Person standing atop white staircase that goes nowhere

Related Expertise: リスクマネジメント、コンプライアンス, コンプライアンス, 金融機関

Global Risk 2021: Building a Stronger, Healthier Bank

By Gerold GrasshoffMatteo CoppolaBernhard GehraKarlo KampmannThomas PfuhlerPatrick A. Uhlmann, and Carsten Wiegand

Banks proved their mettle during the pandemic, delivering vital aid at record speed, creating new processes and systems on the fly, and shifting to remote work. Now, they must tend to their own health. Leaders need to be prepared for heightened uncertainty—and thus risk.

• Leaders must take the pulse of the industry to know what to expect. They should brace for additional loan losses, for instance, and prepare for some countries to be harder hit.

• Then, they must strengthen their core. Moves include upgrading their scenario planning and advancing their compliance and nonfinancial-risk planning.

Click here to learn how bank leaders can get a jump on recovery.

Overview

Banks proved their mettle during the pandemic, delivering vital aid to businesses and individuals at record speed, creating new processes and systems on the fly, and shifting their workforce and operations to remote conditions—all while keeping a close eye on their own financial state.

The fact that most succeeded is a testament to the lessons institutions learned a decade ago after the financial crisis and to their determination to be part of the solution for their communities.

Now, however, banks must tend to their own health. With consumer confidence fragile and many businesses struggling, leaders need to be prepared for a period of heightened uncertainty.

With that uncertainty comes risk. There is little question, for instance, that the next 18 months will feature more defaults and insolvencies as job losses, supply-demand disruptions, and other pandemic-related impacts take their toll. Persistent low interest rates are also likely to remain a fixture, with central banks engaging earlier and more actively than during the financial crisis. Additionally for banks, the deteriorating rating quality of their loan books could make it harder and more costly for them to do business.

Far from being resigned to these risks, however, institutions have the opportunity to address them in ways that fortify their balance sheets and make them more adaptive to change. If the crisis period demonstrated how well banks can react to systemic shocks, the postcrisis period is an opportunity for them to showcase proactive leadership—with the same boldness, tenacity, and vision.

Institutions that commit to developing better sensing and planning capabilities, optimizing risks across the portfolio, and accelerating digitization in core functions will emerge from the pandemic in a position of strength—ready to help businesses and individuals regain their footing and able to create a firmer economic foundation for all.

Taking the Pulse

Banks entered the pandemic better prepared than most other organizations. Regulatory reforms following the financial crisis of 2007–2009 ensured that a majority of institutions had strong capital and liquidity reserves on hand. But resilience has its limits. As the pandemic enters its second year, many banks will need to brace for an uptick in nonperforming loans and the resulting balance sheet impact.

Recognizing that health favors the prepared, leaders that look outward over the next 12 to 18 months, understand which risks loom on the horizon, and shore up their defenses will be more immune to system shocks and better able to guide their customers into a postpandemic future. Here’s our prognosis.

Brace for Additional Loan Losses

The next year is likely to feature more insolvencies, as provisions that spared some companies from bankruptcy expire and the financial toll of the pandemic pushes others over the brink. Data shows that the number of opened insolvency proceedings fell in 2020 compared with 2019. (See Exhibit 1.) But the moratoria on bankruptcy filings that many governments instituted in the second and third quarters suppressed the true extent of business failures. As government relief programs wind down, the actual damage will become more clear. We expect insolvency numbers to grow in the months to come, given the ongoing grind of the pandemic and the time it takes for the full effects of COVID-19 to be fully reflected in corporate financial statements.

In response to the crisis, banks ratcheted up their risk provisions. European banks set aside considerably more for potential loan losses in 2020 than they did in 2019—with average provisions up by 113%. US institutions notched a slightly higher year-on-year increase, with average loan loss provisions rising to a weighted average of 161 basis points from 2019 to 2020, an increase of 137%. (See Exhibit 2.)

Prepare for Some Countries to Be Harder Hit

Although the capital ratios and liquidity buffers established after the financial crisis gave banks critical protection during the pandemic, that cushion might thin in the months ahead if the economic outlook worsens.

