Going Digital: A Paradigm Shift in Risk Management
Updated: Nov 10
"45% of paid activities could be automated using existing and demonstrated technologies."
The consultancy firm McKinsey identified that a very large array of employee day-to-day jobs could be subject to digitalisation, from repetitive low-skill tasks to those of the Chief Executive Officer.
For example, IBM’s Watson can suggest available treatments for specific ailments, drawing on the body of medical research for those diseases.
If the technologies that process and “understand” natural language were to reach the median level of human performance, an additional 13 percent of work activities in the US economy could be automated.
Figure 1. Potential Areas for Automation
In that context, risk and compliance management functions could materially benefit from embarking on a digitalisation journey to improve the effectiveness of risk decisions as well as the efficiency of risk and compliance processes and controls. This would entail adopting proven technologies, such as machine learning and robotic process automation, across the risk management cycle. This would also require a paradigm shift in culture, capabilities and organisational set-up.
What does this mean for risk management?
A paradigm shift is required when it comes to thinking about risk management and especially non-financial risk management (NFR) and compliance management.
We should be considering two broad assertions:
Digitalisation of the risk / compliance processes wherever possible; and
Digitalisation of the driver of risks and especially NFRs.
This requires evolving risk management capabilities both from a process and from an outcome perspective. For example, this can include evolving the risk and control self-assessment framework (see my previous blog) in conjunction with a process optimisation / Six Sigma framework to enable process reengineering, digitalisation, and risk optimisation all at once. This can also include reviewing the end-to-end customer due diligence process. More on that later.
Figure 2. Expected Benefits
In the above example, the objective was to deliver a seamless customer experience and a resilient / scalable process. As the review advanced, we identified that about 20% of the risks of the activity under review were driven by the nature of the activity. These risks were inherent to the “What” and could not be removed.
This meant that 70-80% of the risks were driven by the “How”, i.e. the way the end-to-end process had been implemented. Looking back at it, the activity had grown organically without consideration for a holistic and integrated design. There hadn’t been any consideration for standardisation, with many teams doing the same activity in completely different ways. We also identified that the fragmentation of the end-to-end process had led to a fragmentation of the vendor support; some of the outsourcing arrangements were subscale, probably unprofitable for the vendors, and as a result led to poor service delivery.
This had an immediate impact on the cost of running the process, including through a proliferation of controls, where the time spent on control activities was 5 times higher than it should be.
Some key concepts
Digitalisation is the use of digital technologies to change a business model and provide new revenue and value-producing opportunities; it is the process of moving to a digital business – Source: Gartner
Automation is the use of machines and computers that can operate without needing human control – Source: Cambridge Dictionary
Optimisation is the act of making something as good as possible – Source: Cambridge Dictionary
Process reengineering involves the radical redesign of core business processes to achieve dramatic improvements in productivity, cycle times and quality – Source: Bain
What would digital risk management look like?
Multiple steps of the risk management life cycle would be impacted to varying degrees depending on the type of risk considered. The overall benefits would be better risk decisions, increased productivity and lower technology and data costs.
The digitalisation of financial risk including credit and market risks should be more accessible to most financial institutions considering current maturity and the impact of regulations, especially BCBS239 on risk data aggregation and reporting, which acted as a catalyst for significant data and technology transformation across the banking sector.
Firms reach “nirvana” when all risk disciplines are digitally integrated. Some examples:
1. The customer due diligence process provides an integrated financial and social profile enabling immediate credit risk decisions (e.g. the customer is immediately granted the loan they requested) and “forward” decisions (e.g. the customer is expecting and might benefit from additional financial support for acquiring a bigger car, life insurance, etc.) by preapproving certain financial products before the customer asks for them. This can be pushed further by connecting the future home owner with local builders, decorators, etc.
Ideally, this is done only once for a firm across all its businesses and / or could be done through data exchange across firms as Singapore and other countries are currently experimenting with.
2. Data-driven risk decisions are enabled through smart strategic dashboards made widely available and structured to provide forward-looking “advice” and insights. This can include live people management views aligned to strategic objectives, for example when a firm undergoes significant transformation and relies extensively on talents and change capabilities. Ideally this would include clear views on strategic and operational factors having a major impact on the success of the business objectives and strategy.
3. Data-driven horizon scanning, whether based on big data or alternative data, provides “live” feeds to support strategic risks and is fully embedded into the firm’s strategic and operational decision process.
With these examples in mind, it becomes clear that the digitalisation of risk management must be considered in its widest sense and include core control applications (e.g. Know Your Customer) as well as credit risk, market risk and Enterprise Risk Management systems covering Audit, Non-Financial Risk (e.g. risk events, Risk & Control Self-Assessment) or Compliance.
With this extended scope usually comes a very disparate and inconsistent technology landscape and data architecture, requiring a strong focus on phasing out legacy systems to enable access to superior functionalities and improve data quality and consistency.
