Risk management and control frameworks have always been a critical function for banks, but in recent years, they have become even more important in light of increased regulation in the aftermath of the global financial crisis and growing consumer privacy concerns. The pandemic environment of 2020 revealed gaps in existing risk management and control frameworks as banks were forced to rely more on their digital infrastructure and more fraudulent activity occurred. Many large US banks were fined heavily by regulators in 2020 for poor and inadequate risk management controls and practices, resulting in increased pressure on banks to overhaul their existing rule book. A report from LexisNexis Risk Solutions found that the amount large US banks spent on anti-financial crime compliance operations increased by 43.4% in 2020 as compared to 2019.
Today, many banks are reexamining risk management to serve their customers safely and effectively and minimize fraud, data leakage, and cybersecurity issues. And banks that have a strategic focus on growth, digitization, and customer experience are considering upgrading or rewriting their risk and control frameworks to develop greater operational resilience and improve governance.
Leading Strategic Imperatives to Improve Risk & Control Frameworks
Wipro has identified four imperatives in applying risk and control frameworks in banking systems and operations.
Imperative 1: Enhance governance, operating model & culture
One major consequence of the pandemic and its attendant economic fallout is that the operational environment of banks is evolving rapidly and is likely to be very different from what it is today. To put that in perspective, consider this forecast from McKinsey: Collectively, banks could lose revenues of $1.5–4.7 trillion between 2020 to 2024 – and a good part of that revenue will be lost forever.
This challenging environment – coupled with changes in banking regulations, the need to create more and better digital products, and the rise of non-bank (fintech) competitors – is creating a need for banks to redefine their core operating models away from legacy practices and towards new-age requirements. Banks need to build a new culture around risk management and governance if they want to thrive in the near-term and position themselves for the long-term.
Boards of directors and C-suite executives will be crucial in defining risk tolerance and fostering a culture that puts risk management and governance at the center of strategy and operations. Better risk management and governance demand the creation of detailed risk models, improved management information systems, risk/return-based management, early warning systems, and stress tests. Banks must leverage a risk-based prioritization framework while incorporating automation and standardization in internal controls to test their governance and cultural design and to increase operational resilience.
Imperative 2: Break down silos to improve collaboration
In the current environment, a key to growth and the development of new products, capabilities, and experience is breaking down silos within the bank. Traditionally, business units operate within their lines and don’t take a holistic view. Not only does this hamper growth but a siloed approach also generates risks that might be unobserved by executive management.
The treasury function is an example that faces the impact of inter-departmental conflict in the data flow, resulting in higher costs and lower revenues. According to a report from BCG, “It’s Time for Banks to Self-Disrupt,” 70% of banks’ treasury functions lack the data, modeling, and analytical tools to address balance sheet and risk management in a meaningful way. The survey also observed that better collaboration between internal teams can help provide relevant information at the right time, which could help improve treasury operating costs and net interest income.
The need for collaboration becomes even more essential today, as banks continue to develop and add new system architectures on top of their existing IT frameworks. New additions can result in breaches and failures can emerge in unanticipated areas mainly because of the lack of attention given to legacy systems. Today, banks must be vigilant about collaboration and consolidation to reduce risks, ensure efficiency, and increase productivity.
Imperative 3: Embrace new technologies
Controlling identified risks requires a fundamental change in banks’ outlook as they formulate and execute their risk strategy. The commonly adopted technology-based use cases – automation of the risk function, migration to the cloud, and strengthening financial crime capabilities – have led to increased flexibility and reduced costs.
Banks maintain large amounts of data, and most have data in multiple, unconsolidated systems – a situation with enormous risk management consequences as hackers look for vulnerabilities. Many banks already apply advanced technologies to operational processes to identify risks, but they should also explore investments in advanced analytical management information systems to anticipate risks.
The BCG report says that North American banks paid $228 billion in penalties for non-compliance between 2009–2019. Data breaches and fraud are the primary reasons for increased regulatory scrutiny of the banking industry (particularly large institutions).