That’s especially true for banks in countries where tourism, real estate, or transport makes up a large share of the industrial mix. In both the UK and Spain, for example, estimates prepared at the end of 2020 suggest that gross domestic product (GDP) fell by as much as 11% over the course of the year, with the UK’s woes exacerbated by Brexit. France and Italy also saw economic growth contract, with a dip of about 9% in both countries. Sectoral composition is likely to be a major factor in these GDP declines. (See Exhibit 3.)

Expect Regulators to Stay Flexible, for Now…

Cognizant of the challenges that banks and the wider economy face, regulators are likely to remain flexible. Many will continue allowing banks to use their capital and liquidity buffers and will retain some relaxed provisioning rules.

Although most of these regulatory relief measures are temporary, many regional authorities have confirmed that their pandemic-related guidance will remain in force until the end of 2021 or even 2022. For example, the European Central Bank (ECB) will continue to allow banks to operate below Pillar 2 guidance and combined buffer requirements until at least the end of 2022, without automatically triggering supervisory actions. In the US, the Federal Reserve will continue to extend flexibility to banks with respect to current expected credit losses.

Although banking authorities in Europe and North America have taken a more permissive stance on some capital, liquidity, and risk-provisioning rules, they continue to hold the line in many other areas. In 2020, banks in these regions paid $13 billion in penalties, with the vast majority of that amount forfeited by North American banks. Cumulative penalties since 2009 now total $394 billion, with North America accounting for 61% of that figure and Europe the remainder. (See Exhibit 4.)

Looking to the future, we expect that regulators will place increased emphasis on anti-money-laundering provisions. The European Banking Authority (EBA), for instance, has prepared draft regulation that will require banks operating within the region to impose stricter quality controls in order to reduce the risk of illicit funds passing through their institutions. In the US, the National Defense Authorization Act, put in place in January 2021, expands the country’s financial-crime enforcement over non-US banks. The provisions grant the US Departments of Justice and the Treasury powers to subpoena non-US-bank customer records stored outside the US if the institution maintains a US correspondence account. The act bars foreign banks from quashing these subpoenas on the basis of confidentiality and privacy laws and requires US banks to terminate correspondent banking relationships if a non-US bank fails to honor the government’s request.

Elsewhere, the UK’s major economic-crimes investigative agency, the Serious Fraud Office, has underscored the need for companies to invest in programs and procedures to prevent wrongdoing. The agency has also signaled a willingness to negotiate more-lenient settlements with companies that demonstrate strong compliance programs.

The heightened scrutiny of financial crimes intensifies the risks for banks that do business in affected markets. To mitigate these risks, institutions need to reinforce their compliance practices and engage cooperatively with authorities.

Establish Safeguards Now to Lead in the Postcrisis Period

After demonstrating their tenacity, banks have an opportunity to build on it over the months ahead. Well-positioned institutions that make the right moves now can cement their role as a trusted business partner. Many corporate clients, for instance, will need help managing their working capital, and supply chain financing may provide welcome relief for companies seeking to stabilize their cash flows. Likewise, retail customers may need assistance with refinancing loans to manage debt in some cases and to take advantage of low interest rates in others.

To capitalize on these opportunities, however, banks must reinforce their risk management and compliance capabilities. By securing their own stability, they’ll be able to help others in the broader community regain theirs.

Strengthen the Core

By improving their “sensing” skills, reinforcing their fundamentals, and optimizing their balance sheet and credit portfolios, banks can emerge from the crisis in a position of strength. Our prescription for health involves leaning into six core levers.

Upgrade Scenario Planning

Banks can turn the crisis response mechanisms that carried them through the worst days of the pandemic into a strategic operating discipline. Sophisticated scenario planning can help leaders assess current and emerging trends, weigh interdependencies among them, and gauge the probability and severity of downstream impacts. Such analysis requires banks to change their typical modeling. Instead of static data sets that look at a narrow range of business functions, they need continually refreshed data that allows them to evaluate operational, business, and financial vulnerabilities at the portfolio level.

Given the sweep of the transition, we recommend starting with a limited number of high-level scenarios. Some might model macro trends, such as the speed and scale of the economic recovery, while others look at targeted events focusing on specific industries and regions, like the impact of Brexit on business sectors in the UK. Leaders should then assign a probability weighting to different outcomes, evaluate the potential impacts on the bank, and identify leading indicators to monitor.

