Conquering technology risk in banking 1

Conquering
technology risk
in banking
5 ways leaders can transform risk into advantage
Conquering technology risk in banking 2

Contents
Introduction 3

The new face of banking risk 6

The race to master technology risks 13

Five best practices of risk leaders 17

A vision of the 2030 bank 29

Research background 34

Acknowledgements 39
Conquering technology risk in banking 3

Say YES to mitigating tech

risk and driving innovation

Technology risk management is sometimes Everyone in the bank, no matter your

perceived as a burdensome but necessary evil. department or role, needs to be a risk officer.

In my experience as a former bank CIO, it’s They need to share the responsibility of risk

often viewed as “keeping the lights on” rather identification and mitigation. The interconnected

than enabling business development, customer nature of business across the bank necessitates a

experience, and growth. In reality, strong holistic approach.

technology risk management is a catalyst for

innovation and performance. Resilient banks are better positioned to

effectively handle disruptions, which can drive

Recent banking crises and market disruptions better customer experiences and loyalty. By

have highlighted the importance of real-time risk embracing technology risk management as a

control and resilience. Technology risk has also competitive advantage rather than a burden,

become more evident to customers because banks can thrive in a dynamic environment.

they interact digitally with banks, be that through

an online portal for self-service, an app, chatbot, Simon Cox, Chief Transformation Officer,

or other means. As a result, technology risks that ServiceNow

used to be hidden in the back office are visible in

the front office and should now be considered as

an integral component of overall business risk.

Conquering technology risk in banking 4

Mastering technology risks

In today’s rapidly digitizing marketplace, a bank’s growth and For the purposes of this survey, we defined technology risk

competitiveness depends on its ability to innovate rapidly and as the potential of a breakdown in a bank’s IT infrastructure,

safely. That can be a complex balancing act, since faster systems, or applications that can impair the bank’s operations.

digital innovation often exposes banks to greater technology, We focused on how technology supports resilience, defined as

cyber, and operational risks, as well as regulatory scrutiny. The the ability of a bank to operate during times of disruption by

winners are those best equipped to handle both the upside using digital technologies and solutions.

and the downside of innovation and to weather disruptions.

As part of our analysis, we created a maturity framework to

To understand how banks manage technology risk in a examine the progress that banks are making in adopting

period of accelerated digital transformation, ServiceNow technology risk management best practices. We divided

and ThoughtLab conducted a comprehensive survey of 750 respondents into three groups: beginners taking their

banking executives in March-May of 2023. The study explored first steps in managing technology risk, intermediates in

the best practices, challenges, and performance benefits mid-implementation, and those most advanced in risk

around improving technology risk management and resilience. management, which we designated as leaders.

The 750 executives came from 12 countries across three global This report focuses on the best practices of risk leaders, which

regions. Respondents included a mix of C-Suite executives and provide valuable insights and lessons for banks earlier in their

direct reports knowledgeable about the risk management risk journeys.

practices of their institutions. The study included banks with

assets that range from $1 billon to over $1 trillion.

Conquering technology risk in banking 5

Defining a risk leader

Six pillars of technology risk excellence

To understand how banks can avoid the downside of innovation, we

created a maturity framework reflecting the progress banks have made

across six pillars of excellence in technology risk management. Based on

their answers to survey questions, we classified banks just starting out in

most areas as beginners; banks in the middle stage of implementation as

intermediates; and banks that are most advanced as risk leaders.

Process Integrated Governance Data Technology

Organization
approach

Building the Creating processes Fostering an Developing Providing senior Using the latest
organizational that improve integrated technology risk management and digital technologies
roles, skills, staffing, technology risk approach to IT, management other teams with the and solutions to
and structure management and cyber, and overall policies and adding timely and accurate reduce IT and
for effective resilience across the risk management. non-financial risks data to monitor, cyber risks and
technology risk enterprise. to the risk appetite assess, and respond ensure operational
management. framework. to technology risks. resilience.
Conquering technology risk in banking 6

The new face of

banking risk
Conquering technology risk in banking 7

Innovation leaders
must be risk leaders
Executives
agreeing
Around the world, banks are innovating at a These new risks are on management’s radar. Seven Statements All the most
breakneck speed to follow the pace set by firms like out of 10 CEOs and CROs say that accelerated digital

Apple, Netflix, and Amazon. But as banks rapidly innovation is driving the need to improve technology Accelerated digital innovation is 64% CEOs & CROs
driving the need to improve tech risk 72%
adopt new digital tools and solutions in response risk management. Ultimately, the winners will be those management and resilience
to customer expectations, they are exposed to a that excel in managing innovation. More than half

battery of technology risks that can bring down (52%) of the banks surveyed say that managing the Managing the risks of digital innovation 52% CFOs, 62%
is crucial for future growth and CROs, 58%
their operations. These risks range from external risks of digital innovation is crucial for future growth financial performance
cyberattacks and fraud to internal software failures and financial success. This belief is held by even more

and system misconfigurations. CFOs (62%) and CROs (58%), who are in the best Effective tech risk management 45% CFOs, 48%
requires that IT, risk, and cybersecurity
position to know.
functions work well together

About a quarter of executives—and over a third of Concerns about technology and 24% COOs, 34%
The best way to improve our risk cybersecurity risks are impeding my
COOs—say that worries about introducing technology
bank’s ability to innovate
management performance is to risks are preventing their firms from innovating. Another
make sure that the cybersecurity, 23% of executives—and 27% of CIOs—think that their
Many digital innovations do not involve 23% COOs & CIOs
risk, and IT departments work innovations are creating risks because they are not
the IT, risk, and security team early 27%
together.” involving IT, risk, and security teams early enough in the enough in the process

process. Indeed, nearly half of executives believe that

CEO, US universal bank
these functions must work well together to successfully

manage tech risk.

