This piece was co-authored by Richard Dupree and
I have written about other aspects of risk management and will continue to do so, but each idea for a new article brings me back to the same fundamental question. Why do we have risk management? What is the value of effective risk management and are financial
services companies optimising their risk management resources and practices to return value to the firm? To answer this question, we need to first understand how we got to where we are today. To best prepare for the future, it helps to understand the past.
Does the history of risk and risk management practices inform current risk and risk management practices? It certainly should. Not all have the benefit of knowing this history and even fewer have the benefit of experiencing some of this history. I happen
to have both. Given this, I thought it would be a good idea to bring in another voice to give balance to the piece: someone who may not share my understanding of the history of risk as a discipline, nor my years of experience practising its different iterations,
but who is himself an active practitioner with a very risk-minded approach.
A History of Risk
Risk is loosely defined as the possibility of something bad happening. The ‘bad’ could be physical harm, financial loss, or other adverse consequence of someone’s action or inaction. Almost as old as the concept of risk itself is the practice of risk management.
Humans have learned to mitigate risk over time by taking actions to reduce their risk. Risk in business can never truly be eliminated but it benefits us all to identify and minimise risks. For example, most of us look both ways before crossing the street.
Our judgement (experience) about whether we can make it across before the cars arrive, our eyesight, and our physical ability to cross the street are all controls that, if effective, should minimise our risk of experiencing a loss (injury or death)
while pursuing the objective of crossing the street. Risk in the financial services industry has evolved more quickly over the past few decades than in its entire history given new entrants, new technologies, and new customer preferences all combining to disrupt
an industry once dominated by the major banks.
We can group risk approaches historically into four main revolutions:
Risk 1.0: Society
As societies formed and matured, it became important to provide guidance and sets of principles with respect to how its citizens should act to maintain the fabric of the society. This was especially important as societies grew in number and geographic footprint.
To consistently address risks across a society, or a kingdom, or a country, laws were enacted to mitigate risks. One of the earliest treatments of risk is risk transference, which is the transfer of risk from an individual or entity to a third party. In these
cases, the risks are not mitigated (as in later forms of risk management), but the potential impact of the risk is redirected to or assumed by another party, as with insurance. Some of the
earliest known insurance-like provisions appear in the Code of Hammurabi, a set of 282 rules decreed by the Babylonian king Hammurabi around 1750 BC. One example of risk transference under those rules allowed the risk of an unpaid debt
to be transferred where a borrower was unable to pay because of a natural disaster, “inability to work and death.”
Risk 2.0: Industry
Risk transference is an effective means of shifting the responsibility of risk, but it does not reduce the risk. Over time, risk transference through insurance as the only means of risk treatment became too costly. In the 1950s, a new discipline emerged
which focused on the management of risks within certain industries and types of activity.
Yet it remained primarily focused on the identification and treatment of financial risks, such as the risk of a direct loss due to factors such as embezzlement, employee or customer injury, machinery malfunctions, and disasters such as floods, fires, earthquakes,
and tornadoes. As companies became larger, more complex, and more global in scope, risks increased and needed to be mitigated rather than simply transferred. This was the birth of modern risk management as a field of study, with documented theory and
process. Even so, it was not until the “early 1970s that the main financial
risk management products appeared, and that the initial theoretical models of modern risk coverage were published.”
Risk 3.0: Corporation
Through an emerging risk management discipline, companies became better at identifying their risks, albeit by line of business, product type, and activity. As an industry, financial services firms had a better understanding of what I would term ‘silos of
risk,’ such as credit risk (risk of loss arising from borrower’s failure to repay a loan), market risks (risk of loss in securities arising from movements in market prices), and operational risk (risk of loss resulting from inadequate or failed processes or
However, what does it mean at the enterprise level when a firm's exposure is concentrated in market and credit risk rather than, say, in credit and operational risk? How does this affect strategic decision-making? How does it
affect the allocation of budget and resources? It was the inability, and even the unwillingness, to aggregate individual risks into a holistic risk profile for risk-based decision-making that, in 2008, led the US into the worst financial crisis since the Great Depression,
one that reverberated globally.
Simply complying with the letter of the law or regulation was no longer sufficient. Risk management as a discipline and a practice had to evolve, elevate to the enterprise level, and include legal and compliance as components of an overall enterprise risk
management framework rather than silos of risk to be managed individually.
Risk 4.0: Customer
As we view the state of risk over the last few decades, we see a fundamental shift in how regulations have affected certain entities. Regulations such as Dodd-Frank, Sarbanes-Oxley, HIPAA, and GLBA are designed
to raise the minimum threshold of accountability that corporations must meet and, in doing so, to protect them from lawsuits over unethical or irresponsible use of customer assets and data.
Moving forward, we see standards such as the Payment Card Industry Data Security Standard (PCI DSS) that are designed not so much to protect corporations as to protect the parties that supply client assets and data. Finally, as
we fast forward to today, we see data privacy regulations such as the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Philippines' Data Privacy Act of 2012 (DPA), and the UK's Privacy and Electronic Communications Regulations (PECR),
all of which benefit the customer and give them more control not only over what data an organisation can collect, but also over what that organisation can do with the data it holds.
Fintechs and neobanks have succeeded by capitalising on a trend in which consumers, not governments and not banks, drive the financial services experience. Consumers are defining new financial services products and experiences and, ultimately,
the risk profiles of these companies. Consumers are essentially driving risk management prioritisation, and companies should give consumers more of what they want and less of what they are not consuming.
Just as fintechs use data and technology to optimise price per transaction, product utilisation, and customer experience, they should use them to optimise risk management. Data should be leveraged equally across all parts of the organisation,
including Risk, because when a firm understands its threats as well as its opportunities and designs its business strategy to maximise growth around both, risk management and, ultimately, returns can be optimised.
Most advanced cultures around the world have experienced similar revolutions, most notably the industrial revolutions.
Each of these revolutions has created its own unique set of risks to be identified, assessed, and mitigated, and each risk revolution has had its own unique approach to risk management. With the benefit of hindsight, we can now debate what worked
and what did not work and what that means with respect to where we are headed. How have we learned from these past risk revolutions? What does this mean for modern risk management frameworks? And how can a company manage its risk profile in real-time while
also keeping its eye on the horizon at what is emerging?
As we seek to answer these questions, companies would benefit from identifying a core set of principles on which to run their organisations and articulate these into comprehensible statements. Some examples might include:
1) We know what services our customers are utilising and our ability to deliver on them;
2) Customer data we obtain is essential to effectively deliver on product and service commitments;
3) We have identified strategic goals and business objectives and our risk strategy is properly aligned to support them.
Statements like these allow a company to shift its focus from merely chasing a certain compliance posture to what matters: identifying and addressing the risks that affect its ability to deliver on business objectives and ensure continuity
of operations. Identifying risks in this way empowers companies to move from a purely compliance-based culture to a more targeted risk-based mindset, reducing compliance scope and concentrating on the risks that either affect the company’s ability
to meet its business objectives or impede continuity of the business.
Where do we go from here?
With an increase globally in privacy laws allowing for portability of data, customers are gaining more control over their data and companies utilising that data (even simply for servicing purposes) have more obligations with respect to how to obtain, use,
archive, and even delete customer data. With data becoming portable, customers will be empowered to shop around more easily for financial services and eventually may even request bids across solution providers. As a result, banks and fintechs will need to
develop a compelling business case for customer acquisition.
This business case will not be very compelling if the company requires more data from its customers ‘to comply with regulatory requirements’ than its competitors do, simply because the risk or compliance team decided that an additional data element, although
not required to satisfy legal or regulatory obligations at the point of onboarding, would be useful should the customer’s activity eventually warrant it. In other words, the company’s approach to risk management can affect the company’s
marketability to prospective customers.
We are already seeing this trend, but customers will eventually drive risk profiles and therefore risk management frameworks just like they drive product features and servicing today. In order to be positioned for success in this future state and to align
most efficiently and effectively to the customer’s risk profile, bank and fintech risk management frameworks must be lean, targeted, flexible, and dynamic. For all of this to happen, banks and fintechs need to re-evaluate the way they currently identify and
treat risks and more than likely start with some serious house-cleaning. This can be achieved in the following ways:
With the sheer volume of compliance regulations and overlapping sets of controls and risks, compliance and risk functions need to merge into a core risk function. This would eliminate duplicate sets of risks and controls and reduce assessment fatigue for
business units. Consolidating into a risk function also changes the way companies address compliance. Just because a company is compliant with rules and regulations does not mean the company is operating within a defined risk appetite or tolerance levels.
Thinking in broader risk management terms, rather than in categories such as Compliance, means pursuing compliance with laws and regulations to the extent that they affect your business model or operating environment and that non-compliance would
impair your ability to meet your business objectives.
Too many companies suffer from what we would call compliance debt: layer upon layer of compliance programmes and remediation efforts that no longer return the investment made in them. Legacy compliance programmes, remediation efforts, control structures,
and the like should all be revisited and considered for elimination. If a process or control does not actively contribute to the company’s ability to meet its business objectives, it is a candidate for elimination. The next candidate for elimination
is superfluous data.
Review what data is absolutely required for the business to run effectively. This is never an area where more is more; less is always more. Eliminating unnecessary data reduces both the scope of compliance and exposure to risk. Reducing both the volume
and type of data to only what is critical will help your risk team cut through the noise and prioritise the data that matters to business success. If collecting a Taxpayer Identification Number for your customer’s customer is not required as part of KYC at account
setup but is required for Ultimate Beneficial Ownership (UBO) screening when a transaction occurs, collect it only as part of the transaction. This may seem a minor detail, but across thousands of such transactions the cumulative reduction in privacy and legal risk
is significant.
The risk here lies not in the account setup but in the movement of money. Address a risk when it actually arises, or is identified as having impact on the organisation, rather than mitigating it in advance just because a transaction might
one day occur. That day may never come, and in the meantime you have introduced additional risks (holding data you do not need) that have nothing to do with attaining your business objectives.
With the increasing volume and dynamic nature of your business, your risks, and your regulatory obligations alike, automation is key to ensuring you are not paying analysts six figures to update a spreadsheet as part of your risk management programme.
Data analytics can collect and correlate data from non-traditional as well as traditional risk and compliance sources, consolidating risks and controls into a single register. Natural language processing can map controls to multiple sets of
regulations automatically, making it easier to identify your compliance gaps and which controls are over- or under-utilised, saving both time and money. This also frees your team to focus on larger, more complex risk issues that return even greater value
to the organisation.
From mitigation to optimisation
It is clear the way risk was identified and addressed historically and even the way risk is identified and addressed currently will neither survive the growing mountain of regulatory requirements nor will it address the evolving demands of the emerging global
customer. A different way of acting and thinking about risk is required.
Rephrasing the question from “how do we become compliant with x?” to “what are my business objectives and what are the risks that will impact my ability to meet these objectives?” creates a more valuable conversation around risk identification, treatment,
and optimisation. Thinking of risk more as a value-add rather than just an expense will help shift the conversation to one of business requirements more generally where risk management becomes simply an integrated component. Discussing risk in this way will
also allow a company to introduce the concept of risk optimisation. In my opinion, too many banks and fintechs are focused on risk mitigation rather than risk optimisation. There will always be an acceptable level of risk a company can undertake in pursuit
of its business objectives and not just in credit and market risks but across the enterprise risk management effort. Finding that optimisation level can create a competitive advantage without having to enter new markets or introduce new products.
Back to Basics
First things first - understand what consumer data you’re currently housing and where, and ask yourself, “Do I need this to run my business?” If not, get rid of it. This process of identifying what stores, processes, or transmits consumer data is critical
to not only defining your compliance scope, but also in addressing your risk exposure. From the marketing side, this also determines what type of information you must have from your consumers in order to do business. Less information needed means more consumers
willing to do business with you.
Next, consolidate your risk and control libraries. Working with other risk functions, such as Information Security, Compliance, Audit, etc., to consolidate your risk registers allows for a holistic view of what operational risks are affecting your business
objectives the most and what controls can be implemented to address those risks. Consolidating can also help inform how you conduct risk assessments. Working to combine needed questions from the business into one assessment can help reduce assessment fatigue
and allow for all parties to get their questions answered in a timely manner.
Finally, identify and prioritise the risks that are critical to achieving your business objectives. This tells you what investment is needed in compensating controls and shifts the focus from a compliance-based mindset to a risk-based one.
As you remediate those key risks, your compliance posture adjusts as well, reducing the number of regulations you must comply with and ensuring that your controls cover your regulatory obligations.
Don’t find fault, find a solution
Everything in this article can be achieved without technology, but it will never be optimised without technology. When it comes to the complexity of mapping risks to controls to assets to regulatory obligations, technology significantly eases this burden.
Data analytics can collect and correlate data from non-traditional as well as traditional risk and compliance sources, consolidating risks and controls into a single register. Once collected, robotic process automation can reduce the number of controls that must be tested manually,
and risk scoring and monitoring against risk tolerance levels can run automatically on established criteria. Natural language processing, machine learning, and other artificial intelligence techniques can map controls from your library
to multiple sets of regulations, making it easier to identify compliance gaps and which controls are over- or under-utilised, saving both time and money and enabling a true cost-of-risk analysis and discussion.
Overlay an integrated dashboard on these solutions and the firm’s risk profile can be articulated and managed in real time, allowing management to make risk-based decisions on current data rather than on a risk assessment performed manually
a year ago.
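As an added illustration of the register consolidation and control-to-obligation mapping described here and in the earlier automation paragraph, the following example code (written for this edit, not from the article or any GRC product) merges three functions' control registers into one library, folds duplicate controls together, maps the library to a handful of regulatory obligations, and reports coverage gaps and controls with no regulatory driver. Keyword overlap is an assumed stand-in for the NLP matching real tooling uses; the registers, the paraphrased obligations, and the overlap threshold are constructed sample data.

```python
"""Consolidated control library, obligation mapping, gaps and utilisation.

Added example, not the article's or any vendor's code. Keyword overlap is an
assumed stand-in for the NLP matching real GRC tooling uses; the registers,
obligations and threshold below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

STOPWORDS = {"a", "an", "and", "the", "of", "on", "in", "for", "with", "to",
             "no", "not", "than", "using", "without", "by", "is", "at", "or"}


@dataclass(frozen=True)
class Control:
    control_id: str
    owner: str          # function that registered it (InfoSec, Compliance, Audit)
    description: str


@dataclass(frozen=True)
class Requirement:
    regulation: str
    ref: str
    text: str


def keywords(text: str) -> frozenset[str]:
    """Lower-cased alphanumeric tokens minus stopwords (assumed NLP stand-in)."""
    return frozenset(t for t in re.findall(r"[a-z0-9]+", text.lower())
                     if t not in STOPWORDS)


def consolidate(registers: dict[str, list[Control]]) -> tuple[list[Control], dict[str, str]]:
    """Merge per-function registers into one library.

    Controls with identical keyword sets are treated as duplicates: the first
    one registered survives and later ones are recorded as aliases of it.
    """
    library: dict[frozenset[str], Control] = {}
    aliases: dict[str, str] = {}
    for controls in registers.values():
        for control in controls:
            key = keywords(control.description)
            if key in library:
                aliases[control.control_id] = library[key].control_id
            else:
                library[key] = control
    return list(library.values()), aliases


def map_controls(library: list[Control], requirements: list[Requirement],
                 min_overlap: int = 2) -> dict[tuple[str, str], list[str]]:
    """For each obligation, list the controls sharing >= min_overlap keywords with it."""
    mapping: dict[tuple[str, str], list[str]] = {}
    for req in requirements:
        req_keys = keywords(req.text)
        mapping[(req.regulation, req.ref)] = [
            c.control_id for c in library
            if len(req_keys & keywords(c.description)) >= min_overlap
        ]
    return mapping


def utilisation(mapping: dict, library: list[Control]) -> dict[str, int]:
    """How many obligations each control covers; zero means no regulatory driver."""
    counts = {c.control_id: 0 for c in library}
    for ids in mapping.values():
        for cid in ids:
            counts[cid] += 1
    return counts


def analyse(registers: dict, requirements: list[Requirement]) -> dict:
    library, aliases = consolidate(registers)
    mapping = map_controls(library, requirements)
    counts = utilisation(mapping, library)
    return {
        "aliases": aliases,                                     # duplicates folded
        "mapping": mapping,
        "gaps": [k for k, ids in mapping.items() if not ids],  # obligations with no control
        "unmapped_controls": sorted(cid for cid, n in counts.items() if n == 0),
        "utilisation": counts,
    }


# Constructed sample registers from three functions (assumption, not real data).
SAMPLE_REGISTERS = {
    "InfoSec": [
        Control("IS-01", "InfoSec", "Encrypt cardholder data at rest using AES-256 keys managed in an HSM"),
        Control("IS-02", "InfoSec", "Quarterly access review of privileged accounts"),
        Control("IS-03", "InfoSec", "Retain customer data no longer than required and delete on request"),
    ],
    "Compliance": [
        Control("CM-01", "Compliance", "Quarterly review of privileged accounts access"),
        Control("CM-02", "Compliance", "Delete customer data on request and enforce retention limits"),
    ],
    "Audit": [Control("AU-01", "Audit", "Annual penetration test of internet-facing systems")],
}

# Constructed paraphrases of obligations (assumption; not the regulations' own text).
SAMPLE_REQUIREMENTS = [
    Requirement("PCI DSS", "3.5", "Protect stored cardholder data with strong cryptography and key management"),
    Requirement("PCI DSS", "7.2", "Review user accounts and access privileges quarterly"),
    Requirement("GDPR", "Art. 17", "Erase personal data on request without undue delay"),
    Requirement("GDPR", "Art. 5(1)(e)", "Retain personal data no longer than necessary for the purpose"),
    Requirement("GLBA", "privacy notice", "Provide customers an annual privacy notice describing data sharing"),
]

if __name__ == "__main__":
    result = analyse(SAMPLE_REGISTERS, SAMPLE_REQUIREMENTS)
    print("duplicates folded:", result["aliases"])
    for key, ids in result["mapping"].items():
        print(f"{key[0]} {key[1]}: {ids or 'GAP - no control mapped'}")
    print("controls with no regulatory driver (review, do not delete blindly):",
          result["unmapped_controls"])
```

On the sample data the run folds CM-01 into IS-02, flags the GLBA notice obligation as a gap, and lists AU-01 as having no regulatory driver. That last flag is the point of the "superfluous controls" discussion, with the caveat the article itself makes: a control with no obligation behind it is a candidate for review, not automatic deletion, since it may still serve a business objective (here, the penetration test is unmapped only because the obligation list is tiny).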
...And don’t blame Elon Musk for the potholes
Banks and fintechs have spent considerable money and brain power evolving their business models and product offerings to provide 24/7 device-agnostic access, faster payment options, integrated invoicing, smart contracts, and other evolutionary features.
Yet in most cases this is all being done on a risk management infrastructure that will never reach a risk-optimised state. I liken it to driving a Tesla on a country road riddled with potholes: you will never truly optimise the Tesla driving experience in
that environment. You need to fix the underlying infrastructure. Our current model for managing risk needs a similar fix.
Getting back to the basics is a good place to start.