Future of Non-Financial Risk Management
Increasingly, banks are struggling to get their arms around the management of a rapidly evolving set of non-financial risks, and it is clear that the old ways of doing operational risk management need to change. Our animation gives a glimpse of a contrasting vision of Chief Risk Officer (CRO) success and failure in a future world. We outline what an effective second line looks like in the future of non-financial risk management in banking.
With developments such as electronic capital markets, algorithmic trading and digital consumer banking, financial services companies have now effectively become applied technology companies. This digitalisation of the industry has brought with it a plethora of new risks. Large banks now typically maintain thousands of systems and interfaces, many of which are not fully documented or understood by staff. To bring still more complexity and unpredictability, they also have to manage a web of operational processes and controls.
When you consider that digitalisation has led to tighter coupling in the financial services industry, where failure in one area can easily lead to a potential domino effect, then you get a good sense of the dangers inherent in the system. The steady stream of headlines regarding system outages and cyberattacks reaffirm that impression. Make no mistake - we are walking a tightrope here.
To control all these risks, banks need a strong second line of defence. Many operational risk teams, however, struggle to mount an effective, expert-led and independent challenge of controls in the first line of defence, the business functions that actually generate the risks.
Those working in the second line of defence face three principal challenges. First, they often lack the necessary expertise and information. With the business tending to view operational risk activity purely as an exercise in compliance, the second line is excluded from important discussions, and as a consequence is not always aware of what is really going on at the coal face. Second, the risk function tends to look backwards rather than forwards, using historic losses as the basis for decisions, with insufficient thought devoted to what might happen in the future. Moreover, any deficiencies in controls are not investigated with sufficient thoroughness. An outcome bias also often exists: the absence of incidents or losses is viewed as evidence that controls are working properly, and near misses and close shaves are ignored. Third, the assessment of risk and of control effectiveness often becomes a theoretical exercise, far removed from hard reality. The risk function needs to work alongside the business as the platform is designed, and be empowered to challenge decisions and express its opinions.
Digesting key lessons
There are certainly some useful techniques and approaches to be learned from other industries in the quest to improve risk identification, controls assurance and the second line’s general oversight of risk.
Take the nuclear power industry as a prime example. Charles Perrow’s highly influential research into the causes of the Three Mile Island disaster in 1979 can provide some invaluable guidance to the financial services industry.
Similar to a modern financial services company, Perrow describes a nuclear power plant as an elaborate web of processes, as opposed to a linear model such as an assembly line. These types of systems are difficult to understand and more likely to interact in ways that we do not expect, the causes of which are hidden from view. As the complex workings of the web are invisible to the naked eye, one has to rely on indirect indicators to assess most situations (Chris Clearfield and Andras Tilcsik, Meltdown: Why Our Systems Fail and What Can We Do About It, 2018).
Perrow also argues that there is no slack in the nuclear power system. Failure in one part can lead to a disastrous knock-on effect. Once the dominoes start to tumble, there is often no way to stop it. This is where the comparison with a digitalised banking industry becomes particularly compelling. Modern banking may have always been complex, but the advent of digitalisation makes for much tighter coupling. One small error can lead to calamitous results.
In complex, tightly-coupled systems such as a nuclear power plant, second-line controls are adapted accordingly. First, the risk function devotes huge effort to understanding the web of processes and establishing how controls can be imposed. Second, it focuses heavily on developing measurement systems to ensure that controls are effective. Third, it routinely tests its own assumptions on the optimal control environment, often summoning the opinions of external experts.
The idea that a diverse range of views can help to identify and limit risk has been fully internalised by the commercial aviation industry. Additional pilots regularly sit in cockpits, looking for potential vulnerabilities or defects, and thereby counteracting the dangers of complacent groupthink. To boost collaboration and information sharing, the Aviation Safety Reporting System (ASRS) collects several thousand reports each month from pilots, military operators, air traffic controllers, mechanics and anyone else in the industry. All reports are stored in a searchable database, and a monthly newsletter is published.
There are certainly signs that the banking industry is starting to introduce techniques honed in other industries. For example, penetration testing – an authorised simulated attack on a computer system, network or web application to identify security vulnerabilities – has become increasingly routine.
Nevertheless, the adoption of such techniques has been intermittent rather than systematic, and what’s more, much of it takes place outside of the second line of defence anyway. The obstacles to a structured second-line challenge to operational controls can only be overcome through fundamentally reforming the existing culture and mindset, and bringing in new skills that are currently in short supply.
The necessary cultural change is twofold. Firstly, business functions need to see the benefits of an independent challenge to their control set-up, rather than viewing such challenge as threatening or as an implicit criticism of existing management. The expertise required for an independent challenge can be sourced from outside the organisation as well as internally. The second important cultural change involves risk functions finding a way to think proactively about future dangers, rather than dwelling too much on the lessons of the past.
As for skills, recruiting top experts in cybersecurity, data centre management, application development and cloud computing is prohibitively expensive for all but the largest banks. As a partial solution, some rotation of business function experts into the second line may help to ease the skills shortage.
If these deep-seated issues are confronted with energy and commitment, the second line of defence can finally play a vital role in controlling the myriad and proliferating risks within the banking system.