With every opportunity digital technology has provided to banks, customers and counterparties, it has also altered existing risks and often introduced new ones. While digital transformation is creating major opportunities, understanding and navigating through those risk areas is critical.
As technology continues to usher in a new era and drive transformative changes in every industry, corporates and financial institutions are altering their business models and redefining their operations underlined by automation, robotics and AI. While digital transformation is capturing new possibilities to head off the threat of disruption, it’s creating new risks that haven’t been encountered before.
Putting it simply, Ideagen head of ARC product Gordon McKeown said, “With [digital] opportunities come threats such as cybersecurity, data leakage, system failures, privacy and unethical automated decision making – and that is just the tip of the iceberg. As financial organisations become exposed to a broader range of risks in a digital environment, embedding a robust digital risk management strategy will be crucial to success.”
With technologies such as IoT and big data providing new ways to optimise operations, institutions witness a higher risk profile. According to a report by RSA, which surveyed circa 600 finance professionals, 35% reported their risk profile has expanded over the past two years due to digital transformation. In addition, 88% expect risks to escalate over the next two years.
Indeed, the next decade in risk assessment may be subject to more transformation than the last and unless banks act now and prepare for these changes, they may be overwhelmed by the new requirements. “Risk assessments enable organisations to navigate amid chaos and meet their strategic objectives. Therefore, the process must be baked into every step of their digital transformation if they are to achieve long-term success,” McKeown added.
Echoing a similar sentiment, Theta Lake VP of compliance Marc Gilman believes when conducting risk assessments, financial institutions must look beyond the traditional areas of digital risk. Failing to do so, organisations might face devastating effects. “Inadequate assessments impact all of a firm’s control processes such as compliance, information security and finance. Since risk assessments are the building blocks of a firm’s overall control framework, stale or incomplete assessments will have a broad effect,” he said.
“The impact of a particular rule change, business process, or operational paradigm, without a corresponding assessment of its risks, creates gaps in a firm’s compliance framework and exposes it to potential regulatory fines and sanctions as well as financial and reputational consequences,” Gilman added.
Indeed, failure to mitigate such eventualities could cost the firm penalties issued by regulatory bodies such as the UK’s FCA or even reputational damage which might result in loss of clients.
Highlighting the risk of reputational damage, Castlepoint Systems CEO Rachael Greaves said that, “Financial [firms] provide services, advice and products… under rigorous regulation. For these institutions to thrive and compete in a congested and consumer-centric global market, they must be trusted and reliable.
“Being unable to even understand their own risk, let alone take reasonable steps to treat it, is a serious breach of the social contract for customers and partners who rely on the institution’s effectiveness, security, and compliance.”
More data, more risk for financial institutions
Given that financial institutions are custodians of significant amounts of third-party data, much of which is personal and sensitive, it is imperative now more than ever to manage and assess the risks and their impact on the existing ecosystem to drive optimum value from their digital initiatives.
The risks are indeed multiplied where data is involved. With the ubiquity of online banking apps and services, the likelihood of a breach is almost certain at some point and that is when banks must be prepared. As the cadence of cyberattacks increase, organisations can no longer hide internal dysfunction from external stakeholders. “[When] an inevitable breach, audit or Royal Commission happens, financial institutions will only survive the exposure if they can show that they have actually taken all reasonable steps to protect themselves,” Greaves said.
Being in control of the high-risk data must be the first step in mitigating these risks. “The key to treating information risk is to have full control of that information. If an institution is unfamiliar with what data it has, who is doing what to it, and where and how it is stored within its systems, it will be unable to control it or protect it,” Greaves said.
Greaves advised, “The best ways to treat that risk are avoidance and mitigation, by removing high-risk data that is no longer needed. Coming in next is reduction – reducing the likelihood of a spill of sensitive information by finding all the high-risk data and targeting it for hardening.
“Risk assessment needs to focus first and foremost on understanding and quantifying the risk – not through sampling, guesswork, or ad hoc searches – but through creating a complete and comprehensive inventory of all data, and automatically flagging its risk, value and compliance obligations,” Greaves continued.
To add on, risks are not entirely limited to cybersecurity and ransomware attacks. McKeown said that the extent of risk is connected to every technology-based decision a business makes. “Social media, for example, has become an intrinsic part of marketing but creates risks to brand reputation and data integrity. Likewise, customer profiling is a cornerstone to improving the customer experience, yet this poses threats to data privacy,” he said.
Tellingly, a slew of RegTech tools have helped firms reduce time and cut costs as well as ease processes from tactical to strategic compliance to optimise operations. However, CSS executive director Keith Marks warned that firms must not fall into the trap of automating every step. “Risk assessments using regulatory experts are critical to bringing in the human element to compliance that can be missing from automation, providing that complementary and unmatched guidance, outside the box analysis and compliance tenure that technology cannot bring to the table,” he said.
What the pandemic meant for risk management
The ongoing Covid-19 pandemic has catalysed the process of digitalisation catapulting tools like Zoom, Slack, Microsoft Teams and Webex into every professional’s living room. In this occurrence, consumer demand for digital financial services went up tenfold and exacerbated every risk facing companies in the sector.
Gilman said that while the aforementioned communication tools have been essential to connecting geographically dispersed teams during the pandemic, it presents new risks such as “ensuring they can be properly supervised to align to FINRA, FCA and SEC investment advice mandates as well as creating new threat surfaces for the disclosure of sensitive PII, financial information, and proprietary IP.”
He added, “Moreover, Zoombombing and meeting security pose critical collaboration risks that compliance teams must consider in 2021. Clearly, the breadth and severity of risks related to work from anywhere and the pandemic must prompt risk assessment refreshes. Failing to account for these new remote work risks in assessments will result in inadequate compliance and information security programs and may raise regulator concerns during the coming examination cycle.”
Additionally, facilitating remote working and the surge in online transactions has brought a fresh set of challenges, forcing businesses to revisit their approach to risk management and uncertainty. McKeown said, “Covid-19 has highlighted the need for financial firms to be more forward-looking when it comes to risk management to build future resilience. Businesses now have an enhanced understanding that a single root-cause issue can quickly develop into an enterprise-level risk that affects every operation.
“Proactive risk assessment, detailed reporting, horizon scanning and expert judgement will be key to reducing the likelihood and severity of risks in future, helping organisations to reach a level of preparedness like never before.”
Consequently, financial companies learned the lesson of acting promptly when it comes to risk awareness and mitigation. “In 2021, there will be continued disruption for financial institutions caused by pandemic-derived digitalisation challenges,” McKeown added.
Adding to the challenges the pandemic brought, Greaves said that it has escalated the risks which were already prevalent before remote working became commonplace.
“[With] mass decentralisation of data, information was already spread across many corporate systems and stored in many different formats. This has always made it very difficult for institutions to know what data they actually hold, let alone how secure it is across the network. This risk has increased throughout the pandemic.
When this increase in the threat to the security of data and decrease in information oversight combines with the ever-increasing risk of cyber related infiltrations, financial institutions face a new frontier of accountability and defensibility,” she said.
In conclusion, by avoiding pitfalls such as failing to update existing risks and thresholds and not being realistic about the rate of risk associated with a given activity is a downward slope for financial companies. “Risk assessments are, in many respects, reality checks, so firms must be candid and transparent about the severity and likelihood of a particular risk when conducting these annual exercises,” Gilman said.