Financial services firms take a wider approach to managing digital risk

As well as creating efficiencies and opportunities, digital transformations create more concentrated and interconnected risks for financial services firms. In a recent Risk Live panel session sponsored by ServiceNow, experts discussed how they are adapting their approaches to these risks and some of the challenges they are addressing in the move to digital risk management. This article explores the three themes that emerged from their discussion

1. Customer-focused

The executives of today look at the world of business through a customer-focused lens. One of the main drivers behind technology transformations is the need to service customers in the seamless way they expect and in keeping with consumer trends in the digital arena.

The panellists noted that, to manage digital risk, firms must also start from the perspective of the customer, who have evolved their ways of operating and awareness since the Covid-19 pandemic. If a firm’s core banking or operating system breaks down one day, and they can’t service their customers, their biggest risk is reputation risk because today’s customer expects everything instantly.

Regulators matured very quickly along with the customer during the pandemic. Regulation is now outcome-based, which means regulators expect firms’ systems to be resilient and for them to be able to continue servicing their customers and preventing any harm to them. The regulator’s expectation is that firms’ systems will break down. But as part of operational resilience, they must be able to recover, know what their risks are, and not lose their data. They should have good visibility on their processes as well as transparency around the data they collect as part of customer onboarding or servicing and the data they hold for third parties.

Many financial services firms have legacy systems and digital estates that need upgrading to be able to provide this level of service and resilience. Many are on their third or fourth digital transformation and are still working out how to move their decades-old core banking systems to the cloud, while managing the risk of all the regulatory oversight and customers. Many are building ‘digital bridges’ to navigate this. Simon Cox, chief transformation officer at ServiceNow, said: “They don’t need to pull the switch on their core banking systems and move to the cloud overnight. They can bridge their route across that process with some of the new technologies available.”

These experts agreed that firms need people who understand their organisation and what are the touchpoints are in the customer journey and the processes in which risks arise. They are asking themselves if they understand the processes they follow, what their inherited risks of doing business are and whether they know their important business services from an operational risk perspective broadly through a customer-focused lens. Some have done a very thorough deep dive into what local standard controls they have. And some are now in the process of automating those controls. It is important that the back end is digitalised and automated, not just the customer-facing parts of the organisation. Because today, the regulators are asking what the outcome is to the customer, rather than whether firms have managed their risk.

2. Joined-up

As well as the focus on the customer at all levels, there is much more joined-up thinking across financial services firms than ever before. Participants said that there is more interest – from executives in various offices – in the technologies being used in different parts of the business. Part of the driver for this cultural change is the Financial Conduct Authority’s Senior Managers and Certification Regime, where business people are accountable for what systems are doing and whether they are vulnerable.

There should be a joined-up view of risk within organisations, rather than people taking an individualistic, narrow view of their jobs. It helps if the first, second and third lines of defence examine jointly whether any new risks have arisen as a result of a process or operating model having changed. When decisions are made with all three lines of defence, firms have better visibility over what is happening and when their systems are going to fail. The hardest part can be the cultural change that requires intrepidity from all three lines in the face of this awareness. They need to know that they are in control, but that they have different approaches in how to tackle the risks.

One panellist noted that operational risk specialists are sometimes expected to be the consummate experts. Although they can understand the risks, they cannot necessarily advise on how to mitigate all of them. But firms can create a more specialist IT risk function by training people with IT backgrounds on risk management. This can supplement the generalist operational risk function and help ensure that the firm’s controls are working effectively. For example, the first line can advise on the current information security state and actively seek out advice from operational risk specialists on the types of controls they require. Or they might have moved a particular environment to the cloud and seek advice on whether this has been correctly developed. But they need a risk framework and control environment that supports them to make these changes safely. Crucially, digital risks should be integrated into a firm’s existing risk management framework.

Joined-up thinking is also important when it comes to achieving investment in digital risk management capabilities. Sometimes applications for funding fail when the language imposed on the management is too difficult to understand. Those pitching for funding must speak a business language and this will not necessarily be the firm’s greatest technologist.

3. Data-driven

This new joined-up business-to-IT view drives firms to use technology and data to map out processes and integrate systems rather than have silos in technology. “This means that financial services firms today have cleverer more nuanced ways of mitigating risks when they happen,” said Cox.

Financial services firms are focused on having robust, data-driven risk management frameworks. This involves dynamic risk management with an analysis of social media, frontline feedback and industry news. Here, firms are analysing the automated or dynamic risk data coming into the organisation. Cloud providers could be a great source of data, though they tend to have a black-box approach.

As one expert said, firms can use all that data for risk management at a hyper scale. They can integrate it into their risk models and use new technologies to determine their risk. The volumes of data being analysed mean the results of controls can create panic. So there is a shift in how firms are presenting that data once it has been consumed.

To really be able to protect themselves, firms must automate their controls. But the vast volumes of data can sometimes be a stumbling block. Before asking what data they have, firms with real digital literacy must first consider the risks they are trying to mitigate or proofs of concept they want to test. Once the data is available, they need the right focus and governance to manage those risks effectively. They also need to consider whether they have the right people and processes for working with the data and whether the senior management function has oversight. Otherwise, all that data can create a lot of noise and it can be hard to focus.

Firms are on their way to realising the power of artificial intelligence (AI) and machine learning in the use of big data. However, this doesn’t happen overnight. The reality is that there is an organic process that starts with firms gaining an understanding of and using the data that they already have. That leads them to understand the data they would like to have in future. Once they get that data, they can move to using AI and machine learning to automate.

Financial services firms are following the example of retailers that rely on the data that they collect on patterns of consumer behaviours for a competitive edge. But regulators are catching up and starting to ask how they are mitigating the risk attached to those technologies. And financial services firms will also have to be ready to answer those questions.

Conclusion

The future of digital risk management is heavily data-driven. And firms need trusted sources of data, which is as much a cultural as well as technology challenge. Therefore, it is critical that they have continuous improvement in the data. This can be done by checking and validating the data through new technologies. Firms also need AI and machine learning to process the vast amounts of data they are seeing. This is still immature in financial services, and culturally firms are still evolving to meet this challenge. Integrated risk management is a focus and is primarily driven by the regulatory response to operational resilience – not causing intolerable harm to the customer. This perspective turns risk management into a much wider exercise and has driven a cultural shift to an environment where everyone’s job becomes risk management.

Learn more about managing risk and resilience in real time at ServiceNow

Sponsored content