There are several advanced technologies available for risk management, and banks need to have a clear strategic roadmap to pick the most relevant technology innovations. They also need to evaluate these technologies from the perspective of interconnectedness to derive maximum efficiency and effectiveness.
Imperative 4: Strengthen operational and procedural resilience
Today, operational resilience is as important to banks as financial resilience. Banks are adding new functionalities to their businesses by revamping legacy systems, embracing digitalization in operations, and collaborating with fintechs. All of these initiatives can help banks anticipate and identify problems much more quickly. Reports on disaster response, data security, third-party vendor management, and business continuity plans have become government-mandated requirements.
As banks embrace digitalization, strong board and management involvement in defining governance, operating models, and cultural change is critical. While uncertain circumstances are inevitable, the focus should be on defining the tolerance level of the bank including recovery time and the financial impact of unrest. A well-thought-out response strategy and disaster management execution plan should be part of all operational initiatives undertaken by banks.
Data is another area that should be prime risk management and governance focus for banks. One instance of a data breach could cost a bank significantly, both in terms of reputational damage and money. Ensuring data quality and data governance should be critical aspects in developing operational and procedural resilience.
Three Tactical Ways to Improve Risk & Control Frameworks
The changing risk management challenges require banks to focus on staying up to date with new methods to deal with risk and control frameworks. Here are three tactics for banks to strengthen their risk management and control frameworks in this rapidly changing operating environment.
For many banks, the critical way to improve risk management is to move away from legacy architectures and invest in updated technology that provides real-time information. Large banks already spend substantially to ensure regulatory compliance and risk management systems, but focusing on investment in contemporary technologies can help with the ongoing challenge of risk management.
Blockchain and artificial intelligence, for example, are starting to demonstrate real potential in the risk and compliance space, according to BCG. Banks should also consider partnerships with the emerging “regtechs” (regulatory technology) companies that understand the challenges of global banking and apply information technology to address them. Regtechs can provide a risk management roadmap to simplify organization structure and streamline security and compliances processes to avoid failures and data breaches.
Automation has helped banks become the highly efficient enterprises they are today, but automation’s potential to improve efficiency and minimize risks remains enormous. There are multiple success stories of automation techniques helping companies predict customer defaults faster, resulting in more effective risk prevention. Traditional banks should consider rebuilding the value chain for every function and analyze what automation technologies each value chain demands. This must be done with an emphasis on consolidation to support seamless information flow across all systems while also ensuring compliance and security.
In a regulated industry like banking, it’s important to manage risk in all its forms and to ensure compliance with the letter of the laws and regulatory mandates. Effective risk management and control frameworks must continuously improve and evolve. Technology, of course, has a substantial part to play in this challenge. The right technology, implemented effectively, can help banks manage known and predictable threats and do so in ways that save time and money. Today’s technology can make every enterprise more resilient, and resilience is an incredible asset when dealing with a changing environment.
But dealing with change, particularly dealing with the unpredictable, also demands leadership, to build a culture that recognizes the critical importance of risk management and control, that reinforces values and ethics, and that understands what failure in risk management can bring. Periodic reviews of policy, governance, regulatory changes, technological advances, and industry best practices can help. The best way to proceed is by developing a strategic roadmap for risk management and making it an enterprise agenda to create a competitive edge in the changing operating environment.
Industry :
Mahesh Chandra
Vice President and Sector Head – Citigroup, Americas
Mahesh is Wipro Limited’s leader for Citigroup and spearheads the account with responsibility comprising sales and customer engagement of various transformation and digital programs. He is an accomplished business and thought leader with 24+ years of experience in managing large programs connected to infrastructure, risk and compliance, and business transformation. In addition to his tenure at Wipro, Mahesh has worked at Cognizant, HP, DEC, and Fujitsu UK.
Supported by:
Shri Dhar – Senior Manager, Insights
Radhika Todi – Assistant Manager, Insights