Frequently Asked Questions about the Current and Future Role of the Risk Function in the Financial Institutions (FI)
I see a great deal of soul searching when it comes to defining the role of the Risk function in financial institutions (FIs); I get asked a lot of similar questions by my clients, so I decided to use this post to consolidate my thoughts and maybe open the debate more widely. The main issues, as I see them, cluster around the following themes:
- How firms can qualify for regulatory incentives, and help key decision makers anticipate outcomes and execute better business strategies that balance risk with reward, by using regulatory data actively in the planning process to derive business value while ensuring compliance
- Moving away from disconnected legacy risk and finance systems (which lead to slow, manual and error-prone reporting cycles) and from passive regulatory compliance, towards agile risk management as a source of competitive advantage
- Managing the risk/return trade-off across volatile economic cycles while future-proofing for evolving regulation: IFRS 9, risk data aggregation (RDA), CRD IV and stress testing
- Developing a meaningful and agile risk appetite framework, fine-tuned with regulatory stress testing and scenario analytics tools and based on actionable standards and triggers
- Constructing and testing business plans that maximise the use of capital resources while maintaining regulatory compliance and adequate buffers in the event of a financial crisis
- Developing the ability to aggregate the relevant risk and regulatory data sources, based on sound data management that can deliver the necessary data accurately, completely, reliably and promptly
Banks around the world are under more pressure than ever to evolve and to respond faster to the volatility and speed of developments in the global capital markets. The need to react faster has grown in importance in recent years, and of particular note is access to, and aggregation of, the data needed for business decisions, regulatory reporting and stress testing.
1. What role will Risk play in the Bank of the Future?
Based on my experience as a former regulator and seasoned risk practitioner, I believe that in the current turbulent market climate Risk needs to find and implement pragmatic solutions:
- to navigate the volatile macroeconomic cycle
- while mitigating the compounding impact of the prudential and conduct regulatory regimes on the bank's ROE.
- Specifically, the Risk function must distil the following:
  - How to integrate Risk, Finance and product portfolio views
  - Map them back to risk appetite
  - Map them forward to capital and liquidity constraints, and
  - Enhance risk-adjusted returns to improve value creation
- Develop Integrated Risk Management as the unified approach that provides consistent taxonomies, methodologies and systems, drives better decision-making and aligns better with board-level risk appetite.
- Ensure that the risk appetite covers all the combined risks to which a firm may be exposed, including financial, strategic, operational and reputational events.
- Combine the key drivers of shareholder value with the business model, risk appetite, allocation of capital and limits, and optimised RoC/RAROC targets, based on the following key steps:
  - Review firm strategy and policy: determine the risk appetite. Low-risk credit portfolio or self-certificated loans?
  - Identify relevant risks: based on strategy; scope and scale of risks
  - Assess risks: how does the firm assess its risks?
  - Limit setting: who sets the size and content of portfolio constraints?
  - Monitoring and control: comparisons with limits; breach processes
  - Risk management: active or passive? How are issues tackled?
  - Reporting and management information: how are risks aggregated and reported? What actions are taken on variances?
This process is dynamic, continually reviewing and improving the approach. When undertaken effectively, integrated risk management ensures that the Board sets its strategy and takes decisions in ways which allow it to develop a sustainable business.
Integrated risk management is all about risk and return optimisation, exploiting risk for maximum competitive advantage. Once risk-return profiles and risk-adjusted performance are comparable across business lines, and measurable for the entity as a whole, firms can address two key objectives: 1) specify risk profiles to debt-holders; 2) generate value for shareholders. The premise is to link risk performance to business performance.
Business units, functions, capital and resources need to be realigned around risk to achieve the ultimate mission: to maximise shareholder value.
Realignment will enable enhanced risk-based decision-making, resulting in greater operational effectiveness and more efficient use of capital, where strategy and execution are tightly aligned and risk evolves into a management discipline.
Many of the enablers for integrated risk management are now better understood. Enhanced data aggregation, integrated analytics, workflow and reporting have created the opportunity to move from concept to reality. There's no doubt that regulation helps; large fines and new capital and reporting requirements have acted as a catalyst for action.
Few firms have been successful with any kind of 'big bang' approach to an integrated risk and compliance framework. Instead, it requires a phased, modular approach. Common starting points I have observed include integrating:
- Operational risk and compliance, branching out into conduct and model risk management
- Risk, Treasury and Finance
- Market risk and credit risk, with fraud risk and anti-money laundering
- Fraud risk and IT security
2. What are the factors that will shape how we bank and operate in 5-10 years, and what role will Risk have?
- Unforeseen events in the very recent past revealed that many global banks did not have the instruments and structures needed to manage their risks effectively, and it was not uncommon for such banks to end up in serious difficulty and be rescued only by government support.
- In response, regulators around the globe have drastically tightened regulatory requirements and are now forcing banks to create structures that enable them to identify risks faster and to deal with impending crises at an early stage.
- Two of the significant initiatives by national supervisory authorities and the Basel Committee on Banking Supervision (BCBS) were the introduction of bank-wide stress tests from 2009 and the "Principles for Effective Risk Data Aggregation and Risk Reporting" (BCBS 239) in January 2013. The interface between the two initiatives is the need for prudent and efficient data management.
- As a result, a new paradigm, "regulatory big data", has become the binding constraint for evaluating capital adequacy. A data deluge is evident in the financial services (FS) sector as new regulations demand more data and reporting while new technology delivers more analytical power. Aggregating data and mining it for regulatory reports and for risk and opportunity spotting is the driver.
- Re-regulation is rampant in the FS sector as legislators seek to avoid a recurrence of the 2008 crash. Regulators want to avoid another boom and bust cycle and are now checking that the post-crash rules designed to stop it, such as the US Dodd-Frank Act, the European Market Infrastructure Regulation (EMIR) and the global Basel III capital adequacy regime, are being adhered to. However, a lot of this new regulation is still bedding in, some is yet to start, and often it is experimental, overly bureaucratic and subject to the law of unintended consequences.
- All banks have databases that should support this data function. But recent data-driven regulatory exercises such as the European Central Bank's (ECB) asset quality review (AQR) and the Federal Reserve's (Fed) comprehensive capital analysis and review (CCAR) made it painfully visible that many institutions cannot compile the data needed for regulatory reports or stress tests promptly, completely and in reliable, quality form. Since data-driven exercises like stress tests will become regular, banks urgently need to remedy this shortfall.
- The Risk function should also help the firm move from passive regulatory compliance to using risk as a source of competitive advantage.
- Transformation of business models: regulators want Risk to make better use of stress testing outcomes to reshape the business model.
- Higher capital costs will create incentives for banks to move toward different business models (e.g. more fee-based).
- Alteration of balance sheet management techniques: firms will need to invest in substantial upgrades to IT infrastructure, reporting systems and data management to meet significantly increased expectations of stress testing capabilities and reporting, including the integration of stress analysis.
- The cost of funding will likely increase for all institutions, with the materiality depending on balance sheet structure and funding strategy.
- Implementation of legal-entity ratio requirements will likely trap liquidity at banking subsidiaries, posing challenges such as:
  - Reduced industry profitability (as measured by ROE)
  - Decreased investor appetite for banking sector capital issuances due to lower returns
  - Greater scrutiny by investors, regulators and other stakeholders of balance sheet usage
  - Securitisation businesses significantly altered by the recalibration of RWA and the elimination of the arbitrage between banking and trading book
  - Large derivatives and reverse repo players impacted by increased counterparty credit risk capital requirements.
3. What kinds of megatrends will dominate our industry and risk management?
- The recent financial crisis demonstrated that only high-quality capital is useful to absorb unexpected losses. In Europe, with FIs needing around €1.1 trillion of additional tier-1 capital by 2019, a lack of quality capital could significantly impact many capital adequacy programmes. Likewise, a gaping hole of $870 billion in tier-1 capital is set to impact the US banking sector. These capital shortfalls are staggering and warrant an increased focus on FIs' ability to raise, calculate and maintain minimum regulatory capital.
- Cyber security has jumped to the top of companies' risk agenda after a number of high-profile data breaches, ransom demands, distributed denial of service (DDoS) attacks and other hacks. In an increasingly digitised world, where data resides in the cloud, on mobiles and on devices connected to the "Internet of Things", threat vectors are multiplying, threatening firms' operations, customer and bank details and future financial stability. For example, the "Carbanak" $1bn loss from financial institutions worldwide and this year's Dyre Wolf malware attack against banks show that phishing, malware, fraud, money laundering and business disruption all go together. The cyber risk response and the operational risk management (ORM) strategy should be coordinated in the same way.
- Human-behaviour-based GRC solutions have been deficient. In the financial services sector alone, the aggregate impact of the top 50 operational loss events over a 12-month period is estimated at $60bn; 98% of these losses (by value) and 82% (by frequency) were due to misconduct and inappropriate human behaviour.
- Conduct risk: multi-billion cross-border fines have been laid down by regulators in recent years. The fines cover a range of events with misconduct and misbehaviour as the root cause, including:
- $8.9bn for sanctions failures;
- $2bn for tax evasion;
- $1.5bn for unauthorized trading.
- A number of recent scandals and fines were caused by poor conduct & the failure to manage it:
- the EU’s billion-dollar LIBOR fines,
- the PPI mis-selling fines,
- Lloyds Banking’s £28m fine for retail conduct failings,
- JP Morgan’s $4.5bn repayment to investors for mis-selling mortgage securities,
The 'London Whale' losses at JP Morgan also highlighted the potential cost of model risk. Insufficient governance of the modelling process and of model deployment allowed risk to mount, ultimately leading to billion-dollar losses, regulatory scrutiny and reputational damage.
- New forms of unstructured data management are proving their value. Analytics in areas such as sales processes, complaints management, Know Your Customer (KYC) and third-party risk management are increasingly enabled by text mining and social media analysis. Firms must prove that they have controls over their complaints, sales and internal communication processes at increasingly granular levels.
- "Big data" and "big analytics" are rapidly being applied across all industry sectors. The idea and promise of risk and compliance as a service has been around for some time, and a number of sub-segments (e.g. buy-side risk analytics) already have mature hosted and cloud-based solutions. Over the last twelve months, however, we have observed a significant shift in demand towards hosted risk and compliance solutions across more industry verticals and risk classes. Technology vendors are responding by developing horizontal software-as-a-service solutions in segments such as Know Your Customer (KYC), Anti-Money Laundering (AML), GRC, market risk and regulatory reporting. Across financial and non-financial organisations I see a lot more advanced technology being used, specifically:
- a top-10 financial institution using natural language processing and artificial intelligence tools for internal audit,
- a European energy company using continuous real-time technologies for health, safety and environment control monitoring,
- a global pharmaceutical company using high-performance supercomputers for risk identification in a "data lake" using graph analytics,
- and a manufacturing company using complex event processing (CEP) technology and in-memory analytics for supply chain risk management.
4. What role should Risk play to improve the customer, employee, shareholder and regulator experience, and to enable the business agility to respond to these new challenges and new business models?
FIs still need a clear picture of what best practice looks like. Risk should play a key role in defining the roadmaps and establishing the target operating model.
The worry is that the new post-2008 environment may encourage box-ticking compliance only, and the generation of millions of pages of documentation and reports from ever more powerful computing technology, which neither positively impacts the bottom line nor integrates with the firm's wider technology stack or enterprise risk.
5. Is the Risk function going to be even more critical than today in making banks successful in 5-10 years' time?
The economic realities of the next decade will be decided by FIs' ability and willingness to establish a risk-intelligent culture which can influence employee behaviour and ensure risk oversight:
- Leadership on the ambition and tolerance levels for risk and reward in the organization must be established from the board and executive level downwards.
- Their stance must be communicated and implemented across the organization, guiding decisions at all levels.
- Employees should be rewarded and compensated for superior risk management practices.
- Moreover, the entire governance framework of the enterprise needs to be well understood and integrated with its risk management programs.
Over the next 5 years, as businesses become increasingly complex, there is a corresponding demand for transparency, making the requirement for comprehensive performance management all the greater. Consequently, traditional risk-related knowledge is becoming more relevant at all levels of the organisation.
I feel encouraged by the fact that FIs are taking more seriously the need to view the impact of risk across the entire enterprise and not just in their organisational silos. The realisation is sinking in: FIs can no longer afford the traditional model where risk is handled solely by risk managers; senior management needs access to the data, insights, analytics and models on a continuous basis.
The Risk function can help firms to strengthen effective performance management by:
- improving their ability to view / assess their overall position,
- making compensation and strategic decision-making more robust and risk-aware,
- enabling alignment between risk and finance because risk-based performance management requires input from both these functions,
- facilitating the integration of data aggregation and reporting systems, and
- improving communication between the risk function, the front office, and senior management.
For the new decade I foresee that integrating risk management will rely heavily on risk-based performance management encompassing metrics relating to individual staff and lines of business, as well as enterprise-wide measurements, such as RAROC.
I can see the Risk function bringing together a number of key elements at an enterprise level, including dynamic risk-based balance sheet management, capital efficiency, risk-based pricing and decision-making, collateral optimisation, and enterprise risk appetite monitoring.
The organisation's risk and reward expectations need to be communicated and implemented from board level, so that they can guide decision-making at all levels. The involvement of the Risk function is critical for:
- Enabling alignment between risk and finance, because risk-based performance measurement requires input to and output from both functions.
- Improving communication between the risk function, the front office and senior management.
- Facilitating the integration of data aggregation, reconciliation and reporting systems, supported by multi-skilled cross-functional teams that enable FIs to understand the risk associated with particular decisions.
To this end, Risk, Finance, Regulatory Compliance and technology teams can deliver reliable, high-quality information from diverse operations; integrate operational, transactional and financial information to help identify and resolve risk-related issues; and facilitate the prediction, prevention, detection, management and reporting of internal and external risks, focused on:
- Risk enterprise data management as the unified set of disciplines that work together to ensure that data is properly integrated and continuously maintained, and that information is made available to business users in the right format.
- Advanced risk analytics that help organisations leverage their data so they can make better decisions, streamline regulatory reporting and improve risk-based performance monitoring, and identify and proactively manage financial, operational, regulatory and security risk.
- Advanced risk analytics (e.g. stress testing) that help firms manage individual risk exposures within previously established levels. The role of Risk and technology in risk-based performance management is to align with the constantly evolving business strategy and to support the identification and mitigation of risks generated by dynamically changing corporate policies, legislation and regulations.
- Consolidated Risk and Finance technology teams operating as a key enabler of business priorities; Risk, Finance and Regulatory Compliance should work in close partnership with the institution's data governance function to ensure that the processes give transparent data flow to all stakeholders.
6. How should Risk make use of new technologies to enable better risk decisions and automation of risk processes?
To truly ensure that board-level decisions are enacted and that actuals meet expected outcomes, FIs need to influence the whole continuum, from board decision down to customer-level decision, and FICO, with its experience at the decision level, can provide this continuum.
The main role of technology in integrated risk management is to deliver the right type and amount of information to the right people in a timely manner.
In my opinion, in some FIs board decisions do not fully take into account the likely impact or outcome of a decision at each level; they are usually based on current portfolio trends or even "gut feel", when the true outcomes of different decisions can be very different. Throwing money at an improving trend is no guarantee that the trend will continue or improve further; conversely, the reason an area is not performing may be under-investment, and a currently under-performing area may be where the best ROI can be achieved.
FICO's understanding of how to consider and model these impacts (whether expert- or data-driven) is key to making better investment decisions at all levels.
Ultimately, the choices available in each product decision area at the customer level can also provide insight on potential options that can be fed back to inform the board-level decisions, completing the circle shown on the right of the graphic. These often take the form of efficient frontier graphs produced by each decision optimisation, which let you see the impact of changing key constraints, e.g. how profit, revenue, costs and losses would be affected if we had $Xm less capital available.
All decision areas have trade-offs, and there are usually many ways of making a similar level of profit, some needing more capital and some less. Roll all these options up and you can turn the board question around: instead of "how can we reduce capital needs by $Xm?", it becomes "what combination of changes in capital allocation will have the least impact on profit?". Ultimately, if you can measure it with a degree of certainty, you can make a better decision.
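A worked illustration of the roll-up described above, as an added example that is not part of the original post and is not FICO software: three constructed decision areas, each with a handful of option settings, are enumerated into an efficient frontier of profit against capital, and the board question is reframed as "which reallocation gives up the least profit for a $50m capital cut?". The area names, option labels and all capital and profit figures are invented for the example.

```python
"""Added example (not FICO code or the author's): enumerate the options in
each decision area, build the efficient frontier of profit versus capital,
and turn "cut capital by $X m" into "which reallocation loses the least
profit". Decision areas, options and all figures are constructed."""
from itertools import product
from typing import Dict, List, Optional, Tuple

# (option label, capital consumed $m, expected profit $m) per decision area
Option = Tuple[str, float, float]
Choice = Dict[str, str]          # decision area -> chosen option label
Combo = Tuple[Choice, float, float]   # (choice, total capital, total profit)

DECISION_AREAS: Dict[str, List[Option]] = {   # constructed figures
    "card_limits":     [("tight", 40.0, 9.0), ("current", 60.0, 12.0), ("loose", 90.0, 15.0)],
    "mortgage_volume": [("cut", 100.0, 14.0), ("current", 150.0, 19.0), ("grow", 220.0, 24.0)],
    "sme_lending":     [("exit", 0.0, 0.0), ("current", 50.0, 8.0), ("expand", 80.0, 11.0)],
}
CURRENT_PLAN: Choice = {"card_limits": "current", "mortgage_volume": "current", "sme_lending": "current"}


def enumerate_combinations(areas: Dict[str, List[Option]]):
    """Yield (choice, total capital, total profit) for every combination of options."""
    names = list(areas)
    for picks in product(*(areas[n] for n in names)):
        choice = {n: p[0] for n, p in zip(names, picks)}
        yield choice, sum(p[1] for p in picks), sum(p[2] for p in picks)


def capital_and_profit(areas: Dict[str, List[Option]], choice: Choice) -> Tuple[float, float]:
    """Totals for one named combination."""
    picks = [next(o for o in areas[n] if o[0] == lbl) for n, lbl in choice.items()]
    return sum(p[1] for p in picks), sum(p[2] for p in picks)


def efficient_frontier(areas: Dict[str, List[Option]]) -> List[Tuple[float, float, Choice]]:
    """Non-dominated combinations sorted by capital: each point uses more capital than
    the previous one and earns strictly more profit. Every other combination is dominated
    by a point that earns at least as much with no more capital."""
    frontier: List[Tuple[float, float, Choice]] = []
    best = float("-inf")
    for choice, capital, profit in sorted(enumerate_combinations(areas), key=lambda c: (c[1], -c[2])):
        if profit > best:
            frontier.append((capital, profit, choice))
            best = profit
    return frontier


def best_under_budget(areas: Dict[str, List[Option]], budget: float) -> Optional[Combo]:
    """Highest-profit combination that fits within `budget` (ties broken towards less
    capital); None if even the leanest combination exceeds the budget."""
    feasible = [c for c in enumerate_combinations(areas) if c[1] <= budget]
    return max(feasible, key=lambda c: (c[2], -c[1])) if feasible else None


def cheapest_capital_cut(areas: Dict[str, List[Option]], current: Choice, cut: float):
    """Reframe 'reduce capital by $cut m' as 'which reallocation loses the least profit'.
    Returns (new choice, profit given up) or None if the cut cannot be met."""
    capital, profit = capital_and_profit(areas, current)
    best = best_under_budget(areas, capital - cut)
    if best is None:
        return None
    return best[0], profit - best[2]


if __name__ == "__main__":
    for capital, profit, choice in efficient_frontier(DECISION_AREAS):
        print(f"capital {capital:5.0f}  profit {profit:4.0f}  {choice}")
    new_choice, lost = cheapest_capital_cut(DECISION_AREAS, CURRENT_PLAN, cut=50.0)
    print(f"$50m less capital: {new_choice} costs ${lost:.0f}m of profit")
```

In practice each option's capital consumption and profit would come from the portfolio models and stress outcomes discussed earlier, and with many decision areas and options the brute-force enumeration would be replaced by a proper optimiser; the frontier and the reframed board question are the same either way.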
Finally, Risk must create an environment of fairness and transparency. It may be called upon to justify product offerings, communications with customers, the clarity of documented features and fee structures of products, and customers' ability to manage additional debt. So Risk needs the right tools, technologies and resources in place to address conduct risk compliance questions:
- Suitability: the ability to prove customer suitability at the point of purchase and through lifetime usage.
- Understanding: the ability to prove that the customer understands the product both at the time of purchase and in its long-term implications.
- Fee justification: firms should ensure that margins charged are not beyond market norms or internal bank pricing.
- Disparate impact: the danger that customers are treated differently based on their race or place of origin (i.e. demographic discrimination).
- Financial detriment: regardless of safeguards, institutions run the risk of passing detrimental effects on to their customers.
The customer journey is an essential part of the conduct risk management process. Firms should have a full 360 degree view of the customer lifecycle. Crucially, this does not end at onboarding, or the customer leaving – the customer remains the responsibility of the firm.
FIs need to have the right tools, technologies and resources in place to address compliance questions stemming from the originations process. With legacy systems creating redundancies and gaps in function, and a silo mentality around line of business functions, very often FIs lack visibility into the complete customer experience.
A complete customer experience requires the capture of all relevant data, creation of customer and household centric views, analytics that can be simple and complex, and a consistent execution environment across all customer touch points.
7. What skills and capabilities are required of Risk professionals who will operate in the Risk function being proposed?
FIs often lack the analytic talent to explore the data in order to create relevant, usable information; to monitor strategies and scores in production; to alter strategies in a timely, flexible manner; and to document performance and validation activities. Therefore, the Risk professional's skill set should include:
- Risk-adjusted performance optimisation: maximising portfolio expected return in line with the enterprise's risk appetite, or minimising risk for a given level of expected return, by carefully choosing the proportions of projects and investments. It brings risk management and investment evaluation together.
- Performance management methodologies, including risk-adjusted portfolio optimisation, xVA calculation, collateral optimisation, customer relationship management (CRM), enterprise resource planning (ERP), etc.
- Managing mission-critical projects effectively. The core processes that an enterprise must do well will already have been selected in the investment evaluation process; it is at this stage that the balanced scorecard, with its predefined key performance indicators (KPIs) (and KRIs as a subset of the total universe of KPIs), becomes the mechanism to steer the organisation.
- Designing actionable balanced scorecards, including target-versus-actual KPI variance dashboard measures with drill-down analysis and colour-coded alert signals. Scorecards provide operational and financial performance feedback, so that every employee, now able to see how he or she helps to achieve the executives' strategy, can answer daily the fundamental question, "How am I performing the most important tasks?"
- Collaboration to continuously realign work efforts, priorities and resources to attain the strategic objectives defined in strategy and value management.
- Multi-disciplinary capabilities and competencies across operational risk and cyber security should be encouraged. Practitioners should meet their counterparts in different departments to develop a unified response.
- Bringing together leadership and capabilities across fraud, IT, cyber security and operational risk in this manner can help FIs to "connect the dots" and improve their enterprise risk management (ERM) strategy.
8. What should be done NOW to start preparing for the future challenges?
FIs need to make the transformation to become an integrated risk ecosystem, but they often lack a realistic roadmap for this process. In order to drive transformation, they have to ensure that:
- The risk function is managed throughout the organisation through well-defined roles and responsibilities.
- There are clear hand-offs between business and control functions. Here the executives stand back and identify and assess the market and environment, a process that includes the identification and stress testing of risk metrics such as market risk, credit risk and liquidity risk as well as key risk indicators (KRIs).
- Formulating KRIs is essential to understanding the root causes of risk. KRIs should include a predictive capability, so that by continuously monitoring the variances between expected and re-forecast KRIs, the organisation can react before rather than after an event occurs. Firms need to use a combination of qualitative and quantitative techniques.
- Boardroom oversight and engagement is necessary in a good data control framework, but senior management should also support and listen to the CRO when setting the over-arching risk appetite of the firm.
- To achieve the consistency and trust required for across-the-board aggregation and reporting, data creators and consumers need to agree on usage, syntax and value. This requires an achievable form of governance which, while enabled by technology, is not strictly a technology exercise; it is fundamentally driven by process and organisational factors. Many data management projects in large institutions have failed because they tried to "boil the ocean", attempting aggressive data management as a technology exercise without the required organisational and process commitment.
- The independent role of the chief risk officer (CRO) is important when discussing who should take ownership of regulatory and internal risk data at a bank. The CRO should continually assess the FI's risk position and ensure it is within the bounds of the appetite the board sets and of the strengthened Basel regulatory framework. The job involves taking everyday responsibility for risk data and should almost have the status of a "whistleblower" role, so that there is protection if a CRO raises an alert that is inconsistent with boardroom strategy. Indeed, Basel guidelines insist on the independence of the CRO, direct reporting lines to the board and independence from other executive functions. CROs can only do their job well, however, if they work closely with the chief data officer (CDO) function and ensure that the data they use for stress test modelling and risk/opportunity spotting is accurate, timely and relevant. Effective information from the CDO can buttress the CRO's contribution in helping to set and meet this target.
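As an added example of the predictive KRI monitoring described in the list above (not code from the original post), the following Python re-forecasts a KRI from its recent actuals, compares the re-forecast with the expected (planned) path, and escalates when a limit breach is projected within the horizon instead of waiting for the breach itself. The KRI ("days to remediate critical vulnerabilities"), its appetite and limit, the plan values and the three series are all constructed for the example; the least-squares trend is a stand-in for whatever forecasting model the firm actually uses.

```python
"""Added example (not the page's or any vendor's code): a minimal KRI monitor
that re-forecasts a KRI from its actuals, compares the re-forecast with the
expected path, and escalates before the hard limit is reached. The KRI,
appetite, limit and every series below are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Kri:
    name: str
    appetite: float          # board-set level the business is expected to stay within
    limit: float             # hard limit: an actual beyond this triggers the breach process
    higher_is_worse: bool = True

    def adverse(self, value: float, threshold: float) -> bool:
        """True if `value` is on the wrong side of `threshold` for this KRI."""
        return value > threshold if self.higher_is_worse else value < threshold


@dataclass(frozen=True)
class Assessment:
    status: str                  # "GREEN", "AMBER" or "RED"
    latest: float
    reforecast: List[float]
    breach_in: Optional[int]     # periods ahead until the re-forecast crosses the limit
    worst_variance: float        # largest adverse (re-forecast minus expected) over the horizon
    reasons: List[str]


def linear_reforecast(actuals: List[float], horizon: int) -> List[float]:
    """Ordinary least-squares trend through the actuals, projected `horizon` periods
    ahead. Deliberately simple: the point is the monitoring loop, not the forecaster."""
    n = len(actuals)
    if n < 2:
        return [actuals[-1]] * horizon
    mean_x = (n - 1) / 2
    mean_y = sum(actuals) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(actuals))
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    return [intercept + slope * (n + h) for h in range(horizon)]


def assess(kri: Kri, actuals: List[float], expected: List[float], variance_tolerance: float) -> Assessment:
    """RED: latest actual beyond the limit. AMBER: latest beyond appetite, the re-forecast
    crosses the limit within the horizon, or the re-forecast drifts from the expected path
    by more than the tolerance in the adverse direction. GREEN otherwise."""
    horizon = len(expected)
    latest = actuals[-1]
    forecast = linear_reforecast(actuals, horizon)
    reasons: List[str] = []

    breach_in = next((i for i, f in enumerate(forecast, start=1) if kri.adverse(f, kri.limit)), None)
    sign = 1.0 if kri.higher_is_worse else -1.0
    worst_variance = max(sign * (f - e) for f, e in zip(forecast, expected))

    if kri.adverse(latest, kri.limit):
        reasons.append(f"actual {latest} beyond limit {kri.limit}")
        status = "RED"
    else:
        if kri.adverse(latest, kri.appetite):
            reasons.append(f"actual {latest} beyond appetite {kri.appetite}")
        if breach_in is not None:
            reasons.append(f"re-forecast crosses limit in {breach_in} period(s)")
        if worst_variance > variance_tolerance:
            reasons.append(f"re-forecast drifts {worst_variance:.1f} from plan (tolerance {variance_tolerance})")
        status = "AMBER" if reasons else "GREEN"
    return Assessment(status, latest, forecast, breach_in, worst_variance, reasons)


# Constructed example: weekly "days to remediate critical vulnerabilities" KRI.
PATCH_LATENCY = Kri("critical_vuln_days_to_patch", appetite=18.0, limit=21.0)
PLAN_NEXT_4_WEEKS = [12.0, 12.0, 12.0, 12.0]   # what the remediation plan says should happen

if __name__ == "__main__":
    series = {"stable": [10, 11, 10, 12, 11, 10],
              "drifting": [8, 9, 11, 12, 14, 16],
              "breached": [12, 15, 17, 19, 20, 23]}
    for label, actuals in series.items():
        a = assess(PATCH_LATENCY, actuals, PLAN_NEXT_4_WEEKS, variance_tolerance=3.0)
        print(f"{label:9s} {a.status:5s} breach_in={a.breach_in} reasons={a.reasons}")
```

Running the block gives GREEN for the flat series, AMBER for the drifting one (the re-forecast crosses the 21-day limit four periods out and sits far above the planned 12 days even though the latest actual, 16, is still inside appetite) and RED for the series whose latest actual is already beyond the limit. The AMBER case is the "react before rather than after" point in the text: the limit has not been breached, but the variance against plan and the projected crossing are both visible in time to act.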