by John Thackeray
Risk Management – The Transformation
Never before in the age of risk management has so much been asked by so many by so few. Risk Management is going through a change management transformation, the likes of which have never been seen before. The key drivers for this change include a persistent volatile environment, a deep longing to be considered a good social citizen, endless regulation, the growth of non-financial risk types, new methods of customer engagement and a need to address past mistakes. The change is being exacerbated by the new operating environment (working from home), which has been enforced by COVID-19, focusing risk management to think differently both in terms of architecture, people, processes, systems and value.
This paper looks at the key drivers and the implications that it poses and suggests a meaningful pathway for the future of risk management by means of change transformation.
The current operating environment in which firms find themselves is anything but benign. COVID-19 has deepened structural fissures within an already existing fragile ecosystem. Negative interest rates, increased compliance costs, zombie loans, the continuing levying of fines for anti-money laundering and corruption have eaten into income and capital. Moreover, the persistence of scandals which are highlighted every week by social media have evaporated any good will towards financial institutions. Many financial institutions have been seen as facilitators of tax avoidance and enablers of financial crimes. The reputation of many is such that customer expectations, sentiment, and engagement are low, with very little confidence in both the products and the messaging of the organizations. Simply put, the financial organizations seem to many of their stakeholders to have lost their way, with no moral compass to lead them, leaving behind a bankrupt and obscure identity.
Having shot themselves in the foot, retribution has come in the form of heavy regulation partly due to past sins but also as an appeaser towards public opinion. The regulators now have the ready-made excuse to appear in the bowels of financial institutions, dictate terms, with an ever-increasing bright spotlight. This oversight extends and reaches on a global basis with regulation that can be retrospective, leading to unspecified fines for past mishaps from multiple agencies and countries.
Given the 2008 financial crisis, there is no longer an appetite to shore up financial institutions and indeed there is an intolerance towards any protest from the firms on the growing depth and breadth of new legislation which has dictated. This legislation has led to more detailed and demanding capital, leverage, liquidity, and funding requirements, data privacy as well as higher standards for risk reporting, such as BCBS 239. The financial guard rails have seen stiffened with more detail and requirements in the US banking system with regards to ‘CCAR” (Comprehensive Capital Adequacy Review) and by European Union guidelines with regards to stress testing, both bodies now seemingly dictating capital and dividend policy.
The growing of non-financial risk i.e. types cyber, model, climate and conduct has had a dramatic effect on financial institutions and their operations. Each risk now has entered the Enterprise Risk Management portfolio and needs to be addressed with urgency. Model Risk has increased with data availability and advances in computing, modelling, and the need to address in quick order pressing legislation such as “CECL” ‘(Current Expected Credit Losses)”. Climate Risk has maintained its ascendancy as an emerging risk with the Bank of England leading the way both in terms of supervision and legislation. Operational resilience has gained a foothold boosted by COVID-19 with a resultant knock on to reputational risk. Conduct risk has escalated as scandals highlighted by social media question the ethics of firms on how far they will go to boost their profits. All these pressing risks by themselves have sequestered an inordinate amount of energy and cost both in terms of mitigating and reporting.
These drivers will have huge implications on the effectiveness and adequacy of business systems and operations. Technology or the increased reliance on it will be seen as a panacea, the gatekeeper that can both thwart the risks and increase the opportunities posed by these drivers. The increased use of technology continues to transform the normal processes and channels of engagement/experience and accentuate the social distancing relationship. Big Data, Machine learning and Artificial Intelligence championed by the burgeoning ranks of the FINTECH are the go-to components to mitigate the effect of the drivers by means of reimagining business processes.
As regulations become more complex and the consequences of noncompliance ever more severe, financial institutions will likely have no choice but to eliminate human interventions to hardwire the right behaviors and standards into their operations, systems, and processes. There will be a need for new algorithms to parse the data, which will need to be reviewed and challenged on a constant basis. Where these interventions cannot be automated, robust surveillance and monitoring will be increasingly critical.
