pressure to achieve higher, stable returns have resulted in banks converging toward an industry norm of three-year ROE targets of 10% to 15% across G-SIB and non-G-SIB banks, forcing banks to adapt their business models to meet these targets.

“Banks are still under huge pressure on different fronts, and the risk management function is evolving rapidly to cope with the changes in the economic and regulatory environments,” said Andrés Portilla, managing director of the Regulatory Affairs Department at the IIF. “As this report shows, it is about embedding the concept of risk throughout all the processes and business of the organization, for which a period of regulatory stability is essential.”

EY and the IIF also identified the continued significance of non-financial risks that pose major financial strains on the business. Specifically, focus on a wide range of conduct areas has increased – money laundering (increased to 72% from 52% in 2015) and sanctions (increased to 52% from 30% in 2015) have moved significantly up the agenda. Cybersecurity has surged with almost half of respondents (48%) highlighting it as one of the three most important risks for their board over the next year.

According to the survey, banks have greatly stepped up their efforts to make a fully functioning three-lines-of-defense approach to risk management work, but there is still no agreed blueprint within the industry on the balance of responsibilities across the first and second lines – with many firms working to enhance the responsibility of the first line. More than 60% of banks highlighted that they are currently changing their three lines of defense model.

Top reasons for doing this includes significant focus on the first line including making the first line accountable for end-to end risk (38%), making it more clearly accountable for non-financial (28%) and financial (27%) risk.

Banks are also looking at the effectiveness and efficiency of the second line functions – in particular better technology and more advanced data analytics are essential, as are properly implemented centralized teams for common, repeatable tasks (such as testing). Such approach would allow firms to deliver the right risk outcomes cost-effectively.

The industry, and G-SIBs in particular, continue to focus on addressing non-financial risks more effectively. Banks recognize that they need the management of risk to be part of everyone’s job, not just those in risk and control roles, and are testing and enhancing controls frameworks.

Significant changes have been made to improve the management of non-financial risk. Banks are attempting to reduce non-financial risk by reducing complexity of products (57%); exiting products (63%); improving employee training (67%) and strengthening risk culture and employee behavior by enhancing messaging and tone from the top (90%). Importantly, they are also enhancing their forward looking and analysis of intrinsic non-financial risks and embedding non-financial risk into other risk management initiatives.

In addition to addressing conduct issues, banks are focusing on three main areas: operational risk, cybersecurity and vendor risks. Firms report clear focus on operational risk (with 77% of them reporting devoting more time to it as compared to last year). Cybersecurity has shot up to the top of the CRO agenda, ranking second (51%) in the list of top five concerns over the next year.

The report highlights the combined effect of lower profitability because of economic conditions and low interest rates and higher regulatory capital on ROEs. Respondents say their investors are pushing for higher ROEs (82%) and reduced costs (79%). Banks express major concerns about the regulatory proposals to increase capital further and reduce risk sensitivity. Overall it would have the effect of making even more areas of core lending activity unprofitable.

The capital, liquidity and leverage changes under Basel III have led banks to rethink their business model as a large percentage of G-SIBs (83%) and non-G-SIBs (67%) are evaluating asset portfolios. Over 48% of respondents are exiting business lines and 27% are exiting countries.

It is projected that the cumulative reforms to the Basel III capital framework – often referred to as Basel IV – could have a particularly negative impact on banks. The survey highlights that changes to internal ratings-based (IRB) models are a major concern as 63% of respondents highlighted that the models could change the economics of some areas of business. Concerns also exist regarding fundamental changes proposed on the treatment market and operational risks.

Additional changes including the standardized measurement approach (SMA) for operational risk will drive up capital, especially for G-SIBs – with 67% expecting a significant or moderate increase and the fundamental review of the trading book (FRTB) will greatly impact trading and investment banks.