Two recent reports on banking industry indicate point to the future of the Risk Management function. The first one was a 2019 report by Boston Consulting Group (BCG); the second one was a survey of Risk Management by Deloitte. From these two reports and other recent news on same topic; the writing on the wall is that Risk Management function is at a pivotal point and needs to transform itself to incorporate non-financial risks; digitize it’s operations and processes and be embedded in the Firm’s strategy in order to meet these new expectations while keeping costs down and remain vital, essential and relevant.
- First point of view is that non-financial risk (like cybersecurity, data privacy) is now the dominant risk that institutions are concerned about while financial (traditional) risks (i.e. market, credit, liquidity) are now mature to the point that they are not thought of posing a key risk to institutions. In response, Risk Management departments will need to incorporate non-financial risk (like cybersecurity, data privacy) as risk stripes similar to financial risk stripes (market, credit, operational) and become more holistic and mirror the current landscape of risks facing Firms.
- Second, Risk Management will need to become more integrated and provide more insight to the Firm’s strategy instead of being in a monitoring role post execution of the Strategy. This is essential now since some of these new risks like cybersecurity have very low latency and these risks have to be managed at the forefront i.e. in planning and design of strategy and not in the same manner as it is done now for financial risk i.e. after the transaction is done.
- Lastly, in order to meet these expectations, Risk Management function will need to break down silos across risk stripes, leverage technology and become more digital in order to maintain costs and more importantly because monitoring the non-financial risks will need digitization of risk processes. This is also imperative in order to not increase costs and to meet the profitability expectations from internal and external stakeholders.
- Declining Profitability – Profitability is on decline falling to 2013 levels with a global average of 8bps as per the BCG report; the South American and Middle East banks are most profitable followed by US banks and Asian banks and lagging behind are the European banks.
- Rising Risk and Operating Costs – Risk and operating costs are the biggest cost components adversely affecting the profitability of banks having risen by 24 bps from 2017 to 2018 as mentioned in the BCG report. This is driven by the increased regulatory demands from regulators across the globe.
- Non-Financial Risk more important than financial risk – Non-financial risk like cybersecurity, vendor risk management and distributed computing are becoming more important as sources of systemic risk than traditional financial risk (Market Risk, Credit Risk). The Deloitte survey notes that only 50% of respondents thought that their firms were capable of effectively handling cybersecurity risk compared to 92% for market risk.
- Digitization of Risk & Compliance – To increase profitability while meeting demands of regulators will require transformation of risk management leading to more digitization, use of Artificial Intelligence and Big data, Cloud Computing and automation in these areas. Risk Management is still operating largely as it was a decade back at the time of the Financial Crisis. New advances in computing and technology have not impacted Risk Management as the focus in past 10 years has been on meeting regulatory demands (aka stress testing in US). The Deloitte survey notes that respondents expect benefits from cloud computing, big data and analytics and business process automation in areas such as increased operational efficiency/reduce error rates (68 percent), enhanced risk analysis and detection (67 percent), and improve timeliness of reporting (60 percent). However what is coming in the way of these gains is the systems and data used by Risk Management which was one of the main concerns cited in the same survey; 79% of firms cite timeliness, quality and availability of data as a concern and 68% noted a concern with the systems and processes used to manage risk right now.
- Integration with Strategy – Risk Management will need to be embedded upfront in the Firm’s strategy and not be done after execution of the Firm’s strategy. Risk Management in many firms is still involved after the Strategy has been decided to manage the risk that has been taken and this creates will not work for non-financial risk like cybersecurity, vendor risk and data privacy which need risk appetite and utilization to be part of the strategy.
For those of us in the industry, this is an exciting time to shape and guide the re-invention of Risk Management and do what is essential to be relevant and vital to the success of the Firm.
Links to the two cited reports