It's a pleasure to be back presenting to this banking conference. Today I am going to talk about the main risks that banks face, how those risks have evolved and how banks' and policymakers' response to them has adapted. And then, given the Reserve Bank's mandate for overall financial stability, I will discuss when those bank risks can be systemic financial risks.

It's important to note that risk is not a dirty word for banks. Banks' core business is managing risk. When they do that well, by offsetting, controlling and appropriately pricing risk they can increase economic activity and improve welfare. In doing this, banks remove risk from the balance sheets of businesses and households, they facilitate businesses investing and hedging, and enable households to smooth consumption, including by purchasing housing. But when banks don't manage risks well, the consequences can be devastating.

Four main bank risks

There are four main risks that are central to being a bank: credit risk, market risk, liquidity risk and operational risk.

Banks core business is lending money to customers and so they face credit risk with the uncertainty about whether customers will repay those debts.

They also, of course, face market risk with the potential for losses as a result of (unexpected) movements in financial asset values, such as commodities, exchange rates or interest rates.

Banks face liquidity risk from the mismatch of long-dated, illiquid assets – mostly loans – and short-term, liquid liabilities, in particular deposits and money market funding.^[1]

The last of these core risks for banks is operational risk, which is the risk of loss from inadequate or failed internal processes or systems, and human error (see BCBS 2011).

There are many other risks attributed to banks. Many of those are another name for, or part of, the four core risks I've just mentioned. For example market risk encompasses price risk and interest rate risk, while compliance risk, transaction risk, the risk of fraud or business disruption are operational risks.^[2]

These four core banking risks are the same risks that banks have faced for hundreds of years. But the nature of those risks continues to evolve. These risks have been prominent in the past 15 years given two major shocks: the global financial crisis (GFC) and the COVID-19 pandemic.

Core banking risks in recent years

Credit risk is the main risk we think of when it comes to banks and it continues to be the most prominent risk. Certainly since the GFC, it is the risk that the major Australian banks communicate most about, as judged by the number of references to credit risk in their annual reports (Graph 1).

The significance of credit risk was highlighted with the onset of the COVID-19 pandemic. Forecasts of very large contractions in economic activity and rising unemployment led banks to anticipate large credit losses and so substantially increase their provisioning.^[3] As it turns out, losses have been, and are expected to remain, much smaller because of much better than expected economic conditions and direct fiscal payments to affected households and businesses. With smaller credit losses now expected, banks have even started to reduce their stock of provisions as we outlined in our Financial Stability Review.^[4]

Market risk gets almost as much attention in banks' annual reports as credit risk. But Australian banks don't have large investments in marketable securities. Most of their assets are loans, and in particular housing loans. Banks hedge most of the interest rate risk from the maturity mismatch on their assets and liabilities, but they still face market risk on any leftover mismatches in how quickly their assets and liabilities can be repriced.

Internationally, the GFC increased the focus on the valuation of financial securities, particularly those with little price transparency, and so too the attention to market risk for banks that hold significant financial assets.

Liquidity risk has always been important for banks. Historically the focus of banks and policy makers has been on the potential for deposit runs. But the GFC demonstrated that there is just as large a risk of a run on wholesale funding, which can be very fast and damaging to a bank's balance sheet.^{[5] [6]}

The GFC was a crisis that started in the financial system – there were exceptionally expansionary financial conditions before the crisis, which tightened rapidly, even in Australia (Graph 2). While the early stages of the GFC were a liquidity crisis, fairly prompt provision of additional liquidity by central banks greatly reduced that aspect of the crisis.

The COVID-19 pandemic was very different because it was an exogenous shock to the financial system. But central banks quickly saw the potential for tighter liquidity conditions and, to an even greater extent, ramped up the provision of liquidity to forestall any potential for a significant liquidity shock. As a result, financial conditions quickly returned to being expansionary. One consequence of these two events is that, globally, banks have seen that central banks will increase the provision of liquidity in response to large systemic liquidity shocks and so expect there is less need to self-insure against these shocks. Indeed, this can make sense from a societal perspective, as there's a good argument that liquidity can be considered a public good (for example, see Kearns and Lowe (2008)).

