In August and September we ran the bobsguide Risk Management Systems Survey to get a better idea of what you, the risk industry professionals, need and want in a risk management system. We had just under 200 responses to our survey, representing a variety of financial institutions around the world.
Funnily enough, 25% worked within risk management capacities for financial services, whilst another 25% were risk management solutions vendors. The 17.5% who selected ‘Other’ ranged from executive, to IT and treasury professionals.
32% were based in the UK, and 14% in the US. Other European countries featured strongly with Germany at 11% and France at 4% along with a scattering of other European countries. Asia was also represented with 9% based in India and 5% in Hong Kong with representatives from Australia, Singapore and Tonga.
51.9% of responders said that they currently used technology that specifically offers a risk management function, whilst the next significant minority of 16.9%, who do not currently have a risk function technology, said they were interested in exploring options in the market. 9.1% said that they didn’t currently have one, but that it was a priority to acquire one. A small 3.9% said they had no interest in acquiring technology specifically designed with a risk management function.
The majority of you (42%) were very satisfied with your risk management systems, whilst a quarter (25%) were extremely satisfied. A third (33%) were less impressed, with 20% of total respondents somewhat satisfied, and 13% not satisfied with the current capabilities of their risk management technology.
We left respondents to input their own answers here as to why they rated their satisfaction with their risk management technology the way they did. User-friendliness and multi-function, wide-coverage risk management systems were the factors most likely to have contributed to an extremely satisfactory experience (25%). Very satisfactory (42%) risk management systems provided a quality, bespoke system that was able to integrate and adapt to many business platforms, whilst real-time feedback was a highly desirable trait.
As a mid-point between negative and positive reviews, a somewhat satisfactory (20%) risk management system did not exceed expectations and “addressed most requirements”. Those who were not very satisfied (13%) with their current risk management technology indicated it was “unwieldy, unreliable and unsupported”, whilst it also lacked At-Trade risk management.
11.8% of respondents were looking to purchase their first piece of risk management technology and subsequently all indicated that it was a priority to buy or they were exploring current market options in question 1. The majority of respondents (39.5%) were looking to augment and add to existing risk management capabilities which, when coordinated with the previous question, suggests they are seeking to plug holes or have a more proactive and sophisticated risk picture specific to their sector.
26.3% indicated they were happy with their current risk management technology and 11.8% indicated they did not require any risk management technology currently on the market. 10.5% were looking at a complete overhaul to replace their current risk management capabilities.
The biggest concerns when shopping for risk management technology were implementation alongside existing systems (54.1%) and cost (48.6%). 33.8% indicated their concern was the increased complexity of processes, and 21.6% were concerned about ease of use. 14.9% were reluctant to buy considering technology’s short shelf life, whilst 17.6% believed there was currently no system on the market for them, either in terms of sophistication or innovation.
As one might expect, the chief risk officer was the most likely principal decision maker on acquiring new risk management solutions, at 36%. In 27% of cases, the decision fell to the chief executive or chief operations officer, whilst in 18% of cases it fell within the purview of the financial director or chief financial officer.
It’s clear that risk analytics (51.4%) was at the forefront of what respondents expected from their risk management technology, whilst compliance was the second most selected key functionality with 47.3%, along with market risk. At the other end of the spectrum, collateral management scored low with 17.6%, and asset and liability management with 25.7%. Credit (37.8%), liquidity (28.4%) and operational risk (32.4%) all remain secondary functionalities for risk management. 5.4% (of those selecting ‘Other’) indicated that trading risk was also a priority.
Cost of compliance was a key concern for 43.2% of respondents, whilst the feasibility of meeting regulatory change was also a significant concern at 37.8%. Interestingly, 32.4% were concerned with being able to identify emerging risks and the same percentage were concerned over data security. FX exposure scored 29.7% whilst the retention of risk management professionals was a slight concern with 16.2%.
