News analysis
EU bank boards face “significant” changes to risk profile: ECB
EU bank boards face significant risk changes in the coming years, as new corporate governance environments put old systems to the test.
That’s according to Anneli Tuominen, Member of the Supervisory Board of the European Central Bank (ECB), who suggested that sustained risk pressure will continue on the financial industry and, in particular, on board members making crucial decisions about short- and long-term strategy.
In a speech as part of a “Board of the Future” seminar, delivered on 27th October 2025 in Florence, Tuominen stressed that, for various reasons, the risk profile faced by financial institutions had seen “significant” changes, and laid out her ideal scenario for the kinds of qualities a capable board would have in the future.
Quick recap: What risk changes do EU bank boards face?
Tuominen called attention to the following areas as drivers of heightened and rapidly evolving risk portfolios:
- Digitalisation. Banks have been exploring new digital operations for years, and the pandemic helped to spur this process forward. Europe is now a major market in the neobanking sector, with companies like Revolut, Bunq and N26 conducting business entirely online. Meanwhile, legacy banks are moving more and more of their operations away from traditional banking to ensure customers have their entire suite of offerings – backed by new tools like AI where applicable – on their phones and computers. However, Tuominen said that this naturally brought more challenges in the cyber and IT spaces.
- Geopolitical risks. Caught in the middle of wider geopolitical standoffs, EU banks must often join in the bloc’s efforts to maintain diplomacy even in the heat of high-profile disputes. The wars in Ukraine and Gaza, the sanctions that can accompany them, and the ever-lingering threat of tariff wars are some examples.
- Hybrid threats – drawing on elements of both of the above and other familiar sources of risk.
Pivotally, Tuominen said that none of these risks will be new to banks. The true issue is that the “magnitude of the threat they pose has increased.”
“The demands placed on banks’ boards have thus risen as the risk landscape in which banks operate has become more complex, underscoring the need for them to have robust governance frameworks in place,” she said.
While stopping short of calling all of this the “new normal”, she did argue that “as the digital transformation is essential for banks’ long-term survival regardless of their business model, many of these risks are not only irreversible but will likely grow in importance over time.”
Is this serious?
While directors in EU banks will very likely be aware of these changing risks already, that doesn’t detract from their seriousness.
It is one of the board’s fundamental duties to stakeholders: asking questions, acquiring complete information, and then making challenging but crucial calls related to risk, and how it integrates with the organisation’s wider strategy.
Banks are often extremely high-stakes environments from a governance perspective. Their importance to the continent’s financial system, combined with the increasing burden of compliance and the risk mentioned above, means that boards have little to no room for error.
The remedy?
The short answer, according to Tuominen, is to have robust governance frameworks in place.
In the context of EU banks in particular, that broke down into three main qualities boards should have to navigate the more challenging risk environment:
“A sound knowledge base and robust ‘awareness’ to guard against risks”
Whether trained internally or sourced externally, directors of EU boards must possess a “collective” knowledge in areas like information and communication technology, security, and new regulations like the Digital Operational Resilience Act (DORA), which provides extensive baseline requirements for financial services to manage IT risks.
“Strong communication and investing in franchise value to avoid reputational risks”
This was a good-news-bad-news situation, according to Tuominen. The good news was that repeated external shocks to the banking sector over the years had helped banks to naturally update their crisis-management response. The bad news was that recent data has shown many banks didn’t have adequate customer-communication processes in place in the event of a crisis.
Over time, we’ve seen – and not just in the banking sector – that poor customer communication has been disastrous for reputational risk. It doesn’t necessarily create a crisis, but it can make an existing crisis far worse. The most critical thing to stakeholders during a crisis is answers. If they don’t get them, their anger and fear will increase, rapidly eroding whatever reputation the company has built for itself.
“Navigating the trade-off between adaption and innovation”
Banks, like many other companies, continuously need to balance desires for short-term improvements and efficiencies vs. long-term innovation and diversification of business.
Tuominen suggested that this balance is being thrown off by the rapid pace of technological advances and risk, creating stronger “winner and loser” scenarios.
Using AI as an example, she stressed that as banks continue to explore this momentous shift in corporate life, they ought to think long and hard about having the right skills on their boards to oversee it properly; otherwise, the long-term element of the delicate balance is in jeopardy.
The bottom line
The ultimate message for EU banks was simple: they are likely familiar with the risks already, but what they need to appreciate is just how much those risks will grow and change.

