By Christopher Delporte
Technology risk in banking is increasingly defying traditional risk and compliance approaches and definitions. Institutions of all sizes — if they haven’t already — need to begin rethinking how they address tech risk from an operational level.
According to Reid Sawyer, head of the Emerging Risks Group at Marsh, banks should be raising technology-related issues into enterprise- and board-level conversations and building greater strategic foresight into their risk and compliance programs. Sawyer provides a preview of some of the issues he will discuss as part of his audience-interactive keynote presentation during ABA’s upcoming Risk and Compliance Conference, May 5-7, in Charlotte, North Carolina.
“One of the overwhelming issues is that technology risk is no longer a niche cyber issue — and I would argue that it never has been,” Sawyer told the ABA Banking Journal. “It’s truly now a broader trust, governance, resilience, and even a strategic risk issue for banks.”
Sawyer said banks should rethink how they categorize risk, govern it and, ultimately, escalate it.
“When we talk to chief risk officers and operational risk leaders, there’s a strong recognition that the world has changed but that risk often remains organized in silos, and technology risk doesn’t respect those same silos,” he explained. “The least understood risk we’re facing now is that the decision architecture of a bank is what’s at risk. It’s not an attack surface like a cyber problem or an endpoint detection issue around whether or not somebody can execute a breach. Banks are now functionally all digital platforms, regardless of size, and with the advent and acceleration of open-banking and digital banking frameworks, what’s really at risk now is the decision architecture inside of the banks themselves, especially as banks move to employ more technology such as AI.”
To break through some of the traditional risk channels and thought processes, it helps to move past common “ownership” claims in the corporate hierarchy, Sawyer said. He explained that because there’s so much tech overlap across an organization today — for example, the deployment of artificial intelligence across anti-money laundering or know-your-customer processes — ownership isn’t as cut and dried.
“The last thing any organization needs is yet another committee or standing working group,” he quipped. “The problem is that the types of digital and technology risks we’re talking about are unbound by their very nature. So, who owns what? Is it the chief technology officer, the chief information security officer, the operational or business unit leader that owns it? Suddenly, I now have a technology to accelerate business growth and drive efficiency, and yet I probably have five or six different risk owners that are touching it.”
Banks should build in agility so that their organization can work across business units, recognize where the issues create “cross-cutting problems” across departments and determine how best to respond.
“It’s really the ability to understand how these risks move horizontally [through the bank] and then determine who the right people are to address them. You can gain a vantage point that our normal organizational structures don’t always allow,” Sawyer noted. “That kind of increased coordination can drive more efficiency and speed in the banks,” he said. “For organization leaders and risk and compliance leaders, this becomes a more active conversation.”
Editor’s note: The second part of this series will address banks’ levels of tech risk readiness, how an organization’s size can affect its risk response and the primary issues banks should consider.