There’s probably a very good anecdote about a host of castle architects being given the axe by their liege lords because they couldn’t build fortifications strong enough and quickly enough to counter the fresh structural challenges of cannon technology. The modern equivalent may well be that of the chief risk officer (CRO). Just as the castle architects would have protested the nigh on impossibility of countering gunpowder just with stone defences, so too has the CRO had to adapt and evolve to meet new challenges that are becoming increasingly difficult to predict and counteract. As the mitigator of risk, the CRO must be able to identify, assess and manage those risks using a variety of processes all while complying with increasingly stringent regulation. And where IT infrastructure and the emergence of technologies including AI and big data have made their job easier, it has also created a host of problems, not least for the internal operational risk concerns, but also the increasing and evolving threat of cyberattacks.
Indeed, risk is a very small word for a very large responsibility. This article will look at how the role of the CRO has changed over the years and where 2018 fits into the evolutionary trajectory.
The 1990s saw the first wave of CROs creating and implementing enterprise risk management (ERM) as well as a variety of risk models. This framework sought to define different risk functions and quantify their capability, before coordinating and integrating the risk output. In short, the ERM was there to identify, assess, manage, monitor and report risks under different circumstances, and have a contingency plan on how to mitigate should those risks arise.
A successful ERM programme firstly set a solid foundation for implementation. Risk alignment was first and foremost the priority, as a standardised glossary of risk was established to understand the company’s risk appetite (what it was prepared to risk, and so on) whilst also allowing for a ranking of risk priority. CROs were also required to keep on top of regulatory compliance in the form of Solvency I for insurance companies, and Basel I, and later II, for banks. Lastly, the ERM was to seamlessly integrate with the business as a whole.
In many regards, the CRO was chief implementer with a fairly low degree of seniority and wholly focused on the technical aspects of ERM and the consequences of dealing with risk fallout detected therein. Chief implementer soon evolved into chief assessor, building on the CRO’s formerly technically focused duties with wider business considerations. ERM now expanded to cover a variety of other business related risks, such as new legislation, reinsurance coverage (for insurance), and asset liability management, until the ERM and CRO were well situated in the business decision making. Indeed, the CRO role, for all its onboarding of additional risk and the breadth of that risk function, saw a rise in its status post-crisis a decade or so ago.
After the dust settled following the financial crisis and the flurry of regulations became clearer, the subsequent tech boom enabled a dramatic explosion of fintech challengers, reaching an all-time high for investment in 2015-2016. Whilst the boom prompted innovation in financial services, security lagged behind, largely due to the volume, volatility and unpredictable nature of modern cyberattacks. If cyber risk hadn’t captured the serious attention of CROs before the ‘Wannacry’ ransomware attacks on legacy infrastructures like the NHS systems, then the slew of industry cyber breaches certainly did. Indeed, as many as 46% of UK companies registered an attack in 2016, with Tesco Bank and Three Mobile the most prominent, losing sensitive customer data and millions of pounds as a result. With the General Data Protection Regulation (GDPR) coming in May next year, many CROs are currently reviewing ERMs and models, and consequently arguing for more IT budget spend to shore up potential points of breach and keep the walls defensible.
And that increasingly led to the formation of a new job description for the modern CRO, and a position that now ranked a few rungs more senior in the company’s hierarchy: chief integrator of a diverse and dynamic range of risks, more on the front line of the business than a passive risk manager. CROs were becoming, for all intents and purposes, a risk-oriented CEO, further embedded in the company as a business, and more vocal in the boardroom.
They needed to take ownership when aggregate risks went above risk appetite which, when successfully identified and acted upon, was as much a chance to generate competitive advantage as to simply avert risk. They also had to move from their traditional heartlands of insurance, market and credit risk towards conduct and operational risk. That leaves the CRO of 2017 vastly different from the CROs of a few years ago let alone pre-financial crisis.
We spoke to Patricia Jackson, who is a non-executive director and chair of the risk committee for Atom bank, BGL, Lloyd’s of London and SMBC Nikko, and who gives an inside perspective on the change in the CRO role.
