As well as creating efficiencies and opportunities, digital transformations are creating more concentrated and interconnected risks for financial services firms. In a recent Danger Live panel session sponsored by ServiceNow, experts discussed how they are adapting their strategies to these risks and some of the challenges they are addressing in the transition to digital risk management. This article explores three themes that emerged from their discussion.
1. Focus on the customer
Today’s executives view the business world through a customer-focused lens. One of the main drivers behind technological change is the need to serve customers in the seamless manner they expect, in line with consumer trends in the digital arena.
The panellists noted that, to manage digital risk, companies must also start from the perspective of customers, who have changed their operating methods and awareness since the Covid-19 pandemic. If a company’s core banking or operating system goes down one day, and it can’t service its customers, its biggest risk is reputational risk because today’s customer expects everything instantly.
Regulators have matured quickly with the customer during the pandemic. Regulation is now outcome-based, which means regulators expect companies’ systems to be robust and to be able to continue servicing their customers and avoid any harm to them. The regulator’s expectation is that the companies’ system will break. But as part of operational resilience, they must recover, know what their risks are, and not lose their data. They must have good visibility into their processes as well as transparency around the data they collect as part of customer onboarding or servicing and the data they hold for third parties.
Many financial services companies have legacy systems and digital estates that need upgrading to provide this level of service and stability. Many are on their third or fourth digital transformation and are still learning how to move their decades-old core banking systems to the cloud, while managing all the risk of regulatory oversight and customers. Many are building ‘digital bridges’ to navigate it. Simon Cox, chief innovation officer at ServiceNow, said: “They don’t have to pull the switch on their core banking systems and move to the cloud overnight. They can bridge their route through that process using some of the new technologies available.”
These experts agreed that companies need people who understand their organization, the touchpoints in the customer journey and the processes where risks arise. They ask themselves whether they understand the processes they follow, what their inherited business risks are and whether they know their important business services from a broad operational risk perspective, through a customer-oriented lens. Some do a thorough deep dive into what local standards controls they have. And some are now in the process of automating those controls. It is important that the back end is digitized and automated, not just the customer-facing part of the organization, because regulators are now asking what the outcome is to the customer, rather than whether companies are managing their risk.
As well as focusing on the customer at all levels, there is more integrated thinking in financial services companies than ever before. Participants said there was more interest – from executives in different offices – in technologies used in different parts of the business. Part of the driver for this cultural change is the Financial Conduct Authority’s Senior Managers and Certification Regime, which holds traders accountable for what systems are doing and whether they are vulnerable.
There should be an integrated view of risk within organizations, rather than people having an individualistic, narrow view of their jobs. It helps if the first, second and third lines of defense are jointly assessed for new risks that arise as a result of changing a process or operating model. When decisions are made across all three lines of defense, companies have better visibility into what’s going on and when their systems will fail. The hardest part may be the culture change that requires courage from all three front lines of this awareness. They need to know that they are in control, but they have different strategies on how to deal with risks.
One panellist noted that operational risk specialists are sometimes expected to be absolute experts. While they understand the risks, they don’t necessarily advise how to mitigate them all. But companies can create a more specialist IT risk function by training people with an IT background in risk management. This can complement the generalist operational risk function and help ensure that the company’s controls are working effectively. For example, the first line can advise on the current state of information security and proactively seek advice from operational risk specialists on the types of controls they need. Or they may have moved a particular environment to the cloud and asked for advice on whether it was built correctly. But they need a risk framework and control environment that supports them to make these changes safely. Importantly, digital risks must be integrated into a company’s existing risk management framework.
Integrated thinking is also important when it comes to achieving investment in digital risk management capabilities. Sometimes applications for funding fail when the language imposed on management is too difficult to understand. Those seeking funding must speak the language of business and not that of the company’s best technologists.
3. Based on data
The new joint venture-in-IT view pushes companies to use technology and data to map out processes and integrate systems rather than having technology silos. “This means that financial services companies today have smarter ways of mitigating risks when they occur,” Cox said.
Financial services firms are committed to having robust, data-driven risk management frameworks. This includes dynamic risk management with social media analysis, frontline feedback and industry news. Here, companies analyze automated or dynamic risk data entering the organization. Cloud providers can be a great source of data, although they tend to have a black-box approach.
As one expert put it, companies can use all that data for risk management on a hyper scale. They can incorporate this into their risk models and use new technologies to determine their risk. The amount of data being analyzed means that the results of the controls can create panic. So there’s a shift in how companies display that data once it’s consumed.
To truly protect themselves, companies must automate their controls. But the vast amount of data can sometimes be a hindrance. Before asking what data they have, companies with true digital literacy should first consider the risks they are trying to mitigate or proofs of concept they want to test. Once the data is available, they need the right focus and governance to effectively manage those risks. They also need to consider whether they have the right people and processes for working with the data and whether the senior management function has oversight. Otherwise, all that data can create a lot of noise and it can be hard to focus.
Companies are on their way to realizing the power of artificial intelligence (AI) and machine learning using big data. However, this does not happen overnight. The truth is that there is an organic process that starts with companies understanding and using the data they already have. That leads them to understand the data they want to have in the future. Once they have that data, they can move on to use AI and machine learning to automate.
Financial services companies are following the example of retailers who rely on the data they collect on patterns of consumer behaviors for a competitive edge. But regulators are catching on and starting to question how they mitigate the risk attached to those technologies. And financial services companies must also be prepared to answer those questions.
The future of digital risk management is highly data driven. And companies need trusted sources of data, which is a cultural as well as a technological challenge. Therefore, it is critical that they have continuous improvement in data. This can be done by checking and validating data through new technologies. Companies also need AI and machine learning to process the vast amounts of data they see. It is still immature in financial services, and culturally, companies are still evolving to meet this challenge. Integrated risk management is a focus and primarily driven by regulatory compliance with operational stability – not causing intolerable damage to the customer. This perspective makes risk management a broader exercise and has driven a cultural shift in an environment where everyone’s job becomes risk management.