Adapting to a fast-changing risk landscape can sometimes feel like learning how to juggle while riding a unicycle on a tightrope. With every move forward, it seems like a new risk is added to the mix, be it digital disruption, competitor threats, regulatory pressures, misconduct, shifting customer preferences, or geopolitical uncertainties. How can banks and financial services institutions effectively manage all these risks while keeping up with the pace of change in internal and external environments?
There are multiple ways by which a customer’s personal information, entrusted to a bank, can fall into the wrong hands, compromising the customer’s safety, as well as the organization’s revenue and reputation. These risks, coupled with growing regulatory pressures around information security, make it imperative for financial institutions to have a robust data governance program in place.
Multiple aspects need to be considered when building such a program. For instance, many organizations have some level of dependency on legacy systems, which need to be fortified with rigorous defense measures such as access control protocols, continuous security monitoring, isolation of vulnerable components, and disconnection from high-risk endpoints. Basic cybersecurity hygiene needs to be prioritized as new types of malware, control failures, and hacking incidents are brought to light.
Advanced IT risk management technology can strengthen the overall maturity of data security processes. It can help consolidate and harmonize security risk-related data from various sources such as vulnerability scanners, security intelligence feeds, and threat management tools. By unifying all this data in “a single source of truth” that is then mapped to IT assets, the system can enable organizations to understand their risk exposure, and prioritize their mitigation efforts accordingly.
To truly understand the impact of emerging risks—particularly non-financial risks like reputational risks or cyberattacks—banks and financial institutions need to be able to quantify these risks in financial terms. For example, how much would a security breach cost? What capital outflows might it trigger? What kind of financial impact will it have on the organization’s reputation?
The impact of non-financial risks is large and visible. Not only do these risks result in revenue losses and fines, but they also lead to long-term erosion of shareholder value. The 2018 Edelman Trust Barometer reported that financial services is among the least trusted sectors globally. In 2019, the industry moved up the trust curve by 2 percent, but there still remains a long way to go.
Financial institutions need to evolve towards providing accurate, quantifiable insights on losses. A strong data infrastructure provides the backbone for reporting and analytics, highlighting the aspects of the institution’s reputation, credibility, and trust that could be negatively impacted. These insights can then help management teams make more confident decisions about where to direct their risk investments.
Employees in the first line of defense—be it the teller at the bank or the insurance agent in the field—are constantly interacting with customers, other employees, and third parties. They are therefore likely to have important insights on potential issues, incidents, and risks. Harnessing their knowledge can be a powerful way of helping risk functions and other stakeholders understand latent risks.
Many organizations use integrated risk solutions with inbuilt surveys to support the front line in reporting risks, incidents, and issues. This data is then routed to the second line of defense for further investigation and analysis. Other organizations are beginning to go a step further with AI-enabled chat interfaces that can automatically capture data from the front line through a casual conversation with users. Not only is this approach engaging and simple, but it also minimizes the need for user training.
The key is to make risk reporting for the front line as easy and efficient as possible. The more engaged that employees are in communicating issues, the better the quality of insights that flow up to the management and board for informed decision-making.
Of the top emerging risks that confront banks, 80% are usually external, while 20% are internal. These dynamic risks—ranging from investment and operational risks, to geopolitical and cyber risks—can impact an organization at several levels. For example, a tweet from the leader of a nation can affect trade relations, as well as national security.
While tabletop exercises can be useful in evaluating the impact of these risks, structured risk assessment processes are also essential. So are regular meetings with stakeholders to track the progress of risks. Ideally, the results of independent risk evaluations should flow back to the risk register for analysis and monitoring. It also helps to combine internal risk findings with industry data to provide a holistic risk picture.
After every line of defense has identified, assessed, and reported their risks, the data needs to be converted into actionable mitigation plans. With support and direction from the board, a clear mitigation strategy can be defined and adopted globally.
It’s important to keep an eye on the risks and issues impacting other financial institutions and industries. For instance, the recent cybersecurity and privacy incidents at a leading social media network, as well as a multinational investment bank, provide valuable insights on the financial impact of digital risks. These insights can help financial institutions learn how to quantify non-financial risks in their own organizations.
Once the risks have been assessed, controls and other mitigation plans can be tested and monitored. With an integrated risk management program, this process becomes easier.