Cyber risk has gone right up the agenda. In many organisations, cyber was previously sitting with IT, and the last year or so has seen a major shift in terms of the risk function taking more ownership of cyber risk, whilst we’ve also seen more engagement with cyber by the boards. There’s also much more focus on outsourcing and outsourcing risk by the CROs. In many companies, outsourcing was previously sitting with procurement, and it has become a really key subject.
If you’re outsourcing functions to a supplier and you retain the risk, the question becomes ensuring the supplier is performing to a high enough standard and, as a topic, it’s evolving. In America, many firms are getting third party reviews done on cyber risk and they make those reviews available to those to whom they’re supplying services. That’s more of a changing area in the UK and it’s not quite in the same place where suppliers have third party assessments. So, in terms of business continuity and cyber, companies are wrestling with finding a way to ensure that outsourcing doesn’t leave them vulnerable.
Another huge topic is GDPR. GDPR is a real stretch for many firms and comes May next year. It’s complicated to deal with and it’ll bring heavy penalties if you get it wrong. For example, you have to be able to remove data at customer request and it’s far more complex than companies reckoned. For some years now, the CROs have been wrestling with risk appetite and how you assess forward risks against risk appetite. To start with, the focus was on the core financial risks and progress was made. But how you deal with non-financial risks including cyber and business continuity is still evolving.
For some firms, money laundering has been top of the agenda because the fines have been so high, so we are seeing enforcement there for some traditional organisations but also the tightening up of regulation of some more alternative sectors. Banks and insurers have been under regulatory pressure now for quite a few years and we’re seeing the tentacles spreading out to the more lightly regulated areas. I think it’s a general pattern, some CROs are spending as much as half of their time dealing with the regulatory agenda.
For capital, regulations are still changing for banks because the Basel committee is still issuing changes following on from Basel III. Trading book requirements are changing for example. Firms are also trying to wrestle with areas like risk culture where the regulators are focusing more. Outside the traditional banking and insurance sectors there is also focus on pricing and competition as well as operational risk.
Across all financial services, cyber is right up there as well as outsourcing. For companies dealing with a wider range of customers and jurisdictions, money laundering and financial crime are also right up there. Companies seem to be less bothered by credit and market risk I think because they believe they are under control. They’re very big risks but it’s central to what they do so they’re more comfortable managing it. The tricky bit is managing something as ever changing as cyber, whether that be the recent ransomware attacks or phishing expeditions.
What CROs would really like is a halt to regulatory change so that they can deal with what’s happened so far – continuous change makes life impossible. Along with that, they’d like more IT budget to make their areas more efficient.
That’s got to be part of the solution. People think of digital as the interface between firm and customer but the firm has also got to use it internally. AI can enable automation of intelligent processes and frees up time for the human to actually think about the risks. For instance, you don’t want to have to spend all your time calculating the numbers, but instead thinking about and assessing the risks.
As an example, one organisation which has many, many regulators had a specific team tasked with dealing with queries that came in about different rulebooks. They’ve run a pilot to roboticise the process and they’ve managed to reduce the time it takes to find the right rule enormously. So, something like that which you expect would require quite a bit of judgement can be managed quite well by AI.
In terms of IT risks, Atom, as a mobile phone based bank, is very dependent on the app, but major traditional banks are also absolutely dependent on their IT, and Atom avoids some of the key risks associated with browsers and internet banking. So in that sense I don’t think the challenges are unique: all banks are dependent on their IT and all banks have to look at the risks around cyber.
For a start-up bank there needs to be very careful control of how new systems are put up and services are launched. That requires a very careful process which we did for Atom at every stage to make sure that the system, process and risk controls were in place before we moved onto the next phase. For instance, we didn’t put products up all in one fell swoop, but we brought them online as we were ready to do so and subjected them to a very careful risk management process. I expect the regulator welcomes this approach and will be looking for other new entrants to undertake the same level of oversight and control.
It seems, like everything else in business, that the buzzwords of AI, big data and machine learning continue to generate noise as the saviours of human roles struggling to keep afloat with the challenges that the same tech revolution has created.