Enterprise Risk Management - A journey to a digitally enabled enterprise risk function
Enterprise Risk Management ("ERM") as a discipline in its own right has grown in prominence and acceptance over the past decade since the onset of the Financial Crisis, but it still has a way to go in developing to its full potential. While ERM is not usually considered a function or department in its own right, the pace of change and the trajectory of increasing demands mean that personnel who fall within the Risk Governance, Appetite and Strategy monikers, typically under the Chief Risk Officer, are increasingly being asked to become 'Enterprise Risk Managers' by actively managing their enterprise's key risks and issues.
Evolving expectations from financial institutions' stakeholders, primarily boards of directors and senior management, have led to a rapid expansion in the expectations and demands placed on personnel falling under the ERM umbrella. These functions have built out in numbers over time as they matured, with increasing expectations that they should undertake greater responsibilities than risk governance, administration and risk appetite facilitation, while at the same time being challenged by the velocity of technological innovation seen across the industry. ERM functions need to be enabled and staffed appropriately, with the tools and personnel to pro-actively identify and advise on, and be trusted advisers in resolving, risks and issues arising from within their enterprises.
Financial institutions cannot afford to continue operating their ERM as they always have. There are pressures from new fintechs and challenger / virtual banks who are not lumbered with the legacy structures, bureaucracy and cost structures that incumbent banks may be. Whilst new entrants to the financial services industry may be seen as threats by some incumbent institutions, others may view this as an opportunity to streamline and optimize their enterprise risk model to ensure cost control and ongoing relevance, and to become digital ready.
Until now, financial institutions have largely focused on technology innovation and process optimization in the infrastructure and operations of the individual risk disciplines (credit risk, market risk, etc.), which may lead to "blind spots", inefficient coordination and management, and insufficient insight into risks. The continuously changing risk environment calls for a risk management approach that is able to withstand and incorporate new regulations and requirements, on top of risks becoming more thematic in nature as organisations' strategies change and firms expand and contract over time.
Currently, ERM personnel generally comprise those involved in risk governance activities. These teams make efforts to aggregate existing risk reporting to develop comprehensive views of risks, with information from this aggregation driving business decisions linked to strategic/business planning. To date, advances have been made in how risk is governed, measured, monitored, mitigated and managed. However, undertaking these activities can be highly manual and time consuming, requiring a relatively high number of personnel and prone to human error.
There is a need to further develop enterprise risk, risk governance, appetite and strategy, and oversight responsibilities. ERM functions need to shift the composition of their teams, update their working practices to incorporate Agile methodologies, and build up capabilities to not only provide administrative guidance, oversight and appetite and strategy facilitation, but also pro-actively identify and advise on, and be a trusted adviser in resolving, any risks and/or issues arising from within the firm with a broad set of stakeholders.
Enterprise Risk Management Challenges Faced by Financial Institutions
Financial institutions face increasing pressure from several internal and external threats: externally, from diverging regulatory agendas, changes in the competitive landscape and macroeconomic conditions; internally, from antiquated legacy systems and personnel-heavy risk and compliance functions.
Implementing / Execution Challenges
Financial institutions have made progress in standardizing risk and control approaches but have lagged in implementing technologies to manage enterprise-wide risk and governance operations.
Financial institutions are contending with the pace at which new techniques and technologies need to be implemented across their firms, particularly within risk management, to remain relevant. They will need to convince internal and external stakeholders that new technologies are at least as well controlled as existing approaches. Enterprise risk will face internal and external challenges in implementing technology, such as:
- Shortage of IT resources/talent
- Current infrastructure not being able to support new technologies
- Local and cross-border regulatory challenges
Financial institutions are constantly looking to control costs through a number of technological innovation initiatives, which can reduce error rates and leverage data to allow for more proactive, predictive risk management, over the next 3-5 years. To lead in the digital transformation of risk management, firms need to execute complex initiatives such as AI/machine learning, intelligent automation, data analytics and cloud computing. Developing in-house systems may create execution risks, be cumbersome, and not be commercially viable.
Resource Constraints and Increased Competition
Rationalization of enterprise risk functions – Over time, enterprise risk functions have built out staffing levels to handle the sheer workload of the highly manual nature of risk governance, oversight, strategy and appetite responsibilities. This is not sustainable in the long term.
Enhanced competition – Financial institutions are facing increasing pressure from industry disruption driven by new technologies, whether from small, aggressive challenger/virtual banks, larger, more mature consumer/tech companies, or other fintech start-ups. With this enhanced competition, there is greater emphasis on the need for simplification and automation.
Identifying and Managing Emerging Risks
Financial institutions need to address the massive challenge of having vast amounts of data; it will either be a liability, due to poor quality and lack of protections, or an asset, if managed and leveraged properly.
Shifts in a financial institution's risk profile resulting from digital transformation and being agile enough to enable innovation whilst protecting bank and client data and keeping costs under control.
Financial institutions are increasingly viewing the complexity of their organizations as a risk in its own right.
ERM, BCBS 239 and Recovery and Resolution Planning ("RRP") - data aggregation challenges, particularly aggregation of qualitative information.
What Actions can be Taken to Remain Relevant?
Financial institutions have done their best to implement changes that meet evolving regulatory requirements and the ever-changing competitive landscape. To deliver real value to the business and meet regulators’ expectations, an evolving mind-set is required to create an effective, sustainable and agile ERM ecosystem.
Greater Operational Effectiveness
Incumbent financial institutions need to prepare for increased competition by right-sizing their enterprise risk functions and embarking on the process of automating what is currently a highly manual undertaking, to achieve greater operational efficiencies.
A highly people-dependent risk model is not sustainable. The financial services industry is acutely aware of the increased costs of compliance and risk and needs to make its functions smarter, faster and more cost effective to remain relevant. Financial institutions need to develop new talent strategies, reversing headcount growth but at the same time ensuring the function is staffed with risk managers whose skill sets are complemented by tech-driven innovations, to better articulate and actively manage enterprise-wide risks. Weaning the function off its people dependency requires standardization, automation and the application of Agile methodologies.
Challenger/virtual banks and fintechs need to plan and deploy a right-sized ERM function, building out technology platforms that give them a competitive edge against incumbent financial institutions. ERM and functional/governance structures need to be carefully considered and right-sized in terms of cost efficiency and regulatory requirements. ERM 'lite' models should be considered for those financial institutions that want to operate in a lean environment.
Third party vendors and managed solutions
Build out continues for financial institutions, with greater usage of third-party vendors and managed solutions for ERM functions. Virtual/challenger banks and fintechs will need to carefully craft, actively manage and consider business resilience in an ERM 'lite' environment, particularly when outsourcing 'mission critical' functions. Incumbent banks can also benefit from engaging third-party vendors in areas such as governance, where minimal USPs are achievable. In both circumstances, exploring managed solutions may release significant costs to the business.
Build tools and Surveillance systems
Enterprise risk personnel need to be equipped with powerful, effective tools that enable them to identify and manage risks and issues arising in their enterprises, and to inform senior management, the board and relevant stakeholders of them, in real time. Empowering ERM personnel with tools that go beyond dashboards and reporting, and that allow AI/machine learning to assist them in identifying and synthesizing the risks and issues arising from within the enterprise, is key.
This article was written by Daniel Wolfsheimer. The views reflected in this article are the views of the author and do not necessarily reflect the views of any other organisation.
1 - Source: Ninth Annual Global EY/IIF bank risk management Survey - 2018