They then need to act on these insights, defining trigger-based structural actions and integrating them into their management decision-making processes. Equipped with the right analytics, banks can quickly model how their debt, cash, and liquidity positions might change on the basis of everything from shifting trade patterns, to regulatory moves, to sector-based headwinds. Institutions can build on their scenario modeling over time, posing more complex, multivariable “what if” questions that allow leaders to game out an array of possible futures and their potential impacts.

Shift to Active Credit Portfolio Management

Instead of the buy-and-hold strategy that many credit teams employ, banks should adopt an active-management mindset that expands the credit focus from optimizing returns on individual loans or sub-portfolios to optimizing risk-adjusted returns across the entire credit portfolio. In support of this strategy, chief risk officers (CROs) need to give credit teams portfolio-wide visibility. Enabling that broader view can help institutions avoid undue risk concentrations and be more responsive to changes in the market.

To put this approach into practice, CROs should establish a dedicated credit-portfolio management unit tasked with deriving optimization recommendations. This shift would allow teams to apply diverse risk mitigation instruments, such as collateral optimization and portfolio hedges. But it also requires that units have a clear understanding of which instruments to use for which segments and situations according to the degree of risk posed.

Active portfolio management requires timely execution. To stay abreast of changes, credit teams should move from spreadsheet-based reporting formats that often simply aggregate individual loans, to digital formats that enable comprehensive segment-specific reporting. These reports should include portfolio metrics that monitor such things as concentration risk by industry and geographic area. They should also incorporate risk metrics that measure the distribution of “probability of default” and “loss given default” across the portfolio.

As they set up their new units, CROs also need to ensure that their processes incorporate the necessary approval steps, factoring in capital markets, as well as business and compliance needs, and equipping the unit with the requisite authority, resources, and governance.

Augment Collections and Workout Capabilities

A spike in nonperforming loans (NPLs) may be inevitable, but banks that prepare now can greatly mitigate the impacts. To stabilize their operations and help clients navigate this difficult period, leaders should take three immediate actions:

  • Recalibrate risk segments and thresholds. We recommend that collections units update their segmentation and loan book analyses, drawing on patterns observed in the aftermath of the financial crisis. During the Great Recession, for instance, at-risk customers tended to pay auto loans before mortgages and generally prioritized paying down one favored credit card while letting others default. In workout, units should reassess loan risk across the portfolio, isolating short-term impacts (12 to 18 months) from longer-term trends and using risk-return considerations to classify risk tiers.
  • Refresh early-warning systems. Given the unusual nature of the current risk environment, banks need to broaden their metrics and data sets in order to unearth signs of trouble. In addition to conducting macroeconomic scenario modeling, workout teams should analyze financial data, including company EBITDA margins, cash flows, cost structures, and balance sheets. Metrics such as the cash conversion cycle, days payable and days sales outstanding, net financial position, and interest coverage ratio can give risk teams a more well-rounded view of which customers and segments face the most acute exposures.
  • Realign staffing. Proactive capacity planning can help banks stay on top of the expected surge of collections and workout activity over the coming year. Looking at past patterns can allow teams to identify where staffing needs are likely to be most acute, giving banks a head start in transferring and cross-training staff from other departments to fill those gaps.

In parallel with the quick fixes, banks need to digitize their collections and workout operating models in order to gain longer-term advantages. That starts with clearly articulating the overarching NPL strategy. For some institutions, the priority may be to maximize bank stability. For others, it will be to speed resolution and protect client relationships. Gaining consensus on the broader strategy can give teams more clarity in defining which cases to sell and which to retain and resolve. After aligning on the direction, banks can then create the supporting digital infrastructure:

