How do German banks manage the emerging risks from IT innovations, e.g. cyber risk? With a focus on process, roles and responsibilities, field data from ten banks participating in the 2014 ECB stress test were collected by interviewing IT managers, risk managers and external experts. Current procedures for handling emerging risks in German banks were identified from the interviews and analysed, guided by the extant literature.A clear gap was found between Enterprise Risk Management (ERM) as a general approach to risks threatening firms' objectives, and ERM's neglect of emerging risks, e.g. those associated with IT innovations. The findings suggest that ERM should be extended towards the collection and sharing of knowledge to allow an initial understanding and description of emerging risks, as opposed to the traditional ERM approach involving estimates of impact and probability. For example, as cyber risks emerge from an IT innovation, the focus may need to switch towards reducing uncertainty by knowledge acquisition. Since single managers seldom possess all relevant knowledge of an IT innovation, various stakeholders may need to be involved, exploiting their expert knowledge. Runde, 2014;Flage and Aven, 2015). This gives rise to several unanswered questions:Research Question 1 (RQ1): What suggestions can be offered by enterprise risk management to manage these IT innovation-driven emerging risks?Research Question 2 (RQ2): When is an uncertainty understood to be an emerging risk?Research Question 3 (RQ3): Who should be involved in the management of emerging risks from IT, according to banks and consultants?These questions have been largely ignored in both theory and practice (Wilson et al., 2010).In terms of our study, 70% of interviewees had not actively considered emerging IT risks in their risk management. Banks in general adopted a passive stance, waiting to see how things developed, and how other banks responded.The current academic debate suggests that the management of emerging risks, such as cyber risks, requires an enterprise-wide approach (Anginer et al., 2014;COSO, 2017; RIMS, 2010). Not only because such risks can have a far-reaching effect on the operations and reputations of organisations, but also because of the opportunities which can be gained from
AuthorResearch classification and area
Quantitative, qualitative
Research topic Main findingsAebi et al.