Question 13. Which of the following statements about your bank do you agree with?
Conquering technology risk in banking 8

Leaders are freer to

scale operations

Improving technology risk management and Risk leaders also experience fewer breaches and Top 7 risk and compliance benefits of leaders
resilience pays off for banks in two interlocking ways: improvements in decision making and strategic

first, it generates risk and compliance benefits, alignment.

and second, it boosts strategic and financial

performance. Reducing technology risks helps leaders boost

strategic and financial performance. More secure

Most of the risk and compliance benefits are banking services raise customer retention. Lower

around speed—faster identification, issue resolution, risks and better compliance prevent costly incidents,

response, and risk and compliance reporting. Speed improving profitability.

is of the essence in managing tech risks since they

occur in real time with rapidly cascading effects. With digital risks under better control, leaders can

speed up innovation and time to market, bolstering Top 7 performance benefits of leaders
revenue growth. Leaders are freer to scale their

The organization’s new policies operations, a benefit that over half of leaders

expect to see over the next two years.

and practices for dealing with
technology risks have been very
beneficial both for risk performance Question 30. Which risk and compliance benefits is your bank seeing
from improving technology risk management and resilience? Which
and business growth.” does it expect to see over the next two years?

Question 31. Which benefits in business performance is your bank

CIO, Australian universal bank seeing from improving technology risk management and resilience?
Which does it expect to see over the next two years?
Conquering technology risk in banking 9

CEOs recognize tech risk is

the biggest threat for banks

Banks have a long history of mastering risks, from credit and market % agreeing with statements about technology risk If a bank’s settlement system
risks to those related to liquidity and operations. But technology goes down, that means a billion
risk is a different beast. It is more complex, harder to pinpoint, and All CEOs
dollars an hour is not settled. It
ever-changing. It surges in real time through digital connections and
creates a vast amount of market
cascades unexpectedly, even triggering other areas of risk. Worse, it is Technology risks (including cyber)
have grown significantly over the 61% 66% risk, not just for the bank and its
growing fast, threatening every part of a bank’s value chain.
last few years. counterparties, but also for the
CEOs are on alert. Two-thirds of CEOs report that entire market.”
technology risk has grown significantly over the last Technology risks (including cyber) Global head of crisis management,
are the biggest risk that my bank
54% 72%
few years. Over 7 out of 10 CEOs say that it is now French universal bank
faces today.
the biggest risk their bank faces. And 64% of CEOs
expect it to increase over the next two years.

Unfortunately, technology risk management is still an evolving

discipline, and as new technologies emerge, earlier ones become

61% of banks said that the level of technology
ineffective. One recent example is two-factor authentication through
risk increased over the last two years.
voice recognition, which cyber adversaries have already defeated

using AI-generated voices. The stakes are high. Without proper

67% expect tech risks to increase even more Question 13. Which of the following statements about
your bank do you agree with?
controls, a technology risk event can not only inflict serious harm on
over the next two years. Question 7. How has the level of technology risk that your
the bank, but also its customers, partners, and the wider economy. bank faces changed over the last two years, and how
do you expect it to change over the next two years?
Conquering technology risk in banking 10

Seven forces driving banks to

upgrade tech risk management

As banks accelerate digital innovation and Regulators are forcing action Forces driving the need to improve technology risk management and resilience
harness new technologies, they expose
All Leaders Beginners % pt. diff.
themselves to greater technology risks. These A firehose of regulations—here or coming—are

risks loom larger for banks that fail to ensure that also pushing banks to contain technology risks.
Accelerated digital innovation 64%
64% 60% 63% +3
their technology risk management efforts keep These regulations blanket most areas of the

pace with their digital transformation programs. world, from the EU’s General Data Protection
Use of new technologies 61%
61% 54% 59% +5
Cybersecurity is one example. Financial firms Regulation (GDPR ) and its more recent Digital

are 300 times more likely than other types of Operational Resilience Act (DORA) to the US’s

companies to be the target of a cyberattack, Federal Trade Commission Act (FTCA) and Escalating cyberattacks 61%
61% 45% 70% + 25
according to the Boston Consulting Group. patchwork of state regulations, such as the

robust California Consumer Privacy Act (CCPA).

Rising fraud/financial crime 48%
48% 42% 57% + 15
While most banks are exposed to rising Even here, risk leaders are less exposed because

cyberattacks, beginners are more vulnerable of their adoption of advance regulatory tracking

than risk leaders because they have not taken and compliance tools. Increased market disruptions 48%
48% 48% 59% + 11

enough steps to harden their cybersecurity.

The same is true for increased financial In fact, risk leaders face reduced risk in every Increased regulation 46%
46% 38% 45% +7
crime and market disruptions. Risk leaders category because of their stronger risk positions

have already improved their defenses, while and adept use of people, process, and
Rising customer expectations 44%
44% 36% 46% + 10
beginners still have considerable work to do. technology.

Question 10. Which external and internal forces are driving the need to improve technology risk management
and resilience at your bank?
Conquering technology risk in banking 11

How banks are addressing

internal vulnerabilities
Top causes of tech risk % of banks How banks address these vulnerabilities
increases, last 2 years citing

“To be prepared for emerging risks, we will add horizon scanning, which will allow us to see ahead to determine what threats a new
Use of new technologies 52%
technology breakthrough poses.” CEO, AUSTRALIAN RETAIL BANK

“We incorporate technology risk management early in innovation processes to avoid process failure risks.”
Process failures 36% CEO, AUSTRALIAN RETAIL BANK

“A significant percentage of our IT systems will be modernized to address key technical problems, and they will be reviewed in real time
System misconfigurations 32% on a regular basis by our expert staff.” CTO, US COMMERCIAL BANK

“With the application of ERP systems, additional interruptions or failures are more likely to be avoided because all processes are simplified
System failures 32% and monitored.” VP OF INFORMATION, GERMAN RETAIL BANK

“We have automated the process of data collection and analysis to avoid the human error that occurs when data is collected
Human error 32% manually.” VP OF RISK, FRENCH RETAIL BANK

“As we become more integrated into third-party ecosystems, we anticipate increasing vendor risks; as a result, we have started to
Use of third parties 27% include them in the broader risk portfolio for better management.” FINANCE DIRECTOR, US BANK

“We have developed data management solutions that combine data from IT, cyber, and security departments to improve coordination
Inadequate coordination 22% across diverse processes.” CFO, UK COMMERCIAL BANK

“To identify, evaluate, and report issues that occur within our network, we will build protective processes such as firewalls and endpoint
Network architecture 20% detection and response.“ CIO, AUSTRALIAN RETAIL BANK
Conquering technology risk in banking 12