  • Develop a digital data platform to boost transparency. A simple, intuitive front-end platform can give teams visibility across the portfolio. In workout, for instance, tools used to identify data gaps in calculating risk-weighted assets (RWA), such as missing collateral, can be adapted to the requirements of workout functions, with a goal of making data from the credit contract digitally accessible.
  • Digitize mission-critical processes. Streamlining, standardizing, and automating core procedures can help banks boost productivity and performance markedly. We recommend focusing on one or two critical processes to start. In collections, that might mean shifting telephone outreach and supporting processes to SMS and email in order to align with the increasing customer migration away from landlines. In workout units, the most critical processes include intensive care, restructuring, and wind-down. Breaking these core activities into their component parts can help banks isolate key inputs, interfaces, and pain points and assess which technologies to employ at different stages of the journey.
  • Outline roles and responsibilities. As with any transformation, leaders must ensure clear accountability to minimize bottlenecks and redundancy and maintain strong task and skill alignment. By distinguishing asset classes and loan types by complexity, for example, banks can orient resources and workflows more effectively so that personnel manage the tasks that best suit their expertise. Similarly, splitting loan administration from core risk management can help by increasing transparency and productivity.
  • Establish governance and KPIs. We recommend defining KPIs in three levels: the bank-wide portfolio, the collections and workout portfolio, and segments or subunits. At the workout unit level, caseloads per full-time employee and caseloads resolved per month can be especially helpful metrics. In workout, banks also need to establish clear transition criteria to govern the transfer of loans from the credit risk management department to the workout units.

Optimize the Balance Sheet and P&L

Banks across regions are under increased pressure to shore up their balance sheet health. Many were already struggling with their profitability levels before the pandemic, given stubbornly low interest rates, high levels of administrative expenses, and other performance drags, like large liquidity buffers. As a result, more institutions face deteriorating ratings. The credit agency S&P Global reported 236 negative rating actions on banks globally since the start of the pandemic—nearly one-quarter of which were downgrades.

Decisive moves now may help prevent more downgrades. But leaders need to work methodically, breaking down the balance sheet into its component parts and optimizing layer by layer. (See Exhibit 5.) Examining each core area in detail can reveal areas for improvement that, taken together, can significantly strengthen performance.

In balance sheet management, for instance, changes in the way RWA are managed could unearth substantial value capture opportunities. Examples include securitizations or setting up a bad bank to separate troubled assets from healthy ones. Applying a similar risk mitigation lens at the asset portfolio level can also pay dividends. For instance, institutions can establish RWA limits, eliminate inefficient open lines, and consider ending customer relationships that are likely to remain too costly to serve.

In interest-rate risk management, three improvement levers could help banks increase net interest-income contributions by as much as 10%. These include changing the asset mix in favor of long-term fixed-rate items, using hedge accounting to steer the interest-rate risk position, and improving equity interest-rate modeling to address structural mismatches.

In liquidity and funding management, chief financial officers (CFOs) should challenge their teams to take a fresh look at their liquidity buffer. In some cases, adjusting a buffer’s size, composition, or funding horizon can deliver significant cost savings. Shifting to a centralized buffer model and moving from static to dynamic buffer management can further improve performance.

Similarly, in investment portfolio management, CFOs should consider whether to continue maintaining an investment book. If they decide to retain it, they should explore what size and composition would generate the best returns based on the bank’s risk appetite.

Advance Compliance and Nonfinancial Risk Management

Banks need to take their compliance and nonfinancial risk (NFR) management to a new level. Onboarding flaws, technology breakdowns, misconduct, and other operational failures can have substantial economic and reputational consequences for institutions and their executives. But while banks recognize the growing significance of NFRs, oversight in most organizations remains loosely structured. To better manage these risks—and do so consistently and at scale—institutions need to formalize and standardize their governance framework:

  • Establish a taxonomy. Leaders must ensure that compliance and risk teams have a common language for tracking and discussing relevant risks. Creating a comprehensive taxonomy is an essential step in doing so. To compile that set, banks should cast a wide net and consider the diverse exposures that units face in different markets. They should then standardize the nomenclature around those risks, creating a matrix that lists core risk types and their subrisks.
  • Implement the three lines of defense (LoD) framework. Leaders must link the taxonomy to the governance framework so that risk categories and ownership are clearly aligned—allocating risk owners in the first LoD and risk oversight to specific second LoD functions. Within the second LoD, for example, financial-crime oversight should be assigned to compliance, and cyber risk should be the purview of the chief information security officer (CISO). Although there are no industrywide standards for doing this, banks can use a risk identification matrix to map NFRs to each LoD and delineate specific oversight responsibilities.
  • Build an internal control system. Finally, risk leaders should establish a bank-wide internal control system to ensure quality and consistency in NFR oversight. The aim should be to create a harmonized view of control quality for all risk types so that NFRs are easily quantifiable and comparable.