Effective risk management cannot be achieved in a vacuum. It requires engagement from all the lines of defense. Only when the business, as well as risk, compliance, and audit functions collaborate and share data with each other, can the organization effectively understand the risks that matter.
At a leading mortgage financing enterprise, risk and control taxonomies have been standardized, so that the three lines of defense can easily identify, collate, and organize risk data, while understanding inherent risk relationships. Teams leverage a common enterprise risk management framework, methodologies, and classifications to improve risk visibility at the enterprise level, as well as the process level.
The lines of defense also work together to define and approve the issue management process – including process standards, issue definitions, classifications, severity levels, and reporting workflows. This collaborative approach facilitates consolidated reporting to the management team who can then respond to critical issues proactively and effectively.
In today’s highly dynamic business environment, executives and boards are looking to the CRO to provide a holistic and proactive view of the risks that could impede their organization’s performance, or jeopardize its market viability.
The CRO is the custodian of the organization’s market reputation, and is therefore entrusted with the responsibility of ensuring that all internal employees, as well as external collaborators, are aware of the risks associated with their actions, and are guided to behave in accordance with the organization’s risk posture and appetite.
Most CROs have the insights that can help their organizations translate risks into opportunities. Their understanding of risk impact also provides the guardrails needed to keep the business on track.
Financial institutions are increasingly engaging third parties for data analytics, process outsourcing, fintech, enterprise applications, and other requirements. But with these third parties come new risks and vulnerabilities.
Earlier this year, the UK’s top financial regulatory authorities imposed severe fines on an independent bank for failing to implement sufficient oversight on an outsourced provider of technology services. A few months later, a leading European bank reported that they had suffered an unauthorized data breach through a website hosted by a third party.
Incidents like these underscore the importance of effective third- and fourth-party risk management programs with due diligence and monitoring processes. A robust third-party management system can help in this effort by mapping each third party to the associated risks, controls, regulations, business units, sub-contractors, and other data elements. That way, at a glance, management can clearly understand each third party’s risk profile and impact.
Well-defined third-party onboarding processes are also essential. The risk parameters for onboarding should be updated based on evolving business risks.
In an age of growing weather-related disasters, cyber-attacks, and other crises, financial institutions need to be prepared to recover quickly, while also minimizing disruptions to their operations. By making business continuity planning an integral part of their overall operational risk and resilience strategy, organizations can effectively manage disruptive risks.
A good practice is to channel data on “known knowns” and “known unknowns” from enterprise risk assessments to the business continuity team, so that they can proactively prepare for these risks. A common risk register can make this process easier by facilitating the flow and sharing of data.
Another best practice is to track high-impact “near misses” in the operational risk management program. This data can provide relevant and timely intelligence on potential disasters that are likely to affect the organization. Accordingly, users can design targeted business continuity plans.
The advent of AI and predictive analytics has opened up new opportunities for financial institutions to anticipate future business continuity risks. These cognitive technologies make it easier to identify risk patterns and pockets of high-risk concentration that business leaders can then proactively act on and mitigate.
Employees who are uninformed or disengaged from risk management practices can be a serious liability to their organizations. In fact, the EY Global Information Security Survey 2018–19 found that 34% of organizations globally view careless or unaware employees as their biggest vulnerability. Robust policies and compliance training programs can be useful in preventing these issues, but they are often not frequent or pervasive enough.
On the other hand, policy training processes that are more dynamic and continuous can foster a culture of good risk management practices. Similarly, when policies are standardized and centralized, employees can access them easily. The more that these employees understand about what they should and shouldn’t be doing, the more likely they are to be compliant.
To keep pace with a rapidly evolving risk landscape, it helps to have an integrated risk management (IRM) program that allows decision-makers to understand how various risks such as strategic, operational, IT, vendor, and digital risks are connected to each other, as well as to the compliance, audit, and legal data universes.
Many financial institutions have deployed a single, unified IRM system to identify, assess, manage, and mitigate multiple risks in line with pre-defined risk appetites and tolerance levels. The system delivers early warnings on evolving threats and their impact on the future risk profile of organizations. It also harmonizes risk categorizations, terminologies, approaches, and rating scales, thus making it easier for organizations to report and track risks.
As risks continue to change and evolve, financial institutions will need to be agile and efficient in how they respond. Proactive risk strategies and processes, as well as robust risk management tools, will go a long way towards helping business leaders capitalize on the opportunities ahead, while mitigating the downside risks.