In addition to creating efficiencies and opportunities, digital transformations create more concentrated and interconnected risks for financial services firms. In a recent Live Risk panel discussion sponsored by ServiceNow, experts discussed how they are adapting their approaches to these risks and some of the challenges they face as they transition to digital risk management. This article explores the three themes that emerged from their discussion.
Today’s leaders look at the business world through a customer-centric lens. A key driver of technology transformations is the need to serve customers in the seamless way they expect and in line with consumer trends in the digital realm.
Panelists noted that, to manage digital risk, companies must also start from the perspective of the customer, who has evolved their ways of operating and raising awareness since the Covid-19 pandemic. If a company’s central banking or operating system one day fails and it cannot serve its customers, its greatest risk is reputational risk, because today’s customer expects everything instantly.
Regulators have matured very quickly with the customer during the pandemic. Regulation is now outcome-based, which means regulators expect companies’ systems to be resilient and to be able to continue to serve their customers and prevent them from harm. The regulator expects companies’ systems to fail. But as part of operational resilience, they need to be able to recover, know their risks, and not lose their data. They need to have good visibility into their processes as well as transparency into what data they collect as part of onboarding or customer service and what data they hold for third parties.
Many financial services companies have legacy systems and digital domains that need to be upgraded to be able to provide this level of service and resiliency. Many are on their third or fourth digital transformation and are still looking to move their decades-old core banking systems to the cloud, while managing the risk of all the regulatory and customer oversight. Many are building “digital bridges” to navigate it. Simon Cox, Chief Transformation Officer at ServiceNow, said, “They don’t need to flip the switch on their core banking systems and move to the cloud overnight. They can bridge their way through this process with some of the new technologies available.”
These experts agreed that companies need people who understand their organization and the touchpoints in the customer journey and processes where risks arise. They question whether they understand the processes they follow, what their legacy risks of doing business are, and whether they know which business departments matter from a broader operational risk perspective and from a customer-centric perspective. Some have done a thorough analysis of the local standard controls they have. And some are now automating these checks. It is important that the back-end is digitized and automated, and not just the parts of the organization that have contact with customers, because today regulators are asking what the customer outcome is, rather than whether companies have managed their risk.
In addition to the focus on the customer at all levels, joint thinking among financial services firms is much more common than ever before. Participants said there was more interest – from executives in various offices – in the technologies used in different parts of the business. Part of the driver of this cultural change is the Financial Conduct Authority’s Senior Managers and Certification Regime, where business people are responsible for what the systems do and if they are vulnerable.
There should be a common view of risk within organisations, rather than people having an individualistic and narrow view of their work. It is useful for the first, second and third lines of defense to jointly consider whether new risks have arisen as a result of a change in process or operating model. When decisions are made with all three lines of defense, organizations have better visibility into what is happening and when their systems will fail. Hardest may be the cultural change that requires fearlessness from all three lines in the face of this realization. They need to know that they have control, but have different approaches to dealing with risk.
One commenter noted that operational risk specialists are sometimes expected to be accomplished experts. While they may understand the risks, they cannot necessarily advise on how to mitigate them all. But companies can create a more specialist IT risk function by training people with IT knowledge in risk management. This can complement the generalist operational risk function and help ensure business controls are operating effectively. For example, the front line may advise on the current state of information security and actively seek advice from operational risk specialists on the types of controls they need. Or they may have moved a particular environment to the cloud and are seeking advice on whether it was developed correctly. But they need a risk management framework and control environment that helps them make these changes safely. Fundamentally, digital risks should be integrated into a company’s existing risk management framework.
Joint thinking is also important when it comes to investing in digital risk management capabilities. Sometimes funding applications fail when the language imposed on management is too difficult to understand. Those applying for funding need to speak a business language and it won’t necessarily be the biggest technologist in the business.
3. Data Driven
This new business-to-IT view pushes companies to use technology and data to map processes and integrate systems rather than having silos in technology. “That means financial services firms today have smarter, more nuanced ways to mitigate risk when it happens,” Cox said.
Financial services firms focus on having strong, data-driven risk management frameworks. It involves dynamic risk management with social media analysis, frontline commentary and industry news. Here, companies analyze automated or dynamic risk data entering the organization. Cloud providers could be a great source of data, although they tend to have a black box approach.
As one expert said, companies can use all this data for risk management at massive scale. They can incorporate it into their risk models and use new technologies to determine their risk. The volumes of data analyzed mean that the results of checks can cause panic. So there is a change in the way companies present this data once it has been consumed.
To be able to truly protect themselves, companies must automate their controls. But the vast volumes of data can sometimes be a stumbling block. Before wondering what data they have, companies with true digital literacy should first consider the risks they are trying to mitigate or the proofs of concept they want to test. Once the data is available, they need the right direction and governance to effectively manage those risks. They also need to consider whether they have the right people and processes to work with the data and whether the executive function is in charge of oversight. Otherwise, all this data can create a lot of noise and it can be difficult to concentrate.
Businesses are realizing the power of artificial intelligence (AI) and machine learning in the use of big data. However, this does not happen overnight. The reality is that there is an organic process that starts with businesses understanding and using the data they already have. This leads them to understand what data they would like to have in the future. Once they get this data, they can move on to using AI and machine learning to automate.
Financial services firms are following the lead of retailers leveraging the data they collect on consumer behavior patterns for competitive advantage. But regulators are catching up and starting to ask how they are mitigating the risk of these technologies. And financial services firms will also need to be prepared to answer these questions.
The future of digital risk management is heavily data driven. And companies need reliable data sources, which is as much a cultural challenge as it is a technological one. Therefore, it is essential that they have continuous data improvement. This can be done by verifying and validating data through new technologies. Businesses also need AI and machine learning to process the large amounts of data they see. This is still immature in financial services, and culturally companies are still evolving to meet this challenge. Integrated risk management is a priority and is primarily driven by the regulatory response to operational resilience – not causing intolerable harm to the client. This perspective transforms risk management into a much broader exercise and has resulted in a cultural shift towards an environment where everyone’s job becomes risk management.