However, banks clearly still need to insure against moderate systemic and idiosyncratic liquidity shocks. The global banking reforms that followed the GFC – including the Liquidity Coverage Ratio and Net Stable Funding Ratio in Basel III – mean that banks are much better placed to deal with liquidity shocks. Perhaps because of their confidence in their own liquidity, and the potential for central bank liquidity, Australian banks give less prominence to liquidity risk in their annual reports.

Operational risks have evolved and in general intensified over time, particularly for banks that have become larger and more complex. There is also some evidence that operational risk correlates with macroeconomic conditions and so potentially with the other core banking risks (Aldasoro et al 2020). Internationally there was a spike in operational losses following the GFC related to improper operating practices in the boom prior to the GFC. These included fiduciary breaches, aggressive sales, privacy breaches, account churning and misuse of confidential information. These issues have also had some prominence in Australia with the recent Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.^[7]

‘Emerging risks’

Two bank risks that are getting increasing attention are those stemming from climate change and cyber-attacks. In fact these are not distinct risks – both are representations of the four core banking risks I've just described.

Climate risk

Climate change is part of a broader category of ESG – Environmental, Social and Governance – risks that are getting greater attention, driven by investors.

Two separate risks are typically identified as resulting from climate change:^[8]

• Physical risk is the potential for reduction in a bank's income or the damage to its assets (most notably banks' loans) as a result of the physical effects of climate change, for example from severe storms, bushfires or more extreme temperatures or rainfall, which could reduce crop yields or tourism revenues.
• Transition risk is the potential for losses that could result from changes in policy, technology and behaviours, either in Australia or overseas, that occur as we move to a less emissions-intensive economy.

Physical and transition risks are sometimes referred to as horizontal risks in that they are across the four core bank risks. When it comes to climate change:

• There is credit risk because climate change can result in falls in borrowers' incomes and declines in the value of assets securing loans, either because of physical risk (for example, drought or storms result in smaller crops) or transition risk (for example, a coal miner could experience a sharp fall in the value of their mine if demand for coal falls with policy changes). This is the most significant part of climate risk.
• There is market risk because the risks from climate change could result in falls – or unexpected volatility – in the value of financial assets to the extent that these risks are currently not incorporated into prices.^[9]
• There can be liquidity risk, for example because a bank may not be able to roll over its short-term wholesale funding because investors are concerned about its climate exposure, probably from an increase in its credit or market risk.^[10]
• Banks can also face operational risk from extreme weather. For example, Hurricane Sandy forced banks in New York to close offices.

Just as in other countries, banks in Australia are now paying substantial attention to climate change. Climate change risks now get more mentions in our major banks' annual reports than even liquidity risk, in contrast to not being mentioned at all only a few years ago. While five or 10 years ago, climate risk was not in the job description of a bank chief risk officer (CRO), now the CRO is intimately involved in a bank's response to climate change reflecting the risks (and opportunities) that climate change poses to banks.

But quantifying and pricing the impact of climate change on their risks is challenging for banks. Most banks do not yet have sufficiently detailed data to estimate their exposure, such as disaggregated data on their emissions exposure via their counterparties, or detailed location information for assets that are used as collateral for loans. They also face uncertainty about the impact of climate change mitigation policies and the effects of climate change.

The Reserve Bank has recently published some initial work quantifying the impact of climate change on Australian banks through physical and transition risks (Bellrose, Norman and Royters 2021). That work finds that in regions most exposed to extreme weather, a small share of housing could experience price falls which increases the chance of lenders experiencing credit losses. But for the scenario used and based on available information on the banks' assets, the overall losses for the financial system appear to be manageable. Banks are also exposed to transition risks from their lending to emissions-intensive industries which again exposes them to credit risk, although overall, Australian banks' portfolios appear to be less emissions-intensive than the economy as a whole.

Another important step in Australia in developing banks' and regulators' understanding of climate risks is the Climate Vulnerability Assessment (CVA) being undertaken by the Australian Prudential Regulation Authority (APRA) on behalf of the Council of Financial Regulators (CFR), which includes APRA, along with the Australian Securities and Investments Commission (ASIC), Australian Treasury and the RBA. The CVA is currently being run with the five largest banks and the results are planned to be published next year (see APRA (2021)). The Reserve Bank is assisting in the CVA, including with the macroeconomic environment. Similar exercises are being undertaken in many countries.^[11] APRA has also recently released its Prudential Practice Guide for climate change financial risks.^[12]

Cyber risk

The other (so called) ‘emerging risk’ that is getting increasing attention is cyber risk. Cyber risk is a type of operational risk, which has actually existed for some time. It is the risk of financial loss, operational disturbance or damage resulting from disruption, failure or misuse of IT systems.^[13] Realised cyber risk can take many forms, from theft of funds or other valuable commercial or personal information, to disruption of services, or corruption of data, possibly for ransom.