Many banks are not ready

to manage tech risk

Not all banks believe they are well priority, a serious mistake. That is in stark Level of preparedness, by tech risk maturity By asset size
prepared to effectively manage the contrast to leaders. More than 90% of all
13% $100B and
over 81% 19%
technology risks they face over the next leaders assign a high or very high priority to 46% 47%
two years. This is true for just under half of all mitigating digital risks—which explains why 77%
banks surveyed—and for 77% of beginners. they are better at it than others. Similarly, 86% $25B to $99.9B 47% 53%
54% 53%
On the other hand, 86% of leaders say they 61% of banks with assets of $1 billion to $25
23%
are highly prepared. billion do not give high priority to tech risk $1B to $24.9B 39% 61%
Leader Intermediate Beginner All
management, compared with only 9% of

According to our research, the smaller the banks with over $100 billion in assets.
Slightly or moderately prepared
bank, the less prepared. For instance, 61% Highly or very highly prepared
of banks with assets under $25 billion are

not highly prepared for tech risk, compared

Level of priority, by tech risk maturity
with just 19% of banks with over $100 billion
Making risk management a
in assets. priority for top management 8%
has had the greatest beneficial 36% 37% Moderate or
Banks need to reset their priorities influence on our organization’s 60% low priority
Question 8. What is your
92% organization’s level of
technical risk performance.” 64% 63% preparedness to effectively
Surprisingly, 37% of banks—and 60% of 40% High or very manage the risks it faces over
Director of Operations, the next two years?
high priority
beginners—do not see technology risk French universal bank Question 9. What level of
Leader Intermediate Beginner All priority are technology risk
management and resilience as a high management and resilience
for your bank today?
Conquering technology risk in banking 13

The race to master

technology risks
Conquering technology risk in banking 14

Leaders are improving

in all areas of tech risk

Mastering technology risk is a work in Gaining value from tech and people How much progress has your bank made in tech risk management? Change in average progress
progress for most banks. Our research Over the next two years, all banks will Weighted average scores, (100 = highest) rankings for all banks

found that even leaders need to make take their risk initiatives to the next level,

more headway on the six pillars of although leaders’ approaches will Expected Data 1 1
progress
technology risk management. Overall, remain best in class. The technology in 2 years

banks have made the greatest progress area will jump most, as banks boost Technology 2 2
on data and technology, and slightly less investment in the latest digital solutions

on governance, process, and people. such as the cloud, AI, machine learning,
Governance 3 3
They are further behind in a key area blockchain, and cybersecurity tools.
Process 4 4
that drives the best results—integration. They will also advance rapidly on the

people/organization side as they train People/org 5 5

While all banks can do more, the staff and recruit specialists. Now

differences between leaders and others Integration

approach 6 6
are significant and paint a troubling Integration will undergo a big increase

picture for those that fail to keep pace as banks embrace this best practice,

with competitors. Given the impact realizing that integrating IT, risk, and Now 2 years
of tech risk on banking performance, cybersecurity operations will facilitate

management teams would be well cross-functional collaboration, make

Question 18. For each of the following areas
advised to gauge where they are now their risk profile more visible, and address of technology risk management, how much
progress has your bank made until now and
to determine where to go next. potential technical concerns. Average maturity scores grouped as: 1-25 = planning, 26-50 = early
how much progress do you plan to make
implementation, 51-75 = mid implementation, 76-100 = advanced over the next two years?
Conquering technology risk in banking 15

As banks advance, they target

different areas for improvement

57% (vs. 48% for beginners)

Business model
Leaders As they advance in their tech risk management journeys, banks’
63% (vs. 51% for leaders) 45% (vs. 24%)
Products & services priorities for improvements evolve.
Cybersecurity

56% (vs. 42%) 45% (vs. 31%)

Customer engagement Beginners are putting the basics in place, targeting
Beginners Risk mgmt. & compliance
cybersecurity, risk management and compliance, IT capabilities,
45% (vs. 36%) 32% (vs. 24%)
Financial systems/controls cloud adoption, and adopting other advanced technologies.
IT operations services

41% (vs. 36%) 30% (vs. 16%)

Since leaders have already taken many of these steps, they
Cloud migration Employee experiences
can turn their attention to more advanced areas of risk
38% (vs. 27%) 25% (vs. 5%)
management. These include creating business models and
Use of AI/other tech Supplier management
products and services that carry less technology risks. Leaders

also focus more on technology risks related to their stakeholders,

such as costumers, employees, and suppliers.

Conquering technology risk in banking 16

Hurdles evolve on the road

to tech risk leadership

As banks strive to balance innovation and Leaders should expect to tackle obstacles Where beginners see bigger challenges Where leaders see bigger challenges
risks, they face many organizational and arising further along, such as gaining third-
Beginners Leaders
technical challenges, which morph as they party support and calculating ROI. Since

mature in risk management. Beginners should leaders typically are larger organizations with 48% Lack of metrics (vs. 22% for leaders) 41% 3rd party support (vs. 32% for beginners)

be prepared to make the financial resources global operations, it is more complicated 45% Insufficient investment (vs. 31%) 38% Uncertain ROI (vs. 28%)
39% Siloed data (vs. 25%) 27% Difficulty collaborating (vs. 18%)
available—generally a bigger problem since for them to cultivate collaboration, ensure
36% High costs (vs. 14%) 27% Resilience not part of planning (vs. 18%)
they tend to be smaller banks. They will also teams are on the same page, and take an
34% Difficulty modernizing (vs. 18%) 27% Lack of integrated risk view (vs. 25%)
need to fill in the gaps in their tools and skills integrated risk view.
33% Lack of skills and talent (vs. 26%) 26% Tracking regulations (vs. 16%)
and overcome silos and legacy systems.
32% Lack of continuity tools (vs. 25%) 23% Teams with different values (vs. 10%)

Where CEOs see greater challenges than other executives

The CEO perspective
Perched at the top of the pyramid, CEOs are in a better position 54% 50%
44% 42% 40%
to spot challenges across the enterprise. They are more likely to 38% 34% 34%

see bigger barriers around insufficient investment and high costs,

inadequate skills and talent, and lack of an integrated risk view
across the organization.
Question 11. Which are the biggest challenges that your bank faces when seeking to improve technology risk management and resilience?
Conquering technology risk in banking 17