For banks that have not completed their digital transition, this is the time to double down. Machine learning, automation, web-scraping tools, and other solutions can expedite “know your customer” authentication, enhance screening, reduce false positives, and improve transaction monitoring, all of which can increase control quality and cost savings. To avail themselves of these solutions, banks must ensure that the IT infrastructure is in place to gather and manage needed data, support advanced modeling and applications, and automate essential processes.

Accelerate Digitization with an Emphasis on Cloud Adoption

Given the need for accurate forecasting and timely decision making, bank risk and compliance functions must go digital—not just in isolated areas, but front to back. End-to-end automation of critical risk processes, such as credit, can help institutions respond to changing events with agility. Using AI-enabled analytics, leaders can conduct robust, near-real-time modeling, fine-tune customer ratings, and refresh early-warning indicators. Likewise, straight-through processing can improve workflows and relieve capacity constraints on risk and compliance personnel.

Moving more workloads to the cloud is another way to gain agility and resilience. We recommend that banks prioritize the risk function, where the need for advanced analytical capabilities has soared as a result of regulatory demands—driving up on-premise data and storage costs commensurately. Our experience shows that shifting applications to the cloud could reduce bank infrastructure costs by 15% to 30% by enabling scalable pay-per-use resources that eliminate unnecessary spending on idle time.

In addition, sophisticated cloud-based applications can allow risk teams to do their jobs more effectively, enabling them to run the simulations required under the Fundamental Review of the Trading Book and other complex analyses. They can also house and access large historical data sets to support complex queries and use cases. And because analytical functionality is integrated into many product-as-a-service offerings, bank risk teams can pose analytical queries directly over the cloud interface.

Our data shows that cloud-based solutions have the potential to increase productivity in the risk function by 25% to 30% and shorten the time to market by 30% to 60%. From a cost benefit standpoint, migrating activities such as economic P&L management, value-at-risk assessments, and stress testing to the cloud can be particularly attractive, given the data intensity and variable computing resources required of these activities. Cloud-based credit-rating and scoring models can also deliver significant value. (See Exhibit 6.)

For the cloud transition to be successful, banks must take some preliminary steps. These include regulatory and IT due diligence to ensure that the migration strategy satisfies compliance needs and meets cybersecurity and latency requirements. Risk teams must be trained on the new technologies and the more agile ways of working that the cloud enables. Institutions may also need to renegotiate existing market data and third-party agreements to allow for cloud-based access.

Maintain Peak Performance

Winning the future also requires looking ahead to the foundational capabilities that will define the next generation of leading institutions. Two that can give banks an especially important edge are operational resilience and environmental, social, and governance (ESG) risk management.

Operational Resilience

With volatility likely to remain the norm rather than the exception for the foreseeable future, the financial industry must develop the ability to absorb and deflect disruption, not just in specific areas such as the credit portfolio but throughout the business. Those that master this capability will gain strategic advantage, enabling them to adapt more skillfully and quickly. Products and processes can be made “resilient by design,” for example, and integrated into the bank’s modernization plans. Institutions may also gain a compliance advantage in what is likely to be an area of increasing regulatory scrutiny. Authorities in places like the UK, EU, US, Hong Kong, and Australia have already begun looking more closely at whether a bank’s core processes and practices have the end-to-end resilience to withstand disruption.

Finally, making operational resilience a core discipline can also transform bank management more generally. While formal frameworks may take time to mature, even simple changes that employ a combination of technology, human support, and enhanced controls can markedly improve service stability and reliability. In this respect, operational resilience practices will serve as a smarter, better way to run a bank.

To fast-track development, institutions should establish specific operational resilience teams, either as a new group or integrated within business continuity planning, cyber risk management, or another first LoD function. These teams will also need to collaborate closely with the second LoD, such as risk control.

With guidance from the relevant business lines, such as the head of retail, operational resilience teams then need to identify where service disruption would have the most damaging consequences, be it to customers, market integrity, or the bank itself. Teasing out these vulnerabilities requires looking at the supporting end-to-end delivery chain—the processes, interdependencies, and handoffs involved in executing key tasks. That review should encompass important third-party relationships where bank information or processes could be exposed. The goal is not to determine how much capital to hold against the risk of disruption. Rather, it is to determine what level of risk is acceptable, on the basis of scenario testing, so that the bank can implement appropriate remediations and keep operations running within those tolerance bounds.

Given ongoing changes in the business and within the wider market environment, teams need to update their analyses periodically, much like other annual-review processes, to surface whether there are any new updates or business changes to reflect in the remediation plan.

ESG Risk Management

Bank leaders that step up their ESG risk management capabilities will also be acting in their enlightened self-interest. Regulators in some jurisdictions have already introduced rules that will require banks to strengthen ESG risk management. Financial institutions in Europe, for instance, will soon be expected to demonstrate the ESG impact from the portfolios they are financing. Most of the regulatory focus to date has been on environmental considerations, especially climate impacts, driven by the ambitious goals of the Paris Agreement. Authorities see banks as playing an important intermediary role in helping advance the global transition away from greenhouse gas emissions.

European banks face a tight timeline to implement regulatory requirements. They must define a framework and action plan to manage ESG risks by May 15, 2021. And because ESG will be an integral part of regulatory discussions in the second half of 2021, C-level bank executives will be under pressure to show initial results. The ECB will require financial institutions to integrate ESG into their stress testing by the first quarter of 2022 and have the first EBA disclosures on ESG risks in place by December 31, 2022.

Decision makers should seize the moment. Despite the current focus on environmental risk, banks should consider societal and governance risk factors as well, since regulators will increasingly push institutions to do so. Given that ESG risks are viewed as drivers of many other types of risk (credit, market, liquidity, and operational), banks need to weave ESG-risk-specific insights into their methods and models for all impacted risk types. The most advanced institutions have already integrated ESG risk management into their business and risk strategy, established clear governance, and connected all relevant processes into their framework and are now working on integrating ESG into their core banking processes and methods, including stress testing.

Success will require banks to take five steps:

  • Include ESG in the overall CRO strategy and risk appetite.
  • Embed ESG factors front to back in decision-making processes.
  • Integrate ESG scenarios into the bank’s rating methodology and stress-testing framework.
  • Prepare data requirements for disclosure (including an estimation of Scope 3 emissions under the Greenhouse Gas Protocol—meaning all indirect emissions linked to a bank’s operations and loan portfolio).
  • Build a holistic ESG data model.

Of these steps, building the data model is the most critical. Most banks know what ESG insights they’ll need but lack the data to put them into action. Collecting this data through the credit process will be essential for success. Banks also need to invest in training and specialized capabilities for ESG risk management in order to apply the methodology in a consistent way throughout the loan portfolio.

Institutions that take advantage of this opportunity will not only satisfy regulatory conditions, but will be able to ride the growing wave of interest in ESG products and investments.


By reinforcing their core processes, solidifying their financial foundations, and preemptively acting on emerging opportunities, banks can turn “wellness” into a winning proposition. But they must start now. Building on the guidance presented in this report, leaders can get a jump on the recovery—and their competitors—by taking three steps:

  • Set an ambition. Although planning in short-term increments is normal in a crisis, now is the time for banking leaders to look out over the next two to three years and envision what the “best version” of the institution could be from a risk management and resilience standpoint. Establishing a bold ambition that goes beyond the pandemic horizon can give leaders the runway they need to put strategic changes in motion.
  • Identify “no regrets” actions. Banks should take a hard look at their current financial fitness and identify the most critical potential destabilizers over the next 12 months. They can then align on a set of no-regrets moves to mitigate these risks and ensure that the executive ownership, funding, and accountability are in place to address these issues quickly and effectively.
  • Recognize that change is necessary and also uncomfortable. The financial services industry was in the throes of disruption even before the pandemic. Those trends will continue—and likely accelerate—in the months to come. Banks can either lead the change or have it thrust upon them. By empowering (and rewarding) teams to inculcate a growth mindset and continually test and innovate their approaches, leaders can help put their institutions on a more secure long-term footing.

The banks that embrace the changes outlined here will enter the postcrisis period fitter, stronger, and with the financial muscle to serve as a bulwark for their customers.

The authors are grateful to their BCG colleagues in the Financial Institutions practice and on the risk team, whose insights and experience contributed to this report. In particular, they thank Stefan Bochtler, Til Bünder, Lorenzo Fantini, Norbert Gittfried, Felix Hildebrand, Anand Kumar, Jannik Leiendecker, Giovanni Lucini, Christian Maass, James Mackintosh, Zubin Mogul, Brian O’Malley, and Pascal Vogt.

Subscribe to our Financial Institutions E-Alert.