Increased costs have led to an ever-increasing reliance on automation, both in decision making and processes. The amount of big data being generated will enable the more astute to redesign their processes using a comprehensive data management set of both public and private data sets. Processes such as underwriting will be digitalized, information submitted need only be scanned and verified without any in person engagement.
Artificial and machine learning will be used in behavioral analysis and remove a lot of the expert judgement required by risk officers, therefore eradicating any biases within the decision-making process.
Advances in technology will also help in the key areas of stress testing and scenario planning, especially in evaluation of climate risk within the portfolio. This advancement will lead to the multi-dimensional understanding of risks with complex models that need to be adjusted. While existing scenario analysis or stress testing frameworks can be leveraged, climate risk scenario analysis differs from the traditional use of these with longer time horizons, description of physical variables and generally the non-inclusion of specific economic parameters. These idiosyncrasies mean that data and climate scientists and engineers will need to be absorbed within the existing risk management structure. Moreover, stress testing and scenario planning will also have to incorporate operational sustainability and resilience which may call for significant contributions from external third parties to help complete the analysis and evaluation.
The Target Operating Model of Risk Management of the future will be very different, with the risk professionals armed with a new set of technology tools and new skillsets. In order for it be an enabler, the organization needs risk to transform its vision and redefine its role structurally given that many risk professionals will now need to work from a home environment. The main strategy will involve a heavy reliance and incorporation of new technology to both right size and reimagine risk management practices.
Listed below are some suggestions, which no doubt can be modified depending on the size and complexity of the organization.
• Risk management will be seen as foremost Firm Culture Champions and then Risk Culture Champions. Building and maintaining these identical and symbiotic cultures will be critical to ensuring the success of both the enterprise and risk function of the future. The combination of these cultures is likely to be a requisite element in a firm’s future competitive advantage. The secret recipe is to start with the risk culture first and then distribute and evangelize, so that both cultures will include a vision that will include the advocation of a strong corporate value. In order for this to take root, the firm will need to monitor and survey on a regular basis the action of its employees, no doubt enhanced by technology.
• The Chief Risk Officer (“CRO”) will be seen as a Champion of the firm and will be one of the stronger internal candidates to succeed the CEO. He/she will have to become an exceptional narrator who, armed with data, can convey and articulate the message of today. The brave new normal will call for greater transparency around disclosures concerning IT/Supplier disruptions, Operational resilience, Cyber-attacks, Sustainability, Climate change. The CRO must be able to engage in the conversation with the right message and be the voice piece of the firm backed by the data.
• The risk stripes will have to be reorganized structurally around correlated risk stripe clusters e.g. Fraud, Operations, Technology, IT Security, Compliance, Human Resources, Model, Conduct, and Reputation Anti Money Laundering will all come within the same coordinated structure and governance rather than standalone silos. The synergies will result in smaller teams of agile multi discipline staff with a depth and breadth of knowledge in one or more of these subject areas.
• The Risk Personnel with be multi trained in data analytics as a starting point and have the ability to match this with practical experience in all risk stripes. The tour of duty will include cross training in the various risk disciplines which will enable the team to speak a common language while applying consistent standards. Risk professionals will be expected to wear many hats, expectations high on delivery and communication skills.
• The risk management ecosystem will demand a comprehensive enterprise wide data base which is expected to help financial institutions create a repository for all types of structured and unstructured data. Since risk functions in the future are expected to become increasingly data driven, the supporting data infrastructure is a critical enabler. This data will have many uses and create a data driven analytical risk area which will need to be resourced by staff with multiple skill sets. Understanding the data will improve overall quality, aggregation capabilities, and risk reporting timeliness thus affording the management information systems to be displayed in a means that offers the users, a great deal of information in real time, improving the quality and timeliness of fact-based decisions.
Broader responsibilities, better trained, smaller, multi risk disciplined, data hungry, these will be the new requisite qualities of risk personnel. Change will happen. The question is – are you willing to embrace the change or not. The firm that thinks ahead with this mind set will be the one left standing not only with a competitive advantage but also with an enhanced reputation.