Five best practices

of risk leaders
Conquering technology risk in banking 18

1. Leaders make data a single

source of truth—and insight

% growth
At its foundation, technology risk management is Steps leaders are taking around data Now in 2 years
about data: not just protecting it and keeping it Deploying data tools and
Beginners
Provide leaders and staff with data they need to improve IT risk
private, but also harnessing it to improve a bank’s 59% 8%
dashboards to report on management and their security posture
security posture.
technology risks and resilience
contributed greatly to improving our Create data mgmt. solutions that integrate data across IT, cyber, risk 45% 16%
For most leaders, step one is to enable visibility and

decision-making by structuring and integrating

organization’s technology risk and
enterprise-wide data so that cross-functional teams resilience performance.” Predict potential cybersecurity risks by analyzing historical data 44% -9%

can access a single source of truth in a timely and COO, French private bank
actionable way. Three out of 10 leaders also now Deploy data tools and dashboards to report on technology risks 32% 59%
integrate vendor risk data into their data systems,

and the figure will grow over the next two years. Integrate supply chain/vendor risk data into data mgmt. system 30% 30%
The best outcomes to date have
Leaders will also do more to turn that data into come from the creation of data Conduct more frequent executive reviews of technology risk posture 29% 31%
insight over that time period. The steps that will grow
management solutions that combine
the most are using advanced data analytics, and
data from IT, cyber, and risk Use advanced data analytics to monitor and assess technology risks 28% 82%
deploying data tools and dashboards to enable
functions.”
executives to extract more value from data. They will
CEO, German retail bank
also conduct more frequent executive reviews, and

integrate supply chain risk data. Question 23. Which steps around data is your bank taking now to improve technology risk management and resilience?
Which steps does your bank plan to take or will continue to take over the next two years?
Conquering technology risk in banking 19

2. Leaders build integrated risk-

based processes…

% growth
Leaders consider risk-based processes to be sync to speed up innovation while mitigating Steps leaders are taking around process Now in 2 years
core to their integrated risk management tech risks. Even more pronounced, the number
Take a quantitative risk-based approach to IT and cyber risk 47% 15%
plans. Almost half take a risk-based approach, of leaders integrating tech, operational, and management in line with overall risk posture
which enables them to align risk and business enterprise risk management will soar by 119%.

priorities. It also allows them to be more strategic Ensure that partners and suppliers support strategies for improving 40% 13%
technology risk management
and quantitative in making risk decisions and

assessing trade-offs.
Introduce integrated risk management processes that ensure cross-func- 36% 47%
Our initiative to use a quantitative tional coordination

Leaders ensure proactive coordination across risk-based approach to better

functions and throughout their enterprises, Build business continuity plans around technology risks 34% 15%
manage IT and cybersecurity
including partners and suppliers. To make
in accordance with our firm’s
this happen, almost one-third create a Create a common lexicon for understanding and managing risk 31% 16%
overall risk profile is having the
common lexicon for managing risk and strive
most positive impact.” Incorporate technology risk management early in innovation processes 29% 24%
to incorporate technology risk early in the

innovation process.
CRO, Australian retail bank

Engage business leaders to identify critical assets and processes 19% 42%
Over the next two years, leaders will leap

ahead in introducing risk management across Integrate technology risk management with operational and enterprise 16% 119%
risk management
functions—with those doing so jumping by 47%.

That will ensure that different divisions work in Question 21. Which steps around process is your bank taking now to improve technology risk management and resilience?
Which steps does your bank plan to take or will continue to take over the next two years?
Conquering technology risk in banking 20

… that are increasingly

automated…

Use of automation is one area that sets risk Reasons to believe % of activity largely and fully automated, now and in two years
leaders and followers apart. Leaders are well

ahead in automating many processes, from There are many reasons for leaders’ obsession

risk identification, detection, and protection to with automation. It helps prevent human error

response, compliance, and analysis. Over the and improve data quality. It gives them a huge

next two years, most leaders will largely or fully edge in detecting risks early and mitigating them

automate these activities. quickly. It helps protect against opportunistic

cybercriminals looking for a way into their IT and

data systems.

We plan to automate our risk The widespread use of automation among

monitoring and detection leaders is in strong contrast to the practice of

beginners, most of which have not gotten off the

process in order to expedite
starting block, and small banks, which trail their
our management and
larger counterparts. These institutions—which are
compliance efforts and save
often one and the same—are highly vulnerable
time and money.” to fast-evolving technology risks. Our research
VP of Technology, shows they are aware of this, which is why many
French private bank
of them plan to forge ahead with a panoply of

automation initiatives over the next two years. Question 26. How automated are the following technology risk management activities at your bank?
Question 27. In two years, how automated will the following technology risk management activities be at your bank?
Conquering technology risk in banking 21

…and managed through

integrated risk platforms

Another huge difference between leaders and Integrated risk platforms become table stakes Use of integrated risk management platform, by tech risk maturity
beginners is the adoption of integrated risk

platforms. These platforms provide banks with a However, over the next two years, nearly all 93% 92% 88%
full view of cyber, technology, enterprise, and leaders and intermediates—and three-quarters 76%
operational risks based on a consistent, normalized of beginners—will use an integrated risk platform. 60%
data set, as well as a common set of tools to This will be essential for banks as they strive to
47% 43%
manage them. Leaders are much more apt incorporate technology risk into their overall risk 20%
to have an integrated risk platform now, while frameworks and take a more holistic risk approach.

beginners and intermediates are just starting to

implement them. It will also furnish banks with a better way to

Top five elements included in integrated risk platforms
manage risk transference between different kinds

of risk. This can happen, for example, when a

IT service management 64%
systems failure shuts down trading and creates
Deployment of an integrated risk
a market risk, or when a liquidity risk opens an
IT operations management 62%
management platform enables us to opportunity for cybercriminals.
conduct real-time risk assessments, Cyber risk/security 57%
Question 28. Does your bank now
use an integrated risk management
platform to get a full view of risk
which eventually give in-depth Typically, banks include between five and six across the enterprise?
If not, do you plan to use one over
insights into the dangers at hand.” elements in their integrated risk platforms, most Policy and compliance 54% the next two years?

often IT services, IT operations management, and Question 29. If your bank is using
CISO, French private bank an integrated risk management
cybersecurity. Operational resilience 51% platform now, which of the
following elements are included?
Conquering technology risk in banking 22

Ensure the right balance

between humans & machines
Major US Bank

For one major US bank, technology is a key This senior risk officer points to the example

element in a holistic risk management approach of recruitment automation that misses good

for managing credit, fraud, cyber, and market candidates because of biases built in or a too-strict

risks. But even for a bank that sees itself as a large focus on red flags on CVs—like employment gaps.

technology company offering financial services, “While in operational and tech risk management, AI

human judgment is still vital for managing risk. is looking for things going wrong rather than for bad

apples, the principle is the same.”