The Risk function would also have to transform and develop new capabilities and skills. Digitalisation requires a very different mindset by which Chief Risk Officers become tech-savvy solution providers, as well as advisers and challengers. McKinsey identified that:
46% of risk managers viewed culture as a main challenge; and
43% of risk managers saw talent as a key challenge in digitizing.
The notion of independence would have to be repositioned in a context where acting as a forward-looking adviser might blur existing lines. Risk managers would have to become change agents and disrupt themselves to unleash significantly more value than they currently do.
What risk capabilities to consider?
Risk and compliance capabilities and activities have developed organically, in silos, without due consideration for holistic alignment, including operating model and resourcing. Risk and Compliance leaders need to realign their organisations to core functional capabilities as required by their firms’ business activities, objectives and regulatory environment, focusing on duplications, gaps and manual processes.
McKinsey estimates that productivity across operational (and credit) risk and control activities could improve by 25% through deeper automation and analytics. That is against the backdrop of a proliferation of manual, fragmented and overly complex risk and compliance activities (e.g. Anti-Money Laundering).
In addition, better embedded and simplified risk / control processes can significantly improve the client experience and become a strategic differentiator against the competition, as outlined in the previous section.
With that in mind, the list of risk and control activities that are candidates for digitalisation covers the entire spectrum of risk management capabilities, as illustrated in the table below.
Figure 3. The List of Capabilities
Example: Know Your Customer (KYC)
Financial criminals are becoming ever-more sophisticated. Verifying customers’ identity and completing due diligence has never been more important, or more difficult.
KYC is governed by a long and ever evolving list of international, regional, and local laws and regulations. As any compliance and risk team will attest to, KYC requirements are complex, with significant geographical nuances, and evolve far too quickly to keep pace with. These stringent regulations are a critical cornerstone of the world’s financial system, protecting it from being abused to conceal the proceeds of crime and corruption or the funding of terrorist activity.
In response to this environment, financial institutions tend to tactically create layers upon layers of control activities and tasks, resulting in fragmented and costly KYC operations.
With that, this activity is a prime example of an evolving field with material potential in terms of efficiency gains and enhanced customer outcomes. Here are some key figures illustrating this mostly untapped potential to turn KYC into a sustainable activity delivering value for the firm whilst protecting our society against crime.
Figure 4. Opportunities with KYC processes
This complex, intrusive and lengthy process acts as a deterrent to many new clients. Reuters also found that 12% of companies said they changed banks because of KYC issues.
KYC is extremely costly to run and is based on many controls and checks. For example, this includes sanctions lists, Politically Exposed Persons (PEPs), adverse media and court records, and much more. All of these result in a tremendous volume of information to sort through, most of it not relevant to the subject under investigation.
It also requires customers and clients to provide lots of information, including identity documents, financial status, source of funds, etc.
Not getting it right can be extremely costly. For example, HSBC Holdings Plc agreed to pay a record $1.92 billion in fines to U.S. authorities for allowing itself to be used to launder a river of drug money flowing out of Mexico, and other banking lapses.
Adopting new technologies can simplify the onboarding process, though, reducing customer headaches and protecting banks from lost business. Biometrics and document identity scans have shown the most promise so far and are popular among bank customers as an alternative to traditional KYC processes.
In my view there are three primary goals that financial institutions should pursue regardless of size and footprint, to enable and unlock material savings and opportunities:
Simplify KYC operations through a seamless end-to-end integrated journey regardless of which business line the client faces. For example, limit and preferably remove back and forth with the customer / client.
Integrate KYC operations into the wider customer / client journey, focusing on what they (might) need. For example, integrate this process with the credit approval process to accelerate new product onboarding and access.
Achieve compliance through global consistent standards and working by exceptions to meet local requirements when applicable.
Chief Risk and Compliance Officers are about to enter the new digital age. The implications for their functions are akin to complete disruption.
From revolutionising and simplifying capabilities and technology, to integrating risk / compliance management processes into business decisions, the transformation required is significant.
But the benefits, whether they are about lowering risk and compliance running cost by 20-30% or delivering faster product time to market, will materially exceed the costs and the impacts of getting there. The ever-evolving regtech and fintech landscape certainly offers smart solutions to accelerate the transition and can alleviate some of the pain points, assuming risk and compliance leaders are ready to make a leap of faith. The costs of doing nothing will be even greater in terms of loss in strategic competitiveness and talent attraction.
The journey ahead will feel uncomfortable and certainly unsettling at times, but it will be equally exciting and rewarding.
Note: This covers all the risks outside of credit risk (e.g. lending), market risk (e.g. trading) and liquidity risk (e.g. funding). This is a very broad category that captures compliance / conduct type of risks, operational resilience, and everything pertaining to running an enterprise (e.g. operating model, legal set-up, execution, outsourcing, etc.).