It is difficult to assess the extent of cyber risk as firms don't tend to publicly disclose attacks and there isn't uniform or comprehensive reporting of cyber-attacks. But everything points to cyber-attacks growing in frequency. The Australian Cyber Security Centre received 13 per cent more reports of cybercrime in 2020/21 than the previous financial year, with a larger share being classified as severe. Various sources also suggest that the financial sector is one of the most targeted sectors.^[14] The Australian banks are also increasingly discussing the cyber risks they face. While the number of mentions of cyber risk in banks' annual reports is still fewer than the four core banking risks, it has much greater prominence today than only a few years ago. The pandemic has increased this risk further with more employees working from home and more digital banking, increasing the possible entry points for attackers.

Cyber risk is in many ways different to other risks banks face as there is an adversary, someone who is trying to profit at the bank's expense. In that sense it is closest to theft, another operational risk. But while bank robbers have traditionally been restricted to being able to steal the amount of cash in a bank branch or armoured car, cybercrimes have a potentially much larger loss for banks. One aspect of cyber risk that is truly different to other risks banks face is that an adversary may actually not be seeking a financial profit, but may just want to disrupt the operations of the bank or the broader financial system. Such motives make it harder to anticipate and defend against cyber-attacks.

The large Australian banks have substantial resources to deploy in their cyber defences, and so are generally regarded to be as well protected as other large firms in Australia. It can be difficult for smaller banks to maintain equivalent cyber defences because of their smaller resources – relative to some other expenses banks face, cyber defences have relatively large fixed costs compared to the variable costs that scale with the size of the bank.

Like all firms, banks have to pay attention not only to their own cyber defences but also those of any third-party suppliers they use. APRA directly supervises around 680 financial entities, but the financial system consists of around 17,000 interconnected entities including third-party service providers, which are all possible avenues for cyber risk. Entities regulated under CPS 234 are required to apply appropriate cybersecurity controls, develop active governance around cybersecurity, and report material cyber incidents to APRA. Regulated entities are also responsible for ensuring compliance by their third-party suppliers (see Summerhayes 2020).

The CFR is piloting a framework for adversarial testing of financial market participants' cyber defences and their resilience. This exercise is mimicking the tactics, techniques and procedures that are used in real cyber-attacks. In doing so, it will test how well banks, and financial market infrastructures more broadly, can detect, respond and recover when faced with an unknown cyber-attack.^[15]

Given the large number of cyber-attacks on Australian banks, it's not really a matter of if there is a major cyber breach but when – a point that APRA has made repeatedly (see for example Byres (2021)). So, as important as banks' cyber defences are, perhaps even more important is their resilience, how they would recover from an attack. This detection and response is an important part of this cyber testing being undertaken by the CFR agencies.

From bank risk to systemic risk

I'd now like to turn to how those core risks to banks can result in systemic risks for the financial system. A stable financial system facilitates the flow of funds between savers and investors and in doing so facilitates economic growth. If the smooth functioning of the overall financial system is disrupted, it can cause substantial harm to economic activity and our daily lives. We only have to think back to the GFC to be reminded of the significant cost globally to employment, incomes and welfare from a financial crisis. The Reserve Bank has a mandate for overall financial stability, and so we carefully monitor these systemic risks.

There are a number of factors that increase the likelihood that bank risk becomes systemic risk including:

• if the affected bank is large
• if the nature of the risk means it is correlated across banks so would be realised simultaneously in multiple banks (this could even be through perception, for example that a deposit run on a small bank precipitates runs on other small banks that look ‘similar’)
• if there is a high degree of interconnection or it affects a critical node of the financial system
• if the realisation of that risk is likely to be persistent and so it would have a long lasting effect
• if it is realised when uncertainty or risk aversion is particularly high (e.g. during a global pandemic).