So argues a senior operational risk officer at this

bank. “Humans must remain an essential ingredient “Risk models are fallible. They might slip up due to

and backstop for operational risk and resilience, faulty inputs or omissions in the programming. A

despite the rush to automate risk management— human might see something that modeling missed.”

particularly with the use of artificial intelligence,”

says the risk officer. “Machines don’t yet have the

judgment needed to look beyond rigid rules. At

both the beginning and the end of the process, we

My advice is to move to AI-led risk
need a set of human eyes.” processes at a measured pace,
stopping to kick the tires first. If there
is a mishap, it’s likely to be costly.”
Conquering technology risk in banking 23

3. Leaders invest in next-gen

technologies…

Leaders fight fire with fire by using advanced can make it easier to spot patterns in security Leaders’ most important tech investments % growth
technology to mitigate growing technology data; cloud-access security brokers, crucial for
49%
risks. Their most important areas of technology securing sprawling cloud platforms; quantum
12%
55%
investment today are laying the IT foundation cryptography to take encryption to the next level; 47%
4%
for risk management success. These investments and endpoint detection and response (EDR) to 49%
45%
include building a modernized IT systems that continuously monitor end-user devices. 13%
51%
draws on the cloud to ensure resilience and
45%
29%
cybersecurity orchestration to reduce risks. Over One of the most important areas of investment 58%
the next two years, leaders will continue to over the next two years will be in AI, which enables 43%
60% 40%
prioritize these investments. banks to reduce human error and identify and
42%
act on risk more quickly. Another is blockchain, 59%
40%
Winning the arms race which banks will use to improve the security, 40%
20%
transparency, and traceability of transactional 46%
40%
But over the next two years, leaders will turn their data and lower the risks of errors and fraud. As 15%
48%
sights to more advanced technologies that will part of their risk-based approaches, leaders will
35%
give them an edge in the escalating cyber war. also make more use of predictive analytics and 45% 29%

Banks will find it more important to ramp up their digital twins to see emerging risk trends and run

investments in more sophisticated cybersecurity simulations to gauge risk probabilities and impacts.

defense technologies, such as security information Question 17. Which of the following are now the most important areas of technology investment for your
bank to improve technology risk management and resilience?
and event management systems (SIEM), which
Which will be most important in two years or continue to be most important?
Conquering technology risk in banking 24

... to manage end-to-end

technology risks activities

Leaders harness technology to improve most Technology also enables leaders to improve Steps leaders are taking around technology
areas of technology risk management and compliance. It gives leaders the ability to monitor

resilience. They make digital tools and solutions and address growing regulations on operational

accessible to IT, security, and risk management resilience, and on data security and privacy. It

heads to improve their overall security posture. also allows them to regularly test and audit their

They use technology to digitize and automate technology risk operations. For a growing number

workflows to reduce human mistakes and boost of banks, advanced platforms make data sharing

productivity. And they use it to de-risk their cloud easy, across the bank as well as with third parties.

platforms and ensure resilience.

Over the next two years, leaders will do much

more to build resilience. The share of leaders

We intend to develop horizon digitizing and automating workflows to improve

resilience will grow to 54%, the highest percentage

scanning technology in our banks
for any technology step measured. Similarly, the
in order to detect upcoming
percentage of leaders using technology to ensure
regulations and laws and maintain
resilience processes will jump from 34% to 52%, the
track of them.”
biggest rise in any step over the next two years.
Director of controls, major Singapore bank

Question 24. Which steps around technology is your bank taking now to improve technology risk management
and resilience? Which steps does your bank plan to take or will continue to take over the next two years?
Conquering technology risk in banking 25

4. Leaders bring teams together

to manage tech risks

“It’s been said that there is a cybersecurity role of the CRO to include IT risk, a percentage Steps leaders are taking around organization
patch for our systems, but there is no patch for that will grow to 36% in two years. To ensure top

human stupidity,” notes the senior vice president managers are prepared for their role, risk leaders

of system audit with an Indian bank. are providing them with training.

Leaders understand that having the right Crucially, four out of 10 leaders
organization and culture is crucial for managing ensure that the Board and senior
tech risk and ensuring resilience. To do this, not management oversee technology
only must they carry the message to every part risk management, and that will rise
of the bank—and every employee—but also to almost half in two years.
make sure that a wide range of people across Functions playing a key role in managing tech risk for leaders
the enterprise are involved, trained, and working

together, with defined roles. We made technology and cyber 73% Cybersecurity 56% IT risk management

security risk management and

65% Digital transformation 53% Data quality/governance
Leaders assign key tech risk roles to varying resilience a part of our board and
functions in their bank, including cybersecurity, senior management duties, which 62% Operational risk 49% Senior management
digital transformation, operational risk has aided us in the early detection
management, data privacy, IT risk management, and correction of issues.” 61% Data privacy 42% Enterprise risk mgmt.

and data quality and governance. To improve CRO, US private bank

Question 19. What role do the following play at your bank in managing technology risks and resilience?
coordination, over a quarter have expanded the Question 20. Which steps around organization and people is your bank taking now to improve technology risk management and
resilience? Which steps does your bank plan to take or will continue to take over the next two years?
Conquering technology risk in banking 26

Communicate and coordinate

to strengthen risk posture
French Universal Bank

For the global head of crisis management, cyber, and technology Cooperation is also essential, notes the tech risk chief. “IT and
risk at a top-tier French universal bank, the writing is on the wall. “The cybersecurity departments have been isolated in the past, but
more you digitalize, the more you put that risk into your DNA. Once we have learned that we need to coordinate with other groups.
everything is digitalized, then it can fail, be encrypted, stolen, sold, We might be able to solve technical issues, but not the tactical or
or used against you. And that’s going to accelerate in the future.” strategic ones.”

