By Neil Katkov
The improvements banks have made over the past decade to their risk practices are now up against COVID-19—the ultimate stress test for financial risk. The pandemic accelerated not only the demand for efficiency and automation in risk management (as I addressed in a Banking Journal article recently). The challenges presented by the pandemic continue to heighten the need to take an enterprise-wide, real-time approach to managing operational risk.
Today’s fast-moving challenges for banks require modern data management, connectivity and analytics. With the trajectory of the pandemic a moving target that’s influenced by many factors (such as market fluctuations and introduction of a vaccine), banks need to be agile around complex scenario forecasting, considering multiple outcomes regarding liquidity, funding and other aspects of financial risk management.
To keep up with constantly shifting risk factors, integrated risk management is required—on an ongoing basis, using up-to-the-minute data. Such an approach helps banks not only to capture all operational risks, but to address them in real time.
Why integrated risk management is a priority
Traditional governance, risk and compliance, or GRC, platforms come in different packages to support different functions of operational risk, such as capital risk (which involves financial data), IT risk or third-party risk. Each of these functions in a GRC platform is typically siloed and sold separately—possibly to completely different stakeholders within a financial institution. Getting a full view of risks across all of these functions is challenging. When it happens, it is laborious and time consuming.
Integrated risk management is about connecting these siloed functions for a total institutional view of risks. This approach considers business continuity; cybersecurity and financial crime; capital; IT; third-party risks; as well as GRC and strategic enterprise risk management. Integrated risk management uses modern digital techniques to tie all these things together and analyze them in a strategic way to deliver improved insights and greater efficiencies. It also addresses the intersecting needs of colleagues across the organization, including IT architects, line of business leaders, strategists, innovators and the chief information officer or chief technology officer.
Common barriers to integrated risk management
Risk managers at global financial institutions are cognizant of new digital technologies and how they can improve upon the notoriously slow-moving processes currently in place. These technologies and processes come with implementation barriers that may stall or fully stop progress. Some institutions aspire toward integrated risk management, but haven’t yet been able to implement a program. Others don’t have the appetite to rip and replace systems.
Common barriers to an integrated risk management initiative include:
Data challenges. Overreliance on manually-collected data from end-users leads to the inability to automatically collect or analyze significant amounts of quantitative data.
Platform challenges. Even with effective platforms in place, the lack of linkages to existing processes and/or tools used across the different operational risk functions creates inefficiencies. When a program is based on disparate systems, linking it all together is difficult, and analyzing it becomes an even greater challenge. Costs associated with managing multiple systems (such as licenses and IT support) exacerbate the platform challenges.
Organizational challenges. An age-old challenge—how to get various stakeholders aligned behind a large, enterprise-wide initiative—applies here. Difficult as it may seem, getting buy-in from various risk, technology and management teams is crucial for the program’s success. The “moving targets” that result from an evolving business environment and priorities may also prove difficult to manage.
Essential components of integrated risk management
Moving beyond these barriers requires the right data and connectivity. Enhanced insights are available to integrated risk management programs that rely on five essential building blocks. Even without a rip and replace, each element can be a piece that augments capabilities, linking efforts together and providing the capability for analysis.
While the following components focus primarily on the operational risk side, these concepts of how to manage, connect and analyze data can be applied to all types of risk management:
Data management. Data management is enabled by connectivity and analytics to manage that data. Data may include alternative data (e.g., external data, including weather, customer traffic or market data). Management may require putting external data into data lakes along with internal data, then analyzing it using big data techniques.
Connectivity. Modern connectivity requires event-driven, bi-directional APIs (such as representational state transfer, or REST, APIs) to support real-time access to both internal and external data. Key risk factors should be set up on a live, linked basis.
Analytics. To contextually analyze the huge amounts of qualitative data in operational risk (such as data generated through risk assessments), use advanced analytics. These include predictive analytics, artificial intelligence/machine learning, and natural language processing.
Workflow. To put everything together, what’s needed (but not often found in the risk area) is the modern process of robotic process automation. RPA can help create system workflows or automated workflows, increasing efficiencies remarkably. This may include helping with exception handling and putting action plans in place in the enterprise risk management area.
Reporting. In a sense, risk management is all about reporting, then taking action on the reported insights. Many reporting functions have traditionally been done on dashboards, though not necessarily in real time and without advanced visualization functionality. This final building block supports an integrated risk management program through interactive reporting and digitization tools (like graph analysis and link analysis).
In evaluating where to begin, a bank may identify dozens of potential entry points or top priorities. Always look to data management first.
New approaches for the new year
In 2021, as fintech companies and challengers make substantial gains in market share, integrated risk management will also increase in importance. Implementing integrated strategies and turning to real time assessments will help financial institutions weather whatever new stress tests are to yet to come.
Neil Katkov oversees the risk and compliance space at Celent, a global research and advisory firm focused on technology and business strategies in the financial services industry