Firms that want to make the best of the new tools and products need a fresh approach to risk management – one that copes with hi-tech products developed in unfamiliar ways by innovative people. They should give their risk managers a wider mandate than they have had until now, so that they can ensure that the firm neither hampers the development of innovative propositions nor compromises its security, but instead supports the business in transforming itself.
The nature of the new digital products is different. Some are aimed at a wider range of customers, not all of whom will fully understand the propositions and could therefore be categorized as vulnerable. Human interaction might have avoided this kind of problem in the past, but it has been reduced by the shift to digital delivery. Further complications come from channel security, customer journeys that are more flexible and more complex, and challenges related to devices, such as screen size and compatibility.
Furthermore, businesses are approaching the development of these propositions differently. Traditional risk management approaches tend to consist of a yes-or-no decision at certain points in time or the periodic review of a stable business process. An IT change or new product, for example, is subject to pre-release approval, and concerns that are identified at this point are translated into additional risk controls. But before and after this approval process, risk managers have limited engagement.
In an age of innovation, this approach is bound to fail. Agile development can mean propositions are never quite finished but are instead in a constant state of development, making point-in-time engagement impractical. In addition, innovation processes are often separated from the traditional business, as firms ringfence development teams to allow them to embrace agile working methods. This can make it hard for risk managers to engage.
Finally, where in-house development would be too slow, firms import innovation from outside. That produces other challenges, as these sources are often start-ups that will only gradually – if ever – meet established corporate standards, leaving a long list of exceptions to corporate policy.
Innovation therefore means dramatic changes in the ways institutions must manage risk. We believe they need first to establish an explicit institutional appetite for innovation risk and then to engage continuously. We have identified three pillars of innovation risk management:
1. Innovation Risk Appetite
Risk managers should work with senior management to codify an explicit statement of risk appetite in relation to innovation. This should address the important questions: Which risks are negotiable and where do we need to draw red lines? Where are we a first mover in our industry and where a follower? Where we do take on risk, what forms of payback are acceptable, and how are these tracked? Is the cost of risk management for a particular product reflected in its business case?
Some answers are clear: financial crime belongs on the far side of the red line, where no payback is acceptable. But in many other areas risks have to be weighed against potential returns. Where firms create a new market for a poorly served segment (think payroll services for the gig economy as a recent example), would a certain level of fraud be acceptable initially, while the market is being developed?
In other cases, firms might need to follow the competition just to defend an existing customer base. Many banks at first held off introducing mobile wallets such as Apple Pay, as the additional risk seemed to outweigh the likely benefits. But they launched them once a critical number of competitors had moved ahead, demonstrating a differentiated, if not always explicit, approach to weighing risks and benefits.
2. New Controls For New Risks
Digital propositions will fundamentally change the risk profile of a firm. Technology-related risks, from resilience to cyber risks, may increase as heavy reliance is placed on technical infrastructure and previous manual alternatives are disbanded. Fraud may increase if not carefully controlled, as has been observed in the initial stages of many digital propositions. At the same time, less human interaction – both internally and with customers – may reduce risks related to poor behavior, such as embezzlement or mis-selling. Some risks may morph into new forms. To address the risk of a customer ending up with an unsuitable product, their journey needs to be assessed in its entirety, including exit gates for when there is no suitable product for a particular customer. This forms part of the emerging discipline of digital conduct.
3. Continuous Engagement
Risk managers should contribute to innovative development through risk identification, analysis, and control recommendations. To ensure that risk controls are fully integrated into the resulting propositions, they should engage at the stages of development, testing, independent validation, and implementation, as well as in regular review.
There are several drivers that make continuous engagement a necessity:
Today’s innovation labs and technology start-ups operate through cycles of design sprints. For risk management to be effective, it needs to be deeply embedded in the design throughout the development process, ideally right from the start.
As business processes are digitized, manual intervention becomes less desirable and risk controls increasingly must become an integral part of product design.
Regulators and law-makers are increasingly echoing these demands. The European Union’s General Data Protection Regulation (GDPR), for example, enshrines Privacy by Design as one of its foundational principles.
Once digital propositions have been launched, there will likely remain exceptions to the usual corporate standards. For instance, a start-up firm supplying customer analytics may not have the required cyber-risk certifications. The role of risk management will need to extend beyond the approval stage to ensure that each exception is recorded with an owner, a compensating control and a closure date, and is eventually closed out to protect the firm's critical infrastructure and its customers' data. Firms must be able to rapidly launch propositions without ultimately sacrificing the corporate standards that are the foundations of their customers' trust.
Making the transition
Managing innovation risk will mean profound change for a firm’s risk functions. Digital innovation could breed new risks that only become apparent over time and may not fit into established taxonomies such as credit and compliance risk. New tools and processes will be required – for example to critically review algorithms and digital customer journeys and to engage meaningfully with third-party start-ups on the risks they pose. Risk management will also need a wider mandate to reflect earlier and later points of intervention. Risk managers will need the appropriate skills for this engagement model, and the organization will have to be supportive of agile working methods.
The risk functions at many firms are starting to tackle the challenge, often prompted by a particularly high-profile project or venture. The next task is to learn from those first moves and embed innovation management as a core part of the risk function’s mandate.
If a firm’s risk management does not adapt, innovation will simply happen elsewhere.