To manage this risk requires a culture that emphasizes a measured This executive says that IT and cybersecurity teams realize that
approach based on communication and cooperation, this they must work not only with each other, but also with a range of
technology risk chief argues. Like banks in Japan and Germany, decision-makers from the business, including the CEO and senior
French banks have been more conservative than US banks in managers, and operational and financial risk managers. In addition,
adopting new technology, says the executive, pointing out that this they need legal department specialists to give opinions and work
French bank only started dipping its toe into cloud usage in 2019. with regulators, HR executives when employees might be involved,
data protection officers, as well as communication specialists to
inform clients, deal with the press, and monitor social media.

There is a lot of innovation happening, so we

While it may be difficult for banks with tiered and distributed
have to be able to explain to the board and structures to achieve such integration, collaboration is essential.
management—who are typically not IT experts— “We are working to break down the silos,” says the executive.
both the risks and use cases in simple terms.
The key challenge for the industry is to enable
sound risk decisions by people who don’t fully
understand either the technology or the risks.”
Conquering technology risk in banking 27

5. Leaders rethink governance

for today’s risks

To cope with today’s complex latticework of Steps leaders are taking around governance 97% of leaders
data security and privacy regulations around We have built technology and report that
46%
the world—and avoid huge reputational and cybersecurity risk into the bank’s Improve regulatory compliance planning, the board
monitoring 51%
monetary risks from non-compliance—banks need risk appetite framework, which has plays a role in
helped safeguard our assets.” 42%
to make a step-change in compliance planning, Create reporting on tech and cyber risk technology risk
metrics 53%
monitoring, and maintenance. CTO, UK universal bank management.
Conduct technology vulnerability and 41%
resilience audits 49%
At the same time, they need to keep track of ever- Leaders are taking concrete steps to improve 30% say the
changing regulations, such as upcoming revisions their ability to identify, measure, test, and report Create clear non-financial risk framework, 38% board plays a
with defined roles 46%
of the General Data Protection Regulation (GDPR) these evolving risks and incorporate them into key role.
in the EU and an influx of new data security and their risk appetite frameworks. As part of this effort, Build tech and cyber risk into the bank's risk 38%
appetite framework 44%
privacy laws expected in many US states and leaders are pushing ahead with creating clear,

countries in Asia and Africa. non-financial risk frameworks. Since technology Create technology risk controls, policies & 37%
risks have the power to trigger strategic, financial, procedures 45%

operational, regulatory, and reputational fallouts, 34%

Ensure board has expertise/data needed
We are continuously making and the board and senior management must be for decision-making 43%

updating our policies and processes actively involved—and need the expertise and

regarding technology risks.” data to make the right decisions. Now 2 years
CFO, Hong Kong universal bank
Question 22. Which steps around governance is your bank taking now to improve technology risk management and resilience?
Which steps does your bank plan to take or will continue to take over the next two years?
Conquering technology risk in banking 28

Mitigating risks in the face of

rapid digital change
Indian Commerial Bank

When India’s prime minister, Narendra Modi, withdrew the nation’s existing Rs500 and Rs1,000 From a process perspective, the bank increased audits on change and patch management and
banknotes in November 2016, this “demonetization” sparked widespread adoption of digital looked for process gaps in cybersecurity and IT. “Our goal was to understand where there were
financial transactions—and a corresponding jump in technology risk for banks. design or operation-level issues that we needed to fix,” he says.

“It was a massive transformation across the whole of India. Money started flowing from paper to bits
Recently, the bank began moving to a development, security, and operations (DevSecOps)
and bytes,” says the senior vice president of system audit with a Mumbai-based bank. “We were not
process to integrate security features into every stage of the software development lifecycle. This will
ready for such a huge volume of digital transactions, and we were unsure whether we could handle
help the bank take a more integrated approach, bringing risk experts into the product development
them in a secure manner.” Almost overnight, cyber risk became a top worry for banks across India.
process early to ensure robust and secure applications. “It’s a more agile process that does security
testing and vulnerability management on products on a real-time basis as they are developed,”

Mobilizing people, process, and technology to manage risk says the executive.

Among the first things the bank did was assess its vulnerabilities and build cyber risk into its risk On the technology side, the bank upgraded its firewalls, antivirus, and data management systems
appetite. It examined how the bank used new digital technologies and conducted black-box to improve its data loss prevention. It keeps up on its patching activities and has installed a security
penetration testing of its cybersecurity. From there, it took steps to mitigate its technology risk on information and event (SIEM) system and an endpoint detection and response (EDR) system. It also
three fronts: people, process, and technology. uses an outside threat intelligence and dark web monitoring service.

On the people side, it created a security operations (SecOps) team to monitor threats, manage
The bank has learned that technology risk management needs to be a continual effort and
incidents, and ensure security of new product lines. It increased cybersecurity awareness and
everyone’s job. “It isn’t only a single project—it’s an ongoing process,” the executive says. “The
phishing training and testing for staff and senior management. “The weakest link in cybersecurity is
whole organization has to be involved in making sure we are not compromised, and the right
a human being,” he says. The bank does behavioral monitoring and analytics to keep a check on
processes are put into place. You have to practice what you preach and preach what you
employees for repeated missteps or unauthorized log-in attempts.
practice.”
Also, the bank’s IT and cybersecurity teams began conducting regular drills to prepare for different
types of attacks. These included quarterly tabletop exercises with senior managers and others.
Conquering technology risk in banking 29

A vision of the
2030 bank
Conquering technology risk in banking 30

A vision of the future

Banks are advancing well in their journey to more complex set of risks that can emerge in

become technology risk leaders. This long-term real time with unexpected impacts. To succeed,

effort is made more difficult by the speed and financial institutions will need to implement

evolution of digital innovation and the daunting a more enlightened approach to risk and

risks that it creates. operational resilience, including having a clear

roadmap in mind.

Over the next five years, survey respondents

believe that advances in AI, blockchain, Understanding how banks view the future

decentralized finance, and the Metaverse, of technology risk management provides

as well as the rise of Web 3.0, will trigger an insights into what they need to do now to lay

unprecedented explosion of innovation that will the foundation. We asked survey respondents

remake the banking industry. what their banks’ technology risk management

would look like in five years, and how it would

These digital innovations will redefine change. Some of their most insightful answers

the banking value chain, from product are included in this section.

development and customer engagement, to

new business models and processes. At the

same time, innovation will give birth to an even

Conquering technology risk in banking 31

“We will use advanced data “To make it simple to detect “We will monitor and evaluate
analytics to monitor and assess vulnerabilities and opportunities technology risks using advanced
Greater focus on technology risks for faster risk within our organization from data analytics, which will lead
quantitative risk- identification and recovery.” multiple perspectives, we will to better risk identification and
implement data tools and risk increased visibility into enterprise
based analysis dashboard software.” risk activities.”

