Financial Services are evolving. Technology is enabling expansion of digital channels and customer journeys, while regulation is increasing and non-traditional competitors are obtaining banking licences and beginning to provide basic financial services. PWC’s 2017 report “Risk Mandate and Organisation” observes a clear recognition across banks of the need for risk functions to evolve with changing risk and business environment. Deloitte’s Global’s Risk Advisory Lead, Sam Balaji has signalled each enterprise must form a risk strategy for navigating the upside – product and service innovations, ventures and partnerships transforming business models while managing the downside – cyber security threats, conduct and compliance issues and third party risks.
Digitisation of products, services and processes is a constant within business environments. With digitisation comes digital trust, cyber security, digital journeys and even digital humans. Digitisation is most easily referenced in a customer facing context, but the digitisation of internal processes and tools is also a major shift in operation. Banks particularly have a distributed set of functions involving a range of third party suppliers, with significant regulatory obligations. Banks also operate dual modes, dual speeds, as they integrate legacy systems and processes with next generation technology like APIs, Cloud, RPA and Machine Learning. Many of the newer processes and systems operate in a digital environment, both consuming and generating data. But legacy systems and processes are often manual.
Balancing risk in an internal operating environment, using old and new technology creates disparate risks and disparate risk management needs, whereby some systems and processes produce data and others require physical sampling of reference documents.
Where digitisation has taken place, or is possible, organisations have the opportunity to re-vision risk management tools such as Risk Appetite Statements, Key Risk Indicators and Controls Assurance. Change to these tools can happen by understanding organisation objectives, and data.
Getting to know your data goes deeper than the “5 V’s of data”. Organisations need to examine the data’s cycle, or frequency, the data’s priority i.e. does the data relate to a Key Risk, or alternatively if the data does exist – can it be accessed? All of these considerations influence whether data is a candidate for digitising a Key Risk Indicator, or a Control – or simply creating metrics monitor performance, and trends to manage. Ultimately, enterprises must be able to link data insights from an internal operational environment to the organisations Risk Appetite Statement to observe performance and value.
Blending skills from niche fields can help extract value. Computer science and data science are two of a variety of possible non-traditional, specialised skill sets which have the potential to drastically change how the internal operational environment is understood and managed. Other new ‘risk’ skill sets include Designers and Business Process Managers. By injecting new skills sets there is the ability to recalibrate what is known of our operations (the coal face) through the presence of, absence of, and patterns within, data. There is the opportunity to consider the nature of a problem, and an optimal approach for resolution i.e. is the problem driven by caching? Being able to retrieve the right data at the right time - or is it a sorting problem? Where masses of data exist but lacks order. Designing dashboards and reports with users in mind to create a risk user story can deliver the right information, to the right people in the right way at the right time – this is particularly important for Executives with compliance accountabilities, and for Business Leaders who are responsible for the confidentiality, integrity and availability of systems processing, transporting and storing customer and corporate information. Lastly, by re-examining business processes, enterprises can consider what behaviours (teams) and outputs (systems) those processes drive or incentivise.
Linking digitisation, data, environments operating dual speed technology, and non-traditional skills provides an exciting prospect for forming Risk Appetite Statements, and establishing risk tolerance. A risk appetite statement sets the amount and type of risk an organisation is willing to take to meet it’s strategic objectives. By using data and non-traditional skills, measurable profiles can be built for Key Risks, for which appetites are formed. Observing meta data, patterns, trends and relationships, new insight may be delivered on risk causation, providing an opportunity to rethink Controls vigilance (detection) and resilience (containment). Used effectively, these updated risk tools complement enterprise governance.
In summary, taking an innovative approach to skills in risk teams, prioritising digital investment within internal operating environments and harvesting the data of systems and processes could yield real-time, continuous, monitoring and managing of risk across an enterprise’s diverse functions and partnerships. Linking to risk tools will support decision making and confidence that information is transparent and traceable, delivered to the Business Owners and Executives. In a world of dynamic change, communicating complex content simply, is a highly complex task.