The banking balance: technology and informed risk decision making
As our society moves to a world propelled by automation, where technology has given way to artificial intelligence, machine learning, driverless cars and delivery drones, it’s not a leap of faith for technologists to consider how technological advances can play a role in banking.
In fact, given the proliferation of risks and controls that banks and their governance, risk and compliance (GRC) teams have to address, it’s certainly tempting to do so, particularly when the new technologies are highly evolved. But how can technology be effectively used to help the organisation make the best decisions to manage its risks?
GRC technology has come a long way over the last 20 years, maturing quickly and creating the means for users to quickly grasp risk management principles while simultaneously putting them in the context of the organisation’s risk management framework.
However, a challenge for most organisations is assuring that the data going into the GRC solution is as complete as possible. Quality is still a concern. In fact, individuals still rely heavily on data for decision making but struggle with the accuracy and volume of the data they use. This is primarily because of the breadth of what GRC covers – risks like processing, technology, people, legal, compliance, reputation, strategy, credit, market, liquidity, etc.
Not only has the banking environment become more competitive, but the proliferation of mobile technologies, new markets, and products/services has exacerbated the risk environment. These new paradigms are also complicating the existing risk profile as organisations deal with their sunk costs from latent processes and systems.
CEOs and CFOs, worried about the impact of, for example, cyber-attacks and other risks that may negatively impact their bank’s reputation and stock price, are now, more than ever, tuned in to how technology can help thwart these harmful exposures within their organisation.
When it comes to GRC risks and exposure, the right technology and solutions are enormously helpful. They create, among other things, standardisation, a pre-package of leading practices, and the configurability to make the software relevant to the end user.
GRC technology helps to act as a central repository for risk and control information with the ability to mine the data and show results in real time. This acts as a powerful decision making enabler.
Technology & benefits
The press is littered with bankruptcies, million-dollar fines and settlements, billion-dollar shareholder value losses, and customer dissatisfaction, creating a deluge of financial and reputation impacts. The source of these impacts is forcing the C-suite to sit up and take note, asking questions to gain assurance that their company isn’t subject to the strains in other organisations.
The need to have a complete GRC solution to complement the risk management framework is more important than ever. Its incorporation and use by the lines of defense helps protect bank assets while ensuring that governance and regulatory red lines aren’t being crossed.
To stay on top of complicated GRC challenges, banks have to monitor and act on an exponential amount of data, spanning a vast number of businesses, functions, and external factors (e.g. vendors, competition, and customers) while ensuring that all are on the right side of the audit, risk, compliance, policy management, and information security standards.
Sophisticated technology is essential in creating this holistic view. Moreover, technology helps move banks away from the siloed legacy approach, where internal reports had only a business or function focus, lacking the vision of seeing risk across businesses and the value chain.
The evolution of carefully automating technology and processes empowers executives to make decisions that can positively impact the business’ bottom line too. For example, using the output from the GRC technology to make quick decisions to maximise revenue opportunities based on market conditions, allocating resources efficiently, and optimising control capital expenditures.
That said, while technology is enabling banks to synthesise data more quickly and efficiently, it must be coordinated across the organisation. For example, in one institution, there were three different GRC systems being used: one for risk, one for compliance, and one for audit. Each had its own approach to understanding its respective risk profile.
However, the taxonomies used by these groups weren’t aligned; so when reporting was prepared it gave different interpretations on the criticality of the same risk. This created confusion at the executive, board, and audit committee level and created questions on the efficacy and soundness of the risk management practices being used by these functions.
Technology provides the ability to review large amounts of data and work streams by presenting the information in a pragmatic way. For example, systems and tools can flag when a limit has been breached or signal that an area within the business requires further review. Although technology may provide a built-in alert, it takes both the business and risk collaborating to determine whether the concern requires immediate attention or escalation, or should be overridden in favour of the opportunity for growth or additional revenue.
Therefore, there is an implicit need to understand what the technology is telling you – its programming and the underlying data supporting what you are seeing. The right GRC solution can be set up with the company’s risk appetite and tolerance in mind, supporting a risk-seeking or conservative approach to managing risk. This helps the business and the second line of defense know they can rely on the technology as a first indicator of possible exposures.
However, the business changes rapidly – new products are introduced, changes occur in the business (e.g. increasing volume of data), new laws and regulations are announced, new market segments are opening – all of which require a critical eye on the risk profile to see how things may need to be adjusted.
Tolerance levels may increase or decrease, there may be opportunities to reduce the number of controls on a process, controls may need to be added, etc. Using the legacy data and audit trail within the technology helps to provide a means to justify changes and whether or not these changes are meeting their objectives.
The industry challenge
The GRC space is being pushed to justify its value. There are two complementary but varying views:
1. Preserving value
2. Creating value
Preserving value is all about conformance – assuring that there is a risk management framework, one that’s being embedded and sustained, complying with laws and regulations, etc. Most banks use this as the impetus for their risk management departments. The goal is to keep the organization out of trouble, control things to the nth degree, and act more as the police, aggressively managing any identified “critical” exposures.
Conversely, creating value is about putting risk in the context of supporting the business objectives and activities. Remember, the support functions are overhead/administrative functions and aren’t established to make money for the bank. As a result, the ultimate objective has to be able to put the risk verbiage and processes in a way that resonates with the business, enables them to continue to grow and create profits, and maximizes the limited capital and resources it has.
GRC technology can help support this. Dashboards can be created that marry with the existing performance metrics already used by the business, signaling failures, process weaknesses, or potential lurking hazards. It can also pull data from multiple internal and external sources, providing awareness of changes in the business environment. This can create opportunities to reallocate capital and employees to pressing issues or areas for opportunity. Moreover, the technology can establish the means and provide supporting data to communicate across multiple areas of the business. Sharing risk information can lead to active and immediate discussions for changes that may affect profitability.
For example, based on analysis and data there may be an opportunity for a bank to move into a new mobile device product segment. However, upon further review by information security experts and knowledge about the market there could be cybersecurity implications, making the risk versus reward trade-off seemingly unpalatable. The GRC solution can point to strengths and weaknesses in the existing control environment that can be used with risk scenarios on the product to support any conclusions.
Additionally, a technology dashboard may flag that an area of the business is reaching a pre-established risk appetite threshold and that it requires further review. When business managers review the data they may make an argument to override the technology decision in pursuit of a significant revenue opportunity. The bank’s general counsel may review the same data and determine that there are compliance and therefore legal implications with overriding the outer limit. This is a powerful feature of the GRC technology. It allows for bespoke views of the same risk environment whilst simultaneously sharing the information across the lines of defense. This allows the executive team to understand the full detail of the risk environment and its implications for the organization as a whole.
The competitive way forward
Ultimately there’s a fine-tuned balance that must be struck for banks to gain a competitive advantage – technology, expertise, and business sense.
Having a holistic overview of data across the business is crucial and radically improves the opportunity to manage GRC challenges. Ensuring banks have the right talent and expertise to decipher data and understand the technology, company and market strategy is paramount to ensuring the C-suite is empowered to make important business decisions.
Banks are starting to realize the competitive advantage and need to make sense of the myriad of data that’s driving the portfolio of organisational risks. A robust, easily configurable GRC solution can help organisations leapfrog their competition by providing the means for the efficient pull of risk information to drive timely and informed business decisions.
By Ladd Muzzy, principal at Nasdaq’s BWise