VP OF TECHNOLOGY, US PRIVATE BANK CRO, INDIAN RETAIL BANK COO, UK UNIVERSAL BANK

Fully “Our firm is going to integrate IT,

risk, and cybersecurity into other
processes in order to identify
“We will employ an integrated
risk management platform to
address difficulties across the
“We will ensure that cyber
security, risk, and IT functions
collaborate to manage
More integrated
integrated, risk management
and address future technical
issues before they become a
serious problem.”
company. This will help increase
risk awareness throughout the
enterprise and improve visibility
technological risk over the next
five years, which will hasten risk
detection and reaction.”
approach
risk-based
into our organization’s risk
operations.”
VP OF OPERATIONS, JAPANESE
COMMERCIAL BANK CIO, GERMAN PRIVATE BANK VP OF INFORMATION, US PRIVATE BANK

approach “We are thinking about “We will educate and train “We intend to engage risk
creating a culture of continuous employees to foster a risk-aware management professionals,
innovation in order to effectively culture that will encourage which will free up other staff for
More risk-aware manage technology and them to be proactive in other essential responsibilities.”
Process and organizational culture and staff cybersecurity risks.” detecting and managing
practices will change in the coming technology risks.”
years as banks work to achieve COO, UK RETAIL BANK CHIEF CONTROLS OFFICER, GERMAN VP OF CONTROLS, FRENCH PRIVATE BANK
superior risk management. PRIVATE BANK

“We will conduct technology “RPA will assist us in creating “We will create reports on
vulnerability and resilience thorough audit trails for each technology and cyber risk
More regular audits and testing on a regular
basis to keep track of our
and every process, reducing
company risk while maintaining
metrics to stay updated on our
risk exposure.”
reporting, testing, technical risks.” high process compliance.”
and auditing
CIO, US UNIVERSAL BANK VP OF TECHNOLOGY, UK UNIVERSAL BANK CRO, INDIAN UNIVERSAL BANK
Mastering technology risks 32
Conquering technology risk in banking 32

“We plan to use real-time risk “We will use AI and machine “Real-time risk assessments
assessment tools to facilitate learning to monitor consumer will streamline reporting and
reporting and improve behavior and detect enhance collaboration. Risk
visibility, decision-making, and abnormalities in real time.” assessment and analysis will be
Real time collaboration.” automated, and compliance
reporting will be expedited.”

VP OF FINANCE, US UNIVERSAL BANK CEO, UK RETAIL BANK CRO, UK RETAIL BANK

Real-time “We are going to integrate

predictive analysis and
“Predictive analytics will assist
us in proactively managing risks
“By integrating AI into our
operations, we can undertake
simulation models throughout and making educated resource predictive evaluations of future

data Predictive
our data collection and
management processes as the
influence of advanced analytics
allocation decisions.” technology risks and profit from
its advantages.”

with richer grows.”

VP OF RISK, GERMAN PRIVATE BANK

HEAD OF OPERATIONAL RESILIENCE,
AUSTRALIAN COMMERCIAL BANK CTO, UK UNIVERSAL BANK

analysis “We will employ IOT sensors to forecast “Our risk management processes will
maintenance on servers, routers, and be interconnected. All functions will be
switches, three important pieces of banking coordinated, and new software will be
infrastructure. IT teams can reduce the risk installed to automate the overall handling
Technology, while sometimes Interconnected of downtime and data loss by evaluating of technology risks.”
creating new risks today, in the sensor data to spot potential hardware
failures.”
future will help banks improve their
risk management and operational CISO, GERMAN COMMERCIAL BANK VP OF OPERATIONS, US PRIVATE BANK

resilience in multiple ways.

“Our risk managers expect that “By implementing heat map “We plan to deploy visualization
the usage of augmented reality technology, we will be able technologies that will help
will deliver insights and more to visualize data and spot us simplify data sharing and
intuitive and personalized ways trends that might otherwise go collaboration within the bank.”
More immersive to tackle technological risks.” missing.”

CTO, UK UNIVERSAL BANK VP OF FINANCE, FRENCH PRIVATE BANK CHIEF COMPLIANCE OFFICER, INDIAN
UNIVERSAL BANK
Conquering technology risk in banking 33

“Our bank will invest in new “Combining cybersecurity “We intend to develop and
security technologies such as technology with the cloud upgrade our cybersecurity
Use of blockchain, biometrics, and enables us to identify and programs with the use of
advanced quantum encryption, enhance defend against serious threats to historical data, which will assist
its incident response capabilities our data.” in avoiding and detecting cyber
cyber tools and conduct security audits.” crime.”

CEO, UK RETAIL BANK CEO, INDIAN COMMERCIAL BANK CISO, GERMAN COMMERCIAL BANK

Next- “We will use RegTech solutions

to assess our organization’s
“We will use RegTech to track
changing regulations on
“RegTech will be used to
accelerate risk and compliance
technology risks and identify technology risk and resilience. filings while keeping us up

generation RegTech-
enabled
potential vulnerabilities, which
will allow us to implement
appropriate controls to mitigate
RegTech will simplify and
connect the entire ecosystem.”
with changing laws governing
technology risk and resilience.”

compliance
security and these risks.”

CSO, AUSTRALIAN COMMERCIAL BANK CFO, US RETAIL BANK VP OF COMPLIANCE, GERMAN

compliance
COMMERCIAL BANK

“We will digitize and automate “We will employ workflow “We will automate risk
processes related to technology automation technologies to identification, risk detection
Automated risk and resilience for faster risk digitize and automate workflows and monitoring, risk incident
detection, quicker reaction to linked to technology risk and management, and risk
Technology will help to bring with AI, RPA, hazards, and improved visibility resilience.” mitigation using automation
security and compliance to a and other tools into business risk activities.” technologies.”
new level of excellence.
COO, GERMAN COMMERCIAL BANK CTO, SINGAPOREAN UNIVERSAL BANK CTO, US UNIVERSAL BANK

“To safeguard transactions “We will use blockchain “Blockchain will boost the
and stop fraud, we will deploy technology to create a value of our audits and KYC
blockchain technology. transparent, traceable, and compliance because of its
Blockchain will provide a secure secure record of all interactions. ability to store massive volumes
Blockchain and transparent log of all This will help our business reduce of data.”
protected transactions, making it difficult
for fraudsters to falsify records.”
the risk of errors.”

