Should risk management rein in digital or help accelerate it?

Risk management must keep pace with technology-driven change, and take the front seat in helping banks to achieve digital ambitions.

The technology revolution demands that every bank reinvent itself, and risk management has a critical role to play in this transformation. This is the core finding in our latest bank risk management survey, Accelerating digital transformation: four imperatives for risk management, a collaborative effort between EY and the Institute of International Finance.

The survey sets out four imperatives that boards, senior management, chief risk officers (CROs) and other key executives will have to address to gain a competitive advantage, to maintain trust and to successfully achieve their digital transformation ambitions:

1. Adapting to a risk environment and risk profile that is changing faster and more intensively than ever
2. Leveraging risk management to enable business transformation and sustained growth
3. Delivering risk management effectively and efficiently
4. Managing through and recovering from disruptions

Risk management still needs to maintain a focus on protecting the enterprise. However, increasingly, it also has to take a central role in the evolution of a firm’s digital and IT strategy, and to be credible, it needs to be involved from the initial planning through to implementation. Traditional risk management frameworks have a strong bias toward risk reduction or avoidance, so new approaches are needed to enable risk management professionals also to support and enable growth.

Risk needs to take a formative role in a firm’s digital transformation

To date, banks’ risk management groups often have taken a somewhat passive role in technology transformation. Generally speaking, there only is moderate input from risk into the firm’s IT and digital strategy, and moderate alignment of that strategy with risk management’s operating plan. This has to change, and quickly.

There’s no doubt this requires real change in the way risk management operates. It needs to embed itself in the agile development process and engage more actively in the early design decisions, as well as find ways to build in strong controls without impeding fast-turn design activities. This calls for new talents as well.

Risk management has to be more efficient

In the past decade, banks have focused on effectiveness to strengthen risk management in the first and second lines of defense. Do firms have the appropriate resources to identify, manage, monitor and mitigate risks? 

Now, efficiency of operations is becoming equally as important.

Risk managers have to deploy new technologies to work more effectively and quicken the pace in which it embraces new technologies. Most have a long way to go, as their transformation just started or is only partially complete. The same is true of risk management teaming with FinTech providers. Thus far, it’s been highly targeted.

Yet risk management can identify a broad range of areas wherein technologies could revolutionize the way they operate — for example, in fraud surveillance (72%), financial crime (68%) and modeling (67%).

More effective management and use of data are essential. This aids risk management and supports better customer and client service. The top data risk management priorities for banks through to 2021 are improving data quality (93%), automating processes (74%), and updating data across the life cycle and controls (57%).

But talent remains critical. Technology and data may elevate the performance and efficiency of risk management, but banks still need to attract and retain the best talent, although talent needs are shifting. Risk management teams continue to add specialist expertise to better manage financial and nonfinancial risks, and they are seeking individuals with a mix of business, risk and technological skills.

Risk management in a digital world

At the heart of the new paradigm is adaptive digital risk management incorporating management of risks associated with digital transformation from the front to back office (digital risk management), as well as fully testing and deploying digital strategies to better manage risk (digitizing risk management).

We see the following five core elements of digital risk management:

1.       Adaptive digital risk governance: Risk management of the future will need to be more adaptive to new and emerging risks and build adaptiveness into core risk management disciplines, such as risk strategy, risk identification and assessments, risk appetites and limits management, and the firm’s overall risk operating model and culture. A strong three-lines-of-defense model will remain a core foundation of strong risk management in a digital world. Accountability must be palpable, from the board level through to management and down to every employee.

2.      Products and services management: Properly governing and integrating risk management processes and controls into the design and implementation of new products, services and business processes are essential parts of implementing digital risk management. This enables faster innovation and mitigation of risks through the establishment, or use, of new platforms, that is, new data capabilities and different technical environments (such as the cloud or distributed ledger) and the use of artificial intelligence in decision-making, surveillance and processing.

3.       Resiliency and trust: None of the core elements above mean anything if firms aren’t dependable — customers want reliability, access and protection. Digital risk management requires firms to infuse resiliency, cybersecurity and privacy in the design of platforms and products, as well as in the extended enterprise through third- and fourth-party vendors. This will call for a transformation in the way third-party risk management conducts its full life cycle of activities, from pre-onboarding due diligence and through to monitoring onboarded vendors and to offboarding. The management of critical vendors — those supporting crucial business processes or whose disruption would have system-wide impacts — will need to change the most.

4.       Platform, data and infrastructure: Core, central capabilities provided by a platform and connected data sources (so-called “data lakes”) allow for quicker integration of customer, transaction and risk management data into decision-making processes. Together, this will uncover new opportunities to meet evolving customer expectations and drive value, as well as enable better risk management through improved data-driven insights.

5.       Agile decisions: Embedding risk management activities into the design and execution of the customer journey and related business processes will allow risk management professionals to validate that the right controls and risks are being considered, as well as help them identify how the digital engagement of customers could enable faster and more effective risk decision-making. Nimble and smart controls within digitized processes and transformation programs have to be responsive to evolving risks and environmental factors, and self-adapt to learn and improve.

Accelerating digital transformation: four imperatives for risk

Our ninth annual bank risk management survey focuses on four imperatives that boards, senior management, CROs and other key executives will have to address to gain a competitive advantage, maintain trust and successfully achieve their digital transformation ambitions according to data insights from 74 banks across 29 countries.

For survey insights, download the complete report.