These factors have elements of credit, market, liquidity and even operational risk. For example, Australian banks have similar portfolios – in particular substantial housing lending – and so have similar credit and market risk. A significant increase in credit risk would affect a large share of banking assets and so could become systemic. The large Australian banks have similar funding structures including which international capital markets they borrow in. So significant realisations of liquidity risk would have the potential to become systemic, although as I noted the Reserve Bank has substantial ability to address a systemic liquidity crisis.^[16] Even operational risk can be systemic if it were to be realised in, say, a central counter party, or spilled over from one bank to others because the affected bank could not meet its payment obligations.

Indeed, even those so-called ‘emerging risks’ – climate risk and cyber risk – are on our radar as systemic risks. Just as banks have paid increasing attention to those risks, so have we at the Reserve Bank. And we too have been communicating more about them, as highlighted by the number of mentions in our Financial Stability Review (Graph 4). The financial risks from climate change are clearly systemic as climate change will affect the portfolios of all banks. Cyber risk need not be systemic. It could affect only one bank, but if that bank is large and interconnected, or the cyber-attack affects a critical node in the financial system, it could very well become systemic.

Conclusions

To sum up, banks today face the same four core risks that they have faced for decades or even hundreds of years: credit, market, liquidity and operational risk. But those risks have evolved, as highlighted by the growing prominence of risks that cross these core risks: climate change risk and cyber risk. How risks are managed has also changed substantially, for example the domestic implementation of the Basel III reforms after the GFC has resulted in banks holding more capital and liquid assets, while the latest capital reforms from APRA make risk weights more sensitive to the risks of different loans.^[17] The upcoming capital reforms will better allocate capital to risk by adjusting risk weights, improve flexibility by increasing the capital in buffers, boost loss-absorbing capacity, and improve the quality and transparency of reporting on regulatory requirements.^{[18] [19]} It is crucial that banks continue to adapt their risk management for these evolving risks, as those bank risks can morph into systemic risks that have the potential for dire consequences for the economy and people's livelihoods.

Endnotes

I would like to thank my colleagues in Financial Stability Department, and in particular Michelle Lewis and Max Sutton, for assistance in the preparation of this talk. [*]

This risk of a run is intricately tied to another key aspect of banking – maturity transformation. Banks' loans mostly have long terms but they have shorter-term liabilities, such as at-call deposits. [1]

There are some other risks that we might think of as falling outside of these four core risks, such as reputational risk and strategic risk, which is that poor decision making leads to lower profitability and perhaps disintermediation. [2]

Banks also offered loan repayment deferrals to customers, see RBA (2020), ‘Households and Business Finances in Australia’, Financial Stability Review, October, pp 21–28. [3]

See RBA (2021), Financial Stability Review, October. [4]

In fact, Shin (2009) argues that short-term wholesale market funding was actually a fundamental problem in precipitating the deposit run on Northern Rock (the first in the United Kingdom in 140 years), which was a high-profile event of the GFC. [5]

The remote potential for a deposit run in Australia has diminished even further since the GFC given the advent of the Financial Claims Scheme, which guarantees the first $250,000 for each depositor at each Authorised Deposit-taking Institution. [6]

See <https://www.royalcommission.gov.au/banking> [7]

In addition to physical and transition risks, liability risks – where parties may seek to recover losses they experience relating to climate change – are sometimes presented as a separate risk arising from climate change. There are of course also significant opportunities for banks as their customers adapt to climate change. [8]

Changes in correlations between asset values or to market liquidity for particular assets could affect risk management assumptions and result in less effective hedging practices. [9]

Alvarez, Cocco and Patel (2020) note that liquidity risk will generally relate to credit and market risk but provide a possible counter example in which a bank faces liquidity risk because its bonds become seen to be ‘brown’ by investors who have a growing preference for new green bonds. But even then, whether its bonds are seen to be brown or green will relate to its portfolio and so the credit and market risks it faces from climate change. [10]

See Network for Greening the Financial System (2021), ‘Scenarios in Action: A progress report on global supervisory and central bank climate scenario exercises’ October. Available at <https://www.ngfs.net/sites/default/files/medias/documents/scenarios-in-action-a-progress-report-on-global-supervisory-and-central-bank-climate-scenario-exercises.pdf>. [11]

See APRA (2021), ‘APRA finalises prudential guidance on managing the financial risks of climate change’, Media Release, 26 November. Available at <https://www.apra.gov.au/news-and-publications/apra-finalises-prudential-guidance-on-managing-financial-risks-of-climate> [12]

While cyber risk is typically taken to relate to malicious actions, the risks to banks can equally stem from failures of their own systems, some of which are euphemistically referred to as ‘legacy systems’. [13]

See for example Accenture (2019), ‘The Cost of Cybercrime: Ninth annual cost of cybercrime study’, available at <https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf>; Aldasoro I, L Gambacorta, P Giudici and T Leach (2020), ‘The drivers of cyber risk’, BIS Working Paper No 865, 20 May, available at <https://www.bis.org/publ/work865.htm> and Bouveret A (2018), ‘Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment’, IMF Working Paper, 22 June, available at <https://www.imf.org/en/Publications/WP/Issues/2018/06/22/Cyber-Risk-for-the-Financial-Sector-A-Framework-for-Quantitative-Assessment-45924> [14]

See CFR (2020), ‘CORIE framework launched to test cyber resilience of Australia's financial services industry’, Media Release No 2020-06, 8 December. Available at <https://www.cfr.gov.au/news/2020/mr-20-06.html>. [15]

This is especially the case since Australian banks hedge the currency risk of offshore wholesale debt and so a liquidity crisis can be resolved with Australian dollars. This is demonstrated by the significant reduction in Australian banks issuance of debt offshore over the past 18 months, in part because of the Reserve Banks' Term Funding Facility. [16]

See APRA (2021), ‘APRA finalises new bank capital framework designed to strengthen financial system resilience’, Media Release, 29 November. Available at <https://www.apra.gov.au/news-and-publications/apra-finalises-new-bank-capital-framework-designed-to-strengthen-financial>. [17]

See APRA (2021), ‘Revisions to the capital framework for authorised deposit-taking institutions’, November, available at <https://www.apra.gov.au/revisions-to-capital-framework-for-authorised-deposit-taking-institutions> and APRA (2019), ‘APRA responds to submissions on plans to boost the loss-absorbing capacity of ADIs to support orderly resolution, available at <https://www.apra.gov.au/news-and-publications/apra-responds-to-submissions-on-plans-to-boost-loss-absorbing-capacity-of>. [18]

See APRA (2021), ‘Guidance on contingent liquidity for locally-incorporated ADIs subject to LCR requirements’, November, available at <https://www.apra.gov.au/guidance-on-contingent-liquidity-for-locally-incorporated-adis-subject-to-lcr-requirements>. [19]

References

Aldasoro I, L Gambacorta, P Giudici and T Leach (2020), ‘Operational and cyber risks in the financial sector’, BIS Working Paper No 840. Available at <https://www.bis.org/publ/work840.pdf>.

Alvarez N, A Cocco and KB Patel (2020), ‘A new framework for assessing climate change risk in financial markets’, Chicago Fed Letter, No 448, November. Available at <https://www.chicagofed.org/publications/chicago-fed-letter/2020/448>.

APRA (2021), ‘Information Paper: Climate Vulnerability Assessment’, 3 September. Available at <https://www.apra.gov.au/sites/default/files/2021-09/Climate%20Vulnerability%20Assessment_1.pdf>

BCBS (Basel Committee on Banking Supervision) (2011), ‘Principles for the Sound Management of Operational Risk’ Bank for International Settlements, June. Available at <https://www.bis.org/publ/bcbs195.pdf>.

Byres W (2021), ‘Banking on an unpredictable future’, Speech at the 2021 AFR Banking Summit, 30 March. Available at <https://www.apra.gov.au/news-and-publications/apra-chair-wayne-byres-speech-to-2021-afr-banking-summit>.

Bellrose K, D Norman and M Royters (2021), ‘Climate Change Risks to Australian Banks’, RBA Bulletin, September.

Kearns J and P Lowe (2008) ‘Promoting Liquidity: Why and How?’ RBA Research Discussion Paper No 2008-06, October.

Shin HS (2009), ‘Reflections on Northern Rock: The Bank Run that Heralded the Global Financial Crisis’, Journal of economic perspectives, 23(1), pp 101–119. Available at <https://www.aeaweb.org/articles?id=10.1257/jep.23.1.101>.

Summerhayes G (2020), ‘Strengthening the chain’, Speech at the Financial Services Assurance Forum, 26 November. Available at <https://www.apra.gov.au/news-and-publications/executive-board-member-geoff-summerhayes-speech-to-financial-services>.