VP OF TECHNOLOGY, JAPANESE RETAIL VP OF FINANCE, AUSTRALIAN PRIVATE CFO, AUSTRALIAN RETAIL BANK
BANK BANK
Conquering technology risk in banking 34

Research
background
Conquering technology risk in banking 35

Respondent profile

Respondents by title (750 total) Respondents by type of bank Respondents by function Respondents by HQ country

Chief Executive Officer 7% United States 250

13% Management
Universal bank 25% UK 100
Chief Financial Officer 7% 33% Risk
22% Germany 90
IT
Chief Operating Officer 7%
Retail bank 25% Compliance
France 60
31%
Chief Compliance/Chief Control 7%
Japan 84

Chief Information Security 7% Private bank 25%

Australia/New Zealand 82
Respondents by assets
Chief Risk/Chief Security 9% India 26
Commercial bank 25% $1B - $24.9B
28% Hong Kong 19
Chief Information/Technology/Digital 13%
43% $25B - $99.9B Singapore 16
Vice President/Director 44%
$100B and over Malaysia 12
29%
Thailand 11
Conquering technology risk in banking 36

Defining a risk leader

We used Q18 in the survey questionnaire to create a maturity curve to determine banks’ progress
in six key areas of risk management best practice.

Q18. For each of the following areas of technology risk management, how much progress has your
bank made until now and how much progress do you plan to make over the next two years?

Areas: Responses:
• Organization: Building the organizational roles, skills, staffing, Not considering
and structure for effective technology risk management.
Planning: Exploring options,
• Process: Creating processes that improve technology risk developing plans, and
management and resilience across the enterprise. building support

• Integration: Fostering an integrated approach to IT, cyber, and Early implementation: Starting
overall risk management. to implement plans

• Governance: Developing effective tech risk management Mid implementation: Mid-way

policies and adding non-financial risks to risk appetite framework. through implementation and
starting to see results
• Data: Providing senior management, and teams, with the data
they need to monitor, assess, and respond to technology risks. Advanced: Fully
implemented, scaled across
• Technology: Using the latest digital technologies and solutions to enterprise, and driving
reduce IT and cyber risks and ensure operational resilience. showing results
Conquering technology risk in banking 37

Risk leadership framework

Our scoring methodology Based on this framework, 23% of respondents qualify as beginners, 58%
as intermediates, and 19% as leaders. In this report, we often refer to
Based on their responses to Q18, we calculated a score and grouped respondents into three leaders and “others,” comprised of risk beginners and intermediates.
maturity categories: beginners, intermediates, and leaders. We used the following scoring for the
stages of progress in the various areas of risk management:

Not considering (0 point)

19% 23%
Planning: Exploring options, developing plans, and building support (1 point)
Beginner
Early implementation: Starting to implement plans (2 points)
Intermediate
Mid implementation: Mid-way through implementation and starting to see results (3 points)
Leader
Advanced: Fully implemented, scaled across enterprise, and showing results (4 points)
58%
For each bank, we took the average of the scores for each area and grouped the respondent
into one of the three categories.

Beginner: below the 25th percentile

Intermediates: those in between 25th and 75th percentile
Leaders: above the 75th percentile
Conquering technology risk in banking 38

Where banks are in their

risk management journey

Maturity in risk management correlates to the size ($416 billion) of the other types banks—have more Risk maturity by type of bank
of the institution. Larger banks by asset size have leaders than do other institutions.
a bigger percentage of leaders (37%), while the
smallest financial institutions have the biggest share of But with more than half (58%) of respondents overall Universal
17% 53% 30%
bank
beginners (also 37%). now in the intermediate stage, organizations clearly
are moving to quicken their progress in improving their
Universal banks—which have double the size of assets risk management and resilience.
Retail bank 27% 56% 17%

Respondents by type of bank

65% Private bank 26% 59% 15%

58%
53%
Beginner

37% 37% Intermediate

Commercial
Leader 20% 64% 16%
bank
10% 19%
16% 5%

$1B-$24.9B $25B-$99.9B $100B & over Beginner Intermediate Leader

Conquering technology risk in banking 39

Acknowledgements
Conquering technology risk in banking 40

Acknowledgements

Authors and contributors Other acknowledgements

Thank you to the ServiceNow leaders who helped shape this research and provided Thank you to the ServiceNow leaders who helped bring this research to life and
insights related to the key banking themes in this technology risk and resilience study. contributed to this publication.

Jacquie Hersch Head of Industry Marketing, Financial Services, Healthcare, Government René Stranghoner Director, Global Campaigns Industry Marketing

Lauren Spruiell Industry Marketing Leader, Banking Sarah Struble Global Campaigns Industry Marketing, Banking and Healthcare

Simon Cox Chief Transformation Officer Richard Murphy Editor in Chief

Michael Murphy Risk Transformation Officer Sheila Dowd Director, Publishing and Operations

Keith Pearson Global Head of Financial Services, GTM Tim Catts Managing Editor, Thought Leadership

Greg Kanevski Global Head of Banking, GTM

Barbara Kay Head of Risk and Security Product Marketing ThoughtLab Group
ThoughtLab is an innovative thought leadership and economic research
Teresa Law Risk Product Marketing Leader firm providing fresh ideas and evidence-based analysis to help business and
government leaders cope with transformative change. We specialize in
analyzing the impact of technological, economic, and demographic shifts on
Karl Klaessig Security Product Marketing Leader industries, cities, and companies.

To learn more about ThoughtLab, visit: www.thoughtlabgroup.com

Skip Bacon VP, Technology and Operating Excellence Product Marketing
Conquering technology risk in banking 41

ServiceNow (NYSE: NOW) makes the world of financial services work better for everyone. Over 1,000 financial institutions
globally use ServiceNow’s cloud-based platform and solutions to intelligently automate processes and services across their
businesses. So financial institutions can future-proof their customer experiences, employee engagements, risk management,
security, and technology innovation. And we can all create the future of financial services that we imagine.

Learn how automated processes can drive revenue and growth.

Explore how financial institutions are managing technology risk and beyond.

© 